XeNTaX attacked by virus

Post by **Mr.Mouse** » Sun Aug 29, 2010 5:12 pm

Yes. We will try to get everything back in. For now, new registrations have been disabled.

Post by **Dinoguy1000** » Mon Aug 30, 2010 2:55 am

XpoZed wrote:I don't think there was a virus that is downloaded on your PC. It's more likely a session/cookie stealer or something.
Anyway, if someone can provide me with a sample (exe,dll,ocx,sys, etc.) i'll be happy to reverse engineer it (that's my main hobby these days ).

It was almost certainly Gumblar, based on de-obfuscating the obfuscated javascript which was inserted on numerous pages. Maybe not a virus, true, but still some type of malware.

It's worth noting that people with properly-upgraded Windows systems and Acrobat/Flash installations may not have had anything to worry about, but you should still run a virus scan just in case (this is one of the basic maintenance tasks you should be regularly running anyways).

One last note, we don't load any scripts, images, or other resources from external URLs (to the best of my knowledge; there may be a couple of images on the wiki loaded from Wikimedia Commons), so you should be able to safely block any such resources from loading.

Post by **Mr.Mouse** » Mon Aug 30, 2010 6:38 am

chrrox wrote:im using firefox its only the mark forum read that does not work for me i can go into any thread and the mark read works.

Hmm. http://www.phpbb-seo.com/en/phpbb-forum ... e3678.html This seems to be a phpbb issue

DMorrone · Post by **DMorrone** » Mon Aug 30, 2010 4:45 pm

Mr.Mouse wrote:
chrrox wrote:im using firefox its only the mark forum read that does not work for me i can go into any thread and the mark read works.
Hmm. http://www.phpbb-seo.com/en/phpbb-forum ... e3678.html This seems to be a phpbb issue

Looking at it again, it's an issue back in 2008, so I'm not sure how relevant it is now. Working in Chrome, the button functions as desired. We're still looking into it.

Captain · Post by **Captain** » Mon Aug 30, 2010 6:00 pm

DMorrone wrote:Working in Chrome, the button functions as desired. We're still looking into it.

The button works in the subsections, like here, but doesn't work on the main forum index. I'm pretty sure it's not a browser issue. Tried it myself on Chrome, same result as in Firefox.

DMorrone · Post by **DMorrone** » Mon Aug 30, 2010 7:16 pm

Craptain wrote:
DMorrone wrote:Working in Chrome, the button functions as desired. We're still looking into it.
The button works in the subsections, like here, but doesn't work on the main forum index. I'm pretty sure it's not a browser issue. Tried it myself on Chrome, same result as in Firefox.

Looks like there is a very recent debate as to how this button should ultimately function:

http://www.phpbb.com/community/viewtopi ... &t=2101636

Polefish · Post by **Polefish** » Tue Aug 31, 2010 6:24 pm

Damn I was fucked hard by this virus. Wasn't able to work for 2 days cause of this shit.

XpoZed · Post by **XpoZed** » Tue Aug 31, 2010 6:29 pm

Can anyone send me the virus ? The infected PDF or something will be fine too.

Post by **Mr.Mouse** » Tue Aug 31, 2010 6:39 pm

XpoZed wrote:Can anyone send me the virus ? The infected PDF or something will be fine too.

Turns out our computers were clean, or at least a multitude of scanners found nothing.

But whatever it was and where it came from, it injected the sites pages with this :

Post by **Rheini** » Tue Aug 31, 2010 6:55 pm

I didn't notice anything? What happens if you visit a site that's infected with it?
And what about the pdf etc. stuff? xentax doesn't use anything like flash, pdf...

XpoZed · Post by **XpoZed** » Tue Aug 31, 2010 7:13 pm

Mr.Mouse wrote: Turns out our computers were clean, or at least a multitude of scanners found nothing.

But whatever it was and where it came from, it injected the sites pages with this :

Thanks, but i've already got this... it just do a document.write('<script type="text/javascript" src="URL SNIP"> </script>')
Then from URL SNIP we had similar script that do a document.write with script again, this time to something like URL SNIP, and there was only a redirect to google.com

That's why i've said that this is probably only a logger.

Anyway, if someone got the virus, i'll be happy to play with his bits'n bytes.

@Rheini i've seen similar javascript exploits like this one, that redirect the user to a PDF document with exploit in it. And if you already have installed acrobat reader, that is exploitable (old version etc), you get infected.

Post by **Rheini** » Tue Aug 31, 2010 7:29 pm

Thank god i don't have that damn Acrobat Reader installed at all (Foxit

)
I do have Flash though (with Opera)

Post by **Mr.Mouse** » Wed Sep 01, 2010 9:57 pm

Registrations are back on.

Post by **Dinoguy1000** » Wed Sep 01, 2010 10:30 pm

Awesome!

*registers 839583 dummy accounts*

Zerox · Post by **Zerox** » Fri Sep 10, 2010 9:41 pm

While attempting to go to the page to download Noesis I got this while using firefox:

This is the link I followed: http://oasis.xentax.com/index.php?content=downloads

Edit: I see it was already reported in his Noesis thread. My apologies.

XeNTaX

XeNTaX

XeNTaX attacked by virus

Re: XeNTaX attacked by virus

Re: XeNTaX attacked by virus

Re: XeNTaX attacked by virus

Re: XeNTaX attacked by virus

Re: XeNTaX attacked by virus

Re: XeNTaX attacked by virus

Re: XeNTaX attacked by virus

Re: XeNTaX attacked by virus

Re: XeNTaX attacked by virus

Re: XeNTaX attacked by virus

Re: XeNTaX attacked by virus

Re: XeNTaX attacked by virus

Re: XeNTaX attacked by virus

Re: XeNTaX attacked by virus

Re: XeNTaX attacked by virus