
Thread: forums.totalwar.org busted?

  1. #1
    Nachtmeister's Avatar Murakawa
    Join Date
    May 2009
    Location
    Hamburg, Germany
    Posts
    5

    Default forums.totalwar.org busted?

    Hello everyone, I hope to find some people here who might know me from the .org's EB forum
    and maybe even be concerned about this themselves.
    I apologize for posting not directly related to EB - but search engines are so far not yielding any
    hits on this and I need to know whether the problem is with my machine or with the forum:



    This is with current Opera Browser and Mozilla; there was something going around about an ad at the
    bottom of every .org page trying to hijack Internet Explorer 7 but normally in Opera the ad was just
    replaced by an error message without impeding the site's performance noticeably.
    Now, the content can not be seen; even the user control panel is defunct.
    Any ideas what's going on?
    Obviously, this forum is *working* perfectly, so I doubt that it has something to do with my configuration.

  2. #2
    MarcusAureliusAntoninus's Avatar Chugen
    Join Date
    Aug 2006
    Location
    Oregon
    Posts
    2,310

    Default Re: forums.totalwar.org busted?

    Yeah, I'm having problems getting the org to work, too.
    Unfortunate, too, since I haven't been to the forums in a week and finally had the time to catch up on what I missed but can't since the internal EB forums are at the org.

  3. #3
    blado's Avatar Sukauto
    Join Date
    Dec 2007
    Posts
    67

    Default Re: forums.totalwar.org busted?

    Yup, I can't get on either

  4. #4
    HunGeneral's Avatar Chinen
    Join Date
    Jul 2008
    Posts
    355

    Default Re: forums.totalwar.org busted?

    I have been having the same problem - only that by now nothing under EB bug reports can be seen...
    "He will die, but you will be destroyed" - Marion. From the AAR "Sword of Albion" by Theodotos I.


  5. #5
    Vasiliyi's Avatar Aoba
    Join Date
    May 2009
    Posts
    40

    Default Re: forums.totalwar.org busted?

    You're not alone

  6. #6
    Shisai
    Join Date
    Nov 2008
    Posts
    371

    Default Attention: Looks like the Org has been compromised (malicious code injection) !!

    Yes. Busted. Compromised. Malware.

    Posted somewhere else about this; here goes:
    Quote Originally Posted by Tellos Athenaios View Post
    Just look at the source code of the oddly empty EB forums...
    HTML Code:
    <div style="display:none"><!--917560613--><p>As a result requests for <a href="http://club-ajt.org/?ubfe=104">free online 7 hand poker</a> from the VAF are on the rise. <!--336198738--><p>This Notification may be cited as the Securities and Futures (Offers of Investments) (Collective <a href="http://kinam.org/foro/index.php/?bfkz=163">james bond 007 casino royal</a> Schemes) (Exemption) Notification 2002 and shall come into operation on 1st July 2002. <!--124322892-->
    ... To:
    HTML Code:
    <p>If you refer your friends and family we'll pay you even more <a href="http://www.norwayfishing.nl/forum1/index.php?ryhm=127">roulette game online which</a> and shares. <!--974359407--><p>This is the perfect site for women who are in need of quick <a href="http://gnepal.com/forum/index.php?ywop=81">casino burnaby bc</a> assistance. </div>
    That's all injected code. Possibly there's injected JavaScript also; which is to say that if you *did* see a page with all sorts of adverts (I didn't because of the style="display:none;" and if there was JavaScript to make it appear, it didn't work in Opera) I would suggest doing Virus/Adware/Spyware/Other-malware scans, as we are dealing with what looks to be an XSS attack [a hacker's favourite for silently installing software on a Windows system].
    And:

    Quote Originally Posted by Tellos Athenaios
    Just did some further research:

    The main Guild site totalwar.org is INFECTED with "RED SHERIFF" which is KNOWN MALWARE (Adware/Spyware).

    So to repeat: run those adware/spyware/virus/and other malware scans!

    Quote Originally Posted by Kiith_Terra; at: http://forums.relicnews.com/printthread.php?t=17519
    Incidentally, you can clean up a RedSheriff infection with Ad-Aware, a free SpyWare removal tool by Lavasoft.

    The insidious thing about Red Sheriff is that it is persistent -- like a virus, once you're infected, the infection remains. It can't run itself when you boot up, but once infected by a carrier (such as this board) it remains on your system until you reboot.

    It also leaves a part of itself on your hard drive, in a data structure called a "cookie". This part must be removed manually, or by Ad-Aware.

    Turn off JavaScript, folks ... these almost-viruses like RedSheriff ain't going away ... they're legal, if barely.

    And lest you think I'm being Cassandra here, just do a "View Source" and look for this text near the end of the listing:

    <!-- START RedSheriff Customer Intelligence V4 - Java v1.1 Revision: 1.8 -->
    <!-- COPYRIGHT 2002 Red Sheriff Limited -->

    If this is in the source and JavaScript is in your browser ... guess who's in your system?

    Some of you might be wondering whether HW2 itself might be collecting a few extra resources between missions, but my firewall tells me SP is just that. As for MP -- who knows?
    And further down:
    Quote Originally Posted by Dyntheos; at: the same site
    k the thing is it's not the forum. It's the ads that run on the forum. If you look, it's in the ad script. What you need to do is disallow first and third party cookies. Then set allows to "prompt". When you go to any site on the net you'll be asked for a cookie, "just say no". 99% of the time you don't need them. You'll only need them when YOU want info stored for YOUR use later, such as login info for forums.

    and run spybot. If you don't run with cookies disabled you will probably have 1.5 million evil registry entries and ad cookies from gator to alexa spread all over the place.
    Note that disallowing first party cookies (sites you visit) may break rather a lot of sites. But he/she is very much correct on the risks not being worth any benefits (there are none) in allowing 3rd party cookies.
    Shall I put up an announcement on the EB website?
    Last edited by Tellos Athenaios; May 14, 2009 at 04:53 PM. Reason: EDIT: Quoted quotes don't carry over without edits
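
Added example (not part of the original thread): a defender-side check for the pattern quoted in the post above, off-site links placed inside an element hidden with an inline style. The sample markup and its `.example` hosts are constructed, and `find_hidden_offsite_links` is a hypothetical helper name.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Inline styles that keep an element out of the rendered page.
HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)
VOID_TAGS = {"img", "br", "hr", "input", "meta", "link"}  # never get an end tag

# Constructed sample modelled on the quoted injection; all hosts are placeholders.
SAMPLE = """<html><body>
<div style="display:none"><!--917560613--><p>As a result requests for
<a href="http://spam-one.example/?ubfe=104">free online poker</a> are on the rise.
<p>If you refer your friends <a href="http://spam-two.example/index.php?ywop=81">casino</a>
<a href="/forumdisplay.php?f=70">relative link, same site</a></div>
<p>Visible post text with <a href="http://other.example/">a normal link</a></p></body></html>"""

class HiddenLinkFinder(HTMLParser):
    """Collect off-site links that sit inside an inline-hidden element."""
    def __init__(self, own_hosts):
        super().__init__()
        self.own_hosts = {h.lower() for h in own_hosts}
        # Tag name that opened the hidden region, and its nesting count.
        self.hidden_tag, self.depth = None, 0
        self.findings = []  # hrefs in document order

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if self.hidden_tag is None:
            hidden = HIDDEN_STYLE.search(attrs.get("style") or "")
            if not hidden or tag in VOID_TAGS:
                return
            self.hidden_tag, self.depth = tag, 1
        elif tag == self.hidden_tag:
            self.depth += 1
        host = (urlparse(attrs.get("href") or "").hostname or "").lower()
        if tag == "a" and host and host not in self.own_hosts:
            self.findings.append(attrs["href"])

    def handle_endtag(self, tag):
        # Counting only the opening tag name tolerates the unclosed <p> tags.
        if tag == self.hidden_tag:
            self.depth -= 1
            if self.depth == 0:
                self.hidden_tag = None

def find_hidden_offsite_links(html, own_hosts):
    finder = HiddenLinkFinder(own_hosts)
    finder.feed(html)
    finder.close()
    return finder.findings
```

Only inline `style` attributes are examined; content hidden through stylesheet classes or script needs a check against the rendered DOM instead.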

  7. #7
    Nachtmeister's Avatar Murakawa
    Join Date
    May 2009
    Location
    Hamburg, Germany
    Posts
    5

    Default Re: forums.totalwar.org busted?

    Yes, I suppose this deserves an EB-site update...
    I either access the .org via a "continue where quit" browser window or via the link on the EB website,
    so if there are others who proceed as I do an announcement might keep some systems from being infected.
    Or the usual link to the .org forum could be redirected to this thread; I'd edit a quote of your post to the OP.
    Or it could be redirected to the thread where you first posted about this in a similar manner.
    Last edited by Nachtmeister; May 14, 2009 at 07:38 PM.

  8. #8
    Shusai
    Join Date
    Sep 2005
    Posts
    1,647

    Icon3 Re: forums.totalwar.org busted?

    I can't access the .Org at all, nor contact TosaInu. I am not sure what is going on, but I did receive a forum update this morning (last post made at 20:17 GMT), so I suppose the .Org was back online at some point.

  9. #9
    Kabe difendā
    Join Date
    Dec 2008
    Posts
    48

    Default Re: forums.totalwar.org busted?

    I'm missing everybody already

  10. #10
    Yari-hei
    Join Date
    Feb 2008
    Posts
    104

    Default Re: forums.totalwar.org busted?

    What? like who? I'm happy to have a day without you guys!

  11. #11
    Ibn-Khaldun's Avatar Local God
    Join Date
    Feb 2008
    Location
    In the rainy Estonia..
    Posts
    253

    Default Re: forums.totalwar.org busted?

    Just like others I also can't access .Org and looks like my PC is infected too one way or the other.

    This all makes me wonder: Why would some people do this? Is it supposed to be fun or something? Creating viruses/malware/other stuff that could hurt other people??
    Kings of the Nile
    A Europa Barbarorum RPG in the Org

  12. #12
    Shashu
    Join Date
    Apr 2008
    Posts
    170

    Default Re: forums.totalwar.org busted?

    I'd advise everyone to run a spyware check, if you've tried to visit The EB totalwar.org forum in the last 12 hrs or so. I picked up a medium risk:- Trojan-Dropper.Agent.AUIB from there (almost certainly from there anyway, can never be totally sure)...cleaned everything now, and went back to revisit to check. Didn't pick up anything in 6 revisits. I ran Spyware Doctor, Spybot, and ATF cleaner.

    Anyways, it looks to me that it's more than just simple adware. Hope they get it sorted soon. If it isn't too much to ask, we really need an announcement here when it's completely safe to revisit.

  13. #13
    Shashu
    Join Date
    Apr 2008
    Posts
    170

    Default Re: forums.totalwar.org busted?

    Quote Originally Posted by Ibn-Khaldun View Post
    Just like others I also can't access .Org and looks like my PC is infected too one way or the other.

    This all makes me wonder: Why would some people do this? Is it supposed to be fun or something? Creating viruses/malware/other stuff that could hurt other people??
    It's to make money. Spyware isn't generally written by disenchanted kids anymore, it's written by teams of programmers. It's big business.

  14. #14
    Ibn-Khaldun's Avatar Local God
    Join Date
    Feb 2008
    Location
    In the rainy Estonia..
    Posts
    253

    Default Re: forums.totalwar.org busted?

    Unfortunately you are right.

    Also I would like an announcement when it's safe to visit .Org again!
    Kings of the Nile
    A Europa Barbarorum RPG in the Org

  15. #15
    Shusai
    Join Date
    Sep 2005
    Posts
    1,647

    Icon3 Re: forums.totalwar.org busted?

    I also checked my computer for malware, but I found nothing. I use Firefox + NoScript, so I am supposed to be safe from XSS attacks.

  16. #16
    Yoshihara
    Join Date
    Mar 2005
    Posts
    50

    Default Re: forums.totalwar.org busted?

    I'ma run a scan now. I have AVG and SUPERantispyware running, so maybe I'm protected.

    Firefox with adblock.

  17. #17
    Murakawa
    Join Date
    Oct 2008
    Posts
    14

    Default Re: forums.totalwar.org busted?

    What does it infect anyways? I have Firefox and I'm not infected..
    Is it an IE-only thing?

  18. #18
    Yoshihara
    Join Date
    Mar 2005
    Posts
    50

    Default Re: forums.totalwar.org busted?

    I had a few things, may be related, may not be.

    But they certainly seem buggered.

  19. #19
    Juvenal's Avatar love your noggin
    Join Date
    Apr 2006
    Location
    The Home Counties
    Posts
    3,471

    Default Re: forums.totalwar.org busted?

    Cheer up, it could be worse...

    http://news.bbc.co.uk/1/hi/technology/8049780.stm
    Flight simulator site Avsim has been "destroyed" by malicious hackers.

    The site, which launched in 1996, covered all aspects of flight simulation, although its main focus was on Microsoft's Flight Simulator.

    The attack took down the site's two servers and the owners had not established an external backup system.

    The site's founder, Tom Allensworth, said that the site would be down for the foreseeable future and was unsure if it would ever go back up.

    "The method of the hack makes recovery difficult, if not impossible, to recover from," Mr Allensworth said in a statement.

    "AVSIM is totally offline at this time and we expect to be so for some time to come. We are not able to predict when we will be back online, if we can come back at all. "
    imb39 ...is my daddy!
    See AARtistry in action: Spite of Severus and Severus the God


  20. #20
    Senshi
    Join Date
    Jun 2006
    Location
    Southampton, UK
    Posts
    1,567

    Default Re: forums.totalwar.org busted?

    I had the same problem but it seems I've managed to avoid picking up anything (ran avast virus scan, going to do an ad-aware just to be sure)

    Do we just have to wait till this code is removed or is there another way to access the forums?
