UU was hacked last night - help us fix!

When I tried to click on my notifications (from my MacBook), a file began to download that my computer said was an application. I immediately stopped the download, reset my Safari and deleted the download.
Now that I think of it, the same thing happened to me. I got a pop-up on Chrome that was trying to save a file called c:/
 
Ryan - I got a hit this morning when I tried to go to the UU main page. Here's the URL of the site that Avast hit on (jpg so it won't hotlink):

virushit.jpg

I had the same thing happen and the same site hit. Mine went to the site like Matt's did. I am scanning right now to ensure I am not infected. Thank you Ryan for everything you do!
 
I was redirected to http://www3[dot]workfree36-td[dot]xorg[dot]pl/?p=p52dcWpkbG6Hnc3KbmNToKV1iqHWnG3KXsWYlGhnZWuVmA%3D%3D. No problems here, but I'm on a Mac.
 
Update: After telling my husband what happened, he said to get Malwarebytes and run it. It found a bunch of nasties in the form of backdoor bots and a trojan installer, although they weren't dated so who knows when I got them for sure. And yes, I'm running XP.


EDIT: Here is the log file, if that helps any.

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4057

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

5/1/2010 1:35:42 PM
mbam-log-2010-05-01 (13-35-42).txt

Scan type: Full scan (C:\|E:\|F:\|)
Objects scanned: 174649
Time elapsed: 21 minute(s), 44 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 6
Registry Values Infected: 1
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{494e6cec-7483-a4ee-0938-895519a84bc7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{494e6cec-7483-a4ee-0938-895519a84bc7} (Backdoor.Bot) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\uid (Malware.Trace) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.Userinit) -> Bad: (C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,) Good: (Userinit.exe) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\myname\Local Settings\Temp\WjVIZsM4.exe.part (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\7.tmp (Trojan.Zbot) -> Quarantined and deleted successfully.
 
Last edited:
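The most telling line in the log above is the Winlogon\Userinit entry: the stock value runs only userinit.exe, and the second path (sdra64.exe) is what got the Hijack.Userinit label. Below is an added example, not code from this thread or from Malwarebytes, that parses a log in the posted layout, lists every detection, and flags any Userinit entry that is not the stock system32\userinit.exe. The log layout and the "stock Userinit" baseline are assumptions drawn from the posted log; the Userinit line in the sample is copied from the post above and the surrounding lines are a constructed excerpt.

```python
"""Parse a Malwarebytes-style scan log and flag Userinit hijacks.

Added example for this thread; not Malwarebytes' own code. The log layout
is assumed from the log posted above.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# The Userinit line is copied from the log posted in the thread; the rest is a
# constructed minimal excerpt in the same layout.
SAMPLE_LOG = r"""Registry Keys Infected: 6
Registry Values Infected: 1
Registry Data Items Infected: 1
Files Infected: 2

Registry Keys Infected:
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.Userinit) -> Bad: (C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,) Good: (Userinit.exe) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\Temp\7.tmp (Trojan.Zbot) -> Quarantined and deleted successfully.
"""

HEADER_RE = re.compile(r"^(?P<section>.+ Infected):$")          # "Files Infected:"
COUNT_RE = re.compile(r"^(?P<section>.+ Infected): (?P<n>\d+)$")  # "Files Infected: 2"
ITEM_RE = re.compile(r"^(?P<item>.+?) \((?P<name>\w+\.\w+)\) -> (?P<action>.+)$")
USERINIT_BAD_RE = re.compile(r"Bad: \((?P<bad>[^)]*)\)")


@dataclass
class Detection:
    section: str   # e.g. "Registry Data Items Infected"
    item: str      # registry key/value or file path
    name: str      # detection name, e.g. "Hijack.Userinit"
    action: str    # everything after "-> "


def summary_counts(log_text: str) -> Dict[str, int]:
    """Read the 'X Infected: N' summary block into a dict."""
    counts = {}
    for line in log_text.splitlines():
        m = COUNT_RE.match(line.strip())
        if m:
            counts[m.group("section")] = int(m.group("n"))
    return counts


def parse_detections(log_text: str) -> List[Detection]:
    """Walk the per-section blocks and return one Detection per item line."""
    found, section = [], ""
    for line in log_text.splitlines():
        line = line.strip()
        h = HEADER_RE.match(line)
        if h:
            section = h.group("section")
            continue
        m = ITEM_RE.match(line)
        if m and section:
            found.append(Detection(section, m.group("item"), m.group("name"), m.group("action")))
    return found


def split_userinit(value: str) -> List[str]:
    """Userinit is a comma-separated list, normally with a trailing comma."""
    return [e.strip() for e in value.split(",") if e.strip()]


def unexpected_userinit_entries(value: str) -> List[str]:
    """Return entries that are not the stock system32\\userinit.exe (or bare Userinit.exe)."""
    suspicious = []
    for entry in split_userinit(value):
        path = entry.lower().replace("/", "\\")
        directory, _, base = path.rpartition("\\")
        if base == "userinit.exe" and (directory == "" or directory.endswith("\\system32")):
            continue
        suspicious.append(entry)
    return suspicious


def userinit_hijacks(log_text: str) -> List[Dict[str, object]]:
    """Find Winlogon\\Userinit detections and list the extra binaries they launched."""
    results = []
    for d in parse_detections(log_text):
        if not d.item.lower().endswith(r"\winlogon\userinit"):
            continue
        m = USERINIT_BAD_RE.search(d.action)
        bad = m.group("bad") if m else ""
        results.append({"key": d.item, "bad_value": bad,
                        "unexpected": unexpected_userinit_entries(bad)})
    return results


if __name__ == "__main__":
    print("summary:", summary_counts(SAMPLE_LOG))
    for d in parse_detections(SAMPLE_LOG):
        print(f"[{d.section}] {d.name}: {d.item}")
    for h in userinit_hijacks(SAMPLE_LOG):
        print("Userinit hijack, extra entries:", h["unexpected"])
```

The Userinit check is the part worth keeping after the cleanup: anything beyond the stock userinit.exe in that value runs at every interactive logon, so a second path there is a persistence mechanism regardless of what the scanner named it. The same `unexpected_userinit_entries` function can be pointed at the live value read from the registry on a Windows box to confirm the repair stuck.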
I left the forum open on my computer last night, this morning when I refreshed the page, I could only see the stickies at the top, and when I clicked on them nothing happened. So I went to the root site, ukuleleunderground.com, to see if someone had posted an explanation as to what was going on. I immediately got a java pop-up that there might be a problem with the website, warning me of malware on the site. This was interesting, as I'm running Ubuntu, and I don't have any software installed to warn me of malware. Instead of clicking the Ok, or the Cancel buttons, I clicked the little red X in the upper right corner. I was immediately redirected to a new web page designed to look like a Virus scan interface with a Windows My Computer look, complete with the windows defender shield logo and little green scan progress lines climbing towards completion (again, less than effective in my case, because I'm not running windows). When the completion bars complete, the site declares your computer to be infected, and another java pop up loads, instructing you to click Ok to download the software to clean up your computer. Again I clicked neither of the buttons presented to me, and instead clicked the little close prompt X in the corner, and the software started downloading anyway. Ubuntu asked me if I wanted to save the download and I said no. It was a pretty slick setup, though, and I could see somebody (my mom) clicking Ok. The first trojan horse of this nature I encountered some years ago eventually tried to sell me software to clean up the mess that it had made. And it won't let your browser(s) search for a solution to the problem (or anything else) either. You just keep getting redirected. Frustrating as hell.

I fell for this virus back in December or November. It destroyed my lap top. It looked so legit.
 

A lot of people get trojans that way. You think you are closing the box by hitting the X, but don't do it!!! The designers of these things know you may click that close box X, or fall for a message about your computer being infected, so it doesn't do what you think it does. Anyone can easily build an image map that executes a script no matter where you click it.

NEVER CLICK ANYWHERE ON ANY BOX YOU WERE NOT EXPECTING.

Even though I usually run Ubuntu and my Firefox is well protected with no-script and several other pop-up and ad killers, I still occasionally get one of those stupid pop-ups. I immediately go to the system monitor and kill firefox and any pop ups. None of them can really do much in Ubuntu anyway, but why take a chance? Clamscan usually finds it sitting harmlessly in my Mozilla folder.

Downloading the add-ons, No-Script, Web of Trust, and the Netcraft anti-phishing app into your Firefox will make your life better, even if you have to run Windows for some reason.

I guess everyone in the World is aware now that you also don't ever open email attachments from someone you don't know, or from your silly relatives (at least if they are like mine) who think it's fun to send chain-mail attachments to each other loaded with hidden trojans and viruses.
 
Last edited:
Same deal here. I've just finished scanning and found a couple of pieces. All sorted now.

Thanks for getting this sorted so quickly and for the heads up
 
When I logged on this morning I think all I saw was a couple of stickies that would not open. I then did a google search for "ukulele hanger" to find a link to UU & when I clicked on one, my computer alerted me that it blocked a Trojan horse virus. I then ran a check & my computer is fine.
 
I just scanned my computer (PC with XP) and found 4 pieces of spyware had appeared. All gone now.

Same deal here. I've just finished scanning and found a couple of pieces. All sorted now.

I then ran a check & my computer is fine.
I think if there's one thing my last post above shows, it's that no single A/V program is able to catch 100% of everything. Don't lull yourself into thinking that if "your" program didn't find something (or even if it did) that it found everything.
 
I'm guessing a skeleton password is like a skeleton key, in which it will open many things, in this case, maybe your email or paypal accounts, ebay, all sorts of things that would have the same password.

I ran malwarebytes and found 3 trojans, but I haven't scanned in a while. I like to think I'm very protective but obviously not. Will it help to post the logs Ryan?

And yes to the comment about multiple scanning programs. It's just like the scan I did, I did a quick scan first, 2 trojans, then a deep scan and another trojan, running another deep now to check, going to look into some more scanning software.
 
I didn't see any popups. I was just looking at a couple threads. This morning I checked the calendar and did birthday wishes. I am running XP, and I have the latest version of Firefox.

I may be having unrelated problems, possibly with iTunes going nuts (everything totally disappeared from iTunes late this morning. I'm pretty sure everything is still on my HD, but NOTHING is in iTunes now, and it was earlier today). And not only that, the program that seems to've unexpectedly shown up on my start menu might've been installed by Cat'r when he was repairing something he'd messed up in my codec packs. (??) Or it could've been installed by Keep It! (which allows you to grab YouTube videos). The name of the program (which I have not knowingly run) is 3ivx MPEG 4 5.0.3

I'm having Microsoft Security Essentials do a deep scan right now. This is going to take a WHILE.

And I'm going to have to ask Cat'r about how my computer is starting up. It might be that the used external HD he gave me and set up is causing problems. My PC starts up, then there are a scary couple moments where the screen goes black and you hear nothing happening. So I don't know if I'm having unrelated hardware problems. I can't ask The Caterpillar about this stuff now because he's at a convention in St. Louis. So he can't help from there, even if he had the time.

What I am most concerned about is: was whatever this was grabbing passwords? If I used this password somewhere else, am I going to have to change ALL my passwords?? At Ryan's suggestion, earlier today over on Twitter, I changed my password here.

Thanks.

CountryMouse, who apologizes for rambling incoherently
 
Update: I had a trojan: JS/Adclicker. Microsoft Security Essentials is getting rid of it now.

iTunes was being flaky, but Cat'r told me what to do over the phone--it's fine now. Weird stuff (stuff I'm just not used to) happening at startup is normal because of the external HD. The program I didn't remember seeing was one that Cat'r had installed, so that's okay too.

All's well that ends well. :)

CountryMouse
 
Ack, I think I was on UU when it was probably being hacked. It would only show half the page, and wouldn't let me click on anything so I presumed the site was down and left.
Thus far nothing suspicious has happened to my computer, but I've got AVG running a scan right now to be on the safe side.
Thanks for the warning, and it really, really sucks that this happened to you guys!
 
My computer detected the www1.protectsys28-pd.xorg.pl, I think when I attempted to browse UU. I noticed the site was down at that point. This was at 9:58AM PST. My browser is chrome.
 
I had a similar problem to above...firstly couldn't access the forums just a few stickies, then a suspicious pop up said it was scanning my machine and that I was infected. I closed everything and ran a full scan and now it appears ok.

I also changed my password when I got on here last night just to be sure!

I mean...what is the point for these people doing this kind of stuff...spite?

Hope everyone else is ok who experienced difficulties as well,
 
I think if there's one thing my last post above shows, it's that no single A/V program is able to catch 100% of everything. Don't lull yourself into thinking that if "your" program didn't find something (or even if it did) that it found everything.

Yes, you're absolutely right. I've got two anti-virus programs for scanning.

I've scanned again today and it looks all clear (fingers crossed). But you're spot on, you can never be too careful. Thanks for the heads-up :)
 