Author Topic: Avast reporting exploit on HLP  (Read 6558 times)


Offline Nohiki

  • 28
  • Graf von Kaffeetrinken
Avast reporting exploit on HLP
Code:
  Infection Details
  URL: http://hard-light.net/manager/media/script/scriptaculous/scriptaculous.js|{gzip}
  Process: C:\Program Files (x86)\Opera\opera.exe
  Infection: JS:Blacole-CX [Expl]

Avast spat this out on me when I accessed the main site. Dunno how big a threat that is (if any), but it felt worth mentioning.
:::ALSO PROUD VASUDAN RIGHTS SUPPORTER:::

 

Offline Tyrian

  • 29
  • Dangerous When Thinking
Re: Avast reporting exploit on HLP
You're not the only one who's getting it.  It's also showing up in this file here:

Code:
  http://www.hard-light.net/manager/media/script/scriptaculous/prototype.js
It's the same exploit package.  The Blacole-CX pack is an exploit package for loading malware onto machines that visit a compromised site.  More details here, along with a list of programs it attacks:  http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=JS/Blacole
Want to be famous?  Click here and become a playing card!!!

Bush (Verb) -- To do stupid things with confidence.

This year, both Groundhog Day and the State of the Union Address occurred during the same week.  This is an ironic juxtaposition of events--one involves a meaningless ritual in which we look to a creature of little intelligence for prognostication, while the other involves a groundhog.

Bumper stickers at my college:
"Republicans for Voldemort!"
"Frodo failed.  Bush got the Ring."

Resistance is futile!  (If < 1 ohm...)

"Any nation which sacrifices a little liberty for a little security deserves neither and loses both." -- Benjamin Franklin

Sig rising...

 

Offline Beskargam

  • 27
  • We'z got a nob to lead us boys, wadaful.
Re: Avast reporting exploit on HLP
Norton popped up with a similar message.

 

Offline Mr. Vega

  • Your Node Is Mine
  • 28
  • The ticket to the future is always blank
Re: Avast reporting exploit on HLP
I got the exact same alert as Nohiki.
Words ought to be a little wild, for they are the assaults of thoughts on the unthinking.
-John Maynard Keynes

 

Offline Iss Mneur

  • 210
  • TODO:
Re: Avast reporting exploit on HLP
I just downloaded the official Scriptaculous 1.6.4, and the file that is on HLP has a blob of text appended to the end that does not exist in the official release.
"I love deadlines. I like the whooshing sound they make as they fly by." -Douglas Adams
wxLauncher 0.9.4 public beta (now with no config file editing for FRED) | wxLauncher 2.0 Request for Comments

 

Offline Zacam

  • Magnificent Bastard
  • Administrator
  • 211
  • I go Sledge-O-Matic on Spammers
Re: Avast reporting exploit on HLP
Test doing a reload (clear cache or CTRL+F5) and tell me if anything breaks.
Report MediaVP issues, now on the MediaVP Mantis! Read all about it Here!
Talk with the community on Discord
"If you can keep a level head in all this confusion, you just don't understand the situation"


[08/01 16:53:11] <sigtau> EveningTea: I have decided that I am a 32-bit registerkin.  Pronouns are eax, ebx, ecx, edx.
[08/01 16:53:31] <EveningTea> dhauidahh
[08/01 16:53:32] <EveningTea> sak
[08/01 16:53:40] * EveningTea froths at the mouth
[08/01 16:53:40] <sigtau> i broke him, boys

 

Offline Iss Mneur

  • 210
  • TODO:
Re: Avast reporting exploit on HLP
The site still appears to work.

 

Offline Fury

  • The Curmudgeon
  • 213
Re: Avast reporting exploit on HLP
Does the manager directory belong to EE or MODx? If EE, smells like security updates were neglected. If MODx, same as before plus what the **** does MODx STILL exist for? There should have been ample time to move everything needed over to EE and remove MODx entirely.

You should run a search to see what files have been modified in a given time frame, to see if any other files have been created or modified, even outside the manager dir.

:sigh:
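As an added example (not code from the thread, from HLP's admins or from any of the posters), the two checks Iss Mneur and Fury describe in POSIX shell: compare a served asset with the pristine copy from the upstream release and print anything appended to it, then list every file under the web root modified after a baseline time. The web root, file names and the appended blob are constructed for the demo and are not HLP's real layout.

```shell
#!/bin/sh
# Added example, not from the thread: two post-incident checks a site operator
# would run. check_asset compares a served file with the pristine upstream copy
# and, when bytes were simply appended (the pattern Iss Mneur found), prints the
# appended tail. recent_changes lists files modified after a reference time
# (Fury's suggestion). All paths and contents are constructed for the demo.
set -eu

# check_asset PRISTINE DEPLOYED
# First output line is the verdict: CLEAN, "APPENDED <bytes>" or MODIFIED.
check_asset() {
    pristine=$1 deployed=$2
    if cmp -s "$pristine" "$deployed"; then
        echo CLEAN; return 0
    fi
    plen=$(wc -c < "$pristine")
    dlen=$(wc -c < "$deployed")
    # Same leading bytes plus a longer tail: the "blob appended to the end" case.
    if [ "$dlen" -gt "$plen" ] && head -c "$plen" "$deployed" | cmp -s - "$pristine"; then
        echo "APPENDED $((dlen - plen))"
        tail -c +$((plen + 1)) "$deployed"
    else
        echo MODIFIED
    fi
}

# recent_changes WEBROOT REFFILE
# Regular files under WEBROOT whose mtime is newer than REFFILE (POSIX find -newer).
recent_changes() {
    find "$1" -type f -newer "$2" | sort
}

# setup_demo: throwaway web root with an upstream library, a deployed copy that
# has a blob appended, and an untouched old image. Prints the root path.
setup_demo() {
    root=$(mktemp -d)
    mkdir -p "$root/upstream" "$root/site/js" "$root/site/img"
    printf 'var Scriptaculous={version:"1.6.4"};\n' > "$root/upstream/lib.js"
    cp "$root/upstream/lib.js" "$root/site/js/lib.js"
    printf '/*appended blob*/foo();\n' >> "$root/site/js/lib.js"
    # Everything stamped at or before the baseline counts as known-good.
    touch -t 202001010000 "$root/upstream/lib.js" "$root/site/img/logo.png" "$root/baseline"
    echo "$root"
}

demo=$(setup_demo)
check_asset "$demo/upstream/lib.js" "$demo/site/js/lib.js"
recent_changes "$demo/site" "$demo/baseline"
rm -rf "$demo"
```

On a real install the baseline file would be one with a trustworthy mtime, such as the last known-good deployment marker, and the upstream copy a fresh download of the same library version.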

 

Offline Tyrian

  • 29
  • Dangerous When Thinking
Re: Avast reporting exploit on HLP
We may have a more serious problem than just the malicious code we found.  When I went to HLP this morning, I got a nice, big alert page that said HLP had been blacklisted as an attack site.  We were flagged by https://www.stopbadware.org/home/index, which works closely with the Mozilla group.  Given the likely fact that a lot of people who visit the site probably use Firefox, it means a large number of people are seeing it and getting scared away.  That can't be good for publicity.  You may want to consider a PSA on the homepage to explain to people what's going on and provide updates on what's being done.  In the meantime, you may want to contact StopBadware and inform them that the site was hacked by a 3rd party.

 

Offline Luis Dias

  • 211
Re: Avast reporting exploit on HLP
Google Chrome visitors are having the exact same issue.

 

Offline Iss Mneur

  • 210
  • TODO:

 

Offline Starman01

  • 213
  • Mechwarrior
Re: Avast reporting exploit on HLP
Yup, Firefox is also displaying a warning message, this site is dangerous....
MECHCOMMANDER OMNITECH

9 out of 10 voices in my head always tell me that I'm not insane. The 10th is only humming the melody of TETRIS.

 

Offline yuezhi

  • no u
  • 29
  • ¿¡you dare defy the commodore‽
Re: Avast reporting exploit on HLP
scary.
ϟIn Neo-Terra we Trustϟ
ϟGreat Tin Can Run (Download
☭Gods and Conquerors  - mission design, tech descriptions, sounds; currently 5% Book of Invasions(reserved)☭


 

Offline Dragon

  • Citation needed
  • 212
  • The sky is the limit.
Re: Avast reporting exploit on HLP
> Google Chrome visitors are having the exact same issue.
I'm also getting a Google Chrome warning. And the new UI is hideous. What's happening to this site?

 

Offline PeterX

  • 27
Re: Avast reporting exploit on HLP
My Pale Moon and Firefox, as well as Avira, say the same. :-O
Peter
If i can´t model any ship then i use "flying trains" :-)

 

Offline LHN91

  • 27
Re: Avast reporting exploit on HLP
Just letting you know, Chrome has now gone beyond a basic warning to pretty much telling you you WILL be infected if you continue and attempts to not let you into the site. There's an option on the page to open advanced options and continue anyways, but they REALLY don't want people to come here.

 

Offline Crybertrance

  • 29
  • Conventional warheads only, no funny business
Re: Avast reporting exploit on HLP
> Just letting you know, Chrome has now gone beyond a basic warning to pretty much telling you you WILL be infected if you continue and attempts to not let you into the site. There's an option on the page to open advanced options and continue anyways, but they REALLY don't want people to come here.

Yes, I can confirm. Damn hacker noobs...
<21:08:30>   Hartzaden fires a slammer at Cybertrance
<21:09:13>   Crybertrance pops flares, but wonders how Hartzaden acquired aspect lock on a stealth fighter... :\
<21:11:58>   *** The_E joined #bp [email protected]
21:11:58   +++ ChanServ has given op to The_E
<21:12:58>   Hartzaden continues to paint crybertrance and feeding the info to a wing of gunships
<21:14:07>   Crybertrance sends emergency "IM GETING MY ASS KICKED HERE!!!!eleventy NEED HELPZZZZ" to 3rd fleet command
<21:14:50>   Hartzaden jamms the transmission.
<21:14:51>   The_E explodes the sun

 

Offline LHN91

  • 27
Re: Avast reporting exploit on HLP
Just so it's here and present, here's what Google found on here today. This is different from what was coming up earlier today. Actually kind of unpleasant, seeing it:

Malicious software includes 2 trojan(s), 2 exploit(s). Successful infection resulted in an average of 7 new process(es) on the target machine.

Malicious software is hosted on 3 domain(s), including bbwitnia.mynumber.org/, tngvjzg.almostmy.com/, mp3soft.pro/.

1 domain(s) appear to be functioning as intermediaries for distributing malware to visitors of this site, including mp3soft.pro/.

 

Offline Tyrian

  • 29
  • Dangerous When Thinking
Re: Avast reporting exploit on HLP
Whatever exploits are active on HLP are pulling malware from those servers.  It's probably worth it for the admins to file an abuse report with Google about those links.  It'll help keep the exploits from being distributed through HLP, plus any other sites they may be supplying.

What I'm worrying about though is that any exploits that get forwarded to other sites through us will look like we're attacking them.  If their admins file abuse reports against us, then it could result in HLP losing its hosting.

This is a question for the site admins.  How many people are going through the code and logs looking for signs of tampering?  If you guys need help, I do have some security knowledge beyond firewalls and AV programs.  If you want help, let me know.

  

Offline rev_posix

  • Administrator
  • 213
  • I have the password to your shell account...
Re: Avast reporting exploit on HLP
> This is a question for the site admins.  How many people are going through the code and logs looking for signs of tampering?  If you guys need help, I do have some security knowledge beyond firewalls and AV programs.  If you want help, let me know.
At least three of us. :P

Zacam and myself spent most of our evening after work cleaning up the main forum install by putting in place a fresh copy of the latest version, reusing only the DB data.  The custom additions were put back into place by hand as well so no scripts from the old install were used.

Sandwich has also been working on getting the stop malware warnings removed and fixing up the CSS for the menus and such, as well as tracking down any lingering smelly stuff that may have been missed.
--
POSIX is fine, as is Rev or RP

"Although generally it is considered a no no to disagree with a mod since it's pretty much equivalent to kicking an unpaid janitor in the nuts while he's busy cleaning up somebody elses vomit and then telling them how bad they are at cleaning it up cause you can smell it down the hall." - Dennis, Home Improvement Moderator @ DSL Reports

"wow, some people are thick and clearly can't think for themselves - the solution is to remove warning labels from poisons."