3dmm.com > Administrative Contact
#1  05-17-2013, 11:38 PM  Eukos (Senior Member; Join Date: Feb 2012; Posts: 3,133)
3dmm.com might be infected

I haven't been exactly very active lately, but I showed up today to check what's ringing, and after a quick Google search I got redirected to a site called filestore72.info. No, don't attempt to visit that site, since it executes malicious code and will most likely affect your computer.

It's caused by a vBulletin hack, apparently; 3dmm is the only forum I visit that uses it, so this is the place to go.

Here is a guide that should say what's shaking:
http://club.myce.com/f20/vbulletin-m...e-them-332219/

I have had these issues before, with exactly those sites.
I have been using Chrome until a few weeks ago when I switched to Opera and have experienced now the same.

Space Goat, please check if your forum is infected, just to be sure. I am about to shut the net here down and see if my PC has been infected. Good night!


#2  05-18-2013, 12:16 AM  Eukos (Senior Member; Join Date: Feb 2012; Posts: 3,133)
Scan finished quicker than I expected.

Quote:
Malwarebytes Anti-Malware (PRO) 1.75.0.1300
www.malwarebytes.org

Database version: v2013.05.17.07

Windows Vista Service Pack 2 x86 NTFS
Internet Explorer 7.0.6002.18005
eukara :: EUKARA-PC [administrator]

Protection: Enabled

18/05/2013 01:48:14
mbam-log-2013-05-18 (01-48-14).txt

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 3
C:\Windows\System32\msvfd32.exe (Trojan.Clicker.CT) -> Quarantined and deleted successfully.
C:\Users\eukara\AppData\Local\Temp\IXP001.TMP\flaudit.exe (Trojan.Clicker.CT) -> Quarantined and deleted successfully.
C:\Users\eukara\AppData\Local\Temp\mrt86F0.tmp\stdrt.exe (Trojan.Clicker.CT) -> Quarantined and deleted successfully.

(end)

The malware is dated TODAY. And you guys are the only forum that I've visited.


#3  05-18-2013, 12:17 AM  Tuna Hematoma (Senior Member; Join Date: Oct 2001; Posts: 10,055)
Space Goat probably won't be around here any time soon. He's pretty down since Dick Trickle killed himself.


#4  05-18-2013, 11:54 AM  Space Goat (Administrator; Join Date: Sep 2001; Posts: 6,042)
I'm looking into it now, I will update this thread shortly with what I find (if anything).
#5  05-18-2013, 02:03 PM  Space Goat (Administrator; Join Date: Sep 2001; Posts: 6,042)
I've not found any evidence that the site has been compromised.

I tried reproducing the redirect you described, and was never able to. I used my own account, a dummy account, with and without proxies, google, yahoo, firefox, IE, every combination I could think of - and was never redirected.

I also searched through my plugin list and found no obfuscated code like what was documented in the thread you referred to. Also, this site uses no third-party plugins. All the custom plugins on this site were written by myself, and none of them appear to have been modified recently without my knowledge.

Another thing that makes me doubtful is that it was suggested the attacker is gaining entry to these sites through the admin control panel in vBulletin. If that is true, then it is extremely unlikely to work at 3dmm.com, because I added my own custom two-factor authentication method for all resources used by the admin panel way back in 2005. It is one-of-a-kind, and although defeatable, I would be really surprised if anyone took the time to bother with it if their objective is to infect as many sites as possible.

Last but not least, with the exception of the main page and maybe a few of the custom movie/review/mod pages, all content on this website is excluded by web crawlers, and has been for at least a couple of years now. Given the extremely reduced visibility this site receives on search engines presently, I can't really see what value infecting this site with a malicious redirect like this would have.

This is not to say that I don't believe you, and I intend to continue investigating - especially if other people begin reporting the same behavior. However, I think you also need to consider that your PC could have been infected elsewhere, and whatever it is, happens to be causing the same redirects to be applied to random search results in google.

You might be able to provide me with some more clues by answering the following... How often are you able to reproduce the redirect, what page are you trying to open, and with what search engine?
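The plugin review Space Goat describes in this post (reading through the plugin list for obfuscated code, and checking that none of the custom plugins changed without his knowledge) is worth scripting so it can be repeated. The following is an added example, not Space Goat's own tooling and not code from this thread. It assumes vBulletin 3.x keeps hook code in a `plugin` table with `pluginid`, `title`, `hookname`, `phpcode`, `product` and `active` columns, stands in a throwaway in-memory SQLite database with constructed rows for the live MySQL database, and flags generic PHP obfuscation markers (eval of a decoded string, long base64 literals, request-controlled function names, the preg_replace /e modifier) rather than any specific signature from the myce thread, which this page does not reproduce. The fingerprint and diff functions give the "modified without my knowledge" check a saved baseline to compare against.

```python
import hashlib
import re
import sqlite3

# Assumption: vBulletin 3.x stores hook code in the `plugin` table (columns
# include pluginid, title, hookname, phpcode, product, active). An in-memory
# SQLite database stands in for the forum's MySQL database in this example.
SCHEMA = """
CREATE TABLE plugin (
    pluginid INTEGER PRIMARY KEY,
    title    TEXT,
    hookname TEXT,
    phpcode  TEXT,
    product  TEXT,
    active   INTEGER
);
"""

# Constructed rows. Rows 1 and 2 imitate harmless custom plugins; row 3 imitates
# the shape of an injected hook (eval of a base64 blob) with a dummy payload.
ROWS = [
    (1, "Movie stats sidebar", "forumhome_complete",
     "$stats = fetch_movie_stats($vbulletin->db);", "vbulletin", 1),
    (2, "Reviewer badge", "postbit_display_complete",
     "if ($post['reviews'] > 0) { $post['badge'] = 'reviewer'; }", "vbulletin", 1),
    (3, "Untitled", "global_start",
     "eval(base64_decode('" + "QUFB" * 40 + "'));", "vbulletin", 1),
]

# Generic PHP obfuscation markers, not a signature for any particular hack.
INDICATORS = [
    ("eval of decoded string",
     re.compile(r"eval\s*\(\s*(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I)),
    ("long base64 literal", re.compile(r"['\"][A-Za-z0-9+/=]{80,}['\"]")),
    ("request-controlled function name",
     re.compile(r"\$_(GET|POST|REQUEST|COOKIE)\[[^\]]+\]\s*\(")),
    ("preg_replace with /e modifier",
     re.compile(r"preg_replace\s*\(\s*['\"][^'\"]*/[a-zA-Z]*e[a-zA-Z]*['\"]")),
]


def load_rows(rows):
    """Build the stand-in database from constructed rows."""
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    con.executemany("INSERT INTO plugin VALUES (?, ?, ?, ?, ?, ?)", rows)
    return con


def flag_obfuscated(con):
    """Active plugins that trip any indicator: [(pluginid, title, hookname, [indicator, ...])]."""
    hits = []
    query = "SELECT pluginid, title, hookname, phpcode FROM plugin WHERE active = 1 ORDER BY pluginid"
    for pid, title, hook, code in con.execute(query):
        found = [name for name, rx in INDICATORS if rx.search(code)]
        if found:
            hits.append((pid, title, hook, found))
    return hits


def fingerprint(con):
    """SHA-256 of every plugin's code, keyed by pluginid.

    Save the result once the plugins have been reviewed by hand. The plugin
    table keeps no modification time (assumption), so a stored baseline is
    the way to notice a hook that changed without the admin's knowledge.
    """
    return {pid: hashlib.sha256(code.encode("utf-8")).hexdigest()
            for pid, code in con.execute("SELECT pluginid, phpcode FROM plugin")}


def diff_baseline(baseline, current):
    """Plugins added, removed or changed relative to a saved baseline."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "changed": sorted(p for p in set(baseline) & set(current) if baseline[p] != current[p]),
    }


if __name__ == "__main__":
    baseline = fingerprint(load_rows(ROWS[:2]))   # the previously reviewed state
    con = load_rows(ROWS)                         # today's table
    for pid, title, hook, why in flag_obfuscated(con):
        print(f"plugin {pid} ({title!r} on {hook}): {', '.join(why)}")
    print("changes since baseline:", diff_baseline(baseline, fingerprint(con)))
```

Against a real installation the `SCHEMA`/`ROWS` part goes away and `con` becomes a MySQL connection; the queries are the same. The indicator list will produce false positives on legitimate plugins that embed encoded data, which is fine for a review tool: the point is a short list to read by hand, and the baseline diff catches the case the indicators miss, a plugin whose code changed at all.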
#6  05-18-2013, 04:29 PM  Space Goat (Administrator; Join Date: Sep 2001; Posts: 6,042)
I just took a look at the raw access logs from the past 3 weeks and found no record of anyone ever accessing the "misc.php" file along with the parameters this hack uses for its redirect. I feel 100% confident now that 3dmm.com is NOT infected, at least not with the same hack that is documented in the thread you referenced.

I should also point out that the vBSEO plugin appears to be at the center of most of these malicious redirect reports, and that 3dmm.com has never used this plugin.

Furthermore, while I was searching through the raw access logs, I traced the early HTTP requests from the IP address you used when you created this thread. The very first request of yours to reach the 3dmm.com server was at 18:38:57 EDT for index.php. The next request was at 18:39:03 EDT for forumdisplay.php?f=5 (you opened the testing forum). This was only about 6 seconds later, and you never re-requested index.php between these two requests. Based on this data, I'm making an educated guess that the redirect never came from 3dmm.com, because if it had, I would expect to see a re-request for index.php (you would have had to close the attack site and open 3dmm.com again) and also a longer amount of time between the first request and the second.

I will still continue to monitor this though, and of course, if anyone else experiences the problem, please note the time it occurred and report it to me ASAP.

Last edited by Space Goat : 05-18-2013 at 04:47 PM.
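The log review in this post (hunting for misc.php hits carrying the hack's redirect parameters, then reconstructing one visitor's request sequence to see whether index.php was re-requested and how long the gap was) is the kind of check worth keeping as a script so it can be re-run the next time someone reports a redirect. This is an added example, not Space Goat's own tooling and not code from the thread. It assumes the raw access logs are in Apache combined format and uses constructed sample lines, of which only the two 203.0.113.10 requests mirror the timestamps quoted above. The thread does not name the parameters the hack uses, so the misc.php check returns every parameterised hit for review instead of matching a signature, and the placeholder query string in the sample is not the real indicator. A third function lists visits arriving from a search-engine Referer, since the report in post #1 was of a redirect after a Google search.

```python
import re
from datetime import datetime
from urllib.parse import parse_qs, urlsplit

# Assumption: the raw access logs are in Apache "combined" format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample log. Only the first two 203.0.113.10 lines mirror what
# Space Goat quotes (index.php, then forumdisplay.php?f=5 six seconds later);
# everything else is made up. The misc.php query string is a placeholder, not
# the parameters the real hack used (the thread does not list them).
SAMPLE_LOG = """\
203.0.113.10 - - [17/May/2013:18:38:57 -0400] "GET /index.php HTTP/1.1" 200 41230 "http://www.google.com/search?q=3dmm" "Mozilla/5.0 (Windows NT 6.0) Opera/12.15"
203.0.113.10 - - [17/May/2013:18:39:03 -0400] "GET /forumdisplay.php?f=5 HTTP/1.1" 200 22011 "http://www.3dmm.com/index.php" "Mozilla/5.0 (Windows NT 6.0) Opera/12.15"
203.0.113.10 - - [17/May/2013:18:41:40 -0400] "GET /showthread.php?t=123 HTTP/1.1" 200 30112 "http://www.3dmm.com/forumdisplay.php?f=5" "Mozilla/5.0 (Windows NT 6.0) Opera/12.15"
198.51.100.7 - - [17/May/2013:19:02:10 -0400] "GET /misc.php?do=page&template=example HTTP/1.1" 200 1803 "-" "Mozilla/5.0"
198.51.100.7 - - [17/May/2013:19:02:12 -0400] "GET /index.php HTTP/1.1" 200 41230 "-" "Mozilla/5.0"
"""

SEARCH_HOSTS = ("google.", "yahoo.", "bing.")


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    rec["params"] = parse_qs(parts.query, keep_blank_values=True)
    return rec


def parse_log(lines):
    """Parse every line that matches and sort by time (raw logs are not guaranteed ordered)."""
    recs = [r for r in (parse_line(l) for l in lines) if r]
    recs.sort(key=lambda r: r["time"])
    return recs


def misc_php_requests(lines):
    """Every hit on misc.php that carried a query string: [(ip, time, params)].

    Space Goat looked for misc.php requests carrying the hack's redirect
    parameters. Their names are not on the page, so this returns all
    parameterised misc.php hits for the analyst to review.
    """
    return [(r["ip"], r["time"].isoformat(), r["params"])
            for r in parse_log(lines)
            if r["path"].endswith("/misc.php") and r["params"]]


def search_engine_arrivals(lines):
    """Hits whose Referer is a search engine: the visits a search-only redirect would fire on."""
    out = []
    for r in parse_log(lines):
        host = urlsplit(r["referer"]).netloc.lower()
        if any(s in host for s in SEARCH_HOSTS):
            out.append((r["ip"], r["time"].isoformat(), r["target"]))
    return out


def index_revisit_check(lines, ip):
    """Apply the reasoning from post #6 to one visitor.

    Had the visitor been bounced to an attack site from index.php, we would
    expect a second request for index.php before anything else, and a gap of
    more than a few seconds. Returns the first index.php hit, what followed it,
    the gap in seconds, and whether the following request was index.php again.
    """
    recs = [r for r in parse_log(lines) if r["ip"] == ip]
    for i, r in enumerate(recs):
        if not r["path"].endswith("/index.php"):
            continue
        rest = recs[i + 1:]
        if not rest:
            return {"first_index": r["time"].isoformat(), "next_target": None,
                    "gap_seconds": None, "index_rerequested": False}
        nxt = rest[0]
        return {"first_index": r["time"].isoformat(),
                "next_target": nxt["target"],
                "gap_seconds": int((nxt["time"] - r["time"]).total_seconds()),
                "index_rerequested": nxt["path"].endswith("/index.php")}
    return None


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print("misc.php hits with parameters:", misc_php_requests(lines))
    print("search-engine arrivals:", search_engine_arrivals(lines))
    print("203.0.113.10:", index_revisit_check(lines, "203.0.113.10"))
```

On a real log, `lines` would be read from the access_log file(s) for the three weeks in question. The visitor check is deliberately narrow: it says nothing about a redirect that fires on a page other than index.php, and a 6-second gap with no index.php re-request is evidence against the server-side redirect described in the linked thread, not proof that the PC was clean, which is the same caveat Space Goat attaches to his own conclusion.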
#7  05-18-2013, 05:14 PM  Izak MD (Senior Member; Join Date: Feb 2002; Posts: 8,877)
Thanks, Space Goat!! You're a good guy!!
#8  05-18-2013, 05:19 PM  Eukos (Senior Member; Join Date: Feb 2012; Posts: 3,133)
Thanks so much Goat!
I am still buff about how I got infected with this though...
It must have been some other site, not another forum though.


#9  05-18-2013, 07:23 PM  BjergClimber (Member; Join Date: Aug 2010; Posts: 738)
Quote:
Originally Posted by Eukos
I am still buff about how I got infected with this though...

What exactly did you get infected with? Steroids?
#10  05-18-2013, 08:16 PM  Bobby Swisha (Senior Member; Join Date: Apr 2002; Posts: 46,012)
We get a thread like this about once a month now. Last time it was from Chris Lohr.
#11  05-18-2013, 08:23 PM  Space Goat (Administrator; Join Date: Sep 2001; Posts: 6,042)
Chris' problem was likely an issue with his DNS server, and the website he was getting redirected to wasn't malicious. I don't recall any other incidents prior to that one.
#12  05-19-2013, 01:04 AM  Slime (Senior Member; Join Date: Oct 2001; Posts: 24,891)
Yeah, I stopped using Google DNS and haven't had my problem since.
#13  05-19-2013, 04:56 AM  Compcat (Senior Member; Join Date: Mar 2004; Posts: 8,810)
Quote:
Originally Posted by Tuna Hematoma
Space Goat probably wont be around here any time soon. He's pretty down since Dick Trickle killed himself
Haha, I had to look up the name. As I was typing it into Google I felt like an idiot, because it sounds like such a stupid fake name. Lo and behold, there was actually a man named Dick Trickle.
#14  05-19-2013, 07:21 AM  Evil Ash (Senior Member; Join Date: Apr 2003; Posts: 15,534)
My name's Eukos and I'm too smart to get viruses from looking at porn, so I'm going to blame 3dmm and some crazy code or something.
#15  05-19-2013, 12:29 PM  Eukos (Senior Member; Join Date: Feb 2012; Posts: 3,133)
I only said it might be infected, because this is the only forum I visited recently that uses vBulletin, and the thing gets injected into them.
So if there's a chance that my fellow 3dmm buddies could be under the risk of being infected with some malware shit, I'd tell them, 'cause I'm not a cunt.


#16  05-19-2013, 12:56 PM  Space Goat (Administrator; Join Date: Sep 2001; Posts: 6,042)
I will admit, it is concerning that you described the exact problem that seems to be affecting a lot of vBulletin forums. I ruled out the attack method described in the thread you linked me to, but I haven't ruled out yet the possibility of another method of infection that is causing the same thing.

Are you ever able to reproduce it, Eukos?
#17  05-19-2013, 01:42 PM  Eukos (Senior Member; Join Date: Feb 2012; Posts: 3,133)
I haven't experienced it again since I cleaned my computer from their malware, so no, not yet, but seeing as it happened quite a few times in the past, one of the websites I visit regularly has to be infected.

I haven't found anything suspicious in my browsing history; the only boards I've visited recently were 3dmm and the boards that I found while researching the virus. I don't go onto any suspicious websites really, I barely ever use Google anymore and just do what I want over my bookmarks.


#18  06-15-2013, 09:38 PM  Scdaniel Greeny (Junior Member; Join Date: Jul 2012; Posts: 192)
I'm not getting it, but a while back Emuparadise almost gave my whole PC a virus! But it failed; I restarted the PC quickly and never got back on there again!


#19  06-16-2013, 01:46 PM  Nixon (Senior Member; Join Date: Aug 2008; Posts: 4,293)
Stay in the 3D Movie Maker sections, please.


#20  06-25-2013, 03:25 AM  Ness (Banned; Join Date: Jun 2013; Posts: 4)
*BUMP*
OK... that'll teach SCD a lesson.
#21  07-20-2013, 07:31 PM  Eukos (Senior Member; Join Date: Feb 2012; Posts: 3,133)
It seems like I have solved this thing.
I could only redo this on Google Chrome; it seems like Firefox is not affected by this... but no guarantees.
Like Goat had said earlier, vBSEO is at the center of this thing, MySQL injection or whatever... plugin hacks inserted into a forum which redirect to the fishy "file site" when coming from Google (to catch the least attention, I assume, since most forum goers have their site bookmarked).

Once you get redirected to that site you need to leave immediately.
Meaning 3dmm hasn't been infected, but most other forums have.


Powered by vBulletin Version 3.5.3
Copyright ©2000 - 2022, Jelsoft Enterprises Ltd.