Malicious Site Warnings - An update and what happened

Status
Not open for further replies.

searingxheretic

Member
Premium Subscriber
Joined
Aug 30, 2007
Messages
231
Location
Richmond, VA
What was the malware package that was being delivered? You should post info on the package including processes or files that it creates so that site visitors can double check their own computers to ensure we weren't compromised.

Sent from my cm_tenderloin
 

blantonl

Founder and CEO
Staff member
Super Moderator
Joined
Dec 9, 2000
Messages
11,360
Location
San Antonio, Whitefish, New Orleans
We don't know because our site wasn't the one actually delivering the Malware - the malicious Javascript on our site simply redirected the browser to another set of random sites which hosted the delivery mechanism.
 

searingxheretic

Member
Premium Subscriber
Joined
Aug 30, 2007
Messages
231
Location
Richmond, VA
We don't know because our site wasn't the one actually delivering the Malware - the malicious Javascript on our site simply redirected the browser to another set of random sites which hosted the delivery mechanism.

Ah, perhaps in the future you could look into implementing a warning page when a site user is being directed to a URL not contained within RR.com. At any rate, thanks for the hard work tracking down the problem in the end.

Sent from my cm_tenderloin
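One way to build the off-site warning page suggested above, as an added example that is not RadioReference's own code: outbound links are checked against the site's own hostnames in the browser, and any click that would leave the site is routed through a local interstitial that shows the destination first. The site hostname list and the `/leaving` path are assumptions made for this example.

```javascript
// Added example (not RadioReference's code): route clicks on off-site links
// through a local warning page instead of jumping straight to the external URL.
// SITE_HOSTS and WARNING_PATH are assumptions for this example.
const SITE_HOSTS = new Set([
  'radioreference.com',
  'www.radioreference.com',
  'wiki.radioreference.com',
]);
const WARNING_PATH = '/leaving';
const SITE_BASE = 'https://www.radioreference.com/';

// True when href points outside the listed site hosts. Relative and same-host
// links are internal; anything that fails to parse, or that is not http(s),
// is treated as external so odd schemes never bypass the check.
function isExternalLink(href, siteHosts = SITE_HOSTS, base = SITE_BASE) {
  let url;
  try {
    url = new URL(href, base);
  } catch (e) {
    return true;
  }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') return true;
  return !siteHosts.has(url.hostname.toLowerCase());
}

// Builds the interstitial URL; the destination rides along as a query
// parameter so the warning page can display it before the user continues.
function warningUrlFor(href, base = SITE_BASE) {
  const target = new URL(href, base).toString();
  return `${WARNING_PATH}?to=${encodeURIComponent(target)}`;
}

// Browser wiring: intercept clicks on anchors that leave the site.
function installExternalLinkGuard(doc) {
  doc.addEventListener('click', (ev) => {
    const a = ev.target.closest && ev.target.closest('a[href]');
    if (!a) return;
    const href = a.getAttribute('href');
    if (!isExternalLink(href)) return;
    ev.preventDefault();
    doc.defaultView.location.assign(warningUrlFor(href));
  });
}

// Only attach when running in a page; the functions stay testable in Node.
if (typeof document !== 'undefined') installExternalLinkGuard(document);
```

Two caveats for anyone deploying something like this: the `/leaving` page must itself re-check that the `to` parameter is an http(s) URL before offering the link, or it becomes an open redirector; and this only covers navigation the user initiates by clicking. The incident described in this thread was a script-driven redirect, which a click handler never sees, so it needs separate controls (script integrity checks, a Content-Security-Policy that limits where scripts may load from) rather than an interstitial.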
 

mrkelso

Member
Joined
Dec 4, 2008
Messages
1,517
Location
NNJ
Right now I am blocking

Viglink
Quantcast
Google Analytics
Facebook Connect

each and every time I log in here. Are these known researchers?
 

mkewman

Member
Joined
Aug 10, 2005
Messages
1,566
Location
Sacramento County, California
Why we didn't initially identify what happened

Well, we didn't fully understand what happened. We initially thought that Google misidentified some of our Javascript due to the way that Google initially reported the problem to us (it looked harmless). Additionally, these guys were good. They specifically targeted RadioReference and spent a lot of time researching how our site and infrastructure was put together, which allowed them to prevent us from identifying what occurred.

You did the right thing. When hackers are involved, it's best to clean up the mess, audit and THEN release what happened.

Glad nobody's personal information was involved and glad you guys handled it quickly!
 

spectr17

Member
Joined
Nov 1, 2003
Messages
177
Location
CA
Thanks Lindsey for the update. Life for admins would be so much easier if the USA just IP blocked certain countries like Russia, China, Nigeria etc.
 

QDP2012

Member
Joined
Feb 8, 2012
Messages
1,921
Malware attack when logging into Wiki

Good evening SysAdmins,

I don't know if this is a continuation of the above malware incident, or not, but just now, while logging into the Wiki (via the "Recent Changes" page), Norton prevented an attack and provided the following info in its alert:

  • Severity: High
  • Summary:An intrusion attempt by zzgjrlobch.hopto.org was blocked
  • Date & Time: 4/12/13 8:12:56 PM (EDT)
  • IPS Alert Name: Web Attack: FakeAV Download 2
  • Attacking Computer: zzgjrlobch.hopto.org (212.124.115.117, 80)
  • Attacker URL: zzgjrlobch.hopto.org/index.php?c=RaENOjEayDF925cOxP3ACC60zajgAjCTlcK0liAaKtvDheVQzm+YhzfWz1MP...
    (Edit: this post renders the URL with a space where there is none before AaK...)
  • Destination Address: (My machine name)(My internal IP, port 3799)
  • Source Address: 212.124.115.117 (212.124.115.117)
  • Traffic Description: TCP, http
  • Note: Network traffic from zzgjrlobch.hopto.org/index.php?c=RaENOjEayDF925cOxP3ACC60zajgAjCTlcK0liAaKtvDheVQzm+YhzfWz1MP... matches the signature of a known attack. The attack was resulted from \DEVICE\HARDDISK\VOLUME2\WINDOWS\SYSTEM32\SVCHOST.EXE
I might be wrong, but I am guessing that this is related to a (possibly infected) Google ad that appears to be incompletely displayed in the ad-box at the bottom of the left navigation column, below the "ToolBox" section. Right now it has an icon for "Download" and another for "Play", but no other identifying information, no text, no logos, no additional description, etc.

I suspect the Google ad because I had already been on the "Recent Changes" page, and was attacked only as it refreshed after logging-in.

Edit: To be clear, I did not click on the Google ad. This happened as soon as I typed my credentials into the log-in screen and tapped my keyboard's "Enter" button, as the "Recent Changes" page was reloading after a successful login.

Edit #2: I just now noticed in small-print at the bottom of the suspect-ad the following text "Advertisement for FreeDailyDownload.com"

Edit #3: This is the URL that displays when the suspect-ad is "moused-over":
Code:
http://www.googleadservices.com/pagead/aclk?sa=L&ai=C2db5EKNoUb33IY3U0AHt7YHgAujrvdgCsPr7s0DAjbcBEAEg_Y-IA1CC9ayEBWDJ_puN7KSkEq

Thank you for your continued efforts to protect RR.

Hope this helps,
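The alert quoted above is the kind of thing several users may report at once, so it helps to reduce it to a comparable record (signature, attacking host, IP, port) rather than pasting screenshots. The following is an added example, not code from RadioReference or from Norton, that parses the bullet-list format of the alert as posted; the alert text is copied from the post, and the list of dynamic-DNS suffixes is an assumption for the example.

```javascript
// Added example (not RadioReference's or Norton's code): turn a Norton IPS
// alert as pasted in the post into a structured record for triage.
// ALERT_TEXT is copied from the post above; the URL line is omitted.
const ALERT_TEXT = `
  • Severity: High
  • Summary:An intrusion attempt by zzgjrlobch.hopto.org was blocked
  • Date & Time: 4/12/13 8:12:56 PM (EDT)
  • IPS Alert Name: Web Attack: FakeAV Download 2
  • Attacking Computer: zzgjrlobch.hopto.org (212.124.115.117, 80)
  • Traffic Description: TCP, http
`;

// Assumption for this example: suffixes of free dynamic-DNS providers, which
// are worth calling out because the host behind them can change at any time.
const DYNAMIC_DNS_SUFFIXES = ['hopto.org', 'no-ip.org', 'ddns.net'];

// Splits each bullet line at its first colon; later colons (as in the
// "IPS Alert Name" value) stay inside the value.
function parseAlert(text) {
  const fields = {};
  for (const raw of text.split('\n')) {
    const line = raw.replace(/^\s*[•*-]\s*/, '').trim();
    const i = line.indexOf(':');
    if (i < 0) continue;
    fields[line.slice(0, i).trim()] = line.slice(i + 1).trim();
  }
  return fields;
}

// Pulls host, IP and port out of the "host (ip, port)" form Norton uses.
function parseAttacker(value) {
  const m = /^(\S+)\s+\((\d{1,3}(?:\.\d{1,3}){3}),\s*(\d+)\)$/.exec(value || '');
  return m ? { host: m[1], ip: m[2], port: Number(m[3]) } : null;
}

function usesDynamicDns(host, suffixes = DYNAMIC_DNS_SUFFIXES) {
  const h = host.toLowerCase();
  return suffixes.some((s) => h === s || h.endsWith('.' + s));
}

// Produces the record an admin would compare across user reports.
function summarizeAlert(text) {
  const f = parseAlert(text);
  const attacker = parseAttacker(f['Attacking Computer']);
  return {
    signature: f['IPS Alert Name'] || null,
    severity: f['Severity'] || null,
    when: f['Date & Time'] || null,
    attacker,
    dynamicDns: attacker ? usesDynamicDns(attacker.host) : false,
  };
}
```

The record that comes out (signature name, host, IP, port, dynamic-DNS flag) is what is worth comparing between reports: if several users see the same signature from the same host while loading the same page, that points at something served on the page rather than at one user's machine.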
 

QDP2012

Member
Joined
Feb 8, 2012
Messages
1,921
Thank you sir for your prompt reply. I just edited my previous post with more details.

Hope this helps,
 

Rt169Radio

Member
Premium Subscriber
Joined
Aug 24, 2011
Messages
2,984
Location
CT
I was wondering if the hacking is bad enough and/or the loss of money is big enough, do you have to or need to contact law enforcement?
 

gr8rcall

Member
Premium Subscriber
Joined
Jun 17, 2012
Messages
727
Location
Alamance County, NC
In one of the attack instances - the hackers configured their code to only run on the homepage and only for Internet Explorer browsers.

They spent a lot of time working on their attack vectors...

I guess I'm lucky that I use the site on an iPad! No IE for me!

Also, QDP2012, I've seen the ad that you are talking about!
I thought it was a little suspicious, but I wasn't aware of these recent attacks!
 