Caution about hijacked forum website


Joined
Nov 16, 2012
Messages
427
Reaction score
112
For what it's worth . . . .

I see that the Casio Music Forum website has been hijacked again by that "Get Host" website. I strongly suspect that this is one of the Russian spammer sites mentioned by Mike in his post before he went on vacation. This time, once my system connected to it, I did some quick investigating. My hard drive and satellite modem activity were through the ceiling, and my desktop network activity monitor indicated that almost all of that activity was uploads, not downloads. That means it was stealing my data - and I am running the Comodo software firewall in addition to the hardware firewall in my satellite modem. I really liked that forum, and I am going to miss it, but I think I will just avoid it until they get this straightened out.
 

happyrat1

Destroyer of Eardrums!!!
Joined
May 30, 2012
Messages
8,106
Reaction score
3,403
Location
GTA, Canada
They were up again last night and now they're hijacked again today. I dunno if this is a domain name service thing or if they just hacked the site and put in a redirect but it looks like they're neck deep in the sh*t this week.

First the spam flood of a hundred garbage messages and now this. Looks like someone either really has it in for Casio or else the site owners are simply incompetent or both.

Either way this is taking way too long to fix and I have my doubts about the forums coming back online at all in the future. I think they're in over their heads.
 
Joined
Nov 16, 2012
Messages
427
Reaction score
112
Yup ! Sure nuff ! Looks like I was right the other day when I thought the Casio Music Forum hijacker site was uploading data from my laptop. Today I received emails (phishmails really) on three different accounts that I manage online. In each case, the email stated that it had come to their attention that my account had been compromised, was now locked, and that I need to follow the link provided to set a new password (of course, I needed to provide the old password). In each case, I was able to log into those accounts through my normal means, using my normal IDs and passwords. They had not been compromised and were not locked. I hope nobody else got burned on this. I went into the CMF site very briefly last night, and it looked like it was back up, but since only about 1/3 of the stuff was there, I got suspicious and got out real quick.
 

happyrat1

Destroyer of Eardrums!!!
Joined
May 30, 2012
Messages
8,106
Reaction score
3,403
Location
GTA, Canada
Actually it turns out the redirected site was happening on my laptop after the first infection. I run Firefox in Linux with the Noscript addon installed.

Even so, my browser was totally hijacked to their malware site whenever I surfed to Casiomusicforums.com

Long story short, without going into too much detail, I cleaned up my system and removed the offending scripts and now am back on the casio site with all forum scripting disabled. It's still functional enough to post and they seem to be back in order again.

My advice, if you haven't done so already, is to install and run Firefox and the Noscript Addon and always be careful which scripts and sites you allow.

If you're running a Windows system I'd also suggest paying a visit to

http://housecall.trendmicro.com/

And run the online scanner with the deep scan option enabled. It's by far the best free Windows malware scanner I've ever used and have used it in the past to detect stuff that McAfee, Norton and Kaspersky have all missed. And it cleans the malware free of charge as well.
 
Joined
Nov 16, 2012
Messages
427
Reaction score
112
It looks like maybe only Firefox was infected, but when I connect with what looks like the "real" CMF site with IE or Chrome, I'm still not sure that it is the "real" site. I see only the sections for the Privias and Celvianos and the Classic synths. I do not see the sections for the XWs, CTKs, or WKs. Is this what you are seeing ?
 

happyrat1

Destroyer of Eardrums!!!
Joined
May 30, 2012
Messages
8,106
Reaction score
3,403
Location
GTA, Canada
I'm seeing the whole site, with java and php scripts disabled. I've been actively participating in a handful of threads there since yesterday.

I'd suggest running a few free malware scans on your system just to make sure you're not being hijacked to a dummy site.

Here's a few I recommend.

http://www.whatthetech.com/hijackthis/

http://windows.microsoft.com/en-CA/windows/security-essentials-download

http://www.kaspersky.ca/downloads/free-anti-virus-scan

http://housecall.trendmicro.com/

http://www.eset.com/us/online-scanner/

The Trend Micro HouseCall is incredibly thorough, but it takes about 5 to 8 hours to run a full deep scan with the beta version, but it catches stuff that others just blow by. I'd advise running the others first since they are much quicker but less thorough. If your system comes up clean after all that then I really couldn't advise anything else.

BTW, here's some screenshots of what I'm currently seeing on the casioforums site.
 


Joined
Nov 16, 2012
Messages
427
Reaction score
112
Thanks, Gary !

I figured that since it's obvious these guys got a fair piece of my personal data, the first order of business was to get all of my passwords changed, particularly on the financial stuff, so I just spent the last couple of hours doing that. I wanted a machine that I knew was clean, so I drug out an old Compaq XP-SP2 laptop that's been packed away for about a year. I will use it for all of my financial stuff until I get the new laptop and the desktop cleaned up. I stopped all scripting (that I know of) on both of them, but the desktop still goes to the Get Host site, while the laptop goes to that truncated "real" site. I ran an Avast full scan on the laptop and have one running now on the desktop, but have not come up with anything so far. I'm getting ready to start a HouseCall scan on the laptop now. If Avast does not find anything on the desktop, I guess I will just have to start down the list you gave me. The desktop is a Vista-64 machine, and the HouseCall site says it's only for Win-7 and 8.

Oddly enough, I also have a small Acer netbook that I use for sequencing on the XW-P1 and the Jupiter-50. It has never even been connected to the network, so there is no way it could have been infected by this. I hooked it up, and it also gets that truncated "real" site, so I have absolutely no idea what is going on with that. I don't think it is going to make much difference though. After all this, I think I will just get my machines cleaned up and then just stay away from that site. I don't want to have to go through this again.

Anyway, thanks again for the info.
 

happyrat1

Destroyer of Eardrums!!!
Joined
May 30, 2012
Messages
8,106
Reaction score
3,403
Location
GTA, Canada
Hi Ted. I've used the Housecall Beta successfully to detect malware on a 32 bit Vista laptop so I don't think it will give you any real problems.

Here's hoping you get things cleaned up sooner rather than later.

I know how you feel. Violated.

Gary
 

happyrat1

Destroyer of Eardrums!!!
Joined
May 30, 2012
Messages
8,106
Reaction score
3,403
Location
GTA, Canada
So Ted, did the housecall detect any malware on your system or not?

Gary
 
Joined
Nov 16, 2012
Messages
427
Reaction score
112
Gary

Turns out, only my Vista desktop was infected. No problem with the Win-7 laptop. I was running MSE on the desktop, and it didn't see a thing, so I took it off and re-installed Avast. I tried Avast a couple of years ago, but it did not play well with Vista. Anyway, the new Avast found and removed a virus, but I had to take it back off as it was worse than the older version - too many lockups, especially coming out of sleep mode. Then I tried HouseCall, but it did not find anything else. Saturday, I finally bit the bullet and went to Walmart and got the 3-PC license version of Kaspersky for $47. I had used it some years ago and liked it, but got away from it because of the expense. Once installed, it rooted out a Trojan real quick. Only other problem with Kaspersky is its real time protection is so stringent, it tends to slow things down a bit, but am willing to live with that. Think I will just stay with Kaspersky and HouseCall on both machines, even though Avast runs fine under Win-7. I will just feel safer with Kaspersky.

Now the aftermath. That "truncated" CMF site I was seeing on the laptop and on IE and Chrome on the desktop appears to be from Mike's IP address blocking. It looks like each section of the forum is a forum unto itself and each one can block IP addresses. Looks like you were lucky and didn't get caught, but by the time Mike got involved, my machine was infected and I was still online, so he saw me as one of the bad guys and blocked me from just the sections I normally go into, which were the XW and CTK/WK sections. It's still that way. The only sections I can get into now are just the Celviano and the Classic sections, but I think I will just leave well enough alone. I have this site for my Casio and Roland and Yamaha units, plus the Roland Clan Forum and the PSR Tutorial forum for my Yamaha stuff.

Thanks for all your help in this !
 

happyrat1

Destroyer of Eardrums!!!
Joined
May 30, 2012
Messages
8,106
Reaction score
3,403
Location
GTA, Canada
Personally I think all Windows malware detectors are a crap shoot on a good day, but Kaspersky and HouseCall are among the better ones. Anyway, I got fed up with Windows almost 15 years ago after being compromised and switched to Linux and never looked back. Even so, I still have to be cautious about zero day scripting exploits and hence I run NoScript as well.

Anyway, I'm happy to hear that you managed to recover your system. Casiomusicforums is still safe enough if you run it with NoScript and you can still post and edit messages with the more primitive editor.

All's well that ends well... ;)

Gary
 
