Forum hijack



Kaa
06-24-2009, 09:28 AM
People, run a virus scan on your computers.

Yesterday around 4:02pm EST the forum software was hijacked and for a while was infecting anyone who opened any forum webpage. Specifically, it tried to download a file called r0x.com to your computer and execute it. I don't know what malware was the payload as my own machine wasn't infected, but I am pretty sure it was nasty enough.

If your computer seems extra slow, or shows a lot of network traffic when you're not doing anything, or you get random pop-ups when you're browsing -- a clean-up might be in order.

Kaa

mmd
06-24-2009, 09:33 AM
Saw this yesterday. My computer caught the bug & alerted me. I bailed and told our IT person, who swept my 'pooter and our network this morning. Nothing got in, but it was alarming nonetheless.

mizzenman
06-24-2009, 09:33 AM
Thanks a lot for the warning!

Any free virus scans you would recommend?

Paul Pless
06-24-2009, 09:33 AM
sooooooon....

Kaa
06-24-2009, 09:37 AM
sooooooon....

Yeah, that's the one. If you saw that page, it had a chunk of VBscript code (available upon request :D) that tried to download a file to your computer and execute it.

Kaa

Popeye
06-24-2009, 09:38 AM
i found a coupla cookies from a ladies underwear site , otherwise nada

huisjen
06-24-2009, 09:39 AM
This is a windoze thing, isn't it.

Dan

Tylerdurden
06-24-2009, 09:39 AM
Any word from Scot?

willmarsh3
06-24-2009, 09:40 AM
I saw the Sooooon... in Google Chrome. I'll check.

mmd
06-24-2009, 09:40 AM
We use the AVG Free download on all our laptops and workstations, and an enhanced (non-free) version on our servers. It seems to be pretty good - we do a lot of web-browsing and e-mail traffic, and haven't had a significant threat to our systems for the length of time I have been here (almost two years).

Kaa
06-24-2009, 09:42 AM
Any word from Scot?

I called the WoodenBoat offices yesterday to tell them they have a problem and sent an email to Scot.

I think the forums were back to normal by 7pm EST or so.

Kaa

mizzenman
06-24-2009, 09:42 AM
Thanks! I'll check it out :)

Kaa
06-24-2009, 09:44 AM
Any free virus scans you would recommend?

As per mmd, AVG Free is the standard recommendation.

A couple of years ago Ad-Aware and Hijack This! were quite popular and useful. I don't know if they kept up with being the state of the art.

Kaa

John of Phoenix
06-24-2009, 09:46 AM
From WhoIs - http://whois.domaintools.com/r0x.com

It appears to be one of those advertisement aggregators. There are ads for everything under the sun at r0x(dot)com. Looks like they're trying to redirect traffic to their site to boost revenue.


Whois Record

Domain Name: R0X.COM

Registrant [1247518]:
Moniker, Privacy Services [e-mail address rendered as an image on domaintools.com]
Moniker Privacy Services
20 SW 27th Ave.
Suite 201
Pompano Beach
FL
33069
US

Administrative Contact [1247518]:
Moniker, Privacy Services [e-mail address rendered as an image on domaintools.com]
Moniker Privacy Services
20 SW 27th Ave.
Suite 201
Pompano Beach
FL
33069
US
Phone: +1.9549848445
Fax: +1.9549699155

Billing Contact [1247518]:
Moniker, Privacy Services [e-mail address rendered as an image on domaintools.com]
Moniker Privacy Services
20 SW 27th Ave.
Suite 201
Pompano Beach
FL
33069
US
Phone: +1.9549848445
Fax: +1.9549699155

Technical Contact [1247518]:
Moniker, Privacy Services [e-mail address rendered as an image on domaintools.com]
Moniker Privacy Services
20 SW 27th Ave.
Suite 201
Pompano Beach
FL
33069
US
Phone: +1.9549848445
Fax: +1.9549699155

Domain servers in listed order:

NS2.DSREDIRECTION.COM
NS1.DSREDIRECTION.COM

Record created on: 2000-09-26 12:58:05.0
Database last updated on: 2009-06-19 12:08:22.803
Domain Expires on: 2009-09-26 12:58:05.0

Kaa
06-24-2009, 09:53 AM
From WhoIs

Well, the file was named r0x.com -- that's .com as the extension of a specific kind of executable file in DOS and Windows, not as an internet domain.

The file was actually served from www. kingaztech. com (unless you know what you're doing I don't recommend following this link) which looks to be a personal site that was itself hijacked and used as a file server.

Kaa

willmarsh3
06-24-2009, 10:31 AM
Trend Micro did not turn up anything. I think Google Chrome did not run the vbscript or whatever was intended by the malware. I'm running Windows XP.

Krunch
06-24-2009, 10:40 AM
I use a Mac. What's a virus?

2MeterTroll
06-24-2009, 10:50 AM
Thanks a lot for the warning!

Any free virus scans you would recommend?


Avast

http://www.avast.com/

home edition is free

2MeterTroll
06-24-2009, 12:12 PM
Gentoo didn't even register it as a problem or an install. It told me there was a PHP, showed me the SOOON thing and simply went on with its day.

paladin
06-24-2009, 12:23 PM
Actually...my machine blocked it and recommended against opening the file....since I didn't recognize the origin I turned the machine off...

John of Phoenix
06-24-2009, 12:28 PM
Did anyone else get the message that the forum was down for maintenance on the main forum page?

I got "Soooon" only on the Bilge page.

2MeterTroll
06-24-2009, 12:33 PM
Yep, that's what I got.

Gary E
06-24-2009, 12:41 PM
Did anyone else get the message that the forum was down for maintenance on the main forum page?

I got "Soooon" only on the Bilge page.

I was trying to get to a forum page and was shown a page that said I was banned from this forum, then a page saying the site was in maintenance.

Came back later and it was OK.

Can someone hack the Woodenboat site and get all the e-mail addresses of each registered user?

John of Phoenix
06-24-2009, 12:59 PM
:confused: Most unusual. :confused:

Any word from Scot?

johnw
06-24-2009, 01:02 PM
Norton caught it.

Anybody figured out what it does yet?

Kaa
06-24-2009, 01:18 PM
Did anyone else get the message that the forum was down for maintenance on the main forum page?

I got "Soooon" only on the Bilge page.

Yes.

Going to www.woodenboat.com/forum (http://www.woodenboat.com/forum) led to the same thing -- an attempted download of a file onto my machine. Specifically, the www.woodenboat.com/forum/index.html file was rewritten and I have saved myself a copy.

Kaa
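Kaa's point above is that the served index.html itself was rewritten and that he kept a copy. For anyone doing the same kind of clean-up, the check below is an added example (not Kaa's saved file, not the forum's code, and not the script that was served): it compares a known-good copy of a page against the copy captured during an incident, flags any change by content hash, lists the script elements that exist only in the served copy along with the scripting language they declare, and prints a unified diff for the incident note. Both HTML samples are constructed here; the injected block is a harmless stand-in.

```python
import difflib
import hashlib
import re

# Constructed sample input (not the real forum page): a known-good copy of the
# front page and a copy captured while the site was serving injected code.
# The injected block is a harmless stand-in; the actual script is not reproduced.
BASELINE_HTML = """<html><head><title>WoodenBoat Forum</title>
<script type="text/javascript" src="clientscript/vbulletin_global.js"></script>
</head><body><h1>Forum</h1></body></html>
"""

SERVED_HTML = """<html><head><title>WoodenBoat Forum</title>
<script type="text/javascript" src="clientscript/vbulletin_global.js"></script>
<script language="VBScript">' [payload omitted in this example]</script>
</head><body><h1>Forum</h1></body></html>
"""

# A whole <script ...>...</script> element, case-insensitive, spanning lines.
SCRIPT_RE = re.compile(r"<script\b[^>]*>.*?</script>", re.IGNORECASE | re.DOTALL)
# The language= or type= attribute on a script element.
LANG_RE = re.compile(r'\b(?:language|type)\s*=\s*"?([^"\s>]+)', re.IGNORECASE)


def sha256_hex(text):
    """Content hash used to detect any change to the page at all."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def page_changed(baseline, served):
    """True if the served copy differs in any way from the known-good copy."""
    return sha256_hex(baseline) != sha256_hex(served)


def script_blocks(html):
    """All script elements in document order."""
    return SCRIPT_RE.findall(html)


def script_language(block):
    """Scripting language declared on the element ('unknown' if none)."""
    m = LANG_RE.search(block)
    return m.group(1).lower() if m else "unknown"


def find_injected_scripts(baseline, served):
    """Script elements present in the served page but absent from the baseline."""
    known = set(script_blocks(baseline))
    return [b for b in script_blocks(served) if b not in known]


def unified_diff(baseline, served):
    """Line-level diff suitable for pasting into an incident note."""
    return "".join(difflib.unified_diff(
        baseline.splitlines(keepends=True), served.splitlines(keepends=True),
        fromfile="baseline/index.html", tofile="served/index.html"))


def triage(baseline, served):
    """Summarise the comparison: changed at all, and what script was added."""
    injected = find_injected_scripts(baseline, served)
    return {
        "changed": page_changed(baseline, served),
        "injected_count": len(injected),
        "injected_languages": [script_language(b) for b in injected],
    }


if __name__ == "__main__":
    print(triage(BASELINE_HTML, SERVED_HTML))
    print(unified_diff(BASELINE_HTML, SERVED_HTML))
```

The hash comparison only says that something changed; the script listing is what narrows it to the injected element, and the declared language is worth recording because a VBScript block only runs in browsers that support it, which matches the reports in this thread of some browsers and platforms seeing nothing.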

peter radclyffe
06-24-2009, 01:32 PM
Avast

http://www.avast.com/

home edition is free
avast, a scan for wbf, you couldn't make it up

2MeterTroll
06-24-2009, 01:39 PM
I used it for a long time on a windoze box. The outfit is pretty savvy and the updates are rather nice. They give the home version away cause it makes their lives easy.

huisjen
06-24-2009, 01:42 PM
... the madding crowd.

We resemble that remark.

Dan

TomF
06-24-2009, 01:45 PM
We resemble that remark.

Dan

Speak for yourself - I'm just irritable.

Bob Adams
06-24-2009, 06:44 PM
Norton caught it.

Anybody figured out what it does yet?

Yeah, Norton wouldn't let me on the forum either. Sometimes it's a pain, but it worked this time.

BarnacleGrim
06-24-2009, 06:52 PM
So that was what it was.

Isn't VBscript an Internet Explorer thing?

SMARTINSEN
06-24-2009, 07:14 PM
I figure that when the "Forum is down for maintenance" screen showed that Scott put the kibosh to things, perhaps after KAA notified him. AVG blocked the intrusion for me using Firefox. I got a threat message about a "MDAC insertion".

johnw
06-24-2009, 07:36 PM
I'm a Firefox guy too, but since you can't get rid of Internet Exploiter, its vulnerabilities are still with you.

WX
06-25-2009, 07:06 AM
Firefox on Ubuntu 9.04...nothing showed here.

shamus
06-25-2009, 07:14 AM
I had left a bilge thread open, and when I got back and clicked refresh was told (AVG that I pay for) to leave it alone. Shortly after I noticed the forum was down for maintenance, and presumed Scot had been advised of the problem.

Tylerdurden
06-25-2009, 07:16 AM
Was there an announcement anywhere? Most forums I visit will make an announcement in regards to such things so members can take action to protect themselves. Thanks Kaa for bringing this forward.