Jump to content
 

I no longer get email notifications of threads I am watching or PMs

RBE

By RBE,
in Forum Rules, Notices, Faults & Help

Recommended Posts

Kenton

Kenton

Posted
Posted

Martin, an incomplete list (might be just me) but doesn't show all topics that have changed according to the "view new topics") in fact it contains a list of quite old (topics) some of which I am the last to post on :( and others I have also posted on but haven't looked at for ages :(

 

Top of my list is a topic I haven't looked at and isn't on the first 4 pages of "view new topics" but does have new posts on - I really out to read.

 

Also none of the topics I have posted on today, recently are on that list!

 

There are also locked topics on the first page of that list (locked more than 24hrs ago!)

 

So that list is less useful (possibly broken/misleading) than just scanning the pages of "view new topics" ... anyway I'm also interested in the "new" cries for help or just interesting subjects.

 

 

 

I do wonder how RMWeb ended up on that black list and if there was any real evidence to support the allegation - or if it was just a malicious attack? Being as paranoid as I evidently am, it is a potential worry about how many were infected by it before the mailserver was locked.

Link to post
Share on other sites
Andy Y

Andy Y

Posted
Posted

We believe the issue has been isolated now but it may take a while before that filters through to such blocking services. It looks like a security loophole in the software allowed a file to be uploaded but it only appears to be emails spoofed to appear as though they're from RMweb and to sundry email addresses unrelated to forum membership and the volume appears to be very low. I believe any such attack is malicious irrespective of whether it's anyone with a grudge.

Link to post
Share on other sites
  • RMweb Premium
martin_wynne

martin_wynne

Posted
  • RMweb Premium
Posted

I do wonder how RMWeb ended up on that black list and if there was any real evidence to support the allegation - or if it was just a malicious attack? Being as paranoid as I evidently am, it is a potential worry about how many were infected by it before the mailserver was locked.

 

Hi Kenton,

 

It was most likely a security loophole in the CMS system which runs the portal page: http://www.rmweb.co.uk/community/index.php?/page/home.html

 

rather than anything on the RMweb forum itself. A detailed look at the infection is here: http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-stealrat.pdf

 

It's quite possible there never was any infection. Spam detection systems are notorious for false positives, but once an IP is black-listed it can take quite an effort to get it removed. Many of the blacklists are simply a compilation of other blacklists, and not always kept up to date. Most ISPs will block anything on a blacklist, regardless.

 

I doubt you need worry about receiving dodgy emails -- the malicious code was using the RMweb server to relay spam to its own targets, rather than accessing the IPB email database.

 

Martin.

Link to post
Share on other sites
  • 1 month later...
  • 1 month later...
  • RMweb Premium
martin_wynne

martin_wynne

Posted
  • RMweb Premium
Posted

It was unblocked last night but is blocked again today: http://cbl.abuseat.org/lookup.cgi?ip=109.104.118.213

 

From which:

 

"It was last detected at 2015-09-08 05:00 GMT (+/- 30 minutes), approximately 5 hours ago.

It has been relisted following a previous removal at 2015-09-07 21:37 GMT (11 hours, 56 minutes ago)

Perhaps the person who previously removed it didn't actually fix the problem."

 

If the IT folks at Warners/Dediserve are simply requesting unblocking each time without doing something to fix the problem, sooner or later CBL will refuse to unblock it.

 

Martin.

Link to post
Share on other sites
  • RMweb Gold
Alister_G

Alister_G

Posted
  • RMweb Gold
Posted

If the IT folks at Warners/Dediserve are simply requesting unblocking each time without doing something to fix the problem, sooner or later CBL will refuse to unblock it.

 

 

 

Have to agree with Martin, the hosting company don't seem to be addressing the root of the problem.

 

If (to be generous) it's the case that they are removing the malicious software, and it is immediately being re-installed, then there is obviously an attack vector which they haven't blocked - either another user on the same box,  if it's a shared environment - or a vulnerability in some existing piece of software, the Invision forum software itself, or something else on the server. It might be something as daft as an anonymous FTP server running unnoticed.

 

Whatever, it's about time they cleaned it up properly, or the forum email will be banned permanently, and you'll have to change IPs.

 

Al.

Link to post
Share on other sites
  • RMweb Premium
martin_wynne

martin_wynne

Posted
  • RMweb Premium
Posted

The recurrence of the issue tends toward a software loophole being exploited which is like herding cats trying to get answers. I am aware and looking for answers.

 

Hi Andy,

 

There is a lot of info and advice on this page (scroll down): http://cbl.abuseat.org/lookup.cgi?ip=109.104.118.213

 

(It is mainly for Dediserve to deal with.)

 

regards,

 

Martin.

Link to post
Share on other sites

Archived

This topic is now archived and is closed to further replies.

Go to topic listing
×
×
  • Create New...