2024-12-23, 08:39 *
Welcome, Guest. Please login or register.

Login with username, password and session length
 
Pages: [1]
  Print  
Author Topic: HUH?! (Bad link in an email?)  (Read 7889 times)
0 Members and 1 Guest are viewing this topic.
death_stalker
 

Makron
********
Posts: 306

« on: 2006-01-31, 15:53 »

Um guys I'm not stupid when it comes to opening emails, but I need to know if my AV was over-reacting or someone's sending out bad emails with Wireheads address on them... Slipgate - Sad  Took me almost 15 minutes to get control again and I'm still not sure if it's fully recovered yet.

It reads as following (I fudged up the links just in case)

please click forums.wireheadstudios.org

-------------------------------------
WireHead Forums Statistics:
-------------------------------------
Registered Users: 521
Total Posts: 30092
Busiest Time: 284 users were online on 03/30/04

-------------------------------------
Handy Links
-------------------------------------
Board Address: -------forums.wireheadstudios.org/index.php
Log In: --------forums.wireheadstudios.org/index.php?act=Login&CODE=00
Lost Password Recovery:
--------forums.wireheadstudios.org/index.php?act=Reg&CODE=10

-------------------------------------
How to unsubscribe
-------------------------------------
Visit your email preferences
-------forums.wireheadstudios.org/index.php?act=UserCP&CODE=02) and ensure that
the box for 'Send me any updates sent by the board administrator' is unchecked
and submit the form

--------------------------------------------------------------------------------------------------------------------------

Please tell me this was sent by board administration and my AV was being over protective.
All i did was go to the log in link and wham! Some applet called "getaccess started" began to run than insanity. The AV called it an Exploit-Onload Trojan. Well anyway I think I got it cleaned. Sorry if this was just my AV having a shit fit.



Logged

Kajet
 

Vadrigar
*********
Posts: 603

I have no clue what to put here...

« Reply #1 on: 2006-01-31, 17:56 »

I got the same email but nothing's acted weird... yet
Logged
death_stalker
 

Makron
********
Posts: 306

« Reply #2 on: 2006-01-31, 19:41 »

It may have been my AV having a hissy fit. But it spooked me when every time I click continue what I was doing it popped up and said a trojan was detected and cleaned. It did that for almost 15 minutes.  Slipgate - Distraught
Logged

Aphax
 
Unnamed Player

Posts: 1

WWW
« Reply #3 on: 2006-01-31, 20:12 »

I can't help but wonder though why there's an e-mail titled "hello my dear friends" containing "please click forums.wireheadstudios.org" originating from this board o.O

I don't know if this forum has been patched with security updates but IPB 1.1 is pretty old and there's also a suspicous iframe on every page on this board that is loading "http://toolbardollars.biz/dl/adv553.php" (or at least trying to, since it doesn't seem to respond).

There's lot of scriptkiddies these days with tools scanning for web applications with known vulnerabilities, if this really is an unpatched IPB 1.1 there may be a real problem here =]
Logged
Phoenix
Bird of Fire
 

Team Member
Elite (7.5k+)
*********
Posts: 8815

WWW
« Reply #4 on: 2006-02-01, 00:15 »

Seems we have a problem, yes, and we're working to fix it.  Thanks for the tipoff on the link.

Regarding the emails, do you still have them?  It definitely sounds like someone mailed out a trojan.  I'd like to inspect the message source code for information to find out where this came from.  You can access that in Outlook Express without opening the email (so long as you have preview pane disabled) by right-clicking the message, clicking "properties", then the "details" tab, then "Message Source".  Highlight all the text, copy, paste it into a .txt file, and then PM me the text.  That'll greatly assist in us figuring out what's going on here.

Edit:  Warden just removed that script code, so the forums should be safe to view.
« Last Edit: 2006-02-01, 00:43 by Phoenix » Logged


I fly into the night, on wings of fire burning bright...
death_stalker
 

Makron
********
Posts: 306

« Reply #5 on: 2006-02-01, 13:00 »

Hey Pho you still needing the source code from the e-mail? I just woke up and say your post. I still have the email but I use hotmail (have set up my outlook). I don't know how to get the code from that. Doom - Huh?
Logged

Phoenix
Bird of Fire
 

Team Member
Elite (7.5k+)
*********
Posts: 8815

WWW
« Reply #6 on: 2006-02-01, 17:38 »

It's ok, Aphax sent me his message source.  The infection was caused when you clicked on the link to the forums and it triggered the iframe link to the server in Russia.  It wasn't anything embedded in the email messages themselves.

I want to give a great big thank you for everyone here who brought this to our attention.  This is the first time I'm aware of that something like this has happened to us, and because you tipped us off to the problem so fast we got it fixed as soon as we were aware of it, which was within a matter of hours of the problem showing up.
 Thumbs up!  <3
« Last Edit: 2006-02-01, 17:42 by Phoenix » Logged


I fly into the night, on wings of fire burning bright...
death_stalker
 

Makron
********
Posts: 306

« Reply #7 on: 2006-02-02, 15:37 »

No problem.  Thumbs up!
Logged

Pages: [1]
  Print  
 
Jump to: