Hacking Attacks

Status
Not open for further replies.

FrgMstr

We are 99.9999% sure we have closed the security hole that seems to have not been a documented issue, so we will see if we have remedied the issue this week or not.

Sorry for the inconvenience. I highly suggest a full scan of your system to look for any viri.

Using a fully updated Win 7 OS with Chrome and MSE, I have not been infected with anything under heavy use this week while I know the forum was infected.

Again, sorry for the issues, and thanks for the patience.
 
If you have any idea what trojan/viri were planted on the forum, could you maybe post info on how users could detect infections? I can't imagine that every AV package is perfect...
 
Thanks for the update. Was reading some of the locked topics and was wondering what was happening.

Info on the virus would be good too if possible, like was it flash, Js, what is the originating host etc. I have noscript so I'm hoping it was just a js link to another host that way it should have been blocked. Will do a full scan anyway.
 
Use latest version of MSE. It seems to have been the one that protected fully.
 
+1 for MSE. It protected me just fine the entire week, and it's the AV I recommend above all else.
 
thanks for the update Kyle

i hadn't visited the site for much of last week while this was going on, I checked it for the first time in a while today. Glad you got it under control!

Red Squirrel, I'm not an authority at all, but I think it was a Java exploit, it kept asking you to open Java for something, but I don't have Java installed, so it didn't affect me.

Of course, I could be wrong.
 
thanks for the update Kyle

i hadn't visited the site for much of last week while this was going on, I checked it for the first time in a while today. Glad you got it under control!

Red Squirrel, I'm not an authority at all, but I think it was a Java exploit, it kept asking you to open Java for something, but I don't have Java installed, so it didn't affect me.

Of course, I could be wrong.

Oh so this would have actually prompted me first? I was not prompted for anything nor would I click yes, so I should be fine then. Probably did not browse during the time it was hacked. Doing full scan anyway just in case.

I've been caught with drive bys that don't even prompt or anything, so I'm more paranoid than before when it comes to this stuff. A single click on a bad google result can yield to a bunch of crap installed, even with the latest version of FF and all bells and whistles.
 
What security tools are known to find the issue? What are the symptoms?
 
RUN MSE. Clean scan will show no issues. Any issues it will fix.
 
My Kaspersky AV kept blocking me from visiting this site for most of today. I still can't get on here when using Mozilla though...I just get a blank page. I can access this site from IE7 without problems....weird.
 
Kyle, thanks for all of the work you guys have been laying down. As for the MSE; it definitely kept me protected quite well. Along with a sand-boxed browser (Chrome). Forums are looking normal again on my side. :)
 
That had to be a PITA. I browse mostly from the linux lappy and suffered no ill effects. Thanks for getting things back in order.
 
MSE caught something
comodo blocked another
Malware Bytes: 11 infected items
 
If you have any idea what trojan/viri were planted on the forum, could you maybe post info on how users could detect infections? I can't imagine that every AV package is perfect...


ok here's the information that eset shows for the one that actually made an attempt to install (manual install if you clicked yes on the java app popup)

eset is labeling it as: "a variant of java/trogandownloader.openstream.NAS trojan"

that is the only information it is giving.
 
well i dont know where on the forums you guys are picking this crap up from.....are you clicking on links you dont know..LOL???

using my main rig running Win7 x64, Chrome and MSE....no infections according to MSE and Malware Bytes

i do a lot of Hard surfing on my Android device as well, no problems there either as far as i can tell.....
 
I hadn't had MSE or anything until an hour ago.

Installed both MSE and Malware Bytes, update and full scan on both, no infections.

I've been at the forums a dozen times a day and that again for hardocp.
 
like i said in my post you had to manually click the install to catch any virus. so unless you're a complete noob and clicked yes to install a java app on a forum that has never used java then that's your problem.
 
Thanks for all the hard work Kyle, much appreciated :). I'm running Windows 7 64bit with MSE and surf mostly with Chrome, all nice and clean. Had 1 pop-up message the first time around and hit cancel and never seen it again, ran scans with MSE and MB and all came up clean :). With the scrolling issue i just blocked those 2 sites through my router and that was killed too.

Once again, thanks Kyle :).
 
For me in Firefox, it was coming up as a "missing plugin" to view content properly on the page.
Don't tell me the [H]ard was oft on security? :p
 
For me in Firefox, it was coming up as a "missing plugin" to view content properly on the page.
:p

Firefox seems to be common thing on those of us that got hit.

A missing plugin is also what I saw but I never installed anything and still got infected.

ZA did find it and quarantined it. Had 17 occurrences the first time and only 1 yesterday.

Glad it is fixed.
 
like i said in my post you had to manually click the install to catch any virus. so unless you're a complete noob and clicked yes to install a java app on a forum that has never used java then that's your problem.

Not on this one. I got a pop-up about a missing plug-in and did not install and still got infected.
 
We have been suggesting MSE for quite a while now and this last week sure made me a total believer in it. Updated MSE kept three of my systems safe, and we were using the forum system when we knew it was infected.

Chrome caught the first two infections and then MSE caught it when Chrome did not.
 
Doing Full Scans now with MalwareBytes, and then after that, I will with MSE to see if anything's on there, I don't think there will be, if I'm right about the Java thing, then I'm pretty sure I'm ok. Gonna do it just in case, and btw, MSE is really as good as people say it is, it's not only good at picking up threats and infections, but it has a very minimal footprint, which is a relief compared to past usage of Norton Anti-Virus which was just a hog on your resources, not to mention various other pains it caused you.

Anyway, I have faith that the results will come back clean.
 
MSE is pretty much the #1 free choice at the moment, most respectful places recommend it. I mean, you are dividing hairs half the time compared to competitors anyway though :p
I run Eset on one PC and MSE on the other, my Eset computer seems to have caught the junk... It also showed up after a scan as "a variant of java/trogandownloader.openstream.NAS trojan" as shown above.
My MSE computer came away clean though.

Also, when I tried visiting the forums, all I saw was a message that said, "It works!" Was that the hackers or the [H] staff?? I visited before and after that though :p
 
well, here's a report

MalBytes, and MSE both did full scans, both turned up clean.
 
Also, when I tried visiting the forums, all I saw was a message that said, "It works!" Was that the hackers or the [H] staff?? I visited before and after that though :p

That is the default message supplied by a fresh install of Apache webserver.
 
My NOD32 detected a 'Java/TrojanDownloader.OpenStream.NAS trojan' in here a couple of days ago. If you guys want the full report with the offending URL let me know.
 
Win 7 x64 + firefox, MSE 2.0 full scan (this took forever) turned up nothing. Not sure if I should be worried or not. Will run Malwarebytes tonight.

For sure didn't click anything, or even had anything come up to click.
 
If you didn't click on anything it was asking you to, there wasn't an infection on your system, i browsed the site completely when it was infected.
 
I ran a CCleaner and it was still in my temp files, MSE only picked up the trojan when CCleaner was deleting / accessing those files during a clean sweep....
 
I ran a CCleaner and it was still in my temp files, MSE only picked up the trojan when CCleaner was deleting / accessing those files during a clean sweep....

Ah, good call. Did not think to nuke the browser cache too.

I was using firefox and had Java's JRE installed - the Trojan caused a prompt asking if you wanted to run an unsigned applet. At first, I figured it was some low budget advertiser, till I saw the goofiness with the mouse wheel.

Love to get a debrief on the server infection vector. Bad things happen - always good to hear how a black hat did it, so the rest of us can protect our own servers.
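
Added example, not from any poster in this thread: several posts above note that the downloaded Java payload stayed in temp files and the browser cache until something touched it. Cache files usually have no extension, so this sketch classifies files by content (class magic bytes, or a ZIP containing `.class` entries) and reports a SHA-256 for each hit; the sample file names are constructed, and the directory to scan is an assumption you supply.

```python
import hashlib, io, os, tempfile, zipfile

CLASS_MAGIC = b"\xca\xfe\xba\xbe"  # compiled Java class (Mach-O fat binaries share it)
ZIP_MAGIC = b"PK\x03\x04"          # ZIP/JAR local file header

def classify(path):
    """Return 'class', 'jar' or None from file content, ignoring the name."""
    with open(path, "rb") as fh:
        head = fh.read(4)
    if head == CLASS_MAGIC:
        return "class"
    if head == ZIP_MAGIC:
        try:
            with zipfile.ZipFile(path) as zf:
                if any(n.endswith(".class") for n in zf.namelist()):
                    return "jar"
        except zipfile.BadZipFile:
            pass  # truncated or corrupt cache entry
    return None

def find_java_artifacts(root):
    """Walk root and list Java classes/JARs with hashes for AV lookup."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                kind = classify(path)
                if kind:
                    with open(path, "rb") as fh:
                        digest = hashlib.sha256(fh.read()).hexdigest()
                    hits.append({"path": path, "kind": kind, "sha256": digest})
            except OSError:
                continue  # locked or unreadable file; skip it
    return sorted(hits, key=lambda h: h["path"])

def _zip_bytes(member, data):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member, data)
    return buf.getvalue()

def build_sample_cache(root):
    """Constructed sample cache: extensionless names, harmless contents."""
    samples = {
        "3F2A91d01": _zip_bytes("Loader.class", CLASS_MAGIC + b"\x00" * 8),
        "77B0C2d01": b"<html>forum page</html>",
        "A1C4E0d01": CLASS_MAGIC + b"\x00\x00\x00\x32",
        "B9D001d01": _zip_bytes("readme.txt", b"not java"),
    }
    for name, data in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        build_sample_cache(d)
        for hit in find_java_artifacts(d):
            print(hit["kind"], hit["sha256"][:16], hit["path"])
```

A hit only means Java code is sitting in the cache, not that it is malicious; the hash is what you would hand to your AV vendor or compare across machines.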
 
My NOD32 detected a 'Java/TrojanDownloader.OpenStream.NAS trojan' in here a couple of days ago. If you guys want the full report with the offending URL let me know.

Yea I saw that as well. Running 7 64 with nod 4.2
 
Did the server maintenance cause password flushes? After the site was down for awhile this weekend I tried to get back on and for some reason the saved user ID login pull-down shows TWO identical user IDs for me. Both of them failed to log in. Had to go through the password reset routine and it works fine now, but still shows two ID's when logging in. I assume this is because they each have different passwords saved now. This is in FF.
 
I am here browsing on our corp network and [H] no longer blocked. I dreaded the worst in that situation and figured it would be that way forever.

I am guessing that some of our IT Staff hang out here.
 