geekhack hacked again!?

[didja]

Man that's a lot of being hacked.

[rknize]

Yeah...they *really* want to own GH. Whatever.

[thegunner100]

^Coming from a mod.

I'm afraid to post anything until I know that it won't be rolled back.

[rknize]

Haha...yeah don't be surprised if it happens. If the exploit is hiding in the DB, a rollback is probably inevitable.

[TexasFlood]

So earlier I hadn't hit the main page which is why I hadn't seen this. I did get redirected upon hitting the main page. Again, I'm not that worried about it being a threat to my PC.

[mkawa]

well, given that they're redirecting you to arbitrary code, you should definitely be avoiding the root page. then again, i keep clicking the damned "forum" button at the top too, so i know your pain.

my feeling is that, although we are probably looking at another db rollback, and possibly some significant changes, we have some freedom right now on when that happens, so we can give people a chance to save their transactions before we bring the forum back into working order and are forced to lose data on gh's end.

[mkawa]

for the time being, please using the google cache of index.php as the front page, and try to stop yourself from clicking the "forum" bottom on the title bar

http://webcache.googleusercontent.com/s ... 0&bih=1321

[TexasFlood]

Sure, there's no point of going to the main page, was just checking it earlier.
I'm not that worried about it but no point in tempting fate either.

[thegunner100]

I rarely actually go to the index page. I usually just chill at the spy

[TexasFlood]

Just to be clear, I meant there is no point in going to the index page NOW since it's broke and will just redirect you anyway. Thanks mkawa for posting the google cache if case someone needs it.

[ripster]

I will chill until you experts say it is safe.

http://www.overclock.net/t/1247033/geek ... t_17581368

For the past week or so Geekhack has been infecting every visitor with multiple trojans. Surprisingly my work's Symantec Endpoint Protection was the ONLY thing that caught it. I tested with 30 or so other AntiVirus and AntiMalware apps and nothing picked it up. Mainly because its java scripts running that are downloading and running trojans from appdata or temp space. They aren't actually installing anything or trying to gain privileged access. My Linux and OSX machines were infected as well. I caught the outgoing keystrokes with network traces.
Turn off java if you're going to visit Geekhack. The Admin needs some help from someone who has a clue about running a web site.

Ouch!

Turn off java if you're going to visit Geekhack. The Admin needs some help from someone who has a clue about running a web site.

[Input Nirvana]

Crap! I run OSX.
WTF do I gotta do about this? NOW I'm pissed.

[thegunner100]

Funny, I run Symantec Endpoint Protection and it hasnt picked up on anything even though javascript is turned on in Opera. But then again, I havent visited the index page since GH was back up.

[didja]

[ripster]

Wait, you guys left JavaScript ON?

Itoldyou...

http://deskthority.net/off-topic-f10/ge ... tml#p55850

SO!

[rknize]

Probably the best bet. I don't have any "outgoing keystrokes", but I'm on Linux.

[rknize]

Looks like iMav killed the redirect for now.

[osea23]

Sorta scared right now. Just went onto the site and got the rootworm page. Ran MalwareBytes and Microsoft Windows Malicious Removal Tool and both haven't picked up anything yet. Will run MSE soon. *facepalm* Why did I just log onto PayPal.

[mkawa]

i have my doubts that their intent was to install malware. if that had been the case, they wouldn't have defaced the front page (repeatedly, mind you) and given themselves away.

[TexasFlood]

Holy crap! Overreact much?

Read up on Alescurf.C for yourself at Microsoft or Symantecc.
All I can see that this thing does is redirect you to a shady web site and pass along some information from your browser. Is this a good thing? No. But sites get info from your browser all the time, if you want to avoid this I suggest following Ripsters advice about gtunnel above. Is it "infecting every visitor with multiple trojans" and "sending keystrokes" out? I doubt it, there is nothing to indicate this except an unsubstantiated post claiming so.

Microsoft:
Summary
Trojan:JS/Alescurf.C is a encrypted JavaScript trojan, which is injected into HTML files. It redirects the user to a certain webpage.
Symptoms
There are no common symptoms associated with this threat. Alert notifications from installed antivirus software may be the only symptoms.

Symantec:
This malicious JavaScript may be injected into legitimate Web pages.
When a user visits the page, the threat gathers certain information from the computer, including:
Computer environment
Screen resolution
Web browser
The gathered information is then sent to the following remote location: [http://]91.196.216.64/[REMOVED]

[ripster]

The_Beast

Join Date
Jan 2012
Location
Wisconsin
Posts
340
Can I blame ripster?


I might know a hosting service, I'll ask him tomorrow. He's pretty good at dealing with DDOS attacks (which I don't think this was) and other web stuff.

hey, HEY!

ಠ_ಠ

And about that donation....

[mkawa]

further discussion on the otherwise non-defaced geekhack is happening here: http://geekhack.org/showthread.php?3296 ... -Redirects

[ripster]

Holy crap! Overreact much?

Read up on Alescurf.C for yourself at Microsoft or Symantecc.
All I can see that this thing does is redirect you to a shady web site and pass along some information from your browser. Is this a good thing? No. But sites get info from your browser all the time, if you want to avoid this I suggest following Ripsters advice about gtunnel above. Is it "infecting every visitor with multiple trojans" and "sending keystrokes" out? I doubt it, there is nothing to indicate this except an unsubstantiated post claiming so.

Microsoft:
Summary
Trojan:JS/Alescurf.C is a encrypted JavaScript trojan, which is injected into HTML files. It redirects the user to a certain webpage.
Symptoms
There are no common symptoms associated with this threat. Alert notifications from installed antivirus software may be the only symptoms.

Symantec:
This malicious JavaScript may be injected into legitimate Web pages.
When a user visits the page, the threat gathers certain information from the computer, including:
Computer environment
Screen resolution
Web browser
The gathered information is then sent to the following remote location: [http://]91.196.216.64/[REMOVED]

Microsoft Security isn't exactly foolproof.
http://www.reddit.com/r/worldnews/comme ... _set_fire/

[ripster]

further discussion on the otherwise non-defaced geekhack is happening here: http://geekhack.org/showthread.php?3296 ... -Redirects

Where do I get alerts on the otherwise defaced Geekhack?

in particular, i've talked to a friend that runs a vB-based forum with 3-5k concurrent users, and his conclusion (and opener) was "vB 4 is garbage, that's what your problem is"

SURPRISE!

R00TW0RM

You guys want to hear what I think of your Wiki platform?

[Sifo]

Guess I'll chill here. I asked r00tw0rm what they want with GH, didn't get a straight up response.

[ripster]

r00tw0rms......Nasty looking things..

http://www.ipm.iastate.edu/ipm/icm/node/2428/print



Don't want them in my iPad Nosiree!

The sad thing Is I buy Farmer's Market Organic Corn so have most likely eaten one or two.

[mkawa]

...and we've lost the google cache.

[Sifo]

I'm being sent trojans from index. Even just typing in the URL to my browser O_O

[codehead]

I'm stunned. The site's been hacked for like what, 3-4 times during a year. Maybe it's time to do something? Amateurs like that should be banned for hosting websites..

[ripster]

Well, the Geekhack Moderation Team is getting little sympathy from me that is for sure.