Help | Contact Us
NukeWorker.com
NukeWorker Menu So What Is This?

Author Topic: So What Is This?  (Read 50853 times)

0 Members and 1 Guest are viewing this topic.

Offline DontGoToNPTU

Re: So What Is This?
« Reply #25 on: Sep 18, 2012, 11:23 »
I was having the same warning from NIS but I'm not having it today.

drayer54

  • Guest
Re: So What Is This?
« Reply #26 on: Sep 19, 2012, 12:02 »
Still there.

Offline retread

  • Old, fat meter reader
  • Heavy User
  • ****
  • Posts: 434
  • Total likes: 0
  • Karma: 420
  • Gender: Male
  • Every day above ground is a good one
Re: So What Is This?
« Reply #27 on: Sep 23, 2012, 04:55 »
I'm using Avira and getting warnings.
In dwelling, be close to the land.
In meditation, go deep in the heart.
In dealing with others, be patient and kind.
In speech, be true.
In ruling, be just.
In business, be competent.

Offline HydroDave63

Re: So What Is This?
« Reply #28 on: Sep 23, 2012, 05:24 »
How many of us that get these warnings, are running Firefox, IE8 or Google Chrome?

I run Firefox

Offline GLW

Re: So What Is This?
« Reply #29 on: Sep 23, 2012, 06:03 »
How many of us that get these warnings, are running Firefox, IE8 or Google Chrome?

I run Firefox

As stated earlier I have Symantec and no issues,...

Typically (nearly exclusively) browse with Firefox,...

On a sidenote, my Dell Inspiron 5000, with XP/McAfee/Firefox suffered a severe issue in June of this issue year (doh!),...

wiped it and reloaded to get rid of the problem,...

I did not waste much time with it as I back up to a portable hard drive often and would just as soon start with a clean slate and registry in four hours as muck around for twelve,...

But I suspect it was an issue with firefox and a McAfee update not working too well together, possibly with a third factor from something like this as I access nukeworker on the Dell with XP also,...
« Last Edit: Sep 24, 2012, 08:58 by GLW »

been there, dun that,... the doormat to hell does not read "welcome", the doormat to hell reads "it's just business"

Offline Higgs

  • SRO
  • Very Heavy User
  • *****
  • Posts: 1942
  • Total likes: 5
  • Karma: 1284
  • Gender: Male
  • Life has a melody...
Re: So What Is This?
« Reply #30 on: Sep 23, 2012, 07:58 »
On my laptop, using FF and windows security essentials, I can come to NW.com just fine.

On my desktop, using FF and avast, it blocks me from coming to NW.com and gives a red malware warning.

Justin
"How feeble is the mindset to accept defenselessness. How unnatural. How cheap. How cowardly. How pathetic.” - Ted Nugent

Offline Rennhack

Re: So What Is This?
« Reply #31 on: Sep 23, 2012, 08:17 »
On my laptop, using FF and windows security essentials, I can come to NW.com just fine.

On my desktop, using FF and avast, it blocks me from coming to NW.com and gives a red malware warning.

I appreciate the updates.  I use FF (some times ie9) and windows defender, and I never get these 'warnings'.  I also never get infected.

I scanned the site several times, and they found nothing wrong.  I don't want to say its a false positive... but I'm really having trouble finding any issues.

Offline HydroDave63

Re: So What Is This?
« Reply #32 on: Sep 23, 2012, 08:18 »
The weird thing is, Kaspersky will do the red alert thing, but then in the fix phase, recommends ignore. Uh, yeah. So I do massive Firefox cache purge, the framer bug adds crap into the profile.

Offline Higgs

  • SRO
  • Very Heavy User
  • *****
  • Posts: 1942
  • Total likes: 5
  • Karma: 1284
  • Gender: Male
  • Life has a melody...
Re: So What Is This?
« Reply #33 on: Sep 23, 2012, 08:36 »
I haven't tried anything to remedy the issue yet, but still after my nrc exam.

Oh one other thing, I can no longer come to nw.com directly from work, I have to go the forums. So I can't see the home page. I forget the error it gives, but will post when I try it in the next few days.

Justin
"How feeble is the mindset to accept defenselessness. How unnatural. How cheap. How cowardly. How pathetic.” - Ted Nugent

Offline OldHP

  • Very Heavy User
  • *****
  • Posts: 502
  • Total likes: 0
  • Karma: 276
  • Gender: Male
  • Tell Recruiters to use NukeWorker.com
Re: So What Is This?
« Reply #34 on: Sep 23, 2012, 10:55 »
I use ie or ff with McAfee and have not experienced a problem, as yet!
Humor is a wonderful way to prevent hardening of the attitudes! unknown
The government is like a baby's alimentary canal, with a happy appetite at one end and no responsibility at the other. Regan

Offline Higgs

  • SRO
  • Very Heavy User
  • *****
  • Posts: 1942
  • Total likes: 5
  • Karma: 1284
  • Gender: Male
  • Life has a melody...
Re: So What Is This?
« Reply #35 on: Sep 24, 2012, 09:24 »
I haven't tried anything to remedy the issue yet, but still after my nrc exam.

Oh one other thing, I can no longer come to nw.com directly from work, I have to go the forums. So I can't see the home page. I forget the error it gives, but will post when I try it in the next few days.

Justin

Ok so at work, when I try to go to www.nukeworker.com, the company "blocking" software says this;

"McAfee Web Gateway received an ICAP communication error while talking to an ICAP server, and
bypassing on this error is not enabled."


But I can go to www.nukeworker.com/forum  just fine.

That's on both IE and FF.

Justin
"How feeble is the mindset to accept defenselessness. How unnatural. How cheap. How cowardly. How pathetic.” - Ted Nugent

Offline HydroDave63

Re: So What Is This?
« Reply #36 on: Sep 24, 2012, 11:34 »
The ICAP error probably comes from the iframer trying to connect to the fake ICAP server.

Here is a fact-filled article on this iframer script, and why it is hard to detect. Chock full of coder stuff way over my head:

http://www.esotech.org/resources/cms/wordpress/wordpress-header-javascript-and-iframe-injection-problem-solution-and-analysis


While working on a development site, that sat idle before any actual work was done for a while, we noticed that some kind of iframe injection had occured. There was no trace of it in the database or the server code, nothing that said iFrame, nothing that added extra scripts. This was a brand new website, template from scratch with no plugins and no content…I Was pulling my hair out, but slowly started getting on to the situation, and with the help of Mike Brich from HavenLight Software, got right down to it after hours of investigation and head scratching.

This post will be very code intensive, but with full explanations, just a warning, I am jumping right into it!!
Overview

Bottom line this is how it works:

    Something Injects Code into wp-settings.php
    function counter_wordpress is decoded and sends a CURL request to a third party server with your computer info.
    CURL sends a string from third party server and injects javascript
    javascript communicates with yet another server and injects an iframe
    iFrame injects all sorts of other scripts, popups, java programs, and other iFrames from other servers.
    CURL’d server logs your IP and computer information, and the next time you visit hides itself, or prevents itself from showing its payload, for a while.
    Repeat.


(more pages follow)
« Last Edit: Sep 24, 2012, 11:35 by HydroDave63 »

Offline Rennhack

Re: So What Is This?
« Reply #37 on: Sep 24, 2012, 02:18 »
Thanks Dave.

God this is frustrating.

Offline Higgs

  • SRO
  • Very Heavy User
  • *****
  • Posts: 1942
  • Total likes: 5
  • Karma: 1284
  • Gender: Male
  • Life has a melody...
Re: So What Is This?
« Reply #38 on: Sep 24, 2012, 03:02 »
The ICAP error probably comes from the iframer trying to connect to the fake ICAP server.

Here is a fact-filled article on this iframer script, and why it is hard to detect. Chock full of coder stuff way over my head:

http://www.esotech.org/resources/cms/wordpress/wordpress-header-javascript-and-iframe-injection-problem-solution-and-analysis


While working on a development site, that sat idle before any actual work was done for a while, we noticed that some kind of iframe injection had occured. There was no trace of it in the database or the server code, nothing that said iFrame, nothing that added extra scripts. This was a brand new website, template from scratch with no plugins and no content…I Was pulling my hair out, but slowly started getting on to the situation, and with the help of Mike Brich from HavenLight Software, got right down to it after hours of investigation and head scratching.

This post will be very code intensive, but with full explanations, just a warning, I am jumping right into it!!
Overview

Bottom line this is how it works:

    Something Injects Code into wp-settings.php
    function counter_wordpress is decoded and sends a CURL request to a third party server with your computer info.
    CURL sends a string from third party server and injects javascript
    javascript communicates with yet another server and injects an iframe
    iFrame injects all sorts of other scripts, popups, java programs, and other iFrames from other servers.
    CURL’d server logs your IP and computer information, and the next time you visit hides itself, or prevents itself from showing its payload, for a while.
    Repeat.


(more pages follow)

So am I reading this correct, that it seems like possibly nw.com may have a fake site injected into the php code that could be causing all of this>?

Justin
"How feeble is the mindset to accept defenselessness. How unnatural. How cheap. How cowardly. How pathetic.” - Ted Nugent

Offline HydroDave63

Re: So What Is This?
« Reply #39 on: Sep 24, 2012, 03:49 »
So am I reading this correct, that it seems like possibly nw.com may have a fake site injected into the php code that could be causing all of this>?

Justin

That was my take on it as well. Kaspersky tells me I'm afflicted about every third day or so. I wipe it clean, lather rinse repeat. As the article describes, it is pretty well hidden, and looks like the reason it nails us viewers is to pimp out our browser profile/cookies/etc info to the receptor site.

Offline Higgs

  • SRO
  • Very Heavy User
  • *****
  • Posts: 1942
  • Total likes: 5
  • Karma: 1284
  • Gender: Male
  • Life has a melody...
Re: So What Is This?
« Reply #40 on: Sep 24, 2012, 10:30 »
Ok my avast says this is the issue;

Infection:   JS:Redirector-MA [Trj]


I don't know what that means, just trying to give as much data as possible to help with the investigation.

Justin
"How feeble is the mindset to accept defenselessness. How unnatural. How cheap. How cowardly. How pathetic.” - Ted Nugent

Offline OldHP

  • Very Heavy User
  • *****
  • Posts: 502
  • Total likes: 0
  • Karma: 276
  • Gender: Male
  • Tell Recruiters to use NukeWorker.com
Re: So What Is This?
« Reply #41 on: Sep 24, 2012, 11:04 »
So am I reading this correct, that it seems like possibly nw.com may have a fake site injected into the php code that could be causing all of this>?  Justin 

That was my take on it as well. Kaspersky tells me I'm afflicted about every third day or so. I wipe it clean, lather rinse repeat. As the article describes, it is pretty well hidden, and looks like the reason it nails us viewers is to pimp out our browser profile/cookies/etc info to the receptor site. 

Or, could the folks having the problem have picked up the 'fake' somewhere else?  Like Ya'll, I don't know.  At this point I have not had a problem, I'll question my BIL and his brother when I see them this weekend!  Sorry Mike, no answers, just questions!
Humor is a wonderful way to prevent hardening of the attitudes! unknown
The government is like a baby's alimentary canal, with a happy appetite at one end and no responsibility at the other. Regan

Offline RDTroja

  • Site Heretic
  • Gold Member
  • *
  • Posts: 3753
  • Total likes: 132
  • Karma: 4546
  • Gender: Male
  • I knew I got into IT for a reason!
Re: So What Is This?
« Reply #42 on: Sep 24, 2012, 11:42 »
I have Sophos at work (WinXP Pro/IE8) and AVG Pro at home (Windows7 Pro 64/IE8) and I have not had any messages at all.
"I won't eat anything that has intelligent life, but I'd gladly eat a network executive or a politician."

                                  -Marty Feldman

"Politics is supposed to be the second-oldest profession. I have come to understand that it bears a very close resemblance to the first."
                                  -Ronald Reagan

I have never made but one prayer to God, a very short one: 'O Lord, make my enemies ridiculous.' And God granted it.

                                  - Voltaire

Offline Rennhack

Re: So What Is This?
« Reply #43 on: Sep 26, 2012, 01:39 »
So... If it isn't happening in the forum, which has forum software, and banner ad software... It may NOT be those parts of the site.

I've also had no reports from any other pages of the site, so really that theory doesn't work... but the forum is more heavily used than other parts.

I can try disabling the picture software, and the picture on the home page, and see if that makes it go away.

I guess we will have to try disabling parts of the site one by one until we figure it out.

Offline Higgs

  • SRO
  • Very Heavy User
  • *****
  • Posts: 1942
  • Total likes: 5
  • Karma: 1284
  • Gender: Male
  • Life has a melody...
Re: So What Is This?
« Reply #44 on: Sep 26, 2012, 06:40 »
Update; My avast on my PC is no longer warning me. I haven't tried the site from work lately.

Justin
"How feeble is the mindset to accept defenselessness. How unnatural. How cheap. How cowardly. How pathetic.” - Ted Nugent

Offline Higgs

  • SRO
  • Very Heavy User
  • *****
  • Posts: 1942
  • Total likes: 5
  • Karma: 1284
  • Gender: Male
  • Life has a melody...
Re: So What Is This?
« Reply #45 on: Sep 27, 2012, 09:08 »
Update number 2: I no longer get the error above, at work.

Justin
"How feeble is the mindset to accept defenselessness. How unnatural. How cheap. How cowardly. How pathetic.” - Ted Nugent

Offline Rennhack

Re: So What Is This?
« Reply #46 on: Sep 27, 2012, 02:29 »
I found one malicious program in the /logs/ section yesterday and removed it.  I'm in the process of re-uploading the ad server software and photo gallery & Software with security patches.  I'm on a satellite and cell phone conn3ection so it takes a while.  I recently finished re-downloading a local copy of the site.


Offline Rennhack

Re: So What Is This?
« Reply #47 on: Sep 27, 2012, 02:29 »
Expect some down time tonight while I update some software.

Offline GLW

Re: So What Is This?
« Reply #48 on: Sep 27, 2012, 06:04 »
Expect some down time tonight while I update some software.


been there, dun that,... the doormat to hell does not read "welcome", the doormat to hell reads "it's just business"

Offline Rennhack

Re: So What Is This?
« Reply #49 on: Oct 01, 2012, 03:12 »
It's been quiet for a few days. I assume that means we figured it out finally.

 


NukeWorker ™ is a registered trademark of NukeWorker.com ™, LLC © 1996-2020 All rights reserved.
All material on this Web Site, including text, photographs, graphics, code and/or software, are protected by international copyright/trademark laws and treaties. Unauthorized use is not permitted. You may not modify, copy, reproduce, republish, upload, post, transmit or distribute, in any manner, the material on this web site or any portion of it. Doing so will result in severe civil and criminal penalties, and will be prosecuted to the maximum extent possible under the law.
Privacy Statement | Terms of Use | Code of Conduct | Spam Policy | Advertising Info | Contact Us | Forum Rules | Password Problem?