Bain Posted December 13, 2011 Report Share Posted December 13, 2011 My anti-virus program has intercepted the yuck below the last two times I logged onto TIJ. Is my anti-virus misinterpreting something, or have we been hit? URL: ateperblizko.com/main.php?page Process: file://C:\Program Files (x86)\Internet E... Infection: js:Downloader-BDR [Trj] Edited Michael Brown:Took out the http off URL so it's not a link. Link to comment Share on other sites More sharing options...
Brandon Whitmore Posted December 13, 2011 Report Share Posted December 13, 2011 As soon as I read the title and saw who posted it, I thought "oh, this is gonna be good"........ Link to comment Share on other sites More sharing options...
Bain Posted December 13, 2011 Author Report Share Posted December 13, 2011 As soon as I read the title and saw who posted it, I thought "oh, this is gonna be good"........ Ha, ha. This time, I've turned off the bullshit and am actually being serious. I didn't check in over the weekend, so I'm reading the 6,342,985 new posts, and I'm continually getting warnings that the virus is being blocked. Link to comment Share on other sites More sharing options...
Chad Fabry Posted December 13, 2011 Report Share Posted December 13, 2011 As soon as I read the title and saw who posted it, I thought "oh, this is gonna be good"........ Ha, ha. This time, I've turned off the bullshit and am actually being serious. I didn't check in over the weekend, so I'm reading the 6,342,985 new posts, and I'm continually getting warnings that the virus is being blocked. Yeah, I got it too. It was only a matter of time before the Bain Strain made it to NY. Link to comment Share on other sites More sharing options...
Ben H Posted December 13, 2011 Report Share Posted December 13, 2011 As soon as I read the title and saw who posted it, I thought "oh, this is gonna be good"........ I wish we had a like button. Link to comment Share on other sites More sharing options...
kurt Posted December 13, 2011 Report Share Posted December 13, 2011 Nuthin here.......but I'm on a Mac. Link to comment Share on other sites More sharing options...
caryseidner Posted December 13, 2011 Report Share Posted December 13, 2011 That happened to me over the weekend too, when I tried to view forum feeds here. I didn't copy it so I can't say for sure, but the "js:downloader" was on my screen as well. It has happened to me before and it's not a virus. It seems to be related to the RSS feed or feed reader. I usually use the feed reader built into my browser (IE or Firefox). Sometimes it corrects itself, but sometimes I have to reset my feeds. If anyone has a recommendation for a great RSS reader, please share. Link to comment Share on other sites More sharing options...
Scottpat Posted December 13, 2011 Report Share Posted December 13, 2011 I'm getting it as well when I refresh a page or log on the site. Link to comment Share on other sites More sharing options...
hausdok Posted December 13, 2011 Report Share Posted December 13, 2011 Hi, I'm not sure. Yesterday I did have a pop-up occur while I was on this site. Cyber Defender grabbed it instantly and told me to block it so I did. I don't know if it came from here or somewhere else; I had about ten tabs on various places on the net open simultaneously so it could have come from any one of them. If it continues maybe Mike Brown can contact the ISP and ask them to scan their system. ONE TEAM - ONE FIGHT!!! Mike Link to comment Share on other sites More sharing options...
Tom Raymond Posted December 13, 2011 Report Share Posted December 13, 2011 I've gotten the warning several times today. It says the outfit in Bain's post is known to distribute malware. It gives me the option to retreat in 'safe browsing mode' or 'proceed anyway'. Since I'm at the day job and my computer is a POS I selected the later hoping it would net me a new one. No such luck, dammit! Link to comment Share on other sites More sharing options...
hausdok Posted December 13, 2011 Report Share Posted December 13, 2011 I just got off the phone with Mike Brown. He'll be looking into it. OT - OF!!! M. Link to comment Share on other sites More sharing options...
Michael Brown Posted December 13, 2011 Report Share Posted December 13, 2011 Yes it looks like we were hit with an attack from a Russian hacker site. TIJ User: Falknat Uploaded a php script to the server it was in the Falknat directory named 332.php. I have the file saved and will decompile it when I get a minute. He has no posts, so I'm still not sure how he triggered the script? The only .php file we have running is on the addthis buttons (bookmarks.php) and it's on their site. I disabled the php scripts on the server so they won't run at all now. The site runs in asp anyway. We still need to fix how he uploaded the file and find out how he linked to it. Anyone delete a post from him? What pages triggered it? This is all I have on him right now: email:Fantom-pro@mail.ru IP 188.64.170.188 Host h1net188-64-170-188.h1host.ru Country Code RU Country Name Russian Federation Latitude 60 Longitude 100 Click to Enlarge 9.12 KB Link to comment Share on other sites More sharing options...
Bill Davis Posted December 13, 2011 Report Share Posted December 13, 2011 Using Avast antivirus, still seeing the same alert. Link to comment Share on other sites More sharing options...
Michael Brown Posted December 13, 2011 Report Share Posted December 13, 2011 What page any info to go with it? I'm not getting anything but google's alert? Link to comment Share on other sites More sharing options...
Bill Davis Posted December 13, 2011 Report Share Posted December 13, 2011 What page any info to go with it? I'm not getting anything but google's alert? See: http://www.daviswj.net/misc/Clipboard01.jpg Pops up with just about any main forum page load (though apparently not when reading an individual topic). The "More Details ..." link in the image just leads to a generic Avast page on how they've blocked a threat. Bill Davis Link to comment Share on other sites More sharing options...
Robert Jones Posted December 13, 2011 Report Share Posted December 13, 2011 All I get is the Google alert. Nothing from Norton. Link to comment Share on other sites More sharing options...
Richard Moore Posted December 13, 2011 Report Share Posted December 13, 2011 All I get is the Google alert. Nothing from Norton. Ditto. Nothing in my Norton history that seems to be linked to this. If I'm reading the Google alert details correctly, just getting rid of the script, virus, whatever, may not be enough. It seems someone will then have to convince the nerds at Google that everything is now clear. Meanwhile, I suspect our traffic is going to get very light. I doubt many will risk clicking on the ignore option. Link to comment Share on other sites More sharing options...
Michael Brown Posted December 13, 2011 Report Share Posted December 13, 2011 I looks like I got but wanted to make absolutely sure. Php was enabled by default and we certainly don't need it. It looks like I found how it was uploaded. From everything I read this is a php hack and disabling all php is going to stop it dead. I wanted to make sure that it didn't inject any scripts also anywhere. I scanned the site a couple times now and all looks okay so far. Link to comment Share on other sites More sharing options...
Bain Posted December 13, 2011 Author Report Share Posted December 13, 2011 It's changed a little, or at least the wording's different. Maybe this will help you better understand it, Mike. Infection Details URL: https://www.inspectorsjournal.com/Forum/i... Process: file://C:\Program Files (x86)\Internet E... Infection: html:Iframe-inf Warn your friends to avoid this website Link to comment Share on other sites More sharing options...
John Dirks Jr Posted December 13, 2011 Report Share Posted December 13, 2011 My Google Chrome browser picked it up too. Link to comment Share on other sites More sharing options...
gtblum Posted December 14, 2011 Report Share Posted December 14, 2011 My TIJ icon sends me to a Utube page. If I back page it from there, TIJ shows up. It kept shifting back to Utube earlier. Link to comment Share on other sites More sharing options...
Marc Posted December 14, 2011 Report Share Posted December 14, 2011 Chrome picks it up. IE does not. I suspect that what we perceive to be a google warning is not being done by google at all. It's part of the hack, a trojan. Marc Link to comment Share on other sites More sharing options...
hausdok Posted December 14, 2011 Report Share Posted December 14, 2011 Now the rest of the story. Chad tells me that the other night he nucked some horses-ass-with-teeth link dropper that had posted all over the site and locked the numbnuts' profile. It took him Chad a while to clean up the mess and he fired off a possibly intemperate email to the malefactor. Not long afterward, viola', we got malware - from Russion without love, no less. I think that Chad pissed the guy off and the guy did something to drop a dime with google claiming that TIJ is infected and that's why it's only google that keeps creating the alert. I suspect he's also figured a way to cause that little warning "Warn your friends to avoid this website" and he's sitting back on his Ruskie ass swigging a fifth of Vodka and is chortling about the whole thing. According to Google, they'll scan us tonight. If their software finds the scrip again, they'll keep the alert up. If it's gone, their software will automatically remove the alert. The Russians have some of the best cyber crime hackers in the world; and, unlike most hackers, they aren't very passive. Piss one off and you end up with a pig wrestle on your hands. I think we'll get a little muddy before we get rid of Boris. ONE TEAM - ONE FIGHT!!! Mike Link to comment Share on other sites More sharing options...
randynavarro Posted December 14, 2011 Report Share Posted December 14, 2011 Cool Mike. Sounds like a Guy Noir episode. Link to comment Share on other sites More sharing options...
hausdok Posted December 14, 2011 Report Share Posted December 14, 2011 Ooooo...K Had to google that too. OT - OF!!! M. Link to comment Share on other sites More sharing options...
Recommended Posts
Create an account or sign in to comment
You need to be a member in order to leave a comment
Create an account
Sign up for a new account in our community. It's easy!
Register a new accountSign in
Already have an account? Sign in here.
Sign In Now