TriS reported as an Attack site

Just what it says on the tin.

Moderators: justTripn, Elessar, dark_rain

Cogito
Fleet Captain
Posts: 1886
Joined: Fri Dec 03, 2010 8:46 pm
Show On Map: No
Location: England

Re: TriS reported as an Attack site

Postby Cogito » Mon Jun 27, 2011 6:07 pm

Many of them are written by extremely skilled programmers, but the people who deploy them are often ignorant little gits who just follow instructions. Spreading infections is quite a big business for some people who use them to harvest large quantities of personal data that they can then sell.

Hopefully SilverBullet's firewall and/or antivirus was smart enough to prevent the infection from entering his machine, but it's possible that he has a less smart firewall / antivirus that has let his machine get infected and has only prevented the infection from reporting to its master.

If in doubt it would be a good idea to visit http://housecall.trendmicro.com/uk/ and do an online scan to see whether there is any cause for concern. There is a similar scanner at http://www.eset.com/us/online-scanner if you want to double check.

Silverbullet
Commodore
Posts: 3507
Joined: Thu May 14, 2009 4:38 pm
Show On Map: No
Location: Casa Grande , Arizona

Re: TriS reported as an Attack site

Postby Silverbullet » Mon Jun 27, 2011 8:41 pm

Ran Trend Micro housecall. No threats. Of course, this piece of Horsepuckey I have for an ISP picks the damnedest time to screw up so it hinders things a bit. It has a habit of doing that when I am trying to install or buy something on line. Cost me two charges for a renewal of Norton by screwing up things. It stopped dead during a download and I had to restart the computer. Meanwhile the first download was registered on my credit card and so was the next which looked as if it had picked up where the first had left off. Got a hefty bill for two Nortons. Slightly different.

Sometimes think am being harassed by the ISP but then I am paranoid.

Just because I am paranoid doesn't mean that they are not after me.

SB
I am Retired. Having a good time IS my job



WarpGirl
Vice Admiral
Posts: 9885
Joined: Thu Apr 16, 2009 6:02 pm
Location: In A State Of Constant Confusion

Re: TriS reported as an Attack site

Postby WarpGirl » Mon Jun 27, 2011 9:53 pm

I always say... "Just because I'm paranoid doesn't make me wrong!" :-p I've picked up more viruses at FF.net than anywhere else on the net. I haven't once caught anything from here.
Some of these people haven't taken their medication. Let's see what happens now...
Donna Moss: The West Wing


And by people WG had herself in mind, but then the quote would have been ruined.
Fics
May We Together Become Greater Than The Sum Of Us
*Rights,* Wrongs, and Choices

Silverbullet
Commodore
Posts: 3507
Joined: Thu May 14, 2009 4:38 pm
Show On Map: No
Location: Casa Grande , Arizona

Re: TriS reported as an Attack site

Postby Silverbullet » Mon Jun 27, 2011 10:30 pm

Actually I caught so many from Trek BBS that I stopped going there. Seemed every time I logged on I got something. Think it was in the ads.

FF Net will switch to an ad once you are on the site. Annoying as Hell. That may be where I got this Web Attack blackhole Toolkit Web 5. Who knows.

I mean it is expected if one goes near a Porn site or a skin site but Hell I only log on to Tris, NCIS Friends site, FF Net and occasionally Amazon or B&N also Astronomy. Wouldn't think that they would be hideouts for Trojans.

SB
I am Retired. Having a good time IS my job



Cogito
Fleet Captain
Posts: 1886
Joined: Fri Dec 03, 2010 8:46 pm
Show On Map: No
Location: England

Re: TriS reported as an Attack site

Postby Cogito » Mon Jun 27, 2011 11:25 pm

Silverbullet wrote: Actually I caught so many from Trek BBS that I stopped going there. Seemed every time I logged on I got something. Think it was in the ads.

FF Net will switch to an ad once you are on the site. Annoying as Hell. That may be where I got this Web Attack blackhole Toolkit Web 5. Who knows.

I mean it is expected if one goes near a Porn site or a skin site but Hell I only log on to Tris, NCIS Friends site, FF Net and occasionally Amazon or B&N also Astronomy. Wouldn't think that they would be hideouts for Trojans.

SB


It often seems to be completely sensible sites that get infected. I remember reading once how many web sites associated with household names had been compromised and it was an alarmingly high percentage with some very well known names in the list. These days even sticking to entirely reputable sites isn't enough to ensure safety. But in this case I'm pretty sure that it was the TriaxianSilk web site that was compromised (and now seems to have been healed) rather than your computer.

Silverbullet
Commodore
Posts: 3507
Joined: Thu May 14, 2009 4:38 pm
Show On Map: No
Location: Casa Grande , Arizona

Re: TriS reported as an Attack site

Postby Silverbullet » Tue Jun 28, 2011 12:45 am

Healed? Does this mean that the Main page will be back? Still get the Page cannot be found message when I log on. Can get to forum as usual though.

Will have to see in the morning if I get attacked again.

My daughter logs on to damn near anything. She goes for the free coupon sites and anything else that offers something free. My niece was getting cases of Dog food and god knows what else free. She had a whole file of places offering free stuff. This was before computers were in the home.

Hell my daughter gives out her Credit Card number over the net.

Sb
I am Retired. Having a good time IS my job



Elessar
Site Owner
Posts: 3467
Joined: Thu Dec 21, 2006 10:45 pm
Location: Missouri

Re: TriS reported as an Attack site

Postby Elessar » Tue Jun 28, 2011 7:20 pm

Thanks for the advice, Kotik and Cogito, I know that Mike is keeping tabs on this thread for ideas, so here's an update...

We're continuously removing the 'file' that's being generated but the pinch is there's a piece of code hidden somewhere that's continuously regenerating it, and to my untrained technical mind the only way to understand it is that there are lots of places this piece of code can hide. Mike's still looking for it and continues to delete this file.

We're considering a complete backup may be the most brute-force method to remove this thing. Currently just getting all our ducks in a row to make sure we do not lose anything by uploading the backup. We'll keep you informed, thanks for your patience.
"I call shotgun!"
"I call nine millimeter." - John and Cameron



Favorites:
Vulcan For...
Your Mom n' Me

Kotik

Re: TriS reported as an Attack site

Postby Kotik » Tue Jun 28, 2011 9:51 pm

What sort of file is being generated? The only ways for a file to be generated on the server are:

a) a hidden automatic upload. Such a file would show up in the default upload directory (configured in php.ini)
b) a file being generated by the server software, which would mean someone compromised the webserver software
c) an attack on OS level, but that's rather unlikely, unless the server is running on a windoze system and IIS.

There are several ways code can hide:

a) SQL injection. If text entry fields are not handled properly, attackers might inject SQL code, but that's usually used to attack databases.
b) JavaScript injection. From my experience and what I've seen from this blackhole toolkit, code might be hidden in the JavaScript parts. I've done an analysis of what TriS delivers to my browser and I hate to say so, but there's a lot of completely unnecessary JavaScript malarkey in it, like the stuff that changes the button colours when you hover the mouse over it. Doesn't add anything to the site rather than useless bling, but JavaScript is by definition unsafe. Most website attacks/defacements/infections use JavaScript.
c) A far-fetched, but not negligible chance is that someone injected code using the comment system. It all depends on how well the entered text is analyzed, before it makes its way into the database.

Quite honestly, at the moment, most of it is speculation. For a real picture, the following information is needed:

- Type and version of the server's operating system (including patch level)
- Type and version of the webserver software (including patchlevel)
- PHP version (including patchlevel and ini-settings)

Other contributing factors might be ACL settings on directories that the web server software has access to or mistakenly SUID'ed cgi binaries. A webserver is a rather vulnerable construction if you go by the default settings.

The thing that really baffles me is the fact that someone chose to attack a niche site. If activity of the last few weeks is anything to go by, we're a rather quiet place, so for anyone to attack us can only mean that he/she was either patently clueless or we have a huge big ol' security hole somewhere that just begged for being exploited.

Silverbullet
Commodore
Posts: 3507
Joined: Thu May 14, 2009 4:38 pm
Show On Map: No
Location: Casa Grande , Arizona

Re: TriS reported as an Attack site

Postby Silverbullet » Wed Jun 29, 2011 1:30 pm

Noticed something. Am attacked by Blackhole toolkit Web 5 when I first get on Trisilk. Just when I hit the area saying page cannot be found the only time my computer is attacked by this. First thing in the a.m. Wonder if the damned thing is keeping track and attacking once, failing and not attacking again until the next day.

First time I noticed anything wrong was when Decon started acting up. Click on a story and the Decon would try to load and try again and again never being successful.

SB
I am Retired. Having a good time IS my job



Entilzha
Captain
Posts: 922
Joined: Sat May 05, 2007 9:07 pm
Show On Map: No
Location: Minbar

Re: TriS reported as an Attack site

Postby Entilzha » Wed Jun 29, 2011 6:05 pm

For safer surfing I use add-ons in Firefox like NoScript or Flashblock and Adblock. I only allow script if I really need it.
You live for The One, you die for The One.

marchale
Commander
Posts: 258
Joined: Mon Feb 28, 2011 10:53 pm
Location: Fridley, Minnesota

Re: TriS reported as an Attack site

Postby marchale » Wed Jun 29, 2011 11:14 pm

Wow, I'm sure sorry to hear about the trouble folks have had here recently, just wanted to add my two cents in that I use Firefox 5 (with SeaMonkey too, for email and web browsing if I'm following a link in an email), and I've got the Ad-Block & No Script Addons too, and a real aggressive Norton searchbar installed in Firefox that warns me about anything suspicious and last night I even had to add both 32 bit and 64 bit new Java software to upload the new Trip and T'Pol folders to my Photobucket account - and everything is running as smooth as silk for me here in this forum and on your website too. (Sorry I can't check out your Facebook site, but I'm not a member of Facebook so I can't see anyone's account there, not just Triaxiansilk's). But I didn't get any warnings or blocks at all in Firefox (or SeaMonkey!). Anyway, Triaxiansilk sites are working fine for me with this set-up I've got.
http://home.comcast.net/~shadyladyfakes/ - my home page
http://photobucket.com/shadyladyfakes/ - my Enterprise screencaps (they're mainly close-ups!)

Silverbullet
Commodore
Posts: 3507
Joined: Thu May 14, 2009 4:38 pm
Show On Map: No
Location: Casa Grande , Arizona

Re: TriS reported as an Attack site

Postby Silverbullet » Thu Jun 30, 2011 5:22 pm

When I first got on Trisilk this morning no attack from Blackhole Toolkit. However, when I just now got on there was an immediate attack which was blocked by my Norton firewall.

I have Norton and am using Internet explorer and Google as my home page.

I still get the message that the front main page cannot be found. Do others still have trouble with the main page or can they now get on to it and read the stories posted there? Marc sounds as if she can. Wonder what is up.

SB
I am Retired. Having a good time IS my job



Cogito
Fleet Captain
Posts: 1886
Joined: Fri Dec 03, 2010 8:46 pm
Show On Map: No
Location: England

Re: TriS reported as an Attack site

Postby Cogito » Thu Jun 30, 2011 5:35 pm

I use FireFox and everything works exactly as normal for me. I no longer get the warning that TriaxianSilk is flagged as an attacking site. As far as I can see there is nothing at all out of the ordinary happening.

You may find it helps to clear the cache in your browser (Tools / Options / General / Delete Browsing History / Delete Temporary Internet Files) in case Internet Explorer has cached an infected copy of one of the files.

Silverbullet
Commodore
Posts: 3507
Joined: Thu May 14, 2009 4:38 pm
Show On Map: No
Location: Casa Grande , Arizona

Re: TriS reported as an Attack site

Postby Silverbullet » Thu Jun 30, 2011 9:58 pm

Deleting browsing History and temporary internet files didn't help. Still get message that Page cannot be found.

Shit, not to put too fine a point on it.

SB
I am Retired. Having a good time IS my job



Cogito
Fleet Captain
Posts: 1886
Joined: Fri Dec 03, 2010 8:46 pm
Show On Map: No
Location: England

Re: TriS reported as an Attack site

Postby Cogito » Thu Jun 30, 2011 11:03 pm

I see the infection is back again although the site hasn't been flagged as an 'attack site' again.

I suppose it is pot luck whether the malware has managed to reinstall itself since the last time the Triaxian Silk IT team purged it.

You could try using this URL, which I think should take you to the same home page but might avoid the 'page not found' thing.

http://www.triaxiansilk.com/index.php?page=fanfiction

