SUBSIM Radio Room Forums



Old 10-05-10, 10:57 AM   #91
Catfish
Dipped Squirrel Operative
 

Hello,

6 p.m. here in Germany, all works now, no red screen anymore.

Seems it has something to do with the Java-pumped ads (?). I have written to MS (where this red unsafe screen obviously comes from) that the website itself sure is not an unsafe one.

Greetings,
Kai
Catfish is offline  
Old 10-05-10, 02:26 PM   #92
Herr-Berbunch
Kaiser Bill's batman
 

Looks ok here too today. Fingers crossed.
Herr-Berbunch is offline  
Old 10-05-10, 05:00 PM   #93
RickC Sniper
Undetectable
 

I came here today and got the unsafe website warning again with IE8, but then after cleaning out my history and temp files it did not show up.

So...this was a website issue and my PC should not have been affected?

I ran a scan of my PC and it found nothing, but I realize my AV isn't top-of-the-line. (MS Security Essentials)
__________________

Support Subsim http://www.subsim.com/store.html
RickC Sniper is offline  
Old 10-05-10, 10:25 PM   #94
Onkel Neal
Born to Run Silent
 

I don't think there was an issue; there was something with the JavaScript that was triggering some AV systems, not all of them. I checked all the forum files and none were "infected". I also replaced the forum system files with new copies, just to be sure. My tech finally sent in his report:

Quote:
When we looked at your server and ran a shell scan nothing was found, everything looked good and we simply upgraded the rest of your system packages that were outdated. I can appreciate though that the delays are not good, our sales queue unfortunately is extremely low priority at the moment so will go ahead and close this ticket.

Since it took so long for him to get with me, I also hired the datacenter advanced support to go through the server with a fine-tooth comb:

Quote:
Hello,
Our system administrators will begin the initial security audit and hardening for your server in 24 hours. During our initial audit our system administrators will do the following:
- Disable insecure services currently running and/or enabled
- Delete unnecessary user accounts
- Harden the SSH daemon (*nix systems)
- Secure mounted partitions
- Install and configure a software firewall (if you do not already have one installed or use an external firewall)
- Check running processes for insecure, unnecessary, or rogue processes
- Update the system kernel (*nix systems)
- Run a port scan to check for vulnerabilities
- Install and run a Rootkit check
- Run a system wide trojan detection task (including your forums)
- Update outdated services (this will vary depending on your current system configuration)
- Harden PHP by enabling Suhosin (This will not be performed unless you have cPanel, Plesk or DirectAdmin installed)
We will also perform ongoing security checks in maintenance which include:
- Monitoring the Exim/Qmail queue
- Performing audits with McAfee, Symantec, F-Secure, and Norton Anti-Virus systems.
- Conducting Monthly Audits (similar to the initial audit described above)

***IMPORTANT***
If you have any custom applications running on the server (such as remote backup via CDP, a gaming server application, custom Apache configuration, etc.) please reply to this ticket IMMEDIATELY so that our system administrators know about your custom software or configuration. This will allow us to configure our initial security audit to take your custom server configuration into account, ensuring that all of your applications continue to work correctly.
If we do not hear back from you within 24 hours, our administrators will assume that you have a default server configuration and would like all of the security precautions mentioned above enabled and/or installed on your server.
An initial audit report will be e-mailed to you once it has been completed. If you have any questions or comments please reply to this ticket. Thank you!
Regards,
Advanced Services Team
http://www.theplanet.com/

The server is clean, so I can't say what the problem was. I do appreciate the alerts, it's better to be safe than sorry.
__________________
SUBSIM - 26 Years on the Web
Onkel Neal is offline  
Old 10-07-10, 08:01 AM   #95
Catfish
Dipped Squirrel Operative
 

Hello,
sorry, but since yesterday, October 6th, the red screen is present again (Germany here).
Switching "off" the so-called SmartScreen filter in IE8, the red window does not come up. Switch the SmartScreen filter to "on", and the red window appears. Strangely enough, testing the site via the SmartScreen filter tells me that the site is safe. And then the red window comes up again.

Seems the site has been added to a list at MS, don't know why though.

Maybe a direct request at MS?

Greetings,
Catfish
Catfish is offline  
Old 10-07-10, 08:04 AM   #96
SeaWolf U-57
Ace of the Deep
 

Java download link is back.
SeaWolf U-57 is offline  
Old 10-07-10, 01:10 PM   #97
Magic1111
Silent Hunter
 


The problem is still with me ....!

[Image uploaded with ImageShack.us]

I've had the same problem for days....!

Best regards,
Magic
Magic1111 is offline  
Old 10-07-10, 01:45 PM   #98
Dowly
Lucky Jack
 

G35Driver's forums have the same issue as above, definitely a Trojan.

Neal, here's the Trojan URL (as it seems to be quite hard to read from the above image):

\\91.188.60.234\public\photo1.jpg
Dowly is offline  
Old 10-07-10, 06:51 PM   #99
stabiz
Silent Hunter
 

Yep, it's back and it's in the ads.
stabiz is offline  
Old 10-08-10, 02:23 AM   #100
SeaWolf U-57
Ace of the Deep
 

91.188.60.234 server doesn't look like that's in America

I wonder if that's a member's IP also
SeaWolf U-57 is offline  
Old 10-08-10, 02:32 AM   #101
Dowly
Lucky Jack
 

Sagade Ltd is still evil
http://www.computersecurityarticles....is-still-evil/
Dowly is offline  
Old 10-08-10, 10:31 PM   #102
Onkel Neal
Born to Run Silent
 

I wish this would happen on my computer so I would know what you're talking about. How is this "in the ads"? What ads? Only in the forum? Which style? I removed the flash ad.
Onkel Neal is offline  
Old 10-08-10, 11:03 PM   #103
Onkel Neal
Born to Run Silent
 

After reading the forum Dowly mentioned, I saw something about Google Analytics, so I have removed that from SmartDark, and looked out the other styles. Please let me know if the problem persists.
Onkel Neal is offline  
Old 10-09-10, 06:55 AM   #104
Onkel Neal
Born to Run Silent
 

10-9-10 update:
Quote:
Hello Neal,

A virus scan on your account does not show anything suspicious:

root@server2 [/home/subsimc/public_html/radioroom]# find -type f -not -name "*.7z" -not -name "*.rar" -not -name "*.zip" | sed 's/ /\\ /g' | xargs clamscan -i
xargs: unmatched single quote; by default quotes are special to xargs unless you use the -0 option

----------- SCAN SUMMARY -----------
Known viruses: 841714
Engine version: 0.96.3
Scanned directories: 0
Scanned files: 2347
Infected files: 0
Data scanned: 14.03 MB
Data read: 8.27 MB (ratio 1.70:1)
Time: 5.846 sec (0 m 5 s)

I am also unable to find any reference to the URL your client is complaining about or hidden functions that could provide a vector of attack in your site's code or database (except for thread 175495).

As such, the context clues suggest that they are suffering from a localized infection that will need to be removed using a virus scanner.

The only contraindication to this is that some browsers are reporting that the site is unsecure (though mine did not). If this continues, we'll need the exact URL that is causing the issue and the referring URL if they clicked through to your site so that we can attempt to reproduce the issue.

Regards,
Adam VanKirk
Systems Administrator, Advanced Services
RHCE, Security+

Anyone have the exact URL and referring URL mentioned above?
Onkel Neal is offline  
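
Added example (not part of the thread or of the hosting provider's procedure): the xargs error in the scan output quoted in post #104 means xargs stopped at the first filename it could not parse, so names listed after it were never handed to clamscan and the clean summary may cover only part of the tree. The sketch below reproduces that with constructed filenames and a stand-in scanner (an assumption, so it runs without ClamAV installed), then shows the NUL-delimited form.

```shell
#!/bin/sh
# Added example. The "scanner" here is a stand-in that prints one line per
# file it receives, so the two pipelines can be compared by counting lines.

# Constructed sample tree: names with a space and with a single quote.
make_sample_tree() {
    dir=$(mktemp -d) || return 1
    : > "$dir/index.php"
    : > "$dir/forum display.php"
    : > "$dir/neal's notes.txt"
    : > "$dir/archive.zip"      # excluded by the filter, as in the quoted command
    printf '%s\n' "$dir"
}

# Pipeline shape from the post: sed escapes spaces, but xargs still treats
# quote characters as syntax and aborts on the unmatched single quote.
count_naive() {
    ( cd "$1" && find . -type f ! -name '*.zip' \
        | sed 's/ /\\ /g' \
        | xargs sh -c 'for f in "$@"; do echo scanned; done' _ 2>/dev/null \
        | wc -l )
}

# NUL-delimited: every filename reaches the scanner byte for byte.
count_safe() {
    ( cd "$1" && find . -type f ! -name '*.zip' -print0 \
        | xargs -0 sh -c 'for f in "$@"; do echo scanned; done' _ \
        | wc -l )
}

# Real use (assumes ClamAV is installed; same archive filter as the post):
#   find . -type f ! -name '*.7z' ! -name '*.rar' ! -name '*.zip' -print0 \
#       | xargs -0 clamscan -i

demo() {
    tree=$(make_sample_tree) || return 1
    echo "naive pipeline reached the scanner with $(count_naive "$tree") of 3 files"
    echo "NUL-safe pipeline reached the scanner with $(count_safe "$tree") of 3 files"
    rm -rf "$tree"
}
demo
```

When reading a scan report, an xargs or find error above the summary is a reason to compare "Scanned files" against an independent file count before trusting "Infected files: 0".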
Old 10-09-10, 10:50 AM   #105
KeineK
Swabbie
 

Avast reports the domain as "drerlre.co.cc"
KeineK is offline  
All times are GMT -5.