POUET.NET is hacked / infected with a javascript worm
category: general [glöplog]
so only Virgil was infected till now? Not too effective methods for organized criminals.
using "forever" while holding en_us flag down = fail, right?
hey ryg
thanks for posting this information. i have not been online all the weekend, so i was kinda thrown into the cold water by this. i think the only ones that know the pain ftp password is me, ps and probably fred. if it leaked, this means that i (or one of the mentioned) have some kind of rootkit/trojan somewhere on our system? av doesn't show anything, and also catchme.exe doesn't give any warnings.. so what did actually happen? how could they access the pain ftp space? i'd be happy for some enlightening information/ideas/words since i don't really feel like diving too deep into all of this :-)
Quote:
first and most important, you are only in danger if the "buy anti spyware software" window/pop-under ad appeared while/after visiting pouet, pain, demoparty.net, breakpoint.untergrund.net or any of the other 4 infected untergrund.net-hosted sites (virgill, litwin, dva, cycor). if that didn't appear, there's no reason to assume anything bad happened and you can officially relax now. furthermore, the injected javascript code appeared around friday evening, and definitely stopped working sometime before saturday 14:00 MET (part of the code comes from a site that now produces a 404 for some reason). it has since been removed from all affected sites and the ftp passwords have been changed (at least for the bigger scene sites). so if you didn't access any of the sites mentioned during that timeframe, you're definitely safe too.
only malware i found on my machine was a vundosomething, has been cleaned out.
gonna get new passwords for pouet and pain staff regardless.
unlock: Yes, it means that one of the ones who know the pain ftp password is infected (or has used an infected pc to login to the ftp server).
Until now none of the ones infected has been able to actually find the rootkit AFAIK.
ps: can't we just get rid of the FTP acc for pouet? the people who keep poking it now (= you and me) already have SFTP...
unlock, use gmer. (http://www.gmer.net/)
It's able to detect that new stealthy mbr rootkit
In case the "e.pepato.org"-redirection has any relation to these latest events, I experienced such a redirection on January 16 during a random visit to pouet.net using Firefox 2.0.0.11 (or whatever newest 2.x version at the time) on WinXP SP2.
I seem to recall the redirection took place almost immediately after clicking my pouet.net-link, can't remember what (if anything at all) was at the page. Time is local Danish time (CET) and should be accurate.
Quote:
From #tbc.UnderNet.20080116.log:
<...>
[12:46:01] <px^> hvorfor blev jeg nu smidt på http://e.pepato.org/e/e1004.html, da jeg gik på pouet - det virker ikke synderligt sundt
<...>
Quote:
ps: can't we just get rid of the FTP acc for pouet? the people who keep poking it now (= you and me) already have SFTP...
Does it even matter how you connect? I thought it was a keylogger..?
scamp, ps, truck: thanks! i think i'll try gmer on my work pc and on the virtual windows installation on my mac, too then. on my main pc, i was not able to find _anything_ at all (except the usual daemon tools, firefox talkback and whatever else there was). and yes, i'd be happy if we could change the ftp-password for the pain site (someone from the staff send it to my private address, please :-))
Quote:
i'd be happy if we could change the ftp-password for the pain site (someone from the staff send it to my private address, please :-))
Or perhaps you should refrain from using it for a little while.. ;)
that would not help if they (the hackers) already got the password, would it? didn't plan any updates to the site anyway, the next days :-)
Everyone who suspects that he has a rootkit should probably also try GMER and CatchIt using the Ultimate Boot CD for Windows since a rootkit would still be able to hide the bad boot sector etc...
gloom: i dunno, but if i'd have to make a guess, i'd say it was monitoring FTP traffic (which is easier to do since the pwd is sent in plaintext)
oh boy. this does not look so nice:
My main machine: [screenshot not included]
But this on two other machines: [screenshot not included]
So there's a little difference in the first few sectors. Additionally, the last cylinder of my main machine's hard disk ends with something that looks like the pictures above, but the boot failure messages are in English which is quite strange...
i have this damn rootkit as well, and even after fixmbr it gets detected again by gmer. i have no idea what to do, and really really hope there's a way around it without formatting everything, because i simply don't have time to set up a new system right now. any ideas?
just to be sure... would you be so kind and download WinHex, open your primary hard disk with it (F9 -> physical media -> hd0) and look at the first few sectors if they look similar? :)
Looks like a partition table to me.
what files etc. does gmer show for the trojan btw? I think that would be helpful to know. Mine just shows a load of stuff that i'm fairly sure is supposed to be there, but it's hard to tell :)
Rootkit revealers often make people more paranoid than they are worth.
If you didn't get the anti-spyware pop up then you are fine
psionice: if it tells you that the mbr is infected, then it's mebroot, otherwise it isn't.
ryg: thanks. I saw no mention of the mbr, or any way to check, so i thought it must show up somewhere else.
Gmitts: and what if the anti-spyware pop-up was just a social engineering trick used as a last resort if it failed to find any security holes? That's how these things can and do work. I use this box for sensitive stuff at times, so I can't take risks.
now i used several anti-spyware, anti-rootkit, anti-whatever softwares and they didn't find anything - i also can't find a copy of a boot sector in sector 62 either... so i probably had big luck...
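As an added example (not code from this thread or from any of the tools mentioned in it), here is a small Python script that does offline what the posts above do by hand in WinHex: parse sector 0 as a partition table and check whether sector 62 holds a second copy with the same partition table but different boot code, which is the kind of stashed original MBR the last post went looking for. The 64-sector disk image is constructed inline; reading a real disk would need the raw device and administrator rights and is not shown.

```python
import struct

SECTOR = 512

def parse_mbr(sec: bytes) -> dict:
    """Split one 512-byte sector into MBR fields: boot code, partition entries, signature."""
    if len(sec) != SECTOR:
        raise ValueError("need exactly one 512-byte sector")
    entries = []
    for i in range(4):
        # entry layout: status, CHS start (3), type, CHS end (3), LBA start, sector count
        status, ptype, lba, count = struct.unpack_from("<B3xB3xII", sec, 446 + 16 * i)
        if ptype:  # partition type 0 marks an empty slot
            entries.append({"active": status == 0x80, "type": ptype, "lba": lba, "count": count})
    return {"code": sec[:446], "table": sec[446:510], "entries": entries,
            "signature_ok": sec[510:512] == b"\x55\xaa"}

def looks_like_mbr(sec: bytes) -> bool:
    """Plausibility test: 55AA signature plus at least one non-empty partition entry."""
    m = parse_mbr(sec)
    return m["signature_ok"] and any(e["lba"] > 0 and e["count"] > 0 for e in m["entries"])

def check_disk(image: bytes, stash_sectors=(62,)) -> dict:
    """Check that sector 0 parses as an MBR, then look in the given sectors (sector 62 by
    default, as discussed in the thread) for a copy sharing its table but not its code."""
    mbr = parse_mbr(image[:SECTOR])
    report = {"sector0_plausible": looks_like_mbr(image[:SECTOR]), "stashed_copies": []}
    for n in stash_sectors:
        sec = image[n * SECTOR:(n + 1) * SECTOR]
        if len(sec) == SECTOR and looks_like_mbr(sec):
            other = parse_mbr(sec)
            if other["table"] == mbr["table"] and other["code"] != mbr["code"]:
                report["stashed_copies"].append(n)
    return report

def build_sector(code: bytes, table: bytes) -> bytes:
    """Assemble a sector from up to 446 bytes of boot code, a 64-byte table and the signature."""
    return code.ljust(446, b"\x00")[:446] + table + b"\x55\xaa"

# Constructed sample data (not from any real disk): one type-0x07 partition starting at LBA 63.
TABLE = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07, b"\xfe\xff\xff", 63, 1000000) + bytes(48)
ORIGINAL_CODE = b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"original boot code"
REPLACED_CODE = b"\xfa\x33\xc0" + b"replaced boot code"

def constructed_image(infected: bool) -> bytes:
    """64-sector image; the infected variant has new code in sector 0 and the original at sector 62."""
    img = bytearray(64 * SECTOR)
    img[0:SECTOR] = build_sector(REPLACED_CODE if infected else ORIGINAL_CODE, TABLE)
    if infected:
        img[62 * SECTOR:63 * SECTOR] = build_sector(ORIGINAL_CODE, TABLE)
    return bytes(img)
```

`check_disk(constructed_image(True))` reports sector 62 as a stashed copy while the clean image reports none; a real check would pass the first 64 sectors read from the physical drive instead.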