So What Is This?

Started by Fermi2, Sep 06, 2012, 07:31


DontGoToNPTU

I was having the same warning from NIS but I'm not having it today.

drayer54


retread

I'm using Avira and getting warnings.
In dwelling, be close to the land.
In meditation, go deep in the heart.
In dealing with others, be patient and kind.
In speech, be true.
In ruling, be just.
In business, be competent.

HydroDave63

How many of us that get these warnings are running Firefox, IE8 or Google Chrome?

I run Firefox

GLW

Quote from: HydroDave63 on Sep 23, 2012, 05:24
How many of us that get these warnings are running Firefox, IE8 or Google Chrome?

I run Firefox

As stated earlier I have Symantec and no issues,...

Typically (nearly exclusively) browse with Firefox,...

On a sidenote, my Dell Inspiron 5000, with XP/McAfee/Firefox suffered a severe issue in June of this issue year (doh!),...

wiped it and reloaded to get rid of the problem,...

I did not waste much time with it as I back up to a portable hard drive often and would just as soon start with a clean slate and registry in four hours as muck around for twelve,...

But I suspect it was an issue with firefox and a McAfee update not working too well together, possibly with a third factor from something like this as I access nukeworker on the Dell with XP also,...

been there, dun that,... the doormat to hell does not read "welcome", the doormat to hell reads "it's just business"

Higgs

On my laptop, using FF and windows security essentials, I can come to NW.com just fine.

On my desktop, using FF and avast, it blocks me from coming to NW.com and gives a red malware warning.

Justin
"How feeble is the mindset to accept defenselessness. How unnatural. How cheap. How cowardly. How pathetic." - Ted Nugent

Rennhack

Quote from: Higgs on Sep 23, 2012, 07:58
On my laptop, using FF and windows security essentials, I can come to NW.com just fine.

On my desktop, using FF and avast, it blocks me from coming to NW.com and gives a red malware warning.

I appreciate the updates. I use FF (sometimes IE9) and Windows Defender, and I never get these 'warnings'. I also never get infected.

I scanned the site several times, and they found nothing wrong. I don't want to say it's a false positive... but I'm really having trouble finding any issues.

HydroDave63

The weird thing is, Kaspersky will do the red alert thing, but then in the fix phase, recommends ignore. Uh, yeah. So I do massive Firefox cache purge, the framer bug adds crap into the profile.

Higgs

I haven't tried anything to remedy the issue yet, but still after my NRC exam.

Oh one other thing, I can no longer come to nw.com directly from work, I have to go the forums. So I can't see the home page. I forget the error it gives, but will post when I try it in the next few days.

Justin

OldHP

I use ie or ff with McAfee and have not experienced a problem, as yet!
Humor is a wonderful way to prevent hardening of the attitudes! unknown
The government is like a baby's alimentary canal, with a happy appetite at one end and no responsibility at the other. Regan

Higgs

Quote from: Higgs on Sep 23, 2012, 08:36
I haven't tried anything to remedy the issue yet, but still after my NRC exam.

Oh one other thing, I can no longer come to nw.com directly from work, I have to go the forums. So I can't see the home page. I forget the error it gives, but will post when I try it in the next few days.

Justin

Ok so at work, when I try to go to www.nukeworker.com, the company "blocking" software says this:

"McAfee Web Gateway received an ICAP communication error while talking to an ICAP server, and
bypassing on this error is not enabled."

But I can go to www.nukeworker.com/forum just fine.

That's on both IE and FF.

Justin

HydroDave63

The ICAP error probably comes from the iframer trying to connect to the fake ICAP server.

Here is a fact-filled article on this iframer script, and why it is hard to detect. Chock full of coder stuff way over my head:

http://www.esotech.org/resources/cms/wordpress/wordpress-header-javascript-and-iframe-injection-problem-solution-and-analysis


While working on a development site, that sat idle before any actual work was done for a while, we noticed that some kind of iframe injection had occurred. There was no trace of it in the database or the server code, nothing that said iFrame, nothing that added extra scripts. This was a brand new website, template from scratch with no plugins and no content...I was pulling my hair out, but slowly started getting on to the situation, and with the help of Mike Brich from HavenLight Software, got right down to it after hours of investigation and head scratching.

This post will be very code intensive, but with full explanations, just a warning, I am jumping right into it!!
Overview

Bottom line this is how it works:

   Something Injects Code into wp-settings.php
   function counter_wordpress is decoded and sends a CURL request to a third party server with your computer info.
   CURL sends a string from third party server and injects javascript
   javascript communicates with yet another server and injects an iframe
   iFrame injects all sorts of other scripts, popups, java programs, and other iFrames from other servers.
   CURL'd server logs your IP and computer information, and the next time you visit hides itself, or prevents itself from showing its payload, for a while.
   Repeat.


(more pages follow)
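Reading that chain from the defender's side, here is an added example (not from the article, the forum, or NukeWorker's own code): a small Python scan that flags the indicators the overview names in a WordPress core file such as wp-settings.php, namely an injected counter_wordpress function, eval of a decoded payload, and an outbound cURL call, and that checks the file's hash against a baseline taken from a clean install. The PHP fragments, the example.invalid URL and the baseline hash are constructed for the demonstration.

```python
import hashlib
import re

# Indicators drawn from the injection chain described in the quoted article:
# an injected function named counter_wordpress, decoded (base64/gzinflate/eval)
# code, and an outbound cURL call placed in a WordPress core file.
SUSPICIOUS_PATTERNS = {
    "injected counter_wordpress function": re.compile(r"function\s+counter_wordpress\s*\("),
    "eval of decoded payload": re.compile(
        r"eval\s*\(\s*(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\("),
    "outbound curl from core file": re.compile(r"\bcurl_(init|exec|setopt)\s*\("),
    "long base64-looking literal": re.compile(r"['\"][A-Za-z0-9+/]{120,}={0,2}['\"]"),
}

def scan_php(source: str):
    """Return (line_number, indicator) pairs for every suspicious line in a PHP source."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for label, pattern in SUSPICIOUS_PATTERNS.items():
            if pattern.search(line):
                findings.append((lineno, label))
    return findings

def integrity_changed(source: str, known_good_sha256: str) -> bool:
    """True when the file's SHA-256 no longer matches a baseline taken from a clean install."""
    return hashlib.sha256(source.encode()).hexdigest() != known_good_sha256

# Constructed sample of a clean wp-settings.php fragment (not the real file).
CLEAN_SETTINGS = """<?php
require( ABSPATH . WPINC . '/load.php' );
wp_initial_constants();
"""
# Constructed sample of the same fragment with an injected block appended. The
# base64 string decodes to the inert word "placeholder", not a real payload.
INJECTED_SETTINGS = CLEAN_SETTINGS + """
function counter_wordpress() {
    $ch = curl_init('http://example.invalid/');
    eval(base64_decode('cGxhY2Vob2xkZXI='));
}
"""
# Baseline hash a site owner would record from a known-clean copy of the file.
CLEAN_BASELINE = hashlib.sha256(CLEAN_SETTINGS.encode()).hexdigest()

if __name__ == "__main__":
    for finding in scan_php(INJECTED_SETTINGS):
        print(finding)
    print("modified since baseline:", integrity_changed(INJECTED_SETTINGS, CLEAN_BASELINE))
```

Pattern matching alone misses a freshly re-obfuscated injection, which is why the hash comparison against a clean copy is the more reliable of the two checks.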

Rennhack

Thanks Dave.

God this is frustrating.

Higgs

Quote from: HydroDave63 on Sep 24, 2012, 11:34
The ICAP error probably comes from the iframer trying to connect to the fake ICAP server.

Here is a fact-filled article on this iframer script, and why it is hard to detect. Chock full of coder stuff way over my head:

http://www.esotech.org/resources/cms/wordpress/wordpress-header-javascript-and-iframe-injection-problem-solution-and-analysis


While working on a development site, that sat idle before any actual work was done for a while, we noticed that some kind of iframe injection had occurred. There was no trace of it in the database or the server code, nothing that said iFrame, nothing that added extra scripts. This was a brand new website, template from scratch with no plugins and no content...I was pulling my hair out, but slowly started getting on to the situation, and with the help of Mike Brich from HavenLight Software, got right down to it after hours of investigation and head scratching.

This post will be very code intensive, but with full explanations, just a warning, I am jumping right into it!!
Overview

Bottom line this is how it works:

   Something Injects Code into wp-settings.php
   function counter_wordpress is decoded and sends a CURL request to a third party server with your computer info.
   CURL sends a string from third party server and injects javascript
   javascript communicates with yet another server and injects an iframe
   iFrame injects all sorts of other scripts, popups, java programs, and other iFrames from other servers.
   CURL'd server logs your IP and computer information, and the next time you visit hides itself, or prevents itself from showing its payload, for a while.
   Repeat.


(more pages follow)

So am I reading this correctly, that it seems like possibly nw.com may have a fake site injected into the PHP code that could be causing all of this?

Justin

HydroDave63

Quote from: Higgs on Sep 24, 2012, 03:02
So am I reading this correctly, that it seems like possibly nw.com may have a fake site injected into the PHP code that could be causing all of this?

Justin

That was my take on it as well. Kaspersky tells me I'm afflicted about every third day or so. I wipe it clean, lather rinse repeat. As the article describes, it is pretty well hidden, and looks like the reason it nails us viewers is to pimp out our browser profile/cookies/etc info to the receptor site.

Higgs

Ok my avast says this is the issue:

Infection:   JS:Redirector-MA [Trj]

I don't know what that means, just trying to give as much data as possible to help with the investigation.

Justin

OldHP

Quote from: Higgs on Sep 24, 2012, 03:02
So am I reading this correctly, that it seems like possibly nw.com may have a fake site injected into the PHP code that could be causing all of this? Justin

Quote from: HydroDave63 on Sep 24, 2012, 03:49
That was my take on it as well. Kaspersky tells me I'm afflicted about every third day or so. I wipe it clean, lather rinse repeat. As the article describes, it is pretty well hidden, and looks like the reason it nails us viewers is to pimp out our browser profile/cookies/etc info to the receptor site.

Or, could the folks having the problem have picked up the 'fake' somewhere else? Like y'all, I don't know. At this point I have not had a problem, I'll question my BIL and his brother when I see them this weekend! Sorry Mike, no answers, just questions!

RDTroja

I have Sophos at work (WinXP Pro/IE8) and AVG Pro at home (Windows7 Pro 64/IE8) and I have not had any messages at all.
"I won't eat anything that has intelligent life, but I'd gladly eat a network executive or a politician." - Marty Feldman

"Politics is supposed to be the second-oldest profession. I have come to understand that it bears a very close resemblance to the first." - Ronald Reagan

"I have never made but one prayer to God, a very short one: 'O Lord, make my enemies ridiculous.' And God granted it." - Voltaire

Rennhack

So... If it isn't happening in the forum, which has forum software, and banner ad software... It may NOT be those parts of the site.

I've also had no reports from any other pages of the site, so really that theory doesn't work... but the forum is more heavily used than other parts.

I can try disabling the picture software, and the picture on the home page, and see if that makes it go away.

I guess we will have to try disabling parts of the site one by one until we figure it out.

Higgs

Update; My avast on my PC is no longer warning me. I haven't tried the site from work lately.

Justin

Higgs

Update number 2: I no longer get the error above, at work.

Justin

Rennhack

I found one malicious program in the /logs/ section yesterday and removed it. I'm in the process of re-uploading the ad server software and photo gallery software with security patches. I'm on a satellite and cell phone connection so it takes a while. I recently finished re-downloading a local copy of the site.


Rennhack

Expect some down time tonight while I update some software.

GLW

Quote from: Rennhack on Sep 27, 2012, 02:29
Expect some down time tonight while I update some software.


been there, dun that,... the doormat to hell does not read "welcome", the doormat to hell reads "it's just business"

Rennhack

It's been quiet for a few days. I assume that means we figured it out finally.
