Author Topic: So What Is This? (Read 72238 times)

Fermi2 · « **on:** Sep 06, 2012, 07:31 »

http://therlade.pro/ir040xzxwug/

My anti virus program is picking this up when I try opening nukeworker. It was blocking nukeworker completely so I turned Webshield off. When Nukeworker opened the antivirus program blocked the above...

drayer54 · « **Reply #1 on:** Sep 06, 2012, 08:41 »

I've had similar issues and can't access the site from certain networks. I get an antivirus warning and denied completely.

HydroDave63 · « **Reply #2 on:** Sep 06, 2012, 10:02 »

http://health.phys.iit.edu/archives/2012-July/036665.html

Some fellow at CDC got the malware warning July 10th.

Marlin · « **Reply #3 on:** Sep 06, 2012, 10:16 »

I am having the same problem, it comes and goes so I just try periodically until it lets me in. I have no problem entering PolySci just the main board.

Rennhack · « **Reply #4 on:** Sep 07, 2012, 02:27 »

I appreciate the reports. I'm looking into it. We have a lot of complex software, and it's not always easy to figure out what those hackers have messed up.

Rennhack · « **Reply #5 on:** Sep 07, 2012, 03:11 »

I'm hunting and deleting and removing... let me know if you stop getting the warnings. Also, any details you can provide, especially if it can tell me what files to look at.

Fermi2 · « **Reply #6 on:** Sep 07, 2012, 11:23 »

Mine denied me for 3 days. Avast has an option where you can exclude sites from it's Webshield. I tried excluding but it wouldn't let me in. So I turned Web Shield off. It let Nukeworker on because that was the url I was trying to get into but it stopped that thing I just posted.

I haven't tried logging on at home again.

Mike it didn't give a folder or file, it only gave me what I posted here.

Rennhack · « **Reply #7 on:** Sep 07, 2012, 02:27 »

Best as I can tell AVG claims we have the "Phoenix exploit kit" on 16 Pages, but it wont mention what 16 they are. Could be a false positive.

I scanned the site with 30 others scanners (including Google Safe Browsing), and they all came up clean... only AVG 'thinks' we have an issue.

http://scanurl.net/?u=http%3A%2F%2Fwww.nukeworker.com&uesb=Check+This+URL#results
http://siteinspector.comodo.com/public/reports/5738151
https://www.virustotal.com/url/02254d6374e5fa6788547a79fe2f7e822a3834d7c5e606c275bc24aa91856b1d/analysis/1347041852/
http://online2.drweb.com/cache/?i=4b6c193d8e6fa63daf0127948146d587
http://urlvoid.com/scan/nukeworker.com/
http://urlquery.net/report.php?id=166421
http://safeweb.norton.com/report/show?url=http%3A%2F%2Fwww.nukeworker.com

I made a few minor changes anyways, let me know if you are still getting the warnings.

Honestly, if Google doesn't think we have an issue, and 30 other scanners think we are safe.... the problem may be with AVG trying to sell more software or something. I've scanned the site with many virus scanners, and they find nothing. AVG claims something is there, but wont say where it is specifically. Very vague...

Rennhack · « **Reply #8 on:** Sep 07, 2012, 02:53 »

I've see that kind of activity before when our site was clean, but the client side computer (yours) had a virus that redirected your website requests through bad websites.

I guess it's possible that AVG is the only software that can detect this really old virus threat, and the other 30 (including norton and google) can't.

Fermi2 · « **Reply #9 on:** Sep 07, 2012, 10:39 »

From other computers I don't get banned or locked out. I don't have AVG, I have a free anti virus called Avast. So far they haven't tried selling me anything. I turned Avast Webshield off it let me in here but blocked that other site again.

drayer54 · « **Reply #10 on:** Sep 08, 2012, 11:56 »

Mine just says Malware detected and blocks the site entirely. I've noticed this since last Tuesday.

HydroDave63 · « **Reply #11 on:** Sep 08, 2012, 01:11 »

An excellent description of the Phoenix exploit found here:

http://labs.m86security.com/tag/phoenix-exploit-kit-3-0/

Marlin · « **Reply #12 on:** Sep 08, 2012, 01:36 »

Quote from: HydroDave63 on Sep 08, 2012, 01:11

An excellent description of the Phoenix exploit found here:

http://labs.m86security.com/tag/phoenix-exploit-kit-3-0/

Thanks HD I just had a WordPress site dumped on me and I am suffered vapor lock of the brain trying to come up to speed. I don't believe that Mike is using WordPress.

Rennhack · « **Reply #13 on:** Sep 08, 2012, 01:43 »

Quote from: Drayer on Sep 08, 2012, 11:56

Mine just says Malware detected and blocks the site entirely. I've noticed this since last Tuesday.

Does it STILL do that?

HydroDave63 · « **Reply #14 on:** Sep 08, 2012, 02:26 »

Quote from: Marlin on Sep 08, 2012, 01:36

Thanks HD I just had a WordPress site dumped on me and I am suffered vapor lock of the brain trying to come up to speed. I don't believe that Mike is using WordPress.

My speculation is that UncaBuff is on an infected server in Kampuchea, and when he uploaded some pics it rode aboard, since the delivery method seems to be FTP. But I'm no coder.

Fermi2 · « **Reply #15 on:** Sep 08, 2012, 11:51 »

Quote from: Rennhack on Sep 08, 2012, 01:43

Does it STILL to that?

In my case yes.

HydroDave63 · « **Reply #16 on:** Sep 09, 2012, 09:31 »

Anyone running XP needs to be especially careful, and update Java to Version 7 Update 7. That seems to be how this thing exploits people running v6 and older browsers and older OS

Fermi2 · « **Reply #17 on:** Sep 09, 2012, 10:21 »

Yep still having to turn avast off so I can get here.

drayer54 · « **Reply #18 on:** Sep 10, 2012, 02:20 »

Blocked request: location contains malicious content
Threat: Mal/ObfJS-CZ

Threat source : http://www.nukeworker.com/
The requested location contained malicious content and was blocked from downloading

HydroDave63 · « **Reply #19 on:** Sep 10, 2012, 02:44 »

Quote from: Drayer on Sep 10, 2012, 02:20

Blocked request: location contains malicious content
Threat: Mal/ObfJS-CZ

Threat source : http://www.nukeworker.com/
The requested location contained malicious content and was blocked from downloading

what site listed that?

OLzenizin · « **Reply #20 on:** Sep 12, 2012, 08:45 »

it comes and goes so I just try periodically until it lets me in. I have no problem entering PolySci just the main board.

Marlin · « **Reply #21 on:** Sep 12, 2012, 09:05 »

After a week of no problem it's back.

GLW · « **Reply #22 on:** Sep 12, 2012, 12:32 »

symantec does not seem to be having any trouble coping with this one,...

that or I'm completely hosed but don't know it yet,...

Rennhack · « **Reply #23 on:** Sep 17, 2012, 11:37 »

how about now, deleted some more stuff...

drayer54 · « **Reply #24 on:** Sep 18, 2012, 07:18 »

Quote from: Rennhack on Sep 17, 2012, 11:37

how about now, deleted some more stuff...

I'll check today.

Author Topic: So What Is This? (Read 72238 times)

Fermi2

drayer54

Fermi2

Fermi2

drayer54

Fermi2

Fermi2

drayer54

OLzenizin

drayer54