Malware on your site?

Post by TeHashX » Sun Jan 22, 2017 12:57 am

Hi, I just discovered this while browsing this forum with Google Chrome on Windows 10: http://wccftech.com/malware-targets-chrome-users/
Here is a screenshot.
Attachments: Screenshot 2017-01-21 17.52.17.png

Re: Malware on your site?

Post by moon.linux » Sun Jan 22, 2017 11:18 am

I am using Google Chrome but could not observe this issue at my end.

Code:
Version 55.0.2883.87 m (64-bit)
Google Chrome is up to date.

Try to update your Google Chrome.

Re: Malware on your site?

Post by TeHashX » Sun Jan 22, 2017 9:54 pm

moon.linux wrote: I am using Google Chrome but could not observe this issue at my end.

Code:
Version 55.0.2883.87 m (64-bit)
Google Chrome is up to date.

Try to update your Google Chrome.

I have the same Chrome version on my PC and I get that message, but on my laptop, no... :(

Re: Malware on your site?

Post by deeproot » Tue Jan 24, 2017 2:21 am

Same popup and problem here on Chrome version 55.0.2883.87 m (64-bit Windows).

No extensions.

Re: Malware on your site?

Post by elatllat » Tue Jan 24, 2017 4:05 am

They are not using SSL (even though it's now free), so it's possible it's a local virus or an intermediate node (I was surprised, but I have actually seen this happen).
You might want to just install Adblock Plus as it can help, but for me it's only reporting one blocked item (http://www.google-analytics.com).
No issues here on Chrome 55.0.2883.95 or Firefox 50.1.0.
font-family: "Lucida Grande", "Trebuchet MS", Verdana, Helvetica, Arial, sans-serif;

Re: Malware on your site?

Post by Bendito999 » Tue Jan 24, 2017 7:58 am

I also ran into this problem, Chrome on Windows 10, coming from Google. uBlock Origin did not stop it. Of course I didn't click on it, but it may be tempting for some people. I emailed the Hardkernel team about it; hopefully they will read it.

Re: Malware on your site?

Post by elatllat » Tue Jan 24, 2017 8:28 am

Can anyone who is having this issue inspect the update button and get the URL off it? (might have to trace an event)

Re: Malware on your site?

Post by umiddelb » Tue Jan 24, 2017 5:37 pm


Re: Malware on your site?

Post by crashoverride » Tue Jan 24, 2017 5:53 pm

So to clarify, the issue is not the HardKernel site. It is adware/malware that exists on the user's PC.

Re: Malware on your site?

Post by elatllat » Tue Jan 24, 2017 9:53 pm

Yes, though if HK used SSL it would avoid user confusion of this sort.

Re: Malware on your site?

Post by mad_ady » Wed Jan 25, 2017 1:22 am

SSL doesn't help with this. If the virus/adware is local and has injected itself (usually as a DLL) into the browser process, it can render whatever it wants in the DOM, independent of the transport method.

Re: Malware on your site?

Post by elatllat » Wed Jan 25, 2017 1:38 am

mad_ady wrote: SSL doesn't help with this. If the virus/adware is local and has injected itself (usually as a DLL) into the browser process, it can render whatever it wants in the DOM, independent of the transport method.

A virus can't modify a signed application; plugins are not stealthy enough, though they are common, but so are proxies.
It's not about making things 100% secure, it's about removing the most common attack vectors.

Re: Malware on your site?

Post by infinity85 » Wed Jan 25, 2017 1:52 am

I had the same issue just 10 minutes ago on:
hardkernel.com
odroid.com/dokuwiki
forum.odroid.com

NO other websites affected!

And I dared to press the "update" button of the chrome popup referring to missing fonts.

It tried to download a "Chrome_Font.exe" from:
http://www.psellion.org/file.php;
Win32/Filecoder.Xmas.A Trojaner;
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
24.01.2017 17:39:41 (UTC +1)

My ESET Smart Security antivirus cut the connection.

I'm scanning my computer right now.

*Edit*
Nothing found on the computer, and also nothing installed that indicates such adware or so.
Since only Hardkernel URLs were affected and some people in this thread had exactly the same issue only on Hardkernel sites, it looks like something is going on on the Hardkernel servers. This issue was there for roughly 5 minutes and just vanished.

*EDIT#2*

I followed the instructions on this website (of course I checked the suggested software, whether it is trustworthy, before). None of it could find any trace of such malware on my computer. Nor could my antivirus and antimalware, and nothing with the Windows built-in antivirus either.

Are you guys sure that there is nothing wrong with your servers? I observed this issue for around 5 minutes. It worked before and after as usual. Actually it was a coincidence that I put the already loaded tab in the foreground. Otherwise I wouldn't have seen this.


My Chrome installation: Version 55.0.2883.87 m (64-bit)

Re: Malware on your site?

Post by indium » Wed Jan 25, 2017 6:47 pm

No, it's not the Hardkernel servers; it looks much more like you are using an infected Chrome binary. Looks like the Google Chrome browser got cracked.

Re: Malware on your site?

Post by elatllat » Wed Jan 25, 2017 11:17 pm

infinity85 wrote: ...NO other websites affected...

List the exact URLs you saw this on and the ones you did not see it on.

infinity85 wrote: ...Nothing found on the computer...

Nothing short of a Wireshark screenshot or reproducing the issue on a live Linux image would convince me of that.

infinity85 wrote: ...Chrome...

Interesting that it's not reproducible in Firefox or Edge.

infinity85 wrote: ...psellion.org...

You should report that to 3 places:
https://safebrowsing.google.com/safebro ... are/?hl=en
https://www.mozilla.org/en-US/about/legal/fraud-report/
support@mavenhosting.com

Re: Malware on your site?

Post by rooted » Thu Jan 26, 2017 1:44 am

Is there a separate binary that will run on Linux or is this malware windows only?

Re: Malware on your site?

Post by elatllat » Thu Jan 26, 2017 1:52 am

rooted wrote: Is there a separate binary that will run on Linux or is this malware Windows only?

It's not likely the malware will run on Linux, but if you use Chrome on Linux to spoof a Windows user agent and the problem is not on your local computer, then you will see the same thing on Linux, proving it's on the ODROID server or an intermediate node (free SSL on the ODROID server would fix this).

Re: Malware on your site?

Post by moon.linux » Thu Jan 26, 2017 2:35 am

Try to uninstall Google Chrome and then install the latest version.

If possible, capture a Wireshark trace for analysis. That will be a good starting point to trace the root cause.

Re: Malware on your site?

Post by infinity85 » Thu Jan 26, 2017 3:21 am

19:12 to roughly 19:14 (UTC+1). Again the same. This time on:
viewtopic.php?f=54&t=25568
http://odroid.com/dokuwiki/doku.php?id= ... rdware_i2c
but NOT on hardkernel.com (or I was too slow to load the hardkernel page). Other websites not affected!

And now, while writing this post, it is okay again.


Other websites checked:
http://www.dict.cc/
https://www.heise.de/
http://www.golem.de/
http://www.hardkernel.com/main/main.php
http://www.anandtech.com/
These websites did not have the issue at the same time as I had it on the above mentioned Hardkernel sites. If it is my computer, then how do I find out, if it occurs always for only a couple of minutes?
Last edited by infinity85 on Thu Jan 26, 2017 4:02 am, edited 1 time in total.

Re: Malware on your site?

Post by infinity85 » Thu Jan 26, 2017 3:44 am

indium wrote: No, it's not the Hardkernel servers; it looks much more like you are using an infected Chrome binary. Looks like the Google Chrome browser got cracked.

Hmm... I don't know how that could be possible. But now I also checked the checksums of the Chrome processes in the Windows Task Manager and installed the same Chrome version in my virtual machine to compare the checksums of the binaries. They are the same (see attached screenshots).

moon.linux wrote: Try to uninstall Google Chrome and then install the latest version.

If possible, capture a Wireshark trace for analysis. That will be a good starting point to trace the root cause.

I have never worked with Wireshark that much. Would you be so kind as to explain the steps for dummies? Also I would need the coincidence again to see this issue. It happened again (as seen in my last post), but again just for some minutes.


@elatllat
Sorry elatllat, but instead of working against the people who report something suspicious here, we could work together to sort out what that could be. I scanned my computer with 3 different antiviruses and followed the steps that were suggested to get rid of the "infection" claimed by you. I don't exclude the chance that my computer is infected, but after what I've done, it is quite unlikely. And it does not help if you don't bring something constructive to this topic.

How high is the chance that some people report the same issue on Hardkernel servers, and how high is the chance that these people are apparently only surfing on Hardkernel servers their whole life and no other websites?

elatllat wrote:
infinity85 wrote: ...NO other websites affected...

List the exact URLs you saw this on and the ones you did not see it on.

https://forum.libreelec.tv/thread-3647- ... l#pid30158
https://wiki.ubuntuusers.de/Internet-TV/Stationen/
http://www.golem.de/news/der-grosse-ult ... 25435.html
https://www.google.de/webhp?sourceid=ch ... 20c2%20i2c

elatllat wrote:
infinity85 wrote: ...Nothing found on the computer...

Nothing short of a Wireshark screenshot or reproducing the issue on a live Linux image would convince me of that.

It is not my task to convince you, at least I think so, because I don't see why that would matter. My aim here is to report something very concerning that occurred for a time range of roughly 5 minutes, at first on odroid.com/dokuwiki; then I went to hardkernel.com to see if it occurs there as well. For the first 3 seconds it did show everything as usual, but then the same issue appeared there as well (as seen in the OP screenshot); because of this delay I supposed that the first 3 seconds were just cached correctly and then refreshed. So I went to forum.odroid.com and there it was the same, with 3 seconds during loading where everything seemed good as usual.

To make it clear to you.... the issue occurred for (I guess) less than 5 minutes.

elatllat wrote:
infinity85 wrote: ...Chrome...

Interesting that it's not reproducible in Firefox or Edge.

I am usually surfing with one browser and not with many at the same time. Do you always surf with 3 browsers at the same time on the same websites?
And have you been surfing/reloading a Hardkernel-hosted website with Firefox or Edge between 17:37 and 17:42 (UTC+1, local time in Germany)? Even I couldn't reproduce it after 17:42...

Besides this: if you'd read the OP post and checked the informative URL he posted, then you'd know that this attack is targeting Chrome and not Firefox or Edge.


Good and constructive point here! I will do that.

Still I'm not sure how to determine whether my computer is infected with something. But why only on Hardkernel pages? Point is, nothing is impossible, so I'm open to suggestions on how to get things narrowed down!
Attachments:
25-01-_2017_18-45-45_VM.png - My virtual machine, where I installed the same Chrome version (from Google websites) today
25-01-_2017_18-47-08_Laptop.png - My host, where I saw this issue yesterday and today for a short time (installed for months)

Re: Malware on your site?

Post by elatllat » Thu Jan 26, 2017 4:03 am

infinity85 wrote: ...working against the people...

Understand it's hard for an admin to fix something he can't reproduce and has insufficient data on.
I understand it's hard for users to know or collect conclusive data, so I was just offering some pointers (trying to help).

- Using a live Linux image is the only way to rule out your computer conclusively.
- Ruling out your local network can be accomplished by using Tor Browser or an encrypted VPN/proxy.
- ODROID adding free SSL to the site is the only way to rule out all intermediate nodes.
- It's likely not worth attempting to reproduce, due to its intermittent nature, without attempting the previous points, but if one were to try, sharing the same VPN and user agent should do the trick.
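The check elatllat describes above (and earlier, with a spoofed Windows user agent on Linux), as an added example that is not code from the thread or from Hardkernel: fetch the same page twice, once presenting a Windows Chrome User-Agent and once a Linux one, and report the script elements only the Windows-Chrome copy contains. The URL, the User-Agent strings and the sample HTML are constructed assumptions.

```python
"""Diff the <script> elements a site serves to two User-Agents.

If the intermittent payload lives on the server or an intermediate node and is
keyed on Windows Chrome, the Windows-UA copy carries extra scripts that the
Linux-UA copy (fetched from the same machine, same network) does not.
"""
import urllib.request
from html.parser import HTMLParser

# Assumed User-Agent strings for the two fetches.
WINDOWS_CHROME_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
                     "(KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36")
LINUX_CHROME_UA = ("Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 "
                   "(KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36")


class _ScriptCollector(HTMLParser):
    """Collect ("src", url) for external scripts and ("inline", body) for inline ones."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.scripts.append(("src", src))
        else:
            self._in_script = True
            self._buf = []

    def handle_data(self, data):
        # HTMLParser hands script bodies to handle_data while inside <script>.
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self._in_script = False
            self.scripts.append(("inline", "".join(self._buf).strip()))


def extract_scripts(html):
    parser = _ScriptCollector()
    parser.feed(html)
    return parser.scripts


def injected_scripts(baseline_html, suspect_html):
    """Scripts present in the suspect copy but absent from the baseline copy."""
    baseline = set(extract_scripts(baseline_html))
    return [s for s in extract_scripts(suspect_html) if s not in baseline]


def fetch(url, user_agent):
    request = urllib.request.Request(url, headers={"User-Agent": user_agent})
    with urllib.request.urlopen(request, timeout=20) as response:
        return response.read().decode("utf-8", errors="replace")


def compare_site(url):
    """Fetch with both User-Agents; anything returned here deserves a close look."""
    return injected_scripts(fetch(url, LINUX_CHROME_UA), fetch(url, WINDOWS_CHROME_UA))


# Constructed sample pages for an offline run: a clean page and the same page
# with one extra externally hosted script (placeholder domain).
CLEAN_PAGE = """<html><head><title>ODROID Forum</title>
<script src="./styles/prosilver/template/forum_fn.js"></script>
<script>var phpbb = {};</script>
</head><body><p>Welcome</p></body></html>"""
INJECTED_PAGE = CLEAN_PAGE.replace(
    "</head>",
    '<script src="http://injected.example.invalid/font.js"></script>\n</head>',
)

if __name__ == "__main__":
    # Offline demo on the constructed pages; replace with compare_site("http://forum.example.invalid/").
    for kind, value in injected_scripts(CLEAN_PAGE, INJECTED_PAGE):
        print(f"only in Windows-Chrome copy: {kind} {value}")
```

Because the page only misbehaved for a few minutes at a time, the comparison has to be repeated over time; a hit from the Linux-UA and Windows-UA fetches made back to back from one machine rules out that machine's browser.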

Re: Malware on your site?

Post by crashoverride » Thu Jan 26, 2017 4:23 am

Make sure you cleared your browser cache and history. The page may have metadata indicating it should be cached forever or the auto-completion may be redirected without your knowledge.

[edit]
The information available states this ONLY affects Windows users with the Chrome browser. A Linux virtual machine or live CD will not encounter it.
Last edited by crashoverride on Thu Jan 26, 2017 4:25 am, edited 1 time in total.

Re: Malware on your site?

Post by infinity85 » Thu Jan 26, 2017 4:24 am

elatllat wrote:
infinity85 wrote: ...working against the people...

Understand it's hard for an admin to fix something he can't reproduce and has insufficient data on.
I understand it's hard for users to know or collect conclusive data, so I was just offering some pointers (trying to help).

- Using a live Linux image is the only way to rule out your computer conclusively.
- Ruling out your local network can be accomplished by using Tor Browser or an encrypted VPN/proxy.
- ODROID adding free SSL to the site is the only way to rule out all intermediate nodes.
- It's likely not worth attempting to reproduce, due to its intermittent nature, without attempting the previous points, but if one were to try, sharing the same VPN and user agent should do the trick.

I understand that, don't worry. The strange point of your previous post is that you rule out the possibility that my computer is not infected and you sound as if you are absolutely certain that hardkernel servers are secure without questioning.

Read this paragraph:

How did the Chrome_Font.exe or BrowserMe Trojan get on my computer?
This infection was discovered by Proofpoint security researcher Kafeine being installed through compromised web sites that target visitors using the Chrome browser. When a visitor using Chrome visits one of these compromised web sites, a malicious script will rewrite the page to make it unreadable. The victim will then be prompted to download an updated font that supposedly will make the page readable again. You can see an example of the alert prompting the user to download this font.


Well... reading this, the possibility that Hardkernel servers are compromised somehow is not so uncertain. I checked all the indicators for this virus on my computer:
  • chrome.exe thread in Task Manager? --> none
  • Processes called BrowserMe.exe and Chrome_Font.exe running in Task Manager? --> no
  • Virus scans? --> done plenty
  • Chrome binary checksum check? --> done
  • Other websites affected? --> no (but who knows, as it only appears on Hardkernel sites some minutes a day or sporadically)


EDIT:
crashoverride wrote: Make sure you cleared your browser cache and history. The page may have metadata indicating it should be cached forever or the auto-completion may be redirected without your knowledge.

Thanks, cleared now. But some tabs were opened already, when it happened yesterday and today. In particular the forum.odroid.com tab was opened already.
After I saw the issue in a newly opened tab for odroid wiki, I reloaded the already opened forum.odroid.com tab and it occurred there as well, after 3s during reload. So a redirect is a bit strange, or is this possible?

Re: Malware on your site?

Post by crashoverride » Thu Jan 26, 2017 4:46 am

The problem is that "address bars" these days hide information to make them "friendly". I am suggesting that what is being shown may not necessarily be the actual URL.

[edit]
Since "address bars" now provide search results, it's possible for a compromised machine to corrupt the information as a faked search result/redirect.

[edit2]
Trust no one! :lol:

It is possible the site is compromised in some way. Hopefully an admin is looking into it.

Re: Malware on your site?

Post by elatllat » Thu Jan 26, 2017 4:51 am

crashoverride wrote: The problem is that "address bars" these days hide information to make them "friendly". I am suggesting that what is being shown may not necessarily be the actual URL.

[edit]
Since "address bars" now provide search results, it's possible for a compromised machine to corrupt the information as a faked search result/redirect.

Cache poisoning is simple, but please link to any resource showing how to make the address bar otherwise incorrect.

Re: Malware on your site?

Post by infinity85 » Thu Jan 26, 2017 5:16 am

crashoverride wrote: The problem is that "address bars" these days hide information to make them "friendly". I am suggesting that what is being shown may not necessarily be the actual URL.

Yeah, I know that; that is why I usually always click into the address bar to see/expand the real URL if something suspicious like this occurs.

crashoverride wrote: [edit]
Since "address bars" now provide search results, it's possible for a compromised machine to corrupt the information as a faked search result/redirect.

That is the reason I never use the search results dropping down from the address bar ;)

crashoverride wrote: [edit2]
Trust no one! :lol:

YEAH!! :lol:

crashoverride wrote: It is possible the site is compromised in some way. Hopefully an admin is looking into it.


If the paragraph "How did the Chrome_Font.exe or BrowserMe Trojan get on my computer?", which I quoted in my previous post, is correct, then it is very likely that the website is compromised, as this is the way to spread the actual virus "Chrome_Font.exe" onto the visitors' computers. In my case the "Chrome_Font.exe" hasn't been downloaded, so the "phishing" attempt was not successful. And if this all is true, that means also that Hardkernel servers are being used sporadically (for durations of a couple of minutes a day) to infect/phish Chrome users.

Re: Malware on your site?

Post by rooted » Thu Jan 26, 2017 6:46 am

Odroid has been on the forum, hopefully he's seen this and can have the webmin look into it.

Re: Malware on your site?

Post by odroid » Fri Jan 27, 2017 12:26 am

I'm on a business trip in the US and the Korea team has a long vacation for the Lunar New Year holidays now.
So we can check this issue in the middle of next week.
Sorry about that.

Re: Malware on your site?

Post by onemoar » Fri Jan 27, 2017 5:19 am

Confirmed: site compromised. Looks like somebody is doing a man-in-the-middle attack and injecting the page if you aren't logged in.
IT IS NOT A local machine issue, it's a SITE ISSUE.
And no, waiting a week when your site has been hacked is not acceptable; fix it or lock the forum down until it's resolved.

We have no way of knowing what else is compromised, so I would advise not purchasing anything until the server is given a clean bill of health; you don't want your credit card or PayPal details stolen.

Re: Malware on your site?

Post by infinity85 » Sun Jan 29, 2017 9:58 pm

Again observed in the time range 13:51 to 13:54 UTC+1 (German time).

Affected only the forum and wiki. Main Hardkernel page (and products page etc.) not affected.

Affected:
http://odroid.com/dokuwiki/doku.php
http://odroid.com/dokuwiki/doku.php?id= ... ing_u-boot
posting.php?mode=reply&f=54&t=25568

Not affected:
http://www.hardkernel.com/main/main.php
http://www.hardkernel.com/main/products/prdt_info.php

Assuming your server is hijacked somehow or infected (which seems to be quite certain by now)... I'd like to know how you are securing the credentials for the forum login. Are the passwords encrypted or so? And what about your shop?

Re: Malware on your site?

Post by Fourdee » Mon Jan 30, 2017 12:59 am

Same here with Chrome 55, updated to 56. Issue resolved.

Re: Malware on your site?

Post by infinity85 » Mon Jan 30, 2017 1:20 am

Fourdee wrote: Same here with Chrome 55, updated to 56. Issue resolved.

Yeah, I reported it last Wednesday to Google after @elatllat suggested I do so, so perhaps Chrome blocks it now.
But this is not a solution. It is just a protection. The actual issue on ODROID servers remains and is really alarming.
Last edited by infinity85 on Tue Jan 31, 2017 7:53 am, edited 2 times in total.

Re: Malware on your site?

Post by brad » Tue Jan 31, 2017 7:49 am

Cisco OpenDNS is blocking the forum for me today due to a security threat.

Re: Malware on your site?

Post by odroid » Tue Jan 31, 2017 1:09 pm

We've been trying to find how to remove the malware.
We found something strange in our wiki server PHP settings (on the odroid.com server) and removed it.
This forum and the wiki are sharing a single server, and the Hardkernel.com server is physically/logically isolated.

But we are not sure if it is really fixed or not, since we couldn't reproduce the font download attack on Ubuntu Chrome.
Is it occurring only on Windows PCs which have Chrome version 55 or less?

Re: Malware on your site?

Post by infinity85 » Tue Jan 31, 2017 5:55 pm

odroid wrote: We've been trying to find how to remove the malware.
We found something strange in our wiki server PHP settings (on the odroid.com server) and removed it.
This forum and the wiki are sharing a single server, and the Hardkernel.com server is physically/logically isolated.

But we are not sure if it is really fixed or not, since we couldn't reproduce the font download attack on Ubuntu Chrome.
Is it occurring only on Windows PCs which have Chrome version 55 or less?

I'm pretty sure that the issue was also present on http://www.hardkernel.com last wednesday (when I first encountered the issue). The two times afterwards did only affect wiki and forum. So either you've changed/fixed this already on hardkernel.com last week or it is happening at different times now for the hardkernel.com server in contrast to the wiki and forum server.

Yes, according to this source: http://wccftech.com/malware-targets-chrome-users/ (sorry, edited the link, was wrong before)
the trojan is targeting Windows Chrome.
According to @Fourdee's post regarding Chrome 56, Chrome 56 is also showing the attack, but it handles it by blocking.

You will have problems reproducing it, because it only shows up for periods of a few minutes (perhaps spread throughout the day) before going back to (apparently) normal.

Re: Malware on your site?

Post by mad_ady » Wed Feb 01, 2017 2:35 pm

I've seen similar attacks which injected obfuscated code in some of the site's pages. Usually the de-obfuscation was done by using base64_decode, so you may want to grep for that and look into anything unusual.
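The grep mad_ady suggests, carried one step further as an added example that is not code from the thread or from Hardkernel: scan PHP sources for the decode-and-execute idioms and decode any adjacent base64 literal so a reviewer can see whether it hides PHP or JavaScript. The sample PHP is constructed; legitimate phpBB and DokuWiki code also calls base64_decode in places, so every hit is a lead to compare against a clean distribution copy, not a verdict.

```python
"""Find obfuscated injections in a PHP web root.

Reports lines that call a decode/execute idiom and, where a long base64 literal
sits on the same line, decodes it and keeps it if the result looks like code.
"""
import base64
import os
import re

# Idioms rare in legitimate phpBB/DokuWiki code but typical of injected code.
SUSPICIOUS = re.compile(
    r"\b(eval|base64_decode|gzinflate|gzuncompress|str_rot13|create_function)\s*\(",
    re.IGNORECASE,
)
# A quoted base64 literal long enough to carry code (alphabet only, 40+ chars).
B64_LITERAL = re.compile(r"['\"]([A-Za-z0-9+/=]{40,})['\"]")
# Markers that a decoded blob is itself PHP or JavaScript.
CODE_MARKERS = ("<?php", "<script", "eval(", "document.", "window.", "$_")
PHP_EXTENSIONS = (".php", ".inc", ".phtml")


def decode_base64_literals(line):
    """Decode base64 literals on this line; keep the ones that look like code."""
    previews = []
    for match in B64_LITERAL.finditer(line):
        try:
            blob = base64.b64decode(match.group(1), validate=True)
        except ValueError:
            continue  # not valid base64 after all (a hash, a token, ...)
        text = blob.decode("utf-8", errors="replace")
        if any(marker in text for marker in CODE_MARKERS):
            previews.append(text[:80])
    return previews


def scan_source(text):
    """Return (line_no, idiom, decoded_previews) for every suspicious line."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        match = SUSPICIOUS.search(line)
        if match:
            findings.append((line_no, match.group(1).lower(), decode_base64_literals(line)))
    return findings


def scan_tree(root):
    """Walk a web root; map each PHP file with findings to its findings."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(PHP_EXTENSIONS):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as handle:
                findings = scan_source(handle.read())
            if findings:
                report[path] = findings
    return report


# Constructed samples: a clean snippet and one with an injected loader whose
# base64 payload decodes to a script tag pointing at a placeholder domain.
SAMPLE_CLEAN = "<?php\n$user = request_var('u', 0);\necho htmlspecialchars($user);\n"
_PAYLOAD = base64.b64encode(
    b"<script src='http://injected.example.invalid/font.js'></script>"
).decode()
SAMPLE_INJECTED = (
    "<?php\n/* constructed injected header */\n"
    "echo base64_decode('" + _PAYLOAD + "');\n$user = 1;\n"
)

if __name__ == "__main__":
    # Offline demo on the constructed sample; on a server run scan_tree("/var/www").
    for line_no, idiom, previews in scan_source(SAMPLE_INJECTED):
        print(f"line {line_no}: {idiom}() -> {previews}")
```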

Re: Malware on your site?

Post by odroid » Wed Feb 01, 2017 5:40 pm

We searched the hardkernel.com server storage and there was no affected file.

And we've removed the malware code from many affected PHP sources on the odroid.com server.
We also blocked a few IPs which could be the origin of the malware.
We will keep checking the PHP sources for a few more days.

If anybody meets the popup message again, please post a reply on this thread.

Re: Malware on your site?

Post by TeHashX » Wed Feb 01, 2017 6:18 pm

I updated to Version 56.0.2924.76 (64-bit) and I don't get that message for now, but this forum has a very old version of phpBB; can you try to update it for security reasons?
Thanks!
viewtopic.php?f=54&t=20200#p133518

Re: Malware on your site?

Post by odroid » Wed Feb 01, 2017 6:48 pm

We will update phpBB3 and DokuWiki this month.

Re: Malware on your site?

Post by umiddelb » Wed Feb 01, 2017 9:57 pm

odroid wrote: We will update phpBB3 and DokuWiki this month.

You might consider setting up SSL/TLS transport encryption at this time and adding some security measures like OSSEC and/or Suricata as well.

Re: Malware on your site?

Post by TeHashX » Wed Feb 01, 2017 10:40 pm

umiddelb wrote:
odroid wrote: We will update phpBB3 and DokuWiki this month.

You might consider setting up SSL/TLS transport encryption at this time and adding some security measures like OSSEC and/or Suricata as well.

Yes, especially since Let's Encrypt is free: https://letsencrypt.org

Re: Malware on your site?

Post by indium » Thu Feb 02, 2017 6:02 am

It's very interesting how that malware PHP code got its way into the servers. Does anybody have a source to read about this attack? Is it fully investigated? Because attacking the clients as described is not the most interesting part; as it turned out, the most interesting part is that the malware has broken Linux (unbreakable, according to Wikipedia :lol:).
Really, how did it manage to load malware PHP onto a machine? If there is an underlying rootkit sitting deep in the kernel, then just removing PHP files or installing a newer version of phpBB or establishing an SSL/TLS connection will not be enough.
Does Hardkernel understand the full path of the malware into their servers?

Re: Malware on your site?

Post by umiddelb » Thu Feb 02, 2017 6:22 am

indium wrote: It's very interesting how that malware PHP code got its way into the servers

https://www.cvedetails.com/vulnerability-list/vendor_id-1529/product_id-2635/Phpbb-Phpbb.html?
The entries there seem to be quite old, but some of them refer to "phpBB before 3.0.1".

I assume you (HK) will set up a fresh Linux system and export/import articles, user data, etc. from the existing forum to the new forum system. Just updating a compromised system in place isn't recommended if you want to get rid of the attacker.

Re: Malware on your site?

Post by ard » Thu Feb 02, 2017 8:32 pm

indium wrote: It's very interesting how that malware PHP code got its way into the servers. Does anybody have a source to read about this attack? Is it fully investigated? Because attacking the clients as described is not the most interesting part; as it turned out, the most interesting part is that the malware has broken Linux (unbreakable, according to Wikipedia :lol:).
Really, how did it manage to load malware PHP onto a machine?

Actually, you have just named the culprit.
No, Linux has not been compromised. But it is very *hard* to make a PHP site secure. The very basis of PHP is insecure: the lack of namespace concepts.
There is a reason that you can run server-side Lua on Wikipedia, but no other language. Why? Because if you run a Lua script with an empty namespace, it can't do anything except return values (eat CPU and RAM, but those can eventually be limited too).

Re: Malware on your site?

Post by infinity85 » Mon Feb 13, 2017 9:32 pm

@hardkernel/Odroid
Could you please give an update regarding this topic?
Also I would (strongly) be interested in the "password" questions... what about the users' passwords here? I cannot understand that you don't reset all user passwords after this breach. Obviously that has to happen after you've completely clean-installed and updated your whole forum server to the current security standards.

Re: Malware on your site?

Post by flickflack » Tue Feb 14, 2017 6:07 am

Hello

Sorry to disturb you, but I manage a phpBB forum and I'm facing the same attack! Could you give me (in PM) details on this attack to help me resolve it on my part.

I hope you will be able to help me ;(