Site Outage Thursday and Friday - NCRS Discussion Boards

Site Outage Thursday and Friday

  • John W.
    Administrator
    • November 1, 1974
    • 5084

    Site Outage Thursday and Friday

    I am sorry to report that someone was able to hack into our site and wreak havoc with the entire site Friday evening. It took until Saturday afternoon to get all of the backup restored. I think we have it under control now. I sure hope so.

    As a side note the issue we had with the URL to established threads breaking early last week was resolved and I will be setting it back to the previous setting since that worked better overall than the quick fix we had to implement.

    Some of your shortcuts and links may need to be fixed back to what they were previously. Sorry for the inconvenience.
    Administrator
    www.ncrs.org
  • Patrick H.
    Beyond Control Poster
    • December 1, 1989
    • 11620

    #2
    Re: Site Outage Friday and Saturday

    Do you mean Thursday evening and into Friday, John?

    I know - it was probably a loooooong day and felt like it lasted until Saturday. Thanks for your efforts.

    Patrick
    Vice-Chairman (West), Michigan Chapter NCRS
    71 "deer modified" coupe
    72 5-Star Bowtie / Duntov coupe. https://www.flickr.com/photos/124695...57649252735124
    2008 coupe
    Available stickers: Engine suffix code, exhaust tips & mufflers, shocks, AIR diverter valve broadcast code.

    Comment

    • Gary C.
      Administrator
      • October 1, 1982
      • 17611

      #3
      Re: Site Outage Friday and Saturday

      Patrick,

      Good catch. You ain't wrong, very long. First time in a long time that John or I have pulled an all nighter.

      Gary
      ....
      NCRS Texas Chapter
      https://www.ncrstexas.org/

      https://www.facebook.com/profile.php?id=61565408483631

      Comment

      • John W.
        Administrator
        • November 1, 1974
        • 5084

        #4
        Re: Site Outage Friday and Saturday

        Patrick,

        It was a long day and a short night. I got html, php, cgi, java, css on the mind. I would be lucky to know what year it is.
        Administrator
        www.ncrs.org

        Comment

        • Patrick H.
          Beyond Control Poster
          • December 1, 1989
          • 11620

          #5
          Re: Site Outage Friday and Saturday

          Thanks again guys.
          Vice-Chairman (West), Michigan Chapter NCRS
          71 "deer modified" coupe
          72 5-Star Bowtie / Duntov coupe. https://www.flickr.com/photos/124695...57649252735124
          2008 coupe
          Available stickers: Engine suffix code, exhaust tips & mufflers, shocks, AIR diverter valve broadcast code.

          Comment

          • Bill H.
            Expired
            • August 8, 2011
            • 439

            #6
            Re: Site Outage Friday and Saturday

            Thanks, Guys.

            Note that when I clicked on, I got a "Malicious Malware" blocked note.

            Comment

            • Gary C.
              Administrator
              • October 1, 1982
              • 17611

              #7
              Re: Site Outage Friday and Saturday

              Bill,

              Do a page refresh - depress Control (Ctrl) and F5 keys together and that should get rid of the note.

              Website scans clean.

              Gary
              ....

              TDB-Clean Malware Scan 1005AM CDST_051212.jpg
              NCRS Texas Chapter
              https://www.ncrstexas.org/

              https://www.facebook.com/profile.php?id=61565408483631

              Comment

              • Bill H.
                Expired
                • August 8, 2011
                • 439

                #8
                Re: Site Outage Friday and Saturday

                Thanks, Gary.
                The site is fine for me now. I guess my anti-malware software is working correctly.

                Comment

                • Dan D.
                  Extremely Frequent Poster
                  • November 5, 2008
                  • 1323

                  #9
                  Re: Site Outage Friday and Saturday

                  I tried to get on twice yesterday (at different times). Both times the homepage came up, and then my virus software opened a window telling me it had blocked a known attack site. So that begs some questions; If the home page was infected, then why wasn't it pulled off line immediately? There are probably some people out there that do not have virus software on their computers, although that is hard to believe these days. Also, it is hard to believe that the NCRS software did not originally block it, when my simple Norton caught it. But I realize it is probably not that simple.

                  It's just hard to believe people can be so bad, but I guess that is the world we live in these days.

                  This is not meant to criticize anyone, especially Bob and John, who worked so hard and for so long to correct it. We should buy those two (and any others that worked on it) steak and beer for the next month. They really spent a lot of time (all-nighter and more) to get it back up and on line, and all for free. I commend their dedication. -Dan-
                  Last edited by Dan D.; May 12, 2012, 02:58 PM. Reason: Corrected Gary to John Waggoner - sorry John

                  Comment

                  • John W.
                    Administrator
                    • November 1, 1974
                    • 5084

                    #10
                    Re: Site Outage Friday and Saturday

                    Dan,

                    We left the home page up because we were using it for testing to see if we were making progress. It was easy to fix the home page, but within about 15 minutes it would be corrupted again. We had to keep on looking for the source so we used the home page for testing. I don't know of any threat to any users from the malware that attacked our site.

                    What the attacker was doing was redirecting anyone who came to our page to a bunch of other pages in rapid succession to rack up hits for some advertisement. This is how they make their money. If they get .00001 cent for each hit and they can rack up a couple million hits a day that adds up to several billion dollars a year for the lowlifes that do this.

                    There is no anti virus software as such for web servers that we know of. Our host does not recommend any. We are looking at other ways to harden the site and will try to keep on top of it.
                    Administrator
                    www.ncrs.org

                    Comment

                    • Rick A.
                      Extremely Frequent Poster
                      • July 31, 2002
                      • 2147

                      #11
                      Re: Site Outage Friday and Saturday

                      ALL,

                      I work in computer security for a living and what John stated is "more or less true" wrt AV on a web server, and I offer the following for an explanation:

                      A well run webserver should IMHO not have a commercial anti-virus (AV) package installed. The kind of Office macro viruses and mass-market trojans that AV packages are optimized for are a poor match to the problems of a web server.

                      What you (NCRS) should do is:

                      1. Absolutely obsess over input validation. Examples: that users can't upload malicious content to your site (virus, SQL injection etc); that you're not vulnerable to cross site scripting attacks, etc.
                      2. Keep your server patched up with the latest security updates, and configured according to best-practices. Look at things like Microsoft's security toolkit.
                      3. Have a separate firewall. Doesn't help you much with regards to intrusions, but it adds another layer of defense against misconfigured network services, and helps with simple DOS attacks. It also helps a lot with locking down remote management possibilities etc.
                      4. Install a host intrusion detection system (H-IDS) on your server, along the lines of the venerable Tripwire.

                      There is a lot of confusion about the terms, the words are often used in many different ways here. To be clear, what I mean by an H-IDS here is:
                      • a service on a computer
                      • which continuously check-sums all executable files on the computer
                      • and throws an alert whenever an executable file has been added or modified (without authorization).

                      Actually a good H-IDS will do a bit more than this, such as monitoring file permissions, Registry access etc, but the above gets the gist of it. A host intrusion detection system takes some configuration, since it can give a lot of false errors if not set up properly. But once it's up and running, it will catch more intrusions than AV packages. Especially H-IDS should detect a one-of-a-kind hacker backdoor, which a commercial AV package probably will not detect. H-IDS is also lighter on the server load, but that's a secondary benefit -- the main benefit is a better detection rate.


                      If the choice is between a commercial AV package and doing nothing, then I'd install the AV. But know that it isn't ideal.
                      Rick Aleshire
                      2016 Ebony C7R Z06 "ROSA"

                      Comment
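The file-integrity check described in post #11, sketched as an added example that is not part of any post in this thread and is not Tripwire's code: it checksums the script and page files under a web root, then reports files that were added, modified, removed, or had their permissions changed since the baseline. The watched-extension list, function names and the temporary web root with its files are all constructed assumptions for the demonstration.

```python
import hashlib, os, stat, tempfile
from pathlib import Path

# Assumed list of file types that can execute or redirect on a web server.
WATCHED_EXT = {".php", ".cgi", ".js", ".html"}
WATCHED_NAMES = {".htaccess"}

def snapshot(root):
    """Map relative path -> (sha256 hex, permission bits) for watched files."""
    state = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_symlink() or not path.is_file():
            continue
        if path.suffix.lower() not in WATCHED_EXT and path.name not in WATCHED_NAMES:
            continue
        digest = hashlib.sha256(path.read_bytes()).hexdigest()
        mode = stat.S_IMODE(path.stat().st_mode)
        state[str(path.relative_to(root))] = (digest, mode)
    return state

def compare(baseline, current):
    """Return sorted (event, path) alerts for any drift from the baseline."""
    alerts = []
    for rel, (digest, mode) in current.items():
        if rel not in baseline:
            alerts.append(("ADDED", rel))
        elif baseline[rel][0] != digest:
            alerts.append(("MODIFIED", rel))
        elif baseline[rel][1] != mode:
            alerts.append(("PERMS", rel))
    alerts += [("REMOVED", rel) for rel in baseline if rel not in current]
    return sorted(alerts)

def demo():
    """Constructed web root: baseline it, change it, then re-check."""
    with tempfile.TemporaryDirectory() as root:
        web = Path(root)
        (web / "index.php").write_text("<?php echo 'home'; ?>")
        (web / "style.css").write_text("body{}")  # not a watched type
        (web / "upload.cgi").write_text("#!/bin/sh\n")
        os.chmod(web / "upload.cgi", 0o644)
        baseline = snapshot(web)
        # Simulated unauthorized changes (constructed, harmless content).
        (web / "index.php").write_text("<?php echo 'home'; /* changed */ ?>")
        (web / "new.php").write_text("<?php ?>")
        os.chmod(web / "upload.cgi", 0o755)
        return compare(baseline, snapshot(web))

if __name__ == "__main__":
    for event, rel in demo():
        print(event, rel)
```

Run on a schedule with the baseline stored off the server, a check like this would flag a page that keeps getting re-corrupted and any newly dropped script that is rewriting it.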

                      • Dan D.
                        Extremely Frequent Poster
                        • November 5, 2008
                        • 1323

                        #12
                        Re: Site Outage Friday and Saturday

                        Thanks John,

                        I understand it better now. There is some relief to know it was for advertising crap and not intended to destruct anyone's computer. Side note, when I opened my e-mail this morning I had an undeliverable e-mail message from Craig's list. Said the ad address had been removed. Thing is I have not been on Craig's list for several days, and have not responded to any sellers in months. Just wondering if it had anything to do with this attack.

                        Again John, I personally commend you and your team for the dedication and hard work you did on this problem. And I am sure I speak for the whole NCRS community. -Dan-

                        Comment

                        • Dick W.
                          Former NCRS Director Region IV
                          • June 30, 1985
                          • 10483

                          #13
                          Re: Site Outage Friday and Saturday

                          Originally posted by Dan Dillingham (49672)
                          Thanks John,

                          I understand it better now. There is some relief to know it was for advertising crap and not intended to destruct anyone's computer. Side note, when I opened my e-mail this morning I had an undeliverable e-mail message from Craig's list. Said the ad address had been removed. Thing is I have not been on Craig's list for several days, and have not responded to any sellers in months. Just wondering if it had anything to do with this attack.

                          Again John, I personally commend you and your team for the dedication and hard work you did on this problem. And I am sure I speak for the whole NCRS community. -Dan-
                          Craigslist is a great site to generate spam.
                          Dick Whittington

                          Comment

                          • Al R.
                            Very Frequent User
                            • June 30, 1988
                            • 687

                            #14
                            Re: Site Outage Friday and Saturday

                            Guess I must have been the only one whose virus protection did not work. I have McAfee and it disabled my hard drive. Didn't get it repaired until Sun PM late. It's the world we live in!

                            Comment

                            • John W.
                              Administrator
                              • November 1, 1974
                              • 5084

                              #15
                              Re: Site Outage Friday and Saturday

                              Al,

                              I don't think there was any correlation between our hacking and your hard drive issue.
                              Administrator
                              www.ncrs.org

                              Comment
