Spoke too soon :(

[spool32]

I'll attempt to fix it again in the morning... until then, add go00ogle . net (remove spaces) to your
adblock preferences under Tools-->adblock Plus Preferences.
Non-firefox users, please watch out for trojans.

[PlasmaJohn]

Another way to block it is to add the following to your hosts file:

Code: Select all

127.0.0.1 go00ogle(dot)net

[gutemensch]

Here is what Kaspersky complained about when I logged in.

6/8/2009 8:25:50 AM Detected: cximnik.cn/* Firefox http://cximnik.cn/img1/index.php Databases
6/8/2009 8:25:50 AM Denied: cximnik.cn/* Firefox http://cximnik.cn/img1/index.php Databases
6/8/2009 8:25:51 AM Denied: Exploit.JS.Pdfka.gu Firefox http://xfcg.info/evo/count.php?o=11
6/8/2009 8:25:51 AM Detected: Exploit.JS.Pdfka.gu Firefox http://xfcg.info/evo/count.php?o=11
6/8/2009 8:25:52 AM Detected: peskufex.cn/* Firefox http://peskufex.cn/ss/in.cgi?7 Databases
6/8/2009 8:25:52 AM Denied: peskufex.cn/* Firefox http://peskufex.cn/ss/in.cgi?7 Databases

[Grunt]

Another way to block it is to add the following to your hosts file:

Code: Select all

127.0.0.1 go00ogle(dot)net

In case anyone doesn't know how to do so:
Hosts file is found under C:\WINDOWS\SYSTEM32\drivers\etc
You can edit it with notepad.

BROWSER FAIL

Not everyone can choose their browser or what can be installed on their machine. The "Firefox or Fail" attitude and giving the MSFT smirk is a bit much considering the real fail is on the website.

[spool32]

Yeah, I know.

Working on a real solution...

[krackq]

Please be sure to dump your web browser cache too if it hasn't been in a few days. Its the link you typically use to clear out your history and temp files in IE or Firefox when you're trying to hide your pr0n from your boss or spouse.....

[Mulu]

Another way to block it is to add the following to your hosts file:

Code: Select all

127.0.0.1 go00ogle(dot)net

I already show that mapped to "localhost."

[Grunt]

Another way to block it is to add the following to your hosts file:

Code: Select all

127.0.0.1 go00ogle(dot)net

I already show that mapped to "localhost."

Yes, you can map more than one thing to 127.0.0.1 (your local machine). What this particular fix will do is keep the script from being able to be run because it will try to access the go00ogle site, and point back to your machine, and no script will run (because it's not there).

[StormShadows]

Well, you can point as many of them to your machine as you want, though I am not sure how it will react (if you don't have a server running likely you will just get a destination unreachable error or some such). At the moment I have a full LAMP package with around 10 virtual hosts running on my machine with an entry for every single one in my hosts file.

But anyway, I have been meaning to ask what is the problem with the site? I doubt I can do anything to help with it, but since I can not even tell what is wrong I can't even guess...

[Mulu]

Sounds good. Haven't actually had an issue yet, I use Safari, but better safe than sorry.

[spool32]

Well, you can point as many of them to your machine as you want, though I am not sure how it will react (if you don't have a server running likely you will just get a destination unreachable error or some such). At the moment I have a full LAMP package with around 10 virtual hosts running on my machine with an entry for every single one in my hosts file.

But anyway, I have been meaning to ask what is the problem with the site? I doubt I can do anything to help with it, but since I can not even tell what is wrong I can't even guess...

The basic problem was that someone was injecting code into the styles/subsilver2/templates/overall_header.html file... an advQuery function that, when executed, executed a file if.php at the site go00ogle dot net. if.php contained malicious code that attempted to do a series of nasty things to the client machine.

I *think* it's fixed again for good... if anyone sees differently, please let me know ASAP.

Thanks,

-spool32

[jaythespacehound]

You know... I can't help but ask..
How did the code get there?

[StormShadows]

Spool:
Injecting? Makes me think of that big hole in a basic SQL DB interface. I would not think that would be the case on Avlis though, not as old and established as this thing is. I would think the portal should have been secured by now, and PHPBB should have SQL Injection protection built right in. I would assume that the Wiki was a pre-packaged CMS much like the forums, in which case it should be protected as well.

*Shrugs* Oh well, it is another one of those things that was sorely neglected in my education. Still, I find the whole thing rather fascinating. *Grins* I kind of built my casters after myself in that way. I rather enjoy learning new things and acquiring knowledge.

I am curious though Spool, how much knowledge/training/experience/whatever do you have with this kind of stuff?
---------

Jay:
Likely that is the million dollar question. It actually might not be a bad idea to have everyone with general server, FTP, and DB access change their passwords. But then again, if that were the problem it just might let him get everyone's passwords instead of one or two peoples... That is the problem with hackers and such. Until you know just what it was they did you can't tell how to fight them.

[spool32]

Going on 15 years in the computer industry, most of it windows admin and network design... the last three in information security

We're all patched up right now, so sql injections are unlikely. It's either a new vulnerability, or something I've missed so far. Now that we seem to be OK again, the forensics starts!

Our logs are huge.

[loki70]

Server logs are teh suck. Just be lucky you aren't trying to find a printer in TS configurations for a remote location

[Grunt]

The wiki is still infected.

[spool32]

The wiki is still infected.

"again", not still... but yeah. Thanks for the catch... headed over there now to fix.

[ninja]

I think this is just another ruse to allow Spool32 to increase his post count.

[spool32]

[Sarmanos]

Please make sure you have anti-malware or malicious site software or what not. It seems now Adblock is no longer completely stopping these attacks and I am now getting attempts to be sent to a malicious site.

[PlasmaJohn]

blocking the google imposter stops it cold

[Demonseed]

If you have firefox, get Noscript. Stops this dead in it's tracks