and as promised here's the 'report' of what has happened, what we know, and
what we've done about it,

apologies for any inconvenience,

cheers
niall

We received a report from a user of an unusual alert from their
anti-malware software, where it appeared that a domain known to host
malicious JavaScript was accessed from a Windows-Noob page. An analysis at
the time did not detect any unusual changes to the forum software and
concluded that the most likely scenario was a malicious advertisement in
the Google/DoubleClick ecosystem. At this time, the skins for the IP.Board
software were re-cached as a precaution.

Some time later, some proxy servers' content categorisation system began to
categorise Windows-Noob.com <http://windows-noob.com> as "Suspicious". We
were frustrated at the time to have little to no further information as to
why this was the case. Only one of the website scanners we used to try and
externally determine if there was an infection showed an issue: it had
"Detected reference to malicious blacklisted domain myitforum.com". This
domain obviously is quite legitimate, but had been compromised in the past,
as have many websites that accept user generated content. We were assured
that the infection issue on myitforum.com had been resolved, but in an
effort to remove the "Suspicious" category from Windows-Noob.com
<http://windows-noob.com>, removed all outbound links to myitforum.com from
our site. We did not at this stage connect the earlier report and this
issue.

None of the highly respected external systems like Google Webmaster Tools
at any point suggested that we had been infected, and the 'detection' was
limited to this one website scanner, which gave us these results
referencing myitforum.com.

Later still, we received another report from a user that their browser had
been redirected to a malicious domain after visiting Windows-Noob from a
search engine result page. We also finally received detailed information
from the proxy server categorisation system provider that gave specific
detail as to our “Suspicious” categorisation.

A packet capture on the Windows-Noob server was taken over a few hours and
then analysed. With the reported information from the user, we quickly
identified injected JavaScript based on the reported malicious domain.

The injected JavaScript was located in the theme cache files and was
removed. Additional aggressive monitoring was put in place to try and
determine if there was an active entry vector for the attacker.

Later on that evening, malicious JavaScript re-appeared, detected by our
additional monitoring that was put in place, and we promptly removed it
again. Detailed analysis, including log file and packet capture analysis
was performed to try and determine the attack vector, but no promising
leads were found.

The injected JavaScript then did not re-appear after that second
appearance, and we unfortunately remain in the dark as to how the attack
occurred. Our improved monitoring systems remain in place.

The code, once unpacked and analysed, was actually quite rudimentary and
simply injected references to the malicious JavaScript if certain
conditions were met (user was referred from a search engine result page,
and using certain browsers). Extensive reviewing of log files revealed no
evidence of any other intrusion, but we accept that given our lack of
understanding of the original attack vector, we cannot determine if any
other actions were taken.

Because we were unable to determine with confidence the source of the
injected JavaScript and the attack vector used, we took the step of a
complete server reinstall from known good media. The forum software has
been completely reinstalled from a fresh download of the IP.Board software
and all old and non-essential files removed.

At the same time, we have taken other steps to protect users, including
implementing mandatory HTTPS across the site (long overdue!), which would
have, in this scenario, prevented injected JavaScript on HTTP domains
executing in users' browsers and also protects passwords in transit.

We apologise to users that this happened and particularly that we didn't
spot it quickly enough. We hope as fellow IT professionals you appreciate
the challenges in defending complex systems that are exposed to the world,
especially on a very modest budget. We have learned a lot from this
incident, despite the frustration of not knowing the original attack
vector, and will continue to work hard to do better.

It is a good idea, given what has happened, to reset your password for this
site. This will also have the effect of invalidating the passwords that
used to transit in the clear over HTTP and mean that your new password will
not have traversed the public internet unencrypted. The standard advice
about also resetting any other password that you might have shared with
this site applies too.
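One way to implement the "additional monitoring" of the theme cache described above, as an added example that is not part of Niall's report or of the IP.Board software: a Python script that baselines the cache directory by file hash, then on each run alerts on changed or new files and on any script source pointing to a host outside an allowlist, or on an obfuscated eval/document.write loader of the kind the report describes. The cache path, the allowlisted hosts and the sample file contents are assumptions for the example.

```python
import hashlib
import re
from pathlib import Path

# Assumed allowlist: hosts a clean theme is expected to load scripts from.
# Replace with your own site's hosts; these names are assumptions for the example.
ALLOWED_SCRIPT_HOSTS = {"windows-noob.com", "www.windows-noob.com", "ajax.googleapis.com"}

# Matches <script ... src="http(s)://host/..." or src="//host/..." and captures the host.
SCRIPT_SRC_RE = re.compile(
    r"<script[^>]*\bsrc\s*=\s*['\"]?(?://|https?://)([^/'\"\s>]+)", re.I)
# A packed loader fed to eval()/document.write() is a red flag in a theme cache file.
OBFUSCATION_RE = re.compile(
    r"(eval|document\.write)\s*\(\s*(unescape|String\.fromCharCode|atob)", re.I)

def external_script_hosts(html):
    """Return script-src hostnames in the HTML that are not in the allowlist."""
    hosts = {m.group(1).lower() for m in SCRIPT_SRC_RE.finditer(html)}
    return sorted(h for h in hosts if h not in ALLOWED_SCRIPT_HOSTS)

def scan_html(text):
    """Return a list of findings for one file's contents (empty list if clean)."""
    findings = [f"external script host: {h}" for h in external_script_hosts(text)]
    if OBFUSCATION_RE.search(text):
        findings.append("obfuscated eval/document.write loader")
    return findings

def baseline(cache_dir):
    """Map relative path -> sha256 hex digest for every file under the cache directory."""
    root = Path(cache_dir)
    return {str(p.relative_to(root)): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*") if p.is_file()}

def check_cache(cache_dir, known_good):
    """Compare the cache directory with a saved baseline; return {file: [alerts]}."""
    root = Path(cache_dir)
    current = baseline(cache_dir)
    alerts = {}
    for rel, digest in current.items():
        if known_good.get(rel) != digest:
            reason = "hash changed" if rel in known_good else "new file"
            text = (root / rel).read_text(errors="replace")
            alerts[rel] = [reason] + scan_html(text)
    for rel in known_good.keys() - current.keys():
        alerts[rel] = ["file removed"]
    return alerts
```

Run baseline() once right after a clean reinstall, store the result, and run check_cache() from cron against it; a non-empty result is the alert.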


On Fri, Dec 4, 2015 at 4:19 PM, Niall Brady <[email protected]> wrote:

> awesome info Todd i'll get my web admin researching that ASAP,
>
> and i'll report back anything found too.
>
> cheers
> niall
>
> On Fri, Dec 4, 2015 at 4:12 PM, Miller, Todd <[email protected]>
> wrote:
>
>> I pressed the folks at bluecoat to give us details on why windows-noob
>> was being blocked.  “I need it to do my job and it has been blocked for a
>> month!,” I said and if it is just because it is hosting scripts that might
>> look dodgy, then that is to be expected.  Lots of client management scripts
>> can appear to be “hacker tools” to heuristic scans. Meanwhile, I’ve
>> discovered the wifi in the office next to mine doesn’t go through a proxy,
>> so if I take a laptop and sit right next to the wall in my office I can
>> access windows-noob and myitforum.  It is pretty inconvenient, but worth
>> it.
>>
>>
>>
>> This is the direct response we got from bluecoat on Wed Dec 4th about
>> Windows-Noob.  – they did not respond to us regarding MyItForum.
>>
>> After review, this domain has been redirecting/referring to a known
>> exploit kit domain, smartfenia[.]com. Traffic for this has been happening
>> for the last week and is current (within the last 24 hours). The MO of this
>> attack is that a malicious injected script has been placed somewhere on
>> this site. I am unable to identify exactly where. The current rating will
>> be maintained until this behavior ends. Thank you for your submission.
>>
>> I don’t know anything about web hosting so I don’t know if that
>> information is useful, accurate, or relevant to you.  If we start blocking
>> every site that LINKS to a bad site, well there is not going to be much
>> left on the internet.  It is a “web” after all.
>>
>>
>>
>>
>>
>> *From:* [email protected] [mailto:
>> [email protected]] *On Behalf Of *Niall Brady
>> *Sent:* Thursday, December 03, 2015 11:56 PM
>> *To:* [email protected]; Rod Trent
>>
>> *Subject:* Re: [MDT-OSD] persistent Pre-TS action in WinPE?
>>
>>
>>
>> thanks Rod for that info, I did request more info several times
>> previously but did not get that snippet of info, however i will now run
>> with it and update this thread once i know more,  i do appreciate that info!
>>
>>
>>
>> On Fri, Dec 4, 2015 at 12:49 AM, Rod Trent <[email protected]>
>> wrote:
>>
>> Actually, there’s more to it and not necessarily due to out of date
>> plugins. Google changed its criteria recently on the “safeness” of
>> downloadable scripts – which myITforum has supplied for the last 15 years
>> for IT folks . A lot of those proxy protector sites pull information from
>> Google to update their own service. Until Google updates, they won’t update.
>> So the issue is with Google. We’re actively working on it, but, Niall, you
>> might also check to ensure you fit Google’s criteria.
>>
>>
>> *From: *Niall Brady
>> *Sent: *Thursday, December 3, 2015 5:57 PM
>>
>> *To: *[email protected]
>> *Subject: *Re: [MDT-OSD] persistent Pre-TS action in WinPE?
>>
>>
>>
>>
>>
>> no problem Todd, glad to have helped finally,
>>
>> as regards windows-noob being blocked or compromised, *it's a farce*, it
>> all stems from myitforum.com having had wordpress plugins that were *out
>> of date*, as a result that site (myitforum) got blacklisted, and in turn
>> as i had *11 links back to myitforum.com <http://myitforum.com>*,
>> amazingly windows-noob.com got blacklisted. yes you read it right,
>> windows-noob was blacklisted because of out of date plugins on
>> myitforum.com.
>>
>> sadly, those proxy protector sites that blacklisted windows-noob aren't
>> that clever at updating their cached results, so even though i removed the
>> links about two weeks ago, my site still remains blacklisted, even at the
>> company i work for.
>>
>> i'm really not impressed by that at all. :(
>>
>>
>>
>> On Thu, Dec 3, 2015 at 11:44 PM, Miller, Todd <[email protected]>
>> wrote:
>>
>> Niall --- thank you *very* much for this tip.  I have all kinds of other
>> ideas on how to use this.  Your post at www.windows-noob.com was easy to
>> follow and worked great.  I got it right on the first try! which is great
>> because updating the WinPE boot image is quite a task to have to iterate
>> with tweaks/changes/typos over and over.
>>
>>
>>
>> In my opinion Microsoft’s field guide for OSD 802.1x implementation
>> should be updated to include this method to re-establish an 802.1x
>> connection during WinPE phases.
>>
>>
>>
>>
>>
>> It looks like I will have to neither retire early nor take a long
>> vacation :)
>>
>>
>> *From:* [email protected] [mailto:
>> [email protected]] *On Behalf Of *Niall Brady
>> *Sent:* Wednesday, December 02, 2015 11:58 AM
>> *To:* [email protected]
>> *Subject:* Re: [MDT-OSD] persistent Pre-TS action in WinPE?
>>
>>
>>
>> Have a look at checkfornetwork and storage on windows noob, it runs
>> before any prestarts via a reg hack
>>
>>
>>
>> Sent from my phone, please excuse any typos as a result.
>>
>>
>>
>>
>> On 02 Dec 2015, at 18:21, Miller, Todd <[email protected]> wrote:
>>
>> I am interested in running a pre-TaskSequence routine *every time* my
>> clients boot into WinPE during a task sequence.   What is the best way to
>> accomplish this?  I’m not talking about a pre-execution hook which only
>> runs on *first* WinPE boot.
>>
>>
>>
>> I have added a command to unattend.xml on the WinPE image and it works
>> great for the first boot onto the WinPE OS, but when the TS engine stages
>> the Boot Image onto the disk for subsequent PE reboots, it overrides that
>> function with its own WinPEUnattend.xml
>>
>>
>>
>> Is there a way for me to insert anything in front of the Task Sequence
>> engine to run before the Task sequence takes over?
>>
>>
>>
>> I want to use this to attach to our 802.1x network, but it could be used
>> to re-establish DART or any of number of things.
>>
>>
>>
>> Of course I can insert items in the task sequence after every “Reboot”
>> item to re-establish the network, but it would be much better if I could
>> just make that happen at every reboot.  Putting those in the TS itself
>> sub-optimal since there is a long delay at each TS startup if the network
>> is not available.  Is there any way to insert my own code into the WinPE
>> start for all the staged PE reboots?
>>
>>
>>
>> I have started re-look at OSDInjection.xml as I used that previously to
>> write a custom smsts.ini file to my WinPE boot images.  It doesn’t appear
>> that winpeshl.ini is listed in OSDInjection.xml so some other process is
>> creating that file?  I think my best hope is to use this process to inject
>> the necessary 802.1x files into the WINPE image using the standard means
>> for extra files and then use osdinjection.xml to figure out how to modify
>> the WinPE startup process.  Just not sure which ini file I need to
>> inject/modify that can survive both the WinPE build process and the TS
>> WinPE staging process.  I think the console even overwrites the
>> WinPESHL.ini file if I use OSDInjection.xml to write a custom one.  Ugh!
>>
>>
>>
>>
>>
>> I really could use a way to inject a network startup process into the
>> WinPE boot process  - not only to establish 802.1x connections but I think
>> others could use it to establish VPN early in the WinPE boot process as
>> well.
>>
>> (Please --- I’m not interested in bypassing 802.1x  in other obvious ways
>> like having build benches with 802.1x disabled ports or using MAC
>> whitelisted devices to bypass 802.1x auth…  I know about those options  and
>> am using them already.  We want to get away from whitelisted USB Ethernet
>> adapters for deskside re-deploys)
>>
>>
>>
>> Notice: This UI Health Care e-mail (including attachments) is covered by
>> the Electronic Communications Privacy Act, 18 U.S.C. 2510-2521, is
>> confidential and may be legally privileged.  If you are not the intended
>> recipient, you are hereby notified that any retention, dissemination,
>> distribution, or copying of this communication is strictly prohibited.
>> Please reply to the sender that you have received the message in error,
>> then delete it.  Thank you.
>>
>>
>
>