Author Topic: TSP forum and blog were infected with a trojan  (Read 33143 times)

Offline Mr. Bill

  • Like a hot cocoa mojito
  • Administrator
  • Forum Veteran
  • *******
  • Posts: 14017
  • Karma: 1849
  • Trained Attack Sheepdog/Troll hunter
    • Website Maintenance and Online Presence Management by Mr. Bill
TSP forum and blog were infected with a trojan
« on: December 14, 2011, 04:21:44 PM »
Our site -- both the forum and Jack's blog -- was infected with a trojan for about the past day.  We believe it's fixed now.

I wish I could tell you for certain whether you're at risk for problems.  If you're running a good antivirus program, you're probably okay.  Some browsers (current versions of Opera and Chrome, we think) may have been immune.

We believe this is part of a widespread attack that takes advantage of a security hole in PHP, and has probably affected many forums and blogs.

More info to follow, if we learn anything.

Offline archer

  • Administrator
  • Ultimate Survival Veteran
  • *******
  • Posts: 17037
  • Karma: 379
  • #ImissAmerica
    • Journey to Greener Pastures
Re: TSP forum and blog were infected with a trojan
« Reply #1 on: December 14, 2011, 04:25:39 PM »
A little clarity:
This is a PHP-based redirection attack to collect usage/other information; it will not infect/harm your own personal system. Better anti-virus/malware programs will detect this redirection and give a warning about the redirection. It also broke some JavaScript/PHP functions.

If you have a web server running a blog using PHP, you should check it out to look for this.

Offline technicalanarchy

  • Senior Survivalist
  • ****
  • Posts: 208
  • Karma: 5
  • That's Pep in my profile pic
    • Response Technical
Re: TSP forum and blog were infected with a trojan
« Reply #2 on: December 14, 2011, 05:43:38 PM »
I had it happen to a couple of sites I manage. It was through FileZilla :(

Offline FromScratchWoman

  • Survivalist Mentor
  • *****
  • Posts: 524
  • Karma: 18
  • "Never buy nothin from a man named true"
    • Cold Creek Homestead
Re: TSP forum and blog were infected with a trojan
« Reply #3 on: December 14, 2011, 06:40:21 PM »
I do almost all of my TSP'ing on my phone, which is an HTC, so just a little mini computer, and for the past day going on two now it's been turning off and flashing the HTC logo and gets really hot. The only way to stop it is to take out the battery and leave it out for a minimum of 15 mins, and it's been freezing like crazy. Upon talking to the tech people for my phone today, they informed me I may have picked up a virus from my internet use, which is mainly the forum  :-\ Just giving people a heads up that if you have a smart phone that's been acting off, this may be why. I don't know any of this for a fact, just connecting dots.

Offline Cianaodh

  • Survivor
  • ***
  • Posts: 136
  • Karma: 7
  • Dehydrated Water?
    • Temple Of the Standing Stones
Re: TSP forum and blog were infected with a trojan
« Reply #4 on: December 14, 2011, 06:47:27 PM »
I too do most of my TSP forum reading on an HTC phone and have been experiencing similar behavior lately.  ???

I do almost all of my TSP'ing on my phone, which is an HTC, so just a little mini computer, and for the past day going on two now it's been turning off and flashing the HTC logo and gets really hot. The only way to stop it is to take out the battery and leave it out for a minimum of 15 mins, and it's been freezing like crazy. Upon talking to the tech people for my phone today, they informed me I may have picked up a virus from my internet use, which is mainly the forum  :-\ Just giving people a heads up that if you have a smart phone that's been acting off, this may be why. I don't know any of this for a fact, just connecting dots.

Offline MaddoginMass

  • Survivalist Mentor
  • *****
  • Posts: 525
  • Karma: 10
Re: TSP forum and blog were infected with a trojan
« Reply #5 on: December 15, 2011, 06:57:00 AM »
I'm running Kaspersky for AV and it picked this up yesterday on the homepage of the TSP site.  It flashed a warning and wouldn't let me open the page.  I shot an email to Jack when it happened.  Everything seems fine now though.

If you have smartphones, you should be running AV on them too.  I've been using the free version of Lookout for Android.

Offline soupbone

  • Once made a pun out of "Mephistopheles"
  • Survival Demonstrator
  • *******
  • Posts: 2446
  • Karma: 146
  • If you think you're close enough - get closer.
Re: TSP forum and blog were infected with a trojan
« Reply #6 on: December 15, 2011, 01:27:54 PM »
I started a full scan this morning. Microsoft Security Essentials found the following and removed it:

Trojan: JS/BlacoleRef.N

Was this what you were talking about?

soup

Offline Docwatmo

  • May Ignite Spontaneously
  • Administrator
  • Survival Veteran
  • *******
  • Posts: 8596
  • Karma: 255
  • The Prepper Rising from the Ashes
Re: TSP forum and blog were infected with a trojan
« Reply #7 on: December 15, 2011, 01:38:18 PM »
It showed up under JS/Iframe.AS Trojan under ESET Nod32 Antivirus, but it may show up under different names on different products. 


Offline Mr. Bill

Re: TSP forum and blog were infected with a trojan
« Reply #8 on: December 15, 2011, 01:43:01 PM »
I started a full scan this morning. Microsoft Security Essentials found the following and removed it:

Trojan: JS/BlacoleRef.N

Was this what you were talking about?

Honestly, we don't know for sure.  Archer's opinion is that this was only an information-collecting scheme, and would not install malware on your computer.  He knows a lot more about this stuff than I do -- but I'm more paranoid.
 :tinfoily:

The attack inserted code into about 350 files on thesurvivalpodcast.com and survivalpodcast.net.  Hats off to Archer, who edited the malware out of all of them by hand! :clap:

Anyway, I'm glad to hear you removed a trojan from your system.

Offline Docwatmo

Re: TSP forum and blog were infected with a trojan
« Reply #9 on: December 15, 2011, 02:15:21 PM »
Archer is correct: the malware just redirected some requests. However, the locations that they were redirected to could be infection sources, and unprotected machines could have picked up additional malware from scripts at the redirected points.  Most likely not, as they appeared to be just trying to garner hits and stats, but without a full forensic exam we just won't know 100%.






Offline archer

Re: TSP forum and blog were infected with a trojan
« Reply #10 on: December 15, 2011, 02:17:17 PM »
Archer is correct: the malware just redirected some requests. However, the locations that they were redirected to could be infection sources, and unprotected machines could have picked up additional malware from scripts at the redirected points.  Most likely not, as they appeared to be just trying to garner hits and stats, but without a full forensic exam we just won't know 100%.

Correct Doc, the site that was sent to looks also to have been compromised and that could have sent nasties to local systems.
Can I have 5 min alone with the bastard(s) who did this? I want to 'thank' them for their efforts.....

Offline Docwatmo

Re: TSP forum and blog were infected with a trojan
« Reply #11 on: December 15, 2011, 02:19:43 PM »
5 minutes?  That's not nearly enough time to get as medieval as necessary.  (but would be a good start).

Offline archer

Re: TSP forum and blog were infected with a trojan
« Reply #12 on: December 15, 2011, 02:25:40 PM »
5 minutes?  That's not nearly enough time to get as medieval as necessary.  (but would be a good start).
I figure hamstringing them then doing the same to their wrists to start out...

Offline Docwatmo

Re: TSP forum and blog were infected with a trojan
« Reply #13 on: December 15, 2011, 02:28:35 PM »
I kind of like what Gerard Butler did to the guy who killed his family in "Law Abiding Citizen" :-)   

Offline archer

Re: TSP forum and blog were infected with a trojan
« Reply #14 on: December 15, 2011, 02:31:58 PM »
I kind of like what Gerard Butler did to the guy who killed his family in "Law Abiding Citizen" :-)   
Never saw it.
Hmm. better police myself
BACK ON TOPIC!

Offline cohutt

  • non semper erit aestas
  • Moderator On Leave
  • Survival Veteran
  • *
  • Posts: 5192
  • Karma: 182
  • Don't Give Up Your Keys
    • Behind cohutt's Fence
Re: TSP forum and blog were infected with a trojan
« Reply #15 on: December 15, 2011, 06:53:34 PM »
TW& SW

Wilderwolf just lit up MSSE like my Christmas tree. I emailed you both figured I'd post here too in case you wander through.

Offline archer

Re: TSP forum and blog were infected with a trojan
« Reply #16 on: December 15, 2011, 06:57:10 PM »
TW& SW

Wilderwolf just lit up MSSE like my Christmas tree. I emailed you both figured I'd post here too in case you wander through.
http://sitecheck.sucuri.net/scanner/# shows it is ok.

Offline kenser321

  • Survivor
  • ***
  • Posts: 188
  • Karma: 7
Re: TSP forum and blog were infected with a trojan
« Reply #17 on: December 15, 2011, 09:11:51 PM »
I contacted HostGator regarding my blog and they scanned it and said that I had a trojan that most likely sniffed out my password through my email for my cPanel login and uploaded more trojans. The night before this all happened I tried to access. Tap chat with major problems. Basically HostGator cleaned up my site and changed my password and told me to completely scan with antivirus and malware software to fix the problem. I thought at first my home computer may have been a contributor to TSP's, but this sounds really widespread and I doubt it was solely something I did.

Offline LJH

  • Dedicated Contributor
  • ******
  • Posts: 1218
  • Karma: 63
Re: TSP forum and blog were infected with a trojan
« Reply #18 on: December 16, 2011, 07:31:08 PM »
I remember something like this a while back and IIRC, it turned out to be some kind of false alarm but this one was for real, eh? Glad you guys know how to deal with this stuff. My Avast (free version) caught it but I'll run some other scans anywho. Thanks for jumping on it so fast!

Thox Spuddy

  • Guest
Re: TSP forum and blog were infected with a trojan
« Reply #19 on: December 17, 2011, 08:21:41 AM »
I started a full scan this morning. Microsoft Security Essentials found the following and removed it:

Trojan: JS/BlacoleRef.N

Was this what you were talking about?

soup

ditto for me. How does this happen? By just arriving at the site or did I click on something that infected my computer? Isn't the site protected by anti-v?

Offline archer

Re: TSP forum and blog were infected with a trojan
« Reply #20 on: December 17, 2011, 11:38:51 AM »
ditto for me. How does this happen? By just arriving at the site or did I click on something that infected my computer? Isn't the site protected by anti-v?
The trojan got in through a bug in a WordPress add-on. It wrote small routines to various files which, when accessed via a web browser, directed the web browser to connect to a remote server. It seems that remote server was also infected, which directed the browser to possibly download malware to the local personal computer.

Server-level computer security is different from personal-computer level. But yes, there are security systems set up for direct attacks. But in this case it was some other company's program that was compromised.
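
Added example, not part of the original thread: Reply #20 above describes small routines written into site files that sent browsers to a remote server, and Reply #8 puts the count at about 350 files. This sketch shows how an administrator could list such files by flagging iframe/script tags that load from hosts outside an allowlist. The thread does not show the injected code, so the tag pattern, the allowlisted hosts and the sample files are assumptions constructed for illustration.

```python
import re
import tempfile
from pathlib import Path
from urllib.parse import urlparse

# Assumption: hosts this site legitimately loads frames/scripts from.
ALLOWED_HOSTS = {"example.org", "www.example.org"}
WEB_EXTS = {".php", ".html", ".htm", ".js"}
# Any <iframe> or <script> tag whose src is an absolute or scheme-relative URL.
TAG_RE = re.compile(
    r"<(iframe|script)\b[^>]*?\bsrc\s*=\s*[\"']?((?:https?:)?//[^\"'\s>]+)",
    re.IGNORECASE)

def offsite_embeds(text, allowed=ALLOWED_HOSTS):
    """Return (tag, host) for each iframe/script loading from a non-allowed host."""
    hits = []
    for tag, url in TAG_RE.findall(text):
        host = (urlparse(url).hostname or "").lower()
        if host and host not in allowed:
            hits.append((tag.lower(), host))
    return hits

def scan_webroot(root, allowed=ALLOWED_HOSTS):
    """Map relative path -> off-site embeds for every web file under root."""
    report = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in WEB_EXTS:
            hits = offsite_embeds(path.read_text(errors="replace"), allowed)
            if hits:
                report[str(path.relative_to(root))] = hits
    return report

def demo():
    """Build a constructed three-file web root and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "index.php").write_text(
            '<?php echo "hi"; ?>\n<script src="http://www.example.org/site.js"></script>\n')
        (root / "footer.php").write_text(
            '<?php /* footer */ ?>\n'
            '<iframe src="http://redirect.invalid/in.php" width="1" height="1"></iframe>\n')
        (root / "theme.js").write_text("var a = 1;\n")
        return scan_webroot(root)

if __name__ == "__main__":
    for name, hits in demo().items():
        print(name, hits)
```

Injected code that builds the tag at runtime from obfuscated JavaScript will not match this pattern; comparing the tree against a known-good backup or the upstream package is the more reliable check.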

Offline yoshi

  • Survivor
  • ***
  • Posts: 143
  • Karma: 4
  • Learning to be an ant
    • New Jersey Personal Defense Academy
Re: TSP forum and blog were infected with a trojan
« Reply #21 on: December 17, 2011, 04:12:36 PM »
When I log into the MSB member area it shows a malicious attack website warning. This is probably a remnant of the original attack, but it should be taken care of as it's a little bit of a pain in the butt to get past it and log in correctly.

Offline archer

Re: TSP forum and blog were infected with a trojan
« Reply #22 on: December 17, 2011, 04:23:58 PM »
When I log into the MSB member area it shows a malicious attack website warning. This is probably a remnant of the original attack, but it should be taken care of as it's a little bit of a pain in the butt to get past it and log in correctly.
Hmm, thx. I took care of that. I'll check it out.

Offline archer

Re: TSP forum and blog were infected with a trojan
« Reply #23 on: December 17, 2011, 04:26:57 PM »
Hmm, thx. I took care of that. I'll check it out.

Google has not updated their site yet:
the last time Google visited this site was on 2011-12-16, and the last time suspicious content was found on this site was on 2011-12-16.

So once Google updates we'll be OK.

Offline bartsdad

  • Scrooge McDuck
  • Global Moderator
  • Survival Demonstrator
  • ******
  • Posts: 4013
  • Karma: 237
  • We're Vikings, we have stubbornness issues.
    • SPAMMY Link
Re: TSP forum and blog were infected with a trojan
« Reply #24 on: December 17, 2011, 11:27:03 PM »
Everyone should give a big thanks and  buy a beer for the admins and Doc for all the time and resources spent dealing with this.
 :beer: :beer: :beer:
Thank you !

Offline LJH

Re: TSP forum and blog were infected with a trojan
« Reply #25 on: December 18, 2011, 07:58:31 PM »
Everyone should give a big thanks and  buy a beer for the admins and Doc for all the time and resources spent dealing with this.
 :beer: :beer: :beer:
Thank you !

You betcha! Thanks a zazillion you guys!

Offline The Professor

  • Tactical Skittle Assassin
  • Survival Demonstrator
  • *******
  • Posts: 2691
  • Karma: 378
  • All we have to do is create another universe
Re: TSP forum and blog were infected with a trojan
« Reply #26 on: December 18, 2011, 08:28:44 PM »
Hmm, I wonder if that explains why I've been having MAJOR problems the past 3 days.

The Professor