
Picking up a trojan

Posted: 06:30 pm Feb 07 2014
by kawagumby
Hi,
Every time I log on my AVG virus protection software shows I'm getting a Trojan malware from this site. It's been that way for about a week and a half. Just a heads-up.

Tom

Re: Picking up a trojan

Posted: 08:29 pm Feb 08 2014
by Julien D
I will check, but I would guess it's just AVG fussing about our login cookie. I will let you know if I find anything.

Picking up a trojan

Posted: 04:31 pm Apr 29 2014
by kawagumby
I changed my AV software from AVG to Norton and I'm still picking up a notice every time I log on. Might be another false positive, but I thought you should know.




Category: Intrusion Prevention
Date & Time: 4/29/2014 2:22:49 PM
Risk: High
Activity: An intrusion attempt by MOTHER was blocked.
Status: Blocked
Recommended Action: No Action Required
IPS Alert Name: Web Attack: Malicious Toolkit Request 4
Default Action: No Action Required
Action Taken: No Action Required
Attacking Computer: MOTHER (68.189.66.62, 49233)
Attacker URL: asdg87hkjd.co/docentx/audit/allow.php
Destination Address: asdg87hkjd.co (82.146.33.252, 80)
Source Address: 68.189.66.62 (68.189.66.62)
Traffic Description: TCP, Port 49233

Network traffic from asdg87hkjd.co/docentx/audit/allow.php matches the signature of a known attack.

The attack was resulted from \DEVICE\HARDDISKVOLUME2\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE. To stop being notified for this type of traffic, in the Actions panel, click Stop Notifying Me.

Picking up a trojan

Posted: 10:43 pm Apr 29 2014
by ICRage42
As you stated "when I log in here"... does it do it any time you log in elsewhere? If so, it's something you contracted and it just gets associated when you log in anywhere.

Usually in your temp folder... it's a temp storage of internet files. They usually linger there because they can limit you as to what you can see or do with the file.

You're actually sending information to a remote server from the sounds of it. Passwords, account info, eBay logins, etc.

When you find the program you won't be able to stop it in normal mode. Boot up in safe mode and delete the program and all its associates and reboot normal. Test here with logging in and see if it goes away. Make a restore point if everything is OK and from there consider where you've visited lately to contract it.

It was not here. I'll say this for the umpteenth time: it's not here. Sure there are exploits in PHP-based systems, but mostly just affecting the site alone, not the user end. Now if there was an implementation of, say, additional other installs, for example games, different chat boxes etc., they are easily exploited and are installed onto the system. This is just a basic site, really nothing fancy and nothing really installed to further warrant any worries. Runs all day, no worries. The site and server usually has its own antivirus as well, so an exploit is usually caught beforehand. Most exploits that affect most PHP sites are programs that act like repeaters. It appears that a user just keeps posting till it burns up your bandwidth for the month and you get shut down. The site has an option that denies so many posts within a certain amount of time and stops it. The only thing that could compromise this site really is user photo uploads and Facebook ties.

I can visit a porn site tomorrow and restart the computer and it's now there. Every time I log in anywhere it will activate the program. Doesn't necessarily mean it's from here.

If you clean your computer and make a good restore point and run into this again... you can restore the computer to an earlier time and get back on track. Despite that being temporary files and whatnot, the restore point will wipe them. You'll also lose whatever you installed in that time frame as well. Small price to pay for not sending someone your email passwords or PayPal account info.

I prolly lost ya but hope it helps some. We ran into this on the old server and I still wasn't affected but a couple of others stated something. Usually if you know the administrator by name you're in good company.

When done I would look into changing your passwords.

Picking up a trojan

Posted: 11:01 pm Apr 29 2014
by Gotanubike
Just run Malwarebytes and SUPERAntiSpyware anti-rootkit. Both are freeware and have the best databases for tracking these bugs...

After that, consider using a new browser like Chrome or Firefox and get the Adblock Plus extension. There are also other web inspector extensions for those two; as far as I know they aren't available for Explorer.

It would be close to impossible to get a virus from kdxrider.net considering it makes no requests nor does it offer any downloadable content.

Here I can prove it using the Disconnect extension. As you can see, there are two blocked analytics websites (Google and Facebook) and the allowed one in the middle is PayPal for donations.

Image

Picking up a trojan

Posted: 11:30 pm Apr 29 2014
by kawagumby
Ummm. Well, the only site I get the notice on is this one. I just did a clean install on a newly formatted hard drive yesterday, and I'm not one to visit but a few sites, none of which are suspicious. Not saying this site has a virus, but it's weird that two different AVs say it does. Not an issue for me. Only a couple of text files in the temp folder. Like I say, could be a false positive for both AVs.

BTW, I'm not the only one getting the same AV notice only on KDXrider.net; others have also.

Re: Picking up a trojan

Posted: 12:51 pm Jun 22 2014
by kawagumby
Hi,
I just built a new computer - guess what - it picks up the trojan(s) also (it happens about every third time I log on to KDXrider.net). Both AVG and Norton pick it up... and the malware type changes from time to time, so it is not a false positive.
This time, I got an offending website address (or most of it)... as it hung trying to load while KDXrider was loading... WWW. zuninu.rosarioflor.com/xxxxwhatever (hope I got it right... looks like a Mexican site)

I tried to bring it up on explorer, but no luck.

So, from my end it appears that a malicious website(s?) is piggy-backing your website somehow

Hope this helps.

Re: Picking up a trojan

Posted: 11:04 am Jun 23 2014
by Julien D
I don't know what to tell you. Site tests out clean.

http://www.avgthreatlabs.com/website-sa ... rider.net/

http://app.webinspector.com/public/reports/22714164

It's protected by a pretty tight firewall, and running on a fully updated Linux distro. I'm not saying that it's impossible that something got in, but it's pretty much impossible that something got in that I can't find. I don't get any alerts logging into the site from my kids' PC, which is also AVG. Sophos Web Protection on my office machines finds nothing. I do not have a machine with Norton to test with. I would advise against using any Norton protection products for anything anyway, as they are pretty much overpriced garbage. I will keep looking, but at this point it is unlikely that I will turn anything up. I have been through every file on the site. I have even downloaded the entire contents of the www directories and scanned them locally. Nothing even remotely suspicious turns up.

Re: Picking up a trojan

Posted: 03:23 pm Jun 23 2014
by kawagumby
Well, whatever it is, it's no big deal to me, as the software blocks the website. It is weird... this is definitely the only site that brings it up - and what's worse... I can visit ten times with no issue, then it hits again. Whatever is happening is intermittent and, as I've said, the particular malware changes -

But regarding Norton... it's not just Norton that catches the website, AVG does too - I have several computers I'm working on now and the story is the same regardless of which one I log on with (including the one just assembled). It's always about blocking a malicious website - which is not KDXrider.
Thanks for your work anyway....




:partyman:

Re: Picking up a trojan

Posted: 07:37 am Jun 24 2014
by Julien D
I appreciate the info, and I will keep looking into it. If I find anything I will post it here.

Thanks,
Jason

Re: Picking up a trojan

Posted: 11:08 am Sep 18 2014
by Julien D
Have you seen any more of this? I have not been able to replicate it, and I still haven't found anything in the code pointing to any external sites, aside from the stuff I'm using for analytics, etc.
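The check Julien describes in this thread (download the www directories and scan them locally, then look for anything in the code pointing to an external site) is a different question from the one an antivirus signature answers, and it can be done deterministically. The script below is an added example, not kdxrider.net's code or anything from the site's software: it walks a downloaded web root, pulls every absolute URL out of src/href/action/url()/Location/location sites, and reports any host that is not on an allowlist, plus the eval-of-decoded-data shape that injected PHP includes commonly take. The allowlist is an assumption assembled from the posts (the site itself, the two analytics hosts the Disconnect screenshot blocked, and PayPal for donations); the sample web root is constructed, and the .invalid hosts in it are reserved placeholder names.

```python
"""Offline scan of a downloaded web root for references to hosts outside an
allowlist, plus the common obfuscated-PHP include pattern.

Added example for this thread (not kdxrider.net's code). ALLOWED_HOSTS is an
assumption built from what the posts mention; the sample web root is
constructed and the .invalid hosts are reserved placeholders.
"""
import os
import re
import tempfile
from urllib.parse import urlparse

ALLOWED_HOSTS = ("kdxrider.net", "google-analytics.com", "facebook.net", "paypal.com")
SCAN_EXTENSIONS = {".php", ".html", ".htm", ".js", ".tpl", ".inc"}

# Attribute, CSS, header and JS sites that load or send the browser to an
# absolute URL: src=, href=, action=, url(...), Location: and location=.
URL_REF = re.compile(
    r"""(?:src|href|action|url|location)\s*[:=(]\s*['"]?\s*((?:https?:)?//[^\s'")<>]+)""",
    re.IGNORECASE,
)
# eval() over decoded/inflated data: the usual shape of an injected PHP include.
OBFUSCATED_PHP = re.compile(
    r"eval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(",
    re.IGNORECASE,
)


def host_of(url):
    """Hostname of an absolute URL; scheme-relative '//host/...' is accepted."""
    if url.startswith("//"):
        url = "http:" + url
    return (urlparse(url).hostname or "").lower()


def host_allowed(host, allowed):
    """Exact match or subdomain of an allowlisted host (no substring matches)."""
    return any(host == a or host.endswith("." + a) for a in allowed)


def scan_file(path, allowed):
    """Return one finding per external reference or obfuscated eval in a file."""
    findings = []
    with open(path, encoding="utf-8", errors="replace") as fh:
        for lineno, line in enumerate(fh, 1):
            for url in URL_REF.findall(line):
                host = host_of(url)
                if host and not host_allowed(host, allowed):
                    findings.append({"file": path, "line": lineno,
                                     "kind": "external-ref", "host": host, "detail": url})
            if OBFUSCATED_PHP.search(line):
                findings.append({"file": path, "line": lineno,
                                 "kind": "obfuscated-php", "host": "", "detail": line.strip()})
    return findings


def scan_webroot(root, allowed=ALLOWED_HOSTS):
    """Walk the tree, including template/include files, and collect findings."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in sorted(files):
            if os.path.splitext(name)[1].lower() in SCAN_EXTENSIONS:
                findings.extend(scan_file(os.path.join(dirpath, name), allowed))
    return findings


def build_sample_webroot():
    """Constructed web root: one clean page, one injected include, one JS redirect."""
    root = tempfile.mkdtemp(prefix="webroot-")
    files = {
        "index.php": (
            '<?php include "footer.php"; ?>\n'
            '<link rel="stylesheet" href="http://www.kdxrider.net/style.css">\n'
            '<script src="https://www.google-analytics.com/ga.js"></script>\n'
            '<a href="/viewforum.php?f=3">Forum</a>\n'
            '<form action="https://www.paypal.com/cgi-bin/webscr" method="post"></form>\n'
        ),
        "footer.php": (
            "<!-- constructed injected include; .invalid is a reserved placeholder TLD -->\n"
            '<iframe src="http://injected-example.invalid/audit/allow.php" width="1" height="1"></iframe>\n'
            "<?php eval(base64_decode($blob)); ?>\n"
        ),
        os.path.join("assets", "tracker.js"): (
            "// constructed: a JS redirect to a host that is not on the allowlist\n"
            'window.location = "//redirect-example.invalid/?r=1";\n'
        ),
    }
    for rel, body in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    for f in scan_webroot(build_sample_webroot()):
        print(f"{f['kind']:15} {f['file']} line {f['line']}: {f['host'] or f['detail']}")
```

Run against a real download, the useful output is the set of hosts that are neither the site nor its known third parties; anything that appears only in an include or template file, or only in JavaScript, is exactly what a page-by-page browser check misses. A clean result on the files does not rule out a redirect injected at the server or network layer, which is why an intermittent report from several client machines is still worth reconciling against the web server's access logs for the times the alerts fired.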