pouët.net

Go to bottom

POUET.NET is hacked / infected with a javascript worm

category: general [glöplog]
so only Virgil was infected till now? Not too effective methods for organized criminals.
added on the 2008-02-03 16:49:42 by the_Ye-Ti the_Ye-Ti
BB Image
added on the 2008-02-03 16:59:01 by Zest Zest
using "forever" while holding en_us flag down = fail, right?
hey ryg

Quote:
first and most important, you are only in danger if the "buy anti spyware software" window/pop-under ad appeared while/after visiting pouet, pain, demoparty.net, breakpoint.untergrund.net or any of the other 4 infected untergrund.net-hosted sites (virgill, litwin, dva, cycor). if that didn't appear, there's no reason to assume anything bad happened and you can officially relax now. furthermore, the injected javascript code appeared around friday evening, and definitely stopped working sometime before saturday 14:00 MET (part of the code comes from a site that now produces a 404 for some reason). it has since been removed from all affected sites and the ftp passwords have been changed (at least for the bigger scene sites). so if you didn't access any of the sites mentioned during that timeframe, you're definitely safe too.


thanks for posting this information. i have not been online all the weekend, so i was kinda thrown into the cold water by this. i think the only ones that know the pain ftp password is me, ps and probably fred. if it leaked, this means that i (or one of the mentioned) have some kind of rootkit/trojan somewhere on our system? av doesn't show anything, and also catchme.exe doesn't give any warnings.. so what did actually happen? how could they access the pain ftp space? i'd be happy for some enlightening information/ideas/words since i don't really feel like diving too deep into all of this :-)
added on the 2008-02-03 20:59:30 by unlock unlock
only malware i found on my machine was a vundosomething, has been cleaned out.
gonna get new passwords for pouet and pain staff regardless.
added on the 2008-02-03 22:02:09 by psenough psenough
unlock: Yes, it means that one of the ones who know the pain ftp password is infected (or has used an infected pc to login to the ftp server).

Until now none of the ones infected has been able to actually find the rootkit AFAIK.
added on the 2008-02-03 22:12:29 by scamp scamp
ps: cant we just get rid of the FTP acc for pouet? the people who keep poking it now (= you and me) already have SFTP...
added on the 2008-02-03 22:22:05 by Gargaj Gargaj
unlock, use gmer. (http://www.gmer.net/)

It's able to detect that new stealthy mbr rootkit
added on the 2008-02-03 22:36:27 by _-_-__ _-_-__
In case the "e.pepato.org"-redirection has any relation to these latest events, I experienced such a redirection at January 16. during a random visit to pouet.net using Firefox 2.0.0.11 (or whatever newest 2.x version at the time) on WinXP SP2.

Quote:
From #tbc.UnderNet.20080116.log:
<...>
[12:46:01] <px^> hvorfor blev jeg nu smidt på http://e.pepato.org/e/e1004.html, da jeg gik på pouet - det virker ikke synderligt sundt
<...>


I seem to recall the redirection took place almost immediatly after clicking my pouet.net-link, can't remember what (if anything at all) was at the page. Time is local Danish time (CET) and should be accurate.
added on the 2008-02-04 01:52:41 by px px
Quote:
ps: cant we just get rid of the FTP acc for pouet? the people who keep poking it now (= you and me) already have SFTP...
Does it even matter how you connect? I thought it was a keylogger..?
added on the 2008-02-04 08:06:21 by gloom gloom
scamp, ps, truck: thanks! i think i'll try gmer on my work pc and on the virtual windows installation on my mac, too then. on my main pc, i was not able to find _anything_ at all (except the usual daemon tools, firefox talkbalk and whatever else there was). and yes, i'd be happy if we could change the ftp-password for the pain site (someone from the staff send it to my private address, please :-))
added on the 2008-02-04 08:18:53 by unlock unlock
Quote:
i'd be happy if we could change the ftp-password for the pain site (someone from the staff send it to my private address, please :-))
Or perhaps you should refrain from using it for a little while.. ;)
added on the 2008-02-04 09:29:34 by gloom gloom
that would not help if they (the hackers) already got the password, would it? didn't plan any updates to the site anyway, the next days :-)
added on the 2008-02-04 09:38:48 by unlock unlock
Everyone who suspects that he has a rootkit should probably also try GMER and CatchIt using the Ultime Boot CD for Windows since a rootkit would still be able to hide the bad boot sector etc...
gloom: i dunno, but if i'd have to make a guess, i'd say it was monitoring FTP traffic (which is easier to do since the pwd is sent in plaintext)
added on the 2008-02-04 15:12:54 by Gargaj Gargaj
oh boy. this does not look so nice:

My main machine:
BB Image

But this on two other machines:
BB Image

So there's a little difference in the first few sectors. Additionally, The last cylinder of my main machine's hard disk ends with something that looks like the pictures above, but the boot failure messages are in English which is quite strange...
i have this damn rootkit as well, and even after fixmbr it get detected again by gmer. i have no idea what to do, and really really hope there's a way around it without formatting everything, because i simply don't have time to set up a new system right now. any ideas?
added on the 2008-02-04 16:51:27 by dipswitch dipswitch
just do be sure... would you be so kind and download WinHex, open your primary hard disk with it (F9 -> physical media -> hd0) and look at the first few sectors if they look similar? :)
Here's mine:

BB Image
added on the 2008-02-04 17:22:01 by ATH500 ATH500
Looks like a partition table to me.
added on the 2008-02-04 18:14:11 by 216 216
what files etc. does gmer show for the trojan btw? I think that would be helpful to know. Mine just shows a load of stuff that i'm fairly sure is supposed to be there, but it's hard to tell :)
added on the 2008-02-04 18:16:55 by psonice psonice
Rootkit revealers often make people more paranoid than they are worth.

If you didn't get the anti-spyware pop up then you are fine

added on the 2008-02-04 18:24:21 by Gmitts Gmitts
psionice: if it tells you that the mbr is infected, then it's mebroot, otherwise it isn't.
added on the 2008-02-04 18:28:25 by ryg ryg
ryg: thanks. I saw no mention of the mbr, or any way to check, so i thought it must show up somewhere else.

Gmitts: and what if the anti-spyware pop-up was just a social engineering trick used as a last resort if it failed to find any security holes? That's how these things can and do work. I use this box for sensitive stuff at times, so I can't take risks.
added on the 2008-02-04 18:32:45 by psonice psonice
now i used several anti-spyware, anti-rootkit, anti-whatever softwares and they didn't find anything - i also can't find a copy of a boot sector in sector 62 either... so i probably had big luck...

login

Go to top