Author Topic: Is Aminet OK/infected? (Read 7640 times)

desiv · « **on:** May 11, 2012, 04:51:22 AM »

I couldn't download anything from there from my Amiga using either iBrowse or AWeb.

I poked my laptop at it, and Avast AV said it stopped a bad program....
I couldn't download from there either.
(Every thing I tried to DL actually downloads a script that's encoded, that sounds bad...)

(Note: don't go running there if you have Windows just to see if it's safe! :-)

desiv

Gulliver · « **Reply #1 on:** May 11, 2012, 04:55:57 AM »

I also get a similar virus alert with NOD32

darkage · « **Reply #2 on:** May 11, 2012, 04:58:23 AM »

I got similar too for Symantec.. Probably a real threat since other Virus Scanners are picking it up..

LoadWB · « **Reply #3 on:** May 11, 2012, 05:19:50 AM »

AVG: Script/Exploit.Kit

Paulie85 · « **Reply #4 on:** May 11, 2012, 05:20:03 AM »

Slightly off topic but Norton 360 always shreds Hollywood on my PC before I can use it.

Duce · « **Reply #5 on:** May 11, 2012, 05:58:47 AM »

Same thing here - main page flags Eset NOD32/Eset Smart Security the minute I visit the main Aminet page.

Piru · « **Reply #6 on:** May 11, 2012, 06:01:58 AM »

Yes, aminet is infected. It attempts a drive-by attacks against windows systems via java vulnerability, at least. It likely attempts to use several attack vectors depending on the targets system: java, flash, pdf, and vulnerabilities in the browsers themselves.

Here's how you can see the initial javascript payload regardless of the platform:

Code: [Select]

curl --user-agent 'Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)' http://aminet.net/util/arc/lha.run | less

Modifying e(s) the end of the code to document.write(s) we can see the actual payload decoded. It opens an iframe with URL "http://.ibiz.cc/?go=2" that'll perform the actual drive-by attack:

Lurch · « **Reply #7 on:** May 11, 2012, 10:56:48 AM »

aminet is toast, explains why grunch is dying

Robert17 · « **Reply #8 on:** May 11, 2012, 11:05:48 AM »

I hope it can be sorted out, Where would we be without Aminet? :-(

carls · « **Reply #9 on:** May 11, 2012, 12:07:14 PM »

Quote from: Robert17;692720

I hope it can be sorted out, Where would we be without Aminet? :-(

Don't fear, you don't need the web for everything... yet.

Code: [Select]

ncftp> open ftp.aminet.net
Connecting to 69.163.220.116...
ProFTPD 1.3.3a Server (My FTP server) [::ffff:69.163.220.116]
Logging in...
Anonymous access granted, restrictions apply
Logged in to ftp.aminet.net.
ncftp / > ls
biz/                      gfx/                      pix/
comm/                     INDEX                     pub/
demo/                     INDEX.gz                  README.BEFORE.UPLOAD
dev/                      info/                     RECENT
disk/                     man                       RECENT.gz
docs/                     misc/                     robots.txt
driver/                   mods/                     text/
favicon.gif               MOTD                      touch
favicon.ico               mus/                      TREE
game/                     new/                      util/
ncftp / >

Piru · « **Reply #10 on:** May 11, 2012, 12:33:07 PM »

Quote from: carls;692725

Don't fear, you don't need the web for everything... yet.

Unfortunately you cannot trust anything coming from aminet at this stage. The FTP could be distributing malware as well, though luckily windows binaries are in the minority...

cgutjahr · « **Reply #11 on:** May 11, 2012, 01:23:33 PM »

Thanks for pointing out the problem. Unfortunately, I'm on my way out, and I won't be back in civilisation until Sunday. I alarmed the server admin (nicomen), I hope he sees my mail asap and has the time to investigate and fix the problem.

number6 · « **Reply #12 on:** May 11, 2012, 01:51:35 PM »

Quote from: cgutjahr;692730

Thanks for pointing out the problem. Unfortunately, I'm on my way out, and I won't be back in civilisation until Sunday. I alarmed the server admin (nicomen), I hope he sees my mail asap and has the time to investigate and fix the problem.

From your post March 30, 2012 on AW, I notice:

Quote

our hoster decided to make some changes for the sake of security

Perhaps a connection?

#6

Gulliver · « **Reply #13 on:** May 11, 2012, 02:49:28 PM »

It is fixed now.
Aminet seems clean and working

Piru · « **Reply #14 on:** May 11, 2012, 03:04:47 PM »

I'd like to hear an explanation for this however. Unless if the method of original penetration can be figured out and blocked it could happen again and again (as has happened with certain other amiga related sites). Also, it seems that the domain name used to distribute the malware expired (or was changed deliberately).

Some official word from aminet would be in order I'd say.

Author Topic: Is Aminet OK/infected? (Read 7640 times)

desiv

Is Aminet OK/infected?

Gulliver

Re: Is Aminet OK/infected?

darkage

Re: Is Aminet OK/infected?

LoadWB

Re: Is Aminet OK/infected?

Paulie85

Re: Is Aminet OK/infected?

Duce

Re: Is Aminet OK/infected?

Piru

Re: Is Aminet OK/infected?

Lurch

Re: Is Aminet OK/infected?

Robert17

Re: Is Aminet OK/infected?

carls

Re: Is Aminet OK/infected?

Piru

Re: Is Aminet OK/infected?

cgutjahr

Re: Is Aminet OK/infected?

number6

Re: Is Aminet OK/infected?

Gulliver

Re: Is Aminet OK/infected?

Piru

Re: Is Aminet OK/infected?