Honda XRV Forum

1 - 13 of 13 Posts

[Discussion starter #1 · Registered · 6,174 posts]
When xrv.org.uk was compromised ages ago, DaveS was quick in his response to safeguard our data and minimise any loss. Under the new ownership, I don't think we can have confidence in the same level of commitment from Verticalscope to the safeguarding of our data. For this reason I suggest that you do the following:
  • Make sure your password and/or username is different for every forum you use.
  • Make sure you use a throwaway email address (a hotmail address maybe) for your registered forum email address so that if it is harvested by a hacker, you can just ditch it and get another.
  • Don't use the same password on the forum as you use for anything else.
Why do I say this?

The forum ktmforum.co.uk is another Verticalscope owned and run forum. Three days ago it became apparent that it had been hacked resulting in the probable compromise of the entire database. Three days on, there has been no statement from Verticalscope and the hack is still in place. I won't put a link to the thread on there because it may expose you to a malware download.

Basically this sort of hack usually involves an unauthorised third party gaining full administrative access to the forum, full access to the database and the ability to run commands on the host server. This means they can harvest email addresses, usernames, profile data and basically anything on the entire database. Passwords on vBulletin boards are now stored encrypted and "salted" so they are safer than they would be if stored in plain text. Notice I didn't say safe, I said safer as in less vulnerable.

So watch out. Verticalscope seem to be somewhat inept when it comes to protecting our data. They seem quick to maximise profits by getting rid of stuff we use like Tapatalk yet unable to keep our data safe in accordance with their own privacy policies. Just as well for them that they are based in Canada. If a UK business was so ineffective and failing to act to protect users' data following a breach, I suspect that they'd be in deep **** with the Information Commissioner's Office.

So, you have been alerted.

:rolleyes::rolleyes::rolleyes:
 

[Registered · 123 posts]
We actually saw it, immediately responded, cleared it, it appears to be back. It has been escalated to VBSEO support. We are clearing it again.

As you can see from the posts, we replied to the thread within a few hours of it being opened. At this moment it is resolved.
http://www.ktmforum.co.uk/ktmforum-uk-help-desk/193372-anti-virus-redir-alert-3.html


One of our techs is working on the site and working with the users.

If you see any issues you can report it and we can get it fixed asap.

Thanks,
Dwayn
 

[Discussion starter #3 · Registered · 6,174 posts]
Quote:
We actually saw it, immediately responded, cleared it, it appears to be back. It has been escalated to VBSEO support. We are clearing it again.

As you can see from the posts, we replied to the thread within a few hours of it being opened. At this moment it is resolved.
Anti virus Redir alert - Page 3
You say you saw it and immediately responded but it didn't seem like it from where I was sitting.

Thread starts here: http://www.ktmforum.co.uk/ktmforum-uk-help-desk/193372-anti-virus-redir-alert.html

What I saw was MCAdmin asking for details of what page was causing problems and what the reported payload was on 8th July. After that I saw no evidence of it being worked on by anyone remotely technical for days and all that time the hack was in place as shown by the detection method I posted on 9th July. Every time I tested it, I hit a redirection.

There was no further support response until 15:10 BST today 12th July - more than 4 days. In that response, MCAdmin requested a screenshot if anyone had an error message from Google and said "I need the URL of the infected page to have it removed from the site." There was no mention of the hack having previously been fixed and having then reoccurred. That was a rather long gap with no feedback. Now, there may well have been work going on to attempt to fix this, but there was zero communication in spite of requests for an update. Now, I don't know how that forum is organised from a moderators and admin point of view, but however it's done, it doesn't seem to have done the job particularly effectively.

If there is an organisational issue with ktmforum.co.uk support and Verticalscope were not made aware of the issue until today, then I may well have unfairly criticised Verticalscope for being inept. However, our data is in your hands. It is your platform. If the support response on that forum is inadequate then there is an improvement opportunity there.

At least it's receiving and has received attention. The redirect is now inactive so that bit's clean. Can you confirm whether the database contents and specifically the email addresses of the members (including my own) were subject to unauthorised access? I presume the logs are intact or have they been sanitised by the attacker?
 

[Registered · 10,746 posts]
Quote (post #3 above):
You say you saw it and immediately responded but it didn't seem like it from where I was sitting. [...]
Nice one Alan:thumbup:
 

[Registered · 1,452 posts]
This is very much double Dutch to me. I can't even work out how to retrieve the files from my portable hard drive, just plug it in when it asks but haven't got a clue what it's doing. I hope things are being taken care of on here on my behalf!!!
 

[Registered · 4,811 posts]
If the site is hosted in Europe then, I believe, data protection legislation applies. If it's hosted outside the European Economic Area, then everyone should consider the site very risky indeed*. Is there a statement somewhere about which nation's legislation applies?

[Edit] Just realised Canada is on the EU's list of approved countries, which suggests it has roughly equivalent data protection legislation. Not sure how one would go about getting an enforcement order though! Hopefully the Information Commissioner would help.[/Edit]
 
[Guest · 0 posts]
The server is in Holland..

Looking at the virustotal website on the IP it's had a few problems lately..

Code:
1/39 2013-06-20 19:45:08 http://www.yorkshire-divers.com/ydasv/bnrs/ebay.php
1/38 2013-06-06 16:55:55 http://www.gtr.co.uk/banners/www/delivery/afr.php?n=a88c60a3
1/37 2013-05-07 13:28:34 http://www.gtr.co.uk/
1/37 2013-04-11 07:23:42 http://www.gtr.co.uk/banners/www/delivery/ck.php/
The problem there is that on a shared system once a site has been compromised then a simple upload of a simple php file can give access to all the files/databases within or attached to that server. So even though XRV is secure a poor or outdated bit of software on another site can impact all sites...

Hopefully though the data centre will have a means of monitoring all changes to the files so rectification is swift, though until security holes are plugged the problems do recur. Just look at the fight Dave, myself and Boris had with this site just before the upgrade to VB4.
 

[Discussion starter #8 · Registered · 6,174 posts]
Quote:
The problem there is that on a shared system once a site has been compromised then a simple upload of a simple php file can give access to all the files/databases within or attached to that server.
Only if it's not been set up securely. I'm basing the following on Linux.

A PHP file can only be used to execute shell commands if the PHP functions that run shell commands are not locked down. Best practice is to put a server-wide block on PHP functions that enable the running of shell commands. If shell commands can be run from PHP there needs to be a VERY good reason as it is a massive security hole.

A PHP script runs as if it is a user on the server. There are different ways of setting up a shared hosting server. The most secure will use a unique user for each site that is permitted to access only those files within its own defined web root and maybe /tmp too. This means that even if one site is compromised, the attacker can't get beyond the limits of that hosting account by including other files.

Using those approaches makes compromising other accounts and the server itself far less trivial.
 
[Guest · 0 posts]
Usually I'd agree with you, but just ask Boris as to the last one we found on here.. it was ridiculous how much you could do with it even though shell commands were locked down for the web user.
 

[Discussion starter #10 · Registered · 6,174 posts]
Few attackers can get outside a single compromised account on a well set up server running suPHP/FastCGI/FCGID with the appropriate config. However, added security often has a performance hit so shared servers are frequently set up to be "fast and loose" with the standard DSO and "nobody" setup as it means they need less RAM or CPU resource depending on the configuration. It's cheaper; considerably so for high traffic sites.

An attacker can only do what the permissions and config allow him or her to do plus whatever any non-patched exploits allow him or her to do. All an admin can ever hope to do is make life difficult by following best practice so run-of-the-mill attackers pick an easier target to compromise. If they're in it purely for the challenge rather than a glorified script kiddie, they'll find a way in given long enough. In that case you need to make sure you can detect the intrusion quickly, fix the hole and clean up any modifications they've left behind.
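An added example, not written by anyone in this thread and not the forum's own tooling: a small audit script for the two controls the posts above describe, shell-command PHP functions disabled server-wide, and each site running as its own user confined to its own web root plus /tmp instead of the shared "nobody" setup. It reads php.ini-style `key = value` lines, including the `php_admin_value[...]` form used in a php-fpm pool file (php-fpm being one FastCGI setup of the kind mentioned). The two config fragments are constructed for illustration; the site name `xrvsite` and its path are hypothetical.

```python
"""Audit a php.ini / php-fpm pool fragment for shared-hosting lockdown.
Added example: checks shell functions are disabled and the pool runs as a
per-site user confined by open_basedir. Sample fragments are constructed."""

# PHP functions that hand a script a shell. Disabling all of them is the
# baseline; any exception should be a documented per-site decision.
SHELL_FUNCTIONS = {
    "exec", "passthru", "shell_exec", "system",
    "proc_open", "popen", "pcntl_exec",
}

# Account names that usually mean "every site runs as the same user".
SHARED_USERS = {"", "nobody", "www-data", "apache", "daemon"}


def parse_ini(text):
    """Parse 'key = value' lines in php.ini / php-fpm pool syntax.
    Comment lines (';' or '#') and [section] headers are skipped."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#[" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip().strip("\"'")
    return settings


def setting(cfg, name):
    """Look a directive up in both spellings: bare (php.ini) and
    php_admin_value[...] (pool file, where the site itself cannot override it)."""
    return cfg.get(name) or cfg.get(f"php_admin_value[{name}]", "")


def audit(text, site_root):
    """Return a list of findings; an empty list means the fragment passes."""
    cfg = parse_ini(text)
    findings = []

    disabled = {f.strip() for f in setting(cfg, "disable_functions").split(",")}
    still_on = sorted(SHELL_FUNCTIONS - disabled)
    if still_on:
        findings.append("shell functions still enabled: " + ", ".join(still_on))

    user = cfg.get("user", "")
    if user in SHARED_USERS:
        findings.append(f"scripts run as shared user '{user or '<unset>'}', not a per-site user")

    allowed = [p for p in setting(cfg, "open_basedir").split(":") if p]
    if not allowed:
        findings.append("open_basedir unset: scripts can include files from other accounts")
    else:
        stray = [p for p in allowed if p != "/tmp" and not p.startswith(site_root)]
        if stray:
            findings.append("open_basedir reaches outside site root and /tmp: " + ", ".join(stray))
    return findings


# Constructed fragment: the "fast and loose" shared setup, nothing restricted.
WEAK_POOL = """
[shared]
user = nobody
disable_functions =
"""

# Constructed fragment: one pool per site, own user, confined to its web root.
HARDENED_POOL = """
[xrvsite]
user = xrvsite
group = xrvsite
php_admin_value[disable_functions] = exec,passthru,shell_exec,system,proc_open,popen,pcntl_exec
php_admin_value[open_basedir] = /home/xrvsite/public_html:/tmp
"""

if __name__ == "__main__":
    for label, frag in (("weak", WEAK_POOL), ("hardened", HARDENED_POOL)):
        print(label, audit(frag, "/home/xrvsite/public_html") or ["OK"])
```

Run against the weak fragment it reports all three gaps (shell functions enabled, shared user, no open_basedir); the hardened fragment passes. It only reads config, so it is safe to point at a live pool directory before and after a change.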
 

[Wing Commander · 14,437 posts]
Quote:
Yes, we have it under control.

Thanks.
When are you going to realise that this sort of bland statement is not enough? The evidence presented makes believing your bland statements difficult. Standing there shouting "Don't panic Mr Mainwaring" is simply not good enough.


Sent from my iPhone using Tapatalk 2
 
[luddite · 1,814 posts]
Quote:
Yes, we have it under control.

Thanks.
erm...

now I don't pretend to understand ANY of the techy talk about this but I do know that the above statement is so massively insufficient as to give numpties like me exactly the opposite impression & to be insulting to those who can & do understand the techy bits & the implications of it all.
 