Strange background script on board topic...

Discuss all things 1970 & later Airheads right here.
dwire
Posts: 403
Joined: Sat Nov 20, 2010 1:15 pm
Location: OHIO

Re: Strange background script on board topic...

Post by dwire »

Yeah, ticking the box seems like the thing to do. Not saying it is bad, but you know what that actually does right? Leaves a cookie on YOUR MACHINE for the board login. I'm sort of staying away from letting the board cache or do much of anything along those lines right now. Surely is a good little bug. Smart enough now I've seen three new domains (URLs) it says it is residing on. I'm not pleased to admit people have gotten better with these sorts of automated attacks from the server side to the public, but they have... I'll be interested to know, while yes, these things can be fixed (sometimes) what in the Heck its purpose is. Surely not singling out boxerworks I would not think, but whomever it would like to bother, that I am curious of...
1971 R75/5 (SWB)
If you're going to hire MACHETE to kill the bad guy, you better make damn sure the bad guy isn't YOU!
Steve in Golden
Posts: 3094
Joined: Tue Aug 03, 2010 4:30 pm
Location: Golden, CO USA

Re: Strange background script on board topic...

Post by Steve in Golden »

I am pretty sure Boxerworks, just like a zillion other web sites, will leave cookies whether you choose to check the "keep me logged in" checkbox or not. Probably just a session cookie but still a cookie. In fact it looks like Boxerworks sets a lot of cookies, period.

But are they chocolate chip cookies? Those are my fav.
dwire
Posts: 403
Joined: Sat Nov 20, 2010 1:15 pm
Location: OHIO

Re: Strange background script on board topic...

Post by dwire »

Yeah, I like Chocolate Chip cookies too. It has been a couple of years now since I was running super-dooper large phpBB forums anywhere, but this looks like about the norm, but I'd have to set up a forum here on one of the local LAN servers to know for certain. While not too hard for me, Matt and the Web Mistress will get further faster than my speculation; I have no idea what plugins, modifications, hard edits, etc. have been performed here, so. I don't even know what version or the update status of the board...

Here is what it drops without the password cookie.

Image

Style and stats I recall. The others seem to ring a bell, but honestly all it takes is a few days, weeks, months or years away from running something like this to forget all you once knew; OK at least in my case... sid should be my "Session ID" if I recall - for the life of me I can't recall what the ***U and ***K could be for or if they should even be here - I simply do not know. I'd likely look into checking the MySQL database for corruption and waste the board by reinstalling, or overwriting it - that is if the script attacking stuff continues to come and go... Otherwise, all the PHP errors "could" be caused by a lot of things really... Those people will know better than I as they have all the information before them; I do not. :) And obviously number one thing to do is for them to change their FTP usernames and passwords to the board and never ever connect via FTP; ONLY SFTP, so packet sniffers and such cannot gain access to the board by reading their username(s) and PWs in the plain text sent to access the server... SFTP connections to the server encrypt that, so crap like the scripts I was seeing trying to run from websites that were a day or hours old can no longer be re-writing the bb...
1971 R75/5 (SWB)
If you're going to hire MACHETE to kill the bad guy, you better make damn sure the bad guy isn't YOU!
vesparazzi
Posts: 1
Joined: Fri May 27, 2011 11:06 am

Re: Strange background script on board topic...

Post by vesparazzi »

When I just came to the site Norton indicated that it blocked an attack on my computer from this site.


Network traffic from her.sapef.in/0288 matches the signature of a known attack. The attack was resulted from \DEVICE\HARDDISKVOLUME1\PROGRAM FILES\JAVA\JRE6\BIN\JAVA.EXE. To stop being notified for this type of traffic, in the Actions panel, click Stop Notifying Me.
Steve in Golden
Posts: 3094
Joined: Tue Aug 03, 2010 4:30 pm
Location: Golden, CO USA

Re: Strange background script on board topic...

Post by Steve in Golden »

vesparazzi wrote:When I just came to the site Norton indicated that it blocked an attack on my computer from this site.

Network traffic from her.sapef.in/0288 matches the signature of a known attack. The attack was resulted from \DEVICE\HARDDISKVOLUME1\PROGRAM FILES\JAVA\JRE6\BIN\JAVA.EXE. To stop being notified for this type of traffic, in the Actions panel, click Stop Notifying Me.
Every time I logon with Internet Exploder several files appear on my desktop with names like "hs_err_pid3196.log", containing text similar to
An unexpected exception has been detected in native code outside the VM.
Unexpected Signal : EXCEPTION_STACK_OVERFLOW (0xc00000fd) occurred at PC=0x7C90E8EE
Function=strchr+0xE1
Library=C:\WINDOWS\system32\ntdll.dll

Current Java thread:
...
Seems to be Java related alright.

When will we hear from Matt with some reassuring words of wisdom that the hackers have been evicted from Boxerworks?
dwire
Posts: 403
Joined: Sat Nov 20, 2010 1:15 pm
Location: OHIO

Re: Strange background script on board topic...

Post by dwire »

No need for me to comment on this really any further. Everyone from top to bottom should know. If (and I am glad they DO NOT run Google analytics on the forum) but... if they did, this would have been pegged as a malicious site known to contain viruses, malware and/or on and on... They (Google) have a standard page like you get with an untrusted certificate in Firefox while navigating to a secured (https) page when the robots and spiders see the activity that has been going on here happening.

Not my deal. I came, I informed, I protect myself; I cannot effect change in any other way. There's nothing good about it and I see it coming and going; likely the cause for the PHP errors, strange redirects and board slowdowns or complete crashes I've had too...
1971 R75/5 (SWB)
If you're going to hire MACHETE to kill the bad guy, you better make damn sure the bad guy isn't YOU!
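The kind of check a forum owner can run themselves, along the lines of what the crawlers dwire mentions do: an added example (not code from this thread or from phpBB) that parses a page's HTML and flags script/iframe/embed/object/applet references pointing off-site or hidden from view. The allowlist of hosts and the sample page are assumptions; the only real indicator is the host from the Norton alert quoted above.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed allowlist of hosts the forum legitimately loads scripts/frames from.
ALLOWED_HOSTS = {"boxerworks.com", "www.boxerworks.com"}
# Tags that pull in executable content, mapped to the attribute carrying the URL.
WATCHED = {"script": "src", "iframe": "src", "embed": "src", "object": "data", "applet": "code"}

class ResourceRefParser(HTMLParser):
    """Collect (tag, url, attrs) for every tag in WATCHED."""
    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        url_attr = WATCHED.get(tag)
        if url_attr is None:
            return
        attr_map = {k: (v or "") for k, v in attrs}
        if attr_map.get(url_attr):
            self.refs.append((tag, attr_map[url_attr], attr_map))

def _is_hidden(attrs):
    """Injected iframes are typically 0/1 pixel or styled invisible."""
    style = attrs.get("style", "").replace(" ", "").lower()
    tiny = attrs.get("width", "") in ("0", "1") or attrs.get("height", "") in ("0", "1")
    return tiny or "display:none" in style or "visibility:hidden" in style

def find_suspicious_refs(html, allowed_hosts=ALLOWED_HOSTS):
    """Return findings for off-site or hidden executable resources in a page."""
    parser = ResourceRefParser()
    parser.feed(html)
    findings = []
    for tag, url, attrs in parser.refs:
        host = urlparse(url).hostname  # None for relative URLs such as ./forum_fn.js
        if host and host.lower() not in allowed_hosts:
            findings.append(f"<{tag}> loads from unknown host {host}: {url}")
        if tag == "iframe" and _is_hidden(attrs):
            findings.append(f"hidden <iframe> pointing at {url}")
    return findings

# Constructed sample: a phpBB-style page with one injected hidden iframe whose host
# is the one named in the Norton alert quoted in this thread.
SAMPLE_HTML = """<html><head>
<script src="./styles/prosilver/template/forum_fn.js"></script>
<script src="http://www.boxerworks.com/forum/editor.js"></script>
</head><body>
<iframe src="http://her.sapef.in/0288" width="1" height="1" style="visibility: hidden"></iframe>
</body></html>"""
```

Calling `find_suspicious_refs(SAMPLE_HTML)` returns two findings for the injected frame (unknown host, hidden) and nothing for the two legitimate scripts; feed it the HTML of your own index page to check it the same way.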
mattcfish
Posts: 754
Joined: Mon Aug 02, 2010 11:18 pm

Beware!

Post by mattcfish »

Finally back on the forum after several weeks. Against my will, I erased the hard drives on two separate computers at work logging into this Forum. It was somewhat uncomfortable telling the Tech guys what had occurred. At least it wasn't a porn site ( or worse a Harley chat forum). A nasty virus attacked each computer as soon as I opened Boxerworks. The virus instantly erased the hard drive and then sent a bogus ad requesting money to buy a program to fix the problem. My home computer, a Mac, seems unaffected, but at least I have a spare drive just in case. I think Boxerworks may have addressed the problem.
Still, I won't be logging on at work anymore. viewtopic.php?f=1&t=3482&hilit=full+fairing
Bellingham, WA USA
1975 BMW R90/6
1975 BMW 2002
1971 VW Westfalia
1985 VW Vanagon
http://advrider.com/index.php?threads/b ... s.1074183/
dwire
Posts: 403
Joined: Sat Nov 20, 2010 1:15 pm
Location: OHIO

Re: Strange background script on board topic...

Post by dwire »

dwire wrote:Yeah, I like Chocolate Chip cookies too. It has been a couple of years now since I was running super-dooper large phpBB forums anywhere, but this looks like about the norm, but I'd have to set up a forum here on one of the local LAN servers to know for certain. While not too hard for me, Matt and the Web Mistress will get further faster than my speculation; I have no idea what plugins, modifications, hard edits, etc. have been performed here, so. I don't even know what version or the update status of the board...
Here is what it drops without the password cookie.

NOTE:
Oddly, we can no longer re-edit our posts; bet there was a time limit set, which can be done, or perhaps when the webmistress sorted things out, all of the older topics were locked. So, since I am moving a great deal of data around at my web server at the domain, I'll just put the growler picture back up down here for anyone who has interests. The same will apply to any images embedded in posts here as it would seem there is nothing I can do about it.

Image

Style and stats I recall. The others seem to ring a bell, but honestly all it takes is a few days, weeks, months or years away from running something like this to forget all you once knew; OK at least in my case... sid should be my "Session ID" if I recall - for the life of me I can't recall what the ***U and ***K could be for or if they should even be here - I simply do not know. I'd likely look into checking the MySQL database for corruption and waste the board by reinstalling, or overwriting it - that is if the script attacking stuff continues to come and go... Otherwise, all the PHP errors "could" be caused by a lot of things really... Those people will know better than I as they have all the information before them; I do not. :) And obviously number one thing to do is for them to change their FTP usernames and passwords to the board and never ever connect via FTP; ONLY SFTP, so packet sniffers and such cannot gain access to the board by reading their username(s) and PWs in the plain text sent to access the server... SFTP connections to the server encrypt that, so crap like the scripts I was seeing trying to run from websites that were a day or hours old can no longer be re-writing the bb...
1971 R75/5 (SWB)
If you're going to hire MACHETE to kill the bad guy, you better make damn sure the bad guy isn't YOU!