
Steelpulse


Member Since 30 Jul 2013

#1346806 Malware warning by Google [Incident: 2014/08/21]

Posted by Grumpy on 21 August 2014 - 03:07 PM

Well... don't panic... but it appears Batoto has been hacked.

Google's scanner reported that there was malware present on this site about half a day before this post, which caused the malware warning to be displayed to anyone trying to visit the site, and which started the investigation.


An encrypted javascript injection (simply malware/virus) was found in Batoto's skin code, namely Deluxe. This is highly concerning, since the admins are supposed to be the only ones who can access that. I cleaned out the infection, but later decided to nuke the entire skin, as there may be more lingering pieces. The Deluxe skin has been deleted and will not be restored. In its place, our old skin, Sylo, is back as the default, and Blood is still there as an option.


At this time, I am unable to be certain of the scope of the damage or the point of vulnerability. I am going to investigate further later as to how long this virus has been present.


I'm not sure what the injected javascript does, because whenever I tried to access it, I either got the already-suspended account it led to or a file-not-found page (404). But it is possible the not-found page is a disguise, since it's possible to make the URL time-gated and/or referrer-gated to prevent accessing the same URL again later. At the same time, it's entirely possible the URL the virus tried to load really didn't exist and resulted in no action.


The virus itself seems to often hide itself, thus making detection difficult. On top of that, it seems very new (or recently altered) and does not exist in many anti-malware databases. That's why there were even notices by Google saying there was malware but that it found 0 pages with it. Almost no scanner I tried detected it, and I almost gave up using scanners. It seems to have targeted IE users. I could not make the injected code appear using firefox/chrome browser headers. It targeted users that came from a search engine. It was also invisible to the standard googlebot.


During the investigation, I also found out that the same kind of virus was previously present at another IPB site, completely independent of ours. And similarly, it is running version 3.4.6 (latest). So it seems most likely that this virus targets IPB sites and may be a zero-day exploit (an exploit that a patch does not exist for). I've sent what little info I have, as much as I can, to IPB as well, in case it really is a zero-day attack against IPB systems.


The biggest concern right now is that I still don't know exactly how the system was breached. If this really is an attack against the current version of the IPB system, I can't guarantee the virus won't return. If it was an exploit caused by the Deluxe skin, I have gotten rid of it, but that's just a guess. I've been scouring the logs for the last few hours... and besides the typical dozens of attempts that failed (this is nothing specific to us, just the life of a sysadmin), I really don't see anything special right now.

AS OF NOW

No unknown third-party items are being pulled during loading of Batoto pages, so Google is no longer flagging us as suspicious.


If you see anything suspicious from this moment on, please report it immediately! If you don't have an account, you can email me: [email protected]

Security tips & Profiling

These kinds of malware (javascript injected into sites) are typically after putting in their ads, redirecting you somewhere else, or installing a virus on your computer. From the reports I've gotten, it doesn't seem like that's happening. But just as a tip... if this site, heck, any site or anything, anywhere, EVER tells you to install something, don't. The only time you want to install something is if you initiated it: if you went out to search for and install that thing.


Also, if you'd like, Batoto is designed to be able to run without JS or Flash. You can run this site with pure HTML & CSS only, which has zero risk. But certain features will be inaccessible.

tl;dr

It looks like we're okay. But we might not be.

p.s. This incident is not related to the ads.
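The post describes an injection that only appeared for IE user agents arriving from a search engine, and never for Googlebot or for Firefox/Chrome headers, which is why a single fetch with a normal browser missed it. The following is an added example (not code from the original post or from Batoto/IPB) of how a sysadmin can probe for that kind of cloaking: fetch the same URL under several header profiles, diff the script tags against a baseline fetch, and flag obfuscation markers in anything that only shows up for some profiles. The header strings, marker list and the `fake_fetch` stand-in that simulates the cloaked injection are all constructed assumptions so the block runs offline; `real_fetch` is what you would pass for a live check.

```python
"""Probe a page for script injection that is cloaked by User-Agent / Referer.

Added example, not from the original post. The profiles below are assumed
representative; a real check should add more UA/referrer combinations.
"""
import re
from html.parser import HTMLParser
from typing import Callable, Dict, List, Set

CHROME_UA = "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0 Safari/537.36"
IE8_UA = "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)"
GOOGLEBOT_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
SEARCH_REFERER = "https://www.google.com/search?q=batoto"  # assumed referrer

# Header profiles to try; "chrome-direct" is the baseline everything is diffed against.
PROFILES: Dict[str, Dict[str, str]] = {
    "chrome-direct": {"User-Agent": CHROME_UA},
    "chrome-from-google": {"User-Agent": CHROME_UA, "Referer": SEARCH_REFERER},
    "ie8-direct": {"User-Agent": IE8_UA},
    "ie8-from-google": {"User-Agent": IE8_UA, "Referer": SEARCH_REFERER},
    "googlebot": {"User-Agent": GOOGLEBOT_UA},
}

# Substrings commonly seen in obfuscated injected JavaScript (assumed list).
OBFUSCATION_MARKERS = ("eval(", "unescape(", "fromCharCode", "document.write(", "atob(")


class ScriptCollector(HTMLParser):
    """Collect external <script src> URLs and inline <script> bodies from a page."""

    def __init__(self) -> None:
        super().__init__()
        self.scripts: List[str] = []
        self._in_script = False
        self._buf: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.scripts.append("src:" + src)
        else:
            self._in_script, self._buf = True, []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._in_script:
            self._in_script = False
            self.scripts.append("inline:" + "".join(self._buf).strip())


def extract_scripts(html: str) -> Set[str]:
    parser = ScriptCollector()
    parser.feed(html)
    return set(parser.scripts)


def probe(url: str, fetch: Callable[[str, Dict[str, str]], str]) -> Dict[str, List[str]]:
    """Fetch url under every profile; return scripts that are absent from the baseline."""
    baseline = extract_scripts(fetch(url, PROFILES["chrome-direct"]))
    findings: Dict[str, List[str]] = {}
    for name, headers in PROFILES.items():
        extra = extract_scripts(fetch(url, headers)) - baseline
        if extra:
            findings[name] = sorted(extra)
    return findings


def obfuscation_hits(script: str) -> List[str]:
    """Which obfuscation markers appear in a script string (order of OBFUSCATION_MARKERS)."""
    return [marker for marker in OBFUSCATION_MARKERS if marker in script]


# --- Constructed offline stand-in for the site --------------------------------
CLEAN_PAGE = "<html><head><script src='/public/js/ipb.js'></script></head><body>ok</body></html>"
# Constructed placeholder payload, not the real injected code from the incident.
INJECTED = "<script>eval(unescape('%64%6f%63...'))</script>"


def fake_fetch(url: str, headers: Dict[str, str]) -> str:
    """Simulates the cloaking the post describes: inject only for MSIE arriving from search."""
    if "MSIE" in headers.get("User-Agent", "") and "google.com/search" in headers.get("Referer", ""):
        return CLEAN_PAGE.replace("</head>", INJECTED + "</head>")
    return CLEAN_PAGE


def real_fetch(url: str, headers: Dict[str, str]) -> str:
    """Live fetcher for actual use (assumes network access)."""
    import urllib.request
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, timeout=15) as resp:
        return resp.read().decode("utf-8", "replace")


if __name__ == "__main__":
    for profile, scripts in probe("http://example.invalid/", fake_fetch).items():
        for script in scripts:
            print(f"{profile}: {script[:60]!r} markers={obfuscation_hits(script)}")
```

With the stand-in fetcher only the `ie8-from-google` profile reports an extra inline script, and it trips the `eval(` and `unescape(` markers. Against a live site, remember that the post also suspects the payload URL is time- or referrer-gated, so fetch each profile from a fresh IP where you can, and compare the skin template files on disk as well, since the page response is only one place the injection can be seen.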




#1346845 Malware warning by Google [Incident: 2014/08/21]

Posted by Halo on 21 August 2014 - 03:42 PM

... It seems to have targeted IE users.

So nobody was affected? Sweet.