Malicious script inserted into our site

Status
Not open for further replies.

Rollyco

Team Tomoe
Oct 4, 2007
3,556
34
Sorry for the downtime, everyone.

We suffered an intrusion and had to shut the site down in order to conduct a security audit. It took so long because real-life responsibilities were taking up all of my time.

The attacker inserted a trojan dropper into the site. You may have noticed antivirus warnings while browsing the site. We don't know the exact nature of the trojan, but if you regularly visit Akiba-Online with an old version of your browser or Java/Flash/etc plugins, or noticed strange prompts, you might want to conduct a full system scan to ensure that you weren't infected with anything.

The attacker also had access to the database. If you have an easy-to-guess password on Akiba-Online, you might want to change it. Also, if you use the same password on other sites, you may want to visit those sites and change the password.

FYI: a good password is randomly generated, at least 14 characters long, and used only on one site. Google search for "random password generator".

If you have any concerns or comments, post in this thread.
 

Rollyco

Team Tomoe
Oct 4, 2007
3,556
34
For those that are interested, the malicious domains were akiba-online[dot]ipq[dot]co and xxl[dot]collegeslutz[dot]com. Do not visit those sites unless you know what you're doing. They are dangerous.

Attached to this post is the malicious javascript inserted into our pages and a java applet downloaded by the dropper. The archive password is VIRUS. Do not download unless you know what you're doing. If anybody wants to take a look and comment, feel free. (Java developers, can you deobfuscate?)
 
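The post above names the two domains the injected script loaded from. As an added example (not code from the original thread or from Akiba-Online), here is the kind of scan an administrator would run over the web root after such an intrusion: it walks the templates and static files, pulls every script and iframe source, also decodes the common `document.write(unescape("%3Cscript..."))` obfuscation and rescans the decoded payload, and reports anything pointing at the known bad domains. The file names and page fragments in the block are constructed for the demonstration; the domain list is the one given in the post.

```python
"""Added example: locate script/iframe injections that load from known
malicious domains, including payloads hidden behind unescape().
Not part of the original post or of vBulletin; sample files are constructed."""
import re
import tempfile
from pathlib import Path
from urllib.parse import unquote

# The two domains named in the thread.
BAD_DOMAINS = ("akiba-online.ipq.co", "xxl.collegeslutz.com")

SCRIPT_SRC = re.compile(r"<script[^>]*\ssrc\s*=\s*['\"]?([^'\"\s>]+)", re.I)
IFRAME_SRC = re.compile(r"<iframe[^>]*\ssrc\s*=\s*['\"]?([^'\"\s>]+)", re.I)
# document.write(unescape('...')) is a common way injectors hide the tag.
UNESCAPE_ARG = re.compile(r"unescape\s*\(\s*(['\"])(.*?)\1\s*\)", re.I | re.S)


def _host_is_bad(url: str) -> bool:
    """Extract the host from an absolute or protocol-relative URL and
    compare it (and any subdomain) against BAD_DOMAINS."""
    host = re.sub(r"^(?:[a-z]+:)?//", "", url, flags=re.I).split("/")[0].lower()
    return any(host == d or host.endswith("." + d) for d in BAD_DOMAINS)


def _tag_hits(text: str, prefix: str = ""):
    out = []
    for rx, kind in ((SCRIPT_SRC, "script"), (IFRAME_SRC, "iframe")):
        for m in rx.finditer(text):
            url = m.group(1)
            if _host_is_bad(url):
                out.append((prefix + kind, url))
    return out


def find_injections(text: str):
    """Return a list of (kind, url) findings for one file's contents."""
    hits = _tag_hits(text)
    for m in UNESCAPE_ARG.finditer(text):
        decoded = unquote(m.group(2))
        inner = _tag_hits(decoded, prefix="unescape:")
        # An unescape() wrapper with no known-bad host is still worth a look.
        hits += inner if inner else [("suspicious-unescape", decoded[:60])]
    return hits


def scan_tree(root: Path, exts=(".html", ".htm", ".php", ".tpl", ".js")):
    """Scan every file under root with one of the given extensions."""
    findings = {}
    for p in root.rglob("*"):
        if p.is_file() and p.suffix.lower() in exts:
            hits = find_injections(p.read_text(errors="replace"))
            if hits:
                findings[str(p.relative_to(root))] = hits
    return findings


# Constructed sample pages: one clean, one with a plain injected tag,
# one with the tag hidden behind document.write(unescape(...)).
CLEAN = "<html><head><script src='/clientscript/vbulletin_global.js'></script></head></html>"
INJECTED = CLEAN + '\n<script src="http://akiba-online.ipq.co/x.js"></script>'
OBF = ("<script>document.write(unescape('%3Cscript src=%22http://xxl.collegeslutz.com/in.js%22"
       "%3E%3C/script%3E'))</script>")


def demo():
    """Write the constructed samples to a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "clean.html").write_text(CLEAN)
        (root / "index.php").write_text(INJECTED)
        (root / "footer.tpl").write_text(OBF)
        return scan_tree(root)


if __name__ == "__main__":
    for name, hits in demo().items():
        print(name, hits)
```

On a real web root the useful part is the second pass: an attacker who has write access to the templates rarely leaves a plain `<script src=...>` tag, so anything the scanner reports as `suspicious-unescape` should be decoded and read by hand before it is dismissed.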

justjim2

Active Member
May 14, 2009
118
20
Thank you

Thank you for taking time to root out the virus, malware, etc. I have noticed, unrelated to this I am sure, that my Google/Chrome browsing is often redirected to tell me "this page cannot be displayed" or some variation of the message. I guess after a while it comes with the territory? Such is life! Compared to not too many years ago, browsing is much quicker even with dealing with these annoyances. Still...
Jim
 

Rollyco

Team Tomoe
Oct 4, 2007
3,556
34
Yes, the passwords are hashed using a md5(md5($pass).$uniquesalt) scheme. However, GPU bruteforcing can crack short passwords and easy-to-guess passwords rather quickly. An nVidia GTX250 can hash 140 million vBulletin passwords per second.
 

Sergil

New Member
Jul 31, 2009
39
0
Would a 9 character password be considered short? o.o Also, thanks for letting us know.
 

Rollyco

Team Tomoe
Oct 4, 2007
3,556
34
Would a 9 character password be considered short?
That depends. "iloveyou1" is too easy to crack. "xoF$^JX63" is adequate. If your account is valuable in some way (you are staff, or you have enemies), 9 random characters are absolutely not enough.
 

Desu

アッチョンブリケ
Jun 25, 2009
2,367
769
was the intrusion due to an already known VB vulnerability (without going into details)?
 

spikier

JAPAN:みんなのあい
Nov 13, 2008
1,855
14,612
good job. good job ^___^.

thank you, rollyco & others. for your constant hard efforts to keep this site going.
 

desioner

Sustaining L.I.F.E.
Staff member
Super Moderator
Nov 22, 2006
4,873
50,759
Would our e-mail addresses have also been compromised?
 

Rollyco

Team Tomoe
Oct 4, 2007
3,556
34
If he wanted to, he could have found out your email address.
 

gyoza ramen & a beer

Active Member
Feb 20, 2009
548
33
Can only access the site through Google. Typing "akiba-online.com", which always opened the site, now displays only a blank page with "akiba-online is back" in the upper-left corner.
 

aj_chichi

Member
May 19, 2010
56
0
I got :scared: not because of the hacker, but because I can't access any good porn for the past 2 days :pandalaugh:

Ahahahha, anyway, it's a good thing he didn't flush the account database :rofl:
 

Rollyco

Team Tomoe
Oct 4, 2007
3,556
34
The DNS records were probably only partially updated. www.akiba-online.com points to the right IP address, but akiba-online.com doesn't. Wait for chompy to fix it.
 