»

[desiv]

I couldn't download anything from there from my Amiga using either iBrowse or AWeb.

I poked my laptop at it, and Avast AV said it stopped a bad program....
I couldn't download from there either.
(Every thing I tried to DL actually downloads a script that's encoded, that sounds bad...)

(Note: don't go running there if you have Windows just to see if it's safe! :-)

desiv

[Gulliver]

I also get a similar virus alert with NOD32

[darkage]

I got similar too for Symantec.. Probably a real threat since other Virus Scanners are picking it up..

[LoadWB]

AVG: Script/Exploit.Kit

[Paulie85]

Slightly off topic but Norton 360 always shreds Hollywood on my PC before I can use it.

[Duce]

Same thing here - main page flags Eset NOD32/Eset Smart Security the minute I visit the main Aminet page.

[Piru]

Yes, aminet is infected. It attempts a drive-by attacks against windows systems via java vulnerability, at least. It likely attempts to use several attack vectors depending on the targets system: java, flash, pdf, and vulnerabilities in the browsers themselves.

Here's how you can see the initial javascript payload regardless of the platform:

Code:

curl --user-agent 'Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)' http://aminet.net/util/arc/lha.run | less

Modifying e(s) the end of the code to document.write(s) we can see the actual payload decoded. It opens an iframe with URL "http://<censored>.ibiz.cc/?go=2" that'll perform the actual drive-by attack:

[Lurch]

aminet is toast, explains why grunch is dying

[Robert17]

I hope it can be sorted out, Where would we be without Aminet? :-(

[carls]

Quote:

Originally Posted by Robert17

I hope it can be sorted out, Where would we be without Aminet? :-(

Don't fear, you don't need the web for everything... yet.

Code:

ncftp> open ftp.aminet.net
Connecting to 69.163.220.116...
ProFTPD 1.3.3a Server (My FTP server) [::ffff:69.163.220.116]
Logging in...
Anonymous access granted, restrictions apply
Logged in to ftp.aminet.net.
ncftp / > ls
biz/                      gfx/                      pix/
comm/                     INDEX                     pub/
demo/                     INDEX.gz                  README.BEFORE.UPLOAD
dev/                      info/                     RECENT
disk/                     man                       RECENT.gz
docs/                     misc/                     robots.txt
driver/                   mods/                     text/
favicon.gif               MOTD                      touch
favicon.ico               mus/                      TREE
game/                     new/                      util/
ncftp / >

[Piru]

Quote:

Originally Posted by carls

Don't fear, you don't need the web for everything... yet.

Unfortunately you cannot trust anything coming from aminet at this stage. The FTP could be distributing malware as well, though luckily windows binaries are in the minority...

[cgutjahr]

Thanks for pointing out the problem. Unfortunately, I'm on my way out, and I won't be back in civilisation until Sunday. I alarmed the server admin (nicomen), I hope he sees my mail asap and has the time to investigate and fix the problem.

[number6]

Quote:

Originally Posted by cgutjahr

Thanks for pointing out the problem. Unfortunately, I'm on my way out, and I won't be back in civilisation until Sunday. I alarmed the server admin (nicomen), I hope he sees my mail asap and has the time to investigate and fix the problem.

From your post March 30, 2012 on AW, I notice:

Quote:

our hoster decided to make some changes for the sake of security

Perhaps a connection?

#6

[Gulliver]

It is fixed now.
Aminet seems clean and working

[Piru]

I'd like to hear an explanation for this however. Unless if the method of original penetration can be figured out and blocked it could happen again and again (as has happened with certain other amiga related sites). Also, it seems that the domain name used to distribute the malware expired (or was changed deliberately).

Some official word from aminet would be in order I'd say.