
Malware Issue

Hello everyone,

Earlier today, we started getting reports from people who received the following malware warning notice when they browsed the Bulbagarden forums in Google Chrome or Mozilla Firefox.

"The site ahead contains malware. Attackers currently on 194.6.233.8 might attempt to install dangerous programs on your computer that steal or delete your information."

On investigating the issue, we've found that the culprit was a small 1x1 iframe that was somehow injected into the forum's copyright notice footer. The IP address of this attack resolves to the Ukraine, which is currently a hotbed for this kind of thing. We are not yet 100% certain how this was achieved, but we believe the attack vector was most likely one of a small number of out-of-date forum addons that we'd delayed upgrading as we prepared to replace the Bulbagarden forum server (yeah, there's a new forums server coming, surprise!). For now, we've been able to successfully band-aid over the issue by removing the copyright footer entirely; however, this is not a permanent fix.

We would also suggest that as a matter of general safe browsing practice, you install a browser extension like NoScript. If you are using that extension and did not allow the rogue IP, there should be nothing whatsoever to worry about. Those of you who accessed the forums and received this warning should run your standard suite of anti-virus and malware checks, just to be safe, but we've received no reports as of yet of anyone actually having something planted onto their computer.

At this point, we do not believe that the Bulbagarden forums server or database has been directly compromised. Your account details should be safe. As a matter of routine security however, you should make sure that you are not using the same password on other websites as you do on Bulbagarden. You may wish to change your password on Bulbagarden as well if you fear something may have been compromised.

We'll keep you posted on how things go. If we're right about the source, then simply upgrading all these addons should fix the problem. If not, then we'll let you know. In the unlikely event there has been a server/database breach, there will be a mandated password reset enforced.
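The symptom described above (a 1x1 iframe pointing at a bare IP, injected into a template footer) is easy to scan for. The following is an added example, not code from the thread or from vBulletin: it parses rendered template HTML, flags iframes that are tiny or hidden and whose src points off-site, and runs over a constructed sample footer. The allow-list and the documentation-range IP are assumptions for the example.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed allow-list: hosts the site legitimately embeds. Anything else in an iframe is suspect.
ALLOWED_HOSTS = {"bulbagarden.net", "forums.bulbagarden.net"}


class IframeFinder(HTMLParser):
    """Collect the attributes of every <iframe> tag in the document."""
    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def _dim(attrs, name):
    """Numeric width/height in px, or -1 when absent or not a plain number."""
    try:
        return int(attrs.get(name, "").rstrip("px") or "-1")
    except ValueError:
        return -1


def _is_tiny(attrs):
    """1x1 (or 0x0) frames, or frames hidden by inline style, are typical of injected loaders."""
    style = attrs.get("style", "").replace(" ", "").lower()
    tiny = 0 <= _dim(attrs, "width") <= 1 and 0 <= _dim(attrs, "height") <= 1
    return tiny or "display:none" in style or "visibility:hidden" in style


def _host_suspicious(src):
    host = urlparse(src).hostname or ""
    if not host:
        return False  # relative src: stays first-party
    try:
        ipaddress.ip_address(host)
        return True  # bare IP literal: legitimate embeds are not referenced this way
    except ValueError:
        return not any(host == h or host.endswith("." + h) for h in ALLOWED_HOSTS)


def find_injected_iframes(html):
    """Return src values of iframes that are both hidden/tiny and point off-site."""
    p = IframeFinder()
    p.feed(html)
    return [f.get("src", "") for f in p.iframes if _is_tiny(f) and _host_suspicious(f.get("src", ""))]


# Constructed sample footer; 192.0.2.10 is a documentation-range placeholder, not the thread's IP.
SAMPLE_FOOTER = ('<div id="footer_copyright">Copyright 2002-2014 Bulbagarden.'
                 '<iframe src="http://192.0.2.10/in.php" width="1" height="1" frameborder="0"></iframe>'
                 '<iframe src="https://forums.bulbagarden.net/widget" width="1" height="1"></iframe></div>')
```

Run it against a dump of your rendered templates (vBulletin stores them in the database, so a template diff against a known-good export catches the same thing) and alert on any non-empty result.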
 
An update. We've updated relevant addons, and confirmed that they are not the attack vector. We now believe this is a vulnerability in the forum software itself, specifically one that's allowing for remote code injection. At this stage, we do not believe the forums database has been compromised. We're currently moving to contact vBulletin to see if we can identify what could be the root cause of this issue.
 
Has this issue come up for other forums using the vB4 suite? Seems a bit surprising that in the... four? years that BMGf has been using vB4 this vulnerability has only now been identified.
 
Similar issues have cropped up for other forums, though not recently. One similar issue we've identified appears to have been reported in 2013, but it's not clear if that's the same vulnerability or simply an attacker using different means to achieve the same ends.

At this point, we believe the issue has been successfully resolved. We've removed that band-aid we were putting in place before, and the problem has not re-asserted itself. We'll keep an eye on things and re-apply that band-aid if it does come back, but for now we're not expecting any issues.
 
Just to follow up on the message from the other day. We're continuing to investigate exactly how this issue came about in the first place, and have narrowed down the possibilities to a shortlist of possible attack vectors. We're waiting to hear back from vBulletin support as to their findings, but at this point we're quite confident that the attacker did not have database access, and that there is no threat to user information.

As we said in our initial message, as a matter of routine security you should make sure that you are not using the same password on multiple websites. As a (perhaps overly paranoid) precaution, we would also suggest that anyone who visited the Bulbagarden forums from April 6th to April 8th reset their passwords. Though we don't know exactly how the malware in that iframe worked, it's possible it was attempting to steal passwords as people entered them to log in. If you already have good internet security and have different passwords on other websites, that's not going to be much of an issue for you. If you use that same password on other websites with more sensitive info however (such as your email account, or a social networking account), you could potentially be at risk.
 
This was clearly an attempt by Team Rocket to steal your Pokemon.
...wait, Archaic is with Team Rocket. Oh crap.

This kind of thing can happen when running unpatched forum software and/or mods/addons. For this reason, I keep mine up to date and run it essentially stock, to make maintenance easier and the whole thing more secure. I'd say it's very unlikely that a zero-day attack took place here--a known, unpatched bug was likely exploited. In addition to checking the forum software, I'd check the stuff running on the server itself.

Get rid of this crappy software and move to xenForo.
 
I hope we can find a permanent fix soon... But at least we're safe for now.
 
For the record...we were not using unpatched forum software. Our vBulletin was fully up to date. The software that was out of date was a small number of 3rd party addons. Furthermore, the bugs in those that had been patched in the versions we hadn't yet installed when this happened had nothing to do with security (and weren't anything to do with the attack vector that was used here).
 
The software that was out of date was a small number of 3rd party addons.

With respect, vBulletin addons are still software that is processed by the PHP system, and have access to the MySQL database. Any vulnerabilities in those can easily cause trouble for the entire system.

I'm not saying it did - as you have pointed out that the bugs in those addons weren't responsible - I was just pointing out that out of date forum software, or out of date addons, will cause vulnerabilities regardless of the forum software used. :)
 
I would suggest a middleman to separate the smaller addons from the main PHP server, but even that is susceptible. I'll sub to this thread to see if anything new comes up.
 