Your Website is compromised!!

Tags: malware, compromised

10 replies to this topic

#1 revrepo

revrepo
  • Members
  • 5 posts
  •  
    Canada

Posted 13 January 2015 - 03:28 PM

Hello fellow reboot users & admins,

I have created this account & topic to let you know I have discovered your website is likely or was likely compromised.

Details:

hxxp://reboot.pro/topic/17445-fast-boot-windows-pe-30/?ipbv=2869ecba9b8260ad11731742946f6708&f=public/js/ips.quickpm.js

redirects users to hxxp://alnera.eu/D371FF06.js?cp=reboot.pro

This is a DotkaChef EK pattern from 2013ish.

alnera.eu is sinkholed but this shows your website is/was compromised.

wget --user-agent="Mozilla/5.0 (Windows NT 5.2; rv:2.0.1) Gecko/20100101 Firefox/4.0.1" 'reboot.pro/topic/17445-fast-boot-windows-pe-30/?ipbv=2869ecba9b8260ad11731742946f6708&f=public/js/ips.quickpm.js'

--2015-01-13 10:23:40--  http://reboot.pro/to.../ips.quickpm.js
Resolving reboot.pro (reboot.pro)... 104.28.9.123, 104.28.8.123, 2400:cb00:2048:1::681c:97b, ...
Connecting to reboot.pro (reboot.pro)|104.28.9.123|:80... connected.
HTTP request sent, awaiting response... 302 Found

--2015-01-13 10:24:00--  http://alnera.eu/D37...s?cp=reboot.pro
Resolving alnera.eu (alnera.eu)... 31.170.178.179, 31.170.179.179
Connecting to alnera.eu (alnera.eu)|31.170.178.179|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 0 [text/html]

Please let me know if you need further details and I would request you investigate this.

Edited by revrepo, 13 January 2015 - 03:32 PM.
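The wget transcript above is the whole evidence in this post: a request to the site's own script URL answers 302 and the next hop lands on a foreign host. The parser below turns such a transcript into a hop list and flags hops that leave the expected host. It is an added example, not code from the post or from the forum software; the log it parses is a constructed copy modelled on the transcript above.

```python
import re
from urllib.parse import urlsplit

# Constructed sample, modelled on the wget transcript in the post above
# (not a live capture; the second hop is the indicator the poster describes).
WGET_LOG = """\
--2015-01-13 10:23:40--  http://reboot.pro/topic/17445-fast-boot-windows-pe-30/?f=public/js/ips.quickpm.js
Resolving reboot.pro (reboot.pro)... 104.28.9.123, 104.28.8.123
Connecting to reboot.pro (reboot.pro)|104.28.9.123|:80... connected.
HTTP request sent, awaiting response... 302 Found
--2015-01-13 10:24:00--  http://alnera.eu/D371FF06.js?cp=reboot.pro
Resolving alnera.eu (alnera.eu)... 31.170.178.179, 31.170.179.179
Connecting to alnera.eu (alnera.eu)|31.170.178.179|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 0 [text/html]
"""

# wget prints "--YYYY-MM-DD HH:MM:SS--  <url>" once per request it issues,
# and the status of that request on a later "awaiting response..." line.
HOP_RE = re.compile(r"^--\d{4}-\d\d-\d\d \d\d:\d\d:\d\d--\s+(\S+)$")
STATUS_RE = re.compile(r"awaiting response\.\.\. (\d{3}) ")


def parse_hops(log):
    """Return [(url, http_status), ...] in the order wget requested them."""
    hops = []
    for line in log.splitlines():
        m = HOP_RE.match(line)
        if m:
            hops.append([m.group(1), None])  # status filled in when it arrives
            continue
        m = STATUS_RE.search(line)
        if m and hops and hops[-1][1] is None:
            hops[-1][1] = int(m.group(1))
    return [tuple(h) for h in hops]


def offsite_hops(log, expected_host):
    """Hops whose host is not the site being checked: the redirect-to-third-party
    pattern that the poster used as the sign of compromise."""
    return [(url, code) for url, code in parse_hops(log)
            if urlsplit(url).hostname != expected_host]
```

Run it over a fresh `wget` transcript of any script URL on the site; an empty result from `offsite_hops` means the script is served from the site itself.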


#2 Nuno Brito

Nuno Brito

    Platinum Member

  • Team Reboot
  • 10448 posts
  • Location:boot.wim
  • Interests:I'm just a quiet simple person with a very quiet simple life living one day at a time..
  •  
    European Union

Posted 13 January 2015 - 04:59 PM

Hello,

Thanks, there have been complaints about alnera.eu but my impression is that it was deployed directly by Google AdWords, not by the site itself.

I've renamed ips.quickpm.js to something else. Not sure if this file is compromised or not; it doesn't really affect the forum's functioning much either way while we see what is happening.

Which steps do you think can be taken to clean/remove this problem?

Otherwise my opinion remains the same: Google delivers the alnera JavaScript through the advertisement network.



#3 revrepo

revrepo
  • Members
  • 5 posts
  •  
    Canada

Posted 13 January 2015 - 05:19 PM

Well, I can tell you alnera.eu was bad in 2013 and since then has been sink-holed.

This appears to be part of an old compromise back in 2013 affecting IP.Board specifically.

I would contact IP.Board and ask them what to do.


#4 Wonko the Sane

Wonko the Sane

    The Finder

  • Advanced user
  • 13689 posts
  • Location:The Outside of the Asylum (gate is closed)
  •  
    Italy

Posted 13 January 2015 - 05:35 PM

Still, it seems like it is not such a catastrophe :unsure::
https://www.virustot...sis/1421169651/
http://www.google.co...?site=alnera.eu
 
The site is registered to a member of the RIPE NCC:
https://www.ripe.net.../cz.neroso.html
 
and regularly registered on EURID:
http://www.eurid.eu/

Domain name: alnera.eu
Status: REGISTERED
Registered: March 20, 2014
Expiry date: March 31, 2015
Last update: March 20, 2014, 9:39 pm

Registrant name: Anna Bednarova
Organisation: NEROSO Inst., s.r.o.
Language: Czech

 
Just for the record:
http://reboot.pro/to...alneraeu-virus/

Of course everything (and the contrary of it) is possible on the Internet...
 
:duff:
Wonko

#5 revrepo

revrepo
  • Members
  • 5 posts
  •  
    Canada

Posted 13 January 2015 - 06:02 PM

Correct, that's because they have sink-holed that domain.

It was bad in 2013 and they took it over to stop malicious redirects like this site has been doing.

Just because it's not being malicious now means nothing; the website was exploited back in 2013 and might still have backdoor access, you never know.

Best plan is to contact IP.Board for help and verify files.

You can see an old report here:

http://www.malware-t...7/08/index.html

alnera.eu redirects to malicious EKs.



#6 Nuno Brito

Nuno Brito

    Platinum Member

  • Team Reboot
  • 10448 posts
  • Location:boot.wim
  • Interests:I'm just a quiet simple person with a very quiet simple life living one day at a time..
  •  
    European Union

Posted 13 January 2015 - 06:26 PM

No hope for IPB support. They'll say something along the lines of: "Install your forum from scratch", to which I'll reply: "but that way we lose the attachments and other tweaks made on the forum", to which they reply: "you asked for a solution".

Basically, their support ends up causing more harm than a virus. We are still suffering from the times when the post content was trashed during an upgrade.



#7 revrepo

revrepo
  • Members
  • 5 posts
  •  
    Canada

Posted 13 January 2015 - 06:37 PM

Well then,

Removing that file is a good start, but there is no knowing what backdoors might have been set up.

Looks like a new platform is in order.



#8 Zoso

Zoso

    Silver Member

  • Advanced user
  • 640 posts
  •  
    Isle of Man

Posted 13 January 2015 - 08:22 PM

    Looks like a new platform is in order.

Hi revrepo, thanks for the alert about this.

The old forum (boot-land) software seemed to work flawlessly..

It wasn't as fashionable but it functioned much better than this one IMO.

So ironic that the highest-tech subjects you can find about anywhere are on such a buggy forum.

I think function over fashion is the best route in all cases. It can lead to Ferrari-ish results in the long run too.

Oh well, whatever works best for you Nuno. It is better than nothing like it is!

Thanks

#9 revrepo

revrepo
  • Members
  • 5 posts
  •  
    Canada

Posted 13 January 2015 - 08:26 PM

You're welcome :)

Just trying to help and save your users before something malicious happens again.



#10 Nuno Brito

Nuno Brito

    Platinum Member

  • Team Reboot
  • 10448 posts
  • Location:boot.wim
  • Interests:I'm just a quiet simple person with a very quiet simple life living one day at a time..
  •  
    European Union

Posted 13 January 2015 - 10:26 PM

My friends, I wish that it was possible to accommodate each and every request, but it is not an easy option.

Moving to another platform is an extreme option. Most members (like myself) have grown around forums built with IPB and it just works more or less the same manner for everyone when hopping across sites to participate.

In addition, changing to another forum software means a loss of attachments, user accounts and posts in some manner or other. While in the current process, we are completing a decade of existence with more or less the same data. IPB isn't the best software for a forum but works better than, say, phpBB and a few others. Changing to MyBB was on top of the table back in 2011, but then it was considered that the cost of change didn't really bring an overall improvement.

A forum software that recently caught my interest was the one seen on this site: http://forums.dotnetfoundation.org/

It is called Discourse. Looks great, seems to be headed in a direction where transition wouldn't seem problematic, but at the same time it breaks with the current way of finding content around here and requires everyone to use a more recent web browser, which is very often not the case that I see from the analytics.

So, it seems that the only upgrade we will have is going to happen within one year when the next IPB series is released.

What I could probably do in the meanwhile is try to identify the files inside the forum software and match them against a vanilla edition of the forum, to try to find if something was changed. However, this too requires time and plenty of effort, so it might take me a while to be able to do it.

Unless someone with a fair reputation on the forum offers himself to proceed.
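The vanilla-edition comparison proposed above can be done mechanically: hash every file in a clean copy of the release and in the deployed tree, then list what the deployed tree adds, changes or lacks. This is an added example, not code from the forum or from IPB; the two directory trees it compares are a constructed fixture built in a temporary directory, and the injected content is made up for the demo.

```python
import hashlib
import tempfile
from pathlib import Path


def tree_digests(root):
    """Map relative POSIX path -> sha256 hex digest for every regular file under root."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*") if p.is_file()}


def compare_trees(vanilla, deployed):
    """Return (added, modified, missing): files only in the deployed tree,
    files present in both but with different content, files only in vanilla.
    'added' and 'modified' are the ones to inspect by hand after an incident."""
    v, d = tree_digests(vanilla), tree_digests(deployed)
    added = sorted(set(d) - set(v))
    missing = sorted(set(v) - set(d))
    modified = sorted(p for p in set(v) & set(d) if v[p] != d[p])
    return added, modified, missing


def demo():
    """Constructed fixture: a vanilla copy and a deployed copy of a tiny forum tree.
    The deployed copy has one vendor file with text appended and one extra file."""
    with tempfile.TemporaryDirectory() as tmp:
        vanilla, deployed = Path(tmp, "vanilla"), Path(tmp, "deployed")
        for base in (vanilla, deployed):
            (base / "public/js").mkdir(parents=True)
            (base / "index.php").write_text("<?php // vanilla index (constructed)\n")
            (base / "public/js/ips.quickpm.js").write_text("// vanilla quickpm (constructed)\n")
        # simulate a post-install change: appended content and a file the vendor never shipped
        with open(deployed / "public/js/ips.quickpm.js", "a") as f:
            f.write("// appended after install (constructed)\n")
        (deployed / "public/js/extra.js").write_text("// not in the vanilla release (constructed)\n")
        return compare_trees(vanilla, deployed)


if __name__ == "__main__":
    added, modified, missing = demo()
    print("added:", added, "modified:", modified, "missing:", missing)
```

Point `compare_trees` at an unpacked copy of the same IPB release on one side and the live web root on the other; generated cache and upload directories will show up as "added" and should be excluded or reviewed separately.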



#11 Mikorist

Mikorist

    ▂ ▃ █ ▅ ▆

  • Advanced user
  • 737 posts
  •  
    United Nations

Posted 14 January 2015 - 02:08 AM

ips.quickpm.js is there again :fine:

The forum has been thoroughly scrubbed and cleaned from head to toe, disinfected from DotkaChef :w00t: :ph34r:, and upgraded to a fresh new version.
All should be fine again.

Have a nice day :thumbsup:




