Site infected?

This topic is closed.

  • Site infected?

    OK, so browsing on CS! earlier today I started getting these whenever I load a page:


    Now, just a few minutes ago, I started getting these pop-ups on CS! even through Safari's pop-up blocker:


    I get the sinking feeling that malware has infected the site. Is anyone else getting this?

  • #2
    A trojan horse appeared on my computer this morning.

    First I've ever had in 1.5 years on this laptop.

    Is that related? I'm in the process of formatting right now, just saving everything to disc then going into recovery.
    I wasn't put on this earth to make you feel like a man ~ Mary Bertone


    • #3
      I believe that the admins are aware of the situation and are looking into it.
      Thanks for the details.
      I'm sure that will be helpful.
      Too tired of living and too tired to end it. What a conundrum.


      • #4
        Sounds like you got hit through email. MIME is generally only used in emails.

        I've been on throughout the day, I've gotten nothing. No warnings or anything.
        I've lost my mind ages ago. If you find it, please hide it.


        • #5
          Quoth LostMyMind
          Sounds like you got hit through email. MIME is generally only used in emails.

          I've been on throughout the day, I've gotten nothing. No warnings or anything.
          I wish it was the case. It specifically seems to be attacking through Java. I had to disable Java on Firefox to get through. And it's trying to download a .wmf file into computers. Script kiddies is more likely.


          • #6
            Quoth Immortal1982
            I wish it was the case. It specifically seems to be attacking through Java. I had to disable Java on Firefox to get through. And it's trying to download a .wmf file into computers. Script kiddies is more likely.
            xpl.wmf is the file that is showing up as what is to be downloaded. A quick Google search revealed that it's a trojan virus. Seems the virus is a fan of hitting forums. I noticed a post in some other forum in the search about the same exact problem/virus.
            "I've found that when you want to know the truth about someone, that someone is probably the last person you should ask." - House


            • #7
              Under investigation. Have taken a step or three, but I am about to contact the creators of the board software. It seems that there is possibly some security hole. If the site goes down, we are going to get it back. I have the databases backed up every Sunday, so we may lose a week's worth of posts, but that would be all.

              Rapscallion


              • #8
                I checked my system (Win2K, Netscape 7.2) and do not have the .wmf file in question.
                I'd like to suggest that those Windows users who do have that file set their file types to show ALL extensions so we can find out what that file really is (on my system, all the .wmf files I found were clip art, nothing executable).
                "Crazy may always be open for business, but on the full moon, it has buy one get one free specials." - WishfulSpirit

                "Sometimes customers remind me of zombies, but I'm pretty sure that zombies are smarter." - MelindaJoy77


                • #9
                  Thanks for that, though I'm more interested in anyone who's seen aberrant behaviour when visiting the site - asking to download files.

                  Rapscallion


                  • #10
                    If it helps anybody, I noticed that after adding the following line to the hosts file I don't have a problem with Firefox wanting to download the .wmf file:

                    127.0.0.1 proffy209.com

                    Basically proffy209.com is where the file is attempting to be downloaded from.
                    Last edited by LionMan; 08-20-2006, 08:12 AM.


                    • #11
                      All clear here... *stands guard & fixes bayonet*
                      "I reject your reality and substitute my own"....Adam Savage-Mythbuster

                      Must remember to stop using "brain of death" on slower morons.... I meant customers.


                      • #12
                        FWIW I use a Mac and on IE got asked if I wanted a cookie (same name each time, I think--zhmbscwdgk.biz, name=dial, content=uniq). I said yes the first time, then no for each launch afterwards--each time I then got a box full of gibberish asking me to approve a browser script, which I of course refused and force-quit. (I assumed the cookie was related to my new moderated status until the strange behavior set in.)

                        As the site was loading much more slowly than usual, I noticed it pausing to load bag.htm--don't know if that's related to my name, new status, coincidence or hack.

                        Tried Firefox (which I also rarely use and hadn't configured to reject cookies), couldn't believe it was what caused the monitor to go off (!) but I was able to see by opening the laptop that it was asking me to approve some kind of Windows script or file (don't recall language like that before).

                        Safari I had no problem with, but I noticed a ton of new caches and folders from each time I launched it--though upon investigation I found that to also be true for the handful of other times I used it in the past (I wasn't prompted to accept or reject cookies in my settings for this program).

                        Examined cookies in all browsers, nothing else suspicious, but let me know if I can offer more clues. Good luck.
                        I second that Frederick Douglass quote--unfortunately, so do a lot of SCs.


                        • #13
                          Looks like Raps and gang did get the code eliminated. I don't see any problems. Cache virus info, and how to get rid of it for those still infected. It was fairly simple. I just cleared the Java cache and updated to the latest version.


                          • #14
                            The WMF virus only works on Windows computers that have not had Windows updated in 2+ years. But it does slow the website (client side) down like crazy.

                            Good job server dudes, I just hope it doesn't become like the Dutch boy story where you might run out of fingers to plug the holes.
                            I've lost my mind ages ago. If you find it, please hide it.


                            • #15
                              The vBulletin team appear to have found how the scum got in.

                              Dealing with it.

                              We're waiting for a report on whether or not anything else was done, but we think we're in the clear for now.

                              Rapscallion
                              Last edited by Rapscallion; 08-20-2006, 05:11 PM.
