
With much regret I am notifying you that BleepingComputer was hacked today.


23 replies to this topic

#1 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,567 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:03:23 PM

Posted 15 September 2010 - 01:39 PM

It is with great displeasure and embarrassment that I am notifying the BleepingComputer.com community that a component of BleepingComputer was hacked today. This was accomplished through a vulnerability that allowed the hacker to add malicious code to certain portions of the site (forums and startup database). The other sections of the site were unaffected. The hacking occurred at 12:18 EST on 9/15/2010 and I was able to remove the hack and upgrade the software by 1:15 EST on 9/15/2010.

I have spent the rest of the time looking into what other locations of the site may have been tampered with and have found no other modifications. No email addresses, account names, passwords, etc have been accessed. The only thing that was modified was the inclusion of the malicious iframe on certain pages.

I want to assure everyone who visits BleepingComputer.com that security is of the utmost concern for the site and our visitors. Unfortunately, as we have learned, even if you stay on top of the updates, sometimes you just cannot upgrade fast enough. For example, the vulnerable component of the site was only updated yesterday and I did not receive notification that an update was available.

For now, I suggest everyone scan their computer using a variety of tools such as ESet Online Scanner, Kaspersky Online Scanner, and Malwarebytes' Anti-Malware.

I will provide an update later after I analyze the malicious code.

Once again I apologize for having to write this post.




#2 MrBruce1959

MrBruce1959

    My cat Oreo


  • BC Advisor
  • 6,377 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Norwich, Connecticut. in the USA
  • Local time:03:23 PM

Posted 15 September 2010 - 04:48 PM

Thank you for the heads up.

Everything appears to be secure at my end.

My computer passed all scans successfully.

Google search on my computer is also functioning as it is supposed to as well. It is going to the sites I have selected.

I, as I hope everyone else does, keep my anti-virus and anti-malware scanning software up-to-date and I check for updates daily.

Hopefully all is well with everyone else.

Bruce.

Edited by MrBruce1959, 15 September 2010 - 05:18 PM.

Welcome to Bleeping Computer! :welcome:
New Members: Please click here for the Bleeping Computer Forum Board Rules
 
My Career Involves 37 Years as an Electronics Repair Technician, to Which I am Currently Retired From.

I Am Currently Using Windows 10 Home Edition.

As a Volunteer Staff Member of Bleeping Computer, the Help That I Proudly Provide Here To Our BC Forum Board Membership is Free of Charge. :wink:

#3 Grinler

Grinler

    Lawrence Abrams

  • Topic Starter

  • Admin
  • 43,567 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:03:23 PM

Posted 15 September 2010 - 04:59 PM

Update: For those who may be concerned that they were hacked, the above hack only affected visitors who were not logged in. If you were logged into the site during that period you would not have been shown the code.

It appears that the malicious code was a multi-exploit kit that was being used to try and exploit common vulnerabilities on your computer to install malware. What that means is that if you have the latest version of Java, Adobe Reader, Shockwave, Realplayer, or Flash and all your Windows updates then your computer would not have been affected. So as an aside, please make sure you always keep your programs, especially those I just listed, updated and all your Windows updates installed. Instructions on using Secunia PSI to scan for outdated programs can be found here:

How to detect vulnerable and out-dated programs using Secunia Personal Software Inspector

For those who may have been infected, though, then you may find that your computer has become infected with the TDSS infection. I suggest that you follow the steps here:

How to remove Google Redirects or the TDSS, TDL3, or Alureon Rootkit

You will know that your computer is infected when you attempt to click on a Google search result and are redirected to a different page than you should be going to.

I have tested TDSSKiller against the malware that may have been installed and it should be able to remove it.

When done, I also suggest scanning your computer using a variety of tools such as ESet Online Scanner, Kaspersky Online Scanner, and Malwarebytes' Anti-Malware. I know for a fact that Malwarebytes, if installed, would have blocked access to the site running the exploits.

Once again, I am sorry that this happened and I stress that I always prioritize the security of our visitors and the site ahead of any other tasks. If you have any questions, concerns, or issues please ask here.

I would also like to send a big thanks to tetonbob for notifying me about the issue and helping me test it. Thanks again!
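
The update above says the injected iframe was shown only to visitors who were not logged in, so a check run from a logged-in session would not have seen it. The following Python is an added example, not part of the original thread or the site's own tooling: it compares the guest and logged-in renderings of one page and reports iframe hosts that are off an allowlist. The function names, host names and sample pages are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class IframeCollector(HTMLParser):
    """Collects the src attribute of every <iframe> in a document."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.sources.append(dict(attrs).get("src") or "")


def iframe_hosts(html, site_host):
    """Return the set of hosts that iframes in `html` load from."""
    collector = IframeCollector()
    collector.feed(html)
    hosts = set()
    for src in collector.sources:
        # Relative or empty src values resolve to the site itself.
        hosts.add((urlparse(src).hostname or site_host).lower())
    return hosts


def audit_views(guest_html, member_html, site_host, allowed_hosts):
    """Compare the guest and logged-in renderings of the same page."""
    allowed = {h.lower() for h in allowed_hosts} | {site_host.lower()}
    guest = iframe_hosts(guest_html, site_host)
    member = iframe_hosts(member_html, site_host)
    return {
        # Anything here needs investigation in either view.
        "unexpected_guest": sorted(guest - allowed),
        "unexpected_member": sorted(member - allowed),
        # Guest-only frames can be legitimate (ads); the allowlist decides.
        "guest_only": sorted(guest - member),
    }


# Constructed sample pages (not from the incident); hosts are reserved example names.
GUEST = ('<html><body><p>topic</p><iframe src="http://ads.example.net/b"></iframe>'
         '<iframe src="http://injected.example.org/x"></iframe></body></html>')
MEMBER = "<html><body><p>topic</p></body></html>"

if __name__ == "__main__":
    print(audit_views(GUEST, MEMBER, "forum.example.com", ["ads.example.net"]))
```

Running it on a schedule against pages fetched without a session cookie covers the view that this incident affected.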

#4 Rewster

Rewster

  • Members
  • 204 posts
  • OFFLINE
  •  
  • Local time:02:23 PM

Posted 15 September 2010 - 04:59 PM

Have you learned anything about the malicious code yet? Such as what damage it could do to your computer?

Edit: You beat me to it. :thumbsup: Not sure if I was logged in or out at that time. Anyways, gonna run scans to make sure.

Edited by Rewster, 15 September 2010 - 05:01 PM.


#5 1972vet

1972vet

  • Malware Response Team
  • 1,698 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Midwest U.S.A.
  • Local time:02:23 PM

Posted 15 September 2010 - 05:04 PM

Thanks for the heads up. I'm fairly certain I visited the site today near the time frame indicated to check on a log I am currently working. No alarms went off on my end. I'm running Windows 7 64-bit with ESET SmartSecurity 4 and mbam. I've also noticed no ill effects...no search problems. Nothing. I am nonetheless scanning as you recommend. Thanks again! Excellent, quick work by an outstanding team here. :thumbsup:

Disabled Veteran, U.S.C.G. 1972 - 1978
2009 - 2013

Member: U.N.I.T.E.
Performance and Maintenance for Windows XP, Windows Vista and Windows Seven


#6 Grinler

Grinler

    Lawrence Abrams

  • Topic Starter

  • Admin
  • 43,567 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:03:23 PM

Posted 15 September 2010 - 05:12 PM

I can tell you that Eset would have blocked it.

#7 CStew23

CStew23

  • Members
  • 1,484 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:03:23 PM

Posted 15 September 2010 - 05:46 PM

What a nightmare! Thanks for the heads up
Please don't send help request via PM, unless I am already helping you. Use the forums!
If you have not heard from me in 48 hours please use this and send me a PM reminder.

#8 1972vet

1972vet

  • Malware Response Team
  • 1,698 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Midwest U.S.A.
  • Local time:02:23 PM

Posted 15 September 2010 - 05:56 PM

Yeah, and I read Bob's post...he has ESET and his popped up a warning when following the email he got. I didn't visit via an email link. I just remember clicking the bookmarked links to all the logs I currently have. I know that's how I arrived so I must not have come during the critical time element.

Thanks again!

Disabled Veteran, U.S.C.G. 1972 - 1978
2009 - 2013

Member: U.N.I.T.E.
Performance and Maintenance for Windows XP, Windows Vista and Windows Seven


#9 pleasehelp123

pleasehelp123

  • Members
  • 68 posts
  • OFFLINE
  •  
  • Local time:11:23 AM

Posted 15 September 2010 - 07:21 PM

My god, good thing I was logged in :thumbsup: This site is EXTREMELY helpful. Unfortunately the site is a worry to the evil people who create malware :flowers: EDIT: I'm using a gaming console to post this, but is the hack gone completely? Because on my computer I'm not signed in, so if I go now on my computer will I get infected?

Edited by pleasehelp123, 15 September 2010 - 07:24 PM.

hello bleepingcomputer...

#10 Grinler

Grinler

    Lawrence Abrams

  • Topic Starter

  • Admin
  • 43,567 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:03:23 PM

Posted 15 September 2010 - 09:45 PM

Yes, it's completely gone.

#11 Layback Bear

Layback Bear

  • Members
  • 1,880 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Northern Ohio
  • Local time:02:23 PM

Posted 16 September 2010 - 08:28 AM

Thanks Grinler for the quick response and repair. I ran all my scans yesterday, I'm okay but I will do it again with ESet Online. Thanks again for fixing things.

#12 QQQQ

QQQQ

  • Members
  • 379 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:02:23 PM

Posted 16 September 2010 - 09:41 AM

GRRR, bleeping hackers!!!

#13 Grinler

Grinler

    Lawrence Abrams

  • Topic Starter

  • Admin
  • 43,567 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:03:23 PM

Posted 16 September 2010 - 11:02 AM

GRRR, bleeping hackers!!!


Couldn't agree more!

#14 B-boy/StyLe/

B-boy/StyLe/

    Bleepin' Freestyler


  • Malware Response Team
  • 8,307 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Bulgaria
  • Local time:10:23 PM

Posted 16 September 2010 - 01:43 PM

What component was hacked?
We had some problems with OpenX banner system and we disabled it for a while.

http://img193.imageshack.us/img193/8171/10hoo42.png
http://img155.imageshack.us/img155/49/image000.png

PC Tools ThreatFire and Foxit PDF Reader 4 successfully blocked the attack:

http://img210.imageshack.us/img210/2976/99255932.png
http://img203.imageshack.us/img203/1479/75592880.png

*The exploit tried to open CMD.exe => to execute WMP, to execute Windows Calculator, to execute Windows Help & Support or to create a new account for Windows with full admin rights (lol).

I'm running Windows 7 64-bit and I do not have any problems so far. :thumbsup:

Seems all security sites are targeted, because G2G was attacked with URL injection some time ago.

http://img188.imageshack.us/img188/2947/g2gv.png


Thanks for letting us know, boss!


Regards,
G. :flowers:

Edited by B-boy/StyLe/, 16 September 2010 - 01:45 PM.



#15 Grinler

Grinler

    Lawrence Abrams

  • Topic Starter

  • Admin
  • 43,567 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:03:23 PM

Posted 16 September 2010 - 01:53 PM

Yes, I do not think this was a targeted attack against the site. Just a targeted attack against vulnerable software.



