Categories

BitTorrent
Conferences
Direct Revenue
Julie Amero
Myspace
Podcasts
Postbag
The Big Ones
The Fourth Wall
Yapbrowser
Zango

Creative Commons License
All articles licensed
under a Creative
Commons License.  








Home | About me | Press | The Fourth Wall | Links

Monday, November 29, 2004

Xpire and Splitinfinity moves to the forums

The Xpire / Splitinfinity hackers have now apparently returned and are exploiting a well known vulnerability in earlier versions of PHPBB - only instead of defacing the front pages (as many of the recent attacks exploiting this have done), they're inserting lines of javascript code into the boards which then redirect to the new infection sites, using the same IFRAMES vulnerability. Make sure you have oranger.biz in your HOSTS file with immediate effect!
Its not redirecting all the time, but when it is, you'd better tread carefully...

If logged in as Admin, the infective code will show up in "Forum Description" in the Forum Management menu as a series of numbers - these need to be deleted, and the admin then needs to update the board to 2.0.11 immediately.

Below are just some of the files that try and hit you:

Shiva Burka Trojan horse
FTP99CMP Trojan horse
Backdoor/SubSeven Trojan horse
Default Block Ultor's Trojan horse.
Default Block RASmin Trojan horse
Default Block Bla Trojan horse
Default Block Filenail Trojan horse
Default Block SubSeven 2.1/2.2 Trojan horse
Default Block WinCrash Trojan horse

If you don't want the hassle of hundreds of your board's users complaining about your site ruining their PCs (along with the strain of rebuilding your site), please upgrade asap.

In the next few days, I will be compiling and updating a permanent list of sites / servers affected by this problem. Please spread the word and point as many people as you can to the Xpire / Splitinfinity information pages, as we can't afford to let this thing spread any further than it has done. Submit this information to as many news sites as you can - if we all make a noise, someone has to listen. We've already made progress in this area, but the message needs to spread faster, especially as new methods are now being employed to infect end-users.

The document below has been updated to include details of another infection site - an interesting (and scary!) read:

DOWNLOAD:

Download the complete rundown in PDF format - detailing the server exploit, the packet injection process, the malware downloads, infected sites, how to protect your server and desktop PC:

Xpire/Splitinfinity Exploit: Server hack / Malware install analysis

Mirror, kindly hosted by Spyware Warrior.com

posted by paperghost at 5:55 AM | Digg it!

All Content © Vitalsecurity.org 2006. The content of this site is entirely the opinion of Paperghost, and is in no way endorsed by FaceTime Communications. In other words - have a problem, come see me.