SUBSIM Radio Room Forums



SUBSIM: The Web's #1 resource for all submarine & naval simulations since 1997

Old 10-21-10, 12:33 AM   #121
Respenus
Ace of the Deep
 
Join Date: Sep 2006
Posts: 1,169
Downloads: 0
Uploads: 0
Default

Adding my small input, I've had Kaspersky Pure report infected links before trying to load together with Subsim.com. Now, even when blocking, it didn't stop the site from functioning, which would mean that there was some background link somewhere.

I'm just glad I can access Subsim again.
__________________

Respenus is offline   Reply With Quote
Old 10-21-10, 12:51 AM   #122
Castout
Silent Hunter
 
Join Date: Nov 2006
Location: Jakarta
Posts: 4,794
Downloads: 89
Uploads: 6
Default

Quote:
Originally Posted by Molon Labe View Post
Defamation lawsuit time!
It's left with Google trying to defame Subsim or advanced hackers not happy with Subsim content.

And judging from Subsim content it could range from North Korea, Iran, Obama, or the corrupt children in Singapore offended by my blog link or simply a recently disgruntled immature forum member...

But we never know for sure but the intention is surely to ruin the site's reputation and bring down the number of visitors and would-be visitors... to discourage them information or seeing content on this site.

My AV didn't report anything while loading Subsim... so if there were something it was brief...
__________________

Last edited by Castout; 10-21-10 at 01:08 AM.
Castout is offline   Reply With Quote
Old 10-21-10, 02:00 AM   #123
divingbluefrog
Medic
 
Join Date: Jan 2006
Posts: 164
Downloads: 63
Uploads: 1
Default

I've got the red warning for two days, tried several scans with various progs and found nothing.
This morning it's gone.

Last edited by divingbluefrog; 10-21-10 at 02:22 AM.
divingbluefrog is offline   Reply With Quote
Old 10-21-10, 03:12 AM   #124
Molon Labe
Silent Hunter
 
Join Date: Jun 2004
Location: Along the Watchtower
Posts: 3,810
Downloads: 27
Uploads: 5
Default

Back to normal here too. (Firefox user)
__________________
Molon Labe is offline   Reply With Quote
Old 10-21-10, 04:20 AM   #125
Stiebler
Fuel Supplier
 
 
Join Date: Oct 2005
Location: London, UK
Posts: 1,237
Downloads: 29
Uploads: 4


Default

I, too, am no longer experiencing 'attack site' complaints when using Firefox.

It is, perhaps, a little unfair to refer to stopbadware.org as a 'fly-by-night' company; worse, like another poster on this thread, to suggest that it might be involved in extortion.

I made a formal complaint yesterday to their contact e-mail address concerning the facts that:
a) SubSim was not an attack site (evidence: I had accessed SubSim.com repeatedly with Firefox and Internet Explorer, and then had made numerous anti-malware sweeps with different competing anti-virus/anti-spyware programs - no threat was ever seen.)
b) That there was no means for users to communicate to them on their web-pages that there was, in fact, no threat (or no longer a threat) and they should conduct fresh trials for malware.

I received, promptly back by e-mail, a friendly and knowledgeable answer acknowledging my points, stating that SubSim had already been taken off their 'attack sites' list, and agreeing that the real problem probably was attributable to links by users to infected third-party sites (a problem which could affect *any* website that allows readers to make comments, as well as SubSim itself), or alternatively malware delivered by one of SubSim's advertisers (probably unknowingly).

They still haven't addressed point (b) though.

Neal, if you're reading this:
I don't know whether the 'attack sites' problem is connected or not, but a click on my signature brings up a blank page, despite the fact that the files it should access are still there (seen by FTP). PM also sent.

Stiebler.
Stiebler is offline   Reply With Quote
Old 10-21-10, 04:36 AM   #126
Castout
Silent Hunter
 
Join Date: Nov 2006
Location: Jakarta
Posts: 4,794
Downloads: 89
Uploads: 6
Default

It's gone now, the attack site warning is now GONE!

__________________
Castout is offline   Reply With Quote
Old 10-21-10, 05:19 AM   #127
rsslcs
Bosun
 
Join Date: May 2009
Location: Stoke
Posts: 67
Downloads: 72
Uploads: 0
Default

I am still getting a red "malware detected!" warning, using Google Chrome.
rsslcs is offline   Reply With Quote
Old 10-21-10, 05:35 AM   #128
SashaKA001
中国水兵
 
Join Date: Mar 2010
Location: 47°46′46″N, 37°14′51″E
Posts: 271
Downloads: 231
Uploads: 0
Default

here can help you find the culprit.

SashaKA001 is offline   Reply With Quote
Old 10-21-10, 05:46 AM   #129
the_tyrant
Admiral
 
Join Date: Jun 2010
Location: Canada
Posts: 2,272
Downloads: 58
Uploads: 0
Default

Quote:
Originally Posted by SashaKA001 View Post
here can help you find the culprit.

I can't read the language but can you send the file mentioned on the third line through filedropper.com
the_tyrant is offline   Reply With Quote
Old 10-21-10, 06:35 AM   #130
Dowly
Lucky Jack
 
Join Date: Apr 2005
Location: Finland
Posts: 25,005
Downloads: 32
Uploads: 0


Default

Quote:
Originally Posted by the_tyrant View Post
I can't read the language but can you send the file mentioned on the third line through filedropper.com
That'd be the trojan, why on earth would he want to infect his PC just so he can send it to you?
Dowly is offline   Reply With Quote
Old 10-21-10, 07:09 AM   #131
longam
Admiral
 
Join Date: Jun 2005
Posts: 2,014
Downloads: 26
Uploads: 0
Default

Received a FF update and problem is gone. Don't know if they're related.
longam is offline   Reply With Quote
Old 10-21-10, 07:25 AM   #132
Onkel Neal
Born to Run Silent
 
 
Join Date: Jan 1997
Location: Cougar Trap, Texas
Posts: 21,294
Downloads: 534
Uploads: 224


Default

Quote:
Originally Posted by SashaKA001 View Post
here can help you find the culprit.


Thanks, can you translate the Cyrillic text? When was that screenshot taken? Does anyone with English Kaspersky AV get this? I will have to check again but I am pretty sure there are no javascripts in the forum other than the stock forum files.

thanks
Neal
__________________
SUBSIM - 26 Years on the Web
Onkel Neal is offline   Reply With Quote
Old 10-21-10, 07:57 AM   #133
Respenus
Ace of the Deep
 
Join Date: Sep 2006
Posts: 1,169
Downloads: 0
Uploads: 0
Default

Just got this:

21.10.2010 14:51:45 Web Anti-Virus Detected: HEUR:Exploit.Script.Generic Firefox betaword.co.cc /images/js.php//JIM

21.10.2010 14:51:47 Web Anti-Virus Detected: Trojan-Downloader.Java.Agent.hx Java(TM) Platform SE binary betaword.co.cc /images/jar5.php/bpac/a.class

21.10.2010 14:51:49 Web Anti-Virus Detected: Trojan-Downloader.Java.Agent.hw Java(TM) Platform SE binary betaword.co.cc /images/j.php/M8PFGFzL.class

This attack repeated 4 times. I'm using KAV Pure English version, latest database.

Man I just love KAV. Slows down computers to a halt, but creates a damn good barrier.

Hope this helps a bit.
__________________


Last edited by Respenus; 10-21-10 at 08:37 AM.
Respenus is offline   Reply With Quote
Old 10-21-10, 08:34 AM   #134
SeaWolf U-57
Ace of the Deep
 
Join Date: May 2008
Posts: 1,231
Downloads: 92
Uploads: 0
Default

Quote:
Originally Posted by Neal Stevens View Post
Seawolf, so far I have not been able to determine there ever was any trojans on the Subsim server. You may think there was, with your free AV system warning you, but that and $1 will buy a cup of coffee.

There may have been some problems with the Google ads being served (becoming more common, read this for more), I removed the ads from the forum.

Yes, a few people had AV warnings, but that does not prove anything, AVs often have false alarms. I checked the server and files, The Planet checked the server and files, and Admin Geeks checked the server and file--nothing has been discovered.

With the current Firefox/Chrome alerts, I have had the Planet Advance Support team check everything again. Still, nothing malicious has been found:


If SOMETHING evil had been found by these professionals, they would have fixed it and I would be 100% glad to report this. We could fix it and move on.

I am not saying there is absolutely nothing wrong, just that we cannot find anything wrong. I think the problem originated from Google ads, and some awesome dope reported Subsim as an evil site, and now Google is blacklisting us. Thanks, Google!

I am going to have an independent vBulletin technician check the database and files tomorrow, to double-check the work done by TPAS. Better safe than sorry.

Will report what I find, thanks.
Neal
I found this in my quarantine folder of Nod32; it was never allowed to install.

29/09/2010 …. drerlre.co.cc/client.zip… java/TrojanDownloader.agent.NBU trojan
29/09/2010 … drerlre .co.cc/1.zip ….. A variant of java/Mugade

(I removed the http:// to stop them being active links)

I connected using my Firefox browser

As for you saying that my antivirus is a free $1 worthless package, I would reply: well, at least it found the Trojans and blocked them the first time, and to prove to you it was real I was stupid enough to let them in.

29/09/2010 … drerlre.co.cc/client.zip …java/trojandownloader.agent.nbu
29/09/2010 … drerlre.co.cc/1.zip … a variant of java/mugade
I already said that they seemed to have gone

But I don't see why other people, who in this instance are just blowing wind, try to rubbish anyone who reported this.
SeaWolf U-57 is offline   Reply With Quote
Old 10-21-10, 08:59 AM   #135
Dowly
Lucky Jack
 
Join Date: Apr 2005
Location: Finland
Posts: 25,005
Downloads: 32
Uploads: 0


Default

I can vouch that the trojan Seawolf is speaking of was there, I tried one of the links he posted above back then and my Avast picked it up as well.

I also googled the address and it was listed on multiple malware/trojan prevention sites as a trojan.

I have no idea why only few are getting these things, tho.

One thing to note is that most of these trojans (I think all but one) that have been reported are all coming from co.cc ending URLs.
Dowly is offline   Reply With Quote
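
The pattern noted in post #135 (detections clustering under co.cc hosts) can be checked mechanically from the antivirus report lines quoted in post #133. This is an added example, not code from any poster in the thread; the line layout encoded in the regex is an assumption inferred from those three lines, and grouping by the last two host labels is a simplification.

```python
import re
from collections import defaultdict
from datetime import datetime

# Detection lines copied from post #133 above (Kaspersky Web Anti-Virus report).
SAMPLE_LOG = """\
21.10.2010 14:51:45 Web Anti-Virus Detected: HEUR:Exploit.Script.Generic Firefox betaword.co.cc /images/js.php//JIM
21.10.2010 14:51:47 Web Anti-Virus Detected: Trojan-Downloader.Java.Agent.hx Java(TM) Platform SE binary betaword.co.cc /images/jar5.php/bpac/a.class
21.10.2010 14:51:49 Web Anti-Virus Detected: Trojan-Downloader.Java.Agent.hw Java(TM) Platform SE binary betaword.co.cc /images/j.php/M8PFGFzL.class
"""

# Assumed layout, inferred from those three lines only: timestamp, component,
# verdict, requesting application (may contain spaces), host, path.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}\.\d{2}\.\d{4} \d{2}:\d{2}:\d{2}) Web Anti-Virus Detected: "
    r"(?P<verdict>\S+) (?P<app>.+?) "
    r"(?P<host>[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+) (?P<path>/\S*)$")

def parse(log_text):
    """One dict per detection line; lines that do not match are skipped."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            hit = m.groupdict()
            hit["ts"] = datetime.strptime(hit["ts"], "%d.%m.%Y %H:%M:%S")
            hits.append(hit)
    return hits

def parent_zone(host):
    """Last two labels of the host (a simplification, not a Public Suffix List lookup)."""
    return ".".join(host.lower().split(".")[-2:])

def summarize(hits):
    """Per parent zone: defanged hosts, verdicts in time order, seconds from first to last hit."""
    zones = defaultdict(lambda: {"hosts": set(), "verdicts": [], "times": []})
    for h in sorted(hits, key=lambda h: h["ts"]):
        z = zones[parent_zone(h["host"])]
        z["hosts"].add(h["host"].replace(".", "[.]"))  # defanged for sharing
        z["verdicts"].append(h["verdict"])
        z["times"].append(h["ts"])
    return {zone: {"hosts": sorted(z["hosts"]), "verdicts": z["verdicts"],
                   "span_seconds": (z["times"][-1] - z["times"][0]).total_seconds()}
            for zone, z in zones.items()}

if __name__ == "__main__":
    print(summarize(parse(SAMPLE_LOG)))
```

A script verdict followed within seconds by Java downloader verdicts from the same host reads as one chained page load rather than three unrelated events, which is why the summary keeps verdict order and the time span together.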
All times are GMT -5. The time now is 11:32 AM.

