Help | Contact Us
NukeWorker.com
NukeWorker Menu So What Is This?

Author Topic: So What Is This?  (Read 50855 times)

0 Members and 1 Guest are viewing this topic.

Fermi2

  • Guest
So What Is This?
« on: Sep 06, 2012, 07:31 »
http://therlade.pro/ir040xzxwug/

My anti virus program is picking this up when I try opening nukeworker. It was blocking nukeworker completely so I turned Webshield off. When Nukeworker opened the antivirus program blocked the above...

drayer54

  • Guest
Re: So What Is This?
« Reply #1 on: Sep 06, 2012, 08:41 »
I've had similar issues and can't access the site from certain networks. I get an antivirus warning and denied completely.

Offline HydroDave63

Re: So What Is This?
« Reply #2 on: Sep 06, 2012, 10:02 »
http://health.phys.iit.edu/archives/2012-July/036665.html

Some fellow at CDC got the malware warning July 10th.

Offline Marlin

  • Forum Staff
  • *
  • Posts: 11515
  • Total likes: 503
  • Karma: 5125
  • Gender: Male
  • Stop Global Whining!!!
Re: So What Is This?
« Reply #3 on: Sep 06, 2012, 10:16 »
I am having the same problem, it comes and goes so I just try periodically until it lets me in. I have no problem entering PolySci just the main board.

Offline Rennhack

Re: So What Is This?
« Reply #4 on: Sep 07, 2012, 02:27 »
I appreciate the reports. I'm looking into it.  We have a lot of complex software, and it's not always easy to figure out what those hackers have messed up.

Offline Rennhack

Re: So What Is This?
« Reply #5 on: Sep 07, 2012, 03:11 »
I'm hunting and deleting and removing... let me know if you stop getting the warnings.  Also, any details you can provide, especially if it can tell me what files to look at.

Fermi2

  • Guest
Re: So What Is This?
« Reply #6 on: Sep 07, 2012, 11:23 »
Mine denied me for 3 days. Avast has an option where you can exclude sites from it's Webshield. I tried excluding but it wouldn't let me in. So I turned Web Shield off. It let Nukeworker on because that was the url I was trying to get into but it stopped that thing I just posted.

I haven't tried logging on at home again.

Mike it didn't give a folder or file, it only gave me what I posted here.

Offline Rennhack

Re: So What Is This?
« Reply #7 on: Sep 07, 2012, 02:27 »
Best as I can tell AVG claims we have the "Phoenix exploit kit" on 16 Pages, but it wont mention what 16 they are.  Could be a false positive.

I scanned the site with 30 others scanners (including Google Safe Browsing), and they all came up clean... only AVG 'thinks' we have an issue.

http://scanurl.net/?u=http%3A%2F%2Fwww.nukeworker.com&uesb=Check+This+URL#results
http://siteinspector.comodo.com/public/reports/5738151
https://www.virustotal.com/url/02254d6374e5fa6788547a79fe2f7e822a3834d7c5e606c275bc24aa91856b1d/analysis/1347041852/
http://online2.drweb.com/cache/?i=4b6c193d8e6fa63daf0127948146d587
http://urlvoid.com/scan/nukeworker.com/
http://urlquery.net/report.php?id=166421
http://safeweb.norton.com/report/show?url=http%3A%2F%2Fwww.nukeworker.com


I made a few minor changes anyways, let me know if you are still getting the warnings.

Honestly, if Google doesn't think we have an issue, and 30 other scanners think we are safe.... the problem may be with AVG trying to sell more software or something.  I've scanned the site with many virus scanners, and they find nothing.  AVG claims something is there, but wont say where it is specifically.  Very vague...
« Last Edit: Sep 07, 2012, 02:49 by Rennhack »

Offline Rennhack

Re: So What Is This?
« Reply #8 on: Sep 07, 2012, 02:53 »
I've see that kind of activity before when our site was clean, but the client side computer (yours) had a virus that redirected your website requests through bad websites.

I guess it's possible that AVG is the only software that can detect this really old virus threat, and the other 30 (including norton and google) can't.

Fermi2

  • Guest
Re: So What Is This?
« Reply #9 on: Sep 07, 2012, 10:39 »
From other computers I don't get banned or locked out. I don't have AVG, I have a free anti virus called Avast. So far they haven't tried selling me anything. I turned Avast Webshield off it let me in here but blocked that other site again.

drayer54

  • Guest
Re: So What Is This?
« Reply #10 on: Sep 08, 2012, 11:56 »
Mine just says Malware detected and blocks the site entirely. I've noticed this since last Tuesday.

Offline HydroDave63

Re: So What Is This?
« Reply #11 on: Sep 08, 2012, 01:11 »
An excellent description of the Phoenix exploit found here:

http://labs.m86security.com/tag/phoenix-exploit-kit-3-0/

Offline Marlin

  • Forum Staff
  • *
  • Posts: 11515
  • Total likes: 503
  • Karma: 5125
  • Gender: Male
  • Stop Global Whining!!!
Re: So What Is This?
« Reply #12 on: Sep 08, 2012, 01:36 »
An excellent description of the Phoenix exploit found here:

http://labs.m86security.com/tag/phoenix-exploit-kit-3-0/


Thanks HD I just had a WordPress site dumped on me and I am suffered vapor lock of the brain trying to come up to speed. I don't believe that Mike is using WordPress.

Offline Rennhack

Re: So What Is This?
« Reply #13 on: Sep 08, 2012, 01:43 »
Mine just says Malware detected and blocks the site entirely. I've noticed this since last Tuesday.

Does it STILL do that?
« Last Edit: Sep 09, 2012, 12:28 by Rennhack »

Offline HydroDave63

Re: So What Is This?
« Reply #14 on: Sep 08, 2012, 02:26 »
Thanks HD I just had a WordPress site dumped on me and I am suffered vapor lock of the brain trying to come up to speed. I don't believe that Mike is using WordPress.

My speculation is that UncaBuff is on an infected server in Kampuchea, and when he uploaded some pics it rode aboard, since the delivery method seems to be FTP. But I'm no coder.

Fermi2

  • Guest
Re: So What Is This?
« Reply #15 on: Sep 08, 2012, 11:51 »
Does it STILL to that?

In my case yes.

Offline HydroDave63

Re: So What Is This?
« Reply #16 on: Sep 09, 2012, 09:31 »
Anyone running XP needs to be especially careful, and update Java to Version 7 Update 7. That seems to be how this thing exploits people running v6 and older browsers and older OS

Fermi2

  • Guest
Re: So What Is This?
« Reply #17 on: Sep 09, 2012, 10:21 »
Yep still having to turn avast off so I can get here.

drayer54

  • Guest
Re: So What Is This?
« Reply #18 on: Sep 10, 2012, 02:20 »
Blocked request: location contains malicious content
Threat: Mal/ObfJS-CZ

Threat source : http://www.nukeworker.com/
The requested location contained malicious content and was blocked from downloading

Offline HydroDave63

Re: So What Is This?
« Reply #19 on: Sep 10, 2012, 02:44 »
Blocked request: location contains malicious content
Threat: Mal/ObfJS-CZ

Threat source : http://www.nukeworker.com/
The requested location contained malicious content and was blocked from downloading

what site listed that?

OLzenizin

  • Guest
Re: So What Is This?
« Reply #20 on: Sep 12, 2012, 08:45 »
it comes and goes so I just try periodically until it lets me in. I have no problem entering PolySci just the main board.

Offline Marlin

  • Forum Staff
  • *
  • Posts: 11515
  • Total likes: 503
  • Karma: 5125
  • Gender: Male
  • Stop Global Whining!!!
Re: So What Is This?
« Reply #21 on: Sep 12, 2012, 09:05 »
After a week of no problem it's back.

Offline GLW

Re: So What Is This?
« Reply #22 on: Sep 12, 2012, 12:32 »
symantec does not seem to be having any trouble coping with this one,...

that or I'm completely hosed but don't know it yet,... :P ;) :) 8)

been there, dun that,... the doormat to hell does not read "welcome", the doormat to hell reads "it's just business"

Offline Rennhack

Re: So What Is This?
« Reply #23 on: Sep 17, 2012, 11:37 »
how about now, deleted some more stuff...

drayer54

  • Guest
Re: So What Is This?
« Reply #24 on: Sep 18, 2012, 07:18 »
how about now, deleted some more stuff...

I'll check today.

Offline DontGoToNPTU

Re: So What Is This?
« Reply #25 on: Sep 18, 2012, 11:23 »
I was having the same warning from NIS but I'm not having it today.

drayer54

  • Guest
Re: So What Is This?
« Reply #26 on: Sep 19, 2012, 12:02 »
Still there.

Offline retread

  • Old, fat meter reader
  • Heavy User
  • ****
  • Posts: 434
  • Total likes: 0
  • Karma: 420
  • Gender: Male
  • Every day above ground is a good one
Re: So What Is This?
« Reply #27 on: Sep 23, 2012, 04:55 »
I'm using Avira and getting warnings.
In dwelling, be close to the land.
In meditation, go deep in the heart.
In dealing with others, be patient and kind.
In speech, be true.
In ruling, be just.
In business, be competent.

Offline HydroDave63

Re: So What Is This?
« Reply #28 on: Sep 23, 2012, 05:24 »
How many of us that get these warnings, are running Firefox, IE8 or Google Chrome?

I run Firefox

Offline GLW

Re: So What Is This?
« Reply #29 on: Sep 23, 2012, 06:03 »
How many of us that get these warnings, are running Firefox, IE8 or Google Chrome?

I run Firefox

As stated earlier I have Symantec and no issues,...

Typically (nearly exclusively) browse with Firefox,...

On a sidenote, my Dell Inspiron 5000, with XP/McAfee/Firefox suffered a severe issue in June of this issue year (doh!),...

wiped it and reloaded to get rid of the problem,...

I did not waste much time with it as I back up to a portable hard drive often and would just as soon start with a clean slate and registry in four hours as muck around for twelve,...

But I suspect it was an issue with firefox and a McAfee update not working too well together, possibly with a third factor from something like this as I access nukeworker on the Dell with XP also,...
« Last Edit: Sep 24, 2012, 08:58 by GLW »

been there, dun that,... the doormat to hell does not read "welcome", the doormat to hell reads "it's just business"

Offline Higgs

  • SRO
  • Very Heavy User
  • *****
  • Posts: 1942
  • Total likes: 5
  • Karma: 1284
  • Gender: Male
  • Life has a melody...
Re: So What Is This?
« Reply #30 on: Sep 23, 2012, 07:58 »
On my laptop, using FF and windows security essentials, I can come to NW.com just fine.

On my desktop, using FF and avast, it blocks me from coming to NW.com and gives a red malware warning.

Justin
"How feeble is the mindset to accept defenselessness. How unnatural. How cheap. How cowardly. How pathetic.” - Ted Nugent

Offline Rennhack

Re: So What Is This?
« Reply #31 on: Sep 23, 2012, 08:17 »
On my laptop, using FF and windows security essentials, I can come to NW.com just fine.

On my desktop, using FF and avast, it blocks me from coming to NW.com and gives a red malware warning.

I appreciate the updates.  I use FF (some times ie9) and windows defender, and I never get these 'warnings'.  I also never get infected.

I scanned the site several times, and they found nothing wrong.  I don't want to say its a false positive... but I'm really having trouble finding any issues.

Offline HydroDave63

Re: So What Is This?
« Reply #32 on: Sep 23, 2012, 08:18 »
The weird thing is, Kaspersky will do the red alert thing, but then in the fix phase, recommends ignore. Uh, yeah. So I do massive Firefox cache purge, the framer bug adds crap into the profile.

Offline Higgs

  • SRO
  • Very Heavy User
  • *****
  • Posts: 1942
  • Total likes: 5
  • Karma: 1284
  • Gender: Male
  • Life has a melody...
Re: So What Is This?
« Reply #33 on: Sep 23, 2012, 08:36 »
I haven't tried anything to remedy the issue yet, but still after my nrc exam.

Oh one other thing, I can no longer come to nw.com directly from work, I have to go the forums. So I can't see the home page. I forget the error it gives, but will post when I try it in the next few days.

Justin
"How feeble is the mindset to accept defenselessness. How unnatural. How cheap. How cowardly. How pathetic.” - Ted Nugent

Offline OldHP

  • Very Heavy User
  • *****
  • Posts: 502
  • Total likes: 0
  • Karma: 276
  • Gender: Male
  • Tell Recruiters to use NukeWorker.com
Re: So What Is This?
« Reply #34 on: Sep 23, 2012, 10:55 »
I use ie or ff with McAfee and have not experienced a problem, as yet!
Humor is a wonderful way to prevent hardening of the attitudes! unknown
The government is like a baby's alimentary canal, with a happy appetite at one end and no responsibility at the other. Regan

Offline Higgs

  • SRO
  • Very Heavy User
  • *****
  • Posts: 1942
  • Total likes: 5
  • Karma: 1284
  • Gender: Male
  • Life has a melody...
Re: So What Is This?
« Reply #35 on: Sep 24, 2012, 09:24 »
I haven't tried anything to remedy the issue yet, but still after my nrc exam.

Oh one other thing, I can no longer come to nw.com directly from work, I have to go the forums. So I can't see the home page. I forget the error it gives, but will post when I try it in the next few days.

Justin

Ok so at work, when I try to go to www.nukeworker.com, the company "blocking" software says this;

"McAfee Web Gateway received an ICAP communication error while talking to an ICAP server, and
bypassing on this error is not enabled."


But I can go to www.nukeworker.com/forum  just fine.

That's on both IE and FF.

Justin
"How feeble is the mindset to accept defenselessness. How unnatural. How cheap. How cowardly. How pathetic.” - Ted Nugent

Offline HydroDave63

Re: So What Is This?
« Reply #36 on: Sep 24, 2012, 11:34 »
The ICAP error probably comes from the iframer trying to connect to the fake ICAP server.

Here is a fact-filled article on this iframer script, and why it is hard to detect. Chock full of coder stuff way over my head:

http://www.esotech.org/resources/cms/wordpress/wordpress-header-javascript-and-iframe-injection-problem-solution-and-analysis


While working on a development site, that sat idle before any actual work was done for a while, we noticed that some kind of iframe injection had occured. There was no trace of it in the database or the server code, nothing that said iFrame, nothing that added extra scripts. This was a brand new website, template from scratch with no plugins and no content…I Was pulling my hair out, but slowly started getting on to the situation, and with the help of Mike Brich from HavenLight Software, got right down to it after hours of investigation and head scratching.

This post will be very code intensive, but with full explanations, just a warning, I am jumping right into it!!
Overview

Bottom line this is how it works:

    Something Injects Code into wp-settings.php
    function counter_wordpress is decoded and sends a CURL request to a third party server with your computer info.
    CURL sends a string from third party server and injects javascript
    javascript communicates with yet another server and injects an iframe
    iFrame injects all sorts of other scripts, popups, java programs, and other iFrames from other servers.
    CURL’d server logs your IP and computer information, and the next time you visit hides itself, or prevents itself from showing its payload, for a while.
    Repeat.


(more pages follow)
« Last Edit: Sep 24, 2012, 11:35 by HydroDave63 »

Offline Rennhack

Re: So What Is This?
« Reply #37 on: Sep 24, 2012, 02:18 »
Thanks Dave.

God this is frustrating.

Offline Higgs

  • SRO
  • Very Heavy User
  • *****
  • Posts: 1942
  • Total likes: 5
  • Karma: 1284
  • Gender: Male
  • Life has a melody...
Re: So What Is This?
« Reply #38 on: Sep 24, 2012, 03:02 »
The ICAP error probably comes from the iframer trying to connect to the fake ICAP server.

Here is a fact-filled article on this iframer script, and why it is hard to detect. Chock full of coder stuff way over my head:

http://www.esotech.org/resources/cms/wordpress/wordpress-header-javascript-and-iframe-injection-problem-solution-and-analysis


While working on a development site, that sat idle before any actual work was done for a while, we noticed that some kind of iframe injection had occured. There was no trace of it in the database or the server code, nothing that said iFrame, nothing that added extra scripts. This was a brand new website, template from scratch with no plugins and no content…I Was pulling my hair out, but slowly started getting on to the situation, and with the help of Mike Brich from HavenLight Software, got right down to it after hours of investigation and head scratching.

This post will be very code intensive, but with full explanations, just a warning, I am jumping right into it!!
Overview

Bottom line this is how it works:

    Something Injects Code into wp-settings.php
    function counter_wordpress is decoded and sends a CURL request to a third party server with your computer info.
    CURL sends a string from third party server and injects javascript
    javascript communicates with yet another server and injects an iframe
    iFrame injects all sorts of other scripts, popups, java programs, and other iFrames from other servers.
    CURL’d server logs your IP and computer information, and the next time you visit hides itself, or prevents itself from showing its payload, for a while.
    Repeat.


(more pages follow)

So am I reading this correct, that it seems like possibly nw.com may have a fake site injected into the php code that could be causing all of this>?

Justin
"How feeble is the mindset to accept defenselessness. How unnatural. How cheap. How cowardly. How pathetic.” - Ted Nugent

Offline HydroDave63

Re: So What Is This?
« Reply #39 on: Sep 24, 2012, 03:49 »
So am I reading this correct, that it seems like possibly nw.com may have a fake site injected into the php code that could be causing all of this>?

Justin

That was my take on it as well. Kaspersky tells me I'm afflicted about every third day or so. I wipe it clean, lather rinse repeat. As the article describes, it is pretty well hidden, and looks like the reason it nails us viewers is to pimp out our browser profile/cookies/etc info to the receptor site.

Offline Higgs

  • SRO
  • Very Heavy User
  • *****
  • Posts: 1942
  • Total likes: 5
  • Karma: 1284
  • Gender: Male
  • Life has a melody...
Re: So What Is This?
« Reply #40 on: Sep 24, 2012, 10:30 »
Ok my avast says this is the issue;

Infection:   JS:Redirector-MA [Trj]


I don't know what that means, just trying to give as much data as possible to help with the investigation.

Justin
"How feeble is the mindset to accept defenselessness. How unnatural. How cheap. How cowardly. How pathetic.” - Ted Nugent

Offline OldHP

  • Very Heavy User
  • *****
  • Posts: 502
  • Total likes: 0
  • Karma: 276
  • Gender: Male
  • Tell Recruiters to use NukeWorker.com
Re: So What Is This?
« Reply #41 on: Sep 24, 2012, 11:04 »
So am I reading this correct, that it seems like possibly nw.com may have a fake site injected into the php code that could be causing all of this>?  Justin 

That was my take on it as well. Kaspersky tells me I'm afflicted about every third day or so. I wipe it clean, lather rinse repeat. As the article describes, it is pretty well hidden, and looks like the reason it nails us viewers is to pimp out our browser profile/cookies/etc info to the receptor site. 

Or, could the folks having the problem have picked up the 'fake' somewhere else?  Like Ya'll, I don't know.  At this point I have not had a problem, I'll question my BIL and his brother when I see them this weekend!  Sorry Mike, no answers, just questions!
Humor is a wonderful way to prevent hardening of the attitudes! unknown
The government is like a baby's alimentary canal, with a happy appetite at one end and no responsibility at the other. Regan

Offline RDTroja

  • Site Heretic
  • Gold Member
  • *
  • Posts: 3753
  • Total likes: 132
  • Karma: 4546
  • Gender: Male
  • I knew I got into IT for a reason!
Re: So What Is This?
« Reply #42 on: Sep 24, 2012, 11:42 »
I have Sophos at work (WinXP Pro/IE8) and AVG Pro at home (Windows7 Pro 64/IE8) and I have not had any messages at all.
"I won't eat anything that has intelligent life, but I'd gladly eat a network executive or a politician."

                                  -Marty Feldman

"Politics is supposed to be the second-oldest profession. I have come to understand that it bears a very close resemblance to the first."
                                  -Ronald Reagan

I have never made but one prayer to God, a very short one: 'O Lord, make my enemies ridiculous.' And God granted it.

                                  - Voltaire

Offline Rennhack

Re: So What Is This?
« Reply #43 on: Sep 26, 2012, 01:39 »
So... If it isn't happening in the forum, which has forum software, and banner ad software... It may NOT be those parts of the site.

I've also had no reports from any other pages of the site, so really that theory doesn't work... but the forum is more heavily used than other parts.

I can try disabling the picture software, and the picture on the home page, and see if that makes it go away.

I guess we will have to try disabling parts of the site one by one until we figure it out.

Offline Higgs

  • SRO
  • Very Heavy User
  • *****
  • Posts: 1942
  • Total likes: 5
  • Karma: 1284
  • Gender: Male
  • Life has a melody...
Re: So What Is This?
« Reply #44 on: Sep 26, 2012, 06:40 »
Update; My avast on my PC is no longer warning me. I haven't tried the site from work lately.

Justin
"How feeble is the mindset to accept defenselessness. How unnatural. How cheap. How cowardly. How pathetic.” - Ted Nugent

Offline Higgs

  • SRO
  • Very Heavy User
  • *****
  • Posts: 1942
  • Total likes: 5
  • Karma: 1284
  • Gender: Male
  • Life has a melody...
Re: So What Is This?
« Reply #45 on: Sep 27, 2012, 09:08 »
Update number 2: I no longer get the error above, at work.

Justin
"How feeble is the mindset to accept defenselessness. How unnatural. How cheap. How cowardly. How pathetic.” - Ted Nugent

Offline Rennhack

Re: So What Is This?
« Reply #46 on: Sep 27, 2012, 02:29 »
I found one malicious program in the /logs/ section yesterday and removed it.  I'm in the process of re-uploading the ad server software and photo gallery & Software with security patches.  I'm on a satellite and cell phone conn3ection so it takes a while.  I recently finished re-downloading a local copy of the site.


Offline Rennhack

Re: So What Is This?
« Reply #47 on: Sep 27, 2012, 02:29 »
Expect some down time tonight while I update some software.

Offline GLW

Re: So What Is This?
« Reply #48 on: Sep 27, 2012, 06:04 »
Expect some down time tonight while I update some software.


been there, dun that,... the doormat to hell does not read "welcome", the doormat to hell reads "it's just business"

Offline Rennhack

Re: So What Is This?
« Reply #49 on: Oct 01, 2012, 03:12 »
It's been quiet for a few days. I assume that means we figured it out finally.

Offline Higgs

  • SRO
  • Very Heavy User
  • *****
  • Posts: 1942
  • Total likes: 5
  • Karma: 1284
  • Gender: Male
  • Life has a melody...
Re: So What Is This?
« Reply #50 on: Oct 01, 2012, 06:29 »
All good here!

Thanks!

Justin
"How feeble is the mindset to accept defenselessness. How unnatural. How cheap. How cowardly. How pathetic.” - Ted Nugent

Offline Marlin

  • Forum Staff
  • *
  • Posts: 11515
  • Total likes: 503
  • Karma: 5125
  • Gender: Male
  • Stop Global Whining!!!
Re: So What Is This?
« Reply #51 on: Oct 01, 2012, 06:37 »
No more problems here.

Offline HydroDave63

Re: So What Is This?
« Reply #52 on: Oct 01, 2012, 08:23 »
Looks like lots of member photo galleries were nuked! But at least the bug is gone  :)

I tried to upload, but got a no permission error
« Last Edit: Oct 01, 2012, 08:26 by HydroDave63 »

Offline OldHP

  • Very Heavy User
  • *****
  • Posts: 502
  • Total likes: 0
  • Karma: 276
  • Gender: Male
  • Tell Recruiters to use NukeWorker.com
Re: So What Is This?
« Reply #53 on: Oct 01, 2012, 08:28 »
The only thing I can see is whatever changes were made also changed the server clock.  It is ~ 2030 EDT and the site is showing that it is 10/02/12!
Humor is a wonderful way to prevent hardening of the attitudes! unknown
The government is like a baby's alimentary canal, with a happy appetite at one end and no responsibility at the other. Regan

Offline Rennhack

Re: So What Is This?
« Reply #54 on: Oct 01, 2012, 08:53 »
The only thing I can see is whatever changes were made also changed the server clock.  It is ~ 2030 EDT and the site is showing that it is 10/02/12!

The server time hasen't changed.

Check your profile's time offset:

http://www.nukeworker.com/forum/index.php?action=profile;sa=theme

Offline OldHP

  • Very Heavy User
  • *****
  • Posts: 502
  • Total likes: 0
  • Karma: 276
  • Gender: Male
  • Tell Recruiters to use NukeWorker.com
Re: So What Is This?
« Reply #55 on: Oct 01, 2012, 09:20 »
It is showing correct at local time.  Your post shows up as (today - 10-02-12, 0053)
Humor is a wonderful way to prevent hardening of the attitudes! unknown
The government is like a baby's alimentary canal, with a happy appetite at one end and no responsibility at the other. Regan

Offline Rennhack

Re: So What Is This?
« Reply #56 on: Oct 02, 2012, 12:32 »
Weird.

Offline HydroDave63

Re: So What Is This?
« Reply #57 on: Nov 06, 2012, 08:40 »
Iframer alert tonight. Looks like allfashion and his bot buddies are back

Offline Rennhack

Re: So What Is This?
« Reply #58 on: Nov 07, 2012, 05:32 »
Marlin alerted me to this yesterday as well.  I'm out of town workign an outage for the next three weeks.  I don't have any of my tools with me.  I may not be able to fix this untill I get back home.

Offline Rennhack

Re: So What Is This?
« Reply #59 on: Nov 11, 2012, 08:30 »
I got a day off. I downloaded an ftp program. (free, and its better than the one I have at home that I paid big bucks -- I have a new preferred ftp program! Filezilla)

I think I found and fixed some issues.  So let me know if its resolved.
« Last Edit: Nov 11, 2012, 08:39 by Rennhack »

Offline HydroDave63

Re: So What Is This?
« Reply #60 on: Nov 11, 2012, 09:47 »
I think I found and fixed some issues.  So let me know if its resolved.

Big K still gives me the Red warning and blocks me from the front page.

Offline Rennhack

Re: So What Is This?
« Reply #61 on: Nov 11, 2012, 10:56 »
Big K still gives me the Red warning and blocks me from the front page.
Thanks for the feedback.

Offline Higgs

  • SRO
  • Very Heavy User
  • *****
  • Posts: 1942
  • Total likes: 5
  • Karma: 1284
  • Gender: Male
  • Life has a melody...
Re: So What Is This?
« Reply #62 on: Nov 11, 2012, 10:59 »
On my main machine, my Avast is blocking the site again.

On my laptop, Microsoft security essentials gives no warning of anything.

Justin
"How feeble is the mindset to accept defenselessness. How unnatural. How cheap. How cowardly. How pathetic.” - Ted Nugent

Offline Marlin

  • Forum Staff
  • *
  • Posts: 11515
  • Total likes: 503
  • Karma: 5125
  • Gender: Male
  • Stop Global Whining!!!
Re: So What Is This?
« Reply #63 on: Nov 11, 2012, 01:40 »
I have access again. Thanx.

Offline Rennhack

Re: So What Is This?
« Reply #64 on: Nov 11, 2012, 02:09 »
I made one more change.  Hopefully that fixes it.

Offline Rennhack

Re: So What Is This?
« Reply #65 on: Nov 14, 2012, 09:41 »
Did that last change fix it?

Offline Marlin

  • Forum Staff
  • *
  • Posts: 11515
  • Total likes: 503
  • Karma: 5125
  • Gender: Male
  • Stop Global Whining!!!
Re: So What Is This?
« Reply #66 on: Nov 14, 2012, 10:44 »
No problems here.

Offline HydroDave63

Re: So What Is This?
« Reply #67 on: Nov 14, 2012, 08:53 »
Did that last change fix it?

Kaspersky + Firefox = Red threat window

Kaspersky + Chrome = Just fine

This tells me that the threat is aimed at Firefox and IE code, since Kaspersky is the common input but differing results. But IMHO, the Iframer problem is still resident.

My "fix" was to renew my Gold for another year and download Chrome ;)

Offline Rennhack

Re: So What Is This?
« Reply #68 on: Nov 14, 2012, 09:40 »
Kaspersky + Firefox = Red threat window

Kaspersky + Chrome = Just fine

This tells me that the threat is aimed at Firefox and IE code, since Kaspersky is the common input but differing results. But IMHO, the Iframer problem is still resident.

My "fix" was to renew my Gold for another year and download Chrome ;)

Thanks for the update.  I'll look into it again Sunday (my day off).

Offline Higgs

  • SRO
  • Very Heavy User
  • *****
  • Posts: 1942
  • Total likes: 5
  • Karma: 1284
  • Gender: Male
  • Life has a melody...
Re: So What Is This?
« Reply #69 on: Nov 14, 2012, 11:09 »
Blocked by avast + firefox.

Blocked at work.

OK with firefox + microsoft security essentials.
"How feeble is the mindset to accept defenselessness. How unnatural. How cheap. How cowardly. How pathetic.” - Ted Nugent

Fermi2

  • Guest
Re: So What Is This?
« Reply #70 on: Nov 15, 2012, 11:23 »
Just started getting blocked at home with avasts and firefox

Offline Higgs

  • SRO
  • Very Heavy User
  • *****
  • Posts: 1942
  • Total likes: 5
  • Karma: 1284
  • Gender: Male
  • Life has a melody...
Re: So What Is This?
« Reply #71 on: Nov 15, 2012, 05:21 »
Blocked by avast + firefox.

Blocked at work.

OK with firefox + microsoft security essentials.


Update from work...,

It's blocked by my work's firewall when using firefox,

but when I use IE, it isn't blocked and works just fine.

I agree with HD..., something is targeting FF. Here is what my work's firewall says;


Request Blocked by Proactive Scanning
Your request to URL "http://www.nukeworker.com/forum//" has been Blocked by McAfee Web Gateway Proactive Scanning. The program could potentially perform operations, which is not allowed by your administrator at this time.

Malware Name:    McAfeeGW: Heuristic.BehavesLike.JS.Infe cted.A
URL:    http://www.nukeworker.com/forum/
File:    http://www.nukeworker.com/forum//
File Type:    -
Reputation Level:    Neutral




Hope it helps.

Justin
"How feeble is the mindset to accept defenselessness. How unnatural. How cheap. How cowardly. How pathetic.” - Ted Nugent

Offline Rennhack

Re: So What Is This?
« Reply #72 on: Nov 15, 2012, 07:41 »
The files I 'fixed' have been reinfected.... This one is gonna suck.  My outage ends on the 24th.  Until then, I'll try to keep up with it.  Fixing the files each night they are infecting.

They have some of the forum files, and now some of the adserver files laced with crap.
« Last Edit: Nov 15, 2012, 07:42 by Rennhack »

Offline Rennhack

Re: So What Is This?
« Reply #73 on: Nov 15, 2012, 07:58 »
So... I replaced the adserver files and the forum files (that were altered), and I locked the forum files.  I hope this helps.

Keeps the updates coming in.

Offline Rennhack

Re: So What Is This?
« Reply #74 on: Nov 15, 2012, 08:01 »
I downloaded an ftp program. (free, and its better than the one I have at home that I paid big bucks for -- I have a new preferred ftp program! Filezilla)

http://filezilla-project.org/

That file zilla is a great tool in our fight against these people.

Offline Higgs

  • SRO
  • Very Heavy User
  • *****
  • Posts: 1942
  • Total likes: 5
  • Karma: 1284
  • Gender: Male
  • Life has a melody...
Re: So What Is This?
« Reply #75 on: Nov 16, 2012, 12:31 »
Avast + firefox no longer blocked.

Justin
"How feeble is the mindset to accept defenselessness. How unnatural. How cheap. How cowardly. How pathetic.” - Ted Nugent

Offline Rennhack

Re: So What Is This?
« Reply #76 on: Nov 16, 2012, 08:04 »
They hit another file today.  However, I'm at least staying on top of it now.

Offline Rennhack

Re: So What Is This?
« Reply #77 on: Nov 17, 2012, 09:03 »
They hit another file today.  However, I'm at least staying on top of it now.

No files were assaulted today.

Offline Rennhack

Re: So What Is This?
« Reply #78 on: Nov 18, 2012, 12:10 »
They hit another file today.  Again, I'm keeping on it.  -- of course, finding the exploit they are using is still alluding me.  What they are doing is finding files that are writable, and somehow uploading a file to replace it.

Offline Rennhack

Re: So What Is This?
« Reply #79 on: Nov 21, 2012, 07:18 »
2 days, no new infections.

Offline Rennhack

Re: So What Is This?
« Reply #80 on: Nov 22, 2012, 05:51 »
Nothing today.  -- Just to be clear, I haven't figured what exploit they are using.  I'm just making the file they are infecting non-writable so they cant inject them with germs.

 


NukeWorker ™ is a registered trademark of NukeWorker.com ™, LLC © 1996-2020 All rights reserved.
All material on this Web Site, including text, photographs, graphics, code and/or software, are protected by international copyright/trademark laws and treaties. Unauthorized use is not permitted. You may not modify, copy, reproduce, republish, upload, post, transmit or distribute, in any manner, the material on this web site or any portion of it. Doing so will result in severe civil and criminal penalties, and will be prosecuted to the maximum extent possible under the law.
Privacy Statement | Terms of Use | Code of Conduct | Spam Policy | Advertising Info | Contact Us | Forum Rules | Password Problem?