I haven't been able to reproduce this, but at the main page, an overlaying window appeared (I have "regular" pop-ups blocked), claiming that I had a "vulnerable" installation of Adobe product, and links to "fix it" lol. I don't know if this means our site has been compromised, but I figured that it might help to point it out here.

yup. I was asked to update my firefox....

Seems that it is one time pop-up. Maybe after a computer restart it might come back.


Could somebody remove all kind of 3party stuff from the site - a counter, a diagram generator, maybe something else.

It's really annoying when telling parents to renew son's or daughter's membership, they come back and tell that the website is not accessible or has a virus :/

Has this matter been cleaned up yet?

I've been afraid to go to the main CFC website since circa 2017, after possibly picking up 1 or 2 Trojan horse viruses there.

Yup, seems like chess.ca has been hacked, again. When visiting a chess.ca page today, I got a "Your Version of Chrome is Out of Date" notice and "Click Here To Upgrade" (ya right; NEVER do that). Trying that chess.ca page again did not give me that notice (likely the hack does that to make it harder/slower for admins to discover the hack before too much damage is done).

chess.ca is running a CMS called Drupal (https://www.drupal.org/). Drupal has had 3 highly critical security exploits discovered that were given the colourful names "Drupageddon" (no L; in 2014) and "Drupalgeddon 2" and "Drupalgeddon 3" (with L; both in 2018).

Is chess.ca impacted by these? Anyone (including hackers) can easily check the currently running version of Drupal on most sites by looking at http://chess.ca/CHANGELOG.txt.

Good news is that chess.ca is currently running Drupal 7.58, 2018-03-28 which means it has the patch for "Drupageddon". This was not the case for several years. I think about a year ago (i'm a long inactive player and infrequent visitor) I checked and chess.ca was running a pre-2014 version and so had the "Drupageddon" exposure. That is a possible explanation for hacks/viruses over the last few years.

Bad news is that "Drupalgeddon 2" and "Drupalgeddon 3" were discovered/fixed after Drupal 7.58, 2018-03-28 (see this quick summary (https://medium.com/at-bay/drupalgeddon-2-3-madness-47cffb36e903)). So, it's quite possible the most recent hacks are from D2 and D3. Time to upgrade chess.ca's version of Drupal again!

Is Drupal bad? Nope, all powerful software will have security holes. Drupal has a large technical community and a dedicated security team to find, alert, fix these holes so it is better than a lot of available software. The problem is that to get the security fixes you must upgrade your Drupal regularly (or at least monitor the alerts and upgrade when critical). Many Drupal (and sites using other software) don't have the budget/staff to do that, and so they get hacked.

Thanks Don, we'll have it looked at

Is Drupal bad? Nope, all powerful software will have security holes. Drupal has a large technical community and a dedicated security team to find, alert, fix these holes so it is better than a lot of available software. The problem is that to get the security fixes you must upgrade your Drupal regularly (or at least monitor the alerts and upgrade when critical). Many Drupal (and sites using other software) don't have the budget/staff to do that, and so they get hacked.

I find that update Drupal is more pita than wordpress what updates automatically.