Hello,

I would like to announce that the forum, and only the forum, of BWL, had been infected by malicious code, and I've successfully removed it. I've also blocked the IP range where the malicious code came from and affected forum files. I will check the server logs as well as soon as I can get some time.

I would like to reassure everyone that, except for some non-binary forum files, NO content (web, forum attachments, DHDC, IRC etc.) on BWL server had been infected or changed in any way by the malicious code. Thus, there was NO virus directly on the BWL server: those who received such a warning from their virus scanner became connected to traffsale1.biz -- via the URL that was added to a forum file of BWL either automatically by a bot or by a malevolent person. The malicious code also caused BWL forum's PHP mail to send emails in the name of BWL forum and myself, with content [DO NOT TRY THE LINK]: "http://traffsale1.biz/dl/loadadv746.exe This link to a patch for our forum.
Please install this patch, for correct work of a forum. " The sender was certainly not a BWL admin or myself; these emails were automatically sent "by" the malicious code.

How could the malicious code get into a forum software file? We use an old IPB version 1.3.1 (extended by some mods), which has some bugs that can be exploited. I didn't have time to update it in the past. I was aware of the risk that IPB 1.3.1 could be exploited, but I didn't consider it too likely that it would actually happen.

One might ask: "Isn't it strange that BWL was down last weekend, and now this malicious code-stuff? Even smaller sites are much more stable." It isn't strange, or surprising. Smaller sites are stable because they are on servers that are maintained continuously by people whose full-time job is exactly this. BWL has a dedicated server. However, I've no time to pay as much attention to it as it would require, nor do I have the intention to pay for a support team -- DHDC is eating up enough money (and its costs increase from month to month). I simply have no more time to spend for BWL than I do now (which is very, very little).

I'll try to update the forum's software to a newer IPB as soon as possible. However, as I've said, the problematic IPs were blocked and the malicious code was found and removed (I won't tell how it managed to modify forum files -- the method that was used here is not on Google, and I don't want to give ideas on how to exploit the forum). So there is no need to worry.

I would like to thank SConrad for drawing my attention to it via MSN, otherwise I might have noticed it later, considering how often I check BWL.