Bad news everyone,

RatSkep has been the victim of a malicious script injection (simply put: a kind of virus) which was loaded with the site content.

I have removed all such script signs so the site is completely clean again, on the server at least.

However, have yet to find the loophole and how it eventually got through.

I cannot say for sure how much damage has been done or if the script actually has been loaded onto your machine, so please make sure to run your preferred anti-virus software and let it do a full scan on your machine, just to be sure.

Once I have more information I'll post it here.

Cheers Bernhard.

Do you know the source?

bugger - the antivirus people have marked ratskep as malware site - AVG first to do this. You generally only have a very small window to shut your site from internet traffic to stop this happening.

oh well.

Yep.... AVG blocked all access to the forum from my computer.
I can access now, but with a stern warning each time.

Thank you Bernhard. AFA forums is down too, but not Talk Rats.

byofrcs wrote:bugger - the antivirus people have marked ratskep as malware site - AVG first to do this. You generally only have a very small window to shut your site from internet traffic to stop this happening.

oh well.

Globe wrote:Yep.... AVG blocked all access to the forum from my computer.
I can access now, but with a stern warning each time.

In the case of AVG you can use this link to unblock RatSkep:
http://www.avg.com/eu-en/page-rating-report

This will make sure we aren't blacklisted anymore, I have removed and fixed all scripts,
in case the want to check the site is 100% clean again.

Bernhard, you have to indicate you have found the vector and that has been shut - obviously don't have to say what the vector was - before we can report false positive.

LIFE wrote:

byofrcs wrote:bugger - the antivirus people have marked ratskep as malware site - AVG first to do this. You generally only have a very small window to shut your site from internet traffic to stop this happening.

oh well.

Globe wrote:Yep.... AVG blocked all access to the forum from my computer.
I can access now, but with a stern warning each time.

In the case of AVG you can use this link to unblock RatSkep:
http://www.avg.com/eu-en/page-rating-report

This will make sure we aren't blacklisted anymore, I have removed and fixed all scripts,
in case the want to check the site is 100% clean again.

Thanks.... Done.

byofrcs wrote:Bernhard, you have to indicate you have found the vector and that has been shut - obviously don't have to say what the vector was - before we can report false positive.

If you report to AVG or elsewhere they will do a final double-check themselves before removing us from the blacklist.
As it stands now I have removed any malicious content and changed all access points, so we're safe, for now

This scan shows a clean result:
http://sitecheck.sucuri.net/results/www ... ticism.org

So far seems we've not been blacklisted just yet, at least on those listed there (incl Google etc)

LIFE wrote:Bad news everyone,

RatSkep has been the victim of a malicious script injection (simply put: a kind of virus) which was loaded with the site content.

I have removed all such script signs so the site is completely clean again, on the server at least.

However, have yet to find the loophole and how it eventually got through.

I cannot say for sure how much damage has been done or if the script actually has been loaded onto your machine, so please make sure to run your preferred anti-virus software and let it do a full scan on your machine, just to be sure.

Once I have more information I'll post it here.

My Avast antivirus caught it right away. It's all better now.
: JS:Redirector-AAA [Trj]
is what I got.

Thanks LIFE

Can someone just clarify for a simpleton? Earlier, when the site went all funny I got a message from AVG at the top of my page saying they had blocked harmful stuff, does that mean I'll be ok? I logged out, then logged back in, it appeared to be fine then, no messages or funny stuff.

Macs?

Also, is this something that's just been done to us? Is it a person or persons trying to fuck us over or is it more general? I don't understand.

Clive Durdle wrote:Macs?

I wasn't blocked, I just couldn't get in. But now I don't have a problem, and I've tried via both Firefox and Safari.

I use Intego and that hasn't sent me any warnings or alarms, but I've just updated the virus defs and will do a full scan...

Many thanks. I restored my pc thinking an update that was installed last thing last night may have been the culprit. Now I will have to download the update as it's vital.
Just did a complete scan, I'm all clear.

If we tried to log in during the pwnage, should we change passwords?

Addit: Done it anyway - UCP > Profile > Edit account settings

Made of Stars wrote:If we tried to log in during the pwnage, should we change passwords?

Technically.... yes if it is simple. Also if you use this SAME password on other forums or social sites with the SAME email then change them EVERYWHERE.

Why ? With ability to change site files the hackor will have downloaded the mysql access password and will have got the user table which has the user passwords as md5 hashes. They are not salted so they can do a dictionary attack and look at rainbow tables and work out your passwords if these are simple.

With a list of emails and some passwords they can then try out other social sites to see if they get bites.

Winrar.

Made of Stars wrote:If we tried to log in during the pwnage, should we change passwords?

Addit: Done it anyway - UCP > Profile > Edit account settings

Wouldn't it be a little late for that? Especially to those of us who use the same p/word on various internet log ins.

I use different email addresses but the same password or a variation of the same password. There have been times when I have had to try 5 or 6 different email addresses to get on to a site...