The Sh33p's Fluff Message Board

A place for gathering wool...

All times are UTC - 5 hours




 Post subject: Possible malware
PostPosted: Thu May 30, 2013 6:50 pm 
Slum Lord

Joined: Tue Oct 07, 2003 5:40 am
Posts: 6619
Location: The Land of Oz
Guys, some people are reporting that their malware scanners are reporting an "Exploit Blackhole Exploit Kit (type 2704)" warning on some parts of this site.

I'm checking with Gamer and I'll let you know as soon as I hear anything. In the meantime, Wikipedia says:

Quote:
Defenses against the Blackhole exploit kit

A typical defensive posture against this and other advanced malware includes, at a minimum, each of the following:

* Ensuring that the browser, browser's plugins, and operating system are up to date. The Blackhole exploit kit targets vulnerabilities in old versions of browsers such as Firefox, Google Chrome, Internet Explorer and Safari as well as many popular plugins like Adobe Flash, Adobe Acrobat and Java.
* Running a security utility with a good antivirus and good host-based intrusion prevention system (HIPS). Due to the polymorphic code used in generating variants of the Blackhole exploit kit, antivirus signatures will lag behind the automated generation of new variants of the Blackhole exploit kit, while changing the algorithm used to load malware onto victims' computers takes more effort from the developers of this exploit kit. A good HIPS will defend against new variants of the Blackhole exploit kit that use previously known algorithms.


In short, make sure your operating system, browser and any plugins and your malware scanner are up to date. I also recommend disabling scripts on this site unless you specifically need them (e.g. for posting pics).

_________________
"A great deal of Security is unfortunately just like the underwear of Brittany Spears. If it's even there at all, it is needlessly complex and frilly; looks good without actually covering much; and is far too easy to get around or remove completely."
- David Boston


 Post subject: Re: Possible malware
PostPosted: Thu May 30, 2013 7:16 pm 
MiniGod

Joined: Sun Oct 05, 2003 9:51 pm
Posts: 102
Location: Hell on earth.
I don't immediately see any signs of trouble with the site itself - odds are the posts are simply embedding something malicious hosted externally. The particular message you're receiving looks to be from AVG.

I'll need an example post to better investigate.


 Post subject: Re: Possible malware
PostPosted: Thu May 30, 2013 7:19 pm 
Slum Lord

Joined: Tue Oct 07, 2003 5:40 am
Posts: 6619
Location: The Land of Oz
Gamer wrote:
I don't immediately see any signs of trouble with the site itself - odds are the posts are simply embedding something malicious hosted externally. The particular message you're receiving looks to be from AVG.

I'll need an example post to better investigate.

Thanks Gamer.

Can anyone who's getting these messages give Gamer more details?



 Post subject: Re: Possible malware
PostPosted: Fri May 31, 2013 12:10 pm 
MiniGod

Joined: Sun Oct 05, 2003 9:51 pm
Posts: 102
Location: Hell on earth.
The affected files have been removed and the board is now on the current version of phpbb.


 Post subject: Re: Possible malware
PostPosted: Fri May 31, 2013 4:49 pm 
Slum Lord

Joined: Tue Oct 07, 2003 5:40 am
Posts: 6619
Location: The Land of Oz
The small but loyal band of SFMBers thanks you.

:D



 Post subject: Re: Possible malware
PostPosted: Sat Jun 01, 2013 9:51 am 
Slum Lord

Joined: Tue Oct 07, 2003 5:40 am
Posts: 6619
Location: The Land of Oz
Just had a note to say that a user is now getting a virus warning - "Mass[something]5.exe". :-(



 Post subject: Re: Possible malware
PostPosted: Sat Jun 01, 2013 11:48 am 
Rack of Lamb

Joined: Thu Feb 28, 2013 5:00 pm
Posts: 50
Deref wrote:
Just had a note to say that a user is now getting a virus warning - "Mass[something]5.exe". :-(


Do you mean this?

I had a strange encounter the other day. One time, the index page led to a completely different page, kkarantoris DOT net SLASH libraries SLASH cnt.php. It was a blank page, other than the one word "ok". Just search for kkarantoris DOT net in Google (put a space between the "k"s) in Chrome (if you have it), and in another tab, go to the SFMB index page. Notice a logo on the left side of each tab that looks like a golden slanted L (the left side of the Karantoris logo), where for the SFMB, it should be a piece of paper with a fold in the top right corner (as it is on every other page on the SFMB), but isn't? No coincidence there. I looked to see what cnt.php was as a file, to see if it had been seen before. I found this. That's a list of malicious redirects to a page "cnt.php" on another site, mtiusa DOT org. I think we might have had a malicious redirect here.

Also, take a look at this page (use ctrl-F to find "cnt.php" in the simplified JavaScript).


 Post subject: Re: Possible malware
PostPosted: Sat Jun 01, 2013 8:14 pm 
Sh34r Excellence

Joined: Sun Apr 24, 2005 11:21 pm
Posts: 3478
Location: Far Western Kentucky
Nothing like this is happening to me at the moment. Which is a little odd, since I'm usually the one being plagued by all kinds of inexplicable computer/Internet issues, that are always assumed to be my own fault. This time, nothing (so far). :shock: :-?

Anyway, thanks for trying to address ... whatever it is.

Cross

_________________
"The practical reason for freedom is that freedom seems to be the only condition under which any kind of substantial moral fiber can be developed — we have tried law, compulsion and authoritarianism of various kinds, and the result is nothing to be proud of." -- Albert Jay Nock, "On Doing the Right Thing", in The American Mercury (1925)

"Men in a state of decadence employ professionals to fight for them, professionals to dance for them, and a professional to rule them." -- G.K. Chesterton

"No man is so exquisitely honest or upright in living, but that ten times in his life he might not lawfully be hanged." -- Montaigne

"But to live outside the law, you must be honest." -- Bob Dylan

"Unjust laws can be altered, as well as made. There's a new spirit in the world. Taxed out of existence, robbed of their independence by the government, the people must fight back how they can. What we're doing here is just a pin-prick. But a thousand pin-pricks put together ... " -- Christopher Syn

"Not in the flight of thought, but in the act alone is there freedom" - Dietrich Bonhoeffer

"The human race divides politically into those who want people to be controlled and those who have no such desire ... Must be a yearning deep in the human heart to stop other people from doing as they please. Rules, laws — always for the other fellow." -- Robert Heinlein


Last edited by crossada75 on Sat Jun 01, 2013 8:54 pm, edited 1 time in total.

 Post subject: Re: Possible malware
PostPosted: Sat Jun 01, 2013 8:20 pm 
Slum Lord

Joined: Tue Oct 07, 2003 5:40 am
Posts: 6619
Location: The Land of Oz
Thanks SE - that's very interesting.

I'll leave it up to our esteemed host to sort it out, if he hasn't already done so. Since I haven't done any programming or site design for years, my knowledge and skills, such as they were, are hopelessly out of date.



 Post subject: Re: Possible malware
PostPosted: Sun Jun 02, 2013 6:40 pm 
Rack of Lamb

Joined: Thu Feb 28, 2013 5:00 pm
Posts: 50
One more thing. The thing with the other website's logo only works if you type in the SFMB's URL or click on any outside link to the index page, and only on the index page. If you click on "board index" in the corner while on the site, or if you refresh the index page or retype the URL while on it, it's the usual "folded piece of paper" design that shows up. This only applies when not working from an outside source--going directly from Google, my bookmarks, or DariaWiki, the logo appears, and remains when refreshing or retyping.

My theory is that someone was/is trying to use this site as a way to boost traffic to theirs, and either obfuscated whatever they were doing after a minute (so that only that logo remains visible) or fucked it up a bit. The fact that it does that in search engines or outside links seems to support that. I'm not much of a programmer, so I can't be sure. Just my thought.


 Post subject: Re: Possible malware
PostPosted: Mon Jun 03, 2013 1:58 pm 
MiniGod

Joined: Sun Oct 05, 2003 9:51 pm
Posts: 102
Location: Hell on earth.
Several files were modified, including htaccess, to redirect to a malicious website. That being said, it was all cleaned up prior to me upgrading the board.

Are we purely discussing what was happening, or are there still issues?


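Gamer's post above says the compromise worked by editing several files, including the board's .htaccess, to redirect visitors elsewhere, and SinisterExaggerator's earlier observation (the redirect only fired when arriving from Google or an outside link, never when refreshing or navigating inside the board) is the signature of a referer-conditioned rewrite. The following is an added example, not code from this thread or from phpBB: a small Python scanner that flags RewriteRule/Redirect directives whose target is an external host and notes when the preceding RewriteCond group keys on HTTP_REFERER with search-engine names. Both .htaccess samples are constructed inline, and the hostnames (`sfmb.example`, `redirector.example.invalid`) are placeholders, not the real ones.

```python
from urllib.parse import urlparse

# Constructed sample .htaccess: a phpBB-style file with an injected,
# referer-conditioned redirect of the kind the thread describes. Only visitors
# arriving via a search engine are sent off-site, so an admin who opens the
# board directly sees nothing wrong. The target host is a placeholder.
TAMPERED_HTACCESS = """\
# BEGIN phpBB
RewriteEngine On
RewriteCond %{HTTP_REFERER} .*google.* [NC,OR]
RewriteCond %{HTTP_REFERER} .*bing.* [NC,OR]
RewriteCond %{HTTP_REFERER} .*yahoo.* [NC]
RewriteRule ^(.*)$ http://redirector.example.invalid/libraries/cnt.php [R=302,L]
ErrorDocument 404 /404.html
RewriteRule ^forum/([0-9]+)/?$ /viewforum.php?f=$1 [L]
"""

# Constructed clean file for comparison: only on-site rewrites.
CLEAN_HTACCESS = """\
RewriteEngine On
RewriteRule ^forum/([0-9]+)/?$ /viewforum.php?f=$1 [L]
ErrorDocument 404 /404.html
"""

SEARCH_ENGINE_HINTS = ("google", "bing", "yahoo", "yandex", "duckduckgo")


def external_host(target, own_hosts):
    """Return the hostname of an absolute redirect target that is not one of
    own_hosts, else None (relative targets keep the visitor on the site)."""
    if "://" not in target:
        return None
    host = urlparse(target).hostname
    return host if host and host not in own_hosts else None


def scan_htaccess(text, own_hosts):
    """Scan .htaccess content and return a list of (line_no, reason, line).

    Flags RewriteRule / Redirect / RedirectMatch directives whose target is an
    external host, and notes when the RewriteCond group in front of a
    RewriteRule tests HTTP_REFERER for search-engine names (the 'cloaked'
    redirect pattern that hides from the site's own operators).
    """
    findings = []
    conds = []  # RewriteCond lines that apply to the next RewriteRule
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        directive = parts[0].lower()
        if directive == "rewritecond":
            conds.append(line)
        elif directive == "rewriterule" and len(parts) >= 3:
            host = external_host(parts[2], own_hosts)
            if host:
                reason = "RewriteRule to external host " + host
                referer = [c for c in conds if "http_referer" in c.lower()]
                if any(h in c.lower() for c in referer for h in SEARCH_ENGINE_HINTS):
                    reason += ", conditioned on a search-engine referer"
                findings.append((no, reason, line))
            conds = []  # conditions only apply to the rule that follows them
        elif directive in ("redirect", "redirectmatch") and len(parts) >= 3:
            host = external_host(parts[-1], own_hosts)
            if host:
                findings.append((no, directive + " to external host " + host, line))
    return findings


if __name__ == "__main__":
    for name, text in (("tampered", TAMPERED_HTACCESS), ("clean", CLEAN_HTACCESS)):
        print(name)
        for no, reason, line in scan_htaccess(text, {"sfmb.example"}):
            print("  line %d: %s\n    %s" % (no, reason, line))
```

Run against a real site, the scanner should be pointed at every .htaccess under the web root (the thread says several files were modified), and a clean result from it does not clear PHP files or templates; it only tells you the web server itself is no longer doing the redirecting.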
 
 Post subject: Re: Possible malware
PostPosted: Mon Jun 03, 2013 4:03 pm 
Rack of Lamb

Joined: Thu Feb 28, 2013 5:00 pm
Posts: 50
Gamer wrote:
Several files were modified, including htaccess, to redirect to a malicious website. That being said, it was all cleaned up prior to me upgrading the board.

Are we purely discussing what was happening, or are there still issues?


The only thing still going on is the logo on the index page, shared by the website I mentioned. Strangely, that occurs in Chrome for me, but not IE. Do you see it? If not, then I just have to give a big old "oh, shit", because my computer would be infected in that case.


 Post subject: Re: Possible malware
PostPosted: Tue Jun 04, 2013 12:36 pm 
MiniGod

Joined: Sun Oct 05, 2003 9:51 pm
Posts: 102
Location: Hell on earth.
SinisterExaggerator wrote:

The only thing still going on is the logo on the index page, shared by the website I mentioned. Strangely, that occurs in Chrome for me, but not IE. Do you see it? If not, then I just have to give a big old "oh, shit", because my computer would be infected in that case.


The SFMB logo seems normal. It's possible there's a cached file causing you issues; have you tried clearing your browser cache?


 Post subject: Re: Possible malware
PostPosted: Tue Jun 04, 2013 5:27 pm 
Rack of Lamb

Joined: Thu Feb 28, 2013 5:00 pm
Posts: 50
Gamer wrote:
SinisterExaggerator wrote:

The only thing still going on is the logo on the index page, shared by the website I mentioned. Strangely, that occurs in Chrome for me, but not IE. Do you see it? If not, then I just have to give a big old "oh, shit", because my computer would be infected in that case.


The SFMB logo seems normal. It's possible there's a cached file causing you issues; have you tried clearing your browser cache?


I do that each time I clear my history, which is after every session. I also deleted the cookies, too, just now. It's still the Karantonis logo on the index page.


 Post subject: Re: Possible malware
PostPosted: Tue Jun 04, 2013 7:04 pm 
MiniGod

Joined: Sun Oct 05, 2003 9:51 pm
Posts: 102
Location: Hell on earth.
SinisterExaggerator wrote:
I do that each time I clear my history, which is after every session. I also deleted the cookies, too, just now. It's still the Karantonis logo on the index page.


Can you take a screenshot of where you're seeing it?


 Post subject: Re: Possible malware
PostPosted: Wed Jun 05, 2013 3:49 pm 
Rack of Lamb

Joined: Thu Feb 28, 2013 5:00 pm
Posts: 50
Gamer wrote:
SinisterExaggerator wrote:
I do that each time I clear my history, which is after every session. I also deleted the cookies, too, just now. It's still the Karantonis logo on the index page.


Can you take a screenshot of where you're seeing it?


Okay, the first attachment is a screenshot of the index page as I see it from an outside link. Note the gold half-triangle on the left side of the middle tab.

Attachment: SFMBKarantonis1.png


I tried to take a screenshot of kkarantonis DOT net, but what a surprise! Google Chrome blocked it, stating that it contains malware! By the way, this is a page from Sucuri Malware Labs, and the page I reported seeing is the one "distributing the malware or acting as a redirector".

However, I found another (harmless) site, which lists the business related to the malicious site, and you can see the logo in this screenshot within a screenshot (the harmless site's page is here).

Attachment: KarantonisSFMB1.png


Can you say "smoking gun"?


 Post subject: Re: Possible malware
PostPosted: Wed Jun 05, 2013 7:05 pm 
Slum Lord

Joined: Tue Oct 07, 2003 5:40 am
Posts: 6619
Location: The Land of Oz
Sorry I've been without a connection for several days. Damn AT&T to heck. What a useless "service". And Verizon, which has got great coverage, won't sell me a SIM!!!!

Me: Hi. I'd like to pay you some money for your fine product.

Verizon: No. Fuck off. Don't need your steenkin' money.

Anyway, that triangle thing's weird. WTF????

Edit: Oh dear. I can't get to the administration control panel. :-(



 Post subject: Re: Possible malware
PostPosted: Wed Jun 05, 2013 9:40 pm 
MiniGod

Joined: Sun Oct 05, 2003 9:51 pm
Posts: 102
Location: Hell on earth.
If all you're seeing is that little icon in the browser tab itself, that's a favorite icon. Chrome will store those separately from browser cache if you have a bookmark.

SFMB doesn't actually have a favorite icon, so it'll never try to replace it. If you're using a bookmark, try recreating it.


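Gamer's point above is that the tab icon is a favicon Chrome keeps per bookmark, separate from the page cache, and that SFMB serves no icon of its own, so a stale icon on the client says nothing about the server. The complementary server-side check is to look at what the index page actually advertises: if the HTML references an icon, or a script, on another host, the page itself is tampered. This is an added example, not code from the thread or from phpBB, showing that check with Python's standard-library HTML parser. The two index-page snippets are constructed inline, and the hostnames (`sfmb.example`, `redirector.example.invalid`) and asset paths are placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed index page as a board without a favicon might serve it:
# a stylesheet and one same-host script, no icon link at all.
CLEAN_INDEX = """<html><head><title>The Sh33p's Fluff Message Board</title>
<link rel="stylesheet" href="/styles/theme/stylesheet.css">
<script src="/scripts/board.js"></script>
</head><body>Board index</body></html>"""

# Constructed tampered copy: an injected off-site icon and an off-site script
# (placeholder host; the path echoes the cnt.php redirector named in the thread).
TAMPERED_INDEX = """<html><head><title>The Sh33p's Fluff Message Board</title>
<link rel="stylesheet" href="/styles/theme/stylesheet.css">
<link rel="shortcut icon" href="http://redirector.example.invalid/favicon.ico">
<script src="/scripts/board.js"></script>
<script src="http://redirector.example.invalid/libraries/cnt.php"></script>
</head><body>Board index</body></html>"""


class AssetCollector(HTMLParser):
    """Collect icon <link> hrefs and <script> src values from a page."""

    def __init__(self):
        super().__init__()
        self.icons, self.scripts = [], []

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        # rel is a space-separated token list, e.g. "shortcut icon"
        if tag == "link" and "icon" in a.get("rel", "").lower().split() and a.get("href"):
            self.icons.append(a["href"])
        elif tag == "script" and a.get("src"):
            self.scripts.append(a["src"])


def offsite_assets(page_url, html):
    """Return {'icon': [...], 'script': [...]} holding the absolute URLs of
    icon links and scripts whose host differs from the page's own host."""
    own = urlparse(page_url).hostname
    parser = AssetCollector()
    parser.feed(html)
    out = {"icon": [], "script": []}
    for kind, refs in (("icon", parser.icons), ("script", parser.scripts)):
        for ref in refs:
            abs_url = urljoin(page_url, ref)  # relative refs resolve to own host
            host = urlparse(abs_url).hostname
            if host and host != own:
                out[kind].append(abs_url)
    return out


if __name__ == "__main__":
    for name, html in (("clean", CLEAN_INDEX), ("tampered", TAMPERED_INDEX)):
        print(name, offsite_assets("http://sfmb.example/index.php", html))
```

For a board that deliberately serves no favicon, any icon link in the output is suspicious, not just an off-site one; and because the earlier redirect only fired for visitors arriving from a search engine, the HTML should be fetched with a search-engine referer as well as without, or the tampered version may never be seen.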
 Post subject: Re: Possible malware
PostPosted: Thu Jun 06, 2013 2:05 pm 
Rack of Lamb

Joined: Thu Feb 28, 2013 5:00 pm
Posts: 50
Gamer wrote:
If all you're seeing is that little icon in the browser tab itself, that's a favorite icon. Chrome will store those separately from browser cache if you have a bookmark.

SFMB doesn't actually have a favorite icon, so it'll never try to replace it. If you're using a bookmark, try recreating it.


Recreated (see the very right of the top):

Attachment: SFMBRecreated.png


With the favorite icon, it never used to be that until this whole malware thing started. And knowing that the SFMB didn't replace it, I'm assuming that's the fault of the hacker(s). I could be wrong, of course.


Powered by phpBB® Forum Software © phpBB Group