Author Topic: Trojan horse on SoR??  (Read 23279 times)

Offline want2learnTopic starter

  • Robot Overlord
  • ****
  • Posts: 189
  • Helpful? 4
Trojan horse on SoR??
« on: March 14, 2009, 12:15:10 AM »
Anyone else get this or just me?

I have SoR in my favourites but the page is linked to the $50 robot tutorial, I just navigate to the forum from there, no big hassle really.
Since last night I've been getting a message from avast that 'step by step robot[1]htm contains a sample of JS Redirector E trojan horse'.

I've cleaned my computers but don't know if it's actually SoR or me. The message is still coming today.

Anyone else get this?

EDIT:- I've now been on a lot of other sites with absolutely no problems at all. It's now happening on more of SoR's pages and I had a bit of a time trying to get back onto the forum.
I'm beginning to think it's not me ???
« Last Edit: March 14, 2009, 06:50:57 AM by want2learn »
The question that drives me hazy:

Am I, or the others crazy?

Offline MrWizard

  • Full Member
  • ***
  • Posts: 117
  • Helpful? 0
  • My cylon friend told me a killing joke......
Re: Trojan horse on SoR??
« Reply #1 on: March 14, 2009, 10:26:48 AM »
I have no problem.....what kind of anti-virus software are you using ?

Offline want2learnTopic starter

  • Robot Overlord
  • ****
  • Posts: 189
  • Helpful? 4
Re: Trojan horse on SoR??
« Reply #2 on: March 14, 2009, 11:47:06 AM »
AVAST (free edition), The resident scanner is picking up the redirector, only noticed because my link on my favourites is to the $50 tutorial and not the forum. I'm too lazy to change it ;D

I've tried loads of the other links in my favourites and I've browsed the net for a couple of hours too without problem, I'm only getting it with SoR

EDIT:- Since finding this yesterday, I've found the forum incredibly slow to load. Sometimes not even at all.

The homepage is giving the alert too. Funny because not the whole site seems to be affected, except for the slow loading issue (although all of the pages I have tried so far are slow, some are just marginally slower)
« Last Edit: March 14, 2009, 01:23:23 PM by want2learn »
The question that drives me hazy:

Am I, or the others crazy?

Offline sigurd

  • Beginner
  • *
  • Posts: 5
  • Helpful? 0
Re: Trojan horse on SoR??
« Reply #3 on: March 14, 2009, 02:50:17 PM »
I am getting that message too... :-\
Maybe it's a glitch with !AVAST...
Wait, it can't be a new glitch... it hasn't upgraded for a while...
I hope it gets fixed soon...

Offline Razor Concepts

  • Supreme Robot
  • *****
  • Posts: 1,856
  • Helpful? 53
    • RazorConcepts
Re: Trojan horse on SoR??
« Reply #4 on: March 14, 2009, 04:10:58 PM »
I'm on Avast free edition and nothing comes up.

Offline galannthegreat

  • Supreme Robot
  • *****
  • Posts: 615
  • Helpful? 4
  • Blue-Lensed Blue LEDs?! What?! Impossible!!
Re: Trojan horse on SoR??
« Reply #5 on: March 14, 2009, 04:47:43 PM »
New avast update I'm guessing. Really annoying, but I do notice it is reporting it as "MALWARE", so somebody should look into it pronto.
Kurt

Offline SmAsH

  • Supreme Robot
  • *****
  • Posts: 3,959
  • Helpful? 75
  • SoR's Locale Electronics Nut.
Re: Trojan horse on SoR??
« Reply #6 on: March 14, 2009, 05:12:38 PM »
wait so when you scan for viruses there is a file labelled sor $50 robot for the favorites that your pc sees as a virus?
Howdy

Offline HDL_CinC_Dragon

  • Supreme Robot
  • *****
  • Posts: 1,261
  • Helpful? 5
Re: Trojan horse on SoR??
« Reply #7 on: March 14, 2009, 05:14:04 PM »
I'm running Norton and nothing comes up. My web browser is also Google Chrome. I'll try it on Firefox and IE.

-EDIT-
I just looked at step 1 of the tutorial in all 3 of my browsers and no warnings come up.
Usually Google Chrome will automatically redirect away from a web page that it has had reports of being malicious. It brings you to a page that says why it was red flagged and then you can click a link that either takes you back to the page anyway or goes into more detail about the threat.
« Last Edit: March 14, 2009, 05:19:18 PM by HDL_CinC_Dragon »
United States Marine Corps
Infantry
Returns to society: 2014JAN11

Offline SeagullOne

  • Robot Overlord
  • ****
  • Posts: 248
  • Helpful? 0
  • Humans and Robots working together for our future.
    • Loren John Presley - Author, Artist, Roboteer
Re: Trojan horse on SoR??
« Reply #8 on: March 14, 2009, 06:50:59 PM »
I too am getting a warning for a Trojan Horse, and I too am using the Avast! free edition. It really confused me because it's never done that before ???
I think the chauffeur did it.

.......

He did.

Offline Admin

  • Administrator
  • Supreme Robot
  • *****
  • Posts: 11,703
  • Helpful? 173
    • Society of Robots
Re: Trojan horse on SoR??
« Reply #9 on: March 14, 2009, 07:16:34 PM »
The next time this happens, go to View Source, save it as a .txt, and email it to me.

palmisano@[email protected]

There is quite the small possibility that someone hacked me and modified source code . . .

Offline want2learnTopic starter

  • Robot Overlord
  • ****
  • Posts: 189
  • Helpful? 4
Re: Trojan horse on SoR??
« Reply #10 on: March 15, 2009, 01:46:22 AM »
Quote
The next time this happens, go to View Source, save it as a .txt, and email it to me.

Can't find any option to view source but I'm emailing you what I did find.
The question that drives me hazy:

Am I, or the others crazy?

Offline SmAsH

  • Supreme Robot
  • *****
  • Posts: 3,959
  • Helpful? 75
  • SoR's Locale Electronics Nut.
Re: Trojan horse on SoR??
« Reply #11 on: March 15, 2009, 02:05:44 AM »
When you're in the tutorial, right click and go to view page source. It should open a new window with something like this:

Then copy it into a .txt file and email it to john (admin).
« Last Edit: March 15, 2009, 02:07:19 AM by SmAsH »
Howdy

Offline Admin

  • Administrator
  • Supreme Robot
  • *****
  • Posts: 11,703
  • Helpful? 173
    • Society of Robots
Re: Trojan horse on SoR??
« Reply #12 on: March 15, 2009, 02:17:45 AM »
I've looked through the various most likely to be infected files and couldn't see anything obvious. I need to see the page source to see exactly what's going on.

What browser and OS are you guys using?

My theory is that Statcounter, which runs a javascript on every page in SoR, is infected itself. It's external to SoR, so I'd have to write them if that's the case.

This look familiar? http://www.statcounter.com/counter/counter.js

I also run two javascripts from Google, so I'll assume they are secure . . .
http://www.google-analytics.com/urchin.js
http://pagead2.googlesyndication.com/pagead/show_ads.js

Offline want2learnTopic starter

  • Robot Overlord
  • ****
  • Posts: 189
  • Helpful? 4
Re: Trojan horse on SoR??
« Reply #13 on: March 15, 2009, 02:31:02 AM »
Sorry it's taking me a minute to get things done.

The only Windows computer we have is my wife's laptop, the usual browser on this one is AOL's default browser. I had to start IE then get the source.

My home network has been down a while for Ahem (clears throat) maintenance. I really need to get some motivation to get things done :D

I've started one of my kids' PCs which is running Ubuntu LTS, got Firefox booted and wheyhey no problems, no redirection, NOTHING.

I'm starting to think this is a false positive from AVAST?
« Last Edit: March 15, 2009, 10:30:56 AM by want2learn »
The question that drives me hazy:

Am I, or the others crazy?

Offline Admin

  • Administrator
  • Supreme Robot
  • *****
  • Posts: 11,703
  • Helpful? 173
    • Society of Robots
Re: Trojan horse on SoR??
« Reply #14 on: March 15, 2009, 02:38:34 AM »
It's NOT a glitch . . .

want2learn just sent me the source, and holy crackers it's loaded with bad stuff!!!

Incredibly obfuscated javascript, billions of random links, porn sites, etc. It seems to all be appended at the end of the page.

Strangely however I don't see this at my end. I looked through all the pages, viewing source and all, but I don't see anything . . . I refreshed the main page many times thinking it's a trojan that intentionally appears some small percentage of the time. Still didn't see stuff.

No files are listed as modified that I didn't personally modify (checking by date).

Quote
I had to start IE then get the source.
I don't see it in IE 6 either . . .

My Norton AV isn't detecting anything . . .

Does this happen on *every* page load? Just the main page, or all pages? Does it also happen in the forum?

Offline want2learnTopic starter

  • Robot Overlord
  • ****
  • Posts: 189
  • Helpful? 4
Re: Trojan horse on SoR??
« Reply #15 on: March 15, 2009, 02:46:35 AM »
The resident scanner warnings have been happening on the SoR Homepage, The $50 tutorial pages and the whole site has been slower loading.

Funny thing is I've just started looking through the site on both computers to give a comprehensive list and voila! no more problems ;D
The question that drives me hazy:

Am I, or the others crazy?

Offline Admin

  • Administrator
  • Supreme Robot
  • *****
  • Posts: 11,703
  • Helpful? 173
    • Society of Robots
Re: Trojan horse on SoR??
« Reply #16 on: March 15, 2009, 04:11:55 AM »
want2learn emailed me and said it occurs on both Linux and Windows, on IE and Firefox.

I did a rootkit scan . . . apparently the SoR server has been rootkitted. So supposedly my site host screwed up security settings and that's how the baddies got in . . . I sent them an email but that's all I can do right now.

For now, if you visit SoR, TURN ON YOUR ANTI-VIRUS SOFTWARE!!! Also, temporarily disable javascript and redirects if you're extra paranoid . . .

Offline SmAsH

  • Supreme Robot
  • *****
  • Posts: 3,959
  • Helpful? 75
  • SoR's Locale Electronics Nut.
Re: Trojan horse on SoR??
« Reply #17 on: March 15, 2009, 04:20:52 AM »
Wait, if I have norton360 it's always on, right? And I'm using Firefox which says it scans webpages and downloaded files? You got me all paranoid now :-[ Oh well, norton says phishing protection is on. Not much more I can do really eh. Sit back and read away 8)
Howdy

Offline Tsukubadaisei

  • Robot Overlord
  • ****
  • Posts: 293
  • Helpful? 0
Re: Trojan horse on SoR??
« Reply #18 on: March 15, 2009, 04:34:00 AM »
Quote
want2learn emailed me and said it occurs on both Linux and Windows, on IE and Firefox.

I did a rootkit scan . . . apparently the SoR server has been rootkitted. So supposedly my site host screwed up security settings and that's how the baddies got in . . . I sent them an email but that's all I can do right now.

For now, if you visit SoR, TURN ON YOUR ANTI-VIRUS SOFTWARE!!! Also, temporarily disable javascript and redirects if you're extra paranoid . . .

Just reporting but, I am on Linux (Fedora 10, up-to-date) and no problems.
A.I.(yes those are my initials)

Offline airman00

  • Contest Winner
  • Supreme Robot
  • ****
  • Posts: 3,650
  • Helpful? 21
  • narobo.com
    • Narobo.com - Mechatronics and related
Re: Trojan horse on SoR??
« Reply #19 on: March 15, 2009, 07:31:06 AM »
I assume that since I am on Mac there are no problems for me personally?
Check out the Roboduino, Arduino-compatible board!


Link: http://curiousinventor.com/kits/roboduino

www.Narobo.com

Offline want2learnTopic starter

  • Robot Overlord
  • ****
  • Posts: 189
  • Helpful? 4
Re: Trojan horse on SoR??
« Reply #20 on: March 15, 2009, 10:12:17 AM »
Sorry I should've posted earlier but had kid stuff to take care of.

I know it may not be cleaned yet but in my last e-mail to admin I said I was no longer getting the alert and that I had attached another copy of the source which I thought looked pretty clean (compared to the first, but I'm definitely no programmer so I'd tend to take admin's word on it).
The question that drives me hazy:

Am I, or the others crazy?

paulstreats

  • Guest
Re: Trojan horse on SoR??
« Reply #21 on: March 16, 2009, 07:07:58 AM »
I got the same redirects on the family computer while looking at the forum coming from the main SoR page (the first time I've had pop ups happen for a couple of years). It also created an 'add on' in Internet Explorer and a memory process that replaced the add on if you disable it. A quick scan and removal with Malwarebytes Anti-Malware sorted it out. I wonder if it is a random thingy or could it be getting in through the random Google ads?

Offline Admin

  • Administrator
  • Supreme Robot
  • *****
  • Posts: 11,703
  • Helpful? 173
    • Society of Robots
Re: Trojan horse on SoR??
« Reply #22 on: March 16, 2009, 10:02:21 AM »
SoR has been rootkitted at the server level (meaning they changed files on the server that I can't access).

My host hasn't responded to my email . . .

so all I can say right now is:

BLOCK REDIRECTS in your browser

DISABLE JAVASCRIPT in your browser

Offline HDL_CinC_Dragon

  • Supreme Robot
  • *****
  • Posts: 1,261
  • Helpful? 5
Re: Trojan horse on SoR??
« Reply #23 on: March 16, 2009, 01:44:37 PM »
Google Chrome build 1.0.154.48 on Windows XP Home SP3 (dunno what the heck happened to my Pro copy....) with Norton Anti Virus Gaming Edition build 16.2.0.7
No problems here. I'll start looking at source code to see if I'm getting the malicious JS on my end


-EDIT-
I loaded several different SoR pages and looked through the page sources and found nothing out of the ordinary. I skimmed the whole thing and saw nothing that would be malicious.... has the problem been fixed already?
« Last Edit: March 16, 2009, 01:54:07 PM by HDL_CinC_Dragon »
United States Marine Corps
Infantry
Returns to society: 2014JAN11

Offline Admin

  • Administrator
  • Supreme Robot
  • *****
  • Posts: 11,703
  • Helpful? 173
    • Society of Robots
Re: Trojan horse on SoR??
« Reply #24 on: March 16, 2009, 08:03:38 PM »
No the problem has not been fixed.

It appears to be a hack that randomly appears only some percentage of the time.

Offline HDL_CinC_Dragon

  • Supreme Robot
  • *****
  • Posts: 1,261
  • Helpful? 5
Re: Trojan horse on SoR??
« Reply #25 on: March 17, 2009, 01:47:21 PM »
Hmm I just sat on step_by_step_robot_step1.shtml and refreshed about 20 times in Google Chrome and 20 times on Firefox and skimmed the source code each time and didn't come up with anything.... maybe it knows I'd strangle it with its own lines of code if it showed its ugly face?

Oh well, guess I'm done on this topic then lol
United States Marine Corps
Infantry
Returns to society: 2014JAN11

Offline offy

  • Supreme Robot
  • *****
  • Posts: 340
  • Helpful? 1
Re: Trojan horse on SoR??
« Reply #26 on: March 17, 2009, 03:18:45 PM »
I went through all the files, checking the code, javascript, and it all seems code. I am using FireFox 3 on Ubuntu 8.10.

@admin: I know a few really good hosts that don't get any problems that you may want to look into, send me a PM or something.

@all: If someone does get a trojan horse don't worry. You can remove them. If you need help just PM me.

Offline Admin

  • Administrator
  • Supreme Robot
  • *****
  • Posts: 11,703
  • Helpful? 173
    • Society of Robots
Re: Trojan horse on SoR??
« Reply #27 on: March 18, 2009, 12:05:18 AM »
My host claims their own rootkit scanner is often wrong. They also blame php.ini (which runs the forum) as the problem.

But the main SoR site doesn't use php . . .

So question to everyone, has the problem only happened on the regular site with .shtml pages, or does it also happen in the forum too?

Offline Admin

  • Administrator
  • Supreme Robot
  • *****
  • Posts: 11,703
  • Helpful? 173
    • Society of Robots
Re: Trojan horse on SoR??
« Reply #28 on: March 18, 2009, 12:44:15 AM »
Ok I found the hack, finally!

Apparently this forum was hacked through a php script . . . still trying to figure out how that infected non-forum pages . . .

I'm working with the SMF creators to figure this out:
http://www.simplemachines.org/community/index.php?topic=299718.0

In the meantime, please report any weirdness to me.

Offline Admin

  • Administrator
  • Supreme Robot
  • *****
  • Posts: 11,703
  • Helpful? 173
    • Society of Robots
Re: Trojan horse on SoR??
« Reply #29 on: March 18, 2009, 09:55:01 AM »
The next time someone sees the hack happen, please email me the exact url in the address bar that you see. I have a theory . . .
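
For checking the saved View Source copies that readers were asked to send in, here is an added example (not part of any post in this thread, and not SoR's or SMF's code). It flags content after the closing `</html>` tag and script hosts other than the three URLs listed in Reply #12, then reports what fraction of saved copies were flagged. Treating "appended at the end of the page" as "after `</html>`" is an assumption, and the sample pages and `.example` hosts are constructed.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Script hosts the admin lists in Reply #12; anything else is unexpected.
ALLOWED = {"www.statcounter.com", "www.google-analytics.com",
           "pagead2.googlesyndication.com"}
# Constructed samples (not the real SoR source): clean copy, and one with appended junk.
CLEAN = ('<html><body><h1>Step 1</h1>'
         '<script src="http://www.statcounter.com/counter/counter.js"></script>'
         '</body></html>\n')
INJECTED = CLEAN + ('<script src="http://injected.example/x.js"></script>'
                    '<a href="http://spam.example/1">a</a>'
                    '<a href="http://spam.example/2">b</a>')

class _Collector(HTMLParser):
    """Collects external script hosts and counts links in an HTML fragment."""
    def __init__(self):
        super().__init__()
        self.script_hosts, self.links = set(), 0

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "script" and attrs.get("src"):
            host = urlparse(attrs["src"]).netloc.lower()
            if host:  # a relative src has no host: same-site, skip it
                self.script_hosts.add(host)
        elif tag == "a" and attrs.get("href"):
            self.links += 1

def _collect(fragment):
    collector = _Collector()
    collector.feed(fragment)
    collector.close()
    return collector

def audit_page(source, allowed=ALLOWED):
    """Audit one saved View Source copy; returns a dict of findings."""
    close = re.search(r"</html\s*>", source, re.IGNORECASE)  # first closing tag
    trailing = source[close.end():].strip() if close else ""
    hosts = _collect(source).script_hosts - set(allowed)
    return {"trailing_chars": len(trailing),
            "trailing_links": _collect(trailing).links,
            "unexpected_script_hosts": sorted(hosts),
            "suspicious": bool(trailing or hosts)}

def flagged_ratio(sources):
    """Fraction of saved copies flagged; the injection here was intermittent."""
    flags = [audit_page(s)["suspicious"] for s in sources]
    return sum(flags) / len(flags) if flags else 0.0
```

Because the injected content only showed up on some page loads, a single clean copy proves little; saving many copies over time and looking at `flagged_ratio` gives a better picture.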
