Do we have a virus?

[Bain]

My anti-virus program has intercepted the yuck below the last two times I logged onto TIJ. Is my anti-virus misinterpreting something, or have we been hit?

URL: ateperblizko.com/main.php?page

Process: file://C:\Program Files (x86)\Internet E...

Infection: js:Downloader-BDR [Trj]

Edited Michael Brown:Took out the http off URL so it's not a link.

[Brandon Whitmore]

As soon as I read the title and saw who posted it, I thought "oh, this is gonna be good"........

[Bain]

As soon as I read the title and saw who posted it, I thought "oh, this is gonna be good"........

Ha, ha. This time, I've turned off the bullshit and am actually being serious.

I didn't check in over the weekend, so I'm reading the 6,342,985 new posts, and I'm continually getting warnings that the virus is being blocked.

[Chad Fabry]

As soon as I read the title and saw who posted it, I thought "oh, this is gonna be good"........

Ha, ha. This time, I've turned off the bullshit and am actually being serious.

I didn't check in over the weekend, so I'm reading the 6,342,985 new posts, and I'm continually getting warnings that the virus is being blocked.

Yeah, I got it too.

It was only a matter of time before the Bain Strain made it to NY.

[Ben H]

As soon as I read the title and saw who posted it, I thought "oh, this is gonna be good"........

I wish we had a like button.

[kurt]

Nuthin here.......but I'm on a Mac.

[caryseidner]

That happened to me over the weekend too, when I tried to view forum feeds here. I didn't copy it so I can't say for sure, but the "js:downloader" was on my screen as well.

It has happened to me before and it's not a virus. It seems to be related to the RSS feed or feed reader. I usually use the feed reader built into my browser (IE or Firefox). Sometimes it corrects itself, but sometimes I have to reset my feeds.

If anyone has a recommendation for a great RSS reader, please share.

[Scottpat]

I'm getting it as well when I refresh a page or log on the site.

[hausdok]

Hi,

I'm not sure. Yesterday I did have a pop-up occur while I was on this site. Cyber Defender grabbed it instantly and told me to block it so I did. I don't know if it came from here or somewhere else; I had about ten tabs on various places on the net open simultaneously so it could have come from any one of them. If it continues maybe Mike Brown can contact the ISP and ask them to scan their system.

ONE TEAM - ONE FIGHT!!!

Mike

[Tom Raymond]

I've gotten the warning several times today. It says the outfit in Bain's post is known to distribute malware. It gives me the option to retreat in 'safe browsing mode' or 'proceed anyway'. Since I'm at the day job and my computer is a POS I selected the later hoping it would net me a new one.

No such luck, dammit!

[hausdok]

I just got off the phone with Mike Brown. He'll be looking into it.

OT - OF!!!

M.

[Michael Brown]

Yes it looks like we were hit with an attack from a Russian hacker site.

TIJ User: Falknat

Uploaded a php script to the server it was in the Falknat directory named 332.php. I have the file saved and will decompile it when I get a minute.

He has no posts, so I'm still not sure how he triggered the script? The only .php file we have running is on the addthis buttons (bookmarks.php) and it's on their site.

I disabled the php scripts on the server so they won't run at all now. The site runs in asp anyway.

We still need to fix how he uploaded the file and find out how he linked to it. Anyone delete a post from him? What pages triggered it?

This is all I have on him right now:

email:Fantom-pro@mail.ru

IP 188.64.170.188

Host h1net188-64-170-188.h1host.ru

Country Code RU

Country Name Russian Federation

Latitude 60

Longitude 100

Click to Enlarge

9.12 KB

[Bill Davis]

Using Avast antivirus, still seeing the same alert.

[Michael Brown]

What page any info to go with it? I'm not getting anything but google's alert?

[Bill Davis]

What page any info to go with it? I'm not getting anything but google's alert?

See: http://www.daviswj.net/misc/Clipboard01.jpg

Pops up with just about any main forum page load (though apparently not when reading an individual topic). The "More Details ..." link in the image just leads to a generic Avast page on how they've blocked a threat.

Bill Davis

[Robert Jones]

All I get is the Google alert. Nothing from Norton.

[Richard Moore]

All I get is the Google alert. Nothing from Norton.

Ditto. Nothing in my Norton history that seems to be linked to this.

If I'm reading the Google alert details correctly, just getting rid of the script, virus, whatever, may not be enough. It seems someone will then have to convince the nerds at Google that everything is now clear.

Meanwhile, I suspect our traffic is going to get very light. I doubt many will risk clicking on the ignore option.

[Michael Brown]

I looks like I got but wanted to make absolutely sure. Php was enabled by default and we certainly don't need it. It looks like I found how it was uploaded. From everything I read this is a php hack and disabling all php is going to stop it dead. I wanted to make sure that it didn't inject any scripts also anywhere. I scanned the site a couple times now and all looks okay so far.

[Bain]

It's changed a little, or at least the wording's different. Maybe this will help you better understand it, Mike.

Infection Details

URL: https://www.inspectorsjournal.com/Forum/i...

Process: file://C:\Program Files (x86)\Internet E...

Infection: html:Iframe-inf

Warn your friends to avoid this website

[John Dirks Jr]

My Google Chrome browser picked it up too.

[gtblum]

My TIJ icon sends me to a Utube page. If I back page it from there, TIJ shows up. It kept shifting back to Utube earlier.

[Marc]

Chrome picks it up. IE does not. I suspect that what we perceive to be a google warning is not being done by google at all. It's part of the hack, a trojan.

Marc

[hausdok]

Now the rest of the story.

Chad tells me that the other night he nucked some horses-ass-with-teeth link dropper that had posted all over the site and locked the numbnuts' profile. It took him Chad a while to clean up the mess and he fired off a possibly intemperate email to the malefactor. Not long afterward, viola', we got malware - from Russion without love, no less.

I think that Chad pissed the guy off and the guy did something to drop a dime with google claiming that TIJ is infected and that's why it's only google that keeps creating the alert. I suspect he's also figured a way to cause that little warning "Warn your friends to avoid this website" and he's sitting back on his Ruskie ass swigging a fifth of Vodka and is chortling about the whole thing.

According to Google, they'll scan us tonight. If their software finds the scrip again, they'll keep the alert up. If it's gone, their software will automatically remove the alert.

The Russians have some of the best cyber crime hackers in the world; and, unlike most hackers, they aren't very passive. Piss one off and you end up with a pig wrestle on your hands. I think we'll get a little muddy before we get rid of Boris.

ONE TEAM - ONE FIGHT!!!

Mike

[randynavarro]

Cool Mike. Sounds like a Guy Noir episode.

[hausdok]

Ooooo...K

Had to google that too.

OT - OF!!!

M.