Related Articles:
Major hack attack: 20/11/2004
Main sites pulled: 25/11/2004
PHPBB Attack: 29/11/2004

Xpire and Splitinfinity move to the forums:
The Xpire / Splitinfinity hackers have now apparently returned and are exploiting a well-known vulnerability in earlier versions of PHPBB - only instead of defacing the front pages (as many of the recent attacks exploiting this have done), they're inserting lines of JavaScript code into the boards, which then redirect to the new infection sites using the same IFRAMES vulnerability.
Make sure you have oranger.biz blocked in your HOSTS file with immediate effect!
It's not redirecting all the time, but when it is, you'd better tread carefully...
If logged in as Admin, the infective code will show up in "Forum Description" in the Forum Management menu as a series of numbers - these need to be deleted, and the admin then needs to update the board to 2.0.11 immediately.
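An audit of exported forum descriptions for this kind of injection might look like the sketch below. It is an added example, not part of the original article or of PHPBB itself. It assumes the "series of numbers" are decimal character codes (HTML numeric entities or a comma-separated list) and that the rows come from the `forum_desc` column of the `phpbb_forums` table; the sample rows and the host `infection-site.example` are constructed.

```python
import html
import re

# Assumption: the numbers are decimal character codes, written either as HTML
# numeric entities (&#60;&#105;...) or as a comma-separated list (60,105,...).
ENTITY_RUN = re.compile(r"(?:&#\d{2,3};){8,}")
CSV_RUN = re.compile(r"(?:\d{2,3}\s*,\s*){7,}\d{2,3}")
# Markup that has no business in a forum description.
ACTIVE_MARKUP = re.compile(
    r"<\s*(script|iframe)\b|window\.location|document\.write", re.I)

def decode_run(run):
    """Turn a run of character codes back into readable text for review."""
    if run.startswith("&#"):
        return html.unescape(run)
    return "".join(chr(int(n)) for n in re.findall(r"\d+", run))

def audit_description(desc):
    """Return a list of (reason, decoded_or_matched_text) findings."""
    findings = []
    for pattern, label in ((ENTITY_RUN, "entity-run"), (CSV_RUN, "charcode-run")):
        for match in pattern.finditer(desc):
            decoded = decode_run(match.group(0))
            if ACTIVE_MARKUP.search(decoded):
                label_out = label + "+active-markup"
            else:
                label_out = label
            findings.append((label_out, decoded))
    raw = ACTIVE_MARKUP.search(desc)
    if raw:
        findings.append(("active-markup", raw.group(0)))
    return findings

def audit_forums(rows):
    """rows: iterable of (forum_id, forum_desc). Returns {forum_id: findings}."""
    report = {}
    for forum_id, desc in rows:
        findings = audit_description(desc or "")
        if findings:
            report[forum_id] = findings
    return report

# Constructed sample data: one clean row and three tampered ones.
PAYLOAD = '<iframe src="http://infection-site.example/"></iframe>'
SAMPLE_ROWS = [
    (1, "General discussion and announcements"),
    (2, "Support " + "".join("&#%d;" % ord(c) for c in PAYLOAD)),
    (3, ",".join(str(ord(c)) for c in PAYLOAD)),
    (4, 'Off topic <script src="http://infection-site.example/x.js"></script>'),
]

if __name__ == "__main__":
    for forum_id, findings in audit_forums(SAMPLE_ROWS).items():
        print(forum_id, findings)
```

Any forum it flags still needs its description cleaned by hand and the board updated to 2.0.11, as described above.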
Below are just some of the files that try and hit you:
Shiva Burka Trojan horse
FTP99CMP Trojan horse
Backdoor/SubSeven Trojan horse
Default Block Ultor's Trojan horse
Default Block RASmin Trojan horse
Default Block Bla Trojan horse
Default Block Filenail Trojan horse
Default Block SubSeven 2.1/2.2 Trojan horse
Default Block WinCrash Trojan horse
If you don't want the hassle of hundreds of your board's users complaining about your site ruining their PCs (along with the strain of rebuilding your site), please upgrade ASAP.
In the next few days, I will be compiling and updating a permanent list of sites / servers affected by this problem. Please spread the word and point as many people as you can to the Xpire / Splitinfinity information pages, as we can't afford to let this thing spread any further than it has done. Submit this information to as many news sites as you can - if we all make a noise, someone has to listen. We've already made progress in this area, but the message needs to spread faster, especially as new methods are now being employed to infect end-users.
The document below has been updated to include details of another infection site - an interesting (and scary!) read:
DOWNLOAD:
Download the complete rundown in PDF format - detailing the server exploit, the packet injection process, the malware downloads, infected sites, how to protect your server and desktop PC:
Xpire/Splitinfinity Exploit: Server hack / Malware install analysis
Mirror, kindly hosted by Spyware Warrior.com
Paperghost
Please help spread the word by placing a link to this article on your sites. As much exposure as possible is needed here.
All Content © Vitalsecurity.org 2004. All Rights Reserved