Geofex hacked; de-lousing under way

Started by R.G., July 07, 2014, 11:51:34 PM


R.G.

I found that Geofex has been hacked. It seems to be a spam redirection to Japanese (I think - my kanji is rusty  :icon_biggrin: ) sites for designer sunglasses or some such, but there's always the potential for other mischief.

I've welded some back doors shut and done a first fumigation, but there may still be bugs buried in there.

So if Geo looks odd or does funny stuff, please PM me as soon as possible. I have the hosting provider working on the back end as well as me weeding out bugs on my own.
R.G.

In response to the questions in the forum - PCB Layout for Musical Effects is available from The Book Patch. Search "PCB Layout" and it ought to appear.

WhiskeyMadeMeDoIt


digi2t

Can't understand why anyone would do such a thing...

A pox on their house. :icon_evil:
Dead End FX
http://www.deadendfx.com/

Asian Icemen rise again...
http://www.soundclick.com/bands/default.cfm?bandID=903467

"My ears don't distinguish good from great.  It's a blessing, really." EBK

greaser_au

Quote from: digi2t on July 08, 2014, 06:21:46 AM
Can't understand why anyone would do such a thing...

Usually it's a hacked site with some nasty hidden JavaScript code, redirecting you to another site with some more nasty JavaScript code <possibly more redirections> redirecting you to a Russian, Chinese, Korean or Brazilian website with the actual payload - often a botnet trojan, an address harvester, keylogger or a spam generator. The payload can be delivered and installed with no warning to the user (this is why one should NEVER do day-to-day things using an account with root/administrator privilege).

Yes, there needs to be a punishment commensurate with the crime... a sarlacc, perhaps... :)

david

Thecomedian

You could always offer them a link for their sunglasses and demand revenue from them  :icon_lol:

On the bright side, it means your website is that popular that they considered it a viable source of money generation.
If I can solve the problem for someone else, I've learned valuable skill and information that pays me back for helping someone else.

MrStab

i guess a chronic lack of vagina (or appropriate external orifice) has that effect on spot-ridden basement-dwellers  >:(
Recovered guitar player.
Electronics manufacturer.

petemoore

 Thanks RG for [and from] all of us [you know who you are] !
I was already scouring out a way to express our gratitude and now this !
Convention creates following, following creates convention.

deadastronaut

https://www.youtube.com/user/100roberthenry
https://deadastronaut.wixsite.com/effects

chasm reverb/tremshifter/faze filter/abductor II delay/timestream reverb/dreamtime delay/skinwalker hi gain dist/black triangle OD/ nano drums/space patrol fuzz//

R.G.

Quote from: WhiskeyMadeMeDoIt on July 08, 2014, 12:22:59 AM
I posted this a few weeks ago http://www.diystompboxes.com/smfforum/index.php?topic=107625.0
Glad you found those nasty buggers.

Apparently that thread coincided with me being on a trip and I didn't see it. Dang!! I only found out when geofex came up in a different search.

So far, the attack seems to have been a spam spreader, not a malware installer - at least as far as I can tell. I've deadened the links to the spam as well as the javascript redirections inside the page, at least to a first order. I went through all the files last night to try to find any I didn't put there.  Now I'm working on the "system" files that are part of the mechanization of the page.

Secondary direct links should be fine. I have not taken the step of taking Geofex off line for this, largely based on it appearing to be spam, not malware, and the tracks of the break in being fairly easy to find. If that turns out to be optimistic, I'll take it off line for a day or two while I sterilize it. The site is all backed up, so the content will not be lost, and worst case I can rebuild it.
R.G.

In response to the questions in the forum - PCB Layout for Musical Effects is available from The Book Patch. Search "PCB Layout" and it ought to appear.

seedlings

Quote from: R.G. on July 08, 2014, 09:23:03 AM

Apparently that thread coincided with me being on a trip and I didn't see it.

Inside job.  :D ;D

CHAD

Ice-9

If people like this put their time into legitimate affairs they could actually make a better impact on things and more money, toss pots that they are..
www.stanleyfx.co.uk

Sanity: doing the same thing over and over again and expecting the same result. Mick Taylor

Please at least have 1 forum post before sending me a PM demanding something.

R.G.

Sadly, that is not true. The day of the lone hacker doing juvenile mischief  for fun or minor rewards is over. Hacking has moved over to being an organized criminal enterprise. When it was discovered that you could take in a lot of money by writing exploits and compromising computer systems, the equivalents of the old Mafia moved in.

Governments too have found that being able to burrow their way into everyone's computers is useful too, as we have been made only too aware.

There are differences between organized crime and governments - aren't there?  :icon_biggrin:

In any case, the hacking community finds vulnerabilities and cracks them, and then replicates that crack many, many times using their computers to "mass produce" the hacking. This multiplies the money take. A lot.

Philosophically, a legitimate function of a government would be to make the very easy communications allowed by the internet be fast, safe, and secure. This will not happen, as it would compromise the governments' abilities to use the hacking for their own uses, even if they had the capabilities. I think we're stuck with hacking and spying for my lifetime at least.
R.G.

In response to the questions in the forum - PCB Layout for Musical Effects is available from The Book Patch. Search "PCB Layout" and it ought to appear.

Kipper4

Thanks for everything you do for all of us RG
I love your site, it's a constant source of information.
Ma throats as dry as an overcooked kipper.


Smoke me a Kipper. I'll be back for breakfast.

Grey Paper.
http://www.aronnelson.com/DIYFiles/up/

Seljer

Hah, the NoScript addon for Firefox did me well, I didn't notice anything :D

R.G.

I use NoScript all the time, as a practice. It's a PITA when you happen to hit one of those sites where absolutely nothing works without sucking in content from 30-40 other sites. I think the biggest hit list I've found is 43 other sites to format one page.

But that's also the beauty - sites don't just get to cram all kinds of stuff into your browser. I'm a big fan of running with shields up.

BTW, the traps were implanted ASP code hooked to a few of the website features. I keep thinking the hacker left themself a back door somewhere, but I haven't found it yet and I'm down to actually reading html code to see.

Hmmm... I think I might just run the whole site through a text search utility looking for "*script*" and ".asp"! That would sure be faster than some of the alternatives.
R.G.

In response to the questions in the forum - PCB Layout for Musical Effects is available from The Book Patch. Search "PCB Layout" and it ought to appear.
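
The text search R.G. describes above, combined with his earlier step of looking for files he didn't put there, as an added example that is not part of the original thread. It assumes a clean backup copy of the site exists to compare against; the function names, patterns and sample files are constructed for illustration.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# The two search terms from the post, as byte regexes (files may not be UTF-8).
PATTERNS = {
    "script": re.compile(rb"<\s*script\b|javascript:", re.I),
    "asp": re.compile(rb"\.asp\b|<%", re.I),
}

def digest(path):
    return hashlib.sha256(path.read_bytes()).hexdigest()

def audit(live_root, backup_root):
    """Flag files that are new or changed relative to the backup, with pattern hits."""
    live_root, backup_root = Path(live_root), Path(backup_root)
    findings = []
    for path in sorted(p for p in live_root.rglob("*") if p.is_file()):
        rel = path.relative_to(live_root)
        ref = backup_root / rel
        if not ref.is_file():
            status = "new"          # a file the owner did not put there
        elif digest(ref) != digest(path):
            status = "changed"      # content differs from the known-good copy
        else:
            continue                # identical to the backup copy
        data = path.read_bytes()
        hits = sorted(name for name, rx in PATTERNS.items() if rx.search(data))
        findings.append((rel.as_posix(), status, hits))
    return findings

def demo():
    """Build a constructed backup/live pair and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        backup, live = Path(tmp, "backup"), Path(tmp, "live")
        for root in (backup, live):
            (root / "fx").mkdir(parents=True)
            (root / "index.htm").write_bytes(b"<html><body>Articles</body></html>")
            (root / "fx/fuzz.htm").write_bytes(b"<html><body>Fuzz notes</body></html>")
        # Constructed tampering: an injected script tag and an unknown ASP file.
        (live / "index.htm").write_bytes(
            b'<html><body>Articles<script src="//placeholder.invalid/r.js"></script></body></html>')
        (live / "fx/stats.asp").write_bytes(b'<% Response.Redirect("http://placeholder.invalid/") %>')
        return audit(live, backup)

if __name__ == "__main__":
    for rel, status, hits in demo():
        print(f"{status:8} {rel:20} {','.join(hits) or '-'}")
```

Comparing against the backup first keeps the result list short: only files that are new or modified get pattern-checked, so legitimate scripts already present in the known-good copy do not drown out the implants.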

aron

Wow, yes this was posted in the off topic forum, but I was able to get to geofex so I thought nothing of it.

rocket8810

wtf of all sites to hack. I was going to post something about it being odd when I tried to get on, to re-read something important I forgot, but things got really crazy here. It's a shame we can't find who did it and do the same thing to them. Karma's gonna catch them.

greaser_au

Quote from: R.G. on July 08, 2014, 05:45:09 PM
BTW, the traps were implanted ASP code hooked to a few of the website features. I keep thinking the hacker left themself a back door somewhere, but I haven't found it yet and I'm down to actually reading html code to see.
Hmmm... I think I might just run the whole site through a text search utility looking for "*script*" and ".asp"! That would sure be faster than some of the alternatives.

there is a lot to be said for straight hard-coded HTML...   :)    (yes, I know, the maintenance and update processes would be misery)

david

Strat68

I think I'm seeing these hacks on other DIY sites as well.  I visited several last night and saw a bunch of strange pages pop up.  I started my protection software into full scan mode which usually works.  About half a dozen programs got installed that I had to remove.

R.G.

I finished my searching, deleting and repairing a couple of days ago, and had google re-crawl the site. Now not only me but the magic google bots think that geofex.com is clean.
R.G.

In response to the questions in the forum - PCB Layout for Musical Effects is available from The Book Patch. Search "PCB Layout" and it ought to appear.