
Virus?

trekki (Posts: 1,394, Member)
edited January 2018 in General Discussion
Hello,
strange pages keep opening on my machine and my virus scanner constantly raises an alarm. Is that correct? :confused:


  • I14R10 (Posts: 140, Member)
    Me too. Trojan for mining bitcoins.
  • rojren (Louisville, Kentucky USA; Posts: 1,970, Member)
    "...aborted connection on cdn.cloudcoins.co because it was infected with JS:Miner-C [Trj]..."
  • MadKoiFish (Posts: 5,302, Member)
    Yeah, just block the site in the hosts file. Thinking that these URLs that are injected are rotating through, it is time, I think, to abandon ship again.

    https://coinhive.com/*
    Another URL to block.
    There are some other fishy things as well, like "blob:http://*".
    Each day we draw closer to the end.
  • MadKoiFish (Posts: 5,302, Member)
    Gonna actually bump this: use uBlock Origin (Chrome and Firefox) and just block all third-party scripts and whatnot on the site. I do not think ABP can do this without messing with the language it uses to block by site; it is all or nothing, or henpecking the content as it arrives.

    I hate to say it this way, as it also prohibits the REAL adverts for the site as well. I think uBlock, though, can green-light certain things. Make sure to google how the columns work. I managed to block third-party and retain the Google ads with the following URL info.

    https://github.com/gorhill/uBlock/wiki/Dynamic-filtering:-quick-guide

    I have been using uBlock on my tablet, as ABP is utter crap on Android: no element blocks, no custom filters, just some lame VPN-like behavior that chews up RAM and cycles, leading to eating the battery in less than an hour. Takes a while to figure out what does what, but eh, it works so far.
  • komaro (Canada; Posts: 752, Member)
    I use Adblock for Firefox, but had to include the coin URL. I hope they could put up a WordPress forum/social platform of some sort... at least they could rely on stronger security plugins.
  • MadKoiFish (Posts: 5,302, Member)
    As said elsewhere, or maybe here, it is the issue of vBulletin not supporting the older software this site runs on. Google "vbulletin hack" or "vbulletin security hole". Plugins have nothing to do with it.

    As for the URLs, yeah, someone ought to report all those crud Tumblr ones and all the ones that randomly show up. Also note: do not search SFM via Google or a search engine, as that will send you to a redirect of some sort, which is a common hack as well.

    As mentioned, I would use a script or ad blocker that can block all third-party scripts or frames, and can selectively block or allow specific elements or scripts. In that image you can see the red on the right in "3rd party" means anything that does not contain the SFM URL on it won't run, no matter what.

    Also note ad blockers do not necessarily block hacks, bad scripts etc., just adverts. Most have subscriptions that allow you to add exploits, hacks etc. or bad URLs. I would technically use a hosts file to block those as well: known evil URLs, and stop them loading on the system from any application. Like all those damned Adobe hive/botnet URLs and IPs.

    To note: in the past I recommended ABP, but that app starts to bloat like mad and does not always block frames or elements you select. Worse is, if you use a tab manager or other tool to load last tabs or windows from the last session, ABP will not be in effect on any pages loading in focus or behind other tabs. This is a new behavior for it; either it is something Firefox broke, or it is ABP playing games, or a limitation. So far uBlock Origin is the cleanest and fastest, even with my HUGE list of ABP custom blocks and subscribing to a tonne of uBlock subs. Only complaint is the pop-ups and element blocking is kludgy vs. ABP's add-ins.

    Heh, that list of crappy Russian image sites has grown.
    </head>
    <body>
    <div style="text-indent:-9999px; position:fixed">
    
    <a href="http://asuszenfone2.tumblr.com/">asuszenfone</a>
    <a href="http://izlehdfilm.tumblr.com/">film</a>
    <a href="https://guncelbegenihileleriinstagram.tumblr.com/">guncel be&#287;eni</a>
    <a href="https://guncelinstagramhileleri2017.tumblr.com/">guncel instagram</a>
    <a href="https://guncelinstagramtakipciyollari.tumblr.com/">instagram takipci</a>
    <a href="http://guncelhaberlerbugun.tumblr.com/">haberler</a>
    <a href="http://guncelhaberlerturkiye.tumblr.com/">guncel haberler</a>
    <a href="https://guncelinstagramtakiphileleri2017.tumblr.com/">instagram takip hileleri</a>
    <a href="http://haberlerioku.tumblr.com/">haberleri</a>
    <a href="https://instabayim.tumblr.com/">instabayim be&#287;eni</a>
    <a href="https://instabayimbegeni.tumblr.com/">instabayim</a>
    <a href="https://instagram200begenihilesi.tumblr.com/">instagram 200</a>
    <a href="https://instagram200takipcihilesi.tumblr.com/">instagram 200 takipci</a>
    <a href="https://instagram200yorumhilesi.tumblr.com/">instagram 200 yorum</a>
    <a href="https://instagrambegenihilesiucretsiz.tumblr.com/">instagram be&#287;eni hilesi</a>
    <a href="https://instagrambegenikasmahilesi.tumblr.com/">instagram be&#287;eni kasma</a>
    <a href="https://instagramgiris.tumblr.com/">instagram</a>
    <a href="https://instagramtakipciarttirma.tumblr.com/">instagram takipci</a>
    <a href="https://instagramtakipcikazan.tumblr.com/">instagram takipci</a>
    <a href="http://lgg5fiyati.tumblr.com/">lg5</a>
    <a href="http://samsungnote7.tumblr.com/">samsungnote</a>
    <a href="http://sondakikaturkiye.tumblr.com/">sondakika</a>
    <a href="http://sonyxperiaz5.tumblr.com/">sony</a>
    <a href="https://takipcigondermearaci.tumblr.com/">takipci</a>
    <a href="https://takipcigondermesitesi.tumblr.com/">takipci gonderme</a>
    <a href="http://turkiyesondakika.tumblr.com/">son dakika turkiye</a>
    <a href="http://diziizleyabanci.tumblr.com/">dizi</a>
    <a href="http://yenihaberleristanbul.tumblr.com/">haberler</a>
    <a href="https://instagramgunceltakipcikasma.tumblr.com/">instagram guncel takipci</a>
    <a href="https://ucretsizinstagramtakipcikas.tumblr.com/">ucretsiz instagram takipci</a>
    <a href="https://ucretsizinstagram500takip.tumblr.com/">ucretsiz instagram 500</a>
    <a href="https://ucretsizinstagramhileler.tumblr.com/">ucretsiz instagram</a>
    <a href="https://bedavainstagramtakipci.tumblr.com/">bedava instagram</a>
    <a href="https://ucretsizguncelinstagramtakip.tumblr.com/">ucretsiz guncel instagram</a>
    <a href="https://guncelinstagramhilelerikasma.tumblr.com/">guncel instagram hileleri</a>
    <a href="https://instagramtakipcikasmaucretsiz.tumblr.com/">instagram takipci</a>
    <a href="https://ucretsiztakipcihileinstagram.tumblr.com/">ucretsiz takipci</a>
    <a href="https://ucretsizinstagramhileleriguncel.tumblr.com/">ucretsiz instagram</a>
    <a href="https://ucretsizinstagramtakipcibegeni.tumblr.com/">takipci ve be&#287;eni</a>
    <a href="https://ucretsizinstagramhileleri.tumblr.com/">ucretsiz instagram</a>
    <a href="https://ucretsizinstagramtakipcihile.tumblr.com/">takipci</a>
    <a href="https://ucretsizinstagramtakipci.tumblr.com/">instagram</a>
    <a href="https://instagramtakipcikasmasitleri.tumblr.com/">instagram</a>
    <a href="https://ucretsizinstagramtakipcisite.tumblr.com/">instagram takipci</a>
    <a href="https://ucretsizinstagramtakipkasma.tumblr.com/">instagram takip</a>
    <a href="https://ucretsizinstagramtakipci1k.tumblr.com/">ilk ucretsiz</a>
    <a href="https://ucretsiztakipcikasmasiteniz.tumblr.com/">ucretsiz takipci kasma</a>
    <a href="https://instagramucretsiz1ktakipci.tumblr.com/">instagram ucretsiz</a>
    <a href="https://instagram1000takipcikazan.tumblr.com/">instagram 1000</a>
    <a href="https://instagram500takipcihileleri.tumblr.com/">instagram 500</a>
    <a href="https://instagramfenomentakipci.tumblr.com/">instagram</a>
    <a href="https://instagramucretsizbegenihilesi.tumblr.com/">instagram ucretsiz</a>
    <a href="https://instagramtakipcikazanmahile.tumblr.com/">instagram takipci</a>
    <a href="https://instagramfenomenyollari.tumblr.com/">instagram fenomen</a>
    <a href="https://instagramguncelbegenihile.tumblr.com/">instagram guncel</a>
    <a href="https://instagramgunceltakipci.tumblr.com/">instagram guncel</a>
    <a href="https://instagramtakibetakiphilesi.tumblr.com/">instagram takip</a>
    <a href="https://instagramtakipciucretsiz.tumblr.com/">instagram takipci ucretsiz</a>
    <a href="https://instagramtakipcikasmayollar.tumblr.com/">instagram takipci</a>
    <a href="https://instagramtakipciarttirmasite.tumblr.com/">instagram takipci</a>
    <a href="https://instagramtakipciucretsizkasma.tumblr.com/">instagram takipci ucretsiz</a>
    <a href="https://instagramtakipcikasalim.tumblr.com/">hemen takipci</a>
    <a href="https://instagramucretsizgunceltakipci.tumblr.com/">guncel instagram ucretsiz</a>
    <a href="https://instagramtakipci.tumblr.com/">instagram takipci</a>
    <a href="https://instagramtakipcinasilkasilir.tumblr.com/">instagram takipci nas&#305;l</a>
    <a href="https://instagrambegenihileguncel.tumblr.com/">instagram be&#287;eni</a>
    <a href="https://instagramtakipcinasilarrtir.tumblr.com/">instagram takipci nas&#305;l</a>
    <a href="https://instagramtakipcihileleriguncel.tumblr.com/">instagram takipci</a>
    <a href="https://instagramtakipcikasmahile.tumblr.com/">instagram takipci kasma</a>
    <a href="https://instagramucretsiztakipci.tumblr.com/">instagram ucretsiz</a>
    <a href="http://internetgazetesi.tumblr.com/">internet gazetesi</a>
    <a href="http://iphone8fiyati.tumblr.com/">iphone 8</a>
    
    </div>
    

    Dunno what that crap does short of exist in the code. It is only on the site's root, so shrug.
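    The hosts-file blocking MadKoiFish recommends in the posts above, as an added example that is not code from the thread: a small bash script that pins the miner and redirect domains named in this thread (coinhive.com, cdn.cloudcoins.co, crypto-loot.com) to 0.0.0.0 in whichever hosts file you hand it, and refuses to add a line that is already there. The function names, the hosts-file path as a parameter and the comment text are this example's own; only the domain list comes from the thread.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): block known miner/redirect hosts
# system-wide via the hosts file, so no application on the box can reach
# them. Works on any hosts file you pass in: /etc/hosts on Linux/macOS,
# C:\Windows\System32\drivers\etc\hosts on Windows (same line format).
set -u

# Domains named in this thread. 0.0.0.0 rather than 127.0.0.1 so the
# browser fails immediately instead of probing a local web server.
BLOCKED_DOMAINS="coinhive.com cdn.cloudcoins.co crypto-loot.com"

# escape_dots DOMAIN -- turn "a.b" into "a\.b" for use inside a regex.
escape_dots() { printf '%s' "$1" | sed 's/\./\\./g'; }

# hosts_is_blocked FILE DOMAIN -- true if DOMAIN is already pinned to
# 0.0.0.0 or 127.0.0.1 in FILE (leading whitespace and trailing comments ok).
hosts_is_blocked() {
    grep -Eq "^[[:space:]]*(0\.0\.0\.0|127\.0\.0\.1)[[:space:]]+$(escape_dots "$2")([[:space:]]|#|\$)" "$1"
}

# hosts_block FILE DOMAIN... -- append a block line for each domain not yet
# present. Idempotent: running it twice adds nothing, so it is safe in a
# cron job that re-applies the list.
hosts_block() {
    local file="$1" d
    shift
    for d in "$@"; do
        if ! hosts_is_blocked "$file" "$d"; then
            printf '0.0.0.0 %s  # cryptominer/redirect host, see scifi-meshes thread\n' "$d" >> "$file"
        fi
    done
}

# Dry run on a scratch copy first, then apply as root and restart the
# browser (or run `ipconfig /flushdns` on Windows) so cached lookups expire:
#   cp /etc/hosts /tmp/hosts.test && hosts_block /tmp/hosts.test $BLOCKED_DOMAINS
#   cp /etc/hosts /etc/hosts.bak  && hosts_block /etc/hosts      $BLOCKED_DOMAINS
```

    A hosts entry only stops name resolution; a script that is already loaded from a site you allow, or one served from an IP literal, still runs, which is why the in-browser third-party blocking from the earlier post is still needed alongside it.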
  • Guerrilla (Helsinki; Posts: 2,865, Administrator)
    The first crypto-miner was pretty easy to find and remove (it was encrypted but stuck out), but I haven't even figured out where this one is injected yet. You can circumvent the issue by adding crypto-loot.com to your adblock or whatever you're running (my uBlock actually blocked it on its own).

    Pretty sure the Turkish SEO crap on the index has been there ever since the last hack, but I haven't figured out where it gets added to the index. The file integrity checker is useless and I don't actually have access to default vbulletin files that I know 100% to be clean. As far as I can tell, it doesn't really do anything other than lurk right off the page trying to generate search engine rankings (which it probably isn't, since this blackhat SEO bull**** isn't supposed to work anymore).

    The redirects are a bigger issue, but like MKF said, they are very complicated to fix on our version of vBulletin.

    I realize this isn't ideal, and we really are working on something big to fix this, but in the meantime here are a couple of things to work around the biggest issues:

    1. Read the previous post from MKF. Good information there.
    2. The two crypto miners spotted so far are cloudcoins.co (which I'm pretty sure I removed) and crypto-loot.com (which I'm furiously looking for). Add both to your ad-blocker, if they're not there already.
    3. You should probably run an ad-blocker here (I run uBlock Origin). Some form of NoScript might be a good idea too, but may mess with actual site functionality.
    4. Only access the site by typing in the complete URL, or use a bookmark or whatever. Don't enter through a search engine, and access the forum index directly (www.scifi-meshes.com/forums/) to avoid most redirects.
    5. Maybe don't access the site on mobile for the time being.
    Comco: i entered it manually in the back end
    Join our fancy Discord Server!
  • Guerrilla (Helsinki; Posts: 2,865, Administrator)
    Ok, spent the better part of a working day digging through some very suspicious files. SEO crap and crypto-miner should be gone, at least for the time being, and I managed to track down and close down some security holes along the way. Redirects will need more research.

    I'm a little worried that the fixes I made are temporary, so you should keep your eyes open in any case, but at least we'll have a better handle on what happens if/when suspicious stuff appears on the index again.
  • MadKoiFish (Posts: 5,302, Member)
    Well, it lasted all but a day? At least the loot thing isn't there atm, just the others. Interesting thing is it is only on the new posts results vs. inside of any one thread.

    Heh, they come and go. Anyhow, I had posted something saying thanks, but it seems it got eaten or something, so thanks for the work at cleaning things up.
  • Guerrilla (Helsinki; Posts: 2,865, Administrator)
    Hmm... I can't seem to replicate that. I'm only getting the Google things, and those are supposed to be there, as far as I know. Where did you find those, and do they show up in the page source as well?
  • MadKoiFish (Posts: 5,302, Member)
    They randomly show up on "new posts".

    http://www.scifi-meshes.com/forums/search.php?do=getnew&contenttype=vBForum_Post

    I have not seen anything direct, but I am assuming it is injected through some CSS or whatnot. That or directly through the DNS, but that wouldn't fit the original hack. I have eliminated my machine, as I see these on 4 other PCs and a public IP and they show up. Only once in, say, 3 searches, I would say. I have yet to get them to show up in the root URL or while browsing anymore.

    I will try to grab the source code next time I see them, but if it is generated in some outside resource it won't show.
  • Guerrilla (Helsinki; Posts: 2,865, Administrator)
    Yeah, I've read some of the redirects only run once a day, try to hide themselves from admin accounts, and do all kinds of sneaky **** to avoid detection, which makes them really tricky to pin down. An element name or some similar clue would narrow down the code to sift through.

    I'll check the search related stuff. Seems like a good place to start.
  • Guerrilla (Helsinki; Posts: 2,865, Administrator)
    Cleaned up some JavaScript, but it wasn't exactly a surgical strike, so please report anything broken. Ideally, at least oei1 and mfio should be gone.
  • MadKoiFish (Posts: 5,302, Member)
    Looks like you got 'em, as I am sure they are all interrelated to each other.
  • Guerrilla (Helsinki; Posts: 2,865, Administrator)
    Monitoring is warning about naughty JavaScript again (probably a MyFileStore redirect), but I haven't been able to locate anything in the usual suspects yet.

    Let me know if you spot any weirdness, and try to make note of when and how it occurred, to hopefully narrow down the code I have to sift through a little.
  • MadKoiFish (Posts: 5,302, Member)
    MyFileStore is the one that screws up search engine results, i.e. search for anything about SFM or click any outside links to SFM and it redirects you to some crap spam site.

    https://club.myce.com/t/vbulletin-myfilestore-hack-find-the-traces-and-remove-them/304794

    I haven't read this all the way through, but it might help? A bit old, though: 2013. There seems to be a lot out there, as it seems fairly common to the abandonware editions of vB.
  • Guerrilla (Helsinki; Posts: 2,865, Administrator)
    Yeah, I've been reading that a lot lately.

    Anyway, located the dodgy code in datastore and removed it. Scans are showing up clean, so I guess we're good until the next time.
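    A way to do the file-hunting and after-cleanup monitoring described in Guerrilla's posts above (the integrity checker with no clean reference copy, a day spent sifting files, the code finally found in the datastore), as an added example that is not code from the thread or from vBulletin: a bash script that greps a webroot, plus a `mysqldump` of the vBulletin `datastore` table dropped into it, for the indicators named in this thread and for the common PHP eval-of-encoded-blob wrappers, and that keeps a sha256 manifest taken right after a cleanup so the next reinfection shows up as a changed or new file rather than as a visitor's AV warning. The function names, the indicator patterns beyond the thread's own domains, and the sample files used to exercise it are this example's own assumptions.

```shell
#!/usr/bin/env bash
# Added example, not from the thread or from vBulletin. Helpers for an admin
# who has no known-clean copy of the forum software to diff against:
#   scan_iocs      grep the webroot (and a datastore dump) for indicators
#   baseline_make  record sha256 of every file right after a cleanup
#   baseline_check report files changed or added since that manifest
set -u

# Indicators of compromise. Domains and "myfilestore" come from the thread;
# CoinHive.Anonymous is Coinhive's browser API entry point; the eval(...)
# wrappers are the usual PHP obfuscation; a referer check against search
# engines is how a redirect fires only for visitors arriving from Google;
# text-indent:-9999px is the off-screen container used for the SEO links.
IOC_REGEX='coinhive|crypto-loot|cloudcoins|myfilestore|CoinHive\.Anonymous|eval[[:space:]]*\([[:space:]]*(base64_decode|gzinflate|gzuncompress|str_rot13)|HTTP_REFERER[^;]*(google|bing|yahoo)|text-indent:[[:space:]]*-9999px'

# scan_iocs DIR -- list every source/template/dump file under DIR matching
# IOC_REGEX. To include the vBulletin datastore table (where the thread's
# admin found the injected code), dump it into DIR first:
#   mysqldump DBNAME datastore > DIR/datastore.sql
scan_iocs() {
    grep -rElI --include='*.php' --include='*.js' --include='*.html' \
         --include='*.htm' --include='*.tpl' --include='*.sql' \
         -- "$IOC_REGEX" "$1" | sort
}

# baseline_make DIR MANIFEST -- sha256 of every regular file under DIR,
# paths relative to DIR. Logs are skipped because they change constantly.
baseline_make() {
    (cd "$1" && find . -type f ! -name '*.log' -exec sha256sum {} + | sort -k2) > "$2"
}

# baseline_check DIR MANIFEST -- print files that changed or vanished
# (sha256sum reports them as FAILED) and files that did not exist when the
# manifest was taken (prefixed NEW:). Exit 1 on any finding, so a cron job
# can alert on nonzero status.
baseline_check() {
    local dir="$1" manifest expected actual rc=0
    manifest="$(cd "$(dirname "$2")" && pwd)/$(basename "$2")"
    if ! (cd "$dir" && sha256sum --quiet -c "$manifest"); then
        rc=1
    fi
    expected=$(mktemp); actual=$(mktemp)
    awk '{print $2}' "$manifest" | sort > "$expected"
    (cd "$dir" && find . -type f ! -name '*.log' | sort) > "$actual"
    if comm -23 "$actual" "$expected" | grep -q .; then
        comm -23 "$actual" "$expected" | sed 's/^/NEW: /'
        rc=1
    fi
    rm -f "$expected" "$actual"
    return "$rc"
}
```

    Take the manifest immediately after a cleanup you trust and store it outside the webroot, since an attacker with write access to the site can otherwise rewrite it along with the files. The grep is a first pass, not proof of cleanliness: code that hides from admin sessions or fires once a day, as described above, looks identical on disk to benign code until you read it, so treat every hit as a file to open, and every manifest change as a file to diff.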
  • Schimpfy (Posts: 1,632, Member)
    Thanks! It's nice being able to come here without the AVG warning. :D
  • Guerrilla (Helsinki; Posts: 2,865, Administrator)
    Redirects popped up again for a while. Should be cleaned up now.
  • Guerrilla (Helsinki; Posts: 2,865, Administrator)
    ... and again. Cleaned.