goproblems.com / 2008 December 27 Hacking Incident


Karl Knechtel: I acknowledge that this is not how SL is intended to be used, but this was the best way I could think of to get a warning out to the community.

As of Dec. 27, 2008, and possibly for some time: it appears that goproblems.com has been hacked, perhaps by SQL injection. Embedded more or less randomly within the text of one of the news items on the main page is an iframe tag linking to some cryptically named directory at 'masturr.cn'. The iframe then attempts to load a document entitled 'php.pdf'. I didn't get a chance to see what would happen as a result; Firefox spun up to 100% CPU at this point (I couldn't even access the task manager) and I decided it would be better just to reboot the computer. After a bunch of frantic checking, everything appears to be fine.

(The last time Firefox hung like this and I waited for my opportunity to end-process it, though, the Windows firewall went down, and I ended up running an extra process (almost certainly malware, but fortunately made itself obvious and was trivial to remove). This is with an up-to-date copy of Firefox - 3.0.5 - there is some scary stuff out there.)

I heard a report from someone on KGS suggesting that the hacked site attempts to push a file called 'snapview.ocx'. Obviously you should not accept any download from the internet that you were not expecting to download, especially with an extension like that (.ocx = an ActiveX component; the only one of these you should ever trust IMO is the one that runs Windows Update).

(I will be emailing the website admin also.)

maruseru: Can't reproduce - but then I'm using Mac OS X, where such Windows malware would have little effect... (Not to start an OS flame war, just to inform.)

It might have been fixed already? Check the source of the webpage? I haven't received a reply to my email.

unkx80: Looking at the HTML source of goproblems.com, I would say that it is not resolved.

2008 December 29

unkx80: The hacking incident appears to be resolved.

(mike2096) yea i got something take down my windows and froze then i couldn't load the pc.... we tried a system suite 8 and it said something about snapshot something.... maybe this caused it.

2008 December 30

RueLue: Interestingly safeweb.norton.com still reports 2 threats on that page: MSIE DHTML CreateControlRange Code Exec
Ok - maybe it's only one threat, as one is on goproblems.com/ and one on www.goproblems.com/
is safeweb.norton.com not up to date?

unkx80: Found Adum's response here: http://www.goproblems.com/forum/viewtopic.php?f=5&t=593&start=0&st=0&sk=t&sd=a&sid=2d2b7a34f12b02b09650e274138d9944

I visually scanned the HTML source code on December 27, and it was obviously hacked. The present HTML source code shows that Adum has removed (or at least attempted to remove) the hijacking.

As for safeweb.norton.com, I am not surprised to see that it will continue to report that goproblems.com is not safe for browsing for quite some time. Sites like this typically poll the sites periodically for updates, and it is not unusual for two consecutive polls to be days or weeks apart.

Tapir: Pretty scary... but what I and maybe someone else want to know most: Is it safe to solve Tsume Go again - as someone with a ms windows operating system and firefox browser? Is it safe to follow your link to goproblems-forum?

2009 January 19

Reuven: what about now? avast! still thinks it's harmful but a brief scan of the main page shows a commented out hidden iframe and a bunch of links (spam) in a hidden div... so not too clear what's going on...

BramGo: indeed when entering goproblems.com I immediately receive a warning. Avast tells me "A Virus Was Found! ... Malware name: HTML:Iframe-inf ; Filename: www.goproblems.com/{gzip}". Scary.

2009 February 3

adum: everything should be fixed now. there were some nasty people hacking the site (they came in through a vulnerability in a piece of 3rd-party software), but i have cleaned it all up, and haven't seen any attacks in a while.

On a different note,

Reuven: maybe it'd be a good idea to change this page to "/status"? also i really think the gp (what i think would be a good alias for it, btw) page itself needs a wme... if nobody'll take it up, i'll try to do it this or the next weekend (depending on net access and time available)

unkx80: The proposed WME page is now made the actual goproblems.com page. The original page is saved as /Version 2009 March 25.
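
The injection pattern reported in this thread (an iframe to a foreign host embedded in page text, later a commented-out iframe and spam links in a hidden div) can be checked for mechanically rather than by reading the source by eye. The following is an added example, not part of the original discussion and not goproblems.com's own code; the class and function names, the host allow-list and the sample HTML with its `.example` domains are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

HIDDEN = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)
IFRAME_SRC = re.compile(r"<iframe\b[^>]*\bsrc\s*=\s*[\"']?([^\"'\s>]+)", re.I)
VOID = {"area", "base", "br", "col", "embed", "hr", "img", "input",
        "link", "meta", "source", "track", "wbr"}

class InjectionScanner(HTMLParser):
    """Heuristic scan of a fetched page for iframe/spam-link injection."""
    def __init__(self, site_hosts):
        super().__init__()
        self.site_hosts = {h.lower() for h in site_hosts}
        self.findings = []  # (kind, url) tuples in document order
        self.hidden = []    # one flag per open element: inside hidden markup?

    def offsite(self, url):
        host = (urlparse(url or "").hostname or "").lower()
        return bool(host) and host not in self.site_hosts

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        hidden = bool(self.hidden and self.hidden[-1]) or \
            bool(HIDDEN.search(a.get("style") or ""))
        if tag == "iframe" and self.offsite(a.get("src")):
            self.findings.append(("offsite-iframe", a["src"]))
        elif tag == "a" and hidden and self.offsite(a.get("href")):
            self.findings.append(("hidden-offsite-link", a["href"]))
        if tag not in VOID:
            self.hidden.append(hidden)  # children inherit the hidden state

    def handle_endtag(self, tag):
        if tag not in VOID and self.hidden:
            self.hidden.pop()

    def handle_comment(self, data):
        # A commented-out iframe is inert but shows the page was tampered with.
        if re.search(r"<iframe\b", data, re.I):
            m = IFRAME_SRC.search(data)
            self.findings.append(("commented-iframe", m.group(1) if m else ""))

def scan(html, site_hosts):
    scanner = InjectionScanner(site_hosts)
    scanner.feed(html)
    scanner.close()
    return scanner.findings

# Constructed sample page; the .example hosts are placeholders.
SAMPLE = """<html><body>
<div class="news">New problems <iframe src="http://injected.example/x7q/" width="1" height="1"></iframe> added.</div>
<!-- <iframe src="http://injected.example/old/"></iframe> -->
<div style="display:none"><p><a href="http://spam.example/pills">cheap</a></p></div>
<a href="/forum/">forum</a> <a href="http://www.goproblems.com/faq">faq</a>
</body></html>"""
```

Run it as `scan(page_source, {"goproblems.com", "www.goproblems.com"})` against a saved copy of the page; an empty list means none of the three patterns were found, not that the page is clean.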


goproblems.com / 2008 December 27 Hacking Incident last edited by Unkx80 on March 25, 2009 - 11:09