
frozencarbonite

macrumors 6502
Original poster
Aug 3, 2006
I was surfing band websites last night and went to check out Dead Poetic's website. I went to the forums

http://www.deadpoetic.com/forum/index.php

and it said the forum had been hacked. It gave me a window with an image holder question mark and the title of the browser window said something like "Hacked by (blah blah) etc Your Security!" I don't remember the actual name it said. Does anyone know if it's possible for someone to execute code on my machine by doing this?

I unfortunately had JavaScript on in Safari. That's what worries me the most. I just reinstalled OS X. I don't want to have to do that again.

I ran a virus scan (VirusBarrier) but it didn't come up with anything. I also had all of the latest security patches.

I've submitted this to SANS Internet Storm Center http://isc.sans.org/ to see if I could get any information as to whether code is being executed or not. I haven't heard back from them yet.

Thanks for any information you may know.
 
Currently, there are no true viruses in the wild that attack OS X, only a few "proof-of-concepts". As far as I know, none of the PoCs have been used to make a real virus. I don't feel that you have anything to worry about.
 
This is a hack on the remote server. It has nothing to do with your machine. If I had to guess, it's probably because there was some unpatched vulnerability in the forum software running on the website which was exploited. So, likely just vandalism.
 
I looked at the source of that site.
The guy just added some JavaScript and a sound file. He exploited a hole in PHP that let him inject some code into the site. It has nothing to do with the client (your computer).
 
Thanks guys. I really appreciate it. JavaScript has become a big security issue in my opinion. And there is not anything users can do except hope the programmers don't have any errors in their code. I think I'll run Firefox with the NoScript plug-in.

I tend to worry too much. Especially when it comes to computer security. Ask my fiancée. haha She has a Windows machine, so I'm always having to let her know about new security issues and reminding her to patch.
 
Hmm... well, I don't necessarily believe JavaScript is a big security issue. It's been around a long time, and it isn't any more problematic than a badly coded PHP page. There's a lot users can do; and it would seem you know exactly what to do.
 
I just received a reply back from SANS Internet Storm Center. Here is his reply:

----------------------------------
Hi Adrian,

I've quickly checked the web site and it looks like it has just been
defaced. From my brief overview it doesn't seem like anything malicious
has been planted on the web site.
Looking at the defacement group, I would say that it's almost certain
that they used one of that forum's PHP vulnerabilities, whatever the
forum is (phpbb or similar).

Cheers,

Bojan
ISC Handler
----------------------------------

So it looks like someone just defaced the site.
 
You should notify the site's webmaster. Tell him/her to stay current with phpBB if they are going to use it. The site is about 15 dot releases behind. 2.0.6 vs 2.0.21

P.S. This has nothing to do with JavaScript. If you disable it, more than half of the websites on the world wide interweb won't work, since many developers rely on it too much.
 
Did you check out the forums?

Also I can't find a webmaster email address anywhere on the site.
 
Start with the forum admin.

http://www.deadpoetic.com/forum/pro...e&u=1641&sid=30816886fa423060c950246ea73fc3ea


Here's a whois for that site too.

 
Ok, when I go to the forum, all I get is a blank image holder and nothing else. How are you guys seeing all this other stuff?
 
Hahaha, I doubt Brandon Rike checks his email very much since he's the vocalist in the band. I will email him, but I don't know if they are out on tour or anything right now.

EDIT: I just checked and they are not touring. So I will email him and see.
 