Site virus !!

Got questions? We got answers....
ICRage42
Supporting Member
Posts: 598
Joined: 07:24 am Jan 09 2013
Country:
Location: Kawasaki, Ninja Ohio

Site virus !!

Post by ICRage42 »

cornishwrecker220 wrote: Thanks for your help guys I'll see what I can do at my end.....it flagged up again when I visited this site just now! ...it's funny but it doesn't do it on any other site..only here :sad:

Are you logged into another site when visiting, or just browsing but not logged in? I know you're logged in here, which is why I suspected some sort of keylogger etc.

Also, what is it saying is an exploit exactly?

What antivirus do you have?

Like I said, you might just be getting a PM and some antivirus think that is an exploit etc. Tools and functions associated with hacks, viruses or whatnot are shared by good programs too. When you have a PM here it forces a pop-up (believe you can disable). This in itself could create an exploit of sorts, especially with a pop-up blocker etc.

Best thing to do is go to an earlier restore point if you have it enabled. Pick one from a bit of a while ago; it takes a few minutes, but at least if it's a recent setting you changed you should be back to normal.

Install anything new lately?
If you cant fix it with a hammer, you have an electrical problem.
kawagumby
Gold Member
Posts: 927
Joined: 10:09 am Nov 30 2006
Country:
Location: California

Re: Site virus !!

Post by kawagumby »

I just picked up the same virus right now for the first time on this site, my AVG software says it blocked it.
1994 KDX200, Beta 200rr, yz125, yz250, kx100 modded for adult, gasgas contact 250.
Julien D
KDXRider.net
Posts: 5858
Joined: 07:53 pm Nov 07 2008
Country: USA
Contact:

Re: Site virus !!

Post by Julien D »

Did it give you a file name? I wonder if the Tapatalk redirect is causing a flag in AVG. There are other JS redirects in play, too, such as the redirect for the portal page, etc. I have AVG on my kids' PC at home. I'll check it out after work. I'm 100% sure this is nothing to worry about at this point, but I would still like to get to the bottom of it.



Sent from my HTC6500LVW using Tapatalk
kawagumby
Gold Member
Posts: 927
Joined: 10:09 am Nov 30 2006
Country:
Location: California

Re: Site virus !!

Post by kawagumby »

I didn't write it all down, but two of the terms used were xploit javashield

edit: if it happens again I'll try to get all the info provided. thanks!
1994 KDX200, Beta 200rr, yz125, yz250, kx100 modded for adult, gasgas contact 250.
cornishwrecker220
Member
Posts: 743
Joined: 06:37 am Nov 22 2009
Country:
Location: united kingdom

Site virus !!

Post by cornishwrecker220 »

The name I get is...Exploit:JS/Neclu.C
Tried a search but nothing comes back on it?
My PC security (Microsoft Security Essentials) blocks it, cleans & removes the offender whilst informing me. I haven't downloaded anything, nor have I visited any 'dodgy' sites; it's strange how it has just appeared & only when I visit here.
Gotanubike
Supporting Member III
Posts: 898
Joined: 01:00 pm May 22 2013
Country:
Location: Ontario, Can

Site virus !!

Post by Gotanubike »

Have you updated Java since it was compromised last year? I think I have Java disabled in my browser, unless a trusted application calls for it to be used, then I enable it temporarily. There was a warning issued by DHS last year to delete Java, but it was fixed if I recall correctly... Try getting the latest updates from the Java site.
1990 KDX200
Bike Profile -> http://www.kdxrider.net/forums/viewtopi ... 61#p136315
Suspension Overhaul(Shock+89-92 conventional forks) -> http://www.kdxrider.net/forums/viewtopi ... 15&t=15255
96'-98' RM125 Showa 49mm fork swap -> http://www.kdxrider.net/forums/viewtopi ... 04&t=16994
KDXrider world map! -> https://www.zeemaps.com/map?group=186158
ICRage42
Supporting Member
Posts: 598
Joined: 07:24 am Jan 09 2013
Country:
Location: Kawasaki, Ninja Ohio

Site virus !!

Post by ICRage42 »

If you cant fix it with a hammer, you have an electrical problem.
ICRage42
Supporting Member
Posts: 598
Joined: 07:24 am Jan 09 2013
Country:
Location: Kawasaki, Ninja Ohio

Re: Site virus !!

Post by ICRage42 »

Feb 7, 5 days ago; like I said, not caught up yet.

I don't have it and I'm not even running a firewall to get it :blink:
If you cant fix it with a hammer, you have an electrical problem.
Gotanubike
Supporting Member III
Posts: 898
Joined: 01:00 pm May 22 2013
Country:
Location: Ontario, Can

Site virus !!

Post by Gotanubike »

I run a .jar to spoof a user account so I can watch NHL streams so I sorta need it hahah
1990 KDX200
Bike Profile -> http://www.kdxrider.net/forums/viewtopi ... 61#p136315
Suspension Overhaul(Shock+89-92 conventional forks) -> http://www.kdxrider.net/forums/viewtopi ... 15&t=15255
96'-98' RM125 Showa 49mm fork swap -> http://www.kdxrider.net/forums/viewtopi ... 04&t=16994
KDXrider world map! -> https://www.zeemaps.com/map?group=186158
Julien D
KDXRider.net
Posts: 5858
Joined: 07:53 pm Nov 07 2008
Country: USA
Contact:

Re: Site virus !!

Post by Julien D »

I'm in the process of spinning up a new server on some VPS goodness. This will get us off the shared hosting service we've been using, and hopefully boost site performance quite a bit. Most of the file structure will be copied, but while I'm moving things I will be sure not to move anything that is not absolutely necessary. I don't know if this will help with your current issue, but we will see. I hope to have it live sometime within the next few weeks. Our current hosting agreement expires in April, I figured now is as good a time as any. :partyman:
kawagumby
Gold Member
Posts: 927
Joined: 10:09 am Nov 30 2006
Country:
Location: California

Re: Site virus !!

Post by kawagumby »

One of the two viruses AVG caught popped up again today (didn't yesterday).

Here are the details provided by AVG:

exploit javascript obfuscation (type 2875)

object name: kcu27yi.icecaprace.pw/2803557705/1392379860.htm
1994 KDX200, Beta 200rr, yz125, yz250, kx100 modded for adult, gasgas contact 250.
Julien D
KDXRider.net
Posts: 5858
Joined: 07:53 pm Nov 07 2008
Country: USA
Contact:

Re: Site virus !!

Post by Julien D »

Can you do me a favor, hit the new site at http://162.243.75.126, log in, and let me know if you get any alerts from there?

Thanks!

Jason
kawagumby
Gold Member
Posts: 927
Joined: 10:09 am Nov 30 2006
Country:
Location: California

Re: Site virus !!

Post by kawagumby »

Nothing yet from the new site - but even with the old site the viruses would only show up about every 5-6 logons (at best) so whatever is happening it doesn't appear to be resident.

I'll hit the new site every time I log in for a while...

Tom
1994 KDX200, Beta 200rr, yz125, yz250, kx100 modded for adult, gasgas contact 250.
Gotanubike
Supporting Member III
Posts: 898
Joined: 01:00 pm May 22 2013
Country:
Location: Ontario, Can

Site virus !!

Post by Gotanubike »

Did it give you an option to submit that virus to AVG? They'd likely add it to their database and have it blocked.

I did a search on this AVG JavaScript Obfuscation. This might be worth a look for AVG users, but read the comments. It seems it's false error reporting on behalf of AVG. It's what's known as a "false positive", or kdxrider.net was misidentified as a threat for using the same "program compilers or software libraries" that a malicious code author has been identified using on the same platform (I assume phpBB).

http://www.avgthreatlabs.com/virus-and- ... fuscation/

Also, not sure if you might have Windows updates turned on? I have regular .NET Framework updates come in, and that could have something to do with it.

Admins, do you use encryption? I read that if a webmaster decides to encrypt JavaScript, AVG could recognize it as a threat.
1990 KDX200
Bike Profile -> http://www.kdxrider.net/forums/viewtopi ... 61#p136315
Suspension Overhaul(Shock+89-92 conventional forks) -> http://www.kdxrider.net/forums/viewtopi ... 15&t=15255
96'-98' RM125 Showa 49mm fork swap -> http://www.kdxrider.net/forums/viewtopi ... 04&t=16994
KDXrider world map! -> https://www.zeemaps.com/map?group=186158
kawagumby
Gold Member
Posts: 927
Joined: 10:09 am Nov 30 2006
Country:
Location: California

Site virus !!

Post by kawagumby »

You'd think the false positive issue would have been addressed by now via AVG... look at the date of the comments. Plus, I've been using AVG for over 2 years and this is the first time it's blocked these activities. AVG was just updated on my computer a couple of weeks ago...and also blocked a trojan as well as the javascript obfuscation on this site.

Plus, this is the only site that has caused AVG intervention - in over 2 years - so something different is likely going on here.

It's also weird that days can go by before it shows itself again.
1994 KDX200, Beta 200rr, yz125, yz250, kx100 modded for adult, gasgas contact 250.
Julien D
KDXRider.net
Posts: 5858
Joined: 07:53 pm Nov 07 2008
Country: USA
Contact:

Re: Site virus !!

Post by Julien D »

I'm nearly 100% sure at this point that it's a false positive on AVG's part. Even AVG's website scanning service shows the site being clean, explain that. I have been through every index file and found no malicious code. The only thing that coincides with the time frame is re-installing Tapatalk's plugin.

On another note, the new site will probably go live tomorrow. I will have to take the forum down for a couple hours. Might be longer for some folks as DNS records propagate. We'll be leaving the current mess behind in either case. :)

:partyman:
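
One way to run the kind of file review described in the post above, as an added example that is not from the thread or from phpBB: it lists hosts that script and iframe tags load from outside an allow-list and flags common JavaScript packing constructs. The allow-list, file names, function names and sample contents are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Assumption: the only hosts this forum should load scripts or frames from.
ALLOWED_HOSTS = {"kdxrider.net", "www.kdxrider.net"}

# src attribute of <script> and <iframe> tags, single- or double-quoted.
TAG_SRC = re.compile(r"<(?:script|iframe)\b[^>]*?\bsrc\s*=\s*[\"']([^\"']+)[\"']", re.I)

# Constructs typical of packed or obfuscated JavaScript (heuristics only).
OBFUSCATION = {
    "eval-of-decoded-string": re.compile(
        r"eval\s*\(\s*(?:unescape|atob|String\.fromCharCode)\s*\(", re.I),
    "document.write-of-unescape": re.compile(
        r"document\.write\s*\(\s*unescape\s*\(", re.I),
    "long-fromCharCode-run": re.compile(r"fromCharCode\s*\((?:\s*\d+\s*,){20,}", re.I),
}

def external_hosts(text, allowed=ALLOWED_HOSTS):
    """Hosts loaded by script/iframe tags that are not on the allow-list."""
    hosts = set()
    for src in TAG_SRC.findall(text):
        host = urlparse(src).hostname  # None for relative paths
        if host and host.lower() not in allowed:
            hosts.add(host.lower())
    return sorted(hosts)

def obfuscation_hits(text):
    """Names of the heuristics above that match the text."""
    return sorted(name for name, rx in OBFUSCATION.items() if rx.search(text))

def review(files):
    """files maps path -> contents; returns only files needing a manual look."""
    findings = {}
    for path, text in files.items():
        hosts, hits = external_hosts(text), obfuscation_hits(text)
        if hosts or hits:
            findings[path] = {"hosts": hosts, "obfuscation": hits}
    return findings

# Constructed sample contents, not taken from the site discussed in the thread.
SAMPLE = {
    "index.php": '<script src="styles/forum.js"></script>',
    "header.html": '<script src="http://www.kdxrider.net/js/portal.js"></script>\n'
                   '<iframe src="//unexpected-host.example/a.htm" height="1"></iframe>',
    "footer.js": 'eval(unescape("%64%6f%63"));',
}

if __name__ == "__main__":
    for path, result in review(SAMPLE).items():
        print(path, result)
```

This only inspects the static file contents passed to it; templates stored in a database or markup injected at request time would need the same check run against fetched page output.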
kawagumby
Gold Member
Posts: 927
Joined: 10:09 am Nov 30 2006
Country:
Location: California

Re: Site virus !!

Post by kawagumby »

Good deal! :partyman:
1994 KDX200, Beta 200rr, yz125, yz250, kx100 modded for adult, gasgas contact 250.