[Latest] Possible Infection

FriendlyFire

Hello everyone,

For those of you who have visited the site between last Sunday (or possibly earlier) and today at the time of posting, we have to warn everyone that we have evidence The Starport has been hacked and malicious code has been inserted into the code.

This code may have attempted to install malware on your machine, even though it seems like the behavior is erratic and will not infect every single viewer.

Therefore, we ask everyone to run virus scans and Adware scans as soon as possible and to make backups if you haven’t already done so. We are investigating the possible causes behind such an attack and have tightened our security guidelines for the time being (in short, the server is just about locked down for a while) and we hope this will not happen again.

If anyone has any information on the matter, we would like to hear from you below.

We are sincerely sorry for any inconvenience this may have caused and hope you will still trust us despite this problem.

Thank you,

FriendlyFire

OPR8R

could you please specify what kind of malware so the visitors can scan for it?

Worfeh

Its a root kit. With a nice Trojan.

Dragnite_MU

Would probs explain the popup i got yesterday but as i had a few websites open at the same time i wasnt sure which one it had come from.

The site that came up was this one

macromedia.name/feed/one.php

I left off the http:// bit so that people dont go and click on it.

w0dk4

I encountered that one too.

To reveal a rootkit, use Rootkitrevealer:

http://technet.microsoft.com/de-de/sysinternals/bb897445.aspx

Mindhunter

Spybot encountered something yesterday i wasnt sure where it came from but i guess it was from tsp.

Thx for the warning anyway, i hope u will not have stupid attacks like this one again.

Regards
Mind

Wolfie

i didnt get infected

idk why tho lol…maybe it was google chrome, or NOD32

i mean, im a comp geek but idk why im not infected

EDIT: When thinking of it, i blocked that site it tried redirecting me to anyways lol, explains it

Bas

Unfortunally, I bashed my registry till that I am not longer able to scan with Ad-Aware or Spybot without getting a crash.

But luckily, I can’t remeber that pages have poped up, PLUS, I am using NoScript (Paranoia!!) - And it saved me, I guess.

(But however, I got a “Out Of Range” crash again, but since I have this for…some weeks, I guess it is because of my Registry, HDD or RAM)

FriendlyFire

NoScript saved you. The whole thing was an iframe which had an incomplete address. On page execution, a small javascript would complete the script if a counter was set to a certain value. That means not everyone who visited the page have been infected and anyone with disabled Javascript would not have been infected.

Trent

Did it ask you to download & execute a file or did it use some browser flaw to do a drive by attack that didn’t require user interactions?

Worfeh

It was a flash thing, so allmost anyone with the flash plugins enabled could be infected.

cheeseontoast

im not infected lol

Tunicle

It may be worth listing which programs detect the infection.

From above so far I guess Spybot does.

English version of above rootkit revealer
http://technet.microsoft.com/en-us/sysinternals/bb897445.aspx

Worfeh

Avast and Avira do to.

Chips

Was it an issue to do with Joomla being out of date or an addon likewise being insufficient?

Worfeh

Our version is not out of date and we run the latest patches, but still … we have an idea what caused it, we don’t know exactly witch bothers me somewhat.

M0tah

Was *nix vulnerable as well, or was it Windows only?

Worfeh

Windows only.

I found out what it whas after i booted up in Linux and it started to ask me stuff about installing crap.