1. Attachments are working again! Check out this thread for more details and to report any other bugs.

PriusOnline Hacked!!

Discussion in 'Fred's House of Pancakes' started by dbarry, Mar 5, 2005.

  1. dbarry

    dbarry Member

    Joined:
    Jul 22, 2004
    114
    2
    0
    Location:
    Houston Texas
    Vehicle:
    2005 Prius
    Model:
    N/A
    PriusOnline's home page has been hacked, it redirects now to some .tk site.

    Looks like it's also trying to download a worm, my firewall caught it.

    I also got this interesting email from "[email protected]"

    The following is an email sent to you by an administrator of "PriusOnline.com". If this message is spam, contains abusive or other comments you find offensive please contact the webmaster of the board at the following address:

    [email protected]

    Include this full email (particularly the headers).

    Message sent to you follows:
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    Visite our new website!!!

    www.e-corporation.tk
     
  2. PriusTN

    PriusTN New Member

    Joined:
    Oct 30, 2004
    5
    0
    0
    ok, i thought that email was phony.
     
  3. Tideland Prius

    Tideland Prius Moderator of the North
    Staff Member

    Joined:
    Oct 2, 2004
    44,767
    16,014
    41
    Location:
    Canada
    Vehicle:
    Other Non-Hybrid
    Model:
    N/A
    got it. I stopped the page from loading once I saw it was being redirected. Thanks
     
  4. dbarry

    dbarry Member

    Joined:
    Jul 22, 2004
    114
    2
    0
    Location:
    Houston Texas
    Vehicle:
    2005 Prius
    Model:
    N/A
    I did some more digging....

    The hack redirects you to a forwarder:

    http://usuarios.lycos.es/mulesoftxxx/1.html

    It looks like it got into the SQL - there's been a virus out that attacks boards running MySQL - looks like it got PriusOnline.

    On my board, I've had to apply two vBulletin patches to protect it.

    Sure hope it hasn't trashed all the data in his DB.
     
  5. exces6

    exces6 New Member

    Joined:
    Aug 22, 2004
    97
    0
    0
    Location:
    Houston, TX
    I got that email too. I hope everythign will be alright.
     
  6. brosnan

    brosnan New Member

    Joined:
    May 2, 2004
    159
    11
    0
    Location:
    Silicon Valley
    Vehicle:
    2010 Prius
    Model:
    IV
    Here are the email headers in case that's of any use. Presumably they got access to the list of email addresses of users. You should probably delete any email with the subject "We Have New Website!!!!!!" or anything from [email protected]

    Received: from dynamocomputers.com ([69.64.32.45])
    by sccrmxc13.comcast.net (sccrmxc13) with SMTP
    id <20050305225756s13008a4qpe>; Sat, 5 Mar 2005 22:57:56 +0000
    X-Originating-IP: [69.64.32.45]
    Received: (qmail 28191 invoked from network); 5 Mar 2005 22:53:36 -0000
    Received: from gmga.net (HELO mail.priusonline.com) (69.64.32.45)
    by endwellumc.us with SMTP; 5 Mar 2005 22:53:31 -0000
    Subject: We Have New Website!!!!!
    To: [email protected]
    Reply-to: [email protected]
    From: [email protected]
    Return-Path: [email protected]
    Message-ID: <[email protected]>
    MIME-Version: 1.0
    Content-type: text/plain; charset=iso-8859-1
    Content-transfer-encoding: 8bit
    Date: Sat, 5 Mar 2005 17:53:11 -0500
    X-Priority: 3
    X-MSMail-Priority: Normal
    X-Mailer: PHP
    X-MimeOLE: Produced By phpBB2
    X-AntiAbuse: Board servername - www.priusonline.com
    X-AntiAbuse: User_id - 2
    X-AntiAbuse: Username - jeff
    X-AntiAbuse: User IP - 62.57.182.184
    X-Spam-Checker-Version: SpamAssassin 2.63 (2004-01-11) on dynamocomputers.com
    X-Spam-Level: *
    X-Spam-Status: No, hits=1.1 required=5.0 tests=AWL,MISSING_OUTLOOK_NAME,
    NO_REAL_NAME,PLING_PLING autolearn=no version=2.63
     
  7. IsrAmeriPrius

    IsrAmeriPrius Progressive Member

    Joined:
    May 27, 2004
    4,333
    7
    0
    Location:
    Southern California
    Vehicle:
    2005 Prius
    With two firewalls, one in the router and ZoneAlarm, and real time virus protection, I allowed the redirected site to load.

    It is a sexually explicit porn site.

    Just to be on the safe side, I am updating my virus definitions and running a scan.
     
  8. brosnan

    brosnan New Member

    Joined:
    May 2, 2004
    159
    11
    0
    Location:
    Silicon Valley
    Vehicle:
    2010 Prius
    Model:
    IV
    If you've visited the redirected site you might want to delete the cookie it leaves behind and the .js, .gif, .jpg files from http://naonak.defacers.com.mx it leaves behind in your Temporary Internet Files directory.

    The cookie just contains:
    phpbb2mysql_data
    a%3A0%3A%7B%7D
    www.priusonline.com/
    1024
    3844875008
    29769902
    1826853808
    29696477
    *
     
  9. IsrAmeriPrius

    IsrAmeriPrius Progressive Member

    Joined:
    May 27, 2004
    4,333
    7
    0
    Location:
    Southern California
    Vehicle:
    2005 Prius
    I have my Internet Options set to delete the temp files when I close the browser.

    I looked for such a cookie, but found none.

    Thanks
     
  10. stevesol

    stevesol Junior Member

    Joined:
    Jul 31, 2004
    15
    0
    0
    Location:
    Midwest
    Or you can just get a Mac and download your e-mail and visit your web sites with impunity....

    I got the offending e-mail too and got redirected to the spanish porn site... bummer for PriusOnline.... I guess I'll be getting more spam soon.
     
  11. hdrygas

    hdrygas New Member

    Joined:
    May 22, 2004
    3,650
    6
    0
    Location:
    Olympia Wa
    Vehicle:
    2004 Prius
    I am on OS X on a Mac and I purged the cookies. Anything else to do? I reported the email as spam to comcast. Should I call the Attorney Generals Office for Washington State? We have a spam law. If I was still running OS 9 I would have no doubts but I am still working through this UNIX OS X thing. Why would someone want to send a total Gringo like me to a foreign language site. I have no idea what was going on. I do English and can puzzle out German and that's it. One day I will learn enough Polish to decipher my genealogy. I hope Satin is holding a special circle in hell for these folks.
     
  12. TimeFor

    TimeFor New Member

    Joined:
    Sep 6, 2004
    162
    1
    0
    Location:
    Fullerton, CA
    Damnit, If I got an email from them that means I'm going to get Spam. I've had this email account safe from Spam for 3 years.

    I visited the web site but was not redirected to a porn site. I guess the code doesn’t work for FireFox. I behind a cheap linkys router firewall so I'm sure I'm not protected. I don't run Anti Virus either.

    I had it once. Then one day Norton started asking me to pay for it again. I was like!!!! No. Ok.... Uninstall. I already paid the 40 bucks for it once.... I don't want to keep paying that year after year.

    So. I probably have a virus. Whooo! I guess I’m one of those people on the AOL commercials that are just asking for Viruses. Well, my computer is still running. Its not going slower. I have so much spyware on it already I don’t even care anymore. I hate computers.
     
  13. efusco

    efusco Moderator Emeritus
    Staff Member

    Joined:
    Nov 26, 2003
    19,891
    1,191
    9
    Location:
    Nixa, MO
    Vehicle:
    2004 Prius
    Model:
    N/A
    It does work for Firefox, I got the redirect...this is really bad, there are a lot of subscribers to POL and they clearly now have access to every e-mail address....
     
  14. Robert Taylor

    Robert Taylor New Member

    Joined:
    Oct 13, 2004
    451
    0
    0
    Location:
    Rocket City
    I checked my email on the server, did not download it to my PC. Sure enough, that spam email was there. While I deleted it off the roster of email's in my inbox, I expect to get hosed with spam now.
     
  15. jkash

    jkash Member

    Joined:
    Nov 26, 2003
    889
    18
    0
    Location:
    West Hills, CA
    Vehicle:
    2004 Prius
    Model:
    N/A
    PriusOnline is back now. The site director is aware of the problem and is working on it.
     
  16. cybele

    cybele New Member

    Joined:
    Dec 5, 2003
    406
    1
    0
    Location:
    Los Angeles
    The other thing to be cautious about is if you use that password with anything else with that userame or email address.

    We don't know at this time how hacked they were.

    If you do, you might want to change those passwords, just to be safe.
     
  17. LisaMarli

    LisaMarli Member

    Joined:
    Oct 30, 2004
    117
    1
    0
    Location:
    San Jose, CA
    Vehicle:
    2014 Prius v wagon
    Model:
    V
    That's why for all these groups I use an e-mail addy that is already compromised and a different user/password than what I use for accounts that need more safety (like banks). The information is too easily hacked these days *sigh*.

    I use SafeID and RoboForm to keep track of all the usernames/passwords. Otherwise I'd be lost.

    By the By, I haven't noticed my Firefox doing anything weird after I went to Prius Online during the hack period. There seem to be no cookies. The e-mail was not flagged by my virus software. I think they were nasty but not evil.

    Lisa
     
  18. Potential Buyer

    Potential Buyer New Member

    Joined:
    Feb 22, 2005
    287
    2
    0
    Location:
    San Diego, CA
    This is why you should always keep public and private e-mails separate; never publicly list addresses you don't want spammed. Also, your e-mails were already known to the spammers long before PriusOnline got hacked -- e-mail "spiders" crawl the web just like Google does, except they search for e-mail addresses and add them to a database so later mass e-mails can be sent to every address that's found.

    I run a website, and I encode all e-mail addresses, and decode them client-side using JavaScript. It looks perfectly normal for users, but since e-mail spiders never run JavaScript, they never see the actual e-mail addresses.
     
  19. dbarry

    dbarry Member

    Joined:
    Jul 22, 2004
    114
    2
    0
    Location:
    Houston Texas
    Vehicle:
    2005 Prius
    Model:
    N/A
    Yep, they got to the site with the MySQL SQL Injection bug - so they got access to the whole thing, including the DB

    Their admin posted this:
    As anybody who visited the site in the last couple of hours noticed PriusOnline was once again hacked. This time the attacker was able to inject code directly into the database. I have removed the iframe link but I have no idea what else was done. I will be investigating further and will post an announcement if fixing it will require any further downtime.
     
  20. DanMan32

    DanMan32 Senior Member

    Joined:
    Aug 27, 2004
    3,799
    26
    0
    Location:
    Tampa Bay, FL
    <div class='quotetop'>QUOTE(TimeFor\";p=\"69819)</div>
    Try AVG, its free for personal use.