Welcome, Guest. Please login or register.
Forums
« previous next »
Pages: 1 2 3 [4]   Go Down

Author Topic: Is Aminet OK/infected?  (Read 13090 times)

Description:

0 Members and 1 Guest are viewing this topic.

Offline Dr.Bongo

  • Sr. Member
  • ****
  • Join Date: Jun 2003
  • Posts: 342
    • Show only replies by Dr.Bongo
    • http://www.c64radio.com
Re: Is Aminet OK/infected?
« Reply #44 from previous page: May 12, 2012, 05:11:36 PM »
Amibay is re-directing to a spam page now :(
Logged
38911 BASIC BYTES FREE, less when I`ve had a drink!

 *** http://c64radio.com *** Commodore 64 Radio 24/7 for free!
 

Offline Piru

  • \' union select name,pwd--
  • Hero Member
  • *****
  • Join Date: Aug 2002
  • Posts: 6946
    • Show only replies by Piru
    • http://www.iki.fi/sintonen/
Re: Is Aminet OK/infected?
« Reply #45 on: May 12, 2012, 05:40:14 PM »
Quote from: WotTheFook;692929
My best guess at present is that it's a variant of this:-

BlackHole Exploit Kit
Yes it is. But this has nothing to do with the actual vulnerability that was used to pwn it. This is just the tool they use to infect victims browsing the site. (In my earlier post, this is the step 2. How the step 1 was achieved remains unclear.)

Any attempts to remove the malware links are in vain until the actual root cause for the site exploit has been identified and fixed.
« Last Edit: May 12, 2012, 05:48:54 PM by Piru »
Logged
 

Offline WotTheFook

  • Full Member
  • ***
  • Join Date: Mar 2007
  • Posts: 159
    • Show only replies by WotTheFook
    • http://www.amibay.com
Re: Is Aminet OK/infected?
« Reply #46 on: May 12, 2012, 06:02:25 PM »
@ Piru

All Admins are currently changing their passwords and checking local machines are clear of infection before we attempt to repair the server.

@ All

If you Google AmiBay and select any link EXCEPT the home page, you should get on. This link should also work.

http://www.amibay.com/search.php?do=getnew
Logged
 

Offline Dr.Bongo

  • Sr. Member
  • ****
  • Join Date: Jun 2003
  • Posts: 342
    • Show only replies by Dr.Bongo
    • http://www.c64radio.com
Re: Is Aminet OK/infected?
« Reply #47 on: May 12, 2012, 06:14:31 PM »
@ WotTheFook - Thank you :)
Logged
38911 BASIC BYTES FREE, less when I`ve had a drink!

 *** http://c64radio.com *** Commodore 64 Radio 24/7 for free!
 

Offline Virge

  • Newbie
  • *
  • Join Date: Mar 2002
  • Posts: 29
    • Show only replies by Virge
Re: Is Aminet OK/infected?
« Reply #48 on: May 12, 2012, 07:30:54 PM »
Hi.

Sometimes i can enter on Aminet others Not same with Amibay

Regards
Pedro
Logged
-Amiga 1200 / BlizzardPPC 060 50mhz - Powerpc 233mhz / Mediator TX / Soundblaster 128 / Ethernet / Voodoo Banshee 16mb / 256mb Ram / FastAta / 80gb ide 3.5\\" / Dvdrw Asus / Os3.9/Os4.0
-Amiga 1200 / 10gb ide 2.5\\" / Workbench 3.1
-Amiga 600HD / 2mb ...
 

Offline WotTheFook

  • Full Member
  • ***
  • Join Date: Mar 2007
  • Posts: 159
    • Show only replies by WotTheFook
    • http://www.amibay.com
Re: Is Aminet OK/infected?
« Reply #49 on: May 12, 2012, 07:54:58 PM »
Normal service should have been restored on the Amibay home page now.

:)
Logged
 

Offline golem

  • Sr. Member
  • ****
  • Join Date: May 2002
  • Posts: 432
    • Show only replies by golem
Re: Is Aminet OK/infected?
« Reply #50 on: May 12, 2012, 09:33:58 PM »
Still getting trojan here
Logged
                                                             
A1200 desktop, Blizzard 1260, OS3.9BB2, Indivision Mk II, SCSI Jaz, Ethernet
A1200 desktop, Blizzard 1230, OS3.1, Ethernet
A500, OS1.3
 

Offline WotTheFook

  • Full Member
  • ***
  • Join Date: Mar 2007
  • Posts: 159
    • Show only replies by WotTheFook
    • http://www.amibay.com
Re: Is Aminet OK/infected?
« Reply #51 on: May 12, 2012, 11:20:14 PM »
We identified php/Kryptik.AB trojan in a file called php_engine9181.php this evening. We have removed the infected file and restored the index.php file as before.

Now we know what we are up against....

WotTheFook aka Merlin
Logged
 

Offline Piru

  • \' union select name,pwd--
  • Hero Member
  • *****
  • Join Date: Aug 2002
  • Posts: 6946
    • Show only replies by Piru
    • http://www.iki.fi/sintonen/
Re: Is Aminet OK/infected?
« Reply #52 on: May 13, 2012, 12:48:10 AM »
Quote from: WotTheFook;692981
We identified php/Kryptik.AB trojan in a file called php_engine9181.php this evening. We have removed the infected file and restored the index.php file as before.

Did you also identify how the trojan got there? That's the important question.
Logged
 

Offline WotTheFook

  • Full Member
  • ***
  • Join Date: Mar 2007
  • Posts: 159
    • Show only replies by WotTheFook
    • http://www.amibay.com
Re: Is Aminet OK/infected?
« Reply #53 on: May 13, 2012, 12:32:51 PM »
We believe that an Admin account was compromised. After ensuring all of the Admin local machines were clean and clear of infection, the Admins changed their passwords and it was then that we set to work to clean the site.

Useful information for the Admins on A.org
----------------------------------------
The infected file was in the admincp folder on the server and had edited the index.php file with some encrypted script. Once we had identified the infection and cleared it, we were able to fix the index.php file and the site has remained stable from then until now.

If this attack happens to you at some point, this information should help you.
Logged
 
Pages: 1 2 3 [4]   Go Up
« previous next »