Do we have a virus?


Bain

My anti-virus program has intercepted the yuck below the last two times I logged onto TIJ. Is my anti-virus misinterpreting something, or have we been hit?

URL: ateperblizko.com/main.php?page

Process: file://C:\Program Files (x86)\Internet E...

Infection: js:Downloader-BDR [Trj]

Edited by Michael Brown: Took the http off the URL so it's not a link.


As soon as I read the title and saw who posted it, I thought "oh, this is gonna be good"........

Ha, ha. This time, I've turned off the bullshit and am actually being serious.

I didn't check in over the weekend, so I'm reading the 6,342,985 new posts, and I'm continually getting warnings that the virus is being blocked.


Yeah, I got it too.

It was only a matter of time before the Bain Strain made it to NY.


That happened to me over the weekend too, when I tried to view forum feeds here. I didn't copy it so I can't say for sure, but the "js:downloader" was on my screen as well.

It has happened to me before and it's not a virus. It seems to be related to the RSS feed or feed reader. I usually use the feed reader built into my browser (IE or Firefox). Sometimes it corrects itself, but sometimes I have to reset my feeds.

If anyone has a recommendation for a great RSS reader, please share.


Hi,

I'm not sure. Yesterday I did have a pop-up occur while I was on this site. Cyber Defender grabbed it instantly and told me to block it so I did. I don't know if it came from here or somewhere else; I had about ten tabs on various places on the net open simultaneously so it could have come from any one of them. If it continues maybe Mike Brown can contact the ISP and ask them to scan their system.

ONE TEAM - ONE FIGHT!!!

Mike


Yes, it looks like we were hit with an attack from a Russian hacker site.

TIJ User: Falknat

Uploaded a php script to the server; it was in the Falknat directory, named 332.php. I have the file saved and will decompile it when I get a minute.

He has no posts, so I'm still not sure how he triggered the script. The only .php file we have running is on the addthis buttons (bookmarks.php) and it's on their site.

I disabled the php scripts on the server so they won't run at all now. The site runs in asp anyway.

We still need to fix how he uploaded the file and find out how he linked to it. Anyone delete a post from him? What pages triggered it?

This is all I have on him right now:

email: Fantom-pro@mail.ru

IP 188.64.170.188

Host h1net188-64-170-188.h1host.ru

Country Code RU

Country Name Russian Federation

Latitude 60

Longitude 100


What page any info to go with it? I'm not getting anything but google's alert?

See: http://www.daviswj.net/misc/Clipboard01.jpg

Pops up with just about any main forum page load (though apparently not when reading an individual topic). The "More Details ..." link in the image just leads to a generic Avast page on how they've blocked a threat.

Bill Davis


All I get is the Google alert. Nothing from Norton.

Ditto. Nothing in my Norton history that seems to be linked to this.

If I'm reading the Google alert details correctly, just getting rid of the script, virus, whatever, may not be enough. It seems someone will then have to convince the nerds at Google that everything is now clear.

Meanwhile, I suspect our traffic is going to get very light. I doubt many will risk clicking on the ignore option.


It looks like I got it, but I wanted to make absolutely sure. Php was enabled by default and we certainly don't need it. It looks like I found how it was uploaded. From everything I read this is a php hack and disabling all php is going to stop it dead. I wanted to make sure that it didn't inject any scripts anywhere also. I scanned the site a couple of times now and all looks okay so far.

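The posts above describe a .php file dropped into a per-user upload directory on a site that only needs ASP, with PHP execution then switched off; the added example below (not code from the thread or from the forum software) is the kind of follow-up sweep an admin would run over the upload tree to confirm nothing else was planted. Directory and file names are constructed to mirror the thread, not the real server layout.

```python
import os
import re
import tempfile

# Extensions a user-upload directory (avatars, attachments) should never hold on an ASP site.
SCRIPT_EXTENSIONS = {".php", ".php3", ".php5", ".phtml", ".asp", ".aspx", ".cgi", ".pl"}
# A PHP open tag inside a file with an innocent extension is still worth a look.
PHP_TAG = re.compile(rb"<\?(php|=)", re.IGNORECASE)


def scan_upload_tree(root):
    """Walk an upload tree and return sorted (relative path, reason) findings."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            parts = name.lower().split(".")
            exts = {"." + p for p in parts[1:]}  # also catches double extensions like x.php.gif
            if exts & SCRIPT_EXTENSIONS:
                findings.append((rel, "script extension in upload directory"))
                continue
            with open(path, "rb") as fh:
                head = fh.read(4096)  # tags planted this way sit near the start of the file
            if PHP_TAG.search(head):
                findings.append((rel, "PHP open tag inside a non-script file"))
    return sorted(findings)


def build_sample_tree():
    """Constructed sample tree: per-user directories, one holding a 332.php placeholder."""
    root = tempfile.mkdtemp(prefix="uploads_")
    os.makedirs(os.path.join(root, "Falknat"))
    os.makedirs(os.path.join(root, "Bain"))
    with open(os.path.join(root, "Falknat", "332.php"), "wb") as fh:
        fh.write(b"<?php /* constructed placeholder, not the real file */ ?>")
    with open(os.path.join(root, "Falknat", "avatar.gif"), "wb") as fh:
        fh.write(b"GIF89a" + b"\x00" * 32 + b"<?php echo 1; ?>")  # constructed: tag hidden in a "gif"
    with open(os.path.join(root, "Bain", "photo.jpg"), "wb") as fh:
        fh.write(b"\xff\xd8\xff\xe0" + b"\x00" * 64)  # constructed: benign image bytes
    return root


if __name__ == "__main__":
    for rel, reason in scan_upload_tree(build_sample_tree()):
        print(f"{rel}: {reason}")
```

Anything the sweep reports should be preserved for analysis before removal, and the upload handler that accepted it is the thing to fix, not just the file.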

Now the rest of the story.

Chad tells me that the other night he nuked some horses-ass-with-teeth link dropper that had posted all over the site and locked the numbnuts' profile. It took Chad a while to clean up the mess and he fired off a possibly intemperate email to the malefactor. Not long afterward, voilà, we got malware - from Russia without love, no less.

I think that Chad pissed the guy off and the guy did something to drop a dime with google claiming that TIJ is infected and that's why it's only google that keeps creating the alert. I suspect he's also figured a way to cause that little warning "Warn your friends to avoid this website" and he's sitting back on his Ruskie ass swigging a fifth of Vodka and is chortling about the whole thing.

According to Google, they'll scan us tonight. If their software finds the script again, they'll keep the alert up. If it's gone, their software will automatically remove the alert.

The Russians have some of the best cyber crime hackers in the world; and, unlike most hackers, they aren't very passive. Piss one off and you end up with a pig wrestle on your hands. I think we'll get a little muddy before we get rid of Boris.

ONE TEAM - ONE FIGHT!!!

Mike

