anyweb

Please Read ! - Recent issue on windows-noob.com

We received a report from a user of an unusual alert from their anti-malware software, where it appeared that a domain known to host malicious JavaScript was accessed from a Windows-Noob page. An analysis at the time did not detect any unusual changes to the forum software and concluded that the most likely scenario was a malicious advertisement in the Google/DoubleClick ecosystem. At this time, the skins for the IP.Board software were re-cached as a precaution.
Some time later, some proxy servers' content categorisation system began to categorise Windows-Noob.com as "Suspicious". We were frustrated at the time to have little to no further information as to why this was the case. Only one of the website scanners we used to try and externally determine if there was an infection showed an issue: it had "Detected reference to malicious blacklisted domain myitforum.com". This domain obviously is quite legitimate, but had been compromised in the past, as have many websites that accept user generated content. We were assured that the infection issue on myitforum.com had been resolved, but in an effort to remove the "Suspicious" category from Windows-Noob.com, removed all outbound links to myitforum.com from our site. We did not at this stage connect the earlier report and this issue.
None of the highly respected external systems like Google Webmaster Tools at any point suggested that we had been infected, and the 'detection' was limited to this one website scanner, which gave us these results referencing myitforum.com.
Later still, we received another report from a user that their browser had been redirected to a malicious domain after visiting Windows-Noob from a search engine result page. We also finally received detailed information from the proxy server categorisation system provider that gave specific detail as to our "Suspicious" categorisation.
A packet capture on the Windows-Noob server was taken over a few hours and then analysed. With the reported information from the user, we quickly identified injected JavaScript based on the reported malicious domain.
The injected JavaScript was located in the theme cache files and was removed. Additional aggressive monitoring was put in place to try and determine if there was an active entry vector for the attacker.
Later on that evening, malicious JavaScript re-appeared, detected by the additional monitoring we had put in place, and we promptly removed it again. Detailed analysis, including log file and packet capture analysis, was performed to try and determine the attack vector, but no promising leads were found.
The injected JavaScript then did not re-appear after that second appearance, and we unfortunately remain in the dark as to how the attack occurred. Our improved monitoring systems remain in place.
The code, once unpacked and analysed, was actually quite rudimentary and simply injected references to the malicious JavaScript if certain conditions were met (user was referred from a search engine result page, and using certain browsers). Extensive reviewing of log files revealed no evidence of any other intrusion, but we accept that given our lack of understanding of the original attack vector, we cannot determine if any other actions were taken.
Because we were unable to determine with confidence the source of the injected JavaScript and the attack vector used, we took the step of a complete server reinstall from known good media. The forum software has been completely reinstalled from a fresh download of the IP.Board software and all old and non-essential files removed.
At the same time, we have taken other steps to protect users, including implementing mandatory HTTPS across the site (long overdue!), which would have, in this scenario, prevented injected JavaScript on HTTP domains executing in users' browsers and also protects passwords in transit.
We apologise to users that this happened and particularly that we didn't spot it quickly enough. We hope as fellow IT professionals you appreciate the challenges in defending complex systems that are exposed to the world, especially on a very modest budget. We have learned a lot from this incident, despite the frustration of not knowing the original attack vector, and will continue to work hard to do better.
It is a good idea, given what has happened, to reset your password for this site. This will also have the effect of invalidating the passwords that used to transit in the clear over HTTP and mean that your new password will not have traversed the public internet unencrypted. The standard advice about also resetting any other password that you might have shared with this site applies too.
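The post describes injected script references found in the theme cache files and "additional aggressive monitoring" that caught the second injection. As an added illustration (not windows-noob's own tooling, and not code from the post), the script below shows one way such monitoring can work: baseline the cached theme files by SHA-256, then on each scan report any changed, new or deleted file together with external script hosts it references that are not on an allowlist. The directory layout, the allowlisted hosts and the `malicious-placeholder.invalid` domain are constructed for the demo.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Host part of any external <script src=...> reference, with or without a scheme
# (the injection described in the post used references to an external domain).
SCRIPT_SRC = re.compile(r'<script[^>]*\ssrc=["\']?(?:https?:)?//([^/"\'\s>]+)', re.I)


def external_script_hosts(html, allowlist):
    """Return script hosts referenced by html that are not allowlisted (case-insensitive)."""
    allowed = {a.lower() for a in allowlist}
    hosts = {h.lower() for h in SCRIPT_SRC.findall(html)}
    return sorted(h for h in hosts if h not in allowed)


def build_baseline(cache_dir):
    """Map each file under the theme cache (relative path) to its SHA-256 digest."""
    root = Path(cache_dir)
    return {str(p.relative_to(root)): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}


def scan(cache_dir, baseline, allowlist):
    """Report files that differ from the baseline: (path, change kind, unexpected script hosts)."""
    root = Path(cache_dir)
    current = build_baseline(cache_dir)
    findings = []
    for rel, digest in current.items():
        if baseline.get(rel) == digest:
            continue  # unchanged since the baseline was taken
        kind = "modified" if rel in baseline else "new file"
        html = (root / rel).read_text(errors="replace")
        findings.append((rel, kind, external_script_hosts(html, allowlist)))
    for rel in baseline:
        if rel not in current:
            findings.append((rel, "deleted", []))
    return findings


def demo():
    """Constructed scenario: baseline a clean cache, then append an injected script tag to one file."""
    allow = {"ajax.googleapis.com"}  # assumed legitimate script host for the demo
    with tempfile.TemporaryDirectory() as d:
        page = Path(d) / "skin_global.html"  # constructed cache file name
        page.write_text('<script src="https://ajax.googleapis.com/jquery.js"></script>\n')
        baseline = build_baseline(d)
        assert scan(d, baseline, allow) == []  # clean cache produces no findings
        page.write_text(page.read_text()
                        + '<script src="//malicious-placeholder.invalid/x.js"></script>\n')
        return scan(d, baseline, allow)
```

Run this from cron against the real theme cache directory with a baseline taken right after the skins are re-cached; any non-empty result is worth an alert, and the host list tells you immediately whether the change is a legitimate re-cache or an injection.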