geekhack hacked again!?

metafour

28 Jun 2012, 14:01

7bit wrote:
metafour wrote:The problem is that it has happened a number of times now. If more secure software is not going to be used then I think moving to a different domain needs to be tested to see if the intrusions cease.
...
The domain name will not change much!

Solution for GeekHack:
- moving to a new software
- moving to a new backup system
- moving to deskthority.org

I take the 3rd solution.
:-)
According to this thread it appears you have already moved here:
http://geekhack.org/showthread.php?3290 ... no-package

I believe it has been mentioned in the past that the belief is the site's domain name is the largest contributing factor to the intrusion attempts.

Acanthophis

28 Jun 2012, 14:12

metafour wrote:I believe it has been mentioned in the past that the belief is the site's domain name is the largest contributing factor to the intrusion attempts.
Well, duh!

7bit

28 Jun 2012, 14:13

DeathAdder wrote:3rd solution would be a disaster...
Yes.

We need another site (deskhack.net) with an orange/black theme!
:evilgeek:

Acanthophis

28 Jun 2012, 14:15

Why not canthackthis.org?

ripster

28 Jun 2012, 14:56

This could affect my Wiki page views.

I have 1 million now but was hoping to hit two before the site died.
Most Popular Ripster Guides: ONE MILLION VIEWS!


MOST POPULAR - THE TOP 20 RIPSTER GUIDE HITS BY HISTORICAL VIEWS:
>159K The Geekhack Mechanical Keyboard Guide
>110K Ripster And Chloe's Cherry MX Wiki
>83K Geekhack Worldwide Shopping Links
>69K Ripster Review of Das/Filco
>67K Ripster's Model M Comparison - IBM to Lexmark to Unicomp - Did Quality Decline?
>63K Ripster's Nostromo N52 Mod Adding Cherry MX Switches
>60K All About Keys
>47K Ripster's Guide To Doubleshot Key Swaps
>46K Ripster And Chloe All About ALPS Guide
>43K Ripster's NKRO Guide
>32k Ripster's Key Pulling Guide
>33k Ripster Review of Filco Tenkeyless Brown Cherry (Gen1)
>33K Ripster's Model M Rivet Replacement Guide
>30K PBT Versus ABS Keys - Abrasion and Chemical Tests of KBC/Ducky PBT and Filco ABS keys
>30K Ripster's Key Reference
>30K RipOmeter
>30K Ripster's Guide to The Mystery of The Topre Capacitive Switch and Stiffness Mod
>20K Ripster's Retrobrite Guide - Get Rid of That Yellow Piss Color
>20K Ripster's Megasound Roundup
>20k Paul Rand, The Designer of The Model M Logo


>One Million Views!

TWO million eyeballs.

NEXT A BIIILLLLLIIIIOOOONNNN!

ripster

28 Jun 2012, 15:06

Hmmmmmm...

NOW the Geekhack moderators are finally silent at least. Such a chatty bunch.

Junior Member, Join Date: Jan 2012, Posts: 18
is there any way to remove that trojan?

i got it because i turned off noscript on this site :/
They never were good at PRACTICAL advice.

postlapsaetia

28 Jun 2012, 15:33

MSE just caught Exploit:Java/CVE-2012-0507.BQ for me. A full Malwarebytes scan turned up with nothing. Now I have NoScript running and I'm staying clear of GH until this problem is resolved.

off

28 Jun 2012, 15:36

@postlapsaetia: Did you get that with noscript running (and geekhack disallowed), or did you install it afterwards?

Acanthophis

28 Jun 2012, 15:36

Great. Now I am with my gf at her home 600km away from my possibly infected PC...

ripster

28 Jun 2012, 15:39

HPV virus shot reminder for everyone!

Infected PCs are annoying.

Infected penises are SERIOUS BUSINESS!

Acanthophis

28 Jun 2012, 15:44

Ripster and his penis talk...

Icarium

28 Jun 2012, 15:50

Until my computer starts to act weird I will just assume that I didn't catch anything.
In this respect I did feel better when I was still using Linux, though.

ripster

28 Jun 2012, 15:51

People that worry more about all their Geekhack keyboard pics being lost than their penises being infected have their priorities ALL WRONG!

IPad through a proxy here. Last thing I want to do is give my IP address to some dude named ROOTWORM.

But I'll save you the trouble. Only clueless Asians seem to be posting at Geekhack today.
Last edited by ripster on 28 Jun 2012, 16:00, edited 5 times in total.

webwit
Wild Duck

28 Jun 2012, 15:56

The urban legend persists that it is because of the name. Although all the people who come up with that story don't provide actual evidence. This is because it isn't true. Script kiddies don't scan for web sites with that word in it. They scan all web sites, IP range by IP range. The same vulnerabilities they try on each IP and domain name. So on deskthority too, they check for a wild variety of exploits for software which isn't there, like wordpress and vbb. Then usually the web server just returns that the page doesn't exist. The reason geekhack keeps getting hacked is because they use a popular target with lots of holes (vbb) and because, despite all earlier hacks, they fail to update to the latest patches before the exploits are turned into script kiddie tools.
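
A server operator can check the point made in the post above against their own access log. The following is an added example, not part of webwit's post or of either forum's code: it groups 404 responses by client and flags clients that asked for files of several products that are not installed. The log lines are constructed, and the `ABSENT_SOFTWARE` path list is a hypothetical fingerprint set chosen for illustration.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines (combined log format); the addresses come
# from documentation ranges and the requests are illustrative.
SAMPLE_LOG = """\
203.0.113.7 - - [28/Jun/2012:14:01:02 +0000] "GET /wp-login.php HTTP/1.1" 404 209 "-" "-"
203.0.113.7 - - [28/Jun/2012:14:01:03 +0000] "GET /forum/showthread.php?t=1 HTTP/1.1" 404 209 "-" "-"
203.0.113.7 - - [28/Jun/2012:14:01:04 +0000] "GET /wp-admin/ HTTP/1.1" 404 209 "-" "-"
198.51.100.23 - - [28/Jun/2012:14:02:10 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.23 - - [28/Jun/2012:14:02:15 +0000] "GET /old-link.html HTTP/1.1" 404 209 "-" "Mozilla/5.0"
192.0.2.44 - - [28/Jun/2012:14:05:00 +0000] "GET /showthread.php?t=9 HTTP/1.1" 404 209 "-" "-"
this line is malformed and must be skipped
"""

# Hypothetical fingerprint list: path prefixes of software that is NOT
# installed on the server whose log is being read.
ABSENT_SOFTWARE = {
    "wordpress": ("/wp-login.php", "/wp-admin/"),
    "vbulletin": ("/showthread.php", "/forum/showthread.php"),
}

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')

def probes_by_client(log_text):
    """Map client IP -> set of absent products it asked for (404 responses only)."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ip, _method, target, status = m.groups()
        if status != "404":
            continue
        path = target.split("?", 1)[0]  # ignore the query string
        for product, prefixes in ABSENT_SOFTWARE.items():
            if path.startswith(prefixes):
                hits[ip].add(product)
    return dict(hits)

def likely_scanners(log_text, min_products=2):
    """Clients probing for several unrelated absent products look like generic scanners."""
    found = probes_by_client(log_text)
    return sorted(ip for ip, products in found.items() if len(products) >= min_products)

if __name__ == "__main__":
    print(probes_by_client(SAMPLE_LOG))
    print(likely_scanners(SAMPLE_LOG))
```

A visitor following one dead link (the `/old-link.html` request) is not flagged; only requests for files of products the server does not run are counted.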

off

28 Jun 2012, 16:05

Quite plausible; but that would indicate iMav and his hosting service really lack common sense, after all this time even.

Still do have the feeling these 'hacks' might actually be targeted, at GeekHack (for instance by Ripster's partner who wants to spend more time together), or perhaps after all because of the name; a site with geek&hack in the name that has seemingly very weak protection is the penultimate target to make a point / score points.

ripster

28 Jun 2012, 16:10

Being permabanned for saying having 23 moderators for a small hobby forum was a crazy idea I can confirm iMav has little common sense.

itlnstln

28 Jun 2012, 16:12

ripster wrote:Being permabanned for saying having 23 moderators for a small hobby forum was a crazy idea I can confirm iMav has little common sense.
That, and basically granting moderator privileges to anyone that asked. Not only is that a lack of common sense, but it also showed/shows how seemingly out of touch he is with the forum.

webwit
Wild Duck

28 Jun 2012, 16:12

Like I said they try the same exploits at other sites such as deskthority. Vbb, latest version May 22, 2012. Update quicker.

TexasFlood

28 Jun 2012, 16:24

Sifo wrote:
TexasFlood wrote: Really? Wow, looked that up, discovered in 2004!
Anything important about it? I couldn't find anything.
I googled it and found a blurb somewhere which listed this as mapped to what Symantec calls Downloader.Psyme, so unless that mapping is not accurate, check the info at that link.
Quick summary...
Downloader.Psyme is a Trojan horse that downloads and executes a file using a known exploit of ADODB Stream objects in Microsoft Internet Explorer.
Threat Assessment
Threat Containment: Easy
Removal: Easy
Damage Level: Low

postlapsaetia

28 Jun 2012, 16:28

off wrote:@postlapsaetia: Did you get that with noscript running (and geekhack disallowed), or did you install it afterwards?
I got it with noscript disabled. I had it disabled because it was annoying me a lot, but now I just configured it for the sites I visit most and so that it doesn't notify me of every little thing.

Ekaros

28 Jun 2012, 16:38

So crap security on a site whose name begs to be hacked? One or other is manageable but both? I think name also does drag some attention, but yeah, security and a few other issues...

metafour

28 Jun 2012, 16:45

The fact that a known exploited site that is reportedly attempting to spread malware is left running and publicly accessible while, and I quote, "iMav is evaluating where to go from here," does not inspire confidence.

I'd like to know what the rationale is for having the site up still.

ripster

28 Jun 2012, 16:49

Well, ask the moderators there, not here.

Rknize and Mkawa appear to have scurried off.

thegunner100

28 Jun 2012, 16:50

ripster wrote:People that worry more about all their Geekhack keyboard pics being lost than their penises being infected have their priorities ALL WRONG!

IPad through a proxy here. Last thing I want to do is give my IP address to some dude named ROOTWORM.

But I'll save you the trouble. Only clueless Asians seem to be posting at Geekhack today.
Hey, I'm not THAT clueless!

ripster

28 Jun 2012, 16:57

Rofl.

This btw means all my Lego and Meme pics are hosed? Oh well, no loss, I have backup copies.
mkawa, MODERATOR TEAM ("punch me if you need to"), Join Date: Oct 2010, Location: SoCal, Posts: 2,331
the forum database is intact modulo whatever they are trying to inject in it right now, but we lost a very very large number of attachments (nearly all of them) in the initial attack yesterday. don't expect for much additional media to come back.

i expect that the way things will stabilize is that a) we will have a lot of new software, but not a lot of old content b) the same fantastic geekhack community

i believe that with b, we can minimize the downsides of a, so i want to thank everyone for being understanding during this trying period for all of us, and if you think you can help, now might be the time to consider what you can bring to the table.
Oh wait, does he mean iMav is finally putting up Mediawiki and hosing my VbVaultWiki wikis?

ABOUT TIME!

They are getting out of date.

longweight
key-bored

28 Jun 2012, 17:43

Ergh.

I started to be redirected but I don't think that I have an infection, scanned with Kaseya, Malwarebytes and MSE is running a scan at the moment.

They need to change the domain name imo and seriously think about getting more money into the site.

ripster

28 Jun 2012, 17:52

GeekWhack.

And the problem always has been that iMav does NOT run it professionally for the money as far as I can tell. Frankly, sometimes I wonder WHAT his goal is. A bit of Vigilink revenues, free bandwidth, frankenstein hardware, and donations doesn't seem to be doing the job.

He SHOULD assign a moderator to do Vbulletin updates.

Duh.
Last edited by ripster on 28 Jun 2012, 17:54, edited 4 times in total.

TexasFlood

28 Jun 2012, 17:52

longweight, the info I looked up so far points to, although this malware is labeled as "trojans", that they are not permanent or doing any real damage to web clients hitting the geekhack index. I see no damage or persistent infections on my PC. Looks like the index has been hot wired in some way to prevent the redirect as of now. Guess that could change as this thing has managed to come back at least a couple of times already, but fixed for NOW.

ripster

28 Jun 2012, 17:55

TexasFlood, I like your cheery optimism. My computer sure got hosed last time.

7bit

28 Jun 2012, 18:01

off wrote:Quite plausible; but that would indicate iMav and his hosting service really lack common sense, after all this time even.
...
Even if GeekHack is hacked because of the name and even if iMav is incapable of switching over to something more modern, there still is the question why there are no proper backups, so the loss after a rollback would be minimal.

Also: I'm so lucky I never found out how GeekHack wikis worked.
