READ THIS NOW: Freaks has been hacked!

Hi,

As several folks have noticed in the avrfreaks.net forum, this board is currently under attack from a PHP exploit. The admins will be able to clear it, but they are not back until 5th Jan, so for the time being I'd suggest everyone edit the "hosts" file on their system to effectively make the following domain names inactive. In Windows the file to edit is \windows\system32\drivers\etc\hosts and in Linux it is /etc/hosts.

You will find that this already has at least a single entry to map "localhost" to 127.0.0.1 (which reminds me that I've seen a great T-shirt that says "There's no place like 127.0.0.1"! ;) )

Domains I've seen accessed while fetching avrfreaks pages are go.richtraffic.ru, www.mob-marketing.ru and trafficshop.biz so my "hosts" has:

127.0.0.1       localhost
127.0.1.0       go.richtraffic.ru
127.0.1.0       www.mob-marketing.ru
127.0.1.0       trafficshop.biz

The key thing here is that it doesn't really matter what IP address you have these domains mapped to as long as it's not their live IP addresses.

Cliff

Last Edited: Mon. Jan 5, 2009 - 10:21 AM

If you are using Firefox as your browser, get the addons NoScript and AdBlock Plus. :D You can allow avrfreaks.net in NoScript settings, but nothing else on this page.

Er... shouldn't this be in the site-related section of the forum?
https://www.avrfreaks.net/index.p...

If you think education is expensive, try ignorance.

Thanks, I added these to the list of blocked domains in my router configuration (except localhost :wink: ).

? I only have the local host on mine.

Smiley

It's always sad when those who once sold Amway or vacuum cleaners door to door learn enough about puters to become spammers. It's amazing how much work these lowlifes will do to avoid working for a living.

Brad

No Fate But What We Make!

AtomicZombie wrote:
It's always sad when those who once sold Amway or vacuum cleaners door to door learn enough about puters to become spammers. It's amazing how much work these lowlifes will do to avoid working for a living.

Brad

:?:

Russians sold Amway products? Russians sold vacuum cleaners door to door?

smileymicros wrote:
? I only have the local host on mine.

Smiley


The idea is that you add those additional lines I show above below the localhost line. The effect of this is that when the browser tries to make a DNS resolution for trafficshop.biz or whatever, it will first look in "hosts", resolve it to 127.x.x.x and make an HTTP request back to your own machine (which almost certainly isn't running an HTTP server), so nothing gets reported to trafficshop.biz and nothing nefarious is fetched back. In effect it makes it impossible to access those sites, just as you now won't be able to access them by typing the address into the address bar of the browser either.

Cliff

Last Edited: Wed. Dec 31, 2008 - 06:08 PM
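
As an added example (not Cliff's code from the thread), the check below reads hosts-file text the way the resolver does and reports which of the domains named in this thread are not sinkholed to a loopback address. The hosts text is constructed for the example; the domain list is the one posted above plus the disp-N hosts reported later. It is plain Node JavaScript with no dependencies.

```javascript
// Added example, not code from the thread: read hosts-file text the way the
// resolver does and check that every domain named in this thread is sinkholed
// to a loopback address. The hosts text is constructed for the example.

// Constructed hosts file: Cliff's entries, the disp-N hosts reported later,
// a trailing comment and a line with several names on one address.
const SAMPLE_HOSTS = `
# constructed sample, not a real system's file
127.0.0.1       localhost
127.0.1.0       go.richtraffic.ru
127.0.1.0       www.mob-marketing.ru   # comment after an entry
127.0.1.0       trafficshop.biz
127.0.1.0       disp-2.richtraffic.ru disp-3.richtraffic.ru disp-4.richtraffic.ru
`;

// Parse hosts text into a Map of lowercase name -> address. As with the real
// resolver: '#' starts a comment, fields are whitespace-separated, one address
// may carry several names, and the first entry for a name wins.
function parseHosts(text) {
  const table = new Map();
  for (const rawLine of text.split(/\r?\n/)) {
    const line = rawLine.split('#')[0].trim();
    if (!line) continue;
    const [address, ...names] = line.split(/\s+/);
    for (const name of names) {
      const key = name.toLowerCase();
      if (!table.has(key)) table.set(key, address);
    }
  }
  return table;
}

// True for any address in 127.0.0.0/8 (or ::1): the request never leaves the
// machine, which is why Cliff's 127.0.1.0 works as well as 127.0.0.1.
function isLoopback(address) {
  if (address === '::1') return true;
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(address);
  return m !== null && m.slice(1).every((o) => Number(o) <= 255) && Number(m[1]) === 127;
}

// Domains from the list that are NOT sinkholed: absent from the file, or
// mapped to a routable address. An empty result means the file covers them all.
function unblockedDomains(hostsText, domains) {
  const table = parseHosts(hostsText);
  return domains.filter((d) => {
    const address = table.get(d.toLowerCase());
    return address === undefined || !isLoopback(address);
  });
}

// The names posted in this thread. hosts entries are exact matches, so a new
// subdomain the attackers switch to is not covered until it is added.
const THREAD_DOMAINS = [
  'go.richtraffic.ru', 'www.mob-marketing.ru', 'trafficshop.biz',
  'disp-2.richtraffic.ru', 'disp-3.richtraffic.ru', 'disp-4.richtraffic.ru',
];

console.log('not sinkholed:', unblockedDomains(SAMPLE_HOSTS, THREAD_DOMAINS));
```

To check a real machine, read the system's hosts file into `hostsText` instead of the sample; any name the function prints is one the browser will still resolve through DNS.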

I have a feeling that this is an Internet Exploder exploit as I use Firefox and this is not shown in my hosts file. Just for fun I typed one of the addresses into a browser window and the page loads with Cyrillic characters on the screen.

If it is an IE-only exploit it just drives home the reason I changed years ago: I was catching too many things from IE.

There sure are a lot of .ru addresses flashing across the bottom of my browser though. Makes you wonder what they are trying to steal.

So what happens if they find out and change their IP address? I haven't seen anything popping up as I have popups blocked.

John Samperi

Ampertronics Pty. Ltd.

https://www.ampertronics.com.au

* Electronic Design * Custom Products * Contract Assembly

clawson wrote:
smileymicros wrote:
? I only have the local host on mine.

Smiley


The idea is that you add those additional lines I show above below the localhost line. The effect of this is that when the browser tries to make a DNS resolution for trafficshop.biz or whatever, it will first look in "hosts", resolve it to 127.x.x.x and make an HTTP request back to your own machine (which almost certainly isn't running an HTTP server), so nothing gets reported to trafficshop.biz and nothing nefarious is fetched back. In effect it makes it impossible to access those sites, just as you now won't be able to access them by typing the address into the address bar of the browser either.

Cliff

Being a Borg, I have a subscription to Microsoft Windows Live OneCare that is supposed to block this kind of stuff. I also have various firewalls enabled on my computer and the home network. I really don't want to learn any more about this, but...

Do I still need to worry?

Smiley

Firewalls won't protect you from this - you have to allow browsers to connect to the internet, or they won't work at all.

Securing your browser is the first line of defense. Anti-virus and anti-spyware apps will catch the rest, but if the browser is secure these things won't get into your system in the first place.

If you think education is expensive, try ignorance.

I'm a PHP developer in my real job. If they really are using a php exploit, it means that they are potentially running whatever code they want on the avrfreaks.net server. :( They likely gained access by way of a weakness in PHP itself, or one of the applications used to build the site. This means they may have access to hashed passwords, messages, and other things stored in the databases associated with this site. If they're running code on the server, client side antivirus or anti-malware won't even see it.

From what I can see, they are injecting obfuscated javascript into every page that loads a few other scripts, which in turn pings several servers. If you want to look at the code, it's injected as several script blocks and an iframe just above the login block in the left sidebar. Firebug will show you the decoded scripts. It looks fairly harmless from our end, but who knows what they're up to. There are various vulnerabilities that they could be using to try to infect users of old browsers.

My recommendation is to at least add the suggested lines to your hosts file. That prevents the rogue javascript from being fetched. Changing your password after the exploit is removed would be a good idea. If you use your avrfreaks.net password on other sites, I'd suggest changing it everywhere else.
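
As an added example of the triage this post describes (not the poster's own code): a Node script that lists the script and iframe tags in a saved copy of a page whose src points off-site. The page fragment is constructed for the example, using the tds.js loader path and host names reported in this thread; avrfreaks.net is treated as first-party.

```javascript
// Added example, not code from the thread: a triage check for the injection
// described above, listing script and iframe tags in a saved page whose src
// points off-site. The page fragment is constructed for the example.

const SITE_HOST = 'www.avrfreaks.net';

// Constructed sidebar fragment: one first-party script, then two injected
// loaders above the login block, like the ones described in the thread.
const SAMPLE_HTML = `
<div id="sidebar">
  <script type="text/javascript" src="/js/site.js"></script>
  <script src="http://go.richtraffic.ru/tds.js"></script>
  <iframe src="http://disp-4.richtraffic.ru/tds.js" width="1" height="1"></iframe>
  <div id="login">...</div>
</div>`;

// Hostname of an absolute or protocol-relative URL; null for relative paths.
function hostOf(src) {
  const m = /^(?:https?:)?\/\/([^/:?#]+)/i.exec(src.trim());
  return m ? m[1].toLowerCase() : null;
}

// True for the site itself and its subdomains (www. stripped for comparison).
function isFirstParty(host, siteHost) {
  const base = siteHost.toLowerCase().replace(/^www\./, '');
  return host === base || host.endsWith('.' + base);
}

// Off-site loaders as {tag, host, src}, in page order. A tag-level regex is
// enough for triaging a captured page; it is not a full HTML parser.
function findOffSiteLoaders(html, siteHost) {
  const found = [];
  const tagRe = /<(script|iframe)\b[^>]*?\ssrc\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const src = m[2] ?? m[3] ?? m[4];
    const host = hostOf(src);
    if (host !== null && !isFirstParty(host, siteHost)) {
      found.push({ tag: m[1].toLowerCase(), host, src });
    }
  }
  return found;
}

console.log(findOffSiteLoaders(SAMPLE_HTML, SITE_HOST));
```

Run it against the HTML saved from the browser (view source, not the live DOM) so that document.write'd content from the loaders does not hide where the original injection sits.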

A quick search turns up several SQL injection exploits for the PNphpBB2 module used here. They don't involve running any PHP code on the server. But they could allow someone to insert javascript code into regions of the site by altering the tables containing the content. Hopefully that's the case rather than a true PHP-based vulnerability.

Unix / Linux / OS X users can block this without editing /etc/hosts by running:

sudo ipfw add deny from any to go.richtraffic.ru,www.mob-marketing.ru,trafficshop.biz

(Edit: This should be a single line, not broken at the dash)

There is at least one other URL that flashes by, but I haven't been able to grab enough of it to block it. Anyone know what it is?

dsp-5 something

also
disp-2.richtraffic.ru
disp-3.richtraffic.ru
disp-4.richtraffic.ru

Is there a way to block all .ru domains with the host file? At least just for a little while?

The_village_idiot wrote:
Is there a way to block all .ru domains with the host file? At least just for a little while?

The hosts file won't work.

Here are some options:
If you can control the DNS server you use, create a zone for .ru and dump the requests.

Create a WPAD file for your browser. It basically tells the browser how to access a site (either via a proxy or directly). Have the WPAD file point to a localnet IP for the proxy server when attempting to visit a *.ru site.

If you control a proxy server, dump requests for *.ru.

If the server is actually located in Russia, route the IPs for that .cc to a bogus IP. The addresses for these networks can be looked up online.

Best Wishes,
Mike

Edit was to clean up brain fart. zone -> hosts in first line.

Mike Coles http://blips.net
'bluelip' http://diyaday.com

Last Edited: Thu. Jan 1, 2009 - 09:48 PM

The WPAD file should look like this:

function FindProxyForURL(url, host)
{
    // dnsDomainIs() is a standard PAC helper: true only when the hostname
    // ends in ".ru", so a name like www.rubberducky.com is not caught.
    if (dnsDomainIs(host, ".ru")) return "PROXY 127.0.0.2:3128";

    return "DIRECT";
}

Save the file as wpad-block-ru.txt or whatever you'd like someplace convenient. In the browser settings, change the entry for "Automatic Proxy Configuration Script" (or similar) to point to your new file.

The file may need to be tuned as I didn't try it out.

Mike Coles http://blips.net
'bluelip' http://diyaday.com

Might be time to upgrade to a newer Firefox, I think some of this blocking may be built in, I'll have to fire up a different computer and check it.

Also they seem to be looking at this thread and adapting the urls so dumping all of .ru might be a good idea for a while (at least until the change).

Quote:

Might be time to upgrade to a newer Firefox

As emuler has posted above you should
Quote:

get the addons NoScript and AdBlock Plus

I have Firefox 3.0.5 (i.e. very new) on my new machine but had missed those and was hit by the script. I.e. a new Firefox alone will not protect you in this respect.

You will notice that the posting editor of AVRfreaks stops working when scripts are turned off/refused. Personally I allow scripts while editing a post only.

As of January 15, 2018, Site fix-up work has begun! Now do your part and report any bugs or deficiencies here

No guarantees, but if we don't report problems they won't get much of  a chance to be fixed! Details/discussions at link given just above.

 

"Some questions have no answers."[C Baird] "There comes a point where the spoon-feeding has to stop and the independent thinking has to start." [C Lawson] "There are always ways to disagree, without being disagreeable."[E Weddington] "Words represent concepts. Use the wrong words, communicate the wrong concept." [J Morin] "Persistence only goes so far if you set yourself up for failure." [Kartman]

The_village_idiot wrote:
Might be time to upgrade to a newer Firefox, I think some of this blocking may be built in, I'll have to fire up a different computer and check it.

I didn't see anything in the about:config URL (using 3.0.4), but it looks like the add-ons LeechBlock and Blocksite can be used to block *.ru websites.

Mike Coles http://blips.net
'bluelip' http://diyaday.com

Blocksite addon for Firefox seems to do the trick. I added http://*.ru to the blacklist on firefox 3.x and an info bar pops up that says something was blocked. I put an older version on this computer for the older version of FF but it is not giving me the warning, I think it is working though. Someone tell me when the issue is fixed so that I can stop blocking all .ru sites.

Siteblock doesn't work on my older version and I'm not sure I want to log in on the other computer, but it definitely seems to work on that machine.

Siteblock works on FF 2.x too, won't even let you search google for .ru sites for a check!

The_village_idiot wrote:
Siteblock works on FF 2.x too, won't even let you search google for .ru sites for a check!

Must be running a regex on the full string instead of just the hostname part.

Mike Coles http://blips.net
'bluelip' http://diyaday.com

The_village_idiot wrote:
Siteblock works on FF 2.x too, won't even let you search google for .ru sites for a check!

How about www.rubberducky.com or www.runnersworld.com?

--
Mike

Mike Coles http://blips.net
'bluelip' http://diyaday.com

Both are completely blocked, but you could white list them to see them (I assume).

You can not mix whitelist and blacklist entries, so the blocking would need to be more specific to open those sites.

http://*.*.ru works and allows other sites to work too.
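
As an added example (not Mike's WPAD file nor the BlockSite add-on's own logic), here is a PAC function that sinks the exact hosts named in this thread, a wildcard for the rest of richtraffic.ru, and the whole .ru TLD, while testing the hostname only, so that www.rubberducky.com or a Google search for .ru sites is not caught the way the discussion above describes. Browsers supply dnsDomainIs() and shExpMatch() to PAC scripts; stand-ins are defined here so it runs under Node, and 127.0.0.2:3128 is assumed to be a proxy that does not exist.

```javascript
// Added example, not code from the thread: a PAC/WPAD script that blocks the
// hosts named in this thread and the whole .ru TLD by hostname suffix only.
// Browsers supply dnsDomainIs() and shExpMatch() to PAC scripts; stand-ins
// are defined here so the function can be exercised under Node. (Older PAC
// engines want var and function() in place of const and arrow functions.)

function dnsDomainIs(host, domain) {
  // True when host ends with domain, as in a browser's PAC runtime.
  return host.length >= domain.length && host.slice(-domain.length) === domain;
}

function shExpMatch(str, pattern) {
  // Shell-style glob on the whole string: '*' any run, '?' one character.
  const re = pattern.replace(/[.+^${}()|[\]\\]/g, '\\$&')
                    .replace(/\*/g, '.*').replace(/\?/g, '.');
  return new RegExp('^' + re + '$').test(str);
}

// Exact hosts seen in the thread, a wildcard for the rest of richtraffic.ru,
// and the TLD used by the hosts that kept changing.
const BLOCKED_HOSTS = ['go.richtraffic.ru', 'www.mob-marketing.ru', 'trafficshop.biz'];
const BLOCKED_GLOBS = ['*.richtraffic.ru'];
const BLOCKED_TLDS = ['.ru'];
// Assumed non-existent proxy: the connection fails, so nothing is fetched.
const SINK = 'PROXY 127.0.0.2:3128';

function FindProxyForURL(url, host) {
  const h = host.toLowerCase();
  if (BLOCKED_HOSTS.includes(h)) return SINK;
  if (BLOCKED_GLOBS.some((g) => shExpMatch(h, g))) return SINK;
  // Suffix test on the hostname, never on the URL: a Google search for ".ru"
  // sites or www.rubberducky.com is not under the .ru TLD and goes DIRECT.
  if (BLOCKED_TLDS.some((t) => dnsDomainIs(h, t))) return SINK;
  return 'DIRECT';
}
```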

Quote:

You will notice that the posting editor of AVRfreaks stops working when scripts are turned off/refused. Personally I allow scripts while editing a post only.

Click the NoScript icon at the bottom right of the window and allow avrfreaks.net (temporarily allow it if you prefer). Do not use the option 'allow everything on this page' as that will leave you unprotected by NoScript.

If you think education is expensive, try ignorance.

I'm now back in England and using my regular work laptop on which I haven't yet edited the hosts file (in fact I came to read this thread to remind me what to block). So far, touch wood, I'm not seeing it making any of the rogue requests so I'm guessing someone at fort Atmel has done something to stop this. (Page load times also seem increased, which is often a sign that they've enabled further checking on the server.)

Cliff

Nope, still there. But it does look like they have cut back to only a single site instead of the three or four each time you loaded a page here.

What exactly is it doing though?

Well, the freaks team seems to be working hard now...

Here is what I see happening:

There is code on each page that calls up a JavaScript that collects your IP address and sends it to "go.richtraffic.ru" and "trafficshop.biz"; there they compile a list of unique addresses and pay a dollar for each thousand unique addresses to whoever set it up. They then turn around and sell it to anyone willing to pay for that kind of information.

Here is a clean session with one of those servers:

GET /tds.js HTTP/1.1
Accept: */*
Referer: https://www.avrfreaks.net/
Accept-Language: en-ca
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.0.04506)
Host: disp-4.richtraffic.ru
Connection: Keep-Alive

HTTP/1.1 200 OK
Server: nginx/0.5.34
Date: Fri, 02 Jan 2009 23:54:45 GMT
Content-Type: application/x-javascript
Content-Length: 454
Last-Modified: Tue, 23 Dec 2008 10:01:05 GMT
Connection: keep-alive
Accept-Ranges: bytes

var html = '';
html += '';
html += '
';
document.write(html);

document.write("");

Rob

Last Edited: Sat. Jan 3, 2009 - 01:16 AM

So
can we disable javascripts for all *.avrfreaks.net?
should we put the nefarious domain names in our hosts file and point it to nada?

I have tried it on my Vista32 and it does not work for me here. Despite the fact that I have the names pointed to 127.0.1.0 in my hosts file, my computer still connects to them. Moreover, I cannot find anywhere in Vista where I could block IP addresses. Does anyone know?

Well the site was down most of yesterday, but today I still see that something is being blocked, so I guess they didn't fix it yet.

Turned Blocksite off for something and forgot to turn it back on before coming here... I'm seeing about 10 different .ru sites flashing past on each page load now.

It isn't right that avrfreaks.net's hosting service just leaves this invasion of privacy running for days and days.

Unacceptable.

I disagree about the hosting service. The only thing I've seen a hosting service do about a compromised site is shut it down if it's a threat to their network, or end user's privacy. It's typically the responsibility of the owner or contract developer to fix problems like this. Hosting nearly never includes software patches unless there's a maintenance contract attached.

I must admit, this may not be the best solution but it is a start.

When viewing any page on AVRFreaks we are downloading things from Russia, and we don't know why. Attachment 1 is a screenshot from my network monitor showing just one such visit. Notice 9 Russian and Latvian IP addresses, representing 16 sessions (I have seen as many as 19 IP addresses at one point). All this with my IE7 set to the 'Medium-high (default)' security setting for the Internet zone. I've looked around, tried different things and found that by disabling Active Scripting (see attachment 2) in my Security Settings for the Internet zone I totally eliminated download requests for all Russian and Latvian IP addresses (see attachment 3). I'm sure disabling Active Scripting is not the answer, but it should cut down on false traffic and allow us to use AVRFreaks.
The effect of disabling the Active Scripting is that some things just won’t work as they should, certain pages won’t load, etc.

Rob

stevech wrote:
It isn't right that avrfreaks.net's hosting service just leaves this invasion of privacy running for days and days.

Unacceptable.


Exactly how much did your subscription cost you? As already noted, Atmel have been on holiday over Christmas and New Year.

Anyway as they are now back I'm going to take the "Announcement" status off this thread so it will break loose and eventually be lost in the void..

Cliff

Clawson:

Quote:
Exactly how much did you subscription cost you?

Not sure this is really the issue here. While the user forum, like many others, gets its revenue from advertising, I would hope that the freaks web management could have a web site that is based on security for all users. Without the users, no organization is going to spend funds on that site. However, I doubt that the site is going to lose many if any subscribers.

Since accessing the freaks web pages I just noticed that I get a warning (Firefox) that my access to my email (HORDE) was not allowed because there was a page redirect, which is not allowed. So, currently I can not look at my email because I am worried that if I 'allow' then the redirect will cause problems.

If the web site has been hacked, then I would expect some sort of official announcement from the folks who are holding the reins for the web site.

And I do purchase some AVR products from the advertisers on this web site.

In the meantime I will have to use a lot of time to see what the heck is going on with the redirection warning I am getting from the browser.

If there is any additional information that can shed some light on this, it will be greatly appreciated.

I'll believe corporations
are people when Texas executes one.

Well, I don't understand how you get to "hosts files" and I don't see any "site blocks" in either Firefox or NoScript?

I'll believe corporations
are people when Texas executes one.

Not that it matters now, but BlockSite is an add-on for Firefox. Click the Tools tab, then scroll down to Add-ons and click. In the lower right corner of the menu will be a link to get extensions; click it and search for BlockSite or site blocker and it should get you there.

I'd like to punctuate this discussion with:

When/if the site is similarly hacked in the future, I would hope that the moderators can and do disable the site until admins can remove the malware from the server.

stevech wrote:
I'd like to punctuate this discussion with:

When/if the site is similarly hacked in the future, I would hope that the moderators can and do disable the site until admins can remove the malware from the server.

As stated before, the ability to disable the entire site is reserved to the administrators. All moderators can do is move/delete individual posts and threads.

Topic locked