So What Is This?

[Fermi2]

http://therlade.pro/ir040xzxwug/

My anti virus program is picking this up when I try opening nukeworker. It was blocking nukeworker completely so I turned Webshield off. When Nukeworker opened the antivirus program blocked the above...

[drayer54]

I've had similar issues and can't access the site from certain networks. I get an antivirus warning and denied completely.

[HydroDave63]

http://health.phys.iit.edu/archives/2012-July/036665.html

Some fellow at CDC got the malware warning July 10th.

[Marlin]

I am having the same problem, it comes and goes so I just try periodically until it lets me in. I have no problem entering PolySci just the main board.

[Rennhack]

I appreciate the reports. I'm looking into it.  We have a lot of complex software, and it's not always easy to figure out what those hackers have messed up.

[Rennhack]

I'm hunting and deleting and removing... let me know if you stop getting the warnings.  Also, any details you can provide, especially if it can tell me what files to look at.

[Fermi2]

Mine denied me for 3 days. Avast has an option where you can exclude sites from it's Webshield. I tried excluding but it wouldn't let me in. So I turned Web Shield off. It let Nukeworker on because that was the url I was trying to get into but it stopped that thing I just posted.

I haven't tried logging on at home again.

Mike it didn't give a folder or file, it only gave me what I posted here.

[Rennhack]

Best as I can tell AVG claims we have the "Phoenix exploit kit" on 16 Pages, but it wont mention what 16 they are.  Could be a false positive.

I scanned the site with 30 others scanners (including Google Safe Browsing), and they all came up clean... only AVG 'thinks' we have an issue.

http://scanurl.net/?u=http%3A%2F%2Fwww.nukeworker.com&uesb=Check+This+URL#results
http://siteinspector.comodo.com/public/reports/5738151
https://www.virustotal.com/url/02254d6374e5fa6788547a79fe2f7e822a3834d7c5e606c275bc24aa91856b1d/analysis/1347041852/
http://online2.drweb.com/cache/?i=4b6c193d8e6fa63daf0127948146d587
http://urlvoid.com/scan/nukeworker.com/
http://urlquery.net/report.php?id=166421
http://safeweb.norton.com/report/show?url=http%3A%2F%2Fwww.nukeworker.com


I made a few minor changes anyways, let me know if you are still getting the warnings.

Honestly, if Google doesn't think we have an issue, and 30 other scanners think we are safe.... the problem may be with AVG trying to sell more software or something.  I've scanned the site with many virus scanners, and they find nothing.  AVG claims something is there, but wont say where it is specifically.  Very vague...

[Rennhack]

I've see that kind of activity before when our site was clean, but the client side computer (yours) had a virus that redirected your website requests through bad websites.

I guess it's possible that AVG is the only software that can detect this really old virus threat, and the other 30 (including norton and google) can't.

[Fermi2]

From other computers I don't get banned or locked out. I don't have AVG, I have a free anti virus called Avast. So far they haven't tried selling me anything. I turned Avast Webshield off it let me in here but blocked that other site again.

[drayer54]

Mine just says Malware detected and blocks the site entirely. I've noticed this since last Tuesday.

[HydroDave63]

An excellent description of the Phoenix exploit found here:

http://labs.m86security.com/tag/phoenix-exploit-kit-3-0/

[Marlin]

An excellent description of the Phoenix exploit found here:

http://labs.m86security.com/tag/phoenix-exploit-kit-3-0/

Thanks HD I just had a WordPress site dumped on me and I am suffered vapor lock of the brain trying to come up to speed. I don't believe that Mike is using WordPress.

[Rennhack]

Mine just says Malware detected and blocks the site entirely. I've noticed this since last Tuesday.

Does it STILL do that?

[HydroDave63]

Thanks HD I just had a WordPress site dumped on me and I am suffered vapor lock of the brain trying to come up to speed. I don't believe that Mike is using WordPress.

My speculation is that UncaBuff is on an infected server in Kampuchea, and when he uploaded some pics it rode aboard, since the delivery method seems to be FTP. But I'm no coder.

[Fermi2]

Does it STILL to that?

In my case yes.

[HydroDave63]

Anyone running XP needs to be especially careful, and update Java to Version 7 Update 7. That seems to be how this thing exploits people running v6 and older browsers and older OS

[Fermi2]

Yep still having to turn avast off so I can get here.

[drayer54]

Blocked request: location contains malicious content
Threat: Mal/ObfJS-CZ

Threat source : http://www.nukeworker.com/
The requested location contained malicious content and was blocked from downloading

[HydroDave63]

Blocked request: location contains malicious content
Threat: Mal/ObfJS-CZ

Threat source : http://www.nukeworker.com/
The requested location contained malicious content and was blocked from downloading

what site listed that?

[OLzenizin]

it comes and goes so I just try periodically until it lets me in. I have no problem entering PolySci just the main board.

[Marlin]

After a week of no problem it's back.

[GLW]

symantec does not seem to be having any trouble coping with this one,...

that or I'm completely hosed but don't know it yet,...

[Rennhack]

how about now, deleted some more stuff...

[drayer54]

how about now, deleted some more stuff...

I'll check today.

[DontGoToNPTU]

I was having the same warning from NIS but I'm not having it today.

[drayer54]

Still there.

[retread]

I'm using Avira and getting warnings.

[HydroDave63]

How many of us that get these warnings, are running Firefox, IE8 or Google Chrome?

I run Firefox

[GLW]

How many of us that get these warnings, are running Firefox, IE8 or Google Chrome?

I run Firefox

As stated earlier I have Symantec and no issues,...

Typically (nearly exclusively) browse with Firefox,...

On a sidenote, my Dell Inspiron 5000, with XP/McAfee/Firefox suffered a severe issue in June of this issue year (doh!),...

wiped it and reloaded to get rid of the problem,...

I did not waste much time with it as I back up to a portable hard drive often and would just as soon start with a clean slate and registry in four hours as muck around for twelve,...

But I suspect it was an issue with firefox and a McAfee update not working too well together, possibly with a third factor from something like this as I access nukeworker on the Dell with XP also,...

[Higgs]

On my laptop, using FF and windows security essentials, I can come to NW.com just fine.

On my desktop, using FF and avast, it blocks me from coming to NW.com and gives a red malware warning.

Justin

[Rennhack]

On my laptop, using FF and windows security essentials, I can come to NW.com just fine.

On my desktop, using FF and avast, it blocks me from coming to NW.com and gives a red malware warning.

I appreciate the updates.  I use FF (some times ie9) and windows defender, and I never get these 'warnings'.  I also never get infected.

I scanned the site several times, and they found nothing wrong.  I don't want to say its a false positive... but I'm really having trouble finding any issues.

[HydroDave63]

The weird thing is, Kaspersky will do the red alert thing, but then in the fix phase, recommends ignore. Uh, yeah. So I do massive Firefox cache purge, the framer bug adds crap into the profile.

[Higgs]

I haven't tried anything to remedy the issue yet, but still after my nrc exam.

Oh one other thing, I can no longer come to nw.com directly from work, I have to go the forums. So I can't see the home page. I forget the error it gives, but will post when I try it in the next few days.

Justin

[OldHP]

I use ie or ff with McAfee and have not experienced a problem, as yet!

[Higgs]

I haven't tried anything to remedy the issue yet, but still after my nrc exam.

Oh one other thing, I can no longer come to nw.com directly from work, I have to go the forums. So I can't see the home page. I forget the error it gives, but will post when I try it in the next few days.

Justin

Ok so at work, when I try to go to www.nukeworker.com, the company "blocking" software says this;

"McAfee Web Gateway received an ICAP communication error while talking to an ICAP server, and
bypassing on this error is not enabled."


But I can go to www.nukeworker.com/forum  just fine.

That's on both IE and FF.

Justin

[HydroDave63]

The ICAP error probably comes from the iframer trying to connect to the fake ICAP server.

Here is a fact-filled article on this iframer script, and why it is hard to detect. Chock full of coder stuff way over my head:

http://www.esotech.org/resources/cms/wordpress/wordpress-header-javascript-and-iframe-injection-problem-solution-and-analysis

While working on a development site, that sat idle before any actual work was done for a while, we noticed that some kind of iframe injection had occured. There was no trace of it in the database or the server code, nothing that said iFrame, nothing that added extra scripts. This was a brand new website, template from scratch with no plugins and no content...I Was pulling my hair out, but slowly started getting on to the situation, and with the help of Mike Brich from HavenLight Software, got right down to it after hours of investigation and head scratching.

This post will be very code intensive, but with full explanations, just a warning, I am jumping right into it!!
Overview

Bottom line this is how it works:

   Something Injects Code into wp-settings.php
   function counter_wordpress is decoded and sends a CURL request to a third party server with your computer info.
   CURL sends a string from third party server and injects javascript
   javascript communicates with yet another server and injects an iframe
   iFrame injects all sorts of other scripts, popups, java programs, and other iFrames from other servers.
   CURL'd server logs your IP and computer information, and the next time you visit hides itself, or prevents itself from showing its payload, for a while.
   Repeat.

(more pages follow)

[Rennhack]

Thanks Dave.

God this is frustrating.

[Higgs]

The ICAP error probably comes from the iframer trying to connect to the fake ICAP server.

Here is a fact-filled article on this iframer script, and why it is hard to detect. Chock full of coder stuff way over my head:

http://www.esotech.org/resources/cms/wordpress/wordpress-header-javascript-and-iframe-injection-problem-solution-and-analysis

While working on a development site, that sat idle before any actual work was done for a while, we noticed that some kind of iframe injection had occured. There was no trace of it in the database or the server code, nothing that said iFrame, nothing that added extra scripts. This was a brand new website, template from scratch with no plugins and no content...I Was pulling my hair out, but slowly started getting on to the situation, and with the help of Mike Brich from HavenLight Software, got right down to it after hours of investigation and head scratching.

This post will be very code intensive, but with full explanations, just a warning, I am jumping right into it!!
Overview

Bottom line this is how it works:

   Something Injects Code into wp-settings.php
   function counter_wordpress is decoded and sends a CURL request to a third party server with your computer info.
   CURL sends a string from third party server and injects javascript
   javascript communicates with yet another server and injects an iframe
   iFrame injects all sorts of other scripts, popups, java programs, and other iFrames from other servers.
   CURL'd server logs your IP and computer information, and the next time you visit hides itself, or prevents itself from showing its payload, for a while.
   Repeat.

(more pages follow)

So am I reading this correct, that it seems like possibly nw.com may have a fake site injected into the php code that could be causing all of this>?

Justin

[HydroDave63]

So am I reading this correct, that it seems like possibly nw.com may have a fake site injected into the php code that could be causing all of this>?

Justin

That was my take on it as well. Kaspersky tells me I'm afflicted about every third day or so. I wipe it clean, lather rinse repeat. As the article describes, it is pretty well hidden, and looks like the reason it nails us viewers is to pimp out our browser profile/cookies/etc info to the receptor site.

[Higgs]

Ok my avast says this is the issue;

Infection:   JS:Redirector-MA [Trj]


I don't know what that means, just trying to give as much data as possible to help with the investigation.

Justin

[OldHP]

So am I reading this correct, that it seems like possibly nw.com may have a fake site injected into the php code that could be causing all of this>?  Justin 

That was my take on it as well. Kaspersky tells me I'm afflicted about every third day or so. I wipe it clean, lather rinse repeat. As the article describes, it is pretty well hidden, and looks like the reason it nails us viewers is to pimp out our browser profile/cookies/etc info to the receptor site. 

Or, could the folks having the problem have picked up the 'fake' somewhere else?  Like Ya'll, I don't know.  At this point I have not had a problem, I'll question my BIL and his brother when I see them this weekend!  Sorry Mike, no answers, just questions!

[RDTroja]

I have Sophos at work (WinXP Pro/IE8) and AVG Pro at home (Windows7 Pro 64/IE8) and I have not had any messages at all.

[Rennhack]

So... If it isn't happening in the forum, which has forum software, and banner ad software... It may NOT be those parts of the site.

I've also had no reports from any other pages of the site, so really that theory doesn't work... but the forum is more heavily used than other parts.

I can try disabling the picture software, and the picture on the home page, and see if that makes it go away.

I guess we will have to try disabling parts of the site one by one until we figure it out.

[Higgs]

Update; My avast on my PC is no longer warning me. I haven't tried the site from work lately.

Justin

[Higgs]

Update number 2: I no longer get the error above, at work.

Justin

[Rennhack]

I found one malicious program in the /logs/ section yesterday and removed it.  I'm in the process of re-uploading the ad server software and photo gallery & Software with security patches.  I'm on a satellite and cell phone conn3ection so it takes a while.  I recently finished re-downloading a local copy of the site.

[Rennhack]

Expect some down time tonight while I update some software.

[GLW]

Expect some down time tonight while I update some software.

[Rennhack]

It's been quiet for a few days. I assume that means we figured it out finally.

[Higgs]

All good here!

Thanks!

Justin

[Marlin]

No more problems here.

[HydroDave63]

Looks like lots of member photo galleries were nuked! But at least the bug is gone  

I tried to upload, but got a no permission error

[OldHP]

The only thing I can see is whatever changes were made also changed the server clock.  It is ~ 2030 EDT and the site is showing that it is 10/02/12!

[Rennhack]

The only thing I can see is whatever changes were made also changed the server clock.  It is ~ 2030 EDT and the site is showing that it is 10/02/12!

The server time hasen't changed.

Check your profile's time offset:

http://www.nukeworker.com/forum/index.php?action=profile;sa=theme

[OldHP]

It is showing correct at local time.  Your post shows up as (today - 10-02-12, 0053)

[Rennhack]

Weird.

[HydroDave63]

Iframer alert tonight. Looks like allfashion and his bot buddies are back

[Rennhack]

Marlin alerted me to this yesterday as well.  I'm out of town workign an outage for the next three weeks.  I don't have any of my tools with me.  I may not be able to fix this untill I get back home.

[Rennhack]

I got a day off. I downloaded an ftp program. (free, and its better than the one I have at home that I paid big bucks -- I have a new preferred ftp program! Filezilla)

I think I found and fixed some issues.  So let me know if its resolved.

[HydroDave63]

I think I found and fixed some issues.  So let me know if its resolved.

Big K still gives me the Red warning and blocks me from the front page.

[Rennhack]

Big K still gives me the Red warning and blocks me from the front page.

Thanks for the feedback.

[Higgs]

On my main machine, my Avast is blocking the site again.

On my laptop, Microsoft security essentials gives no warning of anything.

Justin

[Marlin]

I have access again. Thanx.

[Rennhack]

I made one more change.  Hopefully that fixes it.

[Rennhack]

Did that last change fix it?

[Marlin]

No problems here.

[HydroDave63]

Did that last change fix it?

Kaspersky + Firefox = Red threat window

Kaspersky + Chrome = Just fine

This tells me that the threat is aimed at Firefox and IE code, since Kaspersky is the common input but differing results. But IMHO, the Iframer problem is still resident.

My "fix" was to renew my Gold for another year and download Chrome

[Rennhack]

Kaspersky + Firefox = Red threat window

Kaspersky + Chrome = Just fine

This tells me that the threat is aimed at Firefox and IE code, since Kaspersky is the common input but differing results. But IMHO, the Iframer problem is still resident.

My "fix" was to renew my Gold for another year and download Chrome

Thanks for the update.  I'll look into it again Sunday (my day off).

[Higgs]

Blocked by avast + firefox.

Blocked at work.

OK with firefox + microsoft security essentials.

[Fermi2]

Just started getting blocked at home with avasts and firefox

[Higgs]

Blocked by avast + firefox.

Blocked at work.

OK with firefox + microsoft security essentials.

Update from work...,

It's blocked by my work's firewall when using firefox,

but when I use IE, it isn't blocked and works just fine.

I agree with HD..., something is targeting FF. Here is what my work's firewall says;


Request Blocked by Proactive Scanning
Your request to URL "http://www.nukeworker.com/forum//" has been Blocked by McAfee Web Gateway Proactive Scanning. The program could potentially perform operations, which is not allowed by your administrator at this time.

Malware Name:    McAfeeGW: Heuristic.BehavesLike.JS.Infected.A
URL:    http://www.nukeworker.com/forum/
File:    http://www.nukeworker.com/forum//
File Type:    -
Reputation Level:    Neutral




Hope it helps.

Justin

[Rennhack]

The files I 'fixed' have been reinfected.... This one is gonna suck.  My outage ends on the 24th.  Until then, I'll try to keep up with it.  Fixing the files each night they are infecting.

They have some of the forum files, and now some of the adserver files laced with crap.

[Rennhack]

So... I replaced the adserver files and the forum files (that were altered), and I locked the forum files.  I hope this helps.

Keeps the updates coming in.

[Rennhack]

I downloaded an ftp program. (free, and its better than the one I have at home that I paid big bucks for -- I have a new preferred ftp program! Filezilla)

http://filezilla-project.org/

That file zilla is a great tool in our fight against these people.

[Higgs]

Avast + firefox no longer blocked.

Justin

[Rennhack]

They hit another file today.  However, I'm at least staying on top of it now.

[Rennhack]

They hit another file today.  However, I'm at least staying on top of it now.

No files were assaulted today.

[Rennhack]

They hit another file today.  Again, I'm keeping on it.  -- of course, finding the exploit they are using is still alluding me.  What they are doing is finding files that are writable, and somehow uploading a file to replace it.

[Rennhack]

2 days, no new infections.

[Rennhack]

Nothing today.  -- Just to be clear, I haven't figured what exploit they are using.  I'm just making the file they are infecting non-writable so they cant inject them with germs.