Virus attack
- Thread starter Laurie
- Start date
Roger W
Well-known member
My Kaspersky threw up a "Trojan - access denied" flash when I logged on just now.
For the backroom boys' info, it is logged as being at http://domaingranted(dot)net(slash)B6jsr(and a lot of other stuff)...UkK17p8b/pdfx(dot)html
I can provide the missing bit in the middle if anyone needs it.
Roger
For the backroom boys' info, it is logged as being at http://domaingranted(dot)net(slash)B6jsr(and a lot of other stuff)...UkK17p8b/pdfx(dot)html
I can provide the missing bit in the middle if anyone needs it.
Roger
rhychydwr1
Active member
Same happened to me but AVIS wiped it.
bubba
Administrator
Can the people who've had this issue please give as much information as they can?
e.g.
- full error message from the AV software
- which AV software
- which browser (+version)
- OS
I've not noticed anything untoward at all whilst using the site using FF17 on Windows and I do run AV and anti-malware scanners.
e.g.
- full error message from the AV software
- which AV software
- which browser (+version)
- OS
I've not noticed anything untoward at all whilst using the site using FF17 on Windows and I do run AV and anti-malware scanners.
Roger W
Well-known member
Using IE9 and Kaspersky Internet Security 2012.
Operating system: Windows 7
Have logged on and off again 3/4 times today.
First time, Kaspersky denied a Trojan (HEUR: Trojan.Script.Generic):
http://domaingranted( dot )net/B6jsra0jwqq01bI80( I'm putting a gap in here 'cos I don't want to risk posting an active doodah )WW0ggsq0sMbY0ZEjJ0IN6J0XwG10OxND0jymk0YRv009FiY0icJw172l30QUkK17p8b/pdfx( dot )html
Next two times, denied phishing URL:
http://rtffeatureand( dot )org/5u3FLR02z3b0eRLx0GQu( space as before )T0e4DX0LicG0fcJB0zCua0Dwyt0NK3o05i1Y0Obm30ugiq11e7V0yH0w0WQei0N0PK/
This last time, got the phishing ULR when I went on UKCaving and then the Trojan when I actually logged on.
Roger
Operating system: Windows 7
Have logged on and off again 3/4 times today.
First time, Kaspersky denied a Trojan (HEUR: Trojan.Script.Generic):
http://domaingranted( dot )net/B6jsra0jwqq01bI80( I'm putting a gap in here 'cos I don't want to risk posting an active doodah )WW0ggsq0sMbY0ZEjJ0IN6J0XwG10OxND0jymk0YRv009FiY0icJw172l30QUkK17p8b/pdfx( dot )html
Next two times, denied phishing URL:
http://rtffeatureand( dot )org/5u3FLR02z3b0eRLx0GQu( space as before )T0e4DX0LicG0fcJB0zCua0Dwyt0NK3o05i1Y0Obm30ugiq11e7V0yH0w0WQei0N0PK/
This last time, got the phishing ULR when I went on UKCaving and then the Trojan when I actually logged on.
Roger
bubba
Administrator
The two domains (domaingranted and rtffeatureand) both seem to be dodgy URLs (Chrome flags them as malicious), as correctly identified by your copy of Kaspersky, which is why it's doing it's job blocking them.
The question is why are you getting these when you're using ukcaving?
Is ukcaving.com the only site that is causing this issue? It might be worth trying some other randomly chosen SMF based forums that are unrelated, for example: this one or this one - do either of these throw up problems?
Have you tried using a different browser like Firefox or Chrome? Same issues?
I'm running Win 7 and have checked ukcaving using IE9 without issue. I've also checked for any server changes and can't see any.
I'm not by any means a web security expert but when we've had problems like this before it's generally down to the user's machine being infected by some adware/malware.
I would suggest using your AV to do a full system scan. I would also download and do a full scan using Malwarebytes Anti Malware and something like Spybot
If all that comes back negative then we probably have an issue on the server but given that some of us are using the site without issue I'm inclined to think that perhaps your machine has a nasty on it. I'm sorry if this isn't what you want to hear but I hope I'm right and the server hasn't been compromised.
The question is why are you getting these when you're using ukcaving?
Is ukcaving.com the only site that is causing this issue? It might be worth trying some other randomly chosen SMF based forums that are unrelated, for example: this one or this one - do either of these throw up problems?
Have you tried using a different browser like Firefox or Chrome? Same issues?
I'm running Win 7 and have checked ukcaving using IE9 without issue. I've also checked for any server changes and can't see any.
I'm not by any means a web security expert but when we've had problems like this before it's generally down to the user's machine being infected by some adware/malware.
I would suggest using your AV to do a full system scan. I would also download and do a full scan using Malwarebytes Anti Malware and something like Spybot
If all that comes back negative then we probably have an issue on the server but given that some of us are using the site without issue I'm inclined to think that perhaps your machine has a nasty on it. I'm sorry if this isn't what you want to hear but I hope I'm right and the server hasn't been compromised.
Alex
Well-known member
I ended up with a virus at around that date, did not think UKcaving caused it, it could have been unrelated but I spent a good 4 hours getting rid of it and restoring firewalls etc. It was a nasty virus that infected servies.exe which of course crashed the computer when AVG tried to remove it. With that fixed (from a windows 7 cd) I had to spend several hours restoring my firewall, windows defender and other services the virus messed with.
danthecavingman
Member
Evening all, just now from my Norton 360 as I logged in:
Category: Intrusion Prevention
Date & Time, 2013-06-14 19:18:52
Risk, High
Activity,An intrusion attempt by 53df:7d06::0 was blocked
Status,Blocked
Recommended Action,No Action Required
IPS Alert Name,Web Attack: Java CVE-2013-2423 RCE
Default Action,No Action Required
Action Taken,No Action Required
Attacking Computer,"53df:7d06::0, 80"
Attacker URL,"www.communicatemagazine.co.uk/plugins/editors/tinymce/jscripts/tiny_mce/plugins/media/images/.cache/?f=atom.jar&k=5358709419027932&h=bc5c75e226ea4554"
Destination Address, "c0a8:146::801:740a:80fa:ffff, 50442",
Source Address, 53df:7d06::0
Traffic Description "TCP, www-http"
Network traffic from <b>www.communicatemagazine.co.uk/plugins/editors/tinymce/jscripts/tiny_mce/plugins/media/images/.cache/?f=atom.jar&k=5358709419027932&h=bc5c75e226ea4554</b> matches the signature of a known attack. The attack was resulted from \DEVICE\HARDDISKVOLUME3\PROGRAM FILES (X86)\JAVA\JRE7\BIN\JAVA.EXE.
To stop being notified for this type of traffic, in the <b>Actions</b> panel, click <b>Stop Notifying Me</b>.
Category: Intrusion Prevention
Date & Time, 2013-06-14 19:18:52
Risk, High
Activity,An intrusion attempt by 53df:7d06::0 was blocked
Status,Blocked
Recommended Action,No Action Required
IPS Alert Name,Web Attack: Java CVE-2013-2423 RCE
Default Action,No Action Required
Action Taken,No Action Required
Attacking Computer,"53df:7d06::0, 80"
Attacker URL,"www.communicatemagazine.co.uk/plugins/editors/tinymce/jscripts/tiny_mce/plugins/media/images/.cache/?f=atom.jar&k=5358709419027932&h=bc5c75e226ea4554"
Destination Address, "c0a8:146::801:740a:80fa:ffff, 50442",
Source Address, 53df:7d06::0
Traffic Description "TCP, www-http"
Network traffic from <b>www.communicatemagazine.co.uk/plugins/editors/tinymce/jscripts/tiny_mce/plugins/media/images/.cache/?f=atom.jar&k=5358709419027932&h=bc5c75e226ea4554</b> matches the signature of a known attack. The attack was resulted from \DEVICE\HARDDISKVOLUME3\PROGRAM FILES (X86)\JAVA\JRE7\BIN\JAVA.EXE.
To stop being notified for this type of traffic, in the <b>Actions</b> panel, click <b>Stop Notifying Me</b>.
danthecavingman
Member
Guys,
This as well....
Category: Intrusion Prevention
Date & Time, 2013-06-14 19:18:52
Risk, High
Activity,An intrusion attempt by 53df:7d06::0 was blocked
Status, Blocked
Recommended Action, No Action Required
IPS Alert Name, Web Attack: Malicious Java File Download 9
Default Action, No Action Required
Action Taken, No Action Required
Attacking Computer, 53df:7d06::0, 80
Attacker URL, www.communicatemagazine.co.uk/plugins/editors/tinymce/jscripts/tiny_mce/plugins/media/images/.cache/?f=site.jar&k=5358709419027910&h=bc5c75e226ea4554
Destination Address, c0a8:146::801:740a:80fa:ffff, 50443
Source Address, 53df:7d06::0
Traffic Description TCP, www-http
Network traffic from <b>www.communicatemagazine.co.uk/plugins/editors/tinymce/jscripts/tiny_mce/plugins/media/images/.cache/?f=site.jar&k=5358709419027910&h=bc5c75e226ea4554</b> matches the signature of a known attack. The attack was resulted from \DEVICE\HARDDISKVOLUME3\PROGRAM FILES (X86)\JAVA\JRE7\BIN\JAVA.EXE. To stop being notified for this type of traffic, in the <b>Actions</b> panel, click <b>Stop Notifying Me</b>.
This as well....
Category: Intrusion Prevention
Date & Time, 2013-06-14 19:18:52
Risk, High
Activity,An intrusion attempt by 53df:7d06::0 was blocked
Status, Blocked
Recommended Action, No Action Required
IPS Alert Name, Web Attack: Malicious Java File Download 9
Default Action, No Action Required
Action Taken, No Action Required
Attacking Computer, 53df:7d06::0, 80
Attacker URL, www.communicatemagazine.co.uk/plugins/editors/tinymce/jscripts/tiny_mce/plugins/media/images/.cache/?f=site.jar&k=5358709419027910&h=bc5c75e226ea4554
Destination Address, c0a8:146::801:740a:80fa:ffff, 50443
Source Address, 53df:7d06::0
Traffic Description TCP, www-http
Network traffic from <b>www.communicatemagazine.co.uk/plugins/editors/tinymce/jscripts/tiny_mce/plugins/media/images/.cache/?f=site.jar&k=5358709419027910&h=bc5c75e226ea4554</b> matches the signature of a known attack. The attack was resulted from \DEVICE\HARDDISKVOLUME3\PROGRAM FILES (X86)\JAVA\JRE7\BIN\JAVA.EXE. To stop being notified for this type of traffic, in the <b>Actions</b> panel, click <b>Stop Notifying Me</b>.
RobinGriffiths
Well-known member
tiny_mce a wysiwyg browser based html editor. I've used it in the past at work. The url at which the javascript is referenced might be compromised ?
