Twokinds ARCHIVE Forums

This forum is for the preservation of old threads from before the forum pruning.

All times are UTC - 5 hours




 Post subject: Re: Has the forum been compromised?
Posted: Sun Oct 12, 2008 9:26 pm
Citizen

Joined: Tue Sep 16, 2008 10:27 pm
Posts: 99
Anyone who allowed an ActiveX control to run on their computer while going to any of the pages on this server in the past day or two please check your computers for a file named "~.exe". If your computer does have this running on it please use Task Manager to stop it and then locate and delete it by using the search function.


 Post subject: Re: Has the forum been compromised?
Posted: Sun Oct 12, 2008 9:39 pm
Templar Inner Circle

Joined: Tue Jul 15, 2008 1:37 am
Posts: 3264
Location: Washington
My computer's treating the "~" as a wildcard, it seems.


 Post subject: Re: Has the forum been compromised?
Posted: Sun Oct 12, 2008 10:06 pm
Citizen

Joined: Tue Sep 16, 2008 10:27 pm
Posts: 99
FoobyKamikaze wrote:
My computer's treating the "~" as a wildcard, it seems.


Try placing "quotes" around the search term.


 Post subject: Re: Has the forum been compromised?
Posted: Sun Oct 12, 2008 10:10 pm
Templar Inner Circle

Joined: Tue Jul 15, 2008 1:37 am
Posts: 3264
Location: Washington
Either it's a tricksy little [censored] or I'm clean.


 Post subject: Re: Has the forum been compromised?
Posted: Sun Oct 12, 2008 11:30 pm
Citizen

Joined: Wed Jul 30, 2008 5:13 am
Posts: 96
OK... the board is clean thanks to the emergency upgrade to phpBB3. Quite honestly, I was just expecting Tom to remove the code from the infected pages (though it would take time), instead of upgrading.

Does anyone want to discuss the hack (the code, not the method) itself? The problem has been solved, and while looking through the code is interesting (bitwise operations, ignoring every 4th character in the encrypted string, etc.) it's not of interest to anyone... except maybe KitWiz and Robbie, and that may be better done over PM, if they care.


 Post subject: Re: Has the forum been compromised?
Posted: Mon Oct 13, 2008 8:00 am
Templar Inner Circle

Joined: Wed Mar 09, 2005 1:55 am
Posts: 2885
Location: Somewhere in my pants.
aj wrote:
Does anyone want to discuss the hack (the code, not the method) itself? The problem has been solved, and while looking through the code is interesting (bitwise operations, ignoring every 4th character in the encrypted string, etc.) it's not of interest to anyone... except maybe KitWiz and Robbie, and that may be better done over PM, if they care.

I normally would, but you lose me at bitwise operations. I hate bitwise operations. XD


 Post subject: Re: Has the forum been compromised?
Posted: Mon Oct 13, 2008 9:12 am
Citizen

Joined: Wed Jul 30, 2008 5:13 am
Posts: 96
Delusional Kangaroo wrote:
I normally would, but you lose me at bitwise operations. I hate bitwise operations. XD


My friend and I took 2 hours to work the whole thing out at school today. If I could find the person who wrote this, I'd probably congratulate them on their work, followed by kicking them really hard for applying it to bad stuff. It's bitshifting a number left by a varying number of places, doing a bitwise OR with another number, taking that number and bitwise XORing it with 156, then bitwise ANDing it with 255 to get it down to 8 bits. That doesn't include using the number of places that you bitwise shift the original number by as a variable to tell whether or not to skip the number (it skips every 4th ciphered character, but still uses that character as a starting point for the next operation).

We filled up the entire whiteboard (which is about 5 meters long and a meter high, if that's any indication of the work that we did). But it was FUN!!!
Image
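
The decoding steps described in the post above, as an added example that is not part of the original post and is not the script that was found on the forum. Only the shift / OR / XOR 156 / AND 255 sequence and the skipped fourth character come from the post; the 64-symbol alphabet, the 0/2/4/6 shift cycle and the names `decode` and `encodeSample` are assumptions made here so the hidden text can be recovered statically, without running it in a browser.

```javascript
// Added illustration: static decoder for the scheme described in the post.
// ASSUMPTIONS: the 64-symbol alphabet and the 0/2/4/6 shift cycle are chosen
// here; the real script's table and schedule are not shown in the thread.
const ALPHABET =
  "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
const XOR_KEY = 156; // constant quoted in the post

function decode(ciphertext) {
  const bytes = [];
  let prev = 0;
  for (let i = 0; i < ciphertext.length; i++) {
    const cur = ALPHABET.indexOf(ciphertext[i]);
    if (cur < 0) throw new Error(`unexpected symbol at offset ${i}`);
    const shift = (i % 4) * 2; // 0, 2, 4, 6 places
    if (shift !== 0) {
      // shift left, OR in the next value, XOR with 156, AND with 255
      const merged = (prev << shift) | (cur >> (6 - shift));
      bytes.push((merged ^ XOR_KEY) & 255);
    }
    // A skipped symbol emits nothing but still seeds the next step.
    prev = cur;
  }
  return String.fromCharCode(...bytes);
}

// Builds constructed test input for decode(); inverse of the steps above.
function encodeSample(text) {
  let bits = 0, nbits = 0, out = "";
  for (const ch of text) {
    bits = (bits << 8) | ((ch.charCodeAt(0) ^ XOR_KEY) & 255);
    nbits += 8;
    while (nbits >= 6) {
      nbits -= 6;
      out += ALPHABET[(bits >> nbits) & 63];
    }
    bits &= (1 << nbits) - 1; // keep only the bits not yet emitted
  }
  if (nbits > 0) out += ALPHABET[(bits << (6 - nbits)) & 63];
  return out;
}

// Constructed sample: harmless text standing in for a hidden script body.
const SAMPLE = encodeSample("hidden script text (constructed sample)");
console.log(SAMPLE, "->", decode(SAMPLE));
```
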


 Post subject: Re: Has the forum been compromised?
Posted: Mon Oct 13, 2008 9:25 am
Templar Master

Joined: Thu Jul 17, 2008 10:09 am
Posts: 443
Location: My own little fortress...
Well, I guess that's one way to fix the forums, or should I say replace the forums.


 Post subject: Re: Has the forum been compromised?
Posted: Mon Oct 13, 2008 9:35 am
Citizen

Joined: Wed May 21, 2008 10:08 am
Posts: 93
But what's all that math good for?

All I understand is:
1) 2kinds forum compromised (SQL injection? Webhost compromised? Some other flaw?)
2) Attackers inserted scripts that do some stuff but in the end try to open a corrupted .pdf file
3) Acrobat crashes, producing a certain side effect (running arbitrary code?)
4) Fixing the whole problem by upgrading to phpbb3

I have firefox and loving the noscript plugin <3


 Post subject: Re: Has the forum been compromised?
Posted: Mon Oct 13, 2008 9:54 am
Templar Master

Joined: Thu Jul 17, 2008 10:09 am
Posts: 443
Location: My own little fortress...
I believe the effects included but were not limited to AR crashes.


 Post subject: Re: Has the forum been compromised?
Posted: Mon Oct 13, 2008 10:13 am
Citizen

Joined: Wed Jul 30, 2008 5:13 am
Posts: 96
Cryzbl wrote:
But what's all that math good for?

All I understand is:
1) 2kinds forum compromised (SQL injection? Webhost compromised? Some other flaw?)
2) Attackers inserted scripts that do some stuff but in the end try to open a corrupted .pdf file
3) Acrobat crashes, producing a certain side effect (running arbitrary code?)
4) Fixing the whole problem by upgrading to phpbb3

I have firefox and loving the noscript plugin <3

This kind of attack is probably a result of the webhost being compromised... SQL injection is database-oriented, this was the insertion of code in individual php files. As for the opening a corrupted pdf file, the goal is to probably run arbitrary code, yes.

Upgrading the forum didn't fix the "whole" problem though - it just stopped the forum from displaying the script that starts doing stuff. All the servers involved in this are probably still up and running, and still spreading the malicious .pdf file.

As for the math, that was trying to figure out how the code was deciphered by the inserted script. It was hidden behind a layer of obfuscation. Why did I do it? For fun, I guess.


 Post subject: Re: Has the forum been compromised?
Posted: Mon Oct 13, 2008 11:58 am
Templar Inner Circle

Joined: Wed Jan 17, 2007 12:33 pm
Posts: 2879
Location: Nebraska, USA
I would imagine this is a drive-by download attack, so yeah, it's webhost-level: our server was vulnerable to the scripts that cause this modification, so a crawler identified us and we got infected. Though I will admit to not noticing anything fishy going on under IE7, and I'd expect to have seen something with this if it were working properly. That kind of suggests to me that the attack was out of a kit -- the guy who wrote it originally was very clever but the guy who threw it against us was perhaps less so? This sort of attack would be included in a number of the new hacker libraries, including Metasploit, I think.


 Post subject: Re: Has the forum been compromised?
Posted: Mon Oct 13, 2008 11:58 am
Master

Joined: Sat Sep 13, 2008 9:32 am
Posts: 210
Location: Belgium
So it wasn't my pc's fault yesterday when mcafee tried blocking the execution of scripts.

Plain and simple though, what files should we check our pc for, and delete? I heard "~.exe" but is it exactly "~.exe" or ending in that? Any others?


 Post subject: Re: Has the forum been compromised?
Posted: Mon Oct 13, 2008 12:03 pm
Templar Inner Circle

Joined: Wed Jan 17, 2007 12:33 pm
Posts: 2879
Location: Nebraska, USA
Fireball0236 wrote:
So it wasn't my pc's fault yesterday when mcafee tried blocking the execution of scripts.

Plain and simple though, what files should we check our pc for, and delete? I heard "~.exe" but is it exactly "~.exe" or ending in that? Any others?

Anything executable is a serious risk -- .exe, .bat, .scr, and .com were the classics. However, I've heard of malicious code being embedded in jpegs too. And nowadays, most people have their computers set up to open files according to their contents instead of by the extension, so a black hat can just rename a file to a harmless extension, and when you open it, it infects you anyway. That's what's caught me in the past: I purposely picked up something I knew was viral to look at it, renamed it to something harmless, and when I tried to take a look at it, Windows helpfully noticed it was an executable instead of a text file and ran it for me instead of opening it in Vim. I was not very pleased with the discovery of that setting, needless to say.


 Post subject: Re: Has the forum been compromised?
Posted: Mon Oct 13, 2008 1:11 pm
Citizen

Joined: Wed May 21, 2008 10:08 am
Posts: 93
aj wrote:
Cryzbl wrote:
snip
As for the math, that was trying to figure out how the code was deciphered by the inserted script. It was hidden behind a layer of obfuscation. Why did I do it? For fun, I guess.

Oh nice. :)


Also, I can't quote avwolf's post from the post editor...

When I click the 'quote' button it redirects to "http://twokindscomic.com/forum/avwolf"
Result: http://img252.imageshack.us/img252/1268/scrnvz2.png

EDIT: Apparently by clicking the 'quote' button in the post editor/creator whatever, leads to "http://twokindscomic.com/forum/*insert name of quoted person*"

