Sift Was Hacked

Apologies for the downtime. We were hacked this weekend and wanted to make sure we got all of the malicious code out. I will be posting some updates as I learn more about the exploit, and will hopefully get you guys some information about how to patch your machines.


For those who are curious the exploit in question was mpack.


It's also worth noting that this exploit only targeted users with unpatched machines so as always it is prudent to keep your machine up to date.


Update: After some review of our logs and data we tracked the incident to approximately 6:30 pm EST Monday night. We took the site offline around 10 am EST so the exploit was live for around 16 hours. We've contacted the abuse email for the IP in question, but chances are that it was just a compromised PC. I'd like to personally apologize for this lapse in security, and let you guys know that we are taking measures to reduce our liability in the future.


grspec says...

Shit happens, James. The key is to minimize the impact and the loss of data, which you appear to have done. It's difficult to keep a machine up to date against exploits that haven't even been patched yet. Thanks for the update and good job.

MINK says...

i am super mega interested to know how they hacked...
did they get in to the server thru the back door or did they go thru the website and exploit some ajax or php type thing?

sorrry if i just said something completely nonsensical. i am dangerously semitechnical.

I mean... was it the videosift app that let them in, or something else on the server?

btw... macs rule.

drattus says...

Are we sure the site is clean? I checked the log for eTrust Pest Patrol, it quarantined Emusaffil A at 1:12 pm, about the time I first checked in here today. I'm checking some other things and ways now to make sure that's it, caught it before it could install so I'm ok there.

The eTrust page shows that as a high risk one, if many others have it we might want to front page a scan and fix for that and whatever else turns up.

joedirt says...

If you are running IE then you deserve any infections you get from malicious webpages. Use Firefox and you don't have to worry that visiting a webpage will hose your computer.

Guys, I don't know what kind of sysadmin you are doing. Here's what you need to type:

sudo cat /var/log/auth.log | /dev/siftbot -mode overlord

karaidl says...

I KNEW something was giving me viruses! I just ran a McAfee scan last night and found 49 detections. Couldn't figure out what it could possibly be. Wasn't opening up strange email or going to bad sites.

Mostly these weird DS/Downloader Trojans that kept showing up in my Temporary Internet Files.

James Roe says...

Sylvester_Ink

It appears they executed a script inside of our server that targeted all php and html files with the words:

"admin, login, index, footer, header, and options"

Then their script inserted an iframe. You can just go to your root html directory and type

grep IFRAME */* and see if anything shows up.
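
Added example, not part of the original comment or the site's own tooling: a recursive, case-insensitive version of the check described above, which marks hits in files whose names contain the targeted words. The function names, the sample web root and the placeholder.invalid URL are constructed for illustration.

```shell
#!/bin/sh
# Constructed example: find PHP/HTML files under a web root that contain an
# <iframe> tag and mark those whose names match the words the script targeted.

# File-name words quoted in the comment above.
TARGET_WORDS='admin|login|index|footer|header|options'

# scan_webroot DIR  ->  one line per hit: "<TARGETED|other> <tag count> <path>"
# (paths containing newlines are not handled)
scan_webroot() (
    find "$1" -type f \( -name '*.php' -o -name '*.html' -o -name '*.htm' \) |
    while IFS= read -r file; do
        # -i: match IFRAME or iframe; -o: count tags rather than lines
        count=$(grep -oi '<iframe' "$file" | wc -l | tr -d ' ')
        [ "$count" -gt 0 ] || continue
        if basename "$file" | grep -Eqi "$TARGET_WORDS"; then
            tag=TARGETED
        else
            tag=other
        fi
        printf '%s %s %s\n' "$tag" "$count" "$file"
    done | LC_ALL=C sort
)

# make_sample_root  ->  prints the path of a constructed sample web root
make_sample_root() (
    d=$(mktemp -d)
    mkdir -p "$d/inc" "$d/blog/admin"
    printf '<html>home\n<IFRAME src="http://placeholder.invalid/"></IFRAME></html>\n' > "$d/index.php"
    printf '<div>footer</div><iframe src="http://placeholder.invalid/"></iframe>\n' > "$d/inc/footer.html"
    printf '<html>clean login form</html>\n' > "$d/blog/admin/login.php"
    printf '<html><iframe src="/embed/player"></iframe></html>\n' > "$d/video.html"
    printf 'notes about IFRAME tags\n' > "$d/readme.txt"
    printf '%s\n' "$d"
)

root=$(make_sample_root)
scan_webroot "$root"
rm -rf "$root"
```

TARGETED lines are the ones to inspect first; lines marked other may be legitimate embeds and need a manual look at the iframe's src.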

drattus says...

Firefox here, but according to what was posted above Firefox might not be safe either if it has an outdated IE plugin, or perhaps through Quicktime or other plugins as well. It's a world above IE in general for security though.

karaidl says...

Well karaidl you use AOL so you deserve what you get

That made me chuckle. Yes, I'm truly a masochist of the internet world. Actually, since Sift was hacked, I started viewing the site in FF, cuz AOL kept freezing up and of course, the trojans sucked.

dag says...

As much as it's fun to blame the hax0rs, it's our server- we will do our best to make sure it doesn't happen again. The good news is that I think that the vast majority of our members are very cluey and would have patched, up to date systems. ;-)

prisonpanda says...

Jeez, that's a nasty piece of work, and the Russian gangs are selling this thing at 900 quid a go? Damn, that's not good for the future if that's a sign of things to come.

TBH I NEVER use IE, in fact I tell anyone I know not to use it. I'm not sure how IE 7 is nowadays in comparison to Firefox, is it still the same pile of crap it was before? Anyone got some info on how both compare for security etc?

karaidl says...

When I read the review in PCWorld a while back it said that the security between the two was roughly even at the time. However, it also noted that FF made several updates in the time that IE was able to make just one, and expected it to do so in the future. Undoubtedly, if they ever were even, FF has surpassed IE again. (And AOL, as I've just recently had first hand knowledge on.)

Speaking of FF, anyone got any addon recommendations? I've been going through PCWorld's list of essential addons - find.pcworld.com/56100

swampgirl says...

I guess I'm only marginally geeky, silvercord... I'm currently trying to figure out what I'm infected with. I have McAfee and I've run it, but I just tried the Panda scan mentioned above and it said I have something.
I use Firefox btw

Any suggestions? (help)

batmanuel says...

FF extensions I cannot live without:

Nuke Anything Enhanced - Allows removal of almost anything on a webpage, for example, nuking freaky avatars of man-titties.
https://addons.mozilla.org/en-US/firefox/addon/951

Flashblock - Blocks Flash so it won't get in your way, but if you want to see it, just click.
https://addons.mozilla.org/en-US/firefox/addon/433

Web dev - So many good tools that are not just for web development
https://addons.mozilla.org/en-US/firefox/addon/60

SessionSaver - Restores your browser session and more
https://addons.mozilla.org/en-US/firefox/addon/436

Plain text to link
https://addons.mozilla.org/en-US/firefox/addon/623

GreaseMonkey - customize any web page
https://addons.mozilla.org/en-US/firefox/addon/748

MediaPlayerConnectivity - launch embedded media in vlc, mplayer, winamp, etc.
https://addons.mozilla.org/en-US/firefox/addon/446

karaidl says...

Hmmmm... this is weird. My Google toolbar went away, and I can't seem to get it back. I've tried reinstalling it several times. It went away after I install the Netcraft anti-phishing extension, by recommendation of PCWorld.

[Edit] - Nevermind, I fixed it.

xxovercastxx says...

My own experiences with AVG were underwhelming. I also used Clam for a while, and though clamav/clamd works nicely on *nix, I found clamwin to be fairly lacking. I recommend Avast for free antivirus these days. Just make sure to change or disable the definition update sound, lest you be scared out of your chair on a daily basis.

Something else to keep in mind is that every Firefox addon is a potential attack vector. Limit yourself to the few you actually need. I use only Flashblock and SearchWords.

looris says...

[OT@Karaidl] a counter-suggestion: now, install and play with any addon you like. But remember that addons slow down A LOT the starting of FF, so if you don't want to wait ages to start it, you'll have to decide what to keep and what to disable.

J-Rova says...

The address I use for this site is relatively new; not many people have it because I can't stand spam, and so far so good...haven't gotten a single bit yet. However, I recently received one that was odd... the subject said something about receiving an application for employment or something like that, but there was no body text except for the confidentiality warning, which is usually attached after emails from employers, hospitals, etc. (after that, there was a similar one about the IRS, which I'd never seen before)... both seemed to be a signature on an email which otherwise contained no text. So I looked to see who it was from, and it was from "unknown@unknown.unknown" It's true I've been looking for a few jobs lately, but I don't recall applying at the CIA. So, A) it had me wondering if it was correlated to the security breach here, (ie intruders obtaining email addresses) and/or B) has anyone had a similar experience with gmail, especially with the triple-unknown "From" address?
