Bob… I was on the Maxthon forum early this AM asking a question about getting my favorites from Netscape 8.1 to Maxthon (does anybody know how???) and there were no alerts at that time, so I guess I am just staying away until all is clear ;D
Hi all. I’m new here and I can definitely attest to that infection being present at the Maxthon forum site, as I got hit this Saturday myself and had to do a system restore to get my comp back. It is nasty and eats away at your CPU cycles to where you have none left to clean or do anything, even in safe mode. I too got the Explorer prompt bar.
I use Maxthon as my optional and fast-becoming browser of choice. Over the last few days I began having some strange happenings at their site(s). Since I use their browser I thought it wise to join their forum site in addition to their home site. I had started a thread over at their forum site on customizing and utilizing some features on my browser, and when I went to check for replies over the weekend, I no sooner clicked the link to the forum than I got bombarded by numerous hits of spyware. My Windows security from XP told me I was infected, my Spybot S&D TeaTimer warned me of attempts at changes to my registry (as did my ‘regprotect’ sentry), my startup monitor warned me of efforts to have things add themselves to my startup, and my SpywareGuard did the same. I did reject after reject just to have others hit me time after time. Luckily, thanks to my different sentry programs, I was able to reject these changes to the registry and startup, but I was still infected in my windows/system32 folder and I had to run Ad-Aware and Spybot S&D to clean stuff off. I appear to have restored things back to a clean state; still checking.
Anyway, I never did get to check my replies back at Maxthon and I don’t dare try again unless I know it’s safe to do so. I’m here to spread the word; I came here from the PCMag forum after making a thread there about it and was directed here to the topic on it, so here I am. I remember that once someone, suspected to be the CoolWebSearch people, did a major DoS attack on SpywareInfo and other related good guys about a year or two ago, but that was just a block so people could not get to the help sites for hijackings and such, not an attack like this on visitors, as in my case. Any similar experiences out there?
Just popped in with a sandboxed IE, and at the top of the forum was a warning about the forum being infected with a trojan. Avast stayed quiet throughout.
essexboy,
Is WebShield active in the sandbox setup? That’s what alerted me when I went there a few days ago.
Also received an alert from Windows Defender as previously mentioned.
There is more on forums, well, forums being compromised: http://isc.sans.org/diary.php?storyid=1456
Invision Power Board is reported prone to an SQL injection vulnerability in its ‘ssi.php’ script. Due to improper filtering of user supplied data, ‘ssi.php’ is exploitable by attackers to pass SQL statements to the underlying database.
The impact of this vulnerability depends on the underlying database. It may be possible to corrupt/read sensitive data, execute commands/procedures on the database server or possibly exploit vulnerabilities in the database itself through this condition.
Version 1.3.1 Final of Invision Power Board is reported vulnerable. Other versions may also be affected.
This is the word I get from a Moderator over at SpywareInfo as to what appears to have happened over at Maxthon:
"If they are running an unpatched Invision 2.1.5 they are vulnerable to an exploit which lets a hacker take complete control of the board and infect users with whatever they choose. We ourselves were attacked back in April, but managed to mess up their posts, shut down the board, and get a patch in before they could succeed.
All Invision boards should be updated to 2.1.6 with all the patches for it; the latest patch was issued June 30."
"Powered by Invision" was the last thing I remember seeing before my attack began, and I did not have enough hands to try to block the attacks, reject the changes that were being made to my box, and try to disconnect, but even then it was already too late.
New security-aware coders are coming out now, but old coders weren’t trained with security as a first priority, and we the users of the software have to suffer now.
On the other hand, the owners of the forum could have built in some perimeter authentication security that makes SQL injection a lot more difficult to achieve.
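The advisory quoted earlier describes the defect class behind incidents like this one: a script (there, Invision Power Board's ‘ssi.php’) pastes user-supplied data straight into an SQL statement without filtering, so the data can alter the statement. The example below is added here to show that pattern next to the two defences a board operator would want: strict input validation and parameterised queries. It is not code from Invision Power Board or from any poster in this thread; it uses Python and an in-memory SQLite database as a stand-in for the PHP forum script, and the table, rows, and function names are all constructed for the illustration.

```python
import sqlite3


def build_db():
    """Create a constructed in-memory 'members' table standing in for a forum database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE members (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO members (id, name, email) VALUES (?, ?, ?)",
        [
            (1, "alice", "alice@example.invalid"),
            (2, "bob", "bob@example.invalid"),
            (3, "carol", "carol@example.invalid"),
        ],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn, member_id):
    """The defect pattern from the advisory: input is concatenated into the SQL text,
    so whatever the caller supplies becomes part of the statement, not just a value."""
    sql = "SELECT name FROM members WHERE id = " + str(member_id)
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, member_id):
    """Defence: bind the value as a parameter. The database engine treats it purely as
    data, so it can never be interpreted as additional SQL."""
    sql = "SELECT name FROM members WHERE id = ?"
    return [row[0] for row in conn.execute(sql, (member_id,))]


def lookup_hardened(conn, member_id):
    """Defence in depth: validate that the input is the positive integer the script
    expects before it gets anywhere near the query, then bind it as a parameter."""
    text = str(member_id)
    if not text.isdigit():
        raise ValueError("member id must be a positive integer")
    return lookup_parameterized(conn, int(text))


def demo():
    """Run a normal id and a constructed malformed id through all three lookups and
    report what each one returns, so the difference is visible side by side."""
    conn = build_db()
    normal = "2"
    malformed = "2 OR 1=1"  # constructed input: trailing SQL after the number
    results = {
        "vulnerable_normal": lookup_vulnerable(conn, normal),
        # Concatenation turns the malformed input into a condition that matches every row.
        "vulnerable_malformed": sorted(lookup_vulnerable(conn, malformed)),
        # Bound as a parameter, the same text is just a non-numeric string: no row matches.
        "parameterized_malformed": lookup_parameterized(conn, malformed),
        "hardened_normal": lookup_hardened(conn, normal),
    }
    try:
        lookup_hardened(conn, malformed)
        results["hardened_malformed"] = "accepted"
    except ValueError:
        results["hardened_malformed"] = "rejected"
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point for an operator is the last two lines of the result: the parameterised query alone already stops the malformed input from changing the statement, and the validation step on top of it rejects the request outright, which also gives you a clean log line to alert on rather than a silent empty result.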
Thanks for the update; glad all is well (hopefully) and back on track and healthy. I’m gonna give it a bit and scope around some of the other forums (SWI, PCMag) and then try to give a visit and catch up on my replies to the topic I started there on some features of my Maxthon browser. I just don’t want to go through what I went through before with that nasty crud I picked up on Saturday, 07/01/2006. Thanks again, best to you…
Thanks, polonus, for the reply and the article and link. Looks like the news has spread through all of the help forums, and hopefully this helped to minimize the damage to everyone from this garbage that was attacking visitors to the Maxthon forum site. Life is an adventure, isn’t it? Thanks again, best to you…
Yep, my little whirly spins and updates incrementally. Basically the sandbox is, to all intents and purposes, a separate drive with no access to main files (although it can change copies of them when running).