CAG Hacked - PHPBB Destroyer - Fake Plugin

CheapyD

Last night, it seems CAG, along with several other sites running PHPBB forum software (including SpeedTv.com), was compromised. So far, it does not appear to be serious, and it seems like only a redirect link was inserted into the forum pages. No information was lost.

Of course this is little consolation to those who installed the malware plugin. I thought I made the necessary updates to prevent this from happening, but apparently my changes never took. My apologies.

Thanks to everyone who emailed me about the problem and I hope you can get your PCs back to normal quickly. Thanks to Defender for helping to get the site back up quickly.

Here are Defender's plugin removal steps:

We have a serious problem. We were hacked. If you have downloaded the file PLUGIN_INSTALL.EXE, which was a fake patch, to your computer, you must delete it ASAP. DO NOT INSTALL. If you have, please follow the instructions below to remove it. I make no claims that this will help you or that you won't screw your computer up. This is what I did and it worked for me. Print or copy this immediately!!!!! Read all instructions BEFORE attempting. Make sure you understand them.

1. Remove your computer from the web. You should just unplug the network cable.

2. If you have System Restore on, you must shut it off immediately.

3. Shut down your computer. You can press Ctrl-Alt-Del and go to USERS. From there you can choose to log off, then shut down.

4. Reboot your computer and hold the F8 key. This will bring up the Windows boot menu.

5. Choose SAFE MODE.

6. Search your computer for a file named sp2patch.exe

7. Go into C:\Windows\System32\ and delete the folder (remember the folder name, please) that sp2patch.exe was inside.

8. Go to the start button and click RUN.

9. Run REGEDIT

NOTE: Please be very careful here.

10. Do a search in regedit for the key, value, and data for CSRSS.EXE (note: this is a clone of a real Windows component). Delete anything found with that key where the directory is the folder from step 7.

11. Do a search for sp2patch.exe in regedit as well. DELETE any entries found.

12. Reboot into normal windows mode.

13. If you reboot and do not get any errors, then you may have been successful. If you press Ctrl-Alt-Del you can see the system processes. If you see only one csrss.exe, then you have it.

14. Shut down, attach your network cable again and reboot.

-Defender
Good Luck!
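The triage half of Defender's steps (6, 10, 11 and 13) can be scripted so you see every hit before deleting anything. The script below is an added example and is not from the original thread or from Defender; it only reports, and it assumes the indicators named in the posts above: a dropper called sp2patch.exe and a copy of csrss.exe running from a folder under System32. Note that regedit's search covers the whole registry, while this script only checks the usual autostart keys; and that modern Windows legitimately runs one csrss.exe per session, so it compares the executable path against System32 instead of counting instances as step 13 does on XP.

```powershell
# Added triage script for Defender's manual steps 6, 10, 11 and 13.
# Not from the original thread. It reports only; deletion is left to the
# operator so nothing is removed on the strength of a name match alone.
# Assumed indicators (from the posts): sp2patch.exe and a csrss.exe clone
# living in a subfolder of System32. Run from an elevated PowerShell.

$System32 = Join-Path $env:SystemRoot 'System32'

# Step 6: every sp2patch.exe on the system drive, plus any csrss.exe that is
# not the genuine %SystemRoot%\System32\csrss.exe.
function Find-SuspiciousFiles {
    Get-ChildItem -Path "$env:SystemDrive\" -Recurse -File -Force -ErrorAction SilentlyContinue |
        Where-Object {
            ($_.Name -ieq 'sp2patch.exe') -or
            ($_.Name -ieq 'csrss.exe' -and $_.DirectoryName -ine $System32)
        } |
        Select-Object FullName, Length, LastWriteTime
}

# Step 13: a csrss.exe process whose image is not in System32. The genuine
# one is a protected system process and may report no path at all; a trojan
# copy started from a user-writable folder is not protected, so its path is
# readable, which is what this filter keys on.
function Find-SuspiciousProcesses {
    Get-CimInstance Win32_Process -Filter "Name = 'csrss.exe'" |
        Where-Object {
            $_.ExecutablePath -and
            ((Split-Path $_.ExecutablePath -Parent) -ine $System32)
        } |
        Select-Object ProcessId, ExecutablePath, CommandLine
}

# Steps 10 and 11: autostart locations where a persistence entry for either
# file would have to live. regedit's search covers the whole registry; this
# covers the common keys only.
$AutostartKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
)

function Find-SuspiciousRegistryValues {
    $genuine = [regex]::Escape((Join-Path $System32 'csrss.exe'))
    foreach ($key in $AutostartKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }     # PSPath, PSParentPath, ...
            $v = [string]$p.Value
            if ($v -imatch 'sp2patch\.exe' -or
                ($v -imatch 'csrss\.exe' -and $v -inotmatch $genuine)) {
                [pscustomobject]@{ Key = $key; Name = $p.Name; Value = $v }
            }
        }
    }
}

'== Files =='      ; Find-SuspiciousFiles          | Format-Table -AutoSize
'== Processes =='  ; Find-SuspiciousProcesses      | Format-Table -AutoSize
'== Registry =='   ; Find-SuspiciousRegistryValues | Format-Table -AutoSize
```

Review the three lists, then remove confirmed hits with Remove-Item (the dropper and the clone's folder) and Remove-ItemProperty (the registry values); as Defender says, do the removal from Safe Mode so the running clone cannot restore its own entries. The -File switch on Get-ChildItem needs PowerShell 3.0 or later.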
 
First off, Great job guys. Secondly, what other sites were down that were running php? And lastly, any clue or suspicion as to who did it other than those eaxposed.com people?
 
[quote name='dental_regurgitation']Nobody with common sense installed the plugin... you could tell it was fishy right away.[/quote]

By the way, where was this plugin? Was it introduced on the site last night?
 
[quote name='PittsburghAfterDark']And people wonder why I'm on a Mac and browse with Safari.[/quote]

* High-fives PittsburghAfterDark *

Like a moron, I clicked the link (but never installed it). Even if I had, it wouldn't have worked on a Mac.

The whole thing sucks, though. I hope no one was really affected.
 
Good work on getting the site back up so quickly... I was scared there would be nothing for me to read while at work.
 
I downloaded it on a lab PC I have at home, knowing it was a virus or trojan of some sort. I guess I was just curious to see what would happen, and since it was my test PC, I had nothing to lose. When it installed, it started playing some Michael Jackson song and was running something from the command prompt. After installing, my system wouldn't shut down, but I didn't notice anything else wrong. After I had my fun, I just re-imaged the machine and I'm back up and running.
 
I tried it just to see what it'd do, but MS Antispyware was up to the task. Didn't even get through.

Great job getting the site back up.
 
[quote name='dental_regurgitation']Nobody with common sense installed the plugin... you could tell it was fishy right away.[/quote]

Shoulda told that to my friend. :( He was over late last night, and I had gone to the bathroom. I came back, and he said he had downloaded something. Then my PC wouldn't shut down... I was pissed. :evil: I hope I got rid of all of it...
 
I saw the plugin last night and I didn't download it. I was frankly suspicious.

I know Cheapy D would have mentioned something days before doing something like having a plugin.

I am sooooo glad I followed my instincts!
 
Apparently Firefox never picked it up because I never saw any downloads. Plus it doesn't hurt to have Norton as backup. :)

Glad you were able to get everything back up and running so quickly.
 
I downloaded it last night. It wouldn't let me shut down; I did a System Restore and it fixed it. It shows only one csrss.exe running in system processes. I even did a search for sp2patch.exe; it was located at windows\preface, not system32\. I just deleted it anyway and also did a regedit and deleted the whole folder.
 
Anyone know what the plugin does to your computer besides making it not shutdown correctly?... besides the michael jackson music?
 
[quote name='Professor Oreo']Anyone know what the plugin does to your computer besides making it not shutdown correctly?... besides the michael jackson music?[/quote]

I never got any music with mine...
 
[quote name='SpeedFire']I browse with Firefox, and it owns... but lets not jack CheapyD's thread :p

Glad for the responsive reaction.[/quote]

Actually, I use an alternative browser, Opera to browse CAG at home. Since I switched to DSL, I thought it would be a good idea to not use Explorer so much since all the hackers attack Explorer.
 
My laptop was infected since I was curious last night :(. Anyway, I am using Win 2k and it looks like the plugin doesn't really work on Win 2k, but it did make it so I could not reboot my laptop.

I have removed it manually by deleting the subdirectory under system32 which contained csrss.exe, and all registry entries which had that directory and the csrss.exe underneath it.

Looks like it works as usual now.
 
So I don't get it- it seems as if it was just a punk-ass stunt more than anything, and it was easily removed... I wonder what the whole point of the attack is. I mean, at least terrorists announce why they did what they did.

WTG on getting the site up so quick! WoOt!
 
Umm the software was malware.

It was either a keylogger or it was simply just sending your files to another place.

If you had the fake patch running and logged into your paypal/ebay or any account for that matter...GO CHANGE YOUR PASSWORDS ASAP.
 
I downloaded it, but deleted it. I IM'd Scorch and we were looking for a mod to IM. Luckily we got in contact with punq. It was pretty cool trying to figure out what the hell was going on. Thanks CheapyD!
 
After playing Halo 2, I came back to the PC to refresh CAG, and "forums hacked" was everywhere. Thanks to CheapyD and the CAG crew, I'm glad everything is back up and running. Hope Moxio didn't get the plugin; him listening to music could have serious effects.
 
I downloaded it so I could scan it and see if it was bad or not... but like an idiot, I slipped while right-clicking and clicked Open instead of Scan. It came up and asked for the number of ports or whatever, and I closed it right away. Could that have done anything to my system? I'm at school right now so I can't do anything about it... yet.
 
Like an idiot I downloaded it. I ran an AVG scan, but it didn't detect anything. I'm gonna edit the registry tonight. The only thing I could find wrong was that it wouldn't let me shut the PC down.

It's shut down now, but I left the machine on last night in standby mode. Oh well, I hope my nekkid pics don't end up next to Fred Durst's (sp?).
 
I downloaded it. I tried to run/open it, but it didn't do anything. I shut my comp down, and it wouldn't. So I manually turned it off. Rebooted my comp, and everything seems to be fine. There's only one csrss.exe running in the Processes tab...

After reading Defender's warning, I immediately deleted the plugin_install.exe. I'm just wondering, am I infected? Since it didn't want to shut down for me the first time... but everything seems to be A-OK right now.
 
[image: favourite_character.jpg]

He's on the case.
 