Star Wars Roleplay: Chaos


Remaining Vigilant: SWRP Vulnerability Exploited

Status
Not open for further replies.
Earlier this afternoon, suspicions were confirmed when a server vulnerability was discovered to have been exploited. The perpetrators are unknown, but other websites that have suffered the same fate as SWRP performed Wireshark pulls that identified the sources as Russian.

The SWRP Staff Team will be taking action to prevent this vulnerability from being exploited again; however, I ask that all members report any suspicious activity when visiting the website.

What Happened:
  • Upon visiting the website through Google, a visitor would be redirected through the below website.
This is a form of "click-baiting", forcing a portion of SWRP's traffic through their own website for their own purposes for traffic.

url4short.info

It is NOT recommended members of SWRP visit this website.

It is recommended members of SWRP block this website.

Important to Know:

1. There have been no known cases of members' accounts being violated, including passwords & e-mails.

2. There have been no known cases of any exploits being further pursued.

3. The method of infiltration was PHP injection. There was no known server access granted to the infiltrators. This was a fairly common hack meant only to redirect members for the purpose of gaining their own web traffic.


TL;DR:

Keep an eye out. The internet's a dangerous place. Report any suspicious activity when visiting SWRP.
 
[member="Tefka"]
I actually just had this happen to me and ran a malware scan on my PC to remove a few things; I thought it was my browser or that I downloaded something to screw up my Chrome. Thanks for the heads up, though.
 
Stuff like this used to plague phpBB boards a lot in the earlier days; I'm not too familiar with IP.Board, but I remember for phpBB someone made a security plugin to prevent it, so maybe one for IP.Board exists.
 
Well-Known Member
Hmm, is that perhaps why, when I initially clicked on the site just now, I was brought to an error screen saying "Driver Server Level Error"?
 
Fatty said:
For internet dweebs, can you explain what "recaching a browser" means?
 
In Umbris Potestas Est
Sounds like some people need to be dealt with. I know this might sound a bit extreme, but have you run the IPs the hack was performed from through our list of members to check and make absolutely sure there are no correlations?
 
Enigma said:
Sounds like some people need to be dealt with. I know this might sound a bit extreme, but have you run the IPs the hack was performed from through our list of members to check and make absolutely sure there are no correlations?
Common activity from certain areas. Unlikely to be a user IMO.
 
The exploit was found again to be plaguing the website.

It has since been more thoroughly investigated. This article explains exactly what happened: http://blog.sucuri.net/2015/02/analyzing-malicious-redirects-in-the-ip-board-cms.html

It's an old plague that seems to be resurfacing, and we were definitely hit with it. I found almost the exact same code within SWRP's code. It has been removed.

Constant vigilance. Member, RPJ, Admin - if you click a SWRP Google link and are redirected to any website other than our own, please inform Staff - either privately or publicly - immediately. The faster we know about it, the better.
 
Vulpesen said:
I was wondering what happened there. Never clicked an X so fast in my life.

[member="Tefka"]
I'm not blaming you for anything at all, but remaining silent - as I'm guessing others have - hurts our ability to quickly track down these issues and fight back against attackers.

If you see something alarming, raise the alarm.
 