Virus Warning Accessing This Forum

Status
Not open for further replies.

Ivo

Established Member
Joined
8 Jan 2010
Messages
7,307
Location
Bath (or Southend)
See below for the message I got. As with the Google problem though, it only came up the first time!

Running an emergency scan at present. 1.22 million objects so far and nothing - I'll update when done...

Scan complete. 1,302,005 objects, and nothing - not even any tracking software.
 

Schnellzug

Established Member
Joined
22 Aug 2011
Messages
2,926
Location
Evercreech Junction
Yes, I got a couple of messages saying that Norton had blocked something or other. It might have been helpful if I'd remembered what they were.
 

Ivo

Established Member
Joined
8 Jan 2010
Messages
7,307
Location
Bath (or Southend)
Here's a surprise: I'm now getting adverts for anti-virus software :roll:

Still, more useful than what I had last month!
 

Xenophon PCDGS

Veteran Member
Joined
17 Apr 2011
Messages
34,176
Location
A typical commuter-belt part of north-west England
I ran a full deep scan with the Norton 360 Anti-Virus (1,743,746 entries checked) and logged back on line.

I now keep receiving pop-up notes saying "Your browser blocked this website from displaying content with security certificate errors" every time that I try to make a posting entry. This did not happen before I caused the deep scan to take effect.
 

Eccles

Member
Joined
16 Dec 2011
Messages
23
Location
York
I use a bookmark to get here so I can't comment on the Google issue, but I have noticed Opera getting twitchy with this site recently - keeps warning me about clickjacking.

Watching my proxy logs I can see requests made to these two URLs each time a page is loaded:

http://javascript-collection.in/jquery.compatibility.js
http://gamessilver.in/in.cgi?

(Wouldn't recommend following either of those!)

Only seems to affect thread contents pages rather than topic lists...

A quick search through the PHP code for those two URLs might shed a bit of light?

Googling those two URLs doesn't turn up much, except the javascript one gives a result in Russian, which is rarely a good sign...!
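
The search suggested in the post above, for the two domains seen in the proxy log, as an added Python example (not part of the original post and not the forum's own code). It goes slightly beyond a plain text search by also matching the domains inside base64-encoded strings; the file extensions and the sample files are assumptions constructed for the demo.

```python
import base64
import tempfile
from pathlib import Path

# Domains named in this thread; file names and contents below are constructed.
INDICATORS = [b"javascript-collection.in", b"gamessilver.in"]

def base64_needles(indicator):
    """Yield the base64 fragment for each byte alignment (0, 1, 2 mod 3)."""
    for pad in range(3):
        encoded = base64.b64encode(b"\x00" * pad + indicator)
        start = (pad * 8 + 5) // 6             # skip chars mixed with preceding bytes
        end = (pad + len(indicator)) * 8 // 6  # stop before chars mixed with later bytes
        yield encoded[start:end]

def scan_bytes(data):
    """Return sorted (domain, form) findings for one file's contents."""
    findings = set()
    for ind in INDICATORS:
        if ind in data.lower():                # host names are case-insensitive
            findings.add((ind.decode(), "plain"))
        if any(needle in data for needle in base64_needles(ind)):
            findings.add((ind.decode(), "base64"))
    return sorted(findings)

def scan_tree(root, extensions=(".php", ".js", ".html")):
    """Map relative path -> findings for every matching file under `root`."""
    hits = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix in extensions:
            found = scan_bytes(path.read_bytes())
            if found:
                hits[str(path.relative_to(root))] = found
    return hits

def demo():
    """Scan a constructed sample tree (not files from the real forum)."""
    blob = base64.b64encode(b"// constructed: http://gamessilver.in/in.cgi?").decode()
    samples = {
        "clean.php": "<?php echo 'hello'; ?>",
        "footer.php": '<script src="http://javascript-collection.in/jquery.compatibility.js"></script>',
        "config.php": "<?php $x = '" + blob + "'; ?>",
    }
    with tempfile.TemporaryDirectory() as root:
        for name, body in samples.items():
            Path(root, name).write_text(body)
        return scan_tree(root)

if __name__ == "__main__":
    print(demo())
```

A hit only says where to look; a clean result does not rule out code hidden with other encodings or stored outside the scanned files.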
 

StoneRoad

Member
Joined
6 Jan 2010
Messages
341
Location
Haltwhistle
When coming here just now to sign in, my firewall/antivirus told me that a trojan or something called 'blackhole' (I think it was) had been blocked.
 

jopsuk

Veteran Member
Joined
13 May 2008
Messages
12,773
In Opera, I'm finding that as the page finishes loading (and it does quickly) unless I hit "Stop" fast enough, I'm redirected to Google with a pop-up blocked.
 

Statto

Established Member
Joined
8 Feb 2011
Messages
3,582
Location
At home or at the pub
See below for the message I got. As with the Google problem though, it only came up the first time!

Running an emergency scan at present. 1.25 million objects so far and nothing - I'll update when done...

That's the message I got, but I did a full scan which gave the all clear, no viruses.
 

MidnightFlyer

Veteran Member
Joined
16 May 2010
Messages
12,856
Is it a good or bad sign that I've noticed absolutely no difference and everything is running smoothly at my end?
 

Ivo

Established Member
Joined
8 Jan 2010
Messages
7,307
Location
Bath (or Southend)
Given the two Virus threads have been merged, this post is now worthless.
 

Peter Mugridge

Veteran Member
Joined
8 Apr 2010
Messages
16,392
Location
Epsom
My anti virus* is giving the blocked content with security certificate errors message in the form of a yellow bar across the top of the page, time 22.23. So whatever it is must still be present.


*Computer Associates, updates itself automatically every hour.
 

Xenophon PCDGS

Veteran Member
Joined
17 Apr 2011
Messages
34,176
Location
A typical commuter-belt part of north-west England
My anti virus* is giving the blocked content with security certificate errors message in the form of a yellow bar across the top of the page, time 22.23. So whatever it is must still be present.


*Computer Associates, updates itself automatically every hour.

Peter, see my posting # 35. This appears to be quite similar to what you describe here. Norton 360 ultra-deep scan found THREE "Blackhole" attempts to ingress my HP Pavilion desktop.
 

jon0844

Veteran Member
Joined
1 Feb 2009
Messages
29,527
Location
UK
As this forum runs vBulletin, I know that the forum I ran for a magazine (I've now left the company) was hacked.

My understanding is that it's rogue code put in an ad slot. And it's clever enough to divert the first time, and then (presumably using cookies or the IP address) working the next. So, most people would be redirected to a dodgy site (and invited to buy some scareware or something) but not the second time - making it incredibly hard for someone to spot. Especially when so many ad slots are dynamic, and based on the content of the page or other factors (cookies on machine showing what sites a visitor has been to recently).

It needs to be fixed, however, as sooner or later, Google will start flagging it on search results as a dodgy site - and then the traffic will fall hugely. It may even result in pages being removed entirely from Google (although you can apply to be rescanned once you can confirm the problem has been fixed).

I clicked the link as detailed at the start and did get a redirect, although Opera then picked up on it as being dodgy so I never proceeded. Upon clicking again later, it worked fine. Let me stress again; the admins on here must take it seriously! The page linked may have subject matter that is getting certain ads to appear, which are infected. If it's Google AdSense, there may well be a case of reporting the code to Google to fix. For the record, we also used AdSense.

Finally, in case anyone is worried - I think that the hack is simply to get you to go to another site to buy something, rather than something to infect your machine.
 

Ivo

Established Member
Joined
8 Jan 2010
Messages
7,307
Location
Bath (or Southend)
Progress is definitely being made on the forum's part, so kudos for that. For those that haven't noticed, there is now a Global Announcement relating to this issue.

For future reference: This is only valid until 10/03/2012.
 

MikeWh

Established Member
Associate Staff
Senior Fares Advisor
Joined
15 Jun 2010
Messages
8,116
Location
Crayford
I've noticed that McAfee sometimes displays a warning bar at the top of the page saying that it has blocked content. The content must be ad related though, because the page always looks the way it should. I've never thought much about it as I get it on other sites too, some much bigger than RailUK.
 

yorkie

Forum Staff
Staff Member
Administrator
Joined
6 Jun 2005
Messages
73,867
Location
Yorkshire
We are working to get this removed. I apologise for the delay.

The offending URLs are hosted on the following domains:

javascript-collection.in
gamessilver.in


(do not attempt to go to either of these sites)

They will of course re-direct to many other URLs.

Adding these URLs to your "black list" (depending on what software you use) or in a host-file to redirect to 127.0.0.1 will prevent the sites it redirects to being attempted to load on your computer. This attack is affecting other forums as well (I found a music forum with the exact same issue).

I recommend ensuring your operating system is up to date (all latest updates/patches etc installed), an up to date browser, and anti-virus software or equivalent installed and up to date.

I also run NoScript for added security, however it can be a bit of a pain at times (I personally think it's worth it; I add the sites I use to the trusted list when I visit them for the first time).

If you have an insecure OS/browser and/or no anti-virus software or have any concerns then do not visit this forum until around 1pm tomorrow by which time I hope we will have it fixed (at the latest I would hope).
 

headshot119

Established Member
Joined
31 Dec 2010
Messages
2,051
Location
Dubai
Just to advise the forum staff that Google Chrome and Firefox now give an attack site warning when trying to use the forum.
 

Ivo

Established Member
Joined
8 Jan 2010
Messages
7,307
Location
Bath (or Southend)
When accessing the site directly, I had an unknown configuration-related error message appear (see attachment). Google also resulted in the same response as mentioned by headshot119. Further to this, Hotmail SmartScreen (or whatever it is called) is blocking all attachments and hyperlinks in forum e-mails as "suspicious". Using such a link however is how I finally accessed the site this morning...!

Regarding the attachment though, note how the "domain" is noted as railouk.
 

Attachments

  • RUK Config Error.png

yorkie

Forum Staff
Staff Member
Administrator
Joined
6 Jun 2005
Messages
73,867
Location
Yorkshire
We are replacing infected files on the server today so you will get some configuration errors from time to time.

If anyone is not able to block javascript-collection.in and gamessilver.in then I would advise against accessing the forum until we have resolved the issues.

I have both of these domains blocked using a hosts file, which I would strongly recommend.
 

DXMachina

Member
Joined
24 Oct 2011
Messages
652
Confirmed, Google Chrome sees the site as hosting malware and puts up a warning - since I'm a Linux user this is a matter of very little concern.... Glad to see the mod team is on the job.
 

First class

Established Member
Joined
9 Aug 2008
Messages
2,731
The site wouldn't even load for the last hour for me. Got some weird code message. Imagine it's to do with the fix being applied.

rfnew.jpg
 

Badger

Member
Joined
17 Oct 2011
Messages
617
Location
Wolverhampton
I use NoScript and was still affected by the initial redirect - which means it must have been done with something like PHP header('url'), rather than JavaScript. However due to NoScript the redirected site itself (in theory) couldn't harm my PC.

NoScript shows javascript-collection.in is still trying to run scripts though.

The site wouldn't even load for the last hour for me. Got some weird code message. Imagine it's to do with the fix being applied.

You'll get this while files are down for editing to fix them. All that message really means is "config.php is missing".
 