Malicious script inserted into our site

  • Throughout the month of April 2024, participate in the FileJoker Thread Contest OPEN TO EVERYONE!

    From 1st to 30th of April 2024, members can earn cash rewards by posting Filejoker-Exclusive threads in the Direct-Downloads subforums.

    There are $1000 in prizes, and the top prize is $450!

    For the full rules and how to enter, check out the thread
  • Akiba-Online is sponsored by FileJoker.

    FileJoker is a required filehost for all new posts and content replies in the Direct Downloads subforums.

    Failure to include FileJoker links for Direct Download posts will result in deletion of your posts or worse.

    For more information see     this thread.
Status
Not open for further replies.
R

Rollyco

Team Tomoe
Oct 4, 2007
3,562
34
Sorry for the downtime, everyone.

We suffered an intrusion and had to shut the site down in order to conduct a security audit. It took so long because real-life responsibilities were taking up all of my time.

The attacker inserted a trojan dropper into the site. You may have noticed antivirus warnings while browsing the site. We don't know the exact nature of the trojan, but if you regularly visit Akiba-Online with an old version of your browser or Java/Flash/etc plugins, or noticed strange prompts, you might want to conduct a full system scan to ensure that you weren't infected with anything.

The attacker also had access to the database. If you have an easy-to-guess password on Akiba-Online, you might want to change it. Also, if you use the same password on other sites, you may want to visit those sites and change the password.

FYI: a good password is randomly generated, at least 14 characters long, and used only on one site. Google search for "random password generator".

If you have any concerns or comments, post in this thread.
 
R

Rollyco

Team Tomoe
Oct 4, 2007
3,562
34
For those that are interested, the malicious domains were akiba-online[dot]ipq[dot]co and xxl[dot]collegeslutz[dot]com. Do not visit those sites unless you know what you're doing. They are dangerous.

Attached to this post is the malicious javascript inserted into our pages and a java applet downloaded by the dropper. The archive password is VIRUS. Do not download unless you know what you're doing. If anybody wants to take a look and comment, feel free. (Java developers, can you deobfuscate?)
 
justjim2

justjim2

Active Member
May 14, 2009
118
20
Thank you

Thank you for taking time to root out the virus, malware, etc. I have noticed unrelated I am sure to this that my Google/Chrome browsing often is redirected to tell me "this page cannot be displayed" or some variation of the message. I guess after awhile it comes with the territory? Such is life! Compared to not too many years ago, browsing is much quicker even with dealing with these annoyances. Still...
Jim
 
R

Rollyco

Team Tomoe
Oct 4, 2007
3,562
34
Yes, the passwords are hashed using a md5(md5($pass).$uniquesalt) scheme. However, GPU bruteforcing can crack short passwords and easy-to-guess passwords rather quickly. An nVidia GTX250 can hash 140 million vBulletin passwords per second.
 
S

Sergil

New Member
Jul 31, 2009
39
0
Would a 9 character password be considered short? o.o Also, thanks for letting us know.
 
R

Rollyco

Team Tomoe
Oct 4, 2007
3,562
34
Sergil said:
Would a 9 character password be considered short?
Click to expand...
That depends. "iloveyou1" is too easy to crack. "xoF$^JX63" is adequate. If your account is valuable in some way (you are staff, or you have enemies), 9 random characters are absolutely not enough.
 
Desu

Desu

アッチョンブリケ
Jun 25, 2009
2,367
767
was the intrusion due to an already known VB vulnerability (without going into details)?
 
spikier

spikier

JAPAN:みんなのあい
Nov 13, 2008
1,855
14,612
good job. good job ^___^.

thank you, rollyco & others. for your constant hard efforts to keep this site going.
 
R

Rollyco

Team Tomoe
Oct 4, 2007
3,562
34
desioner

desioner

Sustaining L.I.F.E.
Staff member
Super Moderator
Nov 22, 2006
4,880
50,752
Would our e-mail addresses have also been compromised?
 
R

Rollyco

Team Tomoe
Oct 4, 2007
3,562
34
If he wanted to, he could have found out your email address.
 
gyoza ramen & a beer

gyoza ramen & a beer

Active Member
Feb 20, 2009
548
32
Can only access the site through Google. Typing "akiba-online.com", which always opened the site, now displays only a blank page with "akiba-online is back" in the upper-left corner.
 
A

aj_chichi

Member
May 19, 2010
56
0
I got :scared: not because of the hacker.. but because I cant access any good porn for the past 2 days :pandalaugh:

Ahahahha anyway.. Its a good thing he didnt flush the account database :rofl:
 
R

Rollyco

Team Tomoe
Oct 4, 2007
3,562
34
The DNS records were probably only partially updated. www.akiba-online.com points to the right IP address, but akiba-online.com doesn't. Wait for chompy to fix it.
 
Status
Not open for further replies.
Top Bottom