»

[carls]

Quote:

Originally Posted by Piru

Unfortunately you cannot trust anything coming from aminet at this stage. The FTP could be distributing malware as well, though luckily windows binaries are in the minority...

Correct. I should've considered Windows and Emulator users before posting. My bad.

[desiv]

As a side, I also ran a "full scan" on my machine to be safe. It found 1 instance of the file on my hard disk (not running, but waiting to be called I'm sure) and recommended a "boot scan" which I did.

The boot scan found a few more waiting to be called..

If you went there with a Windows machine, even tho your AV caught it, I'd recommend a full scan.
I'll use another product's scan after this to be sure...

desiv
(Didn't I say NOT to go there if you have Windows? It's bad enough I did.. And it's bad because I've seen encoded javascript "bad programs" before. Not enough to recognize them, but enough to know there probably shouldn't have been one on Aminet..)

[Hitek]

Now it appears that Amibay.com has been hit, but the code injection was done poorly, so the whole site is broke and just throws a php cookie/session error.

[desiv]

Quote:

Originally Posted by Hitek

Now it appears that Amibay.com has been hit, but the code injection was done poorly, so the whole site is broke and just throws a php cookie/session error.

I can still get to Amibay, although there were people there saying they were getting virus alerts..
I'm using Linux at the moment..
(No, I'm not saying there are no Linux baddies out there...)

Yeah, several people on Amibay are having problems with the main page if they are using Windows (not sure which versions), but several others using Linux aren't having issues..

desiv

[Hitek]

Interesting, I can get to it on my ubuntu box too, but not on my win7 box. I wonder if there is some OS detection going on there.

[zipper]

hxxp://ldsysgcaix.igg.biz/d/404.php?go=1 seems same type as the Aminet one.

[Hitek]

Quote:

Originally Posted by zipper

hxxp://XXXXXXXX.igg.biz/d/404.php?go=1 seems same type as the Aminet one.

yeah, that's what I was saying. Same type of injection attack used on aminet. Probably not a coincidence. The code seems to change as well. I got one earlier for XXXXXXXX.usa.cc/site/main.php? earlier.

[paul1981]

Quote:

Originally Posted by Hitek

Now it appears that Amibay.com has been hit, but the code injection was done poorly, so the whole site is broke and just throws a php cookie/session error.

DON'T GO THERE!!!
I just went there on my XP machine and that lovely java icon popped up on the toolbar and my hard drive started grinding away.... I PULLED THE PLUG!

STAY WELL AWAY!!

[Snoozy]

Whats happened to amibay? my pc won't let me go there (firefox)

How did they catch the virus from aminet? surely they must have had some form of protection?

[rockape]

Hi,

I tried logging into Amibay using an A1200 and got:


"Unable to add cookies, header already sent.
File: /homepages/1/d277227762/htdocs/amibay/forum/index.php(1) : eval()'d code
Line: 7"


Regards, Michael

aka rockape

[desiv]

Quote:

Originally Posted by Snoozy

..surely they must have had some form of protection?

Haven't you had that discussion yet,, where you learned that no protection is 100% effective??

desiv

[Snoozy]

Quote:

Originally Posted by desiv

Haven't you had that discussion yet,, where you learned that no protection is 100% effective??

desiv

Errrr what do you mean i thought the stork brought children once they were born

I dare not go to amibay at the moment - when did they get infected?

[TenWheeler]

Aminet is now clean. But Amibay is now infected.

[Hitek]

Quote:

Originally Posted by paul1981

DON'T GO THERE!!!
I just went there on my XP machine and that lovely java icon popped up on the toolbar and my hard drive started grinding away.... I PULLED THE PLUG!

STAY WELL AWAY!!

Do you not have virus protection? Any modern virus package should protect against that.

Quote:

Originally Posted by Snoozy

Whats happened to amibay? my pc won't let me go there (firefox)

How did they catch the virus from aminet? surely they must have had some form of protection?

Amibay didn't "catch" the virus from aminet, both sites appear to have been hacked at some level. It could have been somebody sneaking something in via sql injection, or someone gaining root level access to the server, it's hard to tell at this point.

Either way, I'm surprised it hasn't been fixed yet. I'm sure *someone* over there has to know about it.

Keith

[WotTheFook]

We do know about it, I've been researching it all evening.

AmiBay and ClassicAmiga have both been hit with the same script exploit attack that hit Aminet.

It has only been partially effective and the root access, FTP and e-mail have not been compromised. A config file has been corrupted and there is a URL redirect to an ibiz.cc site in place, however, this is only affecting the home page. You should block this ibiz.cc redirect if it comes up on your machine.

If a Java icon appears in your Systray, you should kill it immediately, as this is part of the exploit that is attempting to download malware to your machine.

We hope to have this repaired by tomorrow morning. We backed up the site early this morning and once we have checked the backup config files, we can get the site fully functional again.

In the interim, you can access via any other AmiBay page except the home page. A Google link that isn't the home page will let you access the site, but please ensure that your anti-virus and malware protection is up to date.

WotTheFook aka Merlin