GolfClubAtlas.com has been sabotaged

[Sam Morrow]

I've got to ask, who would sabatoge GCA?

http://www.youtube.com/watch?v=H4PN7Xbexq4

How could I have been so blind?

Sam, that's a question, I'm afraid, only you can answer ... .

I'm not sure if I'm man enough to answer it. I think it's a much deeper emotional issue I have.

[Kalen Braley]

This should be easy to investigate... The Google Ads on top of each page contain the following javascipt variables:

google_ad_client = "pub-1804863164493224";
google_ad_slot = "1742717301";

If these ads are indeed unwanted by gca, Google would certainly want to know that this Google Client is somehow placing their ads on this site.

Also found this in the source code as well:

src="http://pagead2.googlesyndication.com/pagead/show_ads.js">.

To all,

Please don't follow the link though.  Could be something nasty if you open the .js file extension.

[mike_beene]

Cybersquatting, internet traffic is a big industry. Every time I get some web pirate shut down someone is trying something new to divert people from our site by trickery. There is a whole industry teaching people how to shadow web sites and make money. Don't assume this is a mistake and ignore it until they get their injunction.

[Phil_the_Author]

Well it's nice to see that it has become mobile and moved itself to the bottom of the page...

[Rich Goodale]

If this is the way Google allows its customers to operate, I'm selling all those shares that Sergey kindly gave me in 2001 when I lent him a fiver at Starbucks in Palo Alto for a Chai Latte.....

[Kalen Braley]

Sure enough, the intruder has moved his ads to the bottom of the of the page in the source code.

After poking around on some message boards last night for this type of problem, it looks like the server has been comprised.  As B. Richard said, those unique ID's should be reported to Google as well as the server should change its username and password.  However its very possible the hacker has set up a back door account on the server and can access it now anyways......

Looks like they may need to move the site to a different server that has not been compromised and then wipe the current server clean.  

[Tom Huckaby]

I've been trying to tell you guys for oh so long, no one listens to me...

Google = bad
Yahoo! = good

Now can you see it, believe it, live it?

 

BTW Rich, Dan King lent Sergey $20 - that's why he's a gazillionaire today.  Karma, man.

 

[TEPaul]

Slag:

Thanks a lot for the mugshot of the guy in the Hawaian shirt above. Jeeesus, I thought I was looking in the mirror!

Sam Morrow:

Who would want to sabotage GOLFLCLUBATLAS.com??

I'll be glad to compile a list on that and get back to you. Give me about two weeks.

Furthermore, I feel cheated. I was really looking forward to checking out BADLANDS GC. Oh My God, I didn't notice but now I see the saboteurs have dropped from the top of the page down to the bottom of the page. I think they're fixin' on totally circlin' us and comin' in for the kill.

[Scott_Burroughs]

Slag:

Thanks a lot for the mugshot of the guy in the Hawaian shirt above. Jeeesus, I thought I was looking in the mirror!

Tom,

FYI, that mug shot is of actor Nick Nolte when he got busted 3-4 (?) years ago for possession of some illegal substances.

[Mike McGuire]

The ads don't matter. Being hacked does. Who maintains this site? I would log on - remove the google adsense code - change the password - and log off.

Should take seconds - not days.

What other harm could someone with administrator password credentials do?  access paypal account? - check IM's - take the site down ?

[Garland Bayley]

We have suffered irreversible mental anguish due to this intrusion. We must do what americans do -litigate!

Good idea! Does anyone know a lawyer??

[Richard Boult]

I doubt the site was hacked... the ads were most likely added by either the website host or discussion forum provider (http://www.yabbse.org).  The terms of service for one of these hosts probably states they're allowed to do so - meaning they're making a little extra cash off this site in addition to any service fees being paid.

[Kalen Braley]

B Richard,

Rans initial comments would suggest it was an outside, non-authorized entity.  If thier web host says they don't know where its coming from, that would rule them out.  

And if the host hasn't added any recent patches to the forum software from yabbSe, that would rule out Yabb.

I've read in a few other forums this has happened to others and they reported the offenders to Google and made sure to cheack and or change thier authentication policies.

[ANTHONYPIOPPI]

I clicked on one of those links and won a fabulous two-day, no-night trip to Lawrenceville, Ill.

Anthony

[Steve Sayre]

So they are still there.....now at the bottom of the page, and on the login page...

[Craig Van Egmond]

The version of YABB (1.5.4)  that GCA uses is old, circa 2003, and has quite a few known vulnerabilities including some nasty PHP cross site scripting and sql injection attacks.  It would be trivial to exploit if they have not patched their software.

Version 2.2 is out now.

[Doug Wright]

...nasty PHP cross site scripting and sql injection attacks.  

Craig please watch your language or the moderator'll wash your mouth out with soap!  

Alternatively maybe this should be the NY Giants game plan for Sunday.

[TEPaul]

"Tom,
FYI, that mug shot is of actor Nick Nolte when he got busted 3-4 (?) years ago for possession of some illegal substances."


ScottB:

Yeah, I recognized him---I knew it was Nick Nolte but I didn't want to mention his name because I never really liked the guy. I always thought he was a bit too much of a "goodie-two-shoes" and the kind of guy who didn't like to have enough of a good time for my tastes!

[Jay Flemma]

...nasty PHP cross site scripting and sql injection attacks.  

Craig please watch your language or the moderator'll wash your mouth out with soap!  

Alternatively maybe this should be the NY Giants game plan for Sunday.

It looked more to me like a Patriots "spread offense" play!

Brady:  "On three!  YABB 154, cross site script, sql injection.  Let's go!"  

[Mike McGuire]

Craig-

Could you give a few simple examples of what could happen due to security holes in this website?

Perhaps it would help push along an upgrade.

[tlavin]

The version of YABB (1.5.4)  that GCA uses is old, circa 2003, and has quite a few known vulnerabilities including some nasty PHP cross site scripting and sql injection attacks.  It would be trivial to exploit if they have not patched their software.

Version 2.2 is out now.

If I hear ONE MORE horror story about cross-site scripting, I'm gonna burst!

[Craig Van Egmond]

Mike,

here are the gory details..

Warning techno babble to follow...


"YaBBSE Index.PHP Cross-Site Scripting Vulnerability

A cross-site scripting vulnerability affects YaBBSE because the application fails to properly sanitize user-supplied input before including it in dynamically generated web content.

An attacker may leverage this issue to have arbitrary script code execute in the browser of an unsuspecting user. This may help the attacker steal cookie-based authentication credentials and launch other attacks."


"yabb-multiple-sql-injection (15354)    The risk level is classified as MediumMedium Risk

Description:

YaBB (Yet Another Bulletin Board) is an open-source bulletin board system that runs on any system capable of executing Perl CGI scripts. YaBB SE versions 1.5.4, 1.5.5, 1.5.5b and possibly earlier versions are vulnerable to SQL injection, caused by a vulnerability in the ModifyMessage module and in the ModifyMessage2 module. A remote attacker could insert arbitrary SQL code in the $msg variable in a request to the index.php script of the ModifyMessage module, in the $postid variable in a request to the index.php script of the ModifyMessage2 module, or in the $attachOld variable in a request to the index.php script of the ModifyMessage2 module, which would allow the attacker obtain sensitive information, including the user's MD5 password hash and secret question, allowing the attacker to add, modify or delete data in the backend database."



"yabb-post-sql-injection (15224)    The risk level is classified as MediumMedium Risk

Description:

YaBB (Yet Another Bulletin Board) is an open-source bulletin board system that runs on any system capable of executing Perl CGI scripts. YaBB SE versions 1.5.4 and 1.5.5 and possibly other versions are vulnerable to SQL injection using the post.php script. A remote attacker, with a valid account, could pass malicious SQL commands to the post.php script using the quote parameter, which would allow the attacker to obtain the encrypted password of another user."


Readers digest version...

Basically it can steal stuff from your computer via your web browser, wipe out the database on the server or steal someone else's password to just for starters.  

[Mike McGuire]

If I hear ONE MORE horror story about cross-site scripting, I'm gonna burst!

Terry -

Hopefully the hacker gods aren't listening  

[Doug Ralston]

I've been trying to tell you guys for oh so long, no one listens to me...

Google = bad
Yahoo! = good

Now can you see it, believe it, live it?

 

BTW Rich, Dan King lent Sergey $20 - that's why he's a gazillionaire today.  Karma, man.

 

Tom;

That is not a joke. I bought a Dell desktop, and it came to my surprise that Dell sold it's/my soul to Google. I have tried for years to get rid of Google, but it has some built in hiding program, and reappears to interrupt my wandering at irregular intervals. It is insideous!

I rebel by using Yahoo as a search engine exclusively.  

Doug

[Tom Huckaby]

Doug:

You are a good man.

 

Tom Huckaby
Yahoo! Inc.