View Full Version : FAO: SARAH. Trojan, keylogger, etc.



lenneth
11-08-2008, 10:52 PM
I picked up a bunch of crap from what I can only assume was a brief visit (using Opera) to the FFS main site and/or GH.

Don't recall the name of the trojan atm but it was associated with a file called "orz.exe". orz.exe would reinitialize in my processes when I visited the forums this morning, and I don't know if that had something to do with the weirdness we experienced this morning or not. Every time I visited the forums, something would boot up the orz.exe until I ended the process. it wouldn't return until I checked the forums.

Anyway, got that cleaned up via TrendMicro's Housecall (it had little info on the trojan itself, just some crap about being a backdoor program + other stuff ~_~ ). ALSO, I'm pretty sure it was putting an entry in my Services (control panel > administrative tools > services) called "Security 2@)#@#%*" or something (literally a bunch of random characters that definitely didn't belong there). I disabled it (it masks itself as "stopped" even though when you check properties it is listed as "started") and it is no longer there so I think Housecall cleared that up.

After that, I came across something called "LoveFly.dll" and "smart.dll" (in Windows/system32) which are keyloggers to steal WoW account passwords only, apparently. Those were easy enough to remove, but I can only assume they came from FFS as well, since it's the only gaming site I go to regularly and it'd make sense that a file that specific would target gaming sites.

ANYWAY. I know at least the Trojan was from FFS and the orz.exe file reinitializing is a concern because it came up on the forums. I don't make a habit of visiting GH or the main site so I can avoid those, but if there's something on the forums that would sorta suck. It suggests something in the code of the forums is working with the trojan. Unless something with the code errors this morning was to explain.

I couldn't get a hold of you on IRC so I figured I'd post it here. Also just to notify anyone else who may have been at the site to check for those things (orz.exe, weird entry in Services, smart.dll/LoveFly.dll). The .dll files I think I picked up on Oct 25, according to the "Date Modified" dealy.


Update: Still have the weird entry in my Services. "Security Control" is what it's called and its description is full of random/weird characters. Associated with the file "zordisa.dll" which is a trojan/backdoor. Not sure if this is from FFS but I really wouldn't doubt it given the other crap I've picked up ;\ Back to fixing this, I guess.

TeknoBlade
11-08-2008, 11:18 PM
Windows Forefront picked up a worm when I visited the FFS main page a few days ago. It was Java-based, so I would say it's from advertisers.

lenneth
11-08-2008, 11:50 PM
I think this has been a problem for awhile now. I know you need to make money from advertisers to keep the site going Sarah, but surely there's a program or company out there that is a bit more secure. I don't know if it's a 3rd party exploiting these ads or the companies themselves, but I feel like I'm taking a chance even coming to the forums.

As an additional update, I went through the registry and got rid of everything. Used a boot disk (I THINK THAT'S WHAT IT'S CALLED) to manually delete the zordisa.dll and orz.exe (which apparently was still around). Also had to delete the Security Control service via command prompt. I think I'm mostly in the clear now :<

Valyrious
11-09-2008, 05:12 AM
http://img90.imageshack.us/img90/677/65359791ug0.jpg

I have to use IE just to post on this site. Every time I click ignore and click a thread, it gives the same thing and won't let me make posts.

Sarah
11-09-2008, 05:36 AM
it has nothing to do with ads. some scripts were exploited. I removed the injected code but I haven't tracked down the exploit & patched it yet; working on that, hopefully ketzu can help.

everything should be removed now. if you get a specific warning or find suspicious code, let me know.

the google/firefox warning should be removed in a few days.

lenneth
11-09-2008, 10:22 AM
Is the script exploitation the reason why that one file would be reinitialized upon visiting the forums? I'm curious about how all this crap works now.

Opera has let me down as well ;(

thomasdaly
11-09-2008, 01:50 PM
I got a trojan as well. I got rid of it. Who did it and why?

Erebus Wraith
11-09-2008, 02:07 PM
I didn't get a virus or anything but I kept getting cookie errors when I tried to open a thread. I couldn't figure out why, yet today it works just peachy.

Valyrious
11-09-2008, 03:41 PM
it has nothing to do with ads. some scripts were exploited. I removed the injected code but I haven't tracked down the exploit & patched it yet; working on that, hopefully ketzu can help.

everything should be removed now. if you get a specific warning or find suspicious code, let me know.

the google/firefox warning should be removed in a few days.
It's gone for me now. Thanks.

sergioalb64
11-09-2008, 04:51 PM
Antivirus detected two trojans on two visits yesterday. This morning I got the Google warning, but I'm glad that it's gone now :)

jewess crabcake
11-09-2008, 04:57 PM
I think it was a keylogger or something because I checked the source code and there was an iframe that led to an IP that wasn't part of FFS. If Sarah wants it it's still in my history.
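The injected-iframe symptom described in the post above, as an added defender-side example that is not part of the thread: a script that scans saved page source for iframes pointing at hosts outside the site, at bare IP addresses, or styled to be invisible. The allowlisted hostnames and the sample HTML are assumptions constructed for the example.

```python
# Added example (not from the thread): scan a saved page for <iframe> tags
# that look injected: external host, bare IP address, or hidden rendering.
from html.parser import HTMLParser
from urllib.parse import urlparse
import ipaddress

# Hosts the site legitimately serves from; assumed for this example.
ALLOWED_HOSTS = {"forums.example.net", "www.example.net"}

class IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> in the document."""
    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append(dict(attrs))

def is_ip(host):
    """True if host is a literal IPv4/IPv6 address rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def suspicious_iframes(html, allowed=ALLOWED_HOSTS):
    """Return a list of (src, reasons) for iframes worth a closer look."""
    parser = IframeCollector()
    parser.feed(html)
    findings = []
    for f in parser.iframes:
        src = f.get("src") or ""
        host = urlparse(src).hostname or ""
        reasons = []
        if host and host not in allowed:
            reasons.append("external host")
        if is_ip(host):
            reasons.append("bare IP address")
        style = (f.get("style") or "").replace(" ", "").lower()
        tiny = f.get("width") in ("0", "1") or f.get("height") in ("0", "1")
        if "display:none" in style or "visibility:hidden" in style or tiny:
            reasons.append("hidden")
        if reasons:
            findings.append((src, reasons))
    return findings

# Constructed sample: one legitimate embed plus a hidden iframe to a bare IP.
SAMPLE = """<html><body><p>thread</p>
<iframe src="http://www.example.net/stats" width="300" height="100"></iframe>
<iframe src="http://203.0.113.7/x.php" width="0" height="0"
 style="display: none"></iframe></body></html>"""

if __name__ == "__main__":
    for src, why in suspicious_iframes(SAMPLE):
        print(src, "->", ", ".join(why))
```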

Sarah
11-10-2008, 01:41 AM
the iframe was removed

gironimo appleton
11-10-2008, 01:52 AM
Nigga hacked teh gibson!

maybe an update is in line

makkadamia
12-06-2008, 04:11 PM
The attacking-thingy is back again :(

TM
12-06-2008, 05:24 PM
MAN I JUST LOST ALL MY PORN!

Maxx Skywalker
12-07-2008, 10:27 PM
That would explain why the site is going so slow.

Cayakii
02-07-2009, 08:23 PM
I hope the problem is fixed now...

Sarah
02-07-2009, 09:00 PM
it's been fixed. the site going slow is unrelated.

Chelf
02-07-2009, 11:43 PM
it's been fixed. the site going slow is unrelated.

Hey Sarah. Question. If you guys seem to get all these injections...are the forums in any way integrated with the site? If so, is it possible for you to upgrade the forums to the latest version (3.8.1)? Since there were some security exploits in vBulletin 3.6.9, IIRC. I can update the skin XML if needed.

Sarah
02-07-2009, 11:46 PM
we're going to be updating the forums but that's not what's being exploited

Chelf
02-07-2009, 11:54 PM
Ah. I didn't know if the site was integrated with the forums or something. My mistake. Sorry.

Sarah
02-07-2009, 11:59 PM
np ~

Chelf
02-08-2009, 12:18 AM
Well, at least Google Chrome doesn't seem to care about injections.

=D

But Chrome makes some webpages look bad.

KusanagiShiro
02-10-2009, 04:02 PM
The Firefox "Reported Attack Site" problem is back again. I am getting problems, and have to use Internet Exploder just to post!

ajf8908
02-14-2009, 10:31 PM
Google Chrome seems to be posting a warning when I go to the main page.

ROKI
02-15-2009, 02:22 AM
Indeed, the Firefox alert is back, it happens to me too.

aarontiger
02-15-2009, 09:52 PM
I picked up a Trojan virus. However, my computer blocked it out.