geekhack hacked again!?

Zehkul

30 Jun 2012, 22:54

I know that site tried to do something (blocked for me anyway, but I saw many scripts), and several others had antivirus notifications. And it doesn’t even really matter if they do try to infect PCs, all that matters is that they COULD.

And even if there wasn’t anything else besides the rootworm text, it’s still ridiculous to let it stay like that. That site needs to be taken offline, and I’d show a status message of when geekhack will be available again, if I want to keep as many users as possible, that is.

didja

30 Jun 2012, 23:27

silat wrote:Do you have any proof whatsoever that anyone has been infected?
Do you have any proof people haven't? The server has been compromised multiple times and is still compromised. The only safe assumption is that it is and has been infecting visitors.

absyrd

30 Jun 2012, 23:31

ripster wrote:They are a forum?

Uh oh.

I'd send them a DoubleShot Melissa Kerned key as a peace offering.

Good idea. Some of them probably just did this due to anger resulting from missing out on the recent "Dibs" sales.

TexasFlood

01 Jul 2012, 02:19

didja wrote:
silat wrote:Do you have any proof whatsoever that anyone has been infected?
Do you have any proof people haven't? The server has been compromised multiple times and is still compromised. The only safe assumption is that it is and has been infecting visitors.
My initial reaction was that this is all being blown out of proportion. While I still feel that way, I would also agree that it's the safe thing to assume danger given a server having been compromised multiple times and either still compromised or left in a state that appears so. There was an indication that it was intentionally left this way. While this doesn't make logical sense to me, I also no longer see any apparent redirects or obviously malicious active content.

Even when the infected server web page was active, all I saw was the injected redirect from JS.Alescurf.C, no damage or permanent infection. But the potential is obviously there. Reportedly the attackers were able to get into geekhack and performed (either literally or equivalent) a "rm -fr" command. I don't know how that was accomplished but one has to respect that danger even if there is no proof (and I don't see any) that it can happen to a client simply hitting the server. Also at least one person reported in this thread seeing Downloader.Psyme. From what I saw at Symantec, this is a version of an old (2004), low risk trojan. Apparently it exploits a vulnerability in older versions of MS Internet Explorer to launch other Trojan programs on the infected machine. I don't run an older IE so probably wouldn't have been affected by this one. It's pretty scary though as, for some running an old version of IE, it -potentially- can launch arbitrary code which could do basically anything. Of course if you're running an old version of IE, you're basically asking for trouble and almost certainly will get it, but still.

GH1391401

01 Jul 2012, 02:41

What theme will be used? It would be great if we could have something that didn't look like your typical web forum circa 1999.

jdcarpe

01 Jul 2012, 05:40

Was it prophetic that I had just checked out The Cuckoo's Egg by Clifford Stoll from my local library a few days before GH went down?

Has R00TW0RM infected my local library, as well? Maybe R00TW0RM is also a B00KW0RM!


ripster

01 Jul 2012, 05:48

TexasFlood wrote:
didja wrote:
silat wrote:Do you have any proof whatsoever that anyone has been infected?
Do you have any proof people haven't? The server has been compromised multiple times and is still compromised. The only safe assumption is that it is and has been infecting visitors.
My initial reaction was that this is all being blown out of proportion. While I still feel that way, I would also agree that it's the safe thing to assume danger given a server having been compromised multiple times and either still compromised or left in a state that appears so. There was an indication that it was intentionally left this way. While this doesn't make logical sense to me, I also no longer see any apparent redirects or obviously malicious active content.

Even when the infected server web page was active, all I saw was the injected redirect from JS.Alescurf.C, no damage or permanent infection. But the potential is obviously there. Reportedly the attackers were able to get into geekhack and performed (either literally or equivalent) a "rm -fr" command. I don't know how that was accomplished but one has to respect that danger even if there is no proof (and I don't see any) that it can happen to a client simply hitting the server. Also at least one person reported in this thread seeing Downloader.Psyme. From what I saw at Symantec, this is a version of an old (2004), low risk trojan. Apparently it exploits a vulnerability in older versions of MS Internet Explorer to launch other Trojan programs on the infected machine. I don't run an older IE so probably wouldn't have been affected by this one. It's pretty scary though as, for some running an old version of IE, it -potentially- can launch arbitrary code which could do basically anything. Of course if you're running an old version of IE, you're basically asking for trouble and almost certainly will get it, but still.
You are ALWAYS so mellow though.

Baaaaaaaaa
Baaaaa
Baaa

You weren't the one that had to deal with THIS!

http://deskthority.net/geekhacker-refug ... tml#p55850

And what about all the people posting at Reddit and OCN about having to reinstall Windows and do multiple scans?

thegunner100

01 Jul 2012, 06:01

Good thing I only use one password per website, and I've somehow never been infected while using Opera.

TexasFlood

01 Jul 2012, 06:17

ripster wrote:You are ALWAYS so mellow though.

Baaaaaaaaa
Baaaaa
Baaa

You weren't the one that had to deal with THIS!

http://deskthority.net/geekhacker-refug ... tml#p55850

And what about all the people posting at Reddit and OCN about having to reinstall Windows and do multiple scans?
I did see that, just a redirect as I posted shortly after you originally posted the above. No way that would result in a Windows reinstall. The only suggestion in the OCN thread you linked to earlier that a Windows reinstall was needed was by you who it does not appear had to do so. Scanning is always a good idea and we should all be doing so regularly. Not sure anyone HAD TO do a scan for this but sounds wise. Again in the OCN thread you linked didn't see anything unusual found in those scans. If you would like to link to some of the other threads about this, please do so and maybe I'll be educated. :geek:

GH1391401

01 Jul 2012, 06:33

You can pretty easily configure a browser to avoid issues like the one shown above.

silat

01 Jul 2012, 06:34

didja wrote:
silat wrote:Do you have any proof whatsoever that anyone has been infected?
Do you have any proof people haven't? The server has been compromised multiple times and is still compromised. The only safe assumption is that it is and has been infecting visitors.
So you answer a question with a question? You know what that says?
Ok my proof is I am not infected. And I have not read one post that can verify an infection definitively coming from GH.
So your turn. What proof or evidence do you have?

I have visited the RootWorm page multiple times. Scanned with Emsisoft, Malwarebytes, Superanti and nothing shows up.

ChaoticKinesis

01 Jul 2012, 07:17

TexasFlood wrote:
ripster wrote:You are ALWAYS so mellow though.

Baaaaaaaaa
Baaaaa
Baaa

You weren't the one that had to deal with THIS!

http://deskthority.net/geekhacker-refug ... tml#p55850

And what about all the people posting at Reddit and OCN about having to reinstall Windows and do multiple scans?
I did see that, just a redirect as I posted shortly after you originally posted the above. No way that would result in a Windows reinstall. The only suggestion in the OCN thread you linked to earlier that a Windows reinstall was needed was by you who it does not appear had to do so. Scanning is always a good idea and we should all be doing so regularly. Not sure anyone HAD TO do a scan for this but sounds wise. Again in the OCN thread you linked didn't see anything unusual found in those scans. If you would like to link to some of the other threads about this, please do so and maybe I'll be educated. :geek:
As far as I can tell, the matter of malware and the need to reinstall Windows was blown way out of proportion by Ripster and several others on OCN and elsewhere. I saw a few people say they had trojans, which they suggested may have been due to Geekhack, with dozens more saying nothing at all on the subject of having their PC infected. I ran a number of different scans on both home and work computers and none of them found anything. I'm fairly confident that this is not because my AV automatically blocked it, since I have it set to warn me and never take action automatically.

As for people on OCN reinstalling Windows, the fact that a few preemptively decided to reinstall their OS, on a forum where doing so is commonplace for many users, does not say much.

ripster

01 Jul 2012, 08:20

Perhaps.

However I would think everyone agrees it does little for the Geekhack Brand Name:
R00TW0RM

Expiration Date: 2012-08-18 00:47:23
At least R00TW0RM chose Times Roman font to class it up a bit.

TexasFlood

01 Jul 2012, 08:22

ripster wrote:Perhaps.

However I would think everyone agrees it does little for the Geekhack Brand Name:
R00TW0RM

Expiration Date: 2012-08-18 00:47:23
At least R00TW0RM chose Times Roman font to class it up a bit.
That I won't argue...

Stevie Wonder

01 Jul 2012, 08:28

Holy bejesus, should I sell my McAfee/Intel stock?

TexasFlood

01 Jul 2012, 08:38

Stevie Wonder wrote:Holy bejesus, should I sell my McAfee/Intel stock?
When you believe in things that you don't understand
Then you suffer, superstition ain't the way, yeh, yeh

Don't you worry 'bout a thing

ChaoticKinesis

01 Jul 2012, 09:25

ripster wrote:Perhaps.

However I would think everyone agrees it does little for the Geekhack Brand Name:
R00TW0RM

Expiration Date: 2012-08-18 00:47:23
At least R00TW0RM chose Times Roman font to class it up a bit.
Agreed regarding the brand name. As for the font, checking the HTML shows they selected nothing so it's just your browser's default. Maybe you can give them a listen on fonts. :D

ripster

01 Jul 2012, 09:30

Interesting reads all over the web if you search for Geekhack/R00TW0RM.

https://www.vbulletin.com/forum/showthr ... o-R00TW0RM
Edit: Also the possibility they have a shell script or similar on the site that was put up when you were initially hacked, with something like that they can continue to gain access despite a security patch being applied.
OUCH!

And of course just about every other forum is wondering WTF! Anandtech, OCN, HArdForum, Reddit...even 4chan!

http://forums.overclockers.com.au/showt ... p=14509128
who's ripster?
The guy who actually supplies all info relating to keyboards at Geekhack.

http://forums.anandtech.com/showthread.php?p=33621232
http://forum.lowyat.net/topic/2329609/+1300
I think you guys are underestimating the damage they could cause at any time. However we can all agree the R00TW0RM branding campaign is proving HIGHLY successful.
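The vBulletin post quoted above makes the point that matters for cleanup: a shell script dropped on the server during the first break-in survives any later security patch, so the attackers keep their way in. As an added example, not code from this thread or from geekhack or vBulletin, here is a small scan an admin could run over a web root to flag files that look like left-behind backdoors. The directory layout, file names, timestamps and indicator patterns are all constructed for illustration; a real sweep would compare against a known-good copy of the forum software as well.

```python
"""Added example, not from the thread: flag files in a web root that look like a
backdoor left behind after a compromise, so that applying a security patch is not
mistaken for cleanup. Every path, file and timestamp here is constructed."""
import os
import re
import tempfile
from pathlib import Path
from typing import Dict, List, Optional

# Heuristic indicators (assumed, not taken from any specific incident): code that
# evaluates a decoded payload or runs a command taken straight from request data.
PATTERNS = {
    "eval-of-decoded-payload": re.compile(
        rb"\beval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\("),
    "command-exec-from-request": re.compile(
        rb"\b(?:system|passthru|shell_exec|exec|popen)\s*\(\s*\$_(?:GET|POST|REQUEST|COOKIE)\b"),
    "variable-function-from-request": re.compile(
        rb"\$_(?:GET|POST|REQUEST|COOKIE)\s*\[[^\]]*\]\s*\("),
}
# Directories that should only ever hold static content (assumed layout).
UPLOAD_DIRS = {"uploads", "attachments", "images", "customavatars"}
EXEC_EXTS = {".php", ".phtml", ".php5", ".phar"}


def scan_file(root: Path, path: Path, compromise_time: Optional[float] = None) -> List[str]:
    """Return the indicator names that fire for one file (empty list means clean)."""
    hits: List[str] = []
    try:
        data = path.read_bytes()
    except OSError:
        return hits
    for name, pat in PATTERNS.items():
        if pat.search(data):
            hits.append(name)
    rel = path.relative_to(root)
    # Server-side code sitting in a directory that should only hold uploads.
    if path.suffix.lower() in EXEC_EXTS and any(p.lower() in UPLOAD_DIRS for p in rel.parts[:-1]):
        hits.append("executable-in-upload-dir")
    # Changed after the compromise: a patch does not explain that, a planted file might.
    # Weak on its own (legitimate edits also fire), so treat it as a triage hint.
    if compromise_time is not None and path.stat().st_mtime > compromise_time:
        hits.append("modified-after-compromise")
    return hits


def scan_webroot(root: str, compromise_time: Optional[float] = None) -> Dict[str, List[str]]:
    """Map each suspicious file (path relative to root, POSIX style) to its indicators."""
    base = Path(root)
    findings: Dict[str, List[str]] = {}
    for p in sorted(base.rglob("*")):
        if p.is_file():
            hits = scan_file(base, p, compromise_time)
            if hits:
                findings[p.relative_to(base).as_posix()] = hits
    return findings


def build_demo_webroot():
    """Constructed sample tree: two legitimate files and two planted backdoors."""
    root = Path(tempfile.mkdtemp(prefix="webroot-"))
    (root / "images").mkdir()
    (root / "includes").mkdir()
    legit = [root / "index.php", root / "includes" / "init.php"]
    legit[0].write_bytes(b"<?php require 'includes/init.php'; echo render_home(); ?>\n")
    legit[1].write_bytes(b"<?php function render_home() { return 'hello'; } ?>\n")
    # A shell dropped into the image directory, and a command runner hidden among includes.
    (root / "images" / "thumb.php").write_bytes(b"<?php eval(base64_decode($_POST['x'])); ?>\n")
    (root / "includes" / "cache.php").write_bytes(
        b"<?php if (isset($_GET['c'])) { system($_GET['c']); } ?>\n")
    compromise_time = 1_340_000_000.0  # constructed: mid-June 2012, before the planted files
    for p in legit:  # legitimate files predate the compromise; planted ones keep "now"
        os.utime(p, (compromise_time - 86400, compromise_time - 86400))
    return str(root), compromise_time


if __name__ == "__main__":
    demo_root, t0 = build_demo_webroot()
    for rel_path, reasons in scan_webroot(demo_root, t0).items():
        print(f"{rel_path}: {', '.join(reasons)}")
```

The "modified-after-compromise" hint is deliberately kept separate from the content patterns: on its own it also fires for files the admin legitimately changed while patching, so it is useful for ordering a manual review, not as proof. The content patterns are a starting list, and an attacker can obfuscate around any of them, which is why a diff against a clean copy of the forum software is the stronger check.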

off

01 Jul 2012, 15:05

silat wrote:
didja wrote:
silat wrote:Do you have any proof whatsoever that anyone has been infected?
Do you have any proof people haven't?
So you answer a question with a question? You know what that says?
Do you?

And could everyone please get some more sense in their usage of the quoting facility... (on this page TF/CK/Rip)

rainb1ood

01 Jul 2012, 15:33

I'm not sure if this has been pointed out yet but are the iTrader ratings also backed up?

We need those too

mickd

01 Jul 2012, 16:15

It was mentioned and the answer was very likely that it won't be migrated over unless they find a compatible version of iTrader for the new forum software they're going to use (smf).

TexasFlood

01 Jul 2012, 17:45

off wrote:And could everyone please get some more sense in their usage of the quoting facility... (on this page TF/CK/Rip)
Could you be more specific about how my use of quoting needs more sense?

off

01 Jul 2012, 17:57

Yes of course: imho quoting of posts should be limited to either quoting just the relevant part if still on the same page, and quoting images should be rare. /dicatoritrol
I'm hoping you agree on that; for it leaves more room for new info on pages.

Thankfully I've just realised how part of the issues with that can be resolved, like so:
TexasFlood wrote:Could you be more specific about how my use of quoting needs more sense?
Now if that could become a built-in automated standard for quoting, it'd be even more workable.

ripster

01 Jul 2012, 18:55

Like this? A Vb Forum that is NOT R00TW0RMED?

http://forums.overclockers.com.au/showp ... count=5665
kazen wrote:who's ripster?


lol
kandrews wrote:The guy who actually supplies all info relating to keyboards at Geekhack.

I think he's the only one who has over 50'000 posts alone. But lately he has disappeared due to some ban placed on him by iMav.

I think it's to do with his general behaviour which was getting somewhat nasty at GH (but that is only a feeling not actual fact).

A lot of people hate his guts but I love all the effort he had put into Geekhack including his wiki with detailed descriptions on everything to do with keyboards and marble-mice (YES, I do actually read his stuff, very informative).

I can never be ungrateful for all his effort he had put into that place because we all depend on the work he had done to label and categorise correctly, every known keyboard that was ever made. Sometimes you have to give credit where it's deserved, and he has rightly claimed that from me.
Ripster wrote:Thanks, and he is one of my favorite dudes too!

Spends a LOT of time here under name Ripster55, especially since Geekhack is R00TW0RMED!

http://www.reddit.com/r/keyboards/
The tricky thing is to put user names in quotes, no spaces. And you can only nest 3 quotes deep.

Oh wait. The Color thing is fucked up.

thegunner100

01 Jul 2012, 18:59

All my seller feedback... NOOOO

MagicMeatball

01 Jul 2012, 19:01

TexasFlood wrote:
off wrote:And could everyone please get some more sense in their usage of the quoting facility... (on this page TF/CK/Rip)
Could you be more specific about how my use of quoting needs more sense?
I grab the snippet of the exact quote I am referencing. Not sure why it's being made out as such a big deal.
Last edited by MagicMeatball on 01 Jul 2012, 19:19, edited 1 time in total.

TexasFlood

01 Jul 2012, 19:12

off wrote:imho quoting of posts should be limited to either quoting just the relevant part if still on the same page, and quoting images should be rare.
I'm hoping you agree on that; for it leaves more room for new info on pages.
I do agree, however I feel that I already do so. Admittedly I did quote an image above, but even in that post I edited down the quoted material. If you look back at my historical posts, I believe you will find that unedited quotes and quoting images is indeed rare for me.

off wrote:Thankfully I've just realised how part of the issues with that can be resolved, like so:
TexasFlood wrote:Could you be more specific about how my use of quoting needs more sense?
Now if that could become a built-in automated standard for quoting, it'd be even more workable.
That's a good idea and I would agree that a reference back to the originally quoted post is a good idea; many forums I use have some form of this implemented. For the benefit of anyone reading this, in case it wasn't obvious what off did there, he added a hyperlink to the quoted poster name, back to the quoted post.

silat

01 Jul 2012, 19:47

didja wrote:
silat wrote:Do you have any proof whatsoever that anyone has been infected?
Do you have any proof people haven't? The server has been compromised multiple times and is still compromised. The only safe assumption is that it is and has been infecting visitors.
Assumptions? LOL

silat

01 Jul 2012, 19:52

off said: "Do you?

And could everyone please get some more sense in their usage of the quoting facility... (on this page TF/CK/Rip)"

1. I was not the poster who "claimed" there were infections.
2. I asked for proof of the "claim".
3. I click the quote button and have nothing to do with the text that it grabs.

yttrium

02 Jul 2012, 01:06

I'm in possession of one of the switch testers. The forum went down before I was able to obtain the shipping info for the next person... what do?
