Amiga.org

Amiga computer related discussion => General chat about Amiga topics => Topic started by: desiv on May 11, 2012, 04:51:22 AM

Title: Is Aminet OK/infected?
Post by: desiv on May 11, 2012, 04:51:22 AM
I couldn't download anything from there from my Amiga using either iBrowse or AWeb.

I poked my laptop at it, and Avast AV said it stopped a bad program....
I couldn't download from there either.
(Every thing I tried to DL actually downloads a script that's encoded, that sounds bad...)

(Note: don't go running there if you have Windows just to see if it's safe!  :-)

desiv
Title: Re: Is Aminet OK/infected?
Post by: Gulliver on May 11, 2012, 04:55:57 AM
I also get a similar virus alert with NOD32 :(
Title: Re: Is Aminet OK/infected?
Post by: darkage on May 11, 2012, 04:58:23 AM
I got similar too for Symantec.. Probably a real threat since other Virus Scanners are picking it up..
Title: Re: Is Aminet OK/infected?
Post by: LoadWB on May 11, 2012, 05:19:50 AM
AVG: Script/Exploit.Kit

:(
Title: Re: Is Aminet OK/infected?
Post by: Paulie85 on May 11, 2012, 05:20:03 AM
Slightly off topic but Norton 360 always shreds Hollywood on my PC before I can use it.
Title: Re: Is Aminet OK/infected?
Post by: Duce on May 11, 2012, 05:58:47 AM
Same thing here - main page flags Eset NOD32/Eset Smart Security the minute I visit the main Aminet page.
Title: Re: Is Aminet OK/infected?
Post by: Piru on May 11, 2012, 06:01:58 AM
Yes, Aminet is infected. It attempts drive-by attacks against Windows systems via a Java vulnerability, at least. It likely attempts to use several attack vectors depending on the target's system: Java, Flash, PDF, and vulnerabilities in the browsers themselves.

Here's how you can see the initial JavaScript payload regardless of the platform:

Code:
curl --user-agent 'Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)' http://aminet.net/util/arc/lha.run | less
Modifying e(s) at the end of the code to document.write(s), we can see the actual payload decoded. It opens an iframe with URL "http://.ibiz.cc/?go=2" that'll perform the actual drive-by attack:
(http://sintonen.fi/pics/aminet-malware.png)
Title: Re: Is Aminet OK/infected?
Post by: Lurch on May 11, 2012, 10:56:48 AM
aminet is toast, explains why grunch is dying :(
Title: Re: Is Aminet OK/infected?
Post by: Robert17 on May 11, 2012, 11:05:48 AM
I hope it can be sorted out, Where would we be without Aminet? :-(
Title: Re: Is Aminet OK/infected?
Post by: carls on May 11, 2012, 12:07:14 PM
Quote from: Robert17;692720
I hope it can be sorted out, Where would we be without Aminet? :-(

Don't fear, you don't need the web for everything... yet.

Code:
ncftp> open ftp.aminet.net
Connecting to 69.163.220.116...
ProFTPD 1.3.3a Server (My FTP server) [::ffff:69.163.220.116]
Logging in...
Anonymous access granted, restrictions apply
Logged in to ftp.aminet.net.
ncftp / > ls
biz/                      gfx/                      pix/
comm/                     INDEX                     pub/
demo/                     INDEX.gz                  README.BEFORE.UPLOAD
dev/                      info/                     RECENT
disk/                     man                       RECENT.gz
docs/                     misc/                     robots.txt
driver/                   mods/                     text/
favicon.gif               MOTD                      touch
favicon.ico               mus/                      TREE
game/                     new/                      util/
ncftp / >
Title: Re: Is Aminet OK/infected?
Post by: Piru on May 11, 2012, 12:33:07 PM
Quote from: carls;692725
Don't fear, you don't need the web for everything... yet.

Unfortunately you cannot trust anything coming from aminet at this stage. The FTP could be distributing malware as well, though luckily windows binaries are in the minority...
Title: Re: Is Aminet OK/infected?
Post by: cgutjahr on May 11, 2012, 01:23:33 PM
Thanks for pointing out the problem. Unfortunately, I'm on my way out, and I won't be back in civilisation until Sunday. I alarmed the server admin (nicomen), I hope he sees my mail asap and has the time to investigate and fix the problem.
Title: Re: Is Aminet OK/infected?
Post by: number6 on May 11, 2012, 01:51:35 PM
Quote from: cgutjahr;692730
Thanks for pointing out the problem. Unfortunately, I'm on my way out, and I won't be back in civilisation until Sunday. I alarmed the server admin (nicomen), I hope he sees my mail asap and has the time to investigate and fix the problem.

From your post March 30, 2012 on AW, I notice:

Quote
our hoster decided to make some changes for the sake of security

Perhaps a connection?

#6
Title: Re: Is Aminet OK/infected?
Post by: Gulliver on May 11, 2012, 02:49:28 PM
It is fixed now.
Aminet seems clean and working :)
Title: Re: Is Aminet OK/infected?
Post by: Piru on May 11, 2012, 03:04:47 PM
I'd like to hear an explanation for this however. Unless if the method of original penetration can be figured out and blocked it could happen again and again (as has happened with certain other amiga related sites). Also, it seems that the domain name used to distribute the malware expired (or was changed deliberately).

Some official word from aminet would be in order I'd say.
Title: Re: Is Aminet OK/infected?
Post by: carls on May 11, 2012, 03:37:11 PM
Quote from: Piru;692729
Unfortunately you cannot trust anything coming from aminet at this stage. The FTP could be distributing malware as well, though luckily windows binaries are in the minority...

Correct. I should've considered Windows and Emulator users before posting. My bad.
Title: Re: Is Aminet OK/infected?
Post by: desiv on May 11, 2012, 03:37:28 PM
As a side, I also ran a "full scan" on my machine to be safe.  It found 1 instance of the file on my hard disk (not running, but waiting to be called I'm sure) and recommended a "boot scan" which I did.

The boot scan found a few more waiting to be called..

If  you went there with a Windows machine, even tho your AV caught it, I'd recommend a full scan.
I'll use another product's scan after this to be sure...

desiv
(Didn't I say NOT to go there if you have Windows?  It's bad enough I did..  And it's bad because I've seen encoded javascript "bad programs" before.  Not enough to recognize them, but enough to know there probably shouldn't have been one on Aminet..)
Title: Re: Is Aminet OK/infected?
Post by: Hitek on May 11, 2012, 06:19:49 PM
Now it appears that Amibay.com has been hit, but the code injection was done poorly, so the whole site is broken and just throws a PHP cookie/session error.
Title: Re: Is Aminet OK/infected?
Post by: desiv on May 11, 2012, 06:25:32 PM
Quote from: Hitek;692763
Now it appears that Amibay.com has been hit, but the code injection was done poorly, so the whole site is broken and just throws a PHP cookie/session error.

I can still get to Amibay, although there were people there saying they were getting virus alerts..
I'm using Linux at the moment..  :razz:
(No, I'm not saying there are no Linux baddies out there...)

Yeah, several people on Amibay are having problems with the main page if they are using Windows (not sure which versions), but several others using Linux aren't having issues..

desiv
Title: Re: Is Aminet OK/infected?
Post by: Hitek on May 11, 2012, 06:33:05 PM
Interesting, I can get to it on my ubuntu box too, but not on my win7 box. I wonder if there is some OS detection going on there.
Title: Re: Is Aminet OK/infected?
Post by: zipper on May 11, 2012, 06:33:35 PM
hxxp://ldsysgcaix.igg.biz/d/404.php?go=1 seems same type as the Aminet one.
Title: Re: Is Aminet OK/infected?
Post by: Hitek on May 11, 2012, 06:50:16 PM
Quote from: zipper;692767
hxxp://XXXXXXXX.igg.biz/d/404.php?go=1 seems same type as the Aminet one.

Yeah, that's what I was saying. Same type of injection attack used on Aminet. Probably not a coincidence. The code seems to change as well. I got one earlier for XXXXXXXX.usa.cc/site/main.php?
Title: Re: Is Aminet OK/infected?
Post by: paul1981 on May 11, 2012, 07:47:26 PM
Quote from: Hitek;692763
Now it appears that Amibay.com has been hit, but the code injection was done poorly, so the whole site is broken and just throws a PHP cookie/session error.

DON'T GO THERE!!!
I just went there on my XP machine and that lovely java icon popped up on the toolbar and my hard drive started grinding away.... I PULLED THE PLUG!

STAY WELL AWAY!!
Title: Re: Is Aminet OK/infected?
Post by: Snoozy on May 11, 2012, 08:14:49 PM
What's happened to Amibay? My PC won't let me go there (Firefox).

How did they catch the virus from Aminet? Surely they must have had some form of protection?
Title: Re: Is Aminet OK/infected?
Post by: rockape on May 11, 2012, 08:32:27 PM
Hi,

I tried logging into Amibay using an A1200 and got:

"Unable to add cookies, header already sent.
File: /homepages/1/d277227762/htdocs/amibay/forum/index.php(1) : eval()'d code
Line: 7"

Regards, Michael

aka rockape
Title: Re: Is Aminet OK/infected?
Post by: desiv on May 11, 2012, 08:46:10 PM
Quote from: Snoozy;692778
..surely they must have had some form of protection?

Haven't you had that discussion yet, where you learned that no protection is 100% effective??  :laugh1:

desiv
Title: Re: Is Aminet OK/infected?
Post by: Snoozy on May 11, 2012, 08:51:03 PM
Quote from: desiv;692780
Haven't you had that discussion yet, where you learned that no protection is 100% effective??  :laugh1:

desiv

Errrr, what do you mean? I thought the stork brought children once they were born :laugh1:

I dare not go to amibay at the moment - when did they get infected?
Title: Re: Is Aminet OK/infected?
Post by: TenWheeler on May 11, 2012, 09:44:38 PM
Aminet is now clean.  But Amibay is now infected.
Title: Re: Is Aminet OK/infected?
Post by: Hitek on May 11, 2012, 10:11:28 PM
Quote from: paul1981;692774
DON'T GO THERE!!!
I just went there on my XP machine and that lovely java icon popped up on the toolbar and my hard drive started grinding away.... I PULLED THE PLUG!

STAY WELL AWAY!!

Do you not have virus protection? Any modern virus package should protect against that.

Quote from: Snoozy;692778
What's happened to Amibay? My PC won't let me go there (Firefox).

How did they catch the virus from Aminet? Surely they must have had some form of protection?

Amibay didn't "catch" the virus from aminet, both sites appear to have been hacked at some level. It could have been somebody sneaking something in via sql injection, or someone gaining root level access to the server, it's hard to tell at this point.

Either way, I'm surprised it hasn't been fixed yet. I'm sure *someone* over there has to know about it.

Keith
Title: Re: Is Aminet OK/infected?
Post by: WotTheFook on May 11, 2012, 10:35:43 PM
We do know about it, I've been researching it all evening.

AmiBay and ClassicAmiga have both been hit with the same script exploit attack that hit Aminet.

It has only been partially effective and the root access, FTP and e-mail have not been compromised. A config file has been corrupted and there is a URL redirect to an ibiz.cc site in place, however, this is only affecting the home page. You should block this ibiz.cc redirect if it comes up on your machine.

If a Java icon appears in your Systray, you should kill it immediately, as this is part of the exploit that is attempting to download malware to your machine.

We hope to have this repaired by tomorrow morning. We backed up the site early this morning and once we have checked the backup config files, we can get the site fully functional again.

In the interim, you can access via any other AmiBay page except the home page. A Google link that isn't the home page will let you access the site, but please ensure that your anti-virus and malware protection is up to date.

WotTheFook aka Merlin
Title: Re: Is Aminet OK/infected?
Post by: Piru on May 11, 2012, 11:09:23 PM
Quote from: WotTheFook;692790
We do know about it, I've been researching it all evening.
Did you manage to find out what the initial exploitation vector was? That's the most important thing to figure out. If the hole isn't fixed properly you might just get pwned again.

The timing of these issues makes me think of the recent PHP-CGI remote command injection vuln:
http://eindbazen.net/2012/05/php-cgi-advisory-cve-2012-1823/
Title: Re: Is Aminet OK/infected?
Post by: LoadWB on May 11, 2012, 11:14:47 PM
Quote from: Piru;692794
Did you manage to find out what the initial exploitation vector was? That's the most important thing to figure out. If the hole isn't fixed properly you might just get pwned again.

The timing of these issues makes me think of the recent mod_cgi PHP command injection vuln:
http://eindbazen.net/2012/05/php-cgi-advisory-cve-2012-1823/

I was discussing this earlier today with a colleague.  Why run PHP as a CGI under *nix rather than a compiled .so or compiled into the httpd?  On Windows I can see it (FastCGI,) but on a *nix machine I just don't see an advantage.
Title: Re: Is Aminet OK/infected?
Post by: Piru on May 11, 2012, 11:19:20 PM
Quote from: LoadWB;692795
I was discussing this earlier today with a colleague.  Why run PHP as a CGI under *nix rather than a compiled .so or compiled into the httpd?  On Windows I can see it (FastCGI,) but on a *nix machine I just don't see an advantage.

Whatever the reasons are, there are likely tens of thousands of hosts around with the vulnerable setup and the vulnerability is exploited actively. I expect to see very active scanning for these in the httpd logs.
Title: Re: Is Aminet OK/infected?
Post by: Duce on May 11, 2012, 11:19:53 PM
This is not something just hitting our little crater of the world, but a widespread problem on the internet as a whole.  The below gives a rough overview of how widespread it is:

http://www.avgthreatlabs.com/webthreats/info/blackhole-exploit-kit

Classic SQL injection.  In this day and age, there's no reason to not be running up to date, modern virus and malware protection, especially on a Windows machine.

Unless you absolutely need Java, uninstall it.
Title: Re: Is Aminet OK/infected?
Post by: Piru on May 11, 2012, 11:35:37 PM
Quote from: Duce;692797
This is not something just hitting our little crater of the world, but a widespread problem on the internet as a whole.  The below gives a rough overview of how widespread it is:

http://www.avgthreatlabs.com/webthreats/info/blackhole-exploit-kit

Classic SQL injection.  In this day and age, there's no reason to not be running up to date, modern virus and malware protection, especially on a Windows machine.

Unless you absolutely need Java, uninstall it.

SQL injection? Really? I'd find that somewhat surprising.
Title: Re: Is Aminet OK/infected?
Post by: Duce on May 11, 2012, 11:46:54 PM
Unsure about the exact terms of what happened to Aminet, but Blackhole is being spread by such methods (SQL, PHP).

http://nakedsecurity.sophos.com/exploring-the-blackhole-exploit-kit/
Title: Re: Is Aminet OK/infected?
Post by: Piru on May 12, 2012, 01:07:26 AM
Quote from: Duce;692802
Unsure about the exact terms of what happened to Aminet, but Blackhole is being spread by such methods (SQL, PHP).

http://nakedsecurity.sophos.com/exploring-the-blackhole-exploit-kit/
Well that article does explain many parts related to the kit itself, like for example that it itself is PHP and that it uses MySQL backend. It also covers many of the client side vulnerabilities it exploits (that list is obviously outdated by now, though).

It however does not mention anything about how the actual sites linking to it are compromised in the first place or if Blackhole has any tools for that.

There are two sides to this:
1) pwning websites / servers and making them link to blackhole instance
2) blackhole exploiting the client vulnerabilities of the unsuspecting browsers of the infected sites and installing malware

Anything in 2 is obvious. But how 1 happens in the first place is the interesting part.
Title: Re: Is Aminet OK/infected?
Post by: WotTheFook on May 12, 2012, 11:20:11 AM
@ Piru

This is from one of our developers on the matter.

"It won't be until at least this afternoon before we can start removing it.

This injection attack seems quite complex compared to most site hijacking automated scripts.

Lots of sites are getting hacked in recent days, and not just vBulletin, but also WordPress, Joomla, and lots of others including popular ecommerce sites.

No one has yet worked out how they are gaining access, but some think it is gaining access from an admin account login. Then uploading a load of files in a buried location on the server by installing bogus plugins on the forum or cms software that then uploads their files.

These files contain a JavaScript based malware payload (not Java), so ensure you have a way to control JavaScript running per site.

In addition the attack injects a line of PHP code at the top of every php file on the site. So when anything accesses an injected/infected script the hash included in the injected code translates into a redirect to the hidden payload files to run the malware, and then redirects to a random domain holding page."

We'll know more when the devs start digging further. I wouldn't say that A.org is immune from this attack either, so the Admins need to back the site up as soon as possible.

It's definitely a PHP code injection script, coupled with a JavaScript to redirect to either a usa.cc or ibiz.cc site (from the behaviour we've seen so far) that attempts to download malware. The origin appears to be Russia, as that is where the redirect is pointing to from a trace on the IP.

FTP and e-mail appear to be unaffected thus far.

WotTheFook aka Merlin
Title: Re: Is Aminet OK/infected?
Post by: WotTheFook on May 12, 2012, 11:26:35 AM
This is what Google Diagnostics had to say about the ibiz.cc site...

"Google Safe Browsing diagnostic page for ibiz.cc
Advisory provided by Safe Browsing

Diagnostic page for ibiz.cc
What is the current listing status for ibiz.cc?
This site is not currently listed as suspicious.
Part of this site was listed for suspicious activity 28 time(s) over the past
90 days.

What happened when Google visited this site?
Of the 164 pages we tested on the site over the past 90 days, 0 page(s)
resulted in malicious software being downloaded and installed without user
consent. The last time Google visited this site was on 2012-05-08, and the last time suspicious content was found on this site was on 2012-04-25.

Malicious software includes 443 trojan(s), 90 scripting exploit(s), 27
exploit(s).

This site was hosted on 9 network(s) including AS43239 (SPETSENERGO), AS53665
(BODIS), AS44050 (PIN).

Has this site acted as an intermediary resulting in further distribution of malware?
Over the past 90 days, ibiz.cc appeared to function as an intermediary for the infection of 37 site(s) including engranes.cl/, urbanlookout.com/,
aloveletterforyou.com/.

Has this site hosted malware?
Yes, this site has hosted malicious software over the past 90 days. It
infected 145 domain(s), including abu-farhan.com/, doncb.com/,
iworkshop.com.hk/.

Next steps:
Return to the previous page.
If you are the owner of this web site, you can request a review of your site using Google Webmaster Tools. More information about the review process is available in Google's Webmaster Help Center.
Updated 2 hours ago© Google - Google Home"
Title: Re: Is Aminet OK/infected?
Post by: WotTheFook on May 12, 2012, 11:31:51 AM
More information (I told you we've been busy...)

This is also to inform the Admins on A.org.

No one has yet worked out how they are gaining access, but some think it is gaining access from an admin account login. Then uploading a load of files in a buried location on the server by installing bogus plugins on the forum or cms software that then uploads their files. This is just speculation at the moment though.

These files contain a JavaScript based malware payload (not Java), so ensure you have a way to control JavaScript running per site.

In addition the attack injects a line of PHP code at the top of every php file on the site. So when anything accesses an injected/infected script the hash included in the injected code translates into a redirect to the hidden payload files to run the malware, and then redirects to a random domain holding page.

AmiBay was backed up in the morning before this attack hit, so we should be in a position to restore the correct files once we have checked them over to ensure that they aren't affected.
Title: Re: Is Aminet OK/infected?
Post by: runequester on May 12, 2012, 01:50:06 PM
are these attacks windows specific or ?
Title: Re: Is Aminet OK/infected?
Post by: zipper on May 12, 2012, 01:54:23 PM
Just a part of a bigger attack going on around.
Title: Re: Is Aminet OK/infected?
Post by: Piru on May 12, 2012, 02:13:17 PM
Quote from: runequester;692914
are these attacks windows specific or ?
Well it depends on what you're asking.

There are two levels at play:

1. Someone is attacking web sites via some vulnerabilities in their software (old vulnerable sw versions, security issues in the actual web sites themselves etc). These are very often running Linux or BSD, but also sometimes Windows. Sometimes the access to the system is gained by stealing the login credentials by attacking a desktop/laptop of the administrator.

2. The successfully breached websites are programmed to distribute malware. The motive in this case is money: the attackers "lease" the hacked sites and distribute tailored malware for whoever is willing to pay. Typically the malware is a rootkit (https://en.wikipedia.org/wiki/Rootkit) that'll man-in-the-browser (https://en.wikipedia.org/wiki/Man-in-the-browser) normal bank transactions to steal money. In most (if not all) cases this malware targets the Windows platform. That's only because most of the potential victims are using Windows. If OS X continues to gain ground it will be targeted as well at some point.

So at different levels the attacks are targeting different platforms.

Recommendations

System administrators

Keep your host operating system up to date with security updates. Keep track of security updates of the actual web application platforms as well, and install new security updates as soon as they arrive (of course using a staging host to verify that everything works fine after installing the upgrade). You can follow the Full Disclosure (http://seclists.org/fulldisclosure/) mailing list to keep track of recent activity on the security front. There are also numerous RSS/Twitter feeds you can follow, but I find those a bit tiresome in the long run. YMMV.

End users

Windows users need to be very careful to maintain security of their systems and installed applications. I can recommend Secunia PSI (https://secunia.com/products/consumer/psi/) to all windows users. This tool will check all installed applications for old versions and (optionally) automagically install the required updates.

OS X users should install the OS security updates as soon as they arrive. For application updates there's AppFresh (http://metaquark.de/appfresh/mac) tool which works somewhat similar to Secunia PSI. It's not as good as PSI, but best I've found for OS X so far.

Linux/BSD users should install security updates weekly.

While OS X / Linux/BSD users might not be targets for the most attacks, that's really no excuse to skip the security updates. Sometimes vulnerabilities in these systems are actually exploited and the feeling of false security the users of these systems might have can lead to some rather nasty surprises (say for example storing tons of confidential material on the systems in belief no-one can possibly breach the system...).
Title: Re: Is Aminet OK/infected?
Post by: WotTheFook on May 12, 2012, 03:28:11 PM
My best guess at present is that it's a variant of this:-

BlackHole Exploit Kit

A type of crimeware Web application developed in Russia to help hackers take advantage of unpatched exploits in order to hack computers via malicious scripts planted on compromised websites. Unsuspecting users visiting these compromised sites would be redirected to a browser vulnerability-exploiting malware portal website in order to distribute banking Trojans or similar malware through the visiting computer.

Blackhole exploit kits are based on PHP and a MySQL backend and incorporate support for exploiting the most widely used and vulnerable security flaws in order to provide hackers with the highest probability of successful exploitation. The kits typically target versions of the Windows operating system and applications installed on Windows platforms.

On March 25, 2012, the Blackhole Exploit Kit 1.2.3 was released, IC3 stated. This kit included the latest critical vulnerability in Java, allowing the bypassing of Java's sandbox environment. Java's sandbox is designed to provide security for downloading and running Java applications, while preventing them access to the hard drive or network. New malware samples appearing in the wild have been highly successful at exploiting this flaw and it is estimated at least 60% of Java users have not yet patched against it.

The first Blackhole exploit kit appeared on the black market in August 2010 as a Web application available for sale on a subscription basis ($1,500 for an annual license). Newer releases and a free version of the Blackhole exploit kit have since appeared on warez download sites. The most well-known Blackhole exploit kit attack targeted the U.S. Postal Service's Rapid Information Bulletin Board System (RIBBS) website in April 2011.
Title: Re: Is Aminet OK/infected?
Post by: Dr.Bongo on May 12, 2012, 05:11:36 PM
Amibay is re-directing to a spam page now :(
Title: Re: Is Aminet OK/infected?
Post by: Piru on May 12, 2012, 05:40:14 PM
Quote from: WotTheFook;692929
My best guess at present is that it's a variant of this:-

BlackHole Exploit Kit
Yes it is. But this has nothing to do with the actual vulnerability that was used to pwn it. This is just the tool they use to infect victims browsing the site. (In my earlier post, this is the step 2. How the step 1 was achieved remains unclear.)

Any attempts to remove the malware links are in vain until the actual root cause for the site exploit has been identified and fixed.
Title: Re: Is Aminet OK/infected?
Post by: WotTheFook on May 12, 2012, 06:02:25 PM
@ Piru

All Admins are currently changing their passwords and checking local machines are clear of infection before we attempt to repair the server.

@ All

If you Google AmiBay and select any link EXCEPT the home page, you should get on. This link should also work.

http://www.amibay.com/search.php?do=getnew
Title: Re: Is Aminet OK/infected?
Post by: Dr.Bongo on May 12, 2012, 06:14:31 PM
@ WotTheFook - Thank you :)
Title: Re: Is Aminet OK/infected?
Post by: Virge on May 12, 2012, 07:30:54 PM
Hi.

Sometimes I can enter Aminet, other times not. Same with Amibay.

Regards
Pedro
Title: Re: Is Aminet OK/infected?
Post by: WotTheFook on May 12, 2012, 07:54:58 PM
Normal service should have been restored on the Amibay home page now.

:)
Title: Re: Is Aminet OK/infected?
Post by: golem on May 12, 2012, 09:33:58 PM
Still getting trojan here
Title: Re: Is Aminet OK/infected?
Post by: WotTheFook on May 12, 2012, 11:20:14 PM
We identified php/Kryptik.AB trojan in a file called php_engine9181.php this evening. We have removed the infected file and restored the index.php file as before.

Now we know what we are up against....

WotTheFook aka Merlin
Title: Re: Is Aminet OK/infected?
Post by: Piru on May 13, 2012, 12:48:10 AM
Quote from: WotTheFook;692981
We identified php/Kryptik.AB trojan in a file called php_engine9181.php this evening. We have removed the infected file and restored the index.php file as before.

Did you also identify how the trojan got there? That's the important question.
Title: Re: Is Aminet OK/infected?
Post by: WotTheFook on May 13, 2012, 12:32:51 PM
We believe that an Admin account was compromised. After ensuring all of the Admin local machines were clean and clear of infection, the Admins changed their passwords and it was then that we set to work to clean the site.

Useful information for the Admins on A.org
----------------------------------------
The infected file was in the admincp folder on the server and had edited the index.php file with some encrypted script. Once we had identified the infection and cleared it, we were able to fix the index.php file and the site has remained stable from then until now.

If this attack happens to you at some point, this information should help you.