Golden Sun Hacking Community
Topic: Important announcement regarding forum malware attack
Atrius
« on: 21, March, 2017, 12:17:47 AM »

Hey everyone, I've got some bad news and some good news.


The bad news: It's just been discovered that goldensunhacking.net was infected with malware around the end of February in 2016.

The good news: There is no indication so far that the attacker was trying to target user data, or impact normal site visitors in any way.



I'm still sifting through everything to determine the damage, but fortunately what I've analyzed so far indicates that the attacker was just using our server as a proxy.  What that means is that they were masking their IP address as our server's to access other sites.  I haven't found anything yet that would indicate regular users of the site would have been impacted by the malware, but I will keep you updated if I discover anything that indicates otherwise.



21 Mar Update

I've found code that could have been used to redirect traffic coming in specifically from the search providers Google, Yahoo, MSN, AOL, and Bing, or replace all of the links on the site with different links for traffic coming from those same search providers.  It appears to have never been configured properly though, and would not have been functioning.  So far this is the only code I've found that could have impacted normal users, but again it would have required additional setup that was not performed, and would not have been functioning.

Although there are still no indications that user data was targeted, I'm continuing my analysis of all of the site's files to make sure, and will keep you informed.  I have no estimate for when I'll get the site up and running again; making sure everything is clean is my main priority right now.
« Last Edit: 02, April, 2017, 01:59:26 PM by Atrius »

Atrius
« Reply #1 on: 02, April, 2017, 02:20:28 PM »

I've completed my cleanup of the malware. I'm pretty confident that we're clean now. Additionally, I've made sure we have the latest security updates installed on the forum.

I'm still not sure how it happened in the first place; it's possible the attack didn't even originate on this site.  One of the dangers of using a shared hosting environment is that things can leak over from other sites on the server.  Regardless, I'm going to be keeping a closer eye on things for a while.