XeNTaX attacked by virus

Posted: Sat Aug 28, 2010 7:56 am
by Mr.Mouse
XeNTaX attacked by virus
August 28th, 2010 by Mr.Mouse and Craptain

If you wondered why we were down, we suffered an attack by a bot. The last few days our host and we worked hard to remove the infection. We will spend some more time to update the code to the latest versions as we go. Sorry for the inconvenience.

Webmaster note: We were hit by a virus called Gumblar. It was a more sophisticated virus than usual. It used the password stored in the scp client of one of our webmasters to gain access to our server. Once it had access, it added obfuscated and encoded JavaScript to all index.html, index.php, etc. files, in order to spread the infection.

If you have visited the xentax main site or any of the xentax subdomains from the 25th of August to the 28th, it’s probably a good idea to run a virus scanner. If you’re a webmaster who stores ftp or scp passwords in a local client, check your site’s source code for suspicious scripts.

We are still cleaning up this shit, and are taking this opportunity to upgrade our forum and blog software as well. We will be busy with this at least until Sunday, because as usual real life gets in the way: a friend of ours is getting married today.
Sorry for the downtime and the inconvenience it may have caused.

Final edit: The JavaScript exploits a weakness in Adobe Acrobat Reader and Flash, probably only in Windows. So if you run Linux or other Unix clones, you get to be smug and self-satisfied that this particular virus doesn’t target you. If you run OSX you can remain clueless about this whole conversation.
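
The source-code check recommended in the post above, sketched as an added example (not part of the original post and not XeNTaX's own tooling). The heuristics, function names and sample files are assumptions made for illustration, not real Gumblar signatures: it flags index pages whose inline scripts pass long encoded strings to a decoder call, or that carry a script after the closing `</html>` tag.

```python
import os
import re
import tempfile

# Assumed heuristics for illustration; these are not real Gumblar signatures.
INDEX_NAME = re.compile(r"^index\.(html?|php)$", re.I)
SCRIPT = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)
DECODERS = re.compile(r"\b(eval|unescape|fromCharCode|document\.write)\b")
ENCODED = re.compile(r"(?:%[0-9a-f]{2}|\\x[0-9a-f]{2}|\\u[0-9a-f]{4}){8,}", re.I)


def inspect_page(text):
    """Return the reasons a page's inline scripts look injected."""
    reasons = set()
    tail = text.lower().rfind("</html>")  # -1 when the page has no closing tag
    for m in SCRIPT.finditer(text):
        if DECODERS.search(m.group(1)) and ENCODED.search(m.group(1)):
            reasons.add("decoder call on encoded string")
        if tail != -1 and m.start() > tail:
            reasons.add("script after </html>")
    return sorted(reasons)


def scan_webroot(root):
    """Walk root and map each flagged index file to its reasons."""
    findings = {}
    for folder, _dirs, files in os.walk(root):
        for name in filter(INDEX_NAME.match, files):
            path = os.path.join(folder, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                reasons = inspect_page(fh.read())
            if reasons:
                findings[os.path.relpath(path, root)] = reasons
    return findings


def demo():
    """Scan a constructed webroot: one clean page, one tampered page."""
    clean = "<html><body><script>var n = 1;</script></body></html>"
    blob = "%76%61%72%20%78%3d%31%3b%2f%2f"  # constructed; decodes to "var x=1;//"
    tampered = clean + "\n<script>eval(unescape('" + blob + "'));</script>"
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "blog"))
        for rel, text in (("index.html", clean), ("blog/index.php", tampered)):
            with open(os.path.join(root, rel), "w", encoding="utf-8") as fh:
                fh.write(text)
        return scan_webroot(root)
```

A hit is only a lead for manual review; comparing the flagged files against a known-good backup or version-control copy is what confirms tampering.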

Re: XeNTaX attacked by virus

Posted: Sat Aug 28, 2010 11:22 am
by invisghost
:P I was noticing the javascript there during those days. Nod32 kept saying it was blocking the connections. Lucky me right? 8)

Re: XeNTaX attacked by virus

Posted: Sat Aug 28, 2010 11:41 am
by Energy
Oh, and my comp is full of trojan horses. I deleted some of them (shit) but new ones keep coming :(
Avast was blocking the connection but the virus still came. So you need a new antivirus. Microsoft Security Essentials saved my comp for now and deleted 5 trojans in the Windows temp folder and the internet temp folder. I think my comp is clear now.

Re: XeNTaX attacked by virus

Posted: Sat Aug 28, 2010 12:32 pm
by firsak
"Mark forums read" stopped working for me.

Re: XeNTaX attacked by virus

Posted: Sat Aug 28, 2010 3:00 pm
by eycaramba
I am glad I have an all-in-one antivirus software :keke:
It blocked the attack right away ^~^

I am happy xentax is back 8D

Re: XeNTaX attacked by virus

Posted: Sat Aug 28, 2010 5:26 pm
by piecemontee
I am a loser :(
avast warned me, I thought "hey it's xentax, how dumb is this virus scanner?"
and I added an exception to the realtime protection...

how dumb am I :cry:

Re: XeNTaX attacked by virus

Posted: Sat Aug 28, 2010 7:50 pm
by invisghost
Lol I've had nod32 for about 3 years now and never once had a virus get through. I like it cause it doesn't bog down your computer like those other ones do. I need my computer's performance for getting good FPS in pcsx2 :P

Re: XeNTaX attacked by virus

Posted: Sat Aug 28, 2010 8:45 pm
by XpoZed
I don't think there was a virus that is downloaded on your PC. It's more likely a session/cookie stealer or something.
Anyway, if someone can provide me with a sample (exe, dll, ocx, sys, etc.) I'll be happy to reverse engineer it (that's my main hobby these days ;)).

Re: XeNTaX attacked by virus

Posted: Sat Aug 28, 2010 10:42 pm
by piecemontee
XpoZed wrote: I don't think there was a virus that is downloaded on your PC. It's more likely a session/cookie stealer or something.
Anyway, if someone can provide me with a sample (exe, dll, ocx, sys, etc.) I'll be happy to reverse engineer it (that's my main hobby these days ;)).

Yes, you're right, I ran a full scan and nothing stood out.
It seems to hack FTP accounts through FileZilla to propagate through JavaScript.
I checked my website and no JavaScript was added.

Re: XeNTaX attacked by virus

Posted: Sat Aug 28, 2010 11:17 pm
by Sheen
I'm happy to see XentaX up and running again. Some days ago Avast! blocked my connection to this site, warning me there was a virus, or something like that. :cry:

Regards.

Re: XeNTaX attacked by virus

Posted: Sun Aug 29, 2010 10:27 am
by MrAdults
Glad to see things up and running again so quickly. Good work, Mr.Mouse and company. :)

Re: XeNTaX attacked by virus

Posted: Sun Aug 29, 2010 2:18 pm
by chrrox
I noticed a small bug: the "mark forum read" no longer works after the site restore.

Re: XeNTaX attacked by virus

Posted: Sun Aug 29, 2010 3:41 pm
by Mr.Mouse
Actually it does work for me. Cache problem? Does anyone else have this bug?

Re: XeNTaX attacked by virus

Posted: Sun Aug 29, 2010 4:10 pm
by chrrox
I'm using Firefox. It's only the "mark forum read" that does not work for me; I can go into any thread and the mark read works.

Re: XeNTaX attacked by virus

Posted: Sun Aug 29, 2010 4:14 pm
by XpoZed
Don't know about that, but you should integrate the "tanks" system back after the update.