geekhack hacked again!?

didja

28 Jun 2012, 05:42

Man that's a lot of being hacked.

rknize

28 Jun 2012, 05:44

Yeah...they *really* want to own GH. Whatever.

thegunner100

28 Jun 2012, 05:45

^Coming from a mod.

I'm afraid to post anything until I know that it won't be rolled back.

rknize

28 Jun 2012, 05:47

Haha...yeah don't be surprised if it happens. If the exploit is hiding in the DB, a rollback is probably inevitable.

TexasFlood

28 Jun 2012, 06:13

So earlier I hadn't hit the main page which is why I hadn't seen this. I did get redirected upon hitting the main page. Again, I'm not that worried about it being a threat to my PC.

mkawa

28 Jun 2012, 06:22

well, given that they're redirecting you to arbitrary code, you should definitely be avoiding the root page. then again, i keep clicking the damned "forum" button at the top too, so i know your pain.

my feeling is that, although we are probably looking at another db rollback, and possibly some significant changes, we have some freedom right now on when that happens, so we can give people a chance to save their transactions before we bring the forum back into working order and are forced to lose data on gh's end.

mkawa

28 Jun 2012, 06:27

for the time being, please use the google cache of index.php as the front page, and try to stop yourself from clicking the "forum" button on the title bar :P

http://webcache.googleusercontent.com/s ... 0&bih=1321

TexasFlood

28 Jun 2012, 06:31

Sure, there's no point in going to the main page, was just checking it earlier.
I'm not that worried about it but no point in tempting fate either.

thegunner100

28 Jun 2012, 06:36

I rarely actually go to the index page. I usually just chill at the spy :D

TexasFlood

28 Jun 2012, 06:38

Just to be clear, I meant there is no point in going to the index page NOW since it's broke and will just redirect you anyway. Thanks mkawa for posting the google cache in case someone needs it.

ripster

28 Jun 2012, 06:55

I will chill until you experts say it is safe.

http://www.overclock.net/t/1247033/geek ... t_17581368
itznfb wrote: For the past week or so Geekhack has been infecting every visitor with multiple trojans. Surprisingly my work's Symantec Endpoint Protection was the ONLY thing that caught it. I tested with 30 or so other AntiVirus and AntiMalware apps and nothing picked it up. Mainly because it's java scripts running that are downloading and running trojans from appdata or temp space. They aren't actually installing anything or trying to gain privileged access. My Linux and OSX machines were infected as well. I caught the outgoing keystrokes with network traces.
Turn off java if you're going to visit Geekhack. The Admin needs some help from someone who has a clue about running a web site.

Ouch!
Turn off java if you're going to visit Geekhack. The Admin needs some help from someone who has a clue about running a web site.
Last edited by ripster on 28 Jun 2012, 08:47, edited 1 time in total.

Input Nirvana

28 Jun 2012, 07:08

Crap! I run OSX.
WTF do I gotta do about this? NOW I'm pissed.

thegunner100

28 Jun 2012, 07:09

Funny, I run Symantec Endpoint Protection and it hasn't picked up on anything even though javascript is turned on in Opera. But then again, I haven't visited the index page since GH was back up.

didja

28 Jun 2012, 07:11

Last edited by didja on 28 Jun 2012, 07:27, edited 2 times in total.

ripster

28 Jun 2012, 07:19

Wait, you guys left JavaScript ON?

Itoldyou...

http://deskthority.net/off-topic-f10/ge ... tml#p55850

SO!

rknize

28 Jun 2012, 07:21

Probably the best bet. I don't have any "outgoing keystrokes", but I'm on Linux.

rknize

28 Jun 2012, 07:22

Looks like iMav killed the redirect for now.

osea23

28 Jun 2012, 07:24

Sorta scared right now. Just went onto the site and got the rootworm page. Ran MalwareBytes and Microsoft Windows Malicious Removal Tool and both haven't picked up anything yet. Will run MSE soon. *facepalm* Why did I just log onto PayPal.

mkawa

28 Jun 2012, 07:27

i have my doubts that their intent was to install malware. if that had been the case, they wouldn't have defaced the front page (repeatedly, mind you) and given themselves away.

TexasFlood

28 Jun 2012, 07:30

Holy crap! Overreact much?

Read up on Alescurf.C for yourself at Microsoft or Symantec.
All I can see that this thing does is redirect you to a shady web site and pass along some information from your browser. Is this a good thing? No. But sites get info from your browser all the time, if you want to avoid this I suggest following Ripster's advice about gtunnel above. Is it "infecting every visitor with multiple trojans" and "sending keystrokes" out? I doubt it, there is nothing to indicate this except an unsubstantiated post claiming so.

Microsoft:
Summary
Trojan:JS/Alescurf.C is an encrypted JavaScript trojan, which is injected into HTML files. It redirects the user to a certain webpage.
Symptoms
There are no common symptoms associated with this threat. Alert notifications from installed antivirus software may be the only symptoms.

Symantec:
This malicious JavaScript may be injected into legitimate Web pages.
When a user visits the page, the threat gathers certain information from the computer, including:
Computer environment
Screen resolution
Web browser
The gathered information is then sent to the following remote location: [http://]91.196.216.64/[REMOVED]

ripster

28 Jun 2012, 07:37

The_Beast

Join Date
Jan 2012
Location
Wisconsin
Posts
340
Can I blame ripster?


I might know a hosting service, I'll ask him tomorrow. He's pretty good at dealing with DDOS attacks (which I don't think this was) and other web stuff.

hey, HEY!

ಠ_ಠ

And about that donation....

mkawa

28 Jun 2012, 07:40

further discussion on the otherwise non-defaced geekhack is happening here: http://geekhack.org/showthread.php?3296 ... -Redirects

ripster

28 Jun 2012, 07:43

TexasFlood wrote:Holy crap! Overreact much?

Read up on Alescurf.C for yourself at Microsoft or Symantec.
All I can see that this thing does is redirect you to a shady web site and pass along some information from your browser. Is this a good thing? No. But sites get info from your browser all the time, if you want to avoid this I suggest following Ripster's advice about gtunnel above. Is it "infecting every visitor with multiple trojans" and "sending keystrokes" out? I doubt it, there is nothing to indicate this except an unsubstantiated post claiming so.

Microsoft:
Summary
Trojan:JS/Alescurf.C is an encrypted JavaScript trojan, which is injected into HTML files. It redirects the user to a certain webpage.
Symptoms
There are no common symptoms associated with this threat. Alert notifications from installed antivirus software may be the only symptoms.

Symantec:
This malicious JavaScript may be injected into legitimate Web pages.
When a user visits the page, the threat gathers certain information from the computer, including:
Computer environment
Screen resolution
Web browser
The gathered information is then sent to the following remote location: [http://]91.196.216.64/[REMOVED]
Microsoft Security isn't exactly foolproof.
http://www.reddit.com/r/worldnews/comme ... _set_fire/
Last edited by ripster on 28 Jun 2012, 08:41, edited 1 time in total.

ripster

28 Jun 2012, 07:46

mkawa wrote:further discussion on the otherwise non-defaced geekhack is happening here: http://geekhack.org/showthread.php?3296 ... -Redirects
Where do I get alerts on the otherwise defaced Geekhack?
mkawa wrote:in particular, i've talked to a friend that runs a vB-based forum with 3-5k concurrent users, and his conclusion (and opener) was "vB 4 is garbage, that's what your problem is"
SURPRISE!
R00TW0RM
You guys want to hear what I think of your Wiki platform?

Sifo

28 Jun 2012, 08:23

Guess I'll chill here. I asked r00tw0rm what they want with GH, didn't get a straight up response.

ripster

28 Jun 2012, 08:28

r00tw0rms......Nasty looking things..

http://www.ipm.iastate.edu/ipm/icm/node/2428/print

Don't want them in my iPad Nosiree!

The sad thing is I buy Farmer's Market Organic Corn so have most likely eaten one or two.

mkawa

28 Jun 2012, 08:43

...and we've lost the google cache.

Sifo

28 Jun 2012, 08:44

I'm being sent trojans from index. Even just typing in the URL to my browser O_O

codehead

28 Jun 2012, 08:50

I'm stunned. The site's been hacked for like what, 3-4 times during a year. Maybe it's time to do something? Amateurs like that should be banned from hosting websites..

ripster

28 Jun 2012, 08:52

Well, the Geekhack Moderation Team is getting little sympathy from me that is for sure.
