www.replacementdocs.com, THREAT SITE!
I've not been here for a while, so this might have already been posted (I had a quick search but didn't find anything), but when I recently went to the popular replacementdocs.com the damn site managed to install an exploit on one of my PCs. This exploit kit makes a mess of many Windows applications, like Windows Update, which it prevents from working, and it also stopped my antivirus updating and some other programs from working correctly. Comodo antivirus/firewall suite with real-time scanning didn't stop it :lynch: but found and removed most of it when I ran a scan (a bit late now!), but the programs still didn't work correctly, and after spending a while trying to fix everything I gave up and used a backup image file to rebuild the entire drive.
I was, as usual, curious as to what had happened and what this exploit was, so I used a spare expendable HDD, loaded AVG link scanner and revisited replacementdocs.com. If you're not familiar with AVG link scanner, it checks websites you search for with Google and reports if they are safe sites etc.; this is a free AVG plugin for Firefox and you don't need to be using any AVG products to use it. Now, the annoying thing is that AVG link scanner does not initially report the site as dangerous, but as soon as you go to the site it freaks and reports that it has blocked the site from trying to send a Blackhole exploit kit. That's great if you have the link scanner, but if you don't have it your antivirus might not stop it, so you might want to give the site a miss :nono: |
And how does it install that? You need to download something, or is it in the ads?
There are very often such exploits in ads, and sites which use a third-party company to cycle ads on their sites often have such problems even though they really have no way to prevent it. |
Quote:
http://www.fazerfetish.eclipse.co.uk...20exploit2.jpg |
The site has probably been hijacked by a third party, unless they suddenly turned evil. I once witnessed PhotoBucket.com being hijacked and spreading a virus; they admitted it outright via email and all.
If you want to test it, besides all that software that doesn't protect you in the end, the first thing you must do is NOT surf with an admin account, or enable UAC, for God's sake. Nothing would have happened, even if you had no anti-virus. |
I've disabled the link we have on main page just to be sure.
Please keep me updated and, if possible, contact the administrator of the site, reporting to him what you have experienced. |
If it is like I think and you want real protection, go get SpywareBlaster.
It doesn't stop threats from developing on your computer; it prevents you from accessing them. Ultimate protection (as long as you keep the list up to date). |
The website looks like it is running phpNuke, which is notable for being easy to compromise.
|
I noticed this exploit last week and sent a letter to the admin. No answer was received, and the site is still infected.
It tries to execute [somerandomname].pdf on most pages (but the site could have the same ads on every page, so that doesn't mean anything). As my Opera has all such autoruns disabled, it simply offers me the download. When I downloaded it, yes, my scanner immediately said "it is a virus!" So I, personally, simply denied the download every time after that. :) Update: Checked it right now. "auto-pdf" is gone. But no explanations posted. As I installed a new update of Opera, it may simply be a false negative. Can anyone check it too? |
It looks like the problem has been sorted; this update is on the site and AVG link scanner no longer blocks the site.
"Wow, those hackers have been busy these past few weeks. I kept removing the malware and they kept putting it back because I didn't have the time to really fix the vulnerability that allowed them to put the malware on the site in the first place. So, I just had to sit down and really take the time to fix it right. It took most of the day, but it's done. And I'm pretty sure that will mark the end of the hacking and malware. I gave everything a good once over to make sure the key features are still operational, but as always, if you notice anything weird, let me know. Thanks! Read/Post Comment: 0 by sleepy on Friday 10 June 2011" |
Yes, we have been in contact with the owner of replacementdocs.com. Initially he removed the malware but it kept coming back, until he fixed the vulnerability. Now he's reasonably sure that it's over.
|
Pay attention guys, the malware is back.
|
Hmm, we need superhackzorz whitehat team! Assemble!!!!
|
I guess we'll have to leave our links to them suspended for a longer time. :(
|
I haven't visited replacementdocs in months, but somehow my Yahoo, Gmail, and Facebook email accounts have all been hijacked and virus scans have revealed nothing. Yahoo was the worst: I kept changing my password and someone kept changing it to something else minutes later. I haven't had any problems in 13 hours so far, though. Still, I've been backing up everything on my computer so I can do a clean install, since I can't be sure I have a virus, even though I'm careful about those things. I don't know how else that could happen.
|
Do you ask for help? I would split it off to the Tech Corner then, you know.
|
Whoever is running the replacementdocs site should shut it down if they can't sort it out, as the bloody site is still infecting. The hackers seem to have changed things, because when I checked it today using a spare drive, AVG link scanner now finds nothing and the site does not appear to load completely, but something is being d/loaded as it's churning away, and straight away I was getting "svchost" repeatedly trying to get online.
Maybe "sleepy" who runs the site is asleep. SHUT IT DOWN IF YOU CAN'T SORT IT, AS THIS CRAP MUST BE INFECTING LOTS OF PCs :lynch: |
I have no clue how my emails got hijacked. I'm in hour 27 of reinstalling everything on my computer. I mostly just have games left. It's insane how slow Windows Update is, though.
|
ARE YOU ASKING FOR HELP?!
This thread is about threats at replacementdocs, not about your e-mails! |
Calm down, Lurksen, he's saying how upsetting hackers can be and commiserating with the owner of replacementdocs *patpat*
try to simmer down http://i524.photobucket.com/albums/c...tFINALTINY.gif |
I'm calm. I only did all caps because he didn't answer my question but went further on his threadnapping career.
|
WY U NOT HELP MI WIT MAKROSOFT WORD
|
If I needed help, I would've asked for help. Jeez, I check this thread a week later and see a spaz attack. Do your lamaze and breathe. Sorry for trying to share a possible connection with emails getting hijacked and all of these game site hacks that have been going on lately.
|
It was off topic, and anyone could have read it as a plea for help; I did too.
|
Hmmm... :umm: I wonder if you know (Bill) Gates of Hell... :devil: Or is Bill Gates in Hell? ;) Windows Vista... Hasta la Vista, baby :XP: :rocket: |
I did not read the whole thread, but let me get this right: replacementdocs is infected with malware? 'Cause I visited the site a few times in the last several weeks and did not notice anything unusual. Would the downloaded documents be infected with a virus or anything?
I am asking this because I did download a few manuals from the site lately. I do not care much about the site malware itself, since I browse with Linux. However, I do care about the downloaded manuals, since now and then I still boot up to Windows to play games (the ones not yet playable in Linux with Wine), and chances are I do open those downloaded manuals under Windows. In Windows I use Avira, and so far it does not detect anything in those manuals. |
The manuals themselves are not infected.
|
It was a cross-site drive-by-download attack; the malware files trying to download themselves were PDFs, but different from the manuals. Depending on your browser preferences the malicious PDFs could succeed in being downloaded without user consent, or could prompt a dialog box... There was probably a social engineering component, in that a user might be less suspicious of an unsolicited PDF download if it was at replacementdocs.com, but it probably relied on most browsers being configured to open PDFs right away, without user interaction, with the Acrobat plugin. Also, they probably targeted only Acrobat Reader for Windows (I'm speculating here).
|
My Firefox is configured to open PDFs right away with the Adobe Acrobat Reader plugin. So far I do not see any PDF downloaded other than those I really chose to download. No dialog box prompt either.
Anyway, at least it is good to know that the manuals themselves are not infected. |
:hello: |
Would running Sandboxie help avoid any infections from replacementdocs? And it looks like Acrobat Reader X has a "protected view" which is supposed to run PDFs in a sandbox, which might help too.
|
Yes, Sandboxie should prevent it, except for attacks purposely designed to circumvent sandboxes, but that's unlikely. But the best solution is: do not use an administrator account with UAC disabled.
The protected mode AFAIK only blocks links clicked by the user from the PDF, and other active content. This was probably not even a valid PDF file with malicious content, but an exploit: something that uses a vulnerability in Acrobat to inject code that has nothing to do with PDF. (Again, if this code hadn't been run in an administrator account with elevated privileges, nothing too bad could have happened.) If you opened this file with another PDF reader that it wasn't designed to exploit, you would probably get nothing but an error complaining that it's not a valid PDF file. But I'm just presuming; I never had a sample. |
Well, I went to replacementdocs.com yesterday to see if they had a manual for a game I wanted to play, and then I got a generic browser screen with this message:
"NOTICE: This domain name expired on 07/03/2011 and is pending renewal or deletion" Noooooooooooooooooooooooooooooo!!!!!!!!!!! Please don't say that replacementdocs.com is dead! Please no!:crybaby: |
It's OK now.
|
I also found that Replacementdocs is still down. I checked with both IE and Firefox.
|
Try www.replacementdocs.com instead of replacementdocs.com.
By the way, Opera shows a malware warning and flags the site as potentially harmful. It's not a detection; it's because there have been reports. |
I'm also getting the 'NOTICE: This domain name expired on 07/03/2011 and is pending renewal or deletion.' message. :no:
|
It's down... your DNS records must be old, Japo.
|
Well, does anybody here know what happened to it?
Apparently, Sleepy's own email doesn't even work anymore... And Wikipedia's deleted its entry on it... |
Japo, please tell me what IP does pinging RD's website give you?
|
The www subdomain gives me the same message now. Dunno, maybe it's the way it was dismantled and I happened to pick the precise moment. I don't know if I can retrieve past DNS translations, but if I could, probably you could too.
Anyway from whois.domaintools.com I get the address 69.163.167.61. But currently it displays a "Site Temporarily Unavailable" message ("bad_httpd_conf"), so it may be ReplacementDocs after all. |
All in accordance with the best of their policies :p
|
WWWHHHYYY?!?!?!?
|
Well, someone surely has to know more about this.
There were others uploading over there after all. Is anyone still in contact with Sleepy? Will it come back? Is it gone for good? Is there a substitute site that one could go to instead? |
I only know the @replacementdocs.com email address, and I don't think that will work now. :(
|
It seems to be back online... at least for now.
|
Yes!!! It's back! :woot:
|
From what I read, sounds like he reverse engineered the site to stop all the hacking and malware...
|
From your post, it looks like you don't understand what reverse engineering is - because it's not that. :)
|
The site is back up again:clap:
|
*collective sigh of relief*
|
Powered by vBulletin® Version 3.7.1
Copyright ©2000 - 2024, Jelsoft Enterprises Ltd.