band forum hacked; possible code execution?

Discussion in 'macOS' started by frozencarbonite, Nov 29, 2006.

  1. frozencarbonite macrumors 6502

    frozencarbonite

    Joined:
    Aug 3, 2006
    #1
    I was surfing band websites last night and went to check out Dead Poetic's website. I went to the forums

    http://www.deadpoetic.com/forum/index.php

    and it said the forum had been hacked. It gave me a window with an image holder question mark and the title of the browser window said something like "Hacked by (blah blah) etc Your Security!" I don't remember the actual name it said. Does anyone know if it's possible for someone to execute code on my machine by doing this?

    I unfortunately had javascript on in Safari. That's what worries me the most. I just reinstalled OS X. I don't want to have to do that again.

    I ran a virus scan (VirusBarrier) but it didn't come up with anything. I also had all of the latest security patches.

    I've submitted this to SANS Internet Storm Center http://isc.sans.org/ to see if I could get any information as to whether code is being executed or not. I haven't heard back from them yet.

    Thanks for any information you may know.
     
  2. Transeau macrumors 6502a

    Transeau

    Joined:
    Jan 18, 2005
    Location:
    Alta Loma, CA
    #2
    Currently, there are no true viruses in the wild that attack OS X, only a few "proof-of-concepts". As far as I know, none of the PoCs have been used to make a real virus. I don't feel that you have anything to worry about.
     
  3. killmoms macrumors 68040

    killmoms

    Joined:
    Jun 23, 2003
    Location:
    Washington, DC
    #3
    This is a hack on the remote server. It has nothing to do with your machine. If I had to guess, it's probably because there was some unpatched vulnerability in the forum software running on the website which was exploited. So, likely just vandalism.
     
  4. Transeau macrumors 6502a

    Transeau

    Joined:
    Jan 18, 2005
    Location:
    Alta Loma, CA
    #4
    I looked at the source of that site.
    The guy just added some JavaScript and a sound file. He exploited a hole in PHP that let him inject some code into the site. It has nothing to do with the client (your computer).
     
  5. Transeau macrumors 6502a

    Transeau

    Joined:
    Jan 18, 2005
    Location:
    Alta Loma, CA
    #5
    Cute.
    He even added in some ad referral code. I guess even script kiddies need to earn a living.
     
  6. frozencarbonite thread starter macrumors 6502

    frozencarbonite

    Joined:
    Aug 3, 2006
    #6
    Thanks guys. I really appreciate it. Javascript has become a big security issue in my opinion. And there is not anything users can do except hope the programmers don't have any errors in their code. I think I'll run Firefox with the NoScript plug-in.

    I tend to worry too much. Especially when it comes to computer security. Ask my fiancée. haha She has a Windows machine, so I'm always having to let her know about new security issues and reminding her to patch.
     
  7. baummer macrumors 6502a

    Joined:
    Jan 18, 2005
    Location:
    Southern California
    #7
    Hmm... well, I don't necessarily believe Javascript is a big security issue. It's been around a long time, and it isn't any more problematic than a badly coded PHP page. There's a lot users can do, and it would seem you know exactly what to do.
     
  8. frozencarbonite thread starter macrumors 6502

    frozencarbonite

    Joined:
    Aug 3, 2006
    #8
    I just received a reply back from SANS Internet Storm Center. Here is his reply:

    ----------------------------------
    Hi Adrian,

    I've quickly checked the web site and it looks like it has just been
    defaced. From my brief overview it doesn't seem like anything malicious
    has been planted on the web site.
    Looking at the defacement group, I would say that it's almost certain
    that they used one of that forum's PHP vulnerabilities, whatever the
    forum is (phpbb or similar).

    Cheers,

    Bojan
    ISC Handler
    ----------------------------------

    So it looks like just someone defaced the site.
     
  9. jeremy.king macrumors 603

    jeremy.king

    Joined:
    Jul 23, 2002
    Location:
    Fuquay Varina, NC
    #9
    You should notify the site's webmaster. Tell him/her to stay current with phpBB if they are going to use it. The site is about 15 dot releases behind. 2.0.6 vs 2.0.21

    P.S. This has nothing to do with Javascript. If you disable it, more than half of the websites on the world wide interweb won't work, since many developers rely on it too much.
     
  10. frozencarbonite thread starter macrumors 6502

    frozencarbonite

    Joined:
    Aug 3, 2006
    #10
    Did you check out the forums?

    Also I can't find a webmaster email address anywhere on the site.
     
  11. jeremy.king macrumors 603

    jeremy.king

    Joined:
    Jul 23, 2002
    Location:
    Fuquay Varina, NC
    #11
    Start with the forum admin.

    http://www.deadpoetic.com/forum/pro...e&u=1641&sid=30816886fa423060c950246ea73fc3ea


    Here's a whois for that site too.

    Registrant:
    Dead Poetic
    Brandon Rike
    10120 Little Richmond Road
    Brookville, OH 45309
    US
    Email: brandonrike17 AT aol.com

    Registrar Name....: REGISTER.COM, INC.
    Registrar Whois...: whois.register.com
    Registrar Homepage: www.register.com

    Domain Name: deadpoetic.com

    Created on..............: Fri, Nov 23, 2001
    Expires on..............: Fri, Nov 23, 2012
    Record last updated on..: Sat, Feb 25, 2006

    Administrative Contact:
    Dead Poetic
    Brandon Rike
    10120 Little Richmond Road
    Brookville, OH 45309
    US
    Phone: 937.687.3260
    Email: brandonrike AT mac.com

    Technical Contact:
    Dead Poetic
    Brandon Rike
    10120 Little Richmond Road
    Brookville, OH 45309
    US
    Phone: 937.687.3260
    Email: brandonrike AT mac.com

    DNS Servers:

    ns2.startlogic.com
    ns1.startlogic.com
     
  12. frozencarbonite thread starter macrumors 6502

    frozencarbonite

    Joined:
    Aug 3, 2006
    #12
    Ok, when I go to the forum, all I get is a blank image holder and nothing else. How are you guys seeing all this other stuff?
     
  13. frozencarbonite thread starter macrumors 6502

    frozencarbonite

    Joined:
    Aug 3, 2006
    #13
    Hahaha, I doubt Brandon Rike checks his email very much since he's the vocalist in the band. I will email him, but I don't know if they are out on tour or anything right now.

    EDIT: I just checked and they are not touring. So I will email him and see.
     
  14. jeremy.king macrumors 603

    jeremy.king

    Joined:
    Jul 23, 2002
    Location:
    Fuquay Varina, NC
    #14
    You can view the source of the website. In Firefox it's under View > Page Source.
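
Added example, not part of the thread and not written by any poster: the manual check described in posts #4 and #14 (reading the page source for injected script and media) done programmatically, by listing inline scripts and active content loaded from a host other than the site's own. The host names, URL and sample page are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Tags that load active or embedded content, mapped to the attribute holding its URL.
ACTIVE_TAGS = {"script": "src", "iframe": "src", "embed": "src",
               "bgsound": "src", "object": "data"}

class ActiveContentAudit(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.site_host = urlparse(page_url).hostname
        self.findings = []            # (kind, tag, detail) tuples
        self._in_inline_script = False

    def handle_starttag(self, tag, attrs):
        if tag not in ACTIVE_TAGS:
            return
        url = dict(attrs).get(ACTIVE_TAGS[tag])
        if url:
            host = urlparse(urljoin(self.page_url, url)).hostname
            if host != self.site_host:
                self.findings.append(("third-party", tag, host))
        elif tag == "script":
            self._in_inline_script = True

    def handle_data(self, data):
        if self._in_inline_script and data.strip():
            self.findings.append(("inline", "script", data.strip()[:60]))

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_inline_script = False

def audit(page_url, html):
    """Return active content in html that is inline or loaded from another host."""
    parser = ActiveContentAudit(page_url)
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample (hypothetical hosts), not the source of the site in the thread.
SAMPLE_URL = "http://forum.example.com/forum/index.php"
SAMPLE = """<html><head><title>Forum</title>
<script src="/forum/templates/menu.js"></script>
<script>document.title = "constructed inline example";</script>
<script src="http://ads.example.net/ref.js?id=0000"></script>
</head><body><embed src="http://media.example.org/sound.mid" hidden="true">
<img src="http://img.example.com/logo.png"></body></html>"""
```

Calling `audit(SAMPLE_URL, SAMPLE)` reports the inline script, the script served from another host and the embedded media file, and skips the site's own script and the plain image. A site owner comparing this output against a known-good copy of the template sees what a defacement added.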
     
