Hack Attack Sorted

Avlis Headlines - www.avlis.org

Moderator: Event DM

spool32
Team Member; Retired with Honors
Posts: 13280
Joined: Sun Dec 12, 2004 6:12 pm
Timezone: GMT -6
Location: Austin, TX

Post by spool32 » Thu Jun 11, 2009 1:08 am

At the risk of the bastard reading this and just stomping us again, I think
I can say that the attacks have been fixed.
Please let me know if more problems occur...

-spool32
Success will be lovely, but you will have to go out and get it! Failure will invite itself in.


Your donation makes this sig possible!
Monthly donations help you Lose Weight Fast!
DM 101
Demonseed
Apprentice Scholar
Posts: 765
Joined: Tue Mar 29, 2005 2:37 pm
Location: the dank, dark underbelly of Brissle

Re: Hack Attack Sorted

Post by Demonseed » Thu Jun 11, 2009 6:13 pm

Coolio -
What they need to do with IPv6 is to embed GPS targeting co-ordinates in the IP address, that'd soon put a stop to it :twisted:
Kard Fynolds, Warrior of Dru'El
Zero Wefer, Sereg'Wethrin Assassin-in-training

Re: Hack Attack Sorted

Post by spool32 » Thu Jun 11, 2009 8:52 pm

No way dude.. I'll suffer a few cross-site scripting attacks to prevent "them" from GPS-locating me via my IP address. :shock:

Re: Hack Attack Sorted

Post by Demonseed » Thu Jun 11, 2009 11:27 pm

They already do that via your cellphone but yeah - I think we'll keep the targeting stuff for Santa . . .
Speedracer
Team Member; Retired with Honors
Posts: 1721
Joined: Tue Mar 07, 2006 7:39 am
Timezone: GMT -6 year round
DM Avatar: Maleki
Location: Saskatchewan, Canada. Time never changes in the land of living skies.

Re: Hack Attack Sorted

Post by Speedracer » Sat Jun 13, 2009 7:05 am

spool32 wrote: No way dude.. I'll suffer a few cross-site scripting attacks to prevent "them" from GPS-locating me via my IP address. :shock:
Dude, I'm totally watching you from my satellite camera right now.
Belasco
Master Sage
Posts: 6527
Joined: Sun Jan 28, 2007 4:04 pm
Timezone: GMT -5
Location: Austin, the ultimate Oasis

Re: Hack Attack Sorted

Post by Belasco » Sat Jun 13, 2009 8:12 am

spool32 wrote: No way dude.. I'll suffer a few cross-site scripting attacks to prevent "them" from GPS-locating me via my IP address. :shock:
Sweetheart... I hate to break it to you, but "they" already have Google Maps and IP lookups.
R. H. wrote: Why do some people blame everyone but themselves for their problems, if they don't get that they are the problem, then there is no solution!

Re: Hack Attack Sorted

Post by spool32 » Sat Jun 13, 2009 5:48 pm

Hush you, we'll end up running our lives through an anonymizer.

Re: Hack Attack Sorted

Post by Demonseed » Sat Jun 13, 2009 6:12 pm

You mean you don't already ???? :shock:

There is no such thing as "too paranoid" you know

Re: Hack Attack Sorted

Post by spool32 » Sat Jun 20, 2009 3:42 am

rowr!

For anyone not an Avlissian reading this, the wider internet community has been a fantastic help in sorting out the source of the constant compromises we've been suffering under. For the curious, the attack seems to be called the "r57shell exploit". I've removed what appears to be the source of the attacks from our webserver, and (cross fingers) that should be the end of it.

Whew. Fucking haxxorz.

-spool32
Korennya
CCC
Posts: 1969
Joined: Thu Jun 22, 2006 12:41 pm
Timezone: EST
Location: US GMT -5(-4)

Re: Hack Attack Sorted

Post by Korennya » Sat Jun 20, 2009 6:16 pm

This shitz have just annoying adware crap? Or were there hidden files attempting to DL passwords/personal info as well? I got hit with it last night and after a few hours of cleaning the system reports to be clean, but I'm still hesitant to go anywhere that requires entering a password let alone putting in any type of financial information.

And does anyone know how to remove specific system restore information? The only way I could get entirely cleaned out was to do a system scan followed by a system restore as it wasn't allowing regedits anymore. An unfortunate side effect is that now the virus is "stored" on the machine in one of the system restore data files, which only the OneCare Live program is detecting. Trend Micro's and AVG both don't seem to find those files.

The restore I chose was from last week so it should be clean, and the only way I know to purge the system restore files is to clear all but the most recent. That in theory should leave me clean now, but I'd rather have the option of removing all the restore files from the past day instead.

Re: Hack Attack Sorted

Post by spool32 » Sat Jun 20, 2009 6:22 pm

I don't know what exploits were pushed down from the target of the cross-site scripting. Try MalwareBytes for a very thorough removal of everything related to it.

http://www.malwarebytes.org/
gutemensch
CCC
Posts: 11850
Joined: Sun Sep 12, 2004 3:25 am
Timezone: -5
Location: Republic of Texas

Re: Hack Attack Sorted

Post by gutemensch » Sat Jun 20, 2009 6:26 pm

If you're running something like AVG, Trend Micro, or some of the others, look into ThreatFire by PC Tools. It's a lightweight second-tier protection against malware, trojans and worms.
Sathsarrion
Sage
Posts: 2683
Joined: Sun Aug 22, 2004 5:56 pm
Timezone: GMT+11
Location: Sydney

Re: Hack Attack Sorted

Post by Sathsarrion » Sun Jun 21, 2009 1:18 am

It was possibly just luck at my end, but Comodo AV/firewall appears to have been very effective at squashing this bug.

Using Firefox without Adblock, and set to allow all popups from this site and no other security besides Comodo, and I never saw even a hint of the attack. MalwareBytes couldn't find anything either.

Re: Hack Attack Sorted

Post by Korennya » Sun Jun 21, 2009 2:36 pm

Tried MalwareBytes which didn't find anything but cookies. Interestingly though, I had AVG running at the same time doing its active resident thingie and while malware was searching each file on the machine, AVG caught the viruses that got packed into the system restore files that it had missed earlier.

I'll run another 15th or so scan today while I'm out and hope everything comes up negative this time.

Is this ThreatFire a resident program or one you have to run manually every now and then?

Re: Hack Attack Sorted

Post by gutemensch » Sun Jun 21, 2009 4:03 pm

It's a resident program with an active shield and scheduled scans.

http://www.threatfire.com/

If it was in the system restore there's a decent chance it can reappear. Then best turn off system restore and delete all restore points with a disk cleanup. Scan again, and if the system is clean, then you can turn system restore back on.

Did you run a smart scan or a full scan in malware?

Re: Hack Attack Sorted

Post by Korennya » Mon Jun 22, 2009 12:50 am

I have since run every possible scan in these programs. Smart scans. Full scan. Fast, slow.. etc. The system restore files were deleted by the AVG/MALBITES combo scan. Or more accurately they were placed in the "virus vault" to which I said screw that shit and deleted them. The system has since run 2 "slow" scans through AVG and one through malware and come up clean all three times. Thus far it looks good.