Dirty Forums


darmok 10-20-2017 04:12 PM

underworldlive.com hacked/malware?
 
The official Underworld site is serving malware/junkware that appears when you click the "accept" button for cookies. It's coming from a script that's loaded directly from the page source, and the official site seems to use WordPress, so chances are it got hacked. I figured I'd post about this here in the hopes that someone can bring it to the attention of the right person.

TheBang 10-20-2017 04:28 PM

Re: underworldlive.com hacked/malware?
 
I didn't see anything untoward try to get loaded. Do you have any more details?

darmok 10-20-2017 05:06 PM

Re: underworldlive.com hacked/malware?
 
1 Attachment(s)
This is the kind of popup I'm getting - but it seems to happen rarely, and is easiest to trigger when I visit from a new IP. Unfortunately I failed to capture exactly what's doing it here this time, and I can't get it to trigger again.

I'm positive it's not client-side - I've seen this multiple times on multiple computers, but only on underworldlive.com.

I'll keep trying to see if I can get it to happen again.

darmok 10-20-2017 05:48 PM

Re: underworldlive.com hacked/malware?
 
Caught it! It's a sneaky bastard, but it shows up if you visit from an IP that hasn't visited the site recently. I ended up tethering to my phone to catch it in the act (and toggling airplane mode to get a fresh IP). You'll see a script block at the bottom of the body that's responsible for the malware popunder. I didn't have any success with this on my Mac, so it might be doing user-agent checking as well.

Here's the source to the page I was served, in case it helps: https://pastebin.com/dgDtPiCD

TheBang 10-20-2017 06:28 PM

Re: underworldlive.com hacked/malware?
 
Oh yeah, you can totally see the malicious code at the very bottom of the HTML you pasted. That whole last block of JavaScript right before the end body tag. This part in particular is probably what caused your pop-up:

Code:

window.event;doOpen("http://helpcenterforall.bid/index/?MCPKV8")

You're right, it is really hard to get it to trigger. I was only able to get it using a fresh Edge browser once (subsequent visits didn't have it), but when I did get it, it had that same malicious JavaScript block as in your paste, causing this:

https://imgur.com/a/6ADUf

On the other loads, that JavaScript block doesn't appear.
Nice catch, thanks. I'll pass it along to management.
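
Added example, not part of the original thread or any poster's code: because the injected block only appears on some loads, one way to confirm it is to diff the script blocks of a normal capture of the page against a suspect capture and list any hosts outside an allowlist. The sample HTML, the host `popunder.example`, the allowlist and the function names are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

URL_RE = re.compile(r"""https?://[^\s"'<>)]+""")

class ScriptCollector(HTMLParser):
    """Collect each <script>: the src of external ones, the body of inline ones."""
    def __init__(self):
        super().__init__()
        self.scripts, self._buf = [], None
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.scripts.append(src)
            self._buf = []
    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)
    def handle_endtag(self, tag):
        if tag == "script" and self._buf is not None:
            body = "".join(self._buf).strip()
            if body:
                self.scripts.append(body)
            self._buf = None

def scripts_in(html):
    parser = ScriptCollector()
    parser.feed(html)
    parser.close()
    return parser.scripts

def unexpected_scripts(baseline_html, capture_html, allowed_hosts):
    """Return (script, off-allowlist hosts) for scripts only in the capture."""
    known = set(scripts_in(baseline_html))
    findings = []
    for script in scripts_in(capture_html):
        if script in known:
            continue
        hosts = {urlparse(u).hostname for u in URL_RE.findall(script)}
        findings.append((script, sorted(h for h in hosts - set(allowed_hosts) if h)))
    return findings

# Constructed captures of one page: a normal load and a load with an extra block.
CLEAN = ('<html><body><script src="/wp-includes/js/jquery.js"></script>'
         '<script>var cookieNotice = {accepted: false};</script></body></html>')
INFECTED = CLEAN.replace("</body>",
    '<script>window.event;doOpen("http://popunder.example/index/?ID")</script></body>')
```

Captures need to come from conditions that differ the way the thread describes (fresh IP, different browser), since repeat visits may all return the clean page.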

stimpee 10-21-2017 06:32 AM

Re: underworldlive.com hacked/malware?
 
Have also forwarded this to the UW management that I am in contact with.

crank 10-21-2017 12:47 PM

Re: underworldlive.com hacked/malware?
 
I hit it too. It didn't hit me, but I was shocked. And it was triggered on my phone as well.


All times are GMT -7.