FYI: Why all of this morning's posts have disappeared.

stapel

stapel

Super Moderator
Staff member
Joined
Feb 4, 2004
Messages
16,583
Q. Where did all of this morning's posts go? Why is there nothing posted since some time "yesterday"?

A. At some point since this morning, the database which houses the "back end" of the forums was hacked. The site owner, Ted Wilcox, (yes, he does exist!), rolled back the server to the last back-up, which was yesterday or last night. He's working now on securing his server and, in particular, the database.

If you should ever encounter a "Hacked by" screen on these forums in the future, please go directly to the FreeMathHelp site. Click on the "Contact Us" link and send Mr. Wilcox an e-mail at the address shown on that page. Thank you! ;)

[edited by Ted to reflect that his name is in fact Ted, and not Tex :)]
 
Yes, big thanks to Ms. Stapel for contacting me immediately. Since I was at work I had no option but to have my hosting company immediately revert to this morning's automatic backup copy, rather than trying to recover the database if possible. Unfortunately that does mean the posts made from 4AM this morning until around 4PM are lost :(

As she said, I'm not usually around here much, but in case of emergency you can reach me via ted@freemathhelp.com.
 
Ted said:
Yes, big thanks to Ms. Stapel for contacting me immediately. Since I was at work I had no option but to have my hosting company immediately revert to this morning's automatic backup copy, rather than trying to recover the database if possible. Unfortunately that does mean the posts made from 4AM this morning until around 4PM are lost

As she said, I'm not usually around here much, but in case of emergency you can reach me via ted@freemathhelp.com.
Click to expand...

I will report that I could not get beyond the page announcing the "hack".
Now it may be just me, but I could not go beyond that point.
 
pka said:
I will report that I could not get beyond the page announcing the "hack".
Now it may be just me, but I could not go beyond that point.
Click to expand...

I think that was the case for everyone. But, since I don't really know at what time the hack happened, I can only assume there were posts between 4AM and the hacking which were lost. Luckily it was fixed by evening.
 
Immediately after I hit the hack page yesterday, I ran a scan on my computer (something I usually do on Fridays). I found a piece of malware and successfully deleted it.

When I logged in here today, my malware blocker informed me that it had blocked my going to a potentially malicious site. This is the only site where I am (overtly) logged in. I am wondering if the hack was cover for another purpose. The blocked IP address is 193.169.87.36

I am going to run both my scanners on my computer to make sure that all is well on my end. That will take a while. I shall post a message letting everyone know about the results of the scans.
 
JeffM said:
Immediately after I hit the hack page yesterday, I ran a scan on my computer (something I usually do on Fridays). I found a piece of malware and successfully deleted it.

When I logged in here today, my malware blocker informed me that it had blocked my going to a potentially malicious site. This is the only site where I am (overtly) logged in. I am wondering if the hack was cover for another purpose. The blocked IP address is 193.169.87.36

I am going to run both my scanners on my computer to make sure that all is well on my end. That will take a while. I shall post a message letting everyone know about the results of the scans.
Click to expand...

I too get that exact same message multiple times.
 
pka said:
I will report that I could not get beyond the page announcing the "hack".
Now it may be just me, but I could not go beyond that point.
Click to expand...
But it was possible to back up "above" that page.

The URL for the main page of the forums is the domain name, "freemathhelp.com", followed by "/forum/forum.php".

Delete the "/forum/forum.php" part of the URL in the location bar of your browser, and you will find yourself "above" the forums in the server directory tree. From that location, you will (or should) be able to access the "Contact Us" page with the e-mail address. ;)
 
OK I have run multiple checks on my system and am still getting told that signing in to this site is triggering a call to a potentially dangerous site. I am not getting that message at other sites.
 
JeffM said:
OK I have run multiple checks on my system and am still getting told that signing in to this site is triggering a call to a potentially dangerous site. I am not getting that message at other sites.
Click to expand...

I am not getting that. Do you have any toolbars that might interfere with your browsing?
 
daon2 said:
I am not getting that. Do you have any toolbars that might interfere with your browsing?
Click to expand...
What I have are two malware systems operating simultaneously. I do not assert that there is a residual problem here as a result of the hack. I may have a problem on my own computer (one that pka seems to have as well). What I can say for certain is that I am getting the warning only when on this site.
 
JeffM said:
What I have are two malware systems operating simultaneously. I do not assert that there is a residual problem here as a result of the hack. I may have a problem on my own computer (one that pka seems to have as well). What I can say for certain is that I am getting the warning only when on this site.
Click to expand...
I too am still getting the messages from this site alone. I have scanned this computer with two different programs twice each. Each time, nothing was found.
 
Interestingly, I am now getting a redirect to http://ww* .mursenopasid.com/ when I click on any links off the main page (only for this domain). Ted's servers have been infected with something, hopefully only a simple redirect script.
To get around it, you can install Adblock plus, and insert custom filters: I am blocking
Code: 
http://ww1.mursenopasid.com/
http://ww2.mursenopasid.com/
http://ww3.mursenopasid.com/
http://ww4.mursenopasid.com/
http://ww5.mursenopasid.com/
http://ww6.mursenopasid.com/
http://ww7.mursenopasid.com/
http://ww8.mursenopasid.com/
http://ww9.mursenopasid.com/

and it seems to have fixed the redirects.
 
I tracked down the source of that redirect link and have removed it. At the moment I *think* everything is well, but please let me know if anything comes back. Additionally, I do want to mention that to the best of my knowledge there is NO risk to your individual computers, especially if you are using the latest antivirus software and keep your computer and web browser up-to-date. It wouldn't hurt to run a scan if you're concerned that malicious code could have been used to attack your computer directly.
 
I sent an email to Ted last night saying that things had got worse and that, like daon, I was now being redirected to a specific site (with the same address as daon's). I could not get into the forum at all.

Obviously, that has now stopped, and System Mechanic, my virus protection software, is now letting me into the forum without delay or warning. However, Malwarebytes is still warning me that is it is blocking me from some site that appears to be housed in the Ukraine (same address as previously reported). I am getting that warning only when on this site. I fear that there may still be some residual problems from the hack, but as Ted says, they do not seem to be adversely affecting my system.

I shall send Ted a new email bringing him up to date with my experience because I am not sure that he is monitoring this thread.

What a bloody waste of time and energy. I appreciate what Ted is doing for us all.
 
Ted said:
I tracked down the source of that redirect link and have removed it. At the moment I *think* everything is well, but please let me know if anything comes back. Additionally, I do want to mention that to the best of my knowledge there is NO risk to your individual computers, especially if you are using the latest antivirus software and keep your computer and web browser up-to-date. It wouldn't hurt to run a scan if you're concerned that malicious code could have been used to attack your computer directly.
Click to expand...
I still get the malware warning each I change locations on this site. Is there no way to ​scrub the entire site?
 
pka said:
I still get the malware warning each I change locations on this site. Is there no way to ​scrub the entire site?
Click to expand...
As of Saturday morning (eastern US time), I am NO LONGER getting the blocking message.

Thanks Ted
 
Ted said:
Are you still getting warnings?
Click to expand...
Yes, each time I come here or change locations here.
The message does not stay long enough for me to copy.
It is something like "anti malware has blocked transfer to a possible infected site". Then it gives a url 193.169.87.36, which always the same number (web address). I spend a great deal of time each day on the web. I visit many sites and at least five mathboards. This is the only site that I get that message. I have scanned this machine with three different programs. None of which has found any thing locally.
 
Last edited:
You must log in or register to reply here.
Top