Detected Malware 02/18 @ 08:40 EDT

[Alexander Turcic]

Today the account of one of our moderators was compromised. As a result an attacker used this account at 8:41 AM EDT and injected malicious cross-site-scripting code into our forum software with the goal to gain access to the database. At 9:19 AM EDT team members discovered and removed the code and locked down the compromised account. Due to existing safety measures, access to the database did not occur.

Given the nature of this attack, we contacted everyone who loaded the malicious code (around 30 members) with the suggestion to proactively change their user passwords.

Our apologies for the inconvenience.

Cheers,
Alexander

MobileRead Team

[David Munch]

Uh, I feel special now.

*Changed his password*

[vivaldirules]

Thank you, Alexander, for once again being on top of things and being open about it.

[crich70]

I never even noticed a thing. Guess I missed the (unwanted) excitement.

[Lynx-lynx]

Thank you Alexander for alerting the Community about this attack.

It comforts me to know that you have security measures in place to handle such an attack and/or compromised situation.

Special thanks to the Moderators who were so quick off the mark.

[Billi]

So, have you thrown the commander overboard?

Thanks to the mods who have been so attentive and knowledgeable!

[49Kat]

Quote:

Originally Posted by Alexander Turcic

Today the account of one of our moderators was compromised. As a result an attacker used this account at 8:41 AM EDT and injected malicious cross-site-scripting code into our forum software with the goal to gain access to the database. At 9:19 AM EDT team members discovered and removed the code and locked down the compromised account. Due to existing safety measures, access to the database did not occur.

Given the nature of this attack, we contacted everyone who loaded the malicious code (around 30 members) with the suggestion to proactively change their user passwords.

Our apologies for the inconvenience.

Cheers,
Alexander

MobileRead Team

I'm late to this, as I don't often scroll down to this part of the forum.

Just curious, how would you know who loaded the malicious code? Did it require downloading something or did one just have to land on the wrong page with malicious code loaded into a signature on someone's post or...what? I guess I'm a little paranoid, but I know sometimes just landing on a web page can get one's computer infected.

[Glorfindel]

or even closing one

[49Kat]

Quote:

Originally Posted by Glorfindel

or even closing one

I'm unsure about the nature or intention of this post. I was referring to what is commonly known as a "drive by download".


https://blogs.mcafee.com/consumer/drive-by-download

[Alexander Turcic]

Quote:

Originally Posted by 49Kat

Just curious, how would you know who loaded the malicious code? Did it require downloading something or did one just have to land on the wrong page with malicious code loaded into a signature on someone's post or...what? I guess I'm a little paranoid, but I know sometimes just landing on a web page can get one's computer infected.

Seeing who loaded the malicious code was trivial thanks to the error triggered by it and recorded in our server logs. Through a compromised moderator account the javascript code was embedded in a fake announcement - basically waiting for an administrator to load that page. Once that would have happened, the code should have been able to install a payload software onto our system that could have allowed them access to the database. The exploit has been known since November 2013 when MacRumors, Ubuntu Forums and openSUSE forums were hit by it, and we took precautions to prevent the payload from getting executed. As a side effect, everyone who loaded the code in the duration of those 30+ minutes before we detected it was confronted with an error message.

So in a nutshell, this code was not about infecting your computer (it didn't), but about using your MobileRead credentials to execute administrator commands. Kinda like a brute force attack not caring whether you are actually an administrator or not.

[49Kat]

OK. Thanks, Alexander.

[Glorfindel]

Quote:

Originally Posted by 49Kat

I'm unsure about the nature or intention of this post. I was referring to what is commonly known as a "drive by download".
https://blogs.mcafee.com/consumer/drive-by-download

what I meant was that some viruses attempt to install when you close the page it's on...

[Glorfindel]

you mentioned "landing on a page can get ones computer infected"...

[49Kat]

Quote:

Originally Posted by Glorfindel

what I meant was that some viruses attempt to install when you close the page it's on...

Ah, OK, I see. I wasn't sure if your comment was tongue-in-cheek or not. Hard to tell online sometimes how things are intended. Thanks for clarifying.

Now that you mention it, about things trying to install when you close a web page, a while back I went to a page where a popup window showed up offering to download something, and clicking on any button in that window (even if it said "no" or "cancel") would start a download, or even using the red 'x' in the corner to close the window would start the download. I think in that case I closed the entire browser and ran a scan with Malwarebytes, which did find a partial of a malware file.

I've also had it happen where I've gone to a web page and my AV software popped up a warning about some malware of some sort trying to run. If my memory is correct, I think that was a java exploit, which my antivirus software blocked. (I don't have java on my windows machines anymore.)

When I read Alexander's post, I had wondered if it was that sort of exploit in a signature or something like that that Alexander was referring to.