Security warnings concerning LSP


95 replies to this topic

#16 "Crazy" Don Flynn

"Crazy" Don Flynn

    LSP Junkie

  • LSP_Members
  • 71 posts

Posted 08 May 2010 - 09:42 PM

I'm getting a warning and block on the main page, which I use most times for access to the forums. I'm coming through the link posted on HS now to this post: no warnings.

Norton NIS 2009... fully updated

#17 LSP_Kevin

LSP_Kevin

    Senior Member

  • Administrator
  • 39,415 posts
  • Gender:Male
  • Location:Melbourne, Australia

Posted 09 May 2010 - 02:13 AM

OK, I've done some investigating and it appears LSP has become the victim of a brand-new attack. I'm currently trying to clean it up, but it's Mother's Day here in Australia, so my priorities are elsewhere for the moment. At least this one was easy to find, and hopefully easy to clean up. Unfortunately it leaves me having to remove some malicious code from a large majority of our site files - and there's thousands of 'em...

Stay tuned.

Kev

#18 LSP_Kevin

LSP_Kevin

    Senior Member

  • Administrator
  • 39,415 posts
  • Gender:Male
  • Location:Melbourne, Australia

Posted 09 May 2010 - 02:15 AM

Avast is now reporting a Trojan when accessing this site:

5/8/2010 11:24:52 AM http: //www4.suitcase52td.net/?p=p52dcWpkbG...WhtZZycmA%3D%3D [L] JS:ScriptIP-inf [Trj] (0)

suitcase52d appears to be a known malware site (at least it is being reported as such: http://www.freepcsec...us-sites-may-8/)

Once Avast blocked access to the site, I was able to come back and access the site without problems.


By the way, if you do as Mark suggests above, you'll be fine, since this is indeed the heart of the problem.

Kev

#19 LSP_Kevin

LSP_Kevin

    Senior Member

  • Administrator
  • 39,415 posts
  • Gender:Male
  • Location:Melbourne, Australia

Posted 09 May 2010 - 07:27 AM

Alrighty, I think I've managed to remove the offending malicious content from all the top-level files. It had pretty much infected every PHP file on the site, including the forums, so they've been cleaned too. I still have to do the bulk of the main website's content, but I'm working towards it. To give you an idea of how much there really is, the Articles section alone has taken well over 7 hours to download via FTP to my local computer for sanitizing, and it hasn't even finished yet...

Kev

#20 JamesHatch

JamesHatch

    Senior Member

  • LSP_Members
  • 2,332 posts
  • Gender:Male
  • Location:LSM HQ, Northern UK Division.

Posted 09 May 2010 - 08:00 AM

Wow! You don't use FTP passwords like '12345' do ya!!! :thumbsup:


#21 LSP_Kevin

LSP_Kevin

    Senior Member

  • Administrator
  • 39,415 posts
  • Gender:Male
  • Location:Melbourne, Australia

Posted 09 May 2010 - 08:35 PM

OK, I think I've worked through most of this now, though I'll keep checking for any files I might've missed.

Wow! You don't use FTP passwords like '12345' do ya!!! :thumbsup:


Nope, but I changed it anyway!

Kev

#22 LSP_Kevin

LSP_Kevin

    Senior Member

  • Administrator
  • 39,415 posts
  • Gender:Male
  • Location:Melbourne, Australia

Posted 10 May 2010 - 01:09 PM

Right, I'm pretty sure I've been through every file now, and it's all clean. I'm seeing reports on both HyperScale and ARC that some people are still seeing a problem, but I can't verify that.

We do still have, however, the annoying Google redirection hack, which is possibly what people are still experiencing (or at least their AV software is). I'm still working on that one, but so far am stumped. I'm attempting to get Invision to help us out, but they seem to operate like a government department. :speak_cool:

Kev

#23 Kagemusha

Kagemusha

    Senior Member

  • LSP Moderator
  • 9,607 posts
  • Gender:Male
  • Location:Mancunia

Posted 10 May 2010 - 02:51 PM

I've got Kaspersky, and got my first Trojan warning while visiting the site just now while posting on the B-25 thread if that helps Kev?

#24 LSP_Kevin

LSP_Kevin

    Senior Member

  • Administrator
  • 39,415 posts
  • Gender:Male
  • Location:Melbourne, Australia

Posted 11 May 2010 - 12:39 AM

I've got Kaspersky, and got my first Trojan warning while visiting the site just now while posting on the B-25 thread if that helps Kev?


Thanks Kag. I've done a rescan and found a few files that I've missed, plus, I think I found the source of our Google redirect problem too.

So, I tentatively declare that LSP is now clean, for the moment!

However, should you notice any anomalies, please either contact me directly (kevin@largescaleplanes.com), or post a message here in this thread.

Kev

#25 LSP_Kevin

LSP_Kevin

    Senior Member

  • Administrator
  • 39,415 posts
  • Gender:Male
  • Location:Melbourne, Australia

Posted 11 May 2010 - 02:26 AM

And so I'm proven wrong, yet again! I've just verified that I was too hasty in my assessment. I'm pretty sure this is just my oversight this time, in that I failed to deal with all the sub-directories of the various sections. More work to do...

Kev

#26 LSP_Kevin

LSP_Kevin

    Senior Member

  • Administrator
  • 39,415 posts
  • Gender:Male
  • Location:Melbourne, Australia

Posted 12 May 2010 - 12:49 AM

OK, while I'm no longer prepared to make a definitive statement about things being 'all clear', I'm hoping they are now. I'll continue to monitor the situation over the coming days and weeks, to be sure. It seems McAfee still has issues with LSP, but I suspect that this is because it uses a ratings system, rather than active malware scanning, and it probably just needs to update its list.

Here's a bonus though: some of you may have been aware that some of the buttons, tabs and drop-downs in the user profile section weren't working. Well, after the clean-up, it appears they are again. So, some good news for a change.

Kev

#27 Allok

Allok

    Senior Member

  • LSP_Members
  • 3,632 posts
  • Gender:Male
  • Location:Christchurch, New Zealand

Posted 12 May 2010 - 08:40 AM

Some of you may have been aware that some of the buttons, tabs and drop-downs in the user profile section weren't working.

Thanks for fixing that Kev.
I'd almost given up hope.
Don't you wish some people would use glue...
Instead of lipstick?

#28 LSP_Kevin

LSP_Kevin

    Senior Member

  • Administrator
  • 39,415 posts
  • Gender:Male
  • Location:Melbourne, Australia

Posted 12 May 2010 - 09:00 AM

Thanks for fixing that Kev.
I'd almost given up hope.


I wish I could take credit Keith, but it was a mere side-effect of removing all the malicious code. The Google redirect code was interfering with the JavaScript code that underpins that functionality. So, I guess we can say that that particular nasty has been there for as long as the profile stuff hasn't been working. <_<

Anyway, things are looking OK for the moment.

Kev

#29 LSP_Kevin

LSP_Kevin

    Senior Member

  • Administrator
  • 39,415 posts
  • Gender:Male
  • Location:Melbourne, Australia

Posted 12 May 2010 - 12:58 PM

Well, it seems my worst fears have come true. All our files are already infected, again. <_<

Kev

#30 phantomdriver

phantomdriver

    Senior Member

  • LSP_Members
  • 564 posts
  • Gender:Male
  • Location:offworld............

Posted 12 May 2010 - 02:58 PM

Never had any problem, I use ESET NoD32... <_<
