
 
RichardPrice
Topic Author
Posts: 4474
Joined: Sat Apr 23, 2005 5:12 am

Wierd Redirect On A NonAV Thread

Wed Oct 18, 2006 8:39 pm

When visiting this thread:
MP3 Files Question (by Wardialer Oct 18 2006 in Non Aviation)

SIA fan's post has a javascript mouseover redirect on the blank part of his post, sending you to:
http://shinigami.byethost32.com/c.php?c=non_aviation_Threads=

with the airliners.net cookie info attached to the end of that URL, which includes a significant amount of information.

I hope the requisite action is taken.

This has also been sent as a 'suggest delete', but I want other users of this board to be aware.
 
strasserb
Posts: 1497
Joined: Fri Nov 11, 2005 7:46 pm

RE: Wierd Redirect On A NonAV Thread

Wed Oct 18, 2006 10:36 pm

Currently this happens with all posts of "SIA fan".
You can check it here as well: New Forum Search Engine (by Administrator Oct 12 2006 in Site Related)
Still, even in the most arid desert is an airport somewhere ...
 
Kieron747
Posts: 2461
Joined: Wed Feb 16, 2005 7:17 am

RE: Wierd Redirect On A NonAV Thread

Wed Oct 18, 2006 11:56 pm

Quoting StrasserB (Reply 1):
Currently this happens with all posts of "SIA fan".

Is it something done intentionally by SIA or a glitch with the site?

Thanks

kieron747
Airliners.Net - The Jam Rag Of The Web.
 
RichardPrice
Topic Author
Posts: 4474
Joined: Sat Apr 23, 2005 5:12 am

RE: Wierd Redirect On A NonAV Thread

Thu Oct 19, 2006 12:03 am

Quoting Kieron747 (Reply 2):
Is it something done intentionally by SIA or a glitch with the site?

It's 99.99% certain that it's not a glitch with the site (watch me be proven wrong) other than the forum code should strip out such things, and I've not seen any spyware or malware which targets users' posts to forums in such a way; I'm inclined to believe it's intentional on his part for motives unknown.

I won't comment on possible uses, but suffice to say it's not polite and can be likened to stealing.
 
bmibaby737
Posts: 1653
Joined: Sun Jun 12, 2005 1:07 am

RE: Wierd Redirect On A NonAV Thread

Thu Oct 19, 2006 12:04 am

I too got taken to this page!

Quoting RichardPrice (Thread starter):
which includes a significant amount of information.

Enough for us to have to change passwords?

Bmi
 
RichardPrice
Topic Author
Posts: 4474
Joined: Sat Apr 23, 2005 5:12 am

RE: Wierd Redirect On A NonAV Thread

Thu Oct 19, 2006 12:36 am

Quoting BmiBaby737 (Reply 4):

Enough for us to have to change passwords?

Taking a quick look through the *58* cookies Airliners.net utilises, I can't make that determination - however, your username is stored, your email address is stored, and there is something there which looks suspiciously like an md5sum'ed password (but I trust Johan enough as a developer to believe he would never save such info in a cookie).

Also stored is a PHP session ID, which can be used to hijack your logged-in session, but as a password is required on all posts I'm not entirely sure what he could do with this other than drop your account.

The short of it is - I don't know, I could be getting the wrong end of a stick here and it's all innocent, but it looks very suspicious from where I'm sitting.
 
MYT332
Posts: 7302
Joined: Mon Sep 08, 2003 7:31 pm

RE: Wierd Redirect On A NonAV Thread

Thu Oct 19, 2006 1:07 am

Quoting StrasserB (Reply 1):
New Forum Search Engine

That just happened to me in that thread too, I'd like to know what is going on here please.

Edit: Jesus, there's even a log which has my email in here! I'm not happy, Ban this guy.

http://shinigami.byethost32.com/log.txt

[Edited 2006-10-18 18:17:21]
One Life, Live it.
 
RichardPrice
Topic Author
Posts: 4474
Joined: Sat Apr 23, 2005 5:12 am

RE: Wierd Redirect On A NonAV Thread

Thu Oct 19, 2006 1:19 am

Quoting Myt332 (Reply 6):
Edit: Jesus, there's even a log which has my email in here! I'm not happy, Ban this guy.

http://shinigami.byethost32.com/

The website has been updated, but I managed to get a copy of the log.
 
GSM763
Posts: 573
Joined: Sat Jan 07, 2006 3:35 am

RE: Wierd Redirect On A NonAV Thread

Thu Oct 19, 2006 3:44 am

Arrgh, so that's what happened when I went there. I've changed passwords just in case. Good thing my password to things I pay for is not the same as this one.
 
Jaspike
Posts: 4843
Joined: Sat Feb 23, 2008 1:40 pm

RE: Wierd Redirect On A NonAV Thread

Thu Oct 19, 2006 3:50 am

The log is now "hasil.txt"...

If they can get our email address from our profile, can they get the passwords too?

Tom
 
chachu201
Posts: 773
Joined: Fri Apr 28, 2006 5:22 am

RE: Wierd Redirect On A NonAV Thread

Thu Oct 19, 2006 5:06 am

OK guys, thanks for bringing this up, and just to let you know, we're looking into it, but if anyone has any useful information, could you either email the team at [email protected] or post a reply on here.

Many Thanks,

Gabriel
 
Feroze
Posts: 698
Joined: Fri Dec 17, 2004 11:05 am

RE: Wierd Redirect On A NonAV Thread

Thu Oct 19, 2006 7:26 am

Interesting to note that this appears on SIAfan's profile: "This user chose to end his or her First Class Membership. We are holding his/her username though in case he or she choose to come back....
 
ikramerica
Posts: 15135
Joined: Mon May 23, 2005 9:33 am

RE: Wierd Redirect On A NonAV Thread

Thu Oct 19, 2006 3:06 pm

Hmm ..
I've been trying to open those URLs above, but none of them seems to be active for me. So far, the only thing happening here is that our email address been logged out on that URL, right??
What's the deal with it then? Nothing so special about our email address being logged, isn't it? Or is there anything critical about here?
'
Of all the things to worry about... the Wookie has no pants.
 
AirTranTUS
Posts: 3313
Joined: Tue Jun 21, 2005 9:12 am

RE: Wierd Redirect On A NonAV Thread

Thu Oct 19, 2006 3:45 pm

Quoting Ikramerica (Reply 12):
I've been trying to open those url above, but none of them seems to be active for me.

Same with me. The first link shows up empty and the second one has a picture that changes every time it is loaded and ads that look like the ones sponsored by Google on these pages.

I just went to the New Forum Search Engine thread and I got redirected there. The page showed up empty, but if what you guys are saying is true, then my computer sent something. I don't see the logs you are referring to. How are you guys seeing them? I changed my e-mail yesterday and might change my password soon.
I love ASO!
 
RichardPrice
Topic Author
Posts: 4474
Joined: Sat Apr 23, 2005 5:12 am

RE: Wierd Redirect On A NonAV Thread

Thu Oct 19, 2006 5:19 pm

Ok guys, change your passwords NOW! This is *important*.

The cookie does store it, it's used for the comment posting system.

Also check all other systems that have the same password - unfortunately I didn't realise that password was the same as my paypal one and now I have a dozen unauthorised transactions occurring for amounts up to £1000.00 a throw.

Yay me Sad Learnt that lesson, didn't I.


Again - change your password NOW.
 
Kieron747
Posts: 2461
Joined: Wed Feb 16, 2005 7:17 am

RE: Wierd Redirect On A NonAV Thread

Thu Oct 19, 2006 6:00 pm

Quoting RichardPrice (Reply 14):
Ok guys, change your passwords NOW! This is *important*.

The cookie does store it, it's used for the comment posting system.

Also check all other systems that have the same password - unfortunately I didn't realise that password was the same as my paypal one and now I have a dozen unauthorised transactions occurring for amounts up to £1000.00 a throw.

Yay me Learnt that lesson, didn't I.


Again - change your password NOW.

Do you mean the A.Net password or the computer terminal?


Is A.Net doing anything about this?

Kieron747
Airliners.Net - The Jam Rag Of The Web.
 
RichardPrice
Topic Author
Posts: 4474
Joined: Sat Apr 23, 2005 5:12 am

RE: Wierd Redirect On A NonAV Thread

Thu Oct 19, 2006 6:14 pm

Quoting Kieron747 (Reply 15):
Do you mean the A.Net password or the computer terminal?

Your A.net password - it's part of the page (and thus DOM, and thus the information sent to this scammer) so it can be filled as part of the 'Remember Me' section of the comment posting system.

A.net have removed this redirect from some of SIA fan's posts, but when I last looked it still existed in some! Specifically the new search engine thread.
 
Kieron747
Posts: 2461
Joined: Wed Feb 16, 2005 7:17 am

RE: Wierd Redirect On A NonAV Thread

Thu Oct 19, 2006 6:53 pm

Quoting RichardPrice (Reply 16):
A.net have removed this redirect from some of SIA fan's posts, but when I last looked it still existed in some! Specifically the new search engine thread.

Well this seems to have been a right jip! I hope he is banned if he did do this on purpose.

Have you actually lost any money then on PayPal?

Kieron747
Airliners.Net - The Jam Rag Of The Web.
 
tmatt95
Posts: 476
Joined: Sat Sep 17, 2005 9:31 pm

RE: Wierd Redirect On A NonAV Thread

Thu Oct 19, 2006 6:56 pm

Quoting RichardPrice (Reply 14):

Yay me Sad Learnt that lesson, didn't I.


Again - change your password NOW.

Thanks for the warning, I will go through and make all my passwords different. Can Pay pal get back the money for you? Also, is this problem browser specific?
Matt

P.S How did you find that you had lost funds?
 
RichardPrice
Topic Author
Posts: 4474
Joined: Sat Apr 23, 2005 5:12 am

RE: Wierd Redirect On A NonAV Thread

Thu Oct 19, 2006 7:00 pm

Quoting Kieron747 (Reply 17):
Have you actually lost any money then on PayPal?

£45 has already been deducted from a Credit Card I hold with them, the rest of the transfers have been via direct debit and hopefully have been caught in time.

Quoting Tmatt95 (Reply 18):
Can Pay pal get back the money for you?

That remains to be seen.

Quoting Tmatt95 (Reply 18):
Also, is this problem browser specific?

No, I'm using Firefox.

Quoting Tmatt95 (Reply 18):
P.S How did you find that you had lost funds?

Woke up this morning to see a dozen emails from paypal for successful transactions.
 
ikramerica
Posts: 15135
Joined: Mon May 23, 2005 9:33 am

RE: Wierd Redirect On A NonAV Thread

Thu Oct 19, 2006 7:05 pm

Yeah, thanks for the warning, I will also change my forum password.
But, is there any way for this SIA fan to get our password??
I think that Johan is able to protect us, and I believe that he would not store any critical information within the cookies or any other website's data.
'
Of all the things to worry about... the Wookie has no pants.
 
RichardPrice
Topic Author
Posts: 4474
Joined: Sat Apr 23, 2005 5:12 am

RE: Wierd Redirect On A NonAV Thread

Thu Oct 19, 2006 7:21 pm

Quoting Ikramerica (Reply 20):
I think that Johan is able to protect us, and I believe that he would not store any critical information within the cookies or any other website's data.

The problem is that the website retrieves your forum password if you have the 'Remember Me' item ticked, which means the password is part of the document object model, which means it can be grabbed by something like this.
 
Kieron747
Posts: 2461
Joined: Wed Feb 16, 2005 7:17 am

RE: Wierd Redirect On A NonAV Thread

Thu Oct 19, 2006 8:05 pm

Quoting RichardPrice (Reply 21):
The problem is that the website retrieves your forum password if you have the 'Remember Me' item ticked, which means the password is part of the document object model, which means it can be grabbed by something like this.

I see, so does this mean then that the villain in this case has your email and your A.Net password, and can then randomly try that info at various sites, on the chance that they fit, such as Paypal etc?

Kieron747
Airliners.Net - The Jam Rag Of The Web.
 
airbusA346
Posts: 7284
Joined: Fri Dec 10, 2004 7:05 am

RE: Wierd Redirect On A NonAV Thread

Fri Oct 20, 2006 12:11 am

This is shocking. It has just happened to me and I don't know how. Which threads has this been happening in?

Tom.
Tom Walker '086' First Officer of a A318/A319 for Air Lambert - Hours Flown: 17 hour 05 minutes (last updated 24/12/05).
 
AirTranTUS
Posts: 3313
Joined: Tue Jun 21, 2005 9:12 am

RE: Wierd Redirect On A NonAV Thread

Fri Oct 20, 2006 12:25 am

Quoting Kieron747 (Reply 22):
I see, so does this mean then that the villain in this case has your email and your A.Net password, and can then randomly try that info at various sites, on the chance that they fit, such as Paypal etc?

Good Question.

This question is directed to anyone who can answer it. Since I have 4 e-mail addresses and different passwords for each of them and different passwords for all the sites I go to that need one, am I at less of a risk?
I love ASO!
 
SInGAPORE_AIR
Posts: 11623
Joined: Mon Nov 13, 2000 4:06 am

RE: Wierd Redirect On A NonAV Thread

Fri Oct 20, 2006 12:30 am

Dear Singapore Airlines,

Our logs indicate that there is a slight risk that your user password on
Airliners.net has been compromised. To be on the safe side, we have
automatically changed your password.




First of all, I don't understand why the e-mail to me was addressed as "Dear Singapore Airlines".

When I hover my mouse over "SIA Fan"'s post in the aforementioned thread on the search engine, I only seem to get my cookie information.

Luckily my a.net password for some strange reason is unique. Alas, seems like a text book case of why you unfortunately have to remember passwords for numerous sites that one frequents.

So who is this http://shinigami.byethost32.com ?

[Edited 2006-10-19 17:33:51]
Anyone can fly, only the best Soar.
 
RichardPrice
Topic Author
Posts: 4474
Joined: Sat Apr 23, 2005 5:12 am

RE: Wierd Redirect On A NonAV Thread

Fri Oct 20, 2006 12:30 am

Quoting AirTranTUS (Reply 24):
Since I have 4 e-mail addresses and different passwords for each of them and different passwords for all the sites I go to that need one, am I at less of a risk?

You are being smart, and yes you are less of a risk.
 
Tom12
Posts: 1050
Joined: Tue Dec 27, 2005 7:29 am

RE: Wierd Redirect On A NonAV Thread

Fri Oct 20, 2006 12:46 am

This is well screwed up. I don't understand one thing though. Is http://shinigami.byethost32.com a user on the site?!

Tom
"Per noctem volamus" - Royal Air Force Bomber Squadron IX
 
RichardPrice
Topic Author
Posts: 4474
Joined: Sat Apr 23, 2005 5:12 am

RE: Wierd Redirect On A NonAV Thread

Fri Oct 20, 2006 12:48 am

Quoting Tom12 (Reply 27):
This is well screwed up. I don't understand one thing though. Is http://shinigami.byethost32.com a user on the site?!

It's a generic low-cost webhost, and yes it was used by someone who was a member of this website. Or the webhost account is stolen.
 
SInGAPORE_AIR
Posts: 11623
Joined: Mon Nov 13, 2000 4:06 am

RE: Wierd Redirect On A NonAV Thread

Fri Oct 20, 2006 12:49 am

Having read the thread, I fully sympathise with RichardPrice's monetary loss. It is indeed shocking and your relative calmness is to be commended.

This must be a very elaborate scheme though. However, it only appears to affect a very few number of users (of 10000). Furthermore, maybe this information was collected over a very short time period? Maybe the whole site has actually been hacked in somehow?

All speculation on my part. Quite shocking.
Anyone can fly, only the best Soar.
 
SInGAPORE_AIR
Posts: 11623
Joined: Mon Nov 13, 2000 4:06 am

RE: Wierd Redirect On A NonAV Thread

Fri Oct 20, 2006 12:51 am

Quoting RichardPrice (Reply 28):
and yes it was used by someone who was a member of this website. Or the webhost account is stolen.

So how can we tell who the bugger is?
Anyone can fly, only the best Soar.
 
airbusA346
Posts: 7284
Joined: Fri Dec 10, 2004 7:05 am

RE: Wierd Redirect On A NonAV Thread

Fri Oct 20, 2006 12:56 am

Quoting Jkw777 (Reply 31):
Sick world...

You said it, you should look at the IE7 thread in the Non-Av. forum  Angry

Tom.
Tom Walker '086' First Officer of a A318/A319 for Air Lambert - Hours Flown: 17 hour 05 minutes (last updated 24/12/05).
 
nighthawk
Posts: 4890
Joined: Sun Sep 16, 2001 2:33 am

RE: Wierd Redirect On A NonAV Thread

Fri Oct 20, 2006 1:41 am

A.net should NOT be storing passwords unencrypted in the first place, it is a serious security flaw! When a user logs in, the password they entered should be encrypted, then compared to the encrypted password in the database.

That way if someone ever does repeat such an attack, or gains access to the database, all they get is a list of encrypted passwords which are next to useless!

Perhaps time a.net took security seriously...
 
chachu201
Posts: 773
Joined: Fri Apr 28, 2006 5:22 am

RE: Wierd Redirect On A NonAV Thread

Fri Oct 20, 2006 1:52 am

Just to keep you guys updated, the vulnerability has been fixed, and to all the people who we believe have been affected, their password has been automatically changed, and a message sent to them informing them of this.

If in any doubt, we suggest that you change your password anyway, to prevent any incursions on your account. As Richard suggested, it's a good idea to also change the login details of any other site with the same password, to prevent any incursions on that account as well.

My apologies for any inconvenience that this has caused anyone, and remember that if you've still got worries, or just want a hand, drop the team a line at [email protected]
 
administrator
Posts: 2702
Joined: Mon May 17, 1999 5:11 am

RE: Wierd Redirect On A NonAV Thread

Fri Oct 20, 2006 4:05 am

As Gabriel said, we've been working very hard on this and are taking it very seriously. The problem is fixed but I strongly suggest that anyone who was redirected with that link change their password immediately. I have sent out an email to those that we know (about 31 people) but there might be more.

Nighthawk, the passwords were not stored unencrypted but the encryption was more of a "security by obscurity" thing. It was not made to withstand a hacker attack. This is something we will seriously look into and update within the coming days.

Quoting RichardPrice (Reply 14):
unfortunately I didn't realise that password was the same as my paypal one and now I have a dozen unauthorised transactions

This hack was caused by a bug in Internet Explorer where JavaScript was executed without any script tags present. If you are using Firefox, you should be safe. Or did anyone get redirected even when using Firefox?

In any case, contact me - I have more info on this hacker including IP.

As it looks now, the user "Sia fan" was not involved but it seems his password was used by a hacker to start all this.

I apologize for the problems this has caused. The vulnerability is fixed and the encryption will be improved within a day or two.

Johan Lundgren
Working on the site from morning 'till night that's livin' alright (1997-2007)
 
Jaspike
Posts: 4843
Joined: Sat Feb 23, 2008 1:40 pm

RE: Wierd Redirect On A NonAV Thread

Fri Oct 20, 2006 4:09 am

Quoting Administrator (Reply 34):
Or did anyone get redirected even when using Firefox?

I did - more than once too.
 
Tom12
Posts: 1050
Joined: Tue Dec 27, 2005 7:29 am

RE: Wierd Redirect On A NonAV Thread

Fri Oct 20, 2006 4:11 am

Quoting Administrator (Reply 34):

Good to know you have this under control. Also, good that you have the hacker's IP address.

Thanks for informing us.

Tom
"Per noctem volamus" - Royal Air Force Bomber Squadron IX
 
RichardPrice
Topic Author
Posts: 4474
Joined: Sat Apr 23, 2005 5:12 am

RE: Wierd Redirect On A NonAV Thread

Fri Oct 20, 2006 4:17 am

Quoting Administrator (Reply 34):
This hack was caused by a bug in Internet Explorer where JavaScript was executed without any script tags present. If you are using Firefox, you should be safe. Or did anyone get redirected even when using Firefox?

Yes, Firefox is vulnerable to this - it's a typical mouseover event trigger on an area, nothing requiring script tags.

I have sent you a PM as requested, cheers.
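
Added example, not part of any post above and not airliners.net's code: one way forum software can keep an inline event handler, such as the mouseover trigger described in this thread, out of rendered posts by escaping all markup and re-enabling only attribute-free allowlisted tags. It also includes an audit pass over stored posts and a session cookie marked HttpOnly; the function names, the allowlist and the sample post are constructed for illustration.

```javascript
// Added example: names, allowlist and sample data are constructed, not site code.

// Tags a post may contain. They are only ever emitted without attributes,
// so an event handler such as onmouseover has nowhere to live.
const ALLOWED_TAGS = new Set(["b", "i", "u", "br", "blockquote"]);

// Encode every character that can start markup or break out of an attribute.
function escapeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return text.replace(/[&<>"']/g, (ch) => map[ch]);
}

// Render a user post: escape everything first, then turn back only bare
// allowlisted tags (for example "&lt;b&gt;" becomes "<b>" again). A tag that
// carries any attribute never matches the pattern and stays inert text.
function renderPost(raw) {
  return escapeHtml(raw).replace(/&lt;(\/?)([a-z]+)&gt;/gi, (match, slash, tag) => {
    const name = tag.toLowerCase();
    return ALLOWED_TAGS.has(name) ? `<${slash}${name}>` : match;
  });
}

// Audit helper for posts already in the database: list inline event-handler
// attributes (on...=) found inside tags. This is a triage heuristic that may
// over-report; flagged posts still need a human look.
function findEventHandlers(rawHtml) {
  const found = [];
  for (const tag of rawHtml.matchAll(/<[a-z][^>]*>/gi)) {
    for (const attr of tag[0].matchAll(/[\s\/"'](on[a-z]+)\s*=/gi)) {
      found.push(attr[1].toLowerCase());
    }
  }
  return found;
}

// Session cookie header with HttpOnly, so page script cannot read the session
// ID through document.cookie even if an injected handler does run.
function sessionCookie(name, value) {
  return `${name}=${encodeURIComponent(value)}; Path=/; HttpOnly; Secure; SameSite=Lax`;
}

// Constructed sample post: harmless bold text plus a blank area carrying a
// mouseover handler (the handler body is a placeholder name).
const samplePost =
  'Nice <b>photo</b>!<div style="height:200px" onmouseover="redirectWithCookie()"> </div>';

console.log(renderPost(samplePost));
console.log(findEventHandlers(samplePost));
console.log(sessionCookie("PHPSESSID", "constructed-session-id"));
```

Escaping first and allowlisting afterwards means an unknown tag or attribute fails closed, and the browser used to view the thread makes no difference to the result.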
 
airbusA346
Posts: 7284
Joined: Fri Dec 10, 2004 7:05 am

RE: Wierd Redirect On A NonAV Thread

Fri Oct 20, 2006 4:26 am

Quoting Administrator (Reply 34):
I have more info on this hacker including IP.

Go on Johan, tell us Big grin

Tom.
Tom Walker '086' First Officer of a A318/A319 for Air Lambert - Hours Flown: 17 hour 05 minutes (last updated 24/12/05).
 
DAL767400ER
Posts: 5084
Joined: Wed Feb 09, 2005 2:47 am

RE: Wierd Redirect On A NonAV Thread

Fri Oct 20, 2006 4:28 am

Quoting Administrator (Reply 34):
The problem is fixed but I strongly suggest that anyone who was redirected with that link change their password immediately. I have sent out an email to those that we know (about 31 people) but there might be more.

How'd you find out who was redirected? I didn't even read that referred thread, let alone click on the link, yet I still got a mail about the password change as well.

Regardless, good to read that the problem has been taken care of.
 
strasserb
Posts: 1497
Joined: Fri Nov 11, 2005 7:46 pm

RE: Wierd Redirect On A NonAV Thread

Fri Oct 20, 2006 4:52 am

Hi Johan.
First of all thank you for your explanations and your expressed concerns.

I was already going to post my concerns related to this attack, which in my opinion is definitely more than only an incident.

Regarding your question ...

Quoting Administrator (Reply 34):
Or did anyone get redirected even when using Firefox?

... I can say: Yes I was using FireFox 1.5.0.7 at the time when the attack happened to me (see RE 1).
I hit the s**t at least 4 times.

(I have IE6 on my laptop only for fallback reasons. Since today it's IE7.)
(And with a big smile to Klaus: Yes, unfortunately my laptop is not a MAC!)

Finally, I ask you to keep us a.netters informed, and in any case of needed support don't hesitate to contact me via my e-mail @ business.

Brdgs
Bernhard
Still, even in the most arid desert is an airport somewhere ...
 
nighthawk
Posts: 4890
Joined: Sun Sep 16, 2001 2:33 am

RE: Wierd Redirect On A NonAV Thread

Fri Oct 20, 2006 6:07 am

Quoting Administrator (Reply 34):
Nighthawk, the passwords were not stored unencrypted but the encryption was more of a "security by obscurity" thing. It was not made to withstand a hacker attack. This is something we will seriously look into and update within the coming days.

Johan, run them through the PHP MD5() function and that should be sufficient, although it can be cracked. Do it after your "security by obscurity" procedure for extra security. Alternatively look at some other encryption libraries.

Also, as others have pointed out, Firefox is also vulnerable to this kind of attack.

The joys of being a webmaster  Silly
 
trekster
Posts: 4319
Joined: Fri Dec 26, 2003 2:47 am

RE: Wierd Redirect On A NonAV Thread

Fri Oct 20, 2006 8:17 am

I got linked to that page in the original site and wondered what it was.

Then it happened again and I saw this thread.
Have amended passwords accordingly,
Where does the time go???
 
standby87
Posts: 405
Joined: Tue Jul 03, 2001 2:33 am

RE: Wierd Redirect On A NonAV Thread

Mon Oct 23, 2006 4:49 am

Oh come on - we need to know the IP address of the person who did this!

I've had to change my passwords on various accounts to feel safe again!
