Author Topic: Is Aminet OK/infected?  (Read 13104 times)

Offline WotTheFook

  • Full Member
  • ***
  • Join Date: Mar 2007
  • Posts: 159
    • Show all replies
    • http://www.amibay.com
Re: Is Aminet OK/infected?
« on: May 11, 2012, 10:35:43 PM »
We do know about it, I've been researching it all evening.

AmiBay and ClassicAmiga have both been hit with the same script exploit attack that hit Aminet.

It has only been partially effective and the root access, FTP and e-mail have not been compromised. A config file has been corrupted and there is a URL redirect to an ibiz.cc site in place; however, this only affects the home page. You should block this ibiz.cc redirect if it comes up on your machine.

If a Java icon appears in your Systray, you should kill it immediately, as this is part of the exploit that is attempting to download malware to your machine.

We hope to have this repaired by tomorrow morning. We backed up the site early this morning and once we have checked the backup config files, we can get the site fully functional again.

In the interim, you can access via any other AmiBay page except the home page. A Google link that isn't the home page will let you access the site, but please ensure that your anti-virus and malware protection is up to date.

WotTheFook aka Merlin
« Last Edit: May 11, 2012, 10:38:07 PM by WotTheFook »
 

Offline WotTheFook
Re: Is Aminet OK/infected?
« Reply #1 on: May 12, 2012, 11:20:11 AM »
@ Piru

This is from one of our developers on the matter.

"It won't be until at least this afternoon before we can start removing it.

This injection attack seems quite complex compared to most site hijacking automated scripts.

Lots of sites are getting hacked in recent days, and not just vBulletin, but also WordPress, Joomla, and lots of others including popular ecommerce sites.

No one has yet worked out how they are gaining access, but some think it is gaining access from an admin account login, then uploading a load of files in a buried location on the server by installing bogus plugins on the forum or CMS software that then upload their files.

These files contain a JavaScript based malware payload (not Java), so ensure you have a way to control JavaScript running per site.

In addition the attack injects a line of PHP code at the top of every PHP file on the site. So when anything accesses an injected/infected script, the hash included in the injected code translates into a redirect to the hidden payload files to run the malware, and then redirects to a random domain holding page."

We'll know more when the devs start digging further. I wouldn't say that A.org is immune from this attack either, so the Admins need to back the site up as soon as possible.

It's definitely a PHP code injection script, coupled with a JavaScript to redirect to either a usa.cc or ibiz.cc site (from the behaviour we've seen so far) that attempts to download malware. The origin appears to be Russia, as that is where the redirect is pointing to from a trace on the IP.

FTP and e-mail appear to be unaffected thus far.

WotTheFook aka Merlin
 

Offline WotTheFook
Re: Is Aminet OK/infected?
« Reply #2 on: May 12, 2012, 11:26:35 AM »
This is what Google Diagnostics had to say about the ibiz.cc site...

"Google Safe Browsing diagnostic page for ibiz.cc
Advisory provided by Safe Browsing

Diagnostic page for ibiz.cc
What is the current listing status for ibiz.cc?
This site is not currently listed as suspicious.
Part of this site was listed for suspicious activity 28 time(s) over the past
90 days.

What happened when Google visited this site?
Of the 164 pages we tested on the site over the past 90 days, 0 page(s)
resulted in malicious software being downloaded and installed without user
consent. The last time Google visited this site was on 2012-05-08, and the last time suspicious content was found on this site was on 2012-04-25.

Malicious software includes 443 trojan(s), 90 scripting exploit(s), 27
exploit(s).

This site was hosted on 9 network(s) including AS43239 (SPETSENERGO), AS53665
(BODIS), AS44050 (PIN).

Has this site acted as an intermediary resulting in further distribution of malware?
Over the past 90 days, ibiz.cc appeared to function as an intermediary for the infection of 37 site(s) including engranes.cl/, urbanlookout.com/,
aloveletterforyou.com/.

Has this site hosted malware?
Yes, this site has hosted malicious software over the past 90 days. It
infected 145 domain(s), including abu-farhan.com/, doncb.com/,
iworkshop.com.hk/.

Next steps:
Return to the previous page.
If you are the owner of this web site, you can request a review of your site using Google Webmaster Tools. More information about the review process is available in Google's Webmaster Help Center.
Updated 2 hours ago© Google - Google Home"
 

Offline WotTheFook
Re: Is Aminet OK/infected?
« Reply #3 on: May 12, 2012, 11:31:51 AM »
More information (I told you we've been busy...)

This is also to inform the Admins on A.org.

No one has yet worked out how they are gaining access, but some think it is gaining access from an admin account login, then uploading a load of files in a buried location on the server by installing bogus plugins on the forum or CMS software that then upload their files. This is just speculation at the moment though.

These files contain a JavaScript based malware payload (not Java), so ensure you have a way to control JavaScript running per site.

In addition the attack injects a line of PHP code at the top of every PHP file on the site. So when anything accesses an injected/infected script, the hash included in the injected code translates into a redirect to the hidden payload files to run the malware, and then redirects to a random domain holding page.

AmiBay was backed up in the morning before this attack hit, so we should be in a position to restore the correct files once we have checked them over to ensure that they aren't affected.
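
Editor's added example (not code from the AmiBay or Aminet admins, nor from the developer quoted in Reply #1 and Reply #3): a scanner for the symptom those two posts describe, an obfuscated line of PHP prepended to every .php file. The thread never shows the real injected line, so the indicators below are generic signs of obfuscated PHP (an assumption), and the webroot and sample files are constructed for the demo.

```python
"""Scan a PHP webroot for an obfuscated line prepended to every .php file.

Added example, not code from the AmiBay or Aminet admins. The thread only
says that "a line of PHP code" was injected at the top of every PHP file and
that it carried an encoded hash; the real line is not on the page, so the
indicators below are generic signs of obfuscated PHP (assumption), and the
sample files are constructed for the demo.
"""
import os
import re
import tempfile

# Generic obfuscation indicators; the names are used in the report.
INDICATORS = {
    "eval": re.compile(r"\beval\s*\("),
    "base64_decode": re.compile(r"\bbase64_decode\s*\("),
    "decompress": re.compile(r"\b(?:gzinflate|gzuncompress|str_rot13)\s*\("),
    "preg_replace_e": re.compile(r"\bpreg_replace\s*\(\s*['\"][^'\"]*/e['\"]"),
    "hex_escapes": re.compile(r"(?:\\x[0-9a-fA-F]{2}){8,}"),
}
HEAD_CHARS = 4096   # injected code sits at the top, so only the head is read
LONG_LINE = 500     # one-line droppers are usually far longer than real PHP


def head_indicators(text):
    """Return the indicator names that fire on the head of a PHP file."""
    head = text[:HEAD_CHARS]
    hits = [name for name, rx in INDICATORS.items() if rx.search(head)]
    first_line = head.lstrip().split("\n", 1)[0]
    if len(first_line) > LONG_LINE:
        hits.append("long_first_line")
    return hits


def scan_tree(root):
    """Map each flagged .php file (relative POSIX path) to its indicator hits."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "r", encoding="utf-8", errors="replace") as fh:
                hits = head_indicators(fh.read())
            if hits:
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                findings[rel] = hits
    return findings


# Constructed samples: a clean file and one with a synthetic injected line
# (the injected string is harmless and stands in for the real payload).
CLEAN_PHP = "<?php\n// normal forum front page\necho 'hello';\n"
INJECTED_PHP = (
    '<?php eval(base64_decode("ZWNobyAicmVkaXJlY3QiOw==")); ?>'
    + CLEAN_PHP
)


def demo():
    """Build a throwaway webroot, scan it, and return the findings."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "admincp"))
        with open(os.path.join(root, "index.php"), "w") as fh:
            fh.write(CLEAN_PHP)
        with open(os.path.join(root, "admincp", "index.php"), "w") as fh:
            fh.write(INJECTED_PHP)
        return scan_tree(root)


if __name__ == "__main__":
    for path, hits in demo().items():
        print(f"{path}: {', '.join(hits)}")
```

Run it against the real webroot with `scan_tree("/var/www/html")`; a hit on nearly every file, all with the same indicator set, is the pattern the developer describes. Treat it as triage, not proof: legitimate code does call `base64_decode`, and an injected line can be encoded so that none of these indicators fire, which is why comparing against the pre-attack backup still matters.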
 

Offline WotTheFook
Re: Is Aminet OK/infected?
« Reply #4 on: May 12, 2012, 03:28:11 PM »
My best guess at present is that it's a variant of this:

BlackHole Exploit Kit

A type of crimeware Web application developed in Russia to help hackers take advantage of unpatched exploits in order to hack computers via malicious scripts planted on compromised websites. Unsuspecting users visiting these compromised sites would be redirected to a browser vulnerability-exploiting malware portal website in order to distribute banking Trojans or similar malware through the visiting computer.
 
Blackhole exploit kits are based on PHP and a MySQL backend and incorporate support for exploiting the most widely used and vulnerable security flaws in order to provide hackers with the highest probability of successful exploitation. The kits typically target versions of the Windows operating system and applications installed on Windows platforms.
 
On March 25, 2012, the Blackhole Exploit Kit 1.2.3 was released, IC3 stated. This kit included the latest critical vulnerability in Java, allowing the bypassing of Java's sandbox environment. Java's sandbox is designed to provide security for downloading and running Java applications, while preventing them access to the hard drive or network. New malware samples appearing in the wild have been highly successful at exploiting this flaw and it is estimated at least 60% of Java users have not yet patched against it.


The first Blackhole exploit kit appeared on the black market in August 2010 as a Web application available for sale on a subscription basis ($1,500 for an annual license). Newer releases and a free version of the Blackhole exploit kit have since appeared on warez download sites. The most well-known Blackhole exploit kit attack targeted the U.S. Postal Service's Rapid Information Bulletin Board System (RIBBS) website in April 2011.
« Last Edit: May 12, 2012, 03:30:23 PM by WotTheFook »
 

Offline WotTheFook
Re: Is Aminet OK/infected?
« Reply #5 on: May 12, 2012, 06:02:25 PM »
@ Piru

All Admins are currently changing their passwords and checking local machines are clear of infection before we attempt to repair the server.

@ All

If you Google AmiBay and select any link EXCEPT the home page, you should get on. This link should also work.

http://www.amibay.com/search.php?do=getnew
 

Offline WotTheFook
Re: Is Aminet OK/infected?
« Reply #6 on: May 12, 2012, 07:54:58 PM »
Normal service should have been restored on the Amibay home page now.

:)
 

Offline WotTheFook
Re: Is Aminet OK/infected?
« Reply #7 on: May 12, 2012, 11:20:14 PM »
We identified php/Kryptik.AB trojan in a file called php_engine9181.php this evening. We have removed the infected file and restored the index.php file as before.

Now we know what we are up against....

WotTheFook aka Merlin
 

Offline WotTheFook
Re: Is Aminet OK/infected?
« Reply #8 on: May 13, 2012, 12:32:51 PM »
We believe that an Admin account was compromised. After ensuring all of the Admin local machines were clean and clear of infection, the Admins changed their passwords and it was then that we set to work to clean the site.

Useful information for the Admins on A.org
----------------------------------------
The infected file was in the admincp folder on the server and had edited the index.php file with some encrypted script. Once we had identified the infection and cleared it, we were able to fix the index.php file and the site has remained stable from then until now.

If this attack happens to you at some point, this information should help you.
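
Editor's added example (not the AmiBay admins' own tooling): the clean-up described in Reply #3, Reply #7 and Reply #8 done programmatically, using the backup taken before the attack as the baseline to find the edited index.php, the dropped file in admincp, and anything that went missing. Paths and file contents are constructed for the demo; the dropped file is named after the one in Reply #7 for illustration only, and the list of files to skip is an assumption to be adjusted per site.

```python
"""Compare a live PHP webroot against the pre-attack backup.

Added example, not the AmiBay admins' own tooling. It does what the thread
describes doing by hand: take the backup made before the attack as the
baseline, list files that changed (the edited index.php), files that only
exist on the live site (the dropped admincp file), and files that went
missing. Paths and contents below are constructed for the demo; the dropped
file is named after the one in the post for illustration only.
"""
import hashlib
import os
import tempfile

# Files that legitimately differ from a backup (assumption: adjust per site).
SKIP = {"config.php", "includes/config.php"}


def hash_tree(root):
    """Map relative POSIX path -> SHA-256 of every regular file under root."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            if rel in SKIP:
                continue
            h = hashlib.sha256()
            with open(path, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    h.update(chunk)
            digests[rel] = h.hexdigest()
    return digests


def diff_trees(backup_root, live_root):
    """Return sorted lists of modified, added (live-only) and missing files.

    Content hashes are compared, not timestamps: an attacker who can write
    the files can also reset their mtimes to match the originals.
    """
    base, live = hash_tree(backup_root), hash_tree(live_root)
    return {
        "modified": sorted(p for p in base if p in live and base[p] != live[p]),
        "added": sorted(p for p in live if p not in base),
        "missing": sorted(p for p in base if p not in live),
    }


def restore_plan(backup_root, live_root, report):
    """List the actions needed to put the live tree back to the backup state.

    Unknown files are quarantined rather than deleted so they can be
    examined (the thread identified its dropped file by scanning it).
    """
    actions = []
    for p in report["modified"] + report["missing"]:
        actions.append(("copy", os.path.join(backup_root, p), os.path.join(live_root, p)))
    for p in report["added"]:
        actions.append(("quarantine", os.path.join(live_root, p), None))
    return actions


def _write(root, rel, text):
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as fh:
        fh.write(text)


def demo():
    """Constructed backup vs. live trees reproducing the case in the thread."""
    with tempfile.TemporaryDirectory() as backup, tempfile.TemporaryDirectory() as live:
        clean = "<?php\necho 'admin panel';\n"
        _write(backup, "index.php", "<?php\necho 'front page';\n")
        _write(backup, "admincp/index.php", clean)
        _write(backup, "config.php", "<?php $db='backup-host';\n")
        _write(live, "index.php", "<?php\necho 'front page';\n")
        _write(live, "admincp/index.php", "<?php /* injected */ ?>" + clean)
        _write(live, "admincp/php_engine9181.php", "<?php /* dropped */ ?>\n")
        _write(live, "config.php", "<?php $db='live-host';\n")
        report = diff_trees(backup, live)
        return report, restore_plan(backup, live, report)


if __name__ == "__main__":
    report, plan = demo()
    print(report)
    for action in plan:
        print(*action)
```

Two caveats the thread itself raises: the baseline is only worth anything if the backup predates the compromise, and restoring files before the admin credentials are rotated and the admins' own machines are checked just invites the same edit again.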