Forum problems - No pictures

[Andreas Umnus]

I've got problems with the forum since it restarted yesterday.
I don't see the User Avatars and what's more worse is I don't see the posted pictures in the forum.
When I click at the attached picturs, I get the information:

Information

The selected attachment does not exist anymore.

The file ./../files/7_e790d0f4e6f565f8fe5eaa99d5fae11a does not exist.

For example:
In the thread Rovos Rail I wanted to see the
Rovos Charter returns. I can't see pictures.

All I see is:

Attachments

september2010 086z.jpg
Driver Cliff Petzer and trainee driver Gilton- an historic occasion
september2010 086z.jpg (131.46 KB) Viewed 116 times

No pictures.

I use firefox but I tried it also with Internet Explorer. There is the same problem. No pictures.

Has anyone the same problem?

[Steve Appleton]

Hi Andreas,
I am aware that there are only a few pics on the forum at present. The reason is that some 15 000 items (about 1.6 GB - most of the pics) still need to be restored from a backup following the re-installation of the site's software after the website was hacked. I hope to have that completed over the weekend.
Meantime, please accept my apologies for this -- unfortunately this was the second almost identical hack we have suffered of this type, and I am braced for more. If it's any consolation, it is apparently estimated that at least 250 000 web sites, mainly on shared servers, running various applications that use php software (as this site does) suffered the same or a similar fate. From research on the net, and when one plows past all the hysteria and misinformation, it seems that the exact method used to facilitate the attacks is not yet fully understood which means that any possible security loopholes that allowed entry are not yet closed.
What I do know, from the site access logs (every single access request is recordered - even yours) , is that in the minute preceeding the hacking, the site was accessed from Moldova -- not to an ordinary web or forum page, but more deeply to a software module. Being a fairly IT-literate person, I know that was not normal - most likely deliberate. How that was used to gain further access and infect all the site's software I do not know -- I suspect the hacker covered his tracks by finally deleting any scripts used to gain access and do the damage.

[HenryLazenby]

What does the hacker gain from destroying a forum like this?

[Steve Appleton]

Henry, good question.

Essentially the hackers care nothing about the websites they have hacked. Most usually want to use those sites as vectors to get their 'payloads' across. Those payloads may be from a message, a worm, a virus, trojan, some other malware like a keylogger, or even website spoofing (the banks are vulnerable to the latter). The aims are as varied and as long as you like. A few hackers (those that emulate the original ones) are plain vandals only intent on destruction of the website and its content but, as alluded to above, most are not. So, generally any damage done to the website is simply a by-product of achieving an aim.

Another reason people hack websites is to get at the information or data stored within it (or stored elsewhere), usually by breaking through the security into the website's underlying database. That way they may get to usernames, passwords, email addresses and even credit card numbers and bank account details. This group of hackers rarely defaces the websites they have hacked because that would reveal their activities. Some hackers insert silent redirects to spoof websites that collect information, like usernames, passwords, bank details, credit card numbers, etc. Instead of overcoming the difficulties of stealing that information from a database they merely spoof you into supplying it.

In the case of the hacking that ocurred here, the intention was to redirect people willynilly to various malware websites which then attempted to download their malware onto the users' computers. The hacker did that by somehow "injecting" a block of additional, thinly disguised php program code into the start of each and every one of the php program modules making up this website's applications.

They did not "break" the website in the true sense: the underlying functionality was still there, but you would have had to put up with a myriad of "virus" warnings generated by your computer first -- assuming you practice "safe computing" and had already installed good anti-virus/anti-malware software to start with. The worst case scenario would be that your computer was left infected with goodness knows what malware afterwards, and that the website performance was degraded.

[Aidan McCarthy]

Hi,

The attack on the website is a fairly common form of attack. They redirect you to a site that pretends to be an anti-virus/malware checking site which pops up lots of fake messages that you are infected. Unfortunately for naive users they do look like they come from windows, then it presents a link to purchase some fake anti-virus software to solve the problem. If the user is naive enough to hand over their credit card info to the crooks and downloads the "anti-virus software" ,t he result is that the crooks then have their credit card info and the fake software actually installs malware and trojans on the users computer that is used to steal banking login data and make the computer part of a botnet. The user thinks they are safe as they have installed anti-virus software.

For the crooks this is a good approach even if it has a low take up, as they get everything credit card, ownership of user computer and personal info.

Cheers

Aidan

[Steve Appleton]

Yep, Aidan,

I read that itis estimated that at least 200 000 to 300 000 websites using php software have been hacked in exactly this way over the last few months. Who counts that I do not know. Sites running Joomla, phpBB, WordPress, osCommerce and many other open source php-scripted apps have been targetted.

[John Ashworth]

Members may have noticed that the site was down again just a couple of days after Steve got it up and running. It was hacked a second time within days (third time overall). It's up and running again now but once again some features are missing, including many of the photos. They will be restored in due course from our back-up.

More serious for FOTR is that our main website was also hacked. This is having an adverse affect on bookings for our trains during the busy pre-Christmas season. Steve and Mike are working hard to get the main website up again as soon as possible, and currently that's a greater priority than fixing the small bugs in the forum.

Our apologies to our forum members. I'm not an internet fundi, but I understand from Steve that this is an attack that is affecting hundreds of thousands of sites and the weakness is in the ISP, so there's little we can do about it in the short term.

[Andreas Umnus]

Hi Steve,
First: Thank you for doing such a good job to restore the pictures to the forum.

Now, while I have some time I read some threads I haven't seen before. And I found some
threads already where are still problems with the pictures.
For example this one:
http://www.friendsoftherail.com/phpBB2/ ... 106&t=3178

Missing pictures in this thread but...
it is possible to open the pics by clicking on the file name.

Any chance to change it?

[Steve Appleton]

Hi Andreas,
Thanks. I see what you mean. No idea why. I will attempt tolook into it over the weekend. Priority is rebuilding the main website though.