Author Topic: Another virus on the website  (Read 5674 times)

Corey Cooper

  • Administrator
  • Hero Member
  • *****
  • Posts: 6216
    • View Profile
Another virus on the website
« on: October 13, 2009, 12:09:17 PM »
Yesterday the Tournament Director website was hit with a virus.  It compromised a lot of pages, and I spent a good few hours cleaning it up.  I believe I have it cleaned at this point.

Mainly it tried to add some tasteless advertising to the site, but it also attempted to redirect your browser to a page with known browser exploits.  I was using Firefox 3 and the virus was unable to redirect my browser.  I hope this was also the case with other browsers.  I tried to visit the intended destination using the Chrome browser and it immediately warned me that it was a known bad site.  Again, I hope that other browsers would do the same.

The end effect, it seems, was to break the forums, but that's about it.  I'm sorry if anyone else was affected by this.  Please let me know if you notice anything strange on the site.

Phaze

  • Sr. Member
  • ****
  • Posts: 346
    • View Profile
Re: Another virus on the website
« Reply #1 on: October 15, 2009, 06:18:14 AM »
yeah I just got the bad page warning via Chrome just now... how annoying it must be for  you, as well as a kick in the balls for the business... good luck bud

Corey Cooper

  • Administrator
  • Hero Member
  • *****
  • Posts: 6216
    • View Profile
Re: Another virus on the website
« Reply #2 on: October 15, 2009, 10:09:38 AM »
Believe me, it is.  It hit two days in a row.  Since then I've updated all passwords, update the forum software (to patch any security vulnerabilities), and now have a script that I can run at any time to detect and clean up the site in a matter of seconds.  That's the lazy programmer way.  Get sick of doing something, and he will write a script to do the work.  :)

I don't see a warning with Chrome, however.  And according to my script, the site is clean.  What page gave you the warning?

Phaze

  • Sr. Member
  • ****
  • Posts: 346
    • View Profile
Re: Another virus on the website
« Reply #3 on: October 15, 2009, 10:08:08 PM »
just went on again tonight and I have this page bookmarked : http://thetournamentdirector.net/forums/index.php

It gave the warning again via chrome

Johnnie_nl

  • Newbie
  • *
  • Posts: 9
    • View Profile
Re: Another virus on the website
« Reply #4 on: October 18, 2009, 04:23:53 PM »
The only thing i saw, was that the complete site was down for a few hours.
This was 2 day's ago.
I don't get any virus warnings.
I'm using AVG as my virusscan

Corey Cooper

  • Administrator
  • Hero Member
  • *****
  • Posts: 6216
    • View Profile
Re: Another virus on the website
« Reply #5 on: October 19, 2009, 09:52:45 AM »
just went on again tonight and I have this page bookmarked : http://thetournamentdirector.net/forums/index.php

It gave the warning again via chrome

That's odd.  I don't get a warning with Chrome.

I've been running the "check" script multiple times a day, and manually checking various files I know were hit previously.  The site is clean.  I checked some log files and it appears that the culprit managed to get the ftp password, and that's how the site was compromised.  As I said previously, the passwords were changed and since then nothing has happened.

And just to clarify, the "virus" was not really the same thing as a virus you might get on your PC.  Basically, the culprit modified a number of the pages in such a way that, when you visited the Tournament Director website, it was SUPPOSED to redirect your browser to a website that contained a number of browser "exploits" - code that could hopefully get around browser security and infect your computer with a virus/trojan/adware stuff.  I say "supposed" to because using Internet Explorer 7, Firefox 3, and Chrome 3, it did NOT in fact redirect any of my browsers.

Edit: By the way, thank you for the info.

MattBurlew

  • Jr. Member
  • **
  • Posts: 78
    • View Profile
Re: Another virus on the website
« Reply #6 on: October 20, 2009, 08:42:10 PM »
Got the warning just now with Chrome.

Corey Cooper

  • Administrator
  • Hero Member
  • *****
  • Posts: 6216
    • View Profile
Re: Another virus on the website
« Reply #7 on: October 21, 2009, 11:36:04 AM »
I wonder if it is the version of Chrome.  What version are you guys using?  Mine is 3.0.195.27.

MattBurlew

  • Jr. Member
  • **
  • Posts: 78
    • View Profile
Re: Another virus on the website
« Reply #8 on: October 21, 2009, 07:11:01 PM »
I wonder if it is the version of Chrome.  What version are you guys using?  Mine is 3.0.195.27.

Same for me.

Bean_D

  • Newbie
  • *
  • Posts: 27
    • View Profile
Re: Another virus on the website
« Reply #9 on: October 22, 2009, 04:01:38 AM »
Same Chrome version here and the same virus warning for me just now.  IE 7.0 doesn't object at all.


Bean_D

  • Newbie
  • *
  • Posts: 27
    • View Profile
Re: Another virus on the website
« Reply #10 on: October 22, 2009, 04:10:26 AM »
It seems that it is Google who have registred the homepage as "suspicious" according to the helpfile.

According to the Google logs, they have visited the site 10-21 and still found "malicious software" on the site.

Corey Cooper

  • Administrator
  • Hero Member
  • *****
  • Posts: 6216
    • View Profile
Re: Another virus on the website
« Reply #11 on: October 22, 2009, 09:31:57 AM »
Just to put people's minds at ease, here is Google's report of the site.  Would someone with Chrome who has seen the warning take a screenshot of it and send it to support@thetournamentdirector.net?  Maybe I can get someone at Google to let me know what's going on.  (ha)

MattBurlew

  • Jr. Member
  • **
  • Posts: 78
    • View Profile
Re: Another virus on the website
« Reply #12 on: October 22, 2009, 07:47:08 PM »
Here you go.

Corey Cooper

  • Administrator
  • Hero Member
  • *****
  • Posts: 6216
    • View Profile
Re: Another virus on the website
« Reply #13 on: October 23, 2009, 09:26:02 AM »
Thank you very much, I'm seeing it now in Chrome.  Not sure why Google's malware reports aren't sync'ed up...

Corey Cooper

  • Administrator
  • Hero Member
  • *****
  • Posts: 6216
    • View Profile
Re: Another virus on the website
« Reply #14 on: October 23, 2009, 10:29:28 AM »
There was indeed still some nasty stuff in there.  The good news is that the location that all of this hacked code was sending browsers to is apparently defunct, so there wasn't any chance of infection.

I've modified my scan script to be a lot more sensitive and it found the last (I hope!) of the bad stuff.  My Chrome warning went away as soon as I emptied Chrome's cache (the wrench icon, then "Clear browsing data" - you only need to clear the cache).  Or, when you hit the TD forums and get the Chrome warning, you can press Ctrl+F5 to make it reload everything.  This should make it go away.

Thanks very much to everyone for helping with this.