Hard Light Productions Forums
Site Management => Site Support / Feedback => Topic started by: Nohiki on October 28, 2012, 06:21:33 am
-
Infection Details
URL: http://hard-light.net/manager/media/script/scriptaculous/scriptaculous.js|{gzip}
Process: C:\Program Files (x86)\Opera\opera.exe
Infection: JS:Blacole-CX [Expl]
Avast spat this out on me when I accessed the main site, dunno how big a threat that is (if any), but it felt worth mentioning.
-
You're not the only one who's getting it. It's also showing up in this file here:
http://www.hard-light.net/manager/media/script/scriptaculous/prototype.js
It's the same exploit package. The Blacole-CX pack is an exploit package for loading malware onto machines that visit a compromised site. More details here, along with a list of programs it attacks: http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=JS/Blacole
-
Norton popped up with a similar message
-
I got the exact same alert as Nohiki.
-
I just downloaded the official Scriptaculous 1.6.4 and that file that is on HLP has a blob of text appended to the end that does not exist in the official release.
-
Test doing a reload (clear cache or CTRL+F5) and tell me if anything breaks.
-
The site still appears to work.
-
Does the manager directory belong to EE or MODx? If EE, smells like security updates were neglected. If MODx, same as before plus what the **** does MODx STILL exist for? There should have been ample time to move everything needed over to EE and remove MODx entirely.
You should run a search to see what files have been modified in a given time frame to see if any other files have been created or modified, even outside manager dir.
:sigh:
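One way to do the two checks raised in this thread (a modification-time sweep across the whole web root, and comparing a served library file against the official release to spot an appended blob, as was done for scriptaculous.js) as a small POSIX shell audit. This is an added example, not anything the HLP admins posted; the directory layout, the BLOB marker and the sample files are constructed for the demo.

```shell
#!/bin/sh
# Added example (constructed, not from the thread): audit a web root for
# files modified recently and for shipped library files with a blob appended.

# Constructed stand-in for the appended text; stays harmless on purpose.
BLOB='/* constructed placeholder blob */'

# List regular files under $1 modified within the last $2 days (whole tree,
# not just the manager directory).
find_recent_changes() {
  find "$1" -type f -mtime -"$2" | sort
}

# Compare a served file ($1) against a pristine copy from the official
# release ($2). Prints: identical | appended <bytes> | modified | missing.
classify_file() {
  served=$1; pristine=$2
  [ -f "$served" ] || { echo missing; return 0; }
  if cmp -s "$served" "$pristine"; then echo identical; return 0; fi
  psize=$(($(wc -c < "$pristine")))
  ssize=$(($(wc -c < "$served")))
  # "appended" = served file starts with the pristine bytes and is longer.
  if [ "$ssize" -gt "$psize" ] && head -c "$psize" "$served" | cmp -s - "$pristine"; then
    echo "appended $((ssize - psize))"
  else
    echo modified
  fi
}

# Build a constructed sample tree: one tampered (appended) file, one file
# edited in place, and one untouched file with an old mtime. Echoes the root.
build_sample_tree() {
  root=$(mktemp -d)
  mkdir -p "$root/pristine" "$root/site/manager/media/script" "$root/site/forums"
  printf 'var Scriptaculous={version:"1.6.4"};\n' > "$root/pristine/scriptaculous.js"
  printf 'var Prototype={Version:"1.5.0"};\n' > "$root/pristine/prototype.js"
  cp "$root/pristine/scriptaculous.js" "$root/site/manager/media/script/"
  printf '%s' "$BLOB" >> "$root/site/manager/media/script/scriptaculous.js"
  printf 'var Prototype={Version:"1.5.1"};\n' > "$root/site/manager/media/script/prototype.js"
  printf 'old content\n' > "$root/site/forums/index.php"
  touch -t 201201010000 "$root/site/forums/index.php" "$root/site/manager/media/script/prototype.js"
  echo "$root"
}

root=$(build_sample_tree)
echo "Files under $root/site modified in the last 7 days:"
find_recent_changes "$root/site" 7
for f in scriptaculous.js prototype.js; do
  echo "$f: $(classify_file "$root/site/manager/media/script/$f" "$root/pristine/$f")"
done
rm -rf "$root"
```

On a real install, point the first argument at the web root and the pristine directory at an unpacked copy of the exact library versions the site ships.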
-
We may have a more serious problem than just the malicious code we found. When I went to HLP this morning, I got a nice, big alert page that said HLP had been blacklisted as an attack site. We were flagged by https://www.stopbadware.org/home/index, which works closely with the Mozilla group. Given the likely fact that a lot of people who visit the site probably use Firefox, it means a large number of people are seeing it and getting scared away. That can't be good for publicity. You may want to consider a PSA on the homepage to explain to people what's going on and provide updates on what's being done. In the meantime, you may want to contact StopBadware and inform them that the site was hacked by a 3rd party.
-
Google Chrome visitors are having the exact same issue.
-
Specifically, http://safebrowsing.clients.google.com/safebrowsing/diagnostic?site=http%3A%2F%2Fwww.hard-light.net%2Fforums%2Findex.php%3Ftopic%3D82809.new%23new&client=googlechrome&hl=en-GB
It seems HLP has not served any malware, but is hanging out with those that are....
-
Yup, Firefox is also displaying a warning message, this site is dangerous....
-
Scary.
-
Google Chrome visitors are having the exact same issue.
I'm also getting a Google Chrome warning. And the new UI is hideous. What's happening to this site?
-
My Pale Moon and Firefox, as well as Avira, say the same. :-O
Peter
-
Just letting you know, Chrome has now gone beyond a basic warning to pretty much telling you you WILL be infected if you continue and attempts to not let you into the site. There's an option on the page to open advanced options and continue anyways, but they REALLY don't want people to come here.
-
Just letting you know, Chrome has now gone beyond a basic warning to pretty much telling you you WILL be infected if you continue and attempts to not let you into the site. There's an option on the page to open advanced options and continue anyways, but they REALLY don't want people to come here.
Yes, I can confirm. Damn hacker noobs...
-
Just so it's here and present, here's what Google found on here today. This is different from what was coming up earlier today. Actually kind of unpleasant, seeing it:
Malicious software includes 2 trojan(s), 2 exploit(s). Successful infection resulted in an average of 7 new process(es) on the target machine.
Malicious software is hosted on 3 domain(s), including bbwitnia.mynumber.org/, tngvjzg.almostmy.com/, mp3soft.pro/.
1 domain(s) appear to be functioning as intermediaries for distributing malware to visitors of this site, including mp3soft.pro/.
-
Whatever exploits are active on HLP are pulling malware from those servers. It's probably worth it for the admins to file an abuse report with Google about those links. It'll help keep the exploits from being distributed through HLP, plus any other sites they may be supplying.
What I'm worrying about though is that any exploits that get forwarded to other sites through us will look like we're attacking them. If their admins file abuse reports against us, then it could result in HLP losing its hosting.
This is a question for the site admins. How many people are going through the code and logs looking for signs of tampering? If you guys need help, I do have some security knowledge beyond firewalls and AV programs. If you want help, let me know.
-
This is a question for the site admins. How many people are going through the code and logs looking for signs of tampering? If you guys need help, I do have some security knowledge beyond firewalls and AV programs. If you want help, let me know.
At least three of us. :P
Zacam and I spent most of our evening after work cleaning up the main forum install by putting in place a fresh copy of the latest version, reusing only the DB data. The custom additions were put back into place by hand as well, so no scripts from the old install were used.
Sandwich has also been working on getting the stop malware warnings removed and fixing up the CSS for the menus and such, as well as tracking down any lingering smelly stuff that may have been missed.
-
Does the manager directory belong to EE or MODx? If EE, smells like security updates were neglected. If MODx, same as before plus what the **** does MODx STILL exist for? There should have been ample time to move everything needed over to EE and remove MODx entirely.
Manager belongs to MODx. MODx still being around is probably my fault... :(
-
Well, we've kind of been bugging you about that for years now. :p
-
Yes, indeed. It's gone now, although if there's any databases for it, they can/should be deleted as well.