
Modern viruses in vintage Basic programs ?


Schmitzi


 

Hi,

 

From time to time I read comments here that say that the user's local scanner or firewall complains about a virus.

IIRC, this happens while using emulators...

 

Today I found a TI BASIC program (Waterrun by Michael Silberberg) that triggers the AtariAge firewall

(or something in their provider's server setup).

 

And it does not matter whether you try to post that text here as plain text, as a .TXT file, or as a spoiler.

You'll get the following message:

 

[screenshot: the AtariAge "blocked" message]

 

This seems to be no problem at all, as I have triggered the firewall more than 20 times now with snippets/fragments of the

BASIC code, to find out whether a specific text line is the culprit. And I have no other problems afterwards; all seems OK.

 

And so it is:

You can find the TI BASIC file inside this ZIP (posting this is OK),

and if you just paste LINE 370 or 380 anywhere around here in a post or a message on AA,

you will get the error message :grin:

 

 

Waterrun.zip

 

 

PS: This is the text, as a picture, which seems to look like a virus' or intruder's signature:

 

[screenshot: the BASIC text that gets blocked]

 

 

 


 
@Albert

Sent from my Pixel 6 Pro using Tapatalk


This is pretty interesting.  Yesterday I enabled Cloudflare's "Web Application Firewall" (WAF) to mitigate the new log4j exploit that's out in the wild.  This also looks for other known exploits, and I'm guessing that particular character sequence triggered the WAF. 

 

Yep, I just looked and found why it was blocked:

 

[screenshot: the WAF rule that matched the post]

 

I've disabled this rule, so should be fine now.  Until you hit some other rule. :D

 

 ..Al

  • Like 4

8 hours ago, Schmitzi said:

 

So this part of the text seems to be the problem in granular:

Just change the x into a H (to make it CALL CHAR again), and you´ll get the block:

 

CxAR(155,"FF818181818181FF")

CHAR is a SQL type.  Like the error note says, the Cloudflare firewall also protects against SQL injections, so my guess is it thinks you are trying to send a SQL script and define a type.

 

EDIT: Yeah, what he said.

 

  • Like 3
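To make the false positive concrete, here is an added example (not code from the thread, and not Cloudflare's actual rule, whose text is not on the page): a simplified SQL-injection signature that fires on any `CHAR(<number>` token, exactly the shape of the TI BASIC `CALL CHAR(155,...)` line, next to an anomaly-scoring variant that only blocks when several independent SQL indicators co-occur. The sample request bodies other than the reported BASIC line are constructed for the example.

```python
import re
from typing import Dict

# Sample request bodies. Only TI_BASIC_LINE is from the thread; the rest are constructed.
TI_BASIC_LINE = 'CALL CHAR(155,"FF818181818181FF")'
TI_BASIC_EVASION = 'CALL CxAR(155,"FF818181818181FF")'  # the "x" variant reported as not blocked
SQLI_PAYLOAD = "' UNION SELECT CHAR(65)+CHAR(66)--"     # constructed SQL injection probe
PLAIN_TEXT = "Waterrun runs fine in Classic99 for me."

# Stand-in for a generic SQLi signature: the SQL CHAR() function/type with a numeric
# argument. Assumed shape; the real WAF rule is not quoted on the page.
CHAR_FUNC = re.compile(r"\bCHAR\s*\(\s*\d+", re.IGNORECASE)

# Additional, independent SQL indicators used only by the scoring rule.
SQL_KEYWORDS = re.compile(r"\b(UNION|SELECT|INSERT|UPDATE|DELETE|DROP)\b", re.IGNORECASE)
SQL_COMMENT = re.compile(r"--|/\*")
QUOTE_BREAKOUT = re.compile(r"'\s*(OR|AND|UNION)\b|'\s*--|'\s*;", re.IGNORECASE)


def naive_rule_blocks(body: str) -> bool:
    """Block on the single CHAR() signature alone: the behaviour behind the false positive."""
    return CHAR_FUNC.search(body) is not None


def anomaly_score(body: str) -> int:
    """CRS-style scoring: each independent indicator adds points, none blocks on its own."""
    score = 0
    if CHAR_FUNC.search(body):
        score += 2
    if SQL_KEYWORDS.search(body):
        score += 2
    if SQL_COMMENT.search(body):
        score += 1
    if QUOTE_BREAKOUT.search(body):
        score += 3
    return score


def scoring_rule_blocks(body: str, threshold: int = 5) -> bool:
    """Block only when the combined evidence crosses the threshold."""
    return anomaly_score(body) >= threshold


def classify_all() -> Dict[str, Dict[str, object]]:
    """Run both rule styles over every sample; returns a per-sample verdict table."""
    samples = {
        "ti_basic": TI_BASIC_LINE,
        "ti_basic_evasion": TI_BASIC_EVASION,
        "sqli": SQLI_PAYLOAD,
        "plain": PLAIN_TEXT,
    }
    return {
        name: {
            "naive_blocks": naive_rule_blocks(body),
            "score": anomaly_score(body),
            "scoring_blocks": scoring_rule_blocks(body),
        }
        for name, body in samples.items()
    }


if __name__ == "__main__":
    for name, verdict in classify_all().items():
        print(f"{name:18s} {verdict}")
```

The single-signature rule blocks the BASIC line and lets the `CxAR` variant through, which is the behaviour Schmitzi observed; the scoring rule lets the BASIC line through (score 2: `CHAR(` but no keyword, comment or quote breakout) while still blocking the constructed `UNION SELECT` probe (score 8). Turning a rule off, as Al did, is the quickest fix, but a scoring threshold keeps the `CHAR()` evidence in play without letting it decide alone.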

I just read about it; that Log4j bug leads to a rather nasty 0-day exploit. Anyone who is using Log4j version 2 should be alerted!

 

See also https://blog.cloudflare.com/inside-the-log4j2-vulnerability-cve-2021-44228/

 

Why on Earth should one add a parameter expansion / evaluation feature to the write method of a logging framework?! This is seriously crazy.

  • Like 2

On 12/12/2021 at 8:51 PM, mizapf said:

Why on Earth should one add a parameter expansion / evaluation feature to the write method of a logging framework?! This is seriously crazy.

I assume it was added to be able to log information about the user that you would get from ldap into the access log instead of just the user's id. The real issue is the lack of escaping, which allows an outsider to inject these evaluated expressions via the user-agent string.

  • Like 3
