08.05.2008 - Last Visit date

Small question to the mods: did anything happen with the DB or the server itself today?
Any reorganizations etc.?
I just got my "last visit" dated 08.05.2008, which is nonsense, so I am wondering if anything particular happened on the server side.
 
drygol said:
Small question to the mods: did anything happen with the DB or the server itself today?
Any reorganizations etc.?
I just got my "last visit" dated 08.05.2008, which is nonsense, so I am wondering if anything particular happened on the server side.
Well, this morning I asked for "show me new posts since last visit" and I got more than 6 pages of new posts, which was way out. Then I asked for "show recent posts" and I noticed that in fact the number of new posts should have been around 14.

And by the way, the same thing happened with the French forum.
 
Well, today we have exactly the same situation: first the forum goes offline and later the same last-visit date, 08.05.2008.
 
I logged on yesterday and every subforum was marked as though it had a new post when that wasn't the case! I think the fancy updating system that is supposed to prevent downtime is having a bit of fun with us.
 
I don't know, but I can't access SOTT or the forum. All I get is this weird code/script; it looked like I was redirected or got data from another site, also when looking at the loading bar...

Only if I double-refresh my browser, or more, do SOTT and the forum show up.
 
I got this strange effect:

[screenshot: firefoxproblemtx7.jpg]

Might be on my end; seems Flash-related.
 
Yeah, it's the code that tries to download trojans etc. (see the warning at the top of the page/main page).
The only thing I've been able to find out about it is that it's someone's user account on a Chinese host; it also seems to be counting/tracking visits through another website (will provide details if it's of use)... but it being Chinese, I cannot be certain.
 
Yeah... Yesterday I also got that lizard-lingo screen Grim posted. Same story today, except this time Kaspersky flashed a warning that a Trojan was trying to download...

Just to be on the safe side I downloaded Spybot as well. Got rid of some adware....

Thanks for the warning and Spybot tip SOTT.... :)

Keep up the good work.
 
RedFox said:
Yeah, it's the code that tries to download trojans etc. (see the warning at the top of the page/main page).
The only thing I've been able to find out about it is that it's someone's user account on a Chinese host; it also seems to be counting/tracking visits through another website (will provide details if it's of use)... but it being Chinese, I cannot be certain.
One time, my loading bar showed data from 'www.countyes.com/', but it showed more like countyes.54yes.com or something. I'm not that good with computers/browsers, but FWIW.

EDIT: I got that weird effect like GRiM; that's what I meant in my previous post. Though there are not always the same signs/code when refreshing.
 
It was _count45.51yes.com (_www.51yes.com).
The source of all this is hosted at _hounian.tj.cn.
Both Chinese.
Whois doesn't seem to show much.
I downloaded the website to have a look at what it was doing; it seems that it uses JavaScript, ActiveX, VBScript, and SWF to try and download a trojan.
The thing that was interesting was the count being sent to _51yes.com.
Not speaking Chinese, just looking at the website, it seems that it logs hits to web addresses. Could well have logged more, mind.
 
Well, I just finished the new floor in my new flat, and finally I could sit down with the laptop to browse the SOTT forums, and I just saw that "important notice" which states that there was an ARP poisoning attack on the hosting company.
The funny thing is that I know a little about ARP attacks and I can definitely say that to successfully launch ARP poisoning the attacker must be inside the LAN (Local Area Network), an ethernet-based LAN. It also means that if he/she successfully injected a trojan/malware/anything, then a compromised computer (one of the hosting company's computers) acted as a gateway for the web servers.
In other words, this attack is known as MITM, which means Man In The Middle.

Normal network scheme

webserver ---> gateway/firewall ( hoster side ) <---> internet <--- sott forum user

Attack network scheme:

webserver <--> compromised computer (acting as a gateway) <--> real gateway <--> internet <--- sott forum user

So, simply put, what the attacker does is trick the gateway into believing that it "talks" directly to the web server and, at the very same time, trick the web server into believing that it talks to the real gateway. Having done that, the attacker can inject network traffic in any way between the two ends of this link. But to achieve all of the above, the attacker MUST have access to one of the computers inside the LAN, like I said, so here comes another clue. If he already has this access, and we know that he is able to launch quite a hard kind of attack, then most probably he/she is still inside this network.
What I am trying to say is that from now on, everyone should watch for anomalies.

EDIT.

I was thinking a little bit more about it, and this "date of last visit" fits perfectly into this case.
Every altered connection will probably have a wrong session with the forum engine, which would end with this "date of last visit" being reset.
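The anomalies drygol tells everyone to watch for have a concrete shape in the ARP cache: an IP whose MAC changes mid-session, one MAC answering for both the gateway and another host, and a steady trickle of re-announcements for the same IP. The script below is an added example written for this thread, not code from the post or from the hosting company; the ARP replies it runs on are constructed by hand, and the gateway address 10.0.0.1 is hypothetical. In practice the input would come from periodic `ip neigh` / `arp -a` snapshots or an ARP packet capture.

```python
"""Spot the ARP-cache anomalies that an ARP-poisoning MITM leaves behind.

Added example, not code from the thread or from the forum's hosting company.
Input is a list of observed ARP replies (seconds, sender IP, sender MAC); the
sample below is constructed, and the gateway address 10.0.0.1 is hypothetical.
"""
from collections import defaultdict

# Constructed sample: a quiet LAN, then a host (.20) that starts answering
# ARP for both the gateway (.1) and the web server (.10), and keeps
# re-announcing the gateway every two seconds, as poisoning tools do.
SAMPLE_REPLIES = [
    (0.0, "10.0.0.1", "00:11:22:33:44:01"),    # gateway, real MAC
    (0.5, "10.0.0.10", "00:11:22:33:44:10"),   # web server, real MAC
    (1.0, "10.0.0.20", "00:11:22:33:44:20"),   # another host on the segment
    (30.0, "10.0.0.1", "00:11:22:33:44:20"),   # gateway IP now claimed by .20's MAC
    (30.1, "10.0.0.10", "00:11:22:33:44:20"),  # web server IP claimed by the same MAC
    (32.0, "10.0.0.1", "00:11:22:33:44:20"),
    (34.0, "10.0.0.1", "00:11:22:33:44:20"),
    (36.0, "10.0.0.1", "00:11:22:33:44:20"),
    (38.0, "10.0.0.1", "00:11:22:33:44:20"),
]


def find_anomalies(replies, gateway_ip=None, flood_window=10.0, flood_threshold=5):
    """Return (kind, ip, mac) alerts in the order the evidence appears.

    kinds:
      gateway_mac_changed          the gateway IP answered with a new MAC
      ip_mac_changed               some other IP answered with a new MAC
      mac_claims_gateway_and_host  one MAC answers for the gateway AND another host
                                   (the two-sided MITM described in the post)
      arp_reply_flood              flood_threshold replies for one IP within
                                   flood_window seconds (periodic re-poisoning)
    """
    ip_to_macs = defaultdict(set)
    mac_to_ips = defaultdict(set)
    reply_times = defaultdict(list)
    flagged_macs = set()
    alerts = []

    for ts, ip, mac in replies:
        mac = mac.lower()

        # 1. An IP that changes its MAC mid-session is the primary symptom.
        if ip_to_macs[ip] and mac not in ip_to_macs[ip]:
            kind = "gateway_mac_changed" if ip == gateway_ip else "ip_mac_changed"
            alerts.append((kind, ip, mac))
        ip_to_macs[ip].add(mac)

        # 2. One MAC claiming the gateway plus any other IP is the MITM shape:
        #    the attacker must impersonate both ends to stay in the path.
        mac_to_ips[mac].add(ip)
        if (gateway_ip in mac_to_ips[mac] and len(mac_to_ips[mac]) > 1
                and mac not in flagged_macs):
            flagged_macs.add(mac)
            alerts.append(("mac_claims_gateway_and_host", ip, mac))

        # 3. Poisoning has to be refreshed before caches expire, so a burst of
        #    replies for the same IP is suspicious even when the MAC is stable.
        reply_times[ip].append(ts)
        recent = [t for t in reply_times[ip] if ts - t <= flood_window]
        if len(recent) == flood_threshold:
            alerts.append(("arp_reply_flood", ip, mac))

    return alerts


if __name__ == "__main__":
    for kind, ip, mac in find_anomalies(SAMPLE_REPLIES, gateway_ip="10.0.0.1"):
        print(f"{kind:30} ip={ip:10} mac={mac}")
```

The first three replies produce no alerts; the moment host .20's MAC answers for the gateway the script raises the MAC-change and two-sided-MITM alerts, and the repeated gateway announcements trip the flood check a few seconds later. A static ARP entry for the gateway on each server, or DHCP snooping / dynamic ARP inspection on the switch, is the usual way to stop the first two conditions from being possible at all.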
 
Interesting, drygol.
What did occur to me was the count45 site that appeared to be logging things.... The thought (which I can't prove at the moment, although this may be irrelevant if you're saying he's IN the LAN) is: what could have been logged about visitors to SOTT?
Now, I presumed it had just been IPs... and perhaps even some of your cache history.
While the site was going up/down.... I was once logging in, hit login, then got the garbage on the screen.....
What do you think the odds are that passwords and IPs have been logged?

Another thought (forgive my paranoia).... this was a blatant attack to get a trojan onto machines, at face value...
What if the attacker had a custom (i.e. unrecognizable by virus scanners) trojan.... redirected you to download it, then back to SOTT as if all was normal?? It crossed my mind, but I am totally unsure how possible something like that would be.

.... I guess I was thinking about who would stand to gain by shutting down SOTT/SOTT's users.
 
First of all we should start with your last question, RedFox.

... I guess I was thinking about who would stand to gain by shutting down SOTT/SOTT's users.
It almost never works this way. What I mean is, attacks on forum communities are launched mainly for one purpose: to get as many zombie computers as possible, which would obviously involve infection. Zombies (the term used to describe a computer infected by a trojan or worm, or both combined with a virus) are later used to send SPAM or to perform the attack known as DDoS (Distributed Denial of Service), which is nowadays one of the most profitable businesses (my spellchecker failed here :P) on the internet.
The more zombies they get, the better attacks they will have in the future. I'll just mention that the game aims to get literally thousands or tens of thousands
of zombies.

Now to the details of the attack.
Very often a hosting company puts a lot of its clients' www sites on one or two PCs; if a hoster is big then they have a whole farm of servers. The point is that those servers are connected via gigabit ethernet (cheap and efficient), which creates a LAN on their side. Then this LAN is hidden behind a firewall. Here we have to mention that a firewall is never that kind of super-duper magic machine that kills all bad things flowing through it. It's a regular machine with an operating system, which is also configured by a human and also has security flaws, and even more, it has to let traffic over TCP port 80 flow inside (port 80 is HTTP, our www).
Now, if the attacker breaks into ANY of those machines in the LAN behind the firewall, then he instantly gains access to the rest of the computers via the LAN, which means that he can freely launch a MITM attack (in this case it is ARP poisoning because of the ethernet-like network).
ARP poisoning in ethernet is a low-level attack which supports the MAIN attack in a switched environment: SNIFFING.
The sniffing goal is to capture all traffic between the victim computers, in this case the firewall/gateway of the hoster and the web server, both in the hosting company's LAN. When the attack is properly launched, the attacker simply redirects all traffic to the machine he has already compromised (probably another server in the LAN), which means he has total control over this traffic: he can manipulate it, inject malicious data into streams, capture passwords, modify posts online; in short, everything that flows through it.
The SOTT forum runs over the HTTP protocol, which is plaintext, which also means that the data going between the web server and the firewall, and in effect between them and the SOTT forum user, is not encrypted. That's why it is strongly suggested to use HTTPS instead of HTTP, or at least authentication certificates (yes I know, a pain in the ass to configure and to persuade users to use it ;P).
HTTPS is encrypted HTTP, so all the attacker will get would look, for example, like this:

!@#$#%^#$#GFSCFQ#RFAAweda34q34

instead of this :

username:drygol
password: my password :P

The problem the attacker has to face is the fact that not all users use the same software. For example, you just said that you got garbage on the screen at one moment; this could mean that you have a different browser than the other targeted users, and the exploit (malicious software injected by the attacker) used by the attacker didn't affect your PC. I could guess that you use Firefox or Opera and the attack was launched against Internet Explorer (the most probable scenario nowadays). Or maybe you used IE 7.0 and the attack was launched against IE 6.0. (Don't write which browser you use here, even if I am right.)

OK, now to the after-attack stuff.
If the hosting company is telling the TRUTH that it was an ARP poisoning attack, then it would mean that the attacker is quite skilled; it's not easy stuff to break in, gather enough information about the network and launch a successful MITM. I tell you, not easy. So we could exclude script kiddies here. So if that was a skilled guy, then he most probably has access to 0-day exploits.
A 0-day is the one you just mentioned: unrecognizable by virus or anti-spyware/malware software.

Also the attack could be performed (the easiest way) by someone who already has access to the LAN, someone who could attack from inside.

And finally we have to reconsider the possibility that this attack was specially constructed in this way, to look like an attack aimed at getting as many zombies as possible, while at the same time its purpose was totally different. Hint: gov ;)

I tried my best to construct sentences for the regular reader, but I can imagine that it can be hard to understand; also my Engrish is faulty here :)

If you have more questions, go ahead, shoot.
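drygol's "username:drygol / password: ..." versus "!@#$#%^..." contrast can be made concrete by parsing what a sniffer sitting between the web server and the gateway actually receives. The script below is an added example written for this thread, not code from the post or from the forum software. Everything in it is constructed: the host forum.example, the path /login and the form field names username / password are hypothetical, and the "ciphertext" inside the TLS record is a stand-in byte string rather than real TLS output.

```python
"""What a LAN sniffer sees for a plaintext HTTP login versus an HTTPS one.

Added example, not code from the thread. Everything below is constructed:
the host forum.example, the path /login and the form field names username /
password are hypothetical, and the "ciphertext" in the TLS record is a
stand-in byte string, not real TLS output.
"""
from urllib.parse import parse_qs, urlencode

TLS_CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                     22: "handshake", 23: "application_data"}


def build_http_login(username, password, host="forum.example", path="/login"):
    """Constructed TCP payload of a plain HTTP form login (hypothetical fields)."""
    body = urlencode({"username": username, "password": password}).encode()
    head = (f"POST {path} HTTP/1.1\r\n"
            f"Host: {host}\r\n"
            "Content-Type: application/x-www-form-urlencoded\r\n"
            f"Content-Length: {len(body)}\r\n\r\n").encode()
    return head + body


def build_tls_record(ciphertext, version=(3, 1)):
    """Constructed TLS application_data record (type 23) carrying opaque bytes."""
    return bytes([23, *version]) + len(ciphertext).to_bytes(2, "big") + ciphertext


def classify(payload):
    """Cheap first-bytes classification, the way a sniffer sorts streams."""
    if payload[:8].split(b" ", 1)[0] in (b"GET", b"POST", b"HEAD", b"PUT"):
        return "http"
    if len(payload) >= 5 and payload[0] in TLS_CONTENT_TYPES and payload[1] == 3:
        return "tls"
    return "unknown"


def sniff_http_credentials(payload):
    """Pull credential-looking form fields out of a plaintext POST, or None."""
    if classify(payload) != "http":
        return None
    head, _, body = payload.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    if method != "POST" or "x-www-form-urlencoded" not in headers.get("content-type", ""):
        return None
    length = int(headers.get("content-length", len(body)))
    fields = parse_qs(body[:length].decode("latin-1"))
    creds = {k: v[0] for k, v in fields.items()
             if any(hint in k.lower() for hint in ("user", "pass", "login", "pwd"))}
    return {"host": headers.get("host"), "target": target, "fields": creds}


def sniff_tls(payload):
    """Everything a sniffer gets from a TLS record without the session keys."""
    length = int.from_bytes(payload[3:5], "big")
    return {"content_type": TLS_CONTENT_TYPES.get(payload[0], "unknown"),
            "version": f"{payload[1]}.{payload[2]}", "length": length,
            "plaintext": None}


HTTP_LOGIN = build_http_login("drygol", "my password")
TLS_LOGIN = build_tls_record(bytes(range(0x20, 0x50)))  # 48 constructed bytes


if __name__ == "__main__":
    print(sniff_http_credentials(HTTP_LOGIN))
    print(sniff_tls(TLS_LOGIN))
```

For the HTTP payload the sniffer recovers the host, the login path and both credential fields with a handful of lines of parsing; for the TLS record it learns only the record type, protocol version and length. That metadata is still something (it reveals when and how much someone talks to the server), which is why the post's advice is HTTPS for the whole session and not just for the login form.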
 
Thanks for the information, drygol. It is strange indeed. I received the garbage when I wasn't logged in as well.

The SOTT page has an article about Iran and the PTB sallying forth with their plans to bomb Iran, so they would need to take out alternative news sites to control information. It makes perfect sense. http://www.sott.net/articles/show/158508-Batten-down-the-free-speech-hatches-it-s-time-to-bomb-Iran

I did find it interesting that one of the things the hacking would have allowed was to "modify posts online". Can't think of anyone who would want to do that...
 