adoxa / ansicon

Process ANSI escape sequences for Windows console programs.
http://ansicon.adoxa.vze.com/

Site hacked #95

Closed andrewmill closed 7 years ago

andrewmill commented 8 years ago

The main page for this project contains a link to http://ansicon.adoxa.vze.com/, which redirects to http://adoxa.altervista.org/ansicon/. This second site has a page with a link to download a .zip file which contains the trojan: Invader.TWOO.

Something has gone bad with the external (non Github) site.

thomasleveil commented 8 years ago

Ping @adoxa

rquadling commented 8 years ago

Are you saying http://adoxa.altervista.org/ansicon/dl.php?f=ansicon contains the trojan?

rquadling commented 8 years ago

What detection system are you using? I've just looked at the files and compared them to my local copy (been using ANSICON for a VERY VERY long time!!!). Binary-identical to my copies, which are 2 years old.

Without more details, I would suggest that this is a false positive.

fyrye commented 8 years ago

Confirmed with checksum comparisons on the files from the website and github.

CRC32    CRC64            SHA256                                                           SHA1                                     BLAKE2sp                                                                  Size  Name
-------- ---------------- ---------------------------------------------------------------- ---------------------------------------- ---------------------------------------------------------------- -------------  ------------
7517D39F 8FD6ED23446F7FC9 B886916DD47D5A8AE0A1A2EA55BAE1E43645820E50931E02738D0A799D3876B9 0C03EDF0491989647EE3722A3506081E2D3A68D9 0311BD609307B63B0C9769B20D26C339BF2288315A78E2E4624E605150F9A34D        100499  ansi166.zip
7517D39F 8FD6ED23446F7FC9 B886916DD47D5A8AE0A1A2EA55BAE1E43645820E50931E02738D0A799D3876B9 0C03EDF0491989647EE3722A3506081E2D3A68D9 0311BD609307B63B0C9769B20D26C339BF2288315A78E2E4624E605150F9A34D        100499  ansi166_github.zip
-------- ---------------- ---------------------------------------------------------------- ---------------------------------------- ---------------------------------------------------------------- -------------  ------------

Additionally, VirusTotal on the hash, found at https://www.virustotal.com/en/file/b886916dd47d5a8ae0a1a2ea55bae1e43645820e50931e02738d0a799d3876b9/analysis/, looks like a heuristics false positive.
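Reproducing the check in the comment above locally, as an added example that is not from this thread or from the ansicon project: the script computes CRC32, SHA1 and SHA256 for two downloaded archives (the CRC64 and BLAKE2sp columns in the table come from 7-Zip and have no Python stdlib equivalent, so they are left out), and when the outer hashes differ it walks both zips member by member, so you learn which file changed rather than only that something did. The two archives it runs on are constructed in memory; their member names and contents are made up for the example and are not the real ansi166.zip.

```python
import hashlib
import io
import sys
import zipfile
import zlib


def file_digests(data: bytes) -> dict:
    """CRC32, SHA1 and SHA256 of a whole file, upper-case hex like the table in the thread."""
    return {
        "crc32": f"{zlib.crc32(data) & 0xFFFFFFFF:08X}",
        "sha1": hashlib.sha1(data).hexdigest().upper(),
        "sha256": hashlib.sha256(data).hexdigest().upper(),
    }


def zip_member_digests(data: bytes) -> dict:
    """Map every archive member to (SHA256, uncompressed size) so two zips can be diffed per file."""
    out = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            content = zf.read(info.filename)
            out[info.filename] = (hashlib.sha256(content).hexdigest().upper(), len(content))
    return out


def compare_archives(a: bytes, b: bytes) -> dict:
    """Report whether the outer SHA256 matches and, if not, which members differ or are missing."""
    identical = file_digests(a)["sha256"] == file_digests(b)["sha256"]
    ma, mb = zip_member_digests(a), zip_member_digests(b)
    return {
        "identical": identical,
        "only_in_a": sorted(set(ma) - set(mb)),
        "only_in_b": sorted(set(mb) - set(ma)),
        "changed": sorted(n for n in set(ma) & set(mb) if ma[n][0] != mb[n][0]),
    }


def build_zip(members: dict, date_time=(2016, 1, 1, 0, 0, 0)) -> bytes:
    """Constructed sample archive. Fixed timestamps keep identical input byte-identical on output."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            info = zipfile.ZipInfo(name, date_time=date_time)
            info.compress_type = zipfile.ZIP_DEFLATED
            zf.writestr(info, content)
    return buf.getvalue()


# Constructed inputs (hypothetical file names and contents, not the real release).
GOOD_MEMBERS = {
    "readme.txt": b"ANSICON sample readme\n",
    "x64/ansicon.exe": b"MZ-good-binary-placeholder",
}
TAMPERED_MEMBERS = {
    "readme.txt": b"ANSICON sample readme\n",
    "x64/ansicon.exe": b"MZ-modified-binary-placeholder",
    "x64/extra.dll": b"MZ-unexpected-extra-file",
}
GOOD = build_zip(GOOD_MEMBERS)
TAMPERED = build_zip(TAMPERED_MEMBERS)


if __name__ == "__main__":
    # Usage: python verify_zip.py website.zip github.zip ; with no args, runs on the constructed pair.
    if len(sys.argv) == 3:
        with open(sys.argv[1], "rb") as f1, open(sys.argv[2], "rb") as f2:
            a, b = f1.read(), f2.read()
    else:
        a, b = GOOD, TAMPERED
    for label, blob in (("A", a), ("B", b)):
        print(label, file_digests(blob))
    print(compare_archives(a, b))
```

When the outer SHA256 matches, as it did in the table above, nothing else needs checking; the member-level diff only matters when the two downloads differ. The SHA256 it prints is also the value to paste into a VirusTotal hash lookup, which avoids uploading the file at all.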

kittson commented 8 years ago

Would really help if author could comment on this.

Recent website file is different than github file. VirusTotal shows no issues on website's ansi166.zip but four on github's ansi160.zip. Probably false positive but I'm not installing the github version.

luislavena commented 7 years ago

Used Virus Total against both URLs:

In both cases the SHA256 reported match (see additional information tab)

andrewmill commented 7 years ago

I've re-downloaded and re-scanned with no alerts. Based on the checks done by others above it looks like I originally got a false positive in my anti-virus. Closing ticket ...