Author Topic: So What Is This? (Read 72237 times)

Fermi2 · « **on:** Sep 06, 2012, 07:31 »

http://therlade.pro/ir040xzxwug/

My anti virus program is picking this up when I try opening nukeworker. It was blocking nukeworker completely so I turned Webshield off. When Nukeworker opened the antivirus program blocked the above...

drayer54 · « **Reply #1 on:** Sep 06, 2012, 08:41 »

I've had similar issues and can't access the site from certain networks. I get an antivirus warning and denied completely.

HydroDave63 · « **Reply #2 on:** Sep 06, 2012, 10:02 »

http://health.phys.iit.edu/archives/2012-July/036665.html

Some fellow at CDC got the malware warning July 10th.

Marlin · « **Reply #3 on:** Sep 06, 2012, 10:16 »

I am having the same problem, it comes and goes so I just try periodically until it lets me in. I have no problem entering PolySci just the main board.

Rennhack · « **Reply #4 on:** Sep 07, 2012, 02:27 »

I appreciate the reports. I'm looking into it. We have a lot of complex software, and it's not always easy to figure out what those hackers have messed up.

Rennhack · « **Reply #5 on:** Sep 07, 2012, 03:11 »

I'm hunting and deleting and removing... let me know if you stop getting the warnings. Also, any details you can provide, especially if it can tell me what files to look at.

Fermi2 · « **Reply #6 on:** Sep 07, 2012, 11:23 »

Mine denied me for 3 days. Avast has an option where you can exclude sites from it's Webshield. I tried excluding but it wouldn't let me in. So I turned Web Shield off. It let Nukeworker on because that was the url I was trying to get into but it stopped that thing I just posted.

I haven't tried logging on at home again.

Mike it didn't give a folder or file, it only gave me what I posted here.

Rennhack · « **Reply #7 on:** Sep 07, 2012, 02:27 »

Best as I can tell AVG claims we have the "Phoenix exploit kit" on 16 Pages, but it wont mention what 16 they are. Could be a false positive.

I scanned the site with 30 others scanners (including Google Safe Browsing), and they all came up clean... only AVG 'thinks' we have an issue.

http://scanurl.net/?u=http%3A%2F%2Fwww.nukeworker.com&uesb=Check+This+URL#results
http://siteinspector.comodo.com/public/reports/5738151
https://www.virustotal.com/url/02254d6374e5fa6788547a79fe2f7e822a3834d7c5e606c275bc24aa91856b1d/analysis/1347041852/
http://online2.drweb.com/cache/?i=4b6c193d8e6fa63daf0127948146d587
http://urlvoid.com/scan/nukeworker.com/
http://urlquery.net/report.php?id=166421
http://safeweb.norton.com/report/show?url=http%3A%2F%2Fwww.nukeworker.com

I made a few minor changes anyways, let me know if you are still getting the warnings.

Honestly, if Google doesn't think we have an issue, and 30 other scanners think we are safe.... the problem may be with AVG trying to sell more software or something. I've scanned the site with many virus scanners, and they find nothing. AVG claims something is there, but wont say where it is specifically. Very vague...

Rennhack · « **Reply #8 on:** Sep 07, 2012, 02:53 »

I've see that kind of activity before when our site was clean, but the client side computer (yours) had a virus that redirected your website requests through bad websites.

I guess it's possible that AVG is the only software that can detect this really old virus threat, and the other 30 (including norton and google) can't.

Fermi2 · « **Reply #9 on:** Sep 07, 2012, 10:39 »

From other computers I don't get banned or locked out. I don't have AVG, I have a free anti virus called Avast. So far they haven't tried selling me anything. I turned Avast Webshield off it let me in here but blocked that other site again.

drayer54 · « **Reply #10 on:** Sep 08, 2012, 11:56 »

Mine just says Malware detected and blocks the site entirely. I've noticed this since last Tuesday.

HydroDave63 · « **Reply #11 on:** Sep 08, 2012, 01:11 »

An excellent description of the Phoenix exploit found here:

http://labs.m86security.com/tag/phoenix-exploit-kit-3-0/

Marlin · « **Reply #12 on:** Sep 08, 2012, 01:36 »

Quote from: HydroDave63 on Sep 08, 2012, 01:11

An excellent description of the Phoenix exploit found here:

http://labs.m86security.com/tag/phoenix-exploit-kit-3-0/

Thanks HD I just had a WordPress site dumped on me and I am suffered vapor lock of the brain trying to come up to speed. I don't believe that Mike is using WordPress.

Rennhack · « **Reply #13 on:** Sep 08, 2012, 01:43 »

Quote from: Drayer on Sep 08, 2012, 11:56

Mine just says Malware detected and blocks the site entirely. I've noticed this since last Tuesday.

Does it STILL do that?

HydroDave63 · « **Reply #14 on:** Sep 08, 2012, 02:26 »

Quote from: Marlin on Sep 08, 2012, 01:36

Thanks HD I just had a WordPress site dumped on me and I am suffered vapor lock of the brain trying to come up to speed. I don't believe that Mike is using WordPress.

My speculation is that UncaBuff is on an infected server in Kampuchea, and when he uploaded some pics it rode aboard, since the delivery method seems to be FTP. But I'm no coder.

Fermi2 · « **Reply #15 on:** Sep 08, 2012, 11:51 »

Quote from: Rennhack on Sep 08, 2012, 01:43

Does it STILL to that?

In my case yes.

HydroDave63 · « **Reply #16 on:** Sep 09, 2012, 09:31 »

Anyone running XP needs to be especially careful, and update Java to Version 7 Update 7. That seems to be how this thing exploits people running v6 and older browsers and older OS

Fermi2 · « **Reply #17 on:** Sep 09, 2012, 10:21 »

Yep still having to turn avast off so I can get here.

drayer54 · « **Reply #18 on:** Sep 10, 2012, 02:20 »

Blocked request: location contains malicious content
Threat: Mal/ObfJS-CZ

Threat source : http://www.nukeworker.com/
The requested location contained malicious content and was blocked from downloading

HydroDave63 · « **Reply #19 on:** Sep 10, 2012, 02:44 »

Quote from: Drayer on Sep 10, 2012, 02:20

Blocked request: location contains malicious content
Threat: Mal/ObfJS-CZ

Threat source : http://www.nukeworker.com/
The requested location contained malicious content and was blocked from downloading

what site listed that?

OLzenizin · « **Reply #20 on:** Sep 12, 2012, 08:45 »

it comes and goes so I just try periodically until it lets me in. I have no problem entering PolySci just the main board.

Marlin · « **Reply #21 on:** Sep 12, 2012, 09:05 »

After a week of no problem it's back.

GLW · « **Reply #22 on:** Sep 12, 2012, 12:32 »

symantec does not seem to be having any trouble coping with this one,...

that or I'm completely hosed but don't know it yet,...

Rennhack · « **Reply #23 on:** Sep 17, 2012, 11:37 »

how about now, deleted some more stuff...

drayer54 · « **Reply #24 on:** Sep 18, 2012, 07:18 »

Quote from: Rennhack on Sep 17, 2012, 11:37

how about now, deleted some more stuff...

I'll check today.

DontGoToNPTU · « **Reply #25 on:** Sep 18, 2012, 11:23 »

I was having the same warning from NIS but I'm not having it today.

drayer54 · « **Reply #26 on:** Sep 19, 2012, 12:02 »

Still there.

retread · « **Reply #27 on:** Sep 23, 2012, 04:55 »

I'm using Avira and getting warnings.

HydroDave63 · « **Reply #28 on:** Sep 23, 2012, 05:24 »

How many of us that get these warnings, are running Firefox, IE8 or Google Chrome?

I run Firefox

GLW · « **Reply #29 on:** Sep 23, 2012, 06:03 »

Quote from: HydroDave63 on Sep 23, 2012, 05:24

How many of us that get these warnings, are running Firefox, IE8 or Google Chrome?

I run Firefox

As stated earlier I have Symantec and no issues,...

Typically (nearly exclusively) browse with Firefox,...

On a sidenote, my Dell Inspiron 5000, with XP/McAfee/Firefox suffered a severe issue in June of this ~~issue~~ year (doh!),...

wiped it and reloaded to get rid of the problem,...

I did not waste much time with it as I back up to a portable hard drive often and would just as soon start with a clean slate and registry in four hours as muck around for twelve,...

But I suspect it was an issue with firefox and a McAfee update not working too well together, possibly with a third factor from something like this as I access nukeworker on the Dell with XP also,...

Higgs · « **Reply #30 on:** Sep 23, 2012, 07:58 »

On my laptop, using FF and windows security essentials, I can come to NW.com just fine.

On my desktop, using FF and avast, it blocks me from coming to NW.com and gives a red malware warning.

Justin

Rennhack · « **Reply #31 on:** Sep 23, 2012, 08:17 »

Quote from: Higgs on Sep 23, 2012, 07:58

On my laptop, using FF and windows security essentials, I can come to NW.com just fine.

On my desktop, using FF and avast, it blocks me from coming to NW.com and gives a red malware warning.

I appreciate the updates. I use FF (some times ie9) and windows defender, and I never get these 'warnings'. I also never get infected.

I scanned the site several times, and they found nothing wrong. I don't want to say its a false positive... but I'm really having trouble finding any issues.

HydroDave63 · « **Reply #32 on:** Sep 23, 2012, 08:18 »

The weird thing is, Kaspersky will do the red alert thing, but then in the fix phase, recommends ignore. Uh, yeah. So I do massive Firefox cache purge, the framer bug adds crap into the profile.

Higgs · « **Reply #33 on:** Sep 23, 2012, 08:36 »

I haven't tried anything to remedy the issue yet, but still after my nrc exam.

Oh one other thing, I can no longer come to nw.com directly from work, I have to go the forums. So I can't see the home page. I forget the error it gives, but will post when I try it in the next few days.

Justin

OldHP · « **Reply #34 on:** Sep 23, 2012, 10:55 »

I use ie or ff with McAfee and have not experienced a problem, as yet!

Higgs · « **Reply #35 on:** Sep 24, 2012, 09:24 »

Quote from: Higgs on Sep 23, 2012, 08:36

I haven't tried anything to remedy the issue yet, but still after my nrc exam.

Oh one other thing, I can no longer come to nw.com directly from work, I have to go the forums. So I can't see the home page. I forget the error it gives, but will post when I try it in the next few days.

Justin

Ok so at work, when I try to go to www.nukeworker.com, the company "blocking" software says this;

"McAfee Web Gateway received an ICAP communication error while talking to an ICAP server, and
bypassing on this error is not enabled."

But I can go to www.nukeworker.com/forum just fine.

That's on both IE and FF.

Justin

HydroDave63 · « **Reply #36 on:** Sep 24, 2012, 11:34 »

The ICAP error probably comes from the iframer trying to connect to the fake ICAP server.

Here is a fact-filled article on this iframer script, and why it is hard to detect. Chock full of coder stuff way over my head:

http://www.esotech.org/resources/cms/wordpress/wordpress-header-javascript-and-iframe-injection-problem-solution-and-analysis

While working on a development site, that sat idle before any actual work was done for a while, we noticed that some kind of iframe injection had occured. There was no trace of it in the database or the server code, nothing that said iFrame, nothing that added extra scripts. This was a brand new website, template from scratch with no plugins and no content…I Was pulling my hair out, but slowly started getting on to the situation, and with the help of Mike Brich from HavenLight Software, got right down to it after hours of investigation and head scratching.

This post will be very code intensive, but with full explanations, just a warning, I am jumping right into it!!
Overview

Bottom line this is how it works:

   Something Injects Code into wp-settings.php
   function counter_wordpress is decoded and sends a CURL request to a third party server with your computer info.
   CURL sends a string from third party server and injects javascript
   javascript communicates with yet another server and injects an iframe
   iFrame injects all sorts of other scripts, popups, java programs, and other iFrames from other servers.
   CURL’d server logs your IP and computer information, and the next time you visit hides itself, or prevents itself from showing its payload, for a while.
   Repeat.

(more pages follow)

Rennhack · « **Reply #37 on:** Sep 24, 2012, 02:18 »

Thanks Dave.

God this is frustrating.

Higgs · « **Reply #38 on:** Sep 24, 2012, 03:02 »

Quote from: HydroDave63 on Sep 24, 2012, 11:34

The ICAP error probably comes from the iframer trying to connect to the fake ICAP server.

Here is a fact-filled article on this iframer script, and why it is hard to detect. Chock full of coder stuff way over my head:

http://www.esotech.org/resources/cms/wordpress/wordpress-header-javascript-and-iframe-injection-problem-solution-and-analysis

While working on a development site, that sat idle before any actual work was done for a while, we noticed that some kind of iframe injection had occured. There was no trace of it in the database or the server code, nothing that said iFrame, nothing that added extra scripts. This was a brand new website, template from scratch with no plugins and no content…I Was pulling my hair out, but slowly started getting on to the situation, and with the help of Mike Brich from HavenLight Software, got right down to it after hours of investigation and head scratching.

This post will be very code intensive, but with full explanations, just a warning, I am jumping right into it!!
Overview

Bottom line this is how it works:

   Something Injects Code into wp-settings.php
   function counter_wordpress is decoded and sends a CURL request to a third party server with your computer info.
   CURL sends a string from third party server and injects javascript
   javascript communicates with yet another server and injects an iframe
   iFrame injects all sorts of other scripts, popups, java programs, and other iFrames from other servers.
   CURL’d server logs your IP and computer information, and the next time you visit hides itself, or prevents itself from showing its payload, for a while.
   Repeat.

(more pages follow)

So am I reading this correct, that it seems like possibly nw.com may have a fake site injected into the php code that could be causing all of this>?

Justin

HydroDave63 · « **Reply #39 on:** Sep 24, 2012, 03:49 »

Quote from: Higgs on Sep 24, 2012, 03:02

So am I reading this correct, that it seems like possibly nw.com may have a fake site injected into the php code that could be causing all of this>?

Justin

That was my take on it as well. Kaspersky tells me I'm afflicted about every third day or so. I wipe it clean, lather rinse repeat. As the article describes, it is pretty well hidden, and looks like the reason it nails us viewers is to pimp out our browser profile/cookies/etc info to the receptor site.

Higgs · « **Reply #40 on:** Sep 24, 2012, 10:30 »

Ok my avast says this is the issue;

Infection: JS:Redirector-MA [Trj]

I don't know what that means, just trying to give as much data as possible to help with the investigation.

Justin

OldHP · « **Reply #41 on:** Sep 24, 2012, 11:04 »

Quote from: Higgs on Sep 24, 2012, 03:02

So am I reading this correct, that it seems like possibly nw.com may have a fake site injected into the php code that could be causing all of this>? Justin

Quote from: HydroDave63 on Sep 24, 2012, 03:49

That was my take on it as well. Kaspersky tells me I'm afflicted about every third day or so. I wipe it clean, lather rinse repeat. As the article describes, it is pretty well hidden, and looks like the reason it nails us viewers is to pimp out our browser profile/cookies/etc info to the receptor site.

Or, could the folks having the problem have picked up the 'fake' somewhere else? Like Ya'll, I don't know. At this point I have not had a problem, I'll question my BIL and his brother when I see them this weekend! Sorry Mike, no answers, just questions!

RDTroja · « **Reply #42 on:** Sep 24, 2012, 11:42 »

I have Sophos at work (WinXP Pro/IE8) and AVG Pro at home (Windows7 Pro 64/IE8) and I have not had any messages at all.

Rennhack · « **Reply #43 on:** Sep 26, 2012, 01:39 »

So... If it isn't happening in the forum, which has forum software, and banner ad software... It may NOT be those parts of the site.

I've also had no reports from any other pages of the site, so really that theory doesn't work... but the forum is more heavily used than other parts.

I can try disabling the picture software, and the picture on the home page, and see if that makes it go away.

I guess we will have to try disabling parts of the site one by one until we figure it out.

Higgs · « **Reply #44 on:** Sep 26, 2012, 06:40 »

Update; My avast on my PC is no longer warning me. I haven't tried the site from work lately.

Justin

Higgs · « **Reply #45 on:** Sep 27, 2012, 09:08 »

Update number 2: I no longer get the error above, at work.

Justin

Rennhack · « **Reply #46 on:** Sep 27, 2012, 02:29 »

I found one malicious program in the /logs/ section yesterday and removed it. I'm in the process of re-uploading the ad server software and photo gallery & Software with security patches. I'm on a satellite and cell phone conn3ection so it takes a while. I recently finished re-downloading a local copy of the site.

Rennhack · « **Reply #47 on:** Sep 27, 2012, 02:29 »

Expect some down time tonight while I update some software.

GLW · « **Reply #48 on:** Sep 27, 2012, 06:04 »

Quote from: Rennhack on Sep 27, 2012, 02:29

Expect some down time tonight while I update some software.

Rennhack · « **Reply #49 on:** Oct 01, 2012, 03:12 »

It's been quiet for a few days. I assume that means we figured it out finally.

Higgs · « **Reply #50 on:** Oct 01, 2012, 06:29 »

All good here!

Thanks!

Justin

Marlin · « **Reply #51 on:** Oct 01, 2012, 06:37 »

No more problems here.

HydroDave63 · « **Reply #52 on:** Oct 01, 2012, 08:23 »

Looks like lots of member photo galleries were nuked! But at least the bug is gone

I tried to upload, but got a no permission error

OldHP · « **Reply #53 on:** Oct 01, 2012, 08:28 »

The only thing I can see is whatever changes were made also changed the server clock. It is ~ 2030 EDT and the site is showing that it is 10/02/12!

Rennhack · « **Reply #54 on:** Oct 01, 2012, 08:53 »

Quote from: OldHP on Oct 01, 2012, 08:28

The only thing I can see is whatever changes were made also changed the server clock. It is ~ 2030 EDT and the site is showing that it is 10/02/12!

The server time hasen't changed.

Check your profile's time offset:

http://www.nukeworker.com/forum/index.php?action=profile;sa=theme

OldHP · « **Reply #55 on:** Oct 01, 2012, 09:20 »

It is showing correct at local time. Your post shows up as (today - 10-02-12, 0053)

Rennhack · « **Reply #56 on:** Oct 02, 2012, 12:32 »

Weird.

HydroDave63 · « **Reply #57 on:** Nov 06, 2012, 08:40 »

Iframer alert tonight. Looks like allfashion and his bot buddies are back

Rennhack · « **Reply #58 on:** Nov 07, 2012, 05:32 »

Marlin alerted me to this yesterday as well. I'm out of town workign an outage for the next three weeks. I don't have any of my tools with me. I may not be able to fix this untill I get back home.

Rennhack · « **Reply #59 on:** Nov 11, 2012, 08:30 »

I got a day off. I downloaded an ftp program. (free, and its better than the one I have at home that I paid big bucks -- I have a new preferred ftp program! Filezilla)

I think I found and fixed some issues. So let me know if its resolved.

HydroDave63 · « **Reply #60 on:** Nov 11, 2012, 09:47 »

Quote from: Rennhack on Nov 11, 2012, 08:30

I think I found and fixed some issues. So let me know if its resolved.

Big K still gives me the Red warning and blocks me from the front page.

Rennhack · « **Reply #61 on:** Nov 11, 2012, 10:56 »

Quote from: HydroDave63 on Nov 11, 2012, 09:47

Big K still gives me the Red warning and blocks me from the front page.

Thanks for the feedback.

Higgs · « **Reply #62 on:** Nov 11, 2012, 10:59 »

On my main machine, my Avast is blocking the site again.

On my laptop, Microsoft security essentials gives no warning of anything.

Justin

Marlin · « **Reply #63 on:** Nov 11, 2012, 01:40 »

I have access again. Thanx.

Rennhack · « **Reply #64 on:** Nov 11, 2012, 02:09 »

I made one more change. Hopefully that fixes it.

Rennhack · « **Reply #65 on:** Nov 14, 2012, 09:41 »

Did that last change fix it?

Marlin · « **Reply #66 on:** Nov 14, 2012, 10:44 »

No problems here.

HydroDave63 · « **Reply #67 on:** Nov 14, 2012, 08:53 »

Quote from: Rennhack on Nov 14, 2012, 09:41

Did that last change fix it?

Kaspersky + Firefox = Red threat window

Kaspersky + Chrome = Just fine

This tells me that the threat is aimed at Firefox and IE code, since Kaspersky is the common input but differing results. But IMHO, the Iframer problem is still resident.

My "fix" was to renew my Gold for another year and download Chrome

Rennhack · « **Reply #68 on:** Nov 14, 2012, 09:40 »

Quote from: HydroDave63 on Nov 14, 2012, 08:53

Kaspersky + Firefox = Red threat window

Kaspersky + Chrome = Just fine

This tells me that the threat is aimed at Firefox and IE code, since Kaspersky is the common input but differing results. But IMHO, the Iframer problem is still resident.

My "fix" was to renew my Gold for another year and download Chrome

Thanks for the update. I'll look into it again Sunday (my day off).

Higgs · « **Reply #69 on:** Nov 14, 2012, 11:09 »

Blocked by avast + firefox.

Blocked at work.

OK with firefox + microsoft security essentials.

Fermi2 · « **Reply #70 on:** Nov 15, 2012, 11:23 »

Just started getting blocked at home with avasts and firefox

Higgs · « **Reply #71 on:** Nov 15, 2012, 05:21 »

Quote from: Higgs on Nov 14, 2012, 11:09

Blocked by avast + firefox.

Blocked at work.

OK with firefox + microsoft security essentials.

Update from work...,

It's blocked by my work's firewall when using firefox,

but when I use IE, it isn't blocked and works just fine.

I agree with HD..., something is targeting FF. Here is what my work's firewall says;

Request Blocked by Proactive Scanning
Your request to URL "http://www.nukeworker.com/forum//" has been Blocked by McAfee Web Gateway Proactive Scanning. The program could potentially perform operations, which is not allowed by your administrator at this time.

Malware Name:    McAfeeGW: Heuristic.BehavesLike.JS.Infe cted.A
URL:    http://www.nukeworker.com/forum/
File:    http://www.nukeworker.com/forum//
File Type:    -
Reputation Level:    Neutral

Hope it helps.

Justin

Rennhack · « **Reply #72 on:** Nov 15, 2012, 07:41 »

The files I 'fixed' have been reinfected.... This one is gonna suck. My outage ends on the 24th. Until then, I'll try to keep up with it. Fixing the files each night they are infecting.

They have some of the forum files, and now some of the adserver files laced with crap.

Rennhack · « **Reply #73 on:** Nov 15, 2012, 07:58 »

So... I replaced the adserver files and the forum files (that were altered), and I locked the forum files. I hope this helps.

Keeps the updates coming in.

Rennhack · « **Reply #74 on:** Nov 15, 2012, 08:01 »

Quote from: Rennhack on Nov 11, 2012, 08:30

I downloaded an ftp program. (free, and its better than the one I have at home that I paid big bucks for -- I have a new preferred ftp program! Filezilla)

http://filezilla-project.org/

That file zilla is a great tool in our fight against these people.

Higgs · « **Reply #75 on:** Nov 16, 2012, 12:31 »

Avast + firefox no longer blocked.

Justin

Rennhack · « **Reply #76 on:** Nov 16, 2012, 08:04 »

They hit another file today. However, I'm at least staying on top of it now.

Rennhack · « **Reply #77 on:** Nov 17, 2012, 09:03 »

Quote from: Rennhack on Nov 16, 2012, 08:04

They hit another file today. However, I'm at least staying on top of it now.

No files were assaulted today.

Rennhack · « **Reply #78 on:** Nov 18, 2012, 12:10 »

They hit another file today. Again, I'm keeping on it. -- of course, finding the exploit they are using is still alluding me. What they are doing is finding files that are writable, and somehow uploading a file to replace it.

Rennhack · « **Reply #79 on:** Nov 21, 2012, 07:18 »

2 days, no new infections.

Rennhack · « **Reply #80 on:** Nov 22, 2012, 05:51 »

Nothing today. -- Just to be clear, I haven't figured what exploit they are using. I'm just making the file they are infecting non-writable so they cant inject them with germs.

Author Topic: So What Is This? (Read 72237 times)

Fermi2

drayer54

Fermi2

Fermi2

drayer54

Fermi2

Fermi2

drayer54

OLzenizin

drayer54

drayer54

Fermi2