Did the GBS Penultimate Archive get infected?
I just browsed there right now, and I received a warning from my antivirus that an infected file got dumped into Firefox's cache. Moreover, it seems to have launched Acrobat Reader for unknown reasons. AdBlock also listed a few unfamiliar sites having embeds and iframes in the page, though I didn't have time to write them down or anything.
Yes. The JavaScript being generated is trying to write out a .exe file.
http://pastebin.com/d17168fc3
NSFs I've ripped:
http://www.angelfire.com/nc/ugetab/
A Searchable list of NSFs from other sites. In Internet Explorer, go to Edit>Find (on This Page)...
http://www.angelfire.com/nc/ugetab/NSFList.txt
Re: Did the GBS Penultimate Archive get infected?
Drag wrote:
> I just browsed there right now, and I received a warning from my antivirus that an infected file got dumped into Firefox's cache. Moreover, it seems to have launched Acrobat Reader for unknown reasons. AdBlock also listed a few unfamiliar sites having embeds and iframes in the page, though I didn't have time to write them down or anything.

Quite possible, unfortunately (I had to remove some virii links from Hoot Archive files).
Dunno what's the cause though... I'll see if there are any leaks and try to patch things up if possible.
//Edit
Removed the malware link, removed the page counter from Hoot Archive. Hope this was the cause...
If you viewed that page with Internet Explorer, you're likely infected. I modified it, and used some NoScript protection to prevent the PDF part from being downloaded while I worked out the code to put it to a text box.
ugetab wrote:
> If you viewed that page with Internet Explorer, you're likely infected. I modified it, and used some NoScript protection to prevent the PDF part from being downloaded while I worked out the code to put it to a text box.

That and everything hosted on the Hoot Archive account (so, GBS site, kingshriek's rip site, think that's all).
I've removed malware links from all sites, let's hope that's enough.
I used FF with NoScript. I could run the JavaScript and the NoScript plugin still killed the PDF execution. Since I knew it was malware from the start, I checked for write logs by Firefox, and looked for stuff going wrong, but it looks like it couldn't work even with permission to execute.
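For site owners cleaning up after an injection like the one discussed in this thread, the following is an added example (not code from any poster) that lists every iframe, embed, object, frame and external script in a page whose host is not on an allowlist. The hostnames, the sample page and the names `EmbedAuditor` and `audit_page` are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Tags that make the browser fetch a resource, and the attribute holding the URL.
FETCH_ATTRS = {"iframe": "src", "frame": "src", "embed": "src",
               "script": "src", "object": "data"}


class EmbedAuditor(HTMLParser):
    """Collects off-site embeds as (line, tag, host, url) tuples."""

    def __init__(self, site_host, allowed_hosts=()):
        super().__init__()
        self.trusted = {site_host.lower(), *(h.lower() for h in allowed_hosts)}
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attr = FETCH_ATTRS.get(tag)
        if attr is None:
            return
        url = dict(attrs).get(attr)
        if not url:
            return
        host = (urlparse(url).hostname or "").lower()
        # Relative URLs have no host and stay on the site itself.
        if host and host not in self.trusted:
            self.findings.append((self.getpos()[0], tag, host, url))


def audit_page(html, site_host, allowed_hosts=()):
    """Return every embed in `html` that loads from an untrusted host."""
    auditor = EmbedAuditor(site_host, allowed_hosts)
    auditor.feed(html)
    auditor.close()
    return auditor.findings


# Constructed sample page: one local script, one third-party counter,
# and two injected embeds pointing at an unfamiliar host.
SAMPLE = """<html><body>
<script src="/js/menu.js"></script>
<script src="http://counter.example/hit.js"></script>
<iframe src="http://unknown-host.example/x" width="1" height="1"></iframe>
<embed src="//unknown-host.example/doc.pdf">
</body></html>"""

if __name__ == "__main__":
    for line, tag, host, url in audit_page(SAMPLE, "archive.example"):
        print(f"line {line}: <{tag}> loads from {host} ({url})")
```

Running it over every hosted file before and after a cleanup shows whether any off-site embed remains; third-party widgets such as a page counter appear in the output unless they are explicitly allowlisted.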