PDA

View Full Version : Should be back in business



Eagle22
24th August 2012, 05:16 AM
Forms and 'paperwork' have been submitted, I think we are back up for a while. Good news is I won't need to do the downtime Sunday night ;)

eaglewraith
24th August 2012, 05:30 AM
Oh thank God. Seriously this place is like crack, I haven't known what to do the last couple of days.

NWGaEagle
24th August 2012, 06:51 AM
So where did the offending stuff end up being? Was I pretty close?

southern edumacation
24th August 2012, 06:53 AM
Oh thank God. Seriously this place is like crack, I haven't known what to do the last couple of days.

I didn't realize how much I actually checked this site during the day. I pretty much always had a window open along with all my work stuff.

cannonballgsu
24th August 2012, 07:39 AM
I didn't realize how much I actually checked this site during the day. I pretty much always had a window open along with all my work stuff.

Same here.

Hmmm, quick reply window looks different...

cannonballgsu
24th August 2012, 07:56 AM
Ok, I have cleared all browsing history since the beginning of time, but Chrome still thinks there is a virus here. IE does not. Any suggestions?

southern edumacation
24th August 2012, 08:05 AM
Ok, I have cleared all browsing history since the beginning of time, but Chrome still thinks there is a virus here. IE does not. Any suggestions?

that's because google hasn't updated their blacklist of sites w/ viruses on them. Chrome checks with that and compares. E22 submitted the paperwork to get his site checked again by google they just haven't finished yet.

GSUfanforever
24th August 2012, 08:12 AM
Is the new "What's New" button here to stay? Kind of a fan of the old one, although I sure won't complain.

cannonballgsu
24th August 2012, 08:13 AM
that's because google hasn't updated their blacklist of sites w/ viruses on them. Chrome checks with that and compares. E22 submitted the paperwork to get his site checked again by google they just haven't finished yet.

Thanks - not real familiar with hosting/servers/stuff I should have paid attention to in CISCO...

cannonballgsu
24th August 2012, 08:14 AM
Is the new "What's New" button here to stay? Kind of a fan of the old one, although I sure won't complain.

Yeah...Now we have to click on "What's New", then click on "New Posts" to get where the old button took us. Would be nice if we could default back to the old way though.

Eagle22
24th August 2012, 08:17 AM
that's because google hasn't updated their blacklist of sites w/ viruses on them. Chrome checks with that and compares. E22 submitted the paperwork to get his site checked again by google they just haven't finished yet.

Correct. I submitted a review request at 1:37 am this morning, once I had ensured from my end everything had been cleaned up. Very exhaustive approach, and I took an extra step of completely downloading everything off the server, scanning it myself, and uploading it back (which is what took an extra day). I won't go into too much detail, but I couldn't exactly trust my host.

A big thanks to NWGaEagle ... his pointers when I called him yesterday confirmed some of my suspicions about where the offending snippet of code had been injected.

Hopefully Google will get it cleared off their list soon.

Eagle22
24th August 2012, 08:19 AM
So where did the offending stuff end up being? Was I pretty close?

Yep. I found the last trace in a footer file. Since it is one of the files that has altered code, the way vbulletin handles file upgrades did not correct and remove the code. So, out of over 53,000 files on the server, it was a single line in a single file being called by most of the template pages.

cannonballgsu
24th August 2012, 08:22 AM
Correct. I submitted a review request at 1:37 am this morning, once I had ensured from my end everything had been cleaned up. Very exhaustive approach, and I took an extra step of completely downloading everything off the server, scanning it myself, and uploading it back (which is what took an extra day). I won't go into too much detail, but I couldn't exactly trust my host.

A big thanks to NWGaEagle ... his pointers when I called him yesterday confirmed some of my suspicions about where the offending snippet of code had been injected.

Hopefully Google will get it cleared off their list soon.


Yep. I found the last trace in a footer file. Since it is one of the files that has altered code, the way vbulletin handles file upgrades did not correct and remove the code. So, out of over 53,000 files on the server, it was a single line in a single file being called by most of the template pages.

WOW. Thanks again for all that you do to keep the sight up.

Eagle22
24th August 2012, 08:22 AM
Is the new "What's New" button here to stay? Kind of a fan of the old one, although I sure won't complain.

I have no idea of the new 'features' on this code level.

I haven't had much time this week to dive into seeing what the differences are, though I momentarily freaked when I couldn't find what I considered to be the 'front' page.

Been dealing off-line with a couple of major issues outside of the website and its operation ... so in true Murphy's Law fashion ... the site got hacked at just the entire wrong time. Hoping to put in some major hours next week in getting it ready for football season ... I had initially planned on doing it this weekend (upgrade installation), but the hacking forced me to do it sooner so I could get the server cleaned up.

Eagle22
24th August 2012, 08:26 AM
Oh, on an unrelated note ... once I was aware of the depth of the initial problem, Google's webtools had narrowed down for me a list of certain threads that had contained additional suspected malware in random advertisements.

While the ironic part is that they were ads served through Google, I took the approach of simply deleting those thread from the database, rather than trying to cull ad code.

All in all, about 25 threads were purged. Some were very old, but a few were somewhat recent. If your thread was deleted, sorry ;)

GaSou93
24th August 2012, 08:36 AM
Oh, on an unrelated note ... once I was aware of the depth of the initial problem, Google's webtools had narrowed down for me a list of certain threads that had contained additional suspected malware in random advertisements.

While the ironic part is that they were ads served through Google, I took the approach of simply deleting those thread from the database, rather than trying to cull ad code.

All in all, about 25 threads were purged. Some were very old, but a few were somewhat recent. If your thread was deleted, sorry ;)

Whew.... at least the Hotties thread survived..... I was a tad concerned as it wasn't on the first two pages in the Open Forum!!

Eagle22
24th August 2012, 08:40 AM
Whew.... at least the Hotties thread survived..... I was a tad concerned as it wasn't on the first two pages in the Open Forum!!

I blame that on SwampEagle ;)

Some threads are worth the time consuming ordeal necessary to ensure their survival. That one would be a lot of fun to check through, page by page !

Helltopay
24th August 2012, 08:47 AM
I post very rarely but this has made me realize how much I depend on your site for information on Georgia Southern athletics. I can offically say that I am addicted; however, some addictions are not so bad :).

GSUfanforever
24th August 2012, 08:57 AM
Yeah...Now we have to click on "What's New", then click on "New Posts" to get where the old button took us. Would be nice if we could default back to the old way though.

Didn't realize we could still access the "new posts" part off of the "what's new". That's not a big change- thanks for pointing it out.

surferdave
24th August 2012, 09:09 AM
Was there any specific malicious bug identified that users may have picked up? Something's causing problems on my home computer the last few days that Norton, Malwarebytes and the other stuff I use hasn't stopped; Google searches are redirecting to some crappy search service and WIndows Updating isn't working. I was going to spend some time this weekend trying to flush it out.

Eagle22
24th August 2012, 09:17 AM
Was there any specific malicious bug identified that users may have picked up? Something's causing problems on my home computer the last few days that Norton, Malwarebytes and the other stuff I use hasn't stopped; Google searches are redirecting to some crappy search service and WIndows Updating isn't working. I was going to spend some time this weekend trying to flush it out.


the specific malware that was being picked up by Kaspersky (on my machine and others who visit here), was this one:

flep studio.org

without a space between the "p" and "s" above.

There was one other suspect malware link, but I do not have it in front of me at the moment. I will post it here later so you can check on it as well.

cannonballgsu
24th August 2012, 09:21 AM
the specific malware that was being picked up by Kaspersky (on my machine and others who visit here), was this one:

flep studio.org

without a space between the "p" and "s" above.

There was one other suspect malware link, but I do not have it in front of me at the moment. I will post it here later so you can check on it as well.


The other one was koks in.net

Again, remove the space.

Eagle22
24th August 2012, 09:31 AM
The other one was koks in.net

Again, remove the space.

Yes, that was it.

southern edumacation
24th August 2012, 09:41 AM
Was there any specific malicious bug identified that users may have picked up? Something's causing problems on my home computer the last few days that Norton, Malwarebytes and the other stuff I use hasn't stopped; Google searches are redirecting to some crappy search service and WIndows Updating isn't working. I was going to spend some time this weekend trying to flush it out.

run a scan with malwarebytes and also hitman pro.

If you need to, use another computer to download the executable and put it onto a USB drive and plug that into your home computer and install from there.

southern edumacation
24th August 2012, 09:43 AM
Yes, that was it.

So have you changed your password information for your host and all that jazz? Someone either figured out your password or an admin password so they could make the change to the footer on your file on the web server.

Eagle22
24th August 2012, 09:55 AM
So have you changed your password information for your host and all that jazz? Someone either figured out your password or an admin password so they could make the change to the footer on your file on the web server.

oh yeah. Did that first thing. FTP, database, etc ... changed all those passwords.

But that isn't the issue. I'm about 99.9% sure the issue is host-related. I've had a forensics IT guy working with me for several months on some other issues that weren't related to this recent event.

1peatfor7
24th August 2012, 10:25 AM
Well that's what happens when you use "password" or "letmein" to secure your admin accounts. :p

GATA
24th August 2012, 10:46 AM
Looks like the virus warning is gone!

Dave.
24th August 2012, 11:27 AM
Well that's what happens when you use "password" or "letmein" to secure your admin accounts. :p

ADMIN
ADMIN

That's the best way

EagleSC
24th August 2012, 11:35 AM
I'm not sure how I survived. Thanks Paul! Bottle of Jack on me at the App St. game!

EagleSC
24th August 2012, 11:36 AM
I'm not sure how I survived. Thanks Paul! Bottle of Jack on me at the App St. game!

Not literally on me...that's just gross. But you know what I meant!

Tampa_Jax_Eagle
24th August 2012, 01:53 PM
Not literally on me...that's just gross. But you know what I meant!

I am was about to comment on that one.

Any suggestions on free virus software that is good enough to use or should I just renew Norton?

jbeagle
24th August 2012, 02:10 PM
I am was about to comment on that one.

Any suggestions on free virus software that is good enough to use or should I just renew Norton?

http://ninite.com/

Security



<INPUT id=cb_da233 value=essentials type=checkbox name=apps> <LABEL for=cb_da233 jQuery16109341073477496089="143">Essentials</LABEL> Great Antivirus by Microsoft 4.0.1526.0
<INPUT id=cb_l3vzg value=avast type=checkbox name=apps> <LABEL for=cb_l3vzg jQuery16109341073477496089="144">Avast</LABEL> Avast Free Antivirus 7.0.1466.549
<INPUT id=cb_4mrni value=avg type=checkbox name=apps> <LABEL for=cb_4mrni jQuery16109341073477496089="145">AVG</LABEL> AVG Free Antivirus 2012 12.0.2197
<INPUT id=cb_mgdaa value=malwarebytes type=checkbox name=apps> <LABEL for=cb_mgdaa jQuery16109341073477496089="146">Malwarebytes</LABEL> Malware Remover 1.62.0.1300
<INPUT id=cb_avnaa value=adaware type=checkbox name=apps> <LABEL for=cb_avnaa jQuery16109341073477496089="147">Ad-Aware</LABEL> Antivirus Free Trial 10.2.21.3698
<INPUT id=cb_cz3j7 value=spybot type=checkbox name=apps> <LABEL for=cb_cz3j7 jQuery16109341073477496089="148">Spybot</LABEL> Spyware Remover 1.6.2
<INPUT id=cb_dmzdc value=super type=checkbox name=apps> <LABEL for=cb_dmzdc jQuery16109341073477496089="149">Super</LABEL> SUPERAntiSpyware Free 5.5.1012

1peatfor7
24th August 2012, 02:36 PM
I am was about to comment on that one.

Any suggestions on free virus software that is good enough to use or should I just renew Norton?

Never pay, plenty of free stuff that works great.

One of these below:
Avast
AVG
Avira
Microsoft Security Essentials or whatever they call it.

Both are free but you have to manually run a scan.
Malwarebytes
SuperAntiSpyware

eaglewraith
24th August 2012, 06:22 PM
I am was about to comment on that one.

Any suggestions on free virus software that is good enough to use or should I just renew Norton?

Norton/Symantec is a resource hog and should be drug out in the street and shot.

I used to use Avast which is free for home use, but now I just use Microsoft Security Essentials. Never had a virus on my personal PC. My work laptop had Symantec Corporate on it and I had to get it reformatted cause it got something on it while I was out of town once.

BoroNative
24th August 2012, 07:22 PM
Norton/Symantec is a resource hog and should be drug out in the street and shot.

I used to use Avast which is free for home use, but now I just use Microsoft Security Essentials. Never had a virus on my personal PC. My work laptop had Symantec Corporate on it and I had to get it reformatted cause it got something on it while I was out of town once.

I've been surprisingly happy with MSFT Security Essentials. Of course the best anti-virus is common sense

southern edumacation
24th August 2012, 08:04 PM
I've been surprisingly happy with MSFT Security Essentials. Of course the best anti-virus is common sense

I use security essentials set home as well. Works great.

Sent using Forum Runner

Ralze34
24th August 2012, 09:45 PM
I use Microsoft Security Essentials, Malwarebytes Anti-Malware, Kaspersky, and I still use Spybody Search & Destroy. All are free, and I don't remember every having any issues.

Joseph
27th August 2012, 08:15 AM
The new reply options look much smoother. Thats the only change I can tell from the old software.