geekhack hacked again!?
- Zehkul
- Main keyboard: Filco Majestouch
- Main mouse: CM Spawn
- Favorite switch: Mother-Buckling-Springs!
- DT Pro Member: -
I know that site tried to do something (blocked for me anyway, but I saw many scripts), and several others had antivirus notifications. And it doesn’t even really matter if they do try to infect PCs, all that matters is that they COULD.
And even if there wasn't anything else besides the rootworm text, it's still ridiculous to let it stay like that. That site needs to be taken offline, and I'd show a status message of when geekhack will be available again, if I wanted to keep as many users as possible, that is.
- didja
- Main keyboard: AT Model F - 87U - G80-1800
- Main mouse: varies
- Favorite switch: CapactiveBS
- DT Pro Member: -
silat wrote:
> Do you have any proof whatsoever that anyone has been infected?

Do you have any proof people haven't? The server has been compromised multiple times and is still compromised. The only safe assumption is that it is and has been infecting visitors.
- TexasFlood
- Main keyboard: Rosewill RK-9000 original cherry blue
- Main mouse: Microsoft trackball
- Favorite switch: cherry blue
- DT Pro Member: -
didja wrote:
> silat wrote:
> > Do you have any proof whatsoever that anyone has been infected?
>
> Do you have any proof people haven't? The server has been compromised multiple times and is still compromised. The only safe assumption is that it is and has been infecting visitors.

My initial reaction was that this is all being blown out of proportion. While I still feel that way, I would also agree that it's the safe thing to assume danger given a server having been compromised multiple times and either still compromised or left in a state that appears so. There was an indication that it was intentionally left this way. While this doesn't make logical sense to me, I also no longer see any apparent redirects or obviously malicious active content.
Even when the infected server web page was active, all I saw was the injected redirect from JS.Alescurf.C, no damage or permanent infection. But the potential is obviously there. Reportedly the attackers were able to get into geekhack and perform (either literally or the equivalent) an "rm -fr" command. I don't know how that was accomplished but one has to respect that danger even if there is no proof (and I don't see any) that it can happen to a client simply hitting the server. Also at least one person reported in this thread seeing Downloader.Psyme. From what I saw at Symantec, this is a version of an old (2004), low-risk trojan. Apparently it exploits a vulnerability in older versions of MS Internet Explorer to launch other Trojan programs on the infected machine. I don't run an older IE so probably wouldn't have been affected by this one. It's pretty scary though as, for some running an old version of IE, it -potentially- can launch arbitrary code which could do basically anything. Of course if you're running an old version of IE, you're basically asking for trouble and almost certainly will get it, but still.
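The injected redirect TexasFlood describes above (and the IE-only drive-by behind Downloader.Psyme) is the sort of thing a visitor can check for mechanically instead of eyeballing a page. The following is an added example, not code from this thread or from geekhack: it walks a page with Python's html.parser and flags the four usual carriers of a drive-by redirect, namely script tags loaded from a host outside an allow-list, inline scripts that rewrite location, meta refresh, and 1x1 or hidden iframes. TRUSTED_HOSTS and SAMPLE_PAGE are constructed for the example; example.invalid stands in for whatever the attacker's host was.

```python
"""Flag the kinds of injected redirect a compromised forum page can carry.

Added example, not code from the thread or from geekhack. SAMPLE_PAGE and
TRUSTED_HOSTS are constructed assumptions for illustration.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts the site legitimately loads script from (assumed for the example).
TRUSTED_HOSTS = {"geekhack.org", "www.geekhack.org"}

# Inline-script idioms that typically drive a drive-by redirect.
REDIRECT_RE = re.compile(
    r"(window|document|top|self)\.location(\.href)?\s*=|location\.replace\s*\(|"
    r"document\.write\s*\(\s*unescape\s*\(",
    re.IGNORECASE,
)


class InjectionFinder(HTMLParser):
    """Collect (kind, detail) findings while walking the page."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self._in_script = False
        self._script_src = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            self._in_script = True
            self._script_src = a.get("src")
            if self._script_src:
                host = urlparse(self._script_src).hostname or ""
                if host and host not in TRUSTED_HOSTS:
                    self.findings.append(("external-script", self._script_src))
        elif tag == "iframe":
            style = (a.get("style") or "").replace(" ", "").lower()
            tiny = a.get("width") in ("0", "1") or a.get("height") in ("0", "1")
            hidden = "display:none" in style or "visibility:hidden" in style
            if tiny or hidden:
                self.findings.append(("hidden-iframe", a.get("src")))
        elif tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            self.findings.append(("meta-refresh", a.get("content")))

    def handle_data(self, data):
        # HTMLParser hands <script> bodies to handle_data as raw text.
        if self._in_script and not self._script_src and REDIRECT_RE.search(data):
            self.findings.append(("inline-redirect", data.strip()[:80]))

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False
            self._script_src = None


def scan_html(html):
    """Return a list of (kind, detail) tuples for redirect-like injections."""
    parser = InjectionFinder()
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed page: one legitimate script plus four planted injections.
SAMPLE_PAGE = """<html><head><title>geekhack</title>
<script src="http://www.geekhack.org/js/forum.js"></script>
<meta http-equiv="refresh" content="0;url=http://example.invalid/land">
</head><body>
<p>forum content</p>
<script src="http://example.invalid/count.js"></script>
<iframe src="http://example.invalid/x.html" width="1" height="1"></iframe>
<script>window.location='http://example.invalid/go';</script>
</body></html>"""

if __name__ == "__main__":
    for kind, detail in scan_html(SAMPLE_PAGE):
        print(f"{kind:16s} {detail}")
```

Run it against the raw HTML you fetched with curl or wget (not from a browser that has already executed the page), and treat any hit as reason to stop loading the site from a browser with plugins enabled. The allow-list approach is deliberate: a redirect to a never-seen host is the signal, so the scanner does not need a signature for JS.Alescurf.C or any other named family.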
- jdcarpe
- Location: TX, USA
- Main keyboard: LZ-GH
- Main mouse: Logitech M570
- Favorite switch: 65g Linear MX
- DT Pro Member: -
Was it prophetic that I had just checked out The Cuckoo's Egg by Clifford Stoll from my local library a few days before GH went down?
Has R00TW0RM infected my local library, as well? Maybe R00TW0RM is also a B00KW0RM!
![Image](http://passion2read.files.wordpress.com/2011/09/bookworm1.gif)
-
- Location: Ugly American
- Main keyboard: As Long As It is Helvetica
- Main mouse: Mickey
- Favorite switch: Wanna Switch? Well, I Certainly Did!
- DT Pro Member: -
TexasFlood wrote:
> didja wrote:
> > silat wrote:
> > > Do you have any proof whatsoever that anyone has been infected?
> >
> > Do you have any proof people haven't? The server has been compromised multiple times and is still compromised. The only safe assumption is that it is and has been infecting visitors.
>
> My initial reaction was that this is all being blown out of proportion. While I still feel that way, I would also agree that it's the safe thing to assume danger given a server having been compromised multiple times and either still compromised or left in a state that appears so. There was an indication that it was intentionally left this way. While this doesn't make logical sense to me, I also no longer see any apparent redirects or obviously malicious active content.
> Even when the infected server web page was active, all I saw was the injected redirect from JS.Alescurf.C, no damage or permanent infection. But the potential is obviously there. Reportedly the attackers were able to get into geekhack and perform (either literally or the equivalent) an "rm -fr" command. I don't know how that was accomplished but one has to respect that danger even if there is no proof (and I don't see any) that it can happen to a client simply hitting the server. Also at least one person reported in this thread seeing Downloader.Psyme. From what I saw at Symantec, this is a version of an old (2004), low-risk trojan. Apparently it exploits a vulnerability in older versions of MS Internet Explorer to launch other Trojan programs on the infected machine. I don't run an older IE so probably wouldn't have been affected by this one. It's pretty scary though as, for some running an old version of IE, it -potentially- can launch arbitrary code which could do basically anything. Of course if you're running an old version of IE, you're basically asking for trouble and almost certainly will get it, but still.

You are ALWAYS so mellow though.
Baaaaaaaaa
Baaaaa
Baaa
You weren't the one that had to deal with THIS!
http://deskthority.net/geekhacker-refug ... tml#p55850
And what about all the people posting at Reddit and OCN about having to reinstall Windows and do multiple scans?
- thegunner100
- Location: NYC, USA
- Main keyboard: "Sakura" Realforce 87u 55g
- Main mouse: Logitech G5(v2)
- Favorite switch: Topre 45/55g
- DT Pro Member: -
Good thing I only use one password per website, and I've somehow never been infected while using Opera.
- TexasFlood
- Main keyboard: Rosewill RK-9000 original cherry blue
- Main mouse: Microsoft trackball
- Favorite switch: cherry blue
- DT Pro Member: -
ripster wrote:
> You are ALWAYS so mellow though.
> Baaaaaaaaa
> Baaaaa
> Baaa
> You weren't the one that had to deal with THIS!
> http://deskthority.net/geekhacker-refug ... tml#p55850
> And what about all the people posting at Reddit and OCN about having to reinstall Windows and do multiple scans?

I did see that, just a redirect as I posted shortly after you originally posted the above. No way that would result in a Windows reinstall. The only suggestion in the OCN thread you linked to earlier that a Windows reinstall was needed was by you, who it does not appear had to do so. Scanning is always a good idea and we should all be doing so regularly. Not sure anyone HAD TO do a scan for this but it sounds wise. Again, in the OCN thread you linked I didn't see anything unusual found in those scans. If you would like to link to some of the other threads about this, please do so and maybe I'll be educated.
- silat
- Location: Portland Oregon USA
- Main keyboard: Deck Legend Clears
- Main mouse: Trackball
- Favorite switch: Cat O'Nine Tails
- DT Pro Member: -
didja wrote:
> silat wrote:
> > Do you have any proof whatsoever that anyone has been infected?
>
> Do you have any proof people haven't? The server has been compromised multiple times and is still compromised. The only safe assumption is that it is and has been infecting visitors.

So you answer a question with a question? You know what that says?
Ok my proof is I am not infected. And I have not read one post that can verify an infection definitively coming from GH.
So your turn. What proof or evidence do you have?
I have visited the RootWorm page multiple times. Scanned with Emsisoft, Malwarebytes, Superanti and nothing shows up.
- ChaoticKinesis
- Location: NY, USA
- Main keyboard: CM Storm Quickfire Rapid
- Main mouse: DeathAdder Black Edition
- Favorite switch: MX Red
- DT Pro Member: -
TexasFlood wrote:
> ripster wrote:
> > You are ALWAYS so mellow though.
> > Baaaaaaaaa
> > Baaaaa
> > Baaa
> > You weren't the one that had to deal with THIS!
> > http://deskthority.net/geekhacker-refug ... tml#p55850
> > And what about all the people posting at Reddit and OCN about having to reinstall Windows and do multiple scans?
>
> I did see that, just a redirect as I posted shortly after you originally posted the above. No way that would result in a Windows reinstall. The only suggestion in the OCN thread you linked to earlier that a Windows reinstall was needed was by you, who it does not appear had to do so. Scanning is always a good idea and we should all be doing so regularly. Not sure anyone HAD TO do a scan for this but it sounds wise. Again, in the OCN thread you linked I didn't see anything unusual found in those scans. If you would like to link to some of the other threads about this, please do so and maybe I'll be educated.

As far as I can tell, the matter of malware and the need to reinstall Windows was blown way out of proportion by Ripster and several others on OCN and elsewhere. I saw a few people say they had trojans, which they suggested may have been due to Geekhack, with dozens more saying nothing at all on the subject of having their PC infected. I ran a number of different scans on both home and work computers and none of them found anything. I'm fairly confident that this is not because my AV automatically blocked it, since I have it set to warn me and never take action automatically.
As for people on OCN reinstalling Windows, the fact that a few preemptively decided to reinstall their OS, on a forum where doing so is commonplace for many users, does not say much.
-
- Location: Ugly American
- Main keyboard: As Long As It is Helvetica
- Main mouse: Mickey
- Favorite switch: Wanna Switch? Well, I Certainly Did!
- DT Pro Member: -
Perhaps.
However I would think everyone agrees it does little for the Geekhack Brand Name:

R00TW0RM
Expiration Date: 2012-08-18 00:47:23

At least R00TW0RM chose Times Roman font to class it up a bit.
- TexasFlood
- Main keyboard: Rosewill RK-9000 original cherry blue
- Main mouse: Microsoft trackball
- Favorite switch: cherry blue
- DT Pro Member: -
ripster wrote:
> Perhaps.
> However I would think everyone agrees it does little for the Geekhack Brand Name:
>
> R00TW0RM
> Expiration Date: 2012-08-18 00:47:23
>
> At least R00TW0RM chose Times Roman font to class it up a bit.

That I won't argue...
- Stevie Wonder
- Main keyboard: iPad Split USA
- Main mouse: Finger
- Favorite switch: Capacitive with 3g Activation Force
- DT Pro Member: -
Holy bejesus, should I sell my McAfee/Intel stock?
- TexasFlood
- Main keyboard: Rosewill RK-9000 original cherry blue
- Main mouse: Microsoft trackball
- Favorite switch: cherry blue
- DT Pro Member: -
Stevie Wonder wrote:
> Holy bejesus, should I sell my McAfee/Intel stock?

When you believe in things that you don't understand
Then you suffer, superstition ain't the way, yeh, yeh
Don't you worry 'bout a thing
- ChaoticKinesis
- Location: NY, USA
- Main keyboard: CM Storm Quickfire Rapid
- Main mouse: DeathAdder Black Edition
- Favorite switch: MX Red
- DT Pro Member: -
ripster wrote:
> Perhaps.
> However I would think everyone agrees it does little for the Geekhack Brand Name:
>
> R00TW0RM
> Expiration Date: 2012-08-18 00:47:23
>
> At least R00TW0RM chose Times Roman font to class it up a bit.

Agreed regarding the brand name. As for the font, checking the HTML shows they selected nothing so it's just your browser's default. Maybe you can give them a lesson on fonts. :D
-
- Location: Ugly American
- Main keyboard: As Long As It is Helvetica
- Main mouse: Mickey
- Favorite switch: Wanna Switch? Well, I Certainly Did!
- DT Pro Member: -
Interesting reads all over the web if you search for Geekhack/R00TW0RM.
https://www.vbulletin.com/forum/showthr ... o-R00TW0RM
> Edit: Also the possibility they have a shell script or similar on the site that was put up when you were initially hacked, with something like that they can continue to gain access despite a security patch being applied.

OUCH!
And of course just about every other forum is wondering WTF! Anandtech, OCN, HardForum, Reddit...even 4chan!
http://forums.overclockers.com.au/showt ... p=14509128
> whos ripster?
> The guy who actually supplies all info relating to keyboards at Geekhack.

http://forums.anandtech.com/showthread.php?p=33621232
http://forum.lowyat.net/topic/2329609/+1300
I think you guys are underestimating the damage they could cause at any time. However we can all agree the R00TW0RM branding campaign is proving HIGHLY successful.
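The vBulletin comment quoted above makes the point that matters for a forum that keeps getting re-defaced: patching the hole the attackers came in through does nothing about a PHP backdoor they dropped while they were inside, so the server stays theirs until that file is found and removed. The following is an added example, not code from this thread, from geekhack or from vBulletin, of the hunt an admin would run over the web root before declaring the site clean. The indicator regexes, the upload-directory names and the planted sample files are assumptions constructed for illustration; it builds a throwaway tree so it runs offline.

```python
"""Hunt for a web shell left behind after a forum compromise.

Added example, not code from the thread, from geekhack or from vBulletin.
The indicator list, directory names and sample files are assumptions made
for illustration.
"""
import os
import re
import tempfile

# Source-level indicators common to PHP backdoors (assumed list, not exhaustive).
SHELL_PATTERNS = [
    ("eval-decode", re.compile(
        rb"eval\s*\(\s*@?(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(")),
    ("preg-replace-e", re.compile(
        rb"preg_replace\s*\(\s*['\"][^'\"]*/e['\"]")),
    ("exec-from-request", re.compile(
        rb"\b(system|shell_exec|passthru|exec|popen|proc_open|assert)\s*\(\s*\$_(GET|POST|REQUEST|COOKIE)")),
    ("variable-function", re.compile(
        rb"\$_(GET|POST|REQUEST)\s*\[[^\]]+\]\s*\(\s*\$_")),
]
# Directories that accept uploads; PHP must never execute from them (assumed layout).
UPLOAD_DIRS = {"attachments", "uploads", "images", "avatars", "customavatars"}
PHP_EXT = (".php", ".phtml", ".php5", ".phar")


def scan_webroot(root, baseline_mtime=None):
    """Return a sorted list of (relative_path, reason) for suspicious files.

    baseline_mtime: epoch seconds of the last known-good deploy; anything
    newer is reported, because a backdoor survives a later security patch
    unless the file itself is removed.
    """
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root)
        dir_parts = set(rel_dir.split(os.sep))
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.normpath(os.path.join(rel_dir, name)).replace(os.sep, "/")
            is_php = name.lower().endswith(PHP_EXT)
            if is_php and dir_parts & UPLOAD_DIRS:
                hits.append((rel, "php-in-upload-dir"))
            if baseline_mtime is not None and os.path.getmtime(full) > baseline_mtime:
                hits.append((rel, "modified-after-baseline"))
            if is_php:
                with open(full, "rb") as fh:
                    blob = fh.read()
                for label, pat in SHELL_PATTERNS:
                    if pat.search(blob):
                        hits.append((rel, "shell-pattern:" + label))
                        break
    return sorted(hits)


def build_sample_webroot():
    """Construct a throwaway web root: clean forum code plus two planted backdoors."""
    root = tempfile.mkdtemp(prefix="webroot-")
    old = 1340000000  # constructed 'known-good deploy' timestamp (June 2012)
    files = {
        "index.php": (b"<?php require 'includes/functions.php'; echo render_index();", old),
        "includes/functions.php": (b"<?php function render_index() { return 'ok'; }", old),
        # planted: PHP inside an upload directory, decoding attacker-supplied code
        "images/attach/cache.php": (b"<?php @eval(base64_decode($_POST['c']));", None),
        # planted: the legacy /e modifier turns preg_replace into eval()
        "includes/config_bak.php": (b"<?php preg_replace('/.*/e', $_POST['x'], '');", None),
    }
    for rel, (content, mtime) in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(content)
        if mtime is not None:
            os.utime(path, (mtime, mtime))
    return root


if __name__ == "__main__":
    for path, why in scan_webroot(build_sample_webroot(), baseline_mtime=1341000000):
        print(f"{why:24s} {path}")
```

Two caveats a practitioner would add. Modification times are trivially forged with touch, so the mtime check is a triage aid and the source-pattern and location checks are the ones to trust; and even a clean scan does not prove the box is clean, since a second foothold can live outside the web root (a cron entry, an SSH key, a modified binary). After a repeat compromise of the kind described in this thread the defensible course is the one Zehkul asked for at the top: take it offline, rebuild from known-good source and a pre-compromise database dump, rotate every credential, and only then put it back.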
- off
- Location: the crapper, NL, EU
- DT Pro Member: -
silat wrote:
> didja wrote:
> > silat wrote:
> > > Do you have any proof whatsoever that anyone has been infected?
> >
> > Do you have any proof people haven't?
>
> So you answer a question with a question? You know what that says?

Do you?
And could everyone please get some more sense in their usage of the quoting facility... (on this page TF/CK/Rip)
- TexasFlood
- Main keyboard: Rosewill RK-9000 original cherry blue
- Main mouse: Microsoft trackball
- Favorite switch: cherry blue
- DT Pro Member: -
off wrote:
> And could everyone please get some more sense in their usage of the quoting facility... (on this page TF/CK/Rip)

Could you be more specific about how my use of quoting needs more sense?
- off
- Location: the crapper, NL, EU
- DT Pro Member: -
Yes of course: imho quoting of posts should be limited to either quoting just the relevant part if still on the same page, and quoting images should be rare. /dicatoritrol
I'm hoping you agree on that; for it leaves more room for new info on pages.
Thankfully I've just realised how part of the issues with that can be resolved, like so:
Now if that could become a built-in automated standard for quoting, it'd be even more workable.
-
- Location: Ugly American
- Main keyboard: As Long As It is Helvetica
- Main mouse: Mickey
- Favorite switch: Wanna Switch? Well, I Certainly Did!
- DT Pro Member: -
Like this? A Vb Forum that is NOT R00TW0RMED?
http://forums.overclockers.com.au/showp ... count=5665

kazen wrote:
> whos ripster?

kandrews wrote:
> lol
> The guy who actually supplies all info relating to keyboards at Geekhack.
> I think he's the only one who has over 50'000 posts alone. But lately he has disappeared due to some ban placed on him by iMav.
> I think it's to do with his general behaviour which was getting somewhat nasty at GH (but that is only a feeling not actual fact).
> A lot of people hate his guts but I love all the effort he had put into Geekhack including his wiki with detailed descriptions on everything to do with keyboards and marble-mice (YES, I do actually read his stuff, very informative).
> I can never be ungrateful for all his effort he had put into that place because we all depend on the work he had done to label and categorise correctly, every known keyboard that was ever made. Sometimes you have to give credit where it's deserved, and he has rightly claimed that from me.

Ripster wrote:
> Thanks, and he is one of my favorite dudes too!
> Spends a LOT of time here under name Ripster55, especially since Geekhack is R00TW0RMED!
> http://www.reddit.com/r/keyboards/

Oh wait. The Color thing is fucked up.
The tricky thing is to put user names in quotes, no spaces. And you can only nest 3 quotes deep.
- thegunner100
- Location: NYC, USA
- Main keyboard: "Sakura" Realforce 87u 55g
- Main mouse: Logitech G5(v2)
- Favorite switch: Topre 45/55g
- DT Pro Member: -
All my seller feedback... NOOOO
- MagicMeatball
- Location: USA
- Main keyboard: HHKB Pro 2
- Main mouse: Logitech G9x
- Favorite switch: Topre
- DT Pro Member: -
TexasFlood wrote:
> off wrote:
> > And could everyone please get some more sense in their usage of the quoting facility... (on this page TF/CK/Rip)
>
> Could you be more specific about how my use of quoting needs more sense?

I grab the snippet of the exact quote I am referencing. Not sure why it's being made out as such a big deal.
Last edited by MagicMeatball on 01 Jul 2012, 19:19, edited 1 time in total.
- TexasFlood
- Main keyboard: Rosewill RK-9000 original cherry blue
- Main mouse: Microsoft trackball
- Favorite switch: cherry blue
- DT Pro Member: -
I do agree, however I feel that I already do so. Admittedly I did quote an image above, but even in that post I edited down the quoted material. If you look back at my historical posts, I believe you will find that unedited quotes and quoting images is indeed rare for me.
That's a good idea, and I would agree that a reference back to the originally quoted post is a good idea; many forums I use have some form of this implemented. For the benefit of anyone reading this, in case it wasn't obvious what off did there, he added a hyperlink to the quoted poster name, back to the quoted post.
- silat
- Location: Portland Oregon USA
- Main keyboard: Deck Legend Clears
- Main mouse: Trackball
- Favorite switch: Cat O'Nine Tails
- DT Pro Member: -
didja wrote:
> silat wrote:
> > Do you have any proof whatsoever that anyone has been infected?
>
> Do you have any proof people haven't? The server has been compromised multiple times and is still compromised. The only safe assumption is that it is and has been infecting visitors.

Assumptions? LOL
- silat
- Location: Portland Oregon USA
- Main keyboard: Deck Legend Clears
- Main mouse: Trackball
- Favorite switch: Cat O'Nine Tails
- DT Pro Member: -
off said:
> Do you?
> And could everyone please get some more sense in their usage of the quoting facility... (on this page TF/CK/Rip)

1. I was not the poster who "claimed" there were infections.
2. I asked for proof of the "claim".
3. I click the quote button and have nothing to do with the text that it grabs.