
Site virus !!

Posted: 09:58 pm Feb 11 2014
by ICRage42
cornishwrecker220 wrote: Thanks for your help guys I'll see what I can do at my end.....it flagged up again when I visited this site just now! ...it's funny but it doesn't do it on any other site..only here :sad:
Are you logged into another site when visiting, or just browsing but not logged in? I know you're logged in here, which is why I suspected some sort of keylogger etc.

also what is it saying is an exploit exactly?

what antivirus do you have?

Like I said, you might just be getting a PM and some antivirus think that is an exploit etc. Tools and functions associated with hacks, viruses or whatnot also share the same for good programs too. When you have a PM here it forces a pop-up (believe you can disable); this in itself could create an exploit of sorts, especially with a pop-up blocker etc.

Best thing to do is go to an earlier restore point if you have it enabled. Pick one a bit a while ago; it takes a few minutes, but at least if it's a recent setting you changed you should be back to normal.

Install anything new lately?

Re: Site virus !!

Posted: 10:34 am Feb 12 2014
by kawagumby
I just picked up the same virus right now for the first time on this site, my AVG software says it blocked it.

Re: Site virus !!

Posted: 10:35 am Feb 12 2014
by Julien D
Did it give you a file name? I wonder if the Tapatalk redirect is causing a flag in AVG. There are other JS redirects in play, too, such as the redirect for the portal page, etc. I have AVG on my kids' PC at home. I'll check it out after work. I'm 100% sure this is nothing to worry about at this point, but I would still like to get to the bottom of it.




Re: Site virus !!

Posted: 10:44 am Feb 12 2014
by kawagumby
I didn't write it all down, but two of the terms used were xploit javashield

edit: if it happens again I'll try to get all the info provided. thanks!

Site virus !!

Posted: 12:31 pm Feb 12 2014
by cornishwrecker220
The name I get is...Exploit:JS/Neclu.C
Tried a search but nothing comes back on it?
My PC security (Microsoft Security Essentials) blocks it, cleans & removes the offender whilst informing me. I haven't downloaded anything, nor have I visited any 'dodgy' sites; it's strange how it has just appeared & only when I visit here.

Site virus !!

Posted: 12:58 pm Feb 12 2014
by Gotanubike
Have you updated Java since it was compromised last year? I think I have Java disabled in my browser, unless a trusted application calls for it to be used, then I enable it temporarily. There was a warning issued by DHS last year to delete Java, but it was fixed if I recall correctly... Try getting the latest updates from the Java site.

Site virus !!

Posted: 03:41 pm Feb 12 2014
by ICRage42

Re: Site virus !!

Posted: 03:43 pm Feb 12 2014
by ICRage42
Feb 7, 5 days ago; like I said, not caught up yet.

I don't have it and I'm not even running a firewall to get it :blink:

Site virus !!

Posted: 04:41 pm Feb 12 2014
by Gotanubike
I run a .jar to spoof a user account so I can watch NHL streams so I sorta need it hahah

Re: Site virus !!

Posted: 06:48 pm Feb 12 2014
by Julien D
I'm in the process of spinning up a new server on some VPS goodness. This will get us off the shared hosting service we've been using, and hopefully boost site performance quite a bit. Most of the file structure will be copied, but while I'm moving things I will be sure not to move anything that is not absolutely necessary. I don't know if this will help with your current issue, but we will see. I hope to have it live sometime within the next few weeks. Our current hosting agreement expires in April, I figured now is as good a time as any. :partyman:

Re: Site virus !!

Posted: 01:15 pm Feb 14 2014
by kawagumby
One of the two viruses AVG caught popped up again today (didn't yesterday).

Here are the details provided by AVG:

exploit javascript obfuscation (type 2875)

object name: kcu27yi.icecaprace.pw/2803557705/1392379860.htm

Re: Site virus !!

Posted: 03:06 pm Feb 14 2014
by Julien D
Can you do me a favor, hit the new site at http://162.243.75.126, log in, and let me know if you get any alerts from there?

Thanks!

Jason

Re: Site virus !!

Posted: 04:48 pm Feb 14 2014
by kawagumby
Nothing yet from the new site - but even with the old site the viruses would only show up about every 5-6 logons (at best), so whatever is happening it doesn't appear to be resident.

I'll hit the new site every time I log in for a while...

Tom

Site virus !!

Posted: 05:14 pm Feb 14 2014
by Gotanubike
Did it give you an option to submit that virus to AVG? They'd likely add it to their database and have it blocked

I did a search on this AVG Javascript Obfuscation. This might be worth a look, AVG users, but read the comments. It seems it's false error reporting on behalf of AVG. It's what's known as a "false positive", or kdxrider.net was misidentified as a threat for using the same "program compilers or software libraries" that a malicious code author has been identified using on the same platform (I assume phpBB).

http://www.avgthreatlabs.com/virus-and- ... fuscation/

Also, not sure if you might have windows updates turned on? I have regular .net framework updates come in, and could have something to do with it.


Admins, do you use encryption? I read that if a webmaster decides to encrypt javascript, AVG could recognize it as a threat

Site virus !!

Posted: 07:18 pm Feb 14 2014
by kawagumby
You'd think the false positive issue would have been addressed by now via AVG... look at the date of the comments. Plus, I've been using AVG for over 2 years and this is the first time it's blocked these activities. AVG was just updated on my computer a couple of weeks ago...and also blocked a trojan as well as the javascript obfuscation on this site.

Plus, this is the only site that has caused AVG intervention - in over 2 years - so something different is likely going on here.

It's also weird that days can go by before it shows itself again.

Re: Site virus !!

Posted: 09:45 pm Feb 14 2014
by Julien D
I'm nearly 100% sure at this point that it's a false positive on AVG's part. Even AVG's website scanning service shows the site being clean, explain that. I have been through every index file and found no malicious code. The only thing that coincides with the time frame is re-installing Tapatalk's plugin.

On another note. New site will probably go live tomorrow. I will have to take the forum down for a couple hours. Might be longer for some folks as DNS records propagate. We'll be leaving the current mess behind in either case. :)

:partyman:

Re: Site virus !!

Posted: 05:04 pm Feb 15 2014
by kawagumby
Good deal! :partyman: