Title: Important announcement regarding forum malware attack
Post by: Atrius on March 21, 2017, 12:17:47 AM
Hey everyone, I've got some bad news and some good news.
The bad news: It's just been discovered that goldensunhacking.net was infected with malware around the end of February in 2016.
The good news: There is no indication so far that the attacker was trying to target user data, or impact normal site visitors in any way.
I'm still sifting through everything to determine the damage, but fortunately what I've analyzed so far indicates that the attacker was just using our server as a proxy. What that means is that they were masking their IP address as our server's to access other sites. I haven't found anything yet that would indicate regular users of the site would have been impacted by the malware, but I will keep you updated if I discover anything that indicates otherwise.
21 Mar Update
I've found code that could have been used to redirect traffic coming in specifically from the search providers Google, Yahoo, MSN, AOL, and Bing, or replace all of the links on the site with different links for traffic coming from those same search providers. It appears to have never been configured properly, though, and would not have been functioning. So far this is the only code I've found that could have impacted normal users, but again it would have required additional setup that was not performed, and would not have been functioning.
Although there are still no indications that user data was targeted, I'm continuing my analysis of all of the site's files to make sure, and will keep you informed. I have no estimate for when I'll get the site up and running again; making sure everything is clean is my main priority right now.
Title: Re: Important announcement regarding forum malware attack
Post by: Atrius on April 02, 2017, 02:20:28 PM
I've completed my cleanup of the malware, and I'm pretty confident that we're clean now. Additionally, I've made sure we have the latest security updates installed on the forum.
I'm still not sure how it happened in the first place; it's possible the attack didn't even originate on this site. One of the dangers of using a shared hosting environment is that things can leak over from other sites on the server. Regardless, I'm going to be keeping a closer eye on things for a while.