Attach site warning???

[eelamb]

Update, my software is again warning me the site has code on it. Again it is a redirection code.

[lynnfrwd]

We are obviously back online, but I do not know anything beyond that.

[cmorlier]

Hi Everyone,
I can confirm that the CarveWright front page and the CarveWright forum were hacked several times starting on Friday morning. The hackers inserted an <iframe> element in the HTML code to include their malicious site when our pages loaded. The malicious sites all had web addresses ending in "cx.cc". In general, our website should only include HTML from other CarveWright pages or occasionally mainstream sites like google.com or facebook.com. Be wary if you see data loading from any sites with unfamiliar web addresses.

We have identified an IP address used by the attackers, and have blocked that address and taken other steps to prevent unauthorized access. While I am hopeful that we have resolved the problem for now, we have not definitively identified how the hackers gained access. So over the next several days, we will be reviewing our web security and security processes to prevent future attacks.

[eelamb]

Thanks Chris, and good work. Check your .htaccess files for code inserted in those. Also best to change all FTP passwords. This is what I have done in the past for sites I host.

Oh it looked like the attacker was from Monbia India. Using an ISP ip address, it may help tp block that ISP's ip address range.

[b.sumner47]

Big Thank You. You guys are on the ball. Capt Barry

[cmorlier]

Hi Everyone,

I just wanted to update you on what we've found with the malware warnings.

As previously posted, we did find that someone had gained access to our site and inserted HTML <iframe> tags, linking to other malicious sites in both the Forum and main page headers. It is clear that the hacker(s) did gain access to the forum, but we have no indications that they gained access to our webserver.

What steps have we taken to remove the malware and prevent future hacks?
1) We have removed the malicious code from our site, and Google is no longer generating warnings about our site.
2) The vBulletin forum software was out of date, so we have updated to the latest version.
3) We have blocked the IP address range from which the hackers were accessing the site, purged dead administrative accounts, and required all administrative users to update there passwords. We have also changed passwords of users who had easy to hack passwords.
4) Even though there is no indication that our server itself was breached, we are taking precautions there as well. We are checking that software is up-to-date, disabling unused software, purging dead accounts, and updating passwords. We have also scanned our web pages (including the .htaccess files, thanks eelamb) and have not found anything else suspicious.

Having not had many problems in the past, we had become a little complacent about keeping everything up-to-date. However, moving forward we will strive to be more vigilant.

That said, please be proactive about your own safety. Make sure you keep your browser software up-to-date to ensure you have that latest and greatest security features and patches.

We appreciate your support and understanding as we have worked through this problem.

[eelamb]

Chris, once again you have done a great job in securing this forum, and protecting the community members. THANK YOU

[dbfletcher]

I second Eddie's comments. It is always a struggle staying one step ahead of the bad guys...

[pkunk]

Thanks Chris, and good work. Check your .htaccess files for code inserted in those. Also best to change all FTP passwords. This is what I have done in the past for sites I host.

Oh it looked like the attacker was from Monbia India. Using an ISP ip address, it may help tp block that ISP's ip address range.

The majority of the bogus/scammer new users that I ban are from India or China. Why do we need to have any forum members from those IPs?