Warning: Do Not Use Entropedia [NOTE: now cleared by Google Safebrowsing]

I had a warning on Entropedia this afternoon from my virus scanner about some Blackhole toolkit...
 
So far as I understand it, everyone (Witte, 711, Dr.D.C.) has done as much as they can, and are now waiting on Google etc to update their malware listings.

The PayPal file has been changed again; this time to domain paddelscorner.de.

Weirdly enough, it seems like the perps are using German-registered domain names all the time.

Maybe this goes without saying, but never run any program from a webpage that sends you an unsolicited update. This especially goes for Flash installer software.

There seems to be some kind of security hole on the Entropedia server that allows files/this file to be updated. It could be bugs in .asp code (check IIS log), Microsoft server software (make sure all service packs are installed), configuration (for instance CGI enabled) or a dormant user login (for instance, a hidden user account created by the OEM/computer manufacturer with a, for the infiltrator, known password).

It goes without saying, but Microsoft-based servers should be placed behind a firewall only allowing the explicitly intended ports through (for instance port 80/tcp). If ports used for remote administration need to be opened (for instance RDP, possibly FTP) those should be secured (at least by limiting the IP addresses that can access them).
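As an added example (not part of the thread or of the site's own tooling), one way to do the "check IIS log" step is to parse the W3C extended log and flag the request types the post lists as possible causes: write-capable methods that succeeded, CGI-style execution, and directory traversal patterns. The sample log lines, paths and IP addresses are constructed, and the three rules are assumptions about what is worth reviewing.

```python
import re

# Constructed sample in IIS W3C extended format (paths and IPs are made up).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status
2012-05-01 10:00:01 GET /Default.aspx - 192.0.2.10 200
2012-05-01 10:02:13 PUT /donate/button.js - 198.51.100.23 201
2012-05-01 10:02:40 GET /show.asp page=../../web.config 203.0.113.7 404
2012-05-01 10:03:30 GET /scripts/tool.exe - 203.0.113.7 200
2012-05-01 10:04:02 POST /Creatures.aspx - 192.0.2.10 200
""".splitlines()

WRITE_METHODS = {"PUT", "DELETE", "MOVE", "COPY", "MKCOL", "PROPPATCH"}
CGI_STYLE = re.compile(r"^/scripts/|\.(exe|dll|cgi|bat|cmd)$", re.I)
TRAVERSAL = re.compile(r"\.\.[/\\]|%2e%2e|\.\.%2f|\.\.%5c", re.I)

def parse_w3c(lines):
    """Yield one dict per request, using the most recent #Fields directive."""
    fields = []
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            values = line.split(" ")
            if len(values) == len(fields):   # skip truncated or foreign lines
                yield dict(zip(fields, values))

def triage(lines):
    """Return (client_ip, method, path, reasons) for requests worth a closer look."""
    findings = []
    for r in parse_w3c(lines):
        method, path = r.get("cs-method", "").upper(), r.get("cs-uri-stem", "")
        succeeded = r.get("sc-status", "").startswith("2")
        reasons = []
        if method in WRITE_METHODS and succeeded:
            reasons.append("write-method-succeeded")
        if CGI_STYLE.search(path) and succeeded:
            reasons.append("cgi-style-execution")
        if TRAVERSAL.search(path + "?" + r.get("cs-uri-query", "")):
            reasons.append("traversal-pattern")
        if reasons:
            findings.append((r.get("c-ip"), method, path, reasons))
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

Because the parser follows the `#Fields:` directive, it keeps working when the server logs a different set or order of columns.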
 
Whatever the issue turns out to be, I hope they fix it and announce what the problem was, when it's safe to use again.

Trying to play without info is turning out to be a PIA.
 
Well I'm just gonna have to use the site with IE... thankfully McAfee automatically blocks the compromised content.
 
I also don't have a problem when using IE, which is not my fave browser but whatevas. As long as I can get the info somehow! :D
 
If 2 out of 3 browsers and protection programs view this to be a threat, the 1 browser that does not complain about the threat is not likely to be safer.

Anyone can disable or ignore the warning msg in any of the other browsers, but that's not addressing the threat (if any).
 
If 2 out of 3 browsers and protection programs view this to be a threat, the 1 browser that does not complain about the threat is not likely to be safer.

Anyone can disable or ignore the warning msg in any of the other browsers, but that's not addressing the threat (if any).

The inclusion of bad code is still there.

Since it apparently isn't a one-time occurrence, the most sensible thing to do right now would be to unplug the server, copy the data that's safe to copy to removable media, and replace the hard drive with a brand new one; and from there perform a fresh install. On this new install care should of course be taken to keep it as secure as possible. For instance, the web files should be kept on another volume than the system (so a directory traversal bug can't enter directories like c:\windows) and NTFS file permissions should be set and double-checked in a paranoid way, especially the permissions that include Full Control/Change/Write.

Also best is to not use the default created web instance, but to create a new one so there aren't any surprise things set up by default (like the CGI permissions old Windows servers used to have in the "/scripts" directory). (CGI permissions aren't used for ASP web pages.)

The old hard drive should be kept intact for forensics.
The removable media should then be read through some unexpected operating system, such as Linux, that's unlikely to interpret things like startup.inf or bogus resource files.

Again, the server should be taken offline as fast as possible, both to save the setup to try to find what caused all this mess, but of course also so that someone who doesn't "hang" on this forum goes into the wiki and catches anything bad on the computer. (If you get this Blackhole trojan and you don't catch it in time, you might have to do a full reinstall on your computer, possibly also reset the MBR.)
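Before page files copied off the old drive go back onto a fresh install, they can be checked for references to hosts the site never used, which is how a changed donation-button file would show up. This is an added example, not code from the thread or the site; the allowlist, the watched tags and the sample page (including the `injected.example` hosts) are assumptions and constructed values.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: hosts the site legitimately loads from; adjust to the real site.
ALLOWED_HOSTS = {"www.paypal.com", "www.paypalobjects.com"}
# Tag -> attribute that makes the browser fetch from or submit to another host.
WATCHED = {"script": "src", "iframe": "src", "embed": "src",
           "object": "data", "form": "action"}

# Constructed sample page: two legitimate references, two unexpected ones.
SAMPLE_PAGE = """\
<html><body>
<script src="/js/site.js"></script>
<form action="https://www.paypal.com/cgi-bin/webscr" method="post"></form>
<script src="http://injected.example/count.js"></script>
<iframe src="//frames.injected.example/a" width="1" height="1"></iframe>
</body></html>
"""

class RefCollector(HTMLParser):
    """Collect (tag, url) for every watched attribute in a page."""
    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        wanted = WATCHED.get(tag)
        for name, value in attrs:
            if name == wanted and value:
                self.refs.append((tag, value.strip()))

    handle_startendtag = handle_starttag  # also cover self-closing tags

def unexpected_refs(markup, allowed=ALLOWED_HOSTS):
    """Return (tag, host, url) for references to hosts outside the allowlist."""
    collector = RefCollector()
    collector.feed(markup)
    collector.close()
    findings = []
    for tag, url in collector.refs:
        host = urlparse(url).hostname      # None for relative URLs
        if host and host not in allowed:
            findings.append((tag, host, url))
    return findings

if __name__ == "__main__":
    for finding in unexpected_refs(SAMPLE_PAGE):
        print(finding)
```

This only sees references written as markup; a URL assembled inside script text at run time needs a separate review of the .js files.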
 
If 2 out of 3 browsers and protection programs view this to be a threat, the 1 browser that does not complain about the threat is not likely to be safer.

Anyone can disable or ignore the warning msg in any of the other browsers, but that's not addressing the threat (if any).

You are correct but thankfully McAfee blocks the content in question
 
I love u entropedia, get well soon
:baby::shower:
 
When are we gonna have it back?
You don't realize how much you need something until it's taken away!
 
Entropedia has now been cleared by Google Safebrowsing. I'll edit the thread title to indicate that.
 
McAfee is still blocking content when I load the page with IE.
 
Search doesn't work for me, neither do links to further pages (123etc), both Chrome and IE.
 
Search doesn't work for me, neither do links to further pages (123etc), both Chrome and IE.

The search worked for me just now.
 
Using IE and 2 very efficient Malware, Virus/Firewall in sandbox ...no issue currently.
 
Search doesn't work for me, neither do links to further pages (123etc), both Chrome and IE.

Try with the regular address and not the new IP and it should work fine.
At least for me, and I have the same problem as you with Chrome with the new IP.
 
Apparently that donation button that got infected is not on a master template used throughout entropiawiki.com.

I was looking up a specific material's statistics to see what it was used for in crafting and those pages need to be fixed as well.

Most of the first page clicks work but the deeper you get into the site to get to information you hit that infected javascript.

I notice it on about every material I look up the details of. I get as far as the list but when I click for full details I get the malicious software error detection.
 
I should be more clear.

The Search box on the left side works.

But if I go to the Creatures page for example and try to do a search in the Filter area, I get a blank page, same with Weapons, etc.

Also, clicking the 123... links for more pages doesn't do anything at all.

Those links are like

javascript:__doPostBack('ctl00$ContentPlaceHolder1$DG1$ctl30$ctl08','')

If I go into the Chrome javascript console and click one of those links it shows

Uncaught ReferenceError: __doPostBack is not defined

I've tried everything I can think of, different browsers, checked javascript settings, security settings, logged out/in, shift-refresh...
 
I have no problem with doing searches, Xen. No problem with filtering the Weapons or Creatures either.

However there's an issue with adding new items to some tables - including Weapons and Blueprints, but not Creatures - and I sent Witte an email last night to advise him of that.
 
I should be more clear.

The Search box on the left side works.

But if I go to the Creatures page for example and try to do a search in the Filter area, I get a blank page, same with Weapons, etc.

Also, clicking the 123... links for more pages doesn't do anything at all.

Those links are like



If I go into the Chrome javascript console and click one of those links it shows



I've tried everything I can think of, different browsers, checked javascript settings, security settings, logged out/in, shift-refresh...

Ok, the problem was I was accessing the internet through my phone in a somewhat illicit manner which was causing various little problems, now that I have normal broadband again everything works fine.
 