Title: HUH?! (Bad link in an email?)
Post by: death_stalker on 2006-01-31, 15:53
Um guys, I'm not stupid when it comes to opening emails, but I need to know if my AV was over-reacting or someone's sending out bad emails with Wireheads' address on them... :( Took me almost 15 minutes to get control again and I'm still not sure if it's fully recovered yet.
It reads as follows (I fudged up the links just in case):
please click forums.wireheadstudios.org
-------------------------------------
WireHead Forums Statistics:
-------------------------------------
Registered Users: 521
Total Posts: 30092
Busiest Time: 284 users were online on 03/30/04
-------------------------------------
Handy Links
-------------------------------------
Board Address: -------forums.wireheadstudios.org/index.php
Log In: --------forums.wireheadstudios.org/index.php?act=Login&CODE=00
Lost Password Recovery: --------forums.wireheadstudios.org/index.php?act=Reg&CODE=10
-------------------------------------
How to unsubscribe
-------------------------------------
Visit your email preferences -------forums.wireheadstudios.org/index.php?act=UserCP&CODE=02) and ensure that the box for 'Send me any updates sent by the board administrator' is unchecked and submit the form
--------------------------------------------------------------------------------------------------------------------------
Please tell me this was sent by board administration and my AV was being over protective. All I did was go to the log in link and wham! Some applet called "getaccess started" began to run, then insanity. The AV called it an Exploit-Onload Trojan. Well anyway I think I got it cleaned. Sorry if this was just my AV having a shit fit.

Title: Re: HUH?!
Post by: Kajet on 2006-01-31, 17:56
I got the same email but nothing's acted weird... yet

Title: Re: HUH?!
Post by: death_stalker on 2006-01-31, 19:41
It may have been my AV having a hissy fit. But it spooked me when every time I click continue what I was doing it popped up and said a trojan was detected and cleaned. It did that for almost 15 minutes. O_o

Title: Re: HUH?!
Post by: Aphax on 2006-01-31, 20:12
I can't help but wonder though why there's an e-mail titled "hello my dear friends" containing "please click forums.wireheadstudios.org" originating from this board o.O
I don't know if this forum has been patched with security updates but IPB 1.1 is pretty old and there's also a suspicious iframe on every page on this board that is loading "http://toolbardollars.biz/dl/adv553.php" (or at least trying to, since it doesn't seem to respond). There's a lot of scriptkiddies these days with tools scanning for web applications with known vulnerabilities, if this really is an unpatched IPB 1.1 there may be a real problem here =]

Title: Re: HUH?!
Post by: Phoenix on 2006-02-01, 00:15
Seems we have a problem, yes, and we're working to fix it. Thanks for the tipoff on the link.
Regarding the emails, do you still have them? It definitely sounds like someone mailed out a trojan. I'd like to inspect the message source code for information to find out where this came from. You can access that in Outlook Express without opening the email (so long as you have preview pane disabled) by right-clicking the message, clicking "properties", then the "details" tab, then "Message Source". Highlight all the text, copy, paste it into a .txt file, and then PM me the text. That'll greatly assist in us figuring out what's going on here.
Edit: Warden just removed that script code, so the forums should be safe to view.

Title: Re: HUH?!
Post by: death_stalker on 2006-02-01, 13:00
Hey Pho, you still needing the source code from the e-mail? I just woke up and saw your post. I still have the email but I use hotmail (have set up my outlook). I don't know how to get the code from that. :huh:

Title: Re: HUH?!
Post by: Phoenix on 2006-02-01, 17:38
It's ok, Aphax sent me his message source. The infection was caused when you clicked on the link to the forums and it triggered the iframe link to the server in Russia. It wasn't anything embedded in the email messages themselves.
I want to give a great big thank you for everyone here who brought this to our attention. This is the first time I'm aware of that something like this has happened to us, and because you tipped us off to the problem so fast we got it fixed as soon as we were aware of it, which was within a matter of hours of the problem showing up. :thumb: <3

Title: Re: HUH?!
Post by: death_stalker on 2006-02-02, 15:37
No problem. :thumb:
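
Added example, not part of the thread and not the forum's own code: a check a board administrator could run over rendered page HTML to catch the kind of off-site iframe described above. The allowlist, the sample markup (including the zero-size attributes and the `sample.js` path) and all function names are constructed for illustration; only the iframe URL comes from the thread.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class FrameAuditor(HTMLParser):
    """Collect <iframe>/<script> tags whose src host is not allowlisted."""

    def __init__(self, allowed_hosts):
        super().__init__()
        self.allowed = {h.lower() for h in allowed_hosts}
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag not in ("iframe", "script"):
            return
        a = {k: (v or "") for k, v in attrs}
        src = a.get("src", "")
        host = (urlparse(src).hostname or "").lower()
        if not host or host in self.allowed:
            return  # inline, relative, or same-site resource
        style = a.get("style", "").replace(" ", "").lower()
        # Zero/one-pixel or CSS-hidden frames are typical of injected content.
        hidden = (a.get("width") in ("0", "1") or a.get("height") in ("0", "1")
                  or "display:none" in style or "visibility:hidden" in style)
        self.findings.append((tag, host, src, hidden))


def audit_page(html, allowed_hosts):
    """Return a list of (tag, host, src, hidden) for off-site frames/scripts."""
    auditor = FrameAuditor(allowed_hosts)
    auditor.feed(html)
    auditor.close()
    return auditor.findings


# Constructed sample page; only the iframe URL is taken from the thread.
SAMPLE_PAGE = """
<html><body>
<script src="http://forums.wireheadstudios.org/sample.js"></script>
<script src="jscripts/local.js"></script>
<div class="post">hello</div>
<iframe src="http://toolbardollars.biz/dl/adv553.php" width="0" height="0"></iframe>
</body></html>
"""
ALLOWED = {"forums.wireheadstudios.org"}  # assumption: the board's only host

if __name__ == "__main__":
    for tag, host, src, hidden in audit_page(SAMPLE_PAGE, ALLOWED):
        print(f"off-site <{tag}> host={host} hidden={hidden} src={src}")
```

Running it against every template and cached page after a cleanup confirms that no copy of the injected tag remains.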