SUBSIM Radio Room Forums



SUBSIM: The Web's #1 resource for all submarine & naval simulations since 1997

Old 10-21-10, 09:16 AM   #136
doctrine

Hey guys, maybe this is already mentioned, but I was too lazy to read the whole thread so sorry in advance if it was. And although I never see any ads on this site, maybe it helps....

We had this problem as well with our company website a few months ago. Scanned our whole system and servers and nothing wrong was found. But we found out our ad-server was kind of hijacked. Every time the implementation code for an ad was fetched from the ad-system and implemented on the page, a piece of extra JavaScript was included with it, which was the reason for our trojan/malware warnings. And the worst thing, excluded from the Google search.

If this could be the reason (and it's your own ad-server), make sure you disable your ads as fast as possible, because the trojan/malware can spread further through the ad-system.

Our solution was to disable the complete ad-system running on our site. Once you're almost sure your site is clean again, request a new review (I guess it was: http://www.google.com/support/webmas...?answer=168328). It can take a few days before it is reviewed.

Good luck with it m8!
doctrine is offline   Reply With Quote
Old 10-21-10, 09:32 AM   #137
SeaWolf U-57

Quote:
Originally Posted by Dowly View Post
I can vouch that the trojan Seawolf is speaking of was there, I tried one of the links he posted above back then and my Avast picked it up as well.

I also googled the address and it was listed on multiple malware/trojan prevention sites as a trojan.

I have no idea why only few are getting these things, tho.

One thing to note is that most of these trojans (I think all but one) that have been reported are all coming from co.cc ending URLs.
Thanks Dowly I'm glad you remembered
SeaWolf U-57 is offline   Reply With Quote
Old 10-21-10, 09:40 AM   #138
kiwi_2005

Beat the hackers - be prepared

Quote:
You've been hacked. What do you do? Who do you call?
It's good to know before time, because you can waste a lot of time, and do a lot of damage to your systems and your organisation if you don't, according to Paul Craig, the lead forensic incident responder at Security-Assessment.com.
There are people out there who will hack into your system with criminal intent. There are people who do it for fun, or so they can skite about it on sites like zone-h.com - which will point other people to your servers, your databases and your credit card numbers if you don't move fast to secure them. Craig says most hacking now starts with web applications, because the firewalls that aim to stem other types of network intrusion are now almost ubiquitous.

Once a server has been hacked, people need to work out what the hacker has done in the system, whether they have taken anything or made queries on the database, whether they have left any back doors so they can come in later.

Craig says a common response to being hacked is the worst one.
"People say, 'We've reformatted the servers, reinstalled from back-ups, the crisis was averted.'
"What they've actually done is destroyed forensic evidence, and they have no way to find out what the hacker has done."
He says in one New Zealand government agency where Security-Assessment.com was called in, the security manager was unaware the website had been defaced.

The content manager was, but just restored from back-ups whenever it happened. Craig says once he ran all the available data through his tools and in effect recreated what had happened by automatically sifting through gigabytes of logs to find out what, when and who, he discovered eight separate hackers had exploited a vulnerability in the DotNetNuke web content management system.

Hacker five had listed his exploit on zone-h.com, where hacking government sites earns extra points, and hackers six, seven and eight followed the link in. He recommends organisations sort out their business processes and technical response before they get hacked.
If they identify a preferred forensic supplier, one with the trained staff, the equipment and the processes to do the job right, they can have emergency response numbers, pre-signed non-disclosure agreements and to-do lists in place if the worst happens.

Digital evidence degrades over time, so it's important to move fast.
Craig says if a server is hacked, leave it on and connected to the internet. That means the forensic examiner can look at logs and routing tables and get an accurate picture.
Action may need to be taken so the machine does not restart. That means disabling any automated shut-downs or patch routines.
If the incident responder can't get there for a few days, get a new one - and rip the power cord out of the wall.

"Don't do a shut down. When Windows shuts down, it clears a lot of volatile information," Craig says.
It's good if organisations know what their incident responder needs and have it ready. They will be paying big money for forensics, maybe $2000-plus a day, so why waste it by having the person wandering the building chasing up network topography maps and server logs.
Craig says he is still waiting for the job that leads to a successful prosecution.

If the hack came from New Zealand or Australia, that would be relatively simple, but most hacks come from places where local law enforcement doesn't seem inclined to chase down the culprits - such as when he identified a United States-based hacker who was even using his smartphone to grab credit card numbers.

And if the hacker comes from China, there may be a prosecution - but the sentence is to be drafted in to the army's cyberwar division.

http://www.nzherald.co.nz/technology...ectid=10681664
__________________
RIP kiwi_2005



Those who can't laugh at themselves leave the job to others.



kiwi_2005 is offline   Reply With Quote
Old 10-21-10, 12:37 PM   #139
joea

Well I'm posting with FF and no message. Good news.

Am I the only one who thinks hackers, if they can be caught, should be put in stockades so we can throw rotten fruit and/or worse stuff at them?
joea is offline   Reply With Quote
Old 10-21-10, 01:15 PM   #140
Buddahaid

Australian territory? 80% Sunni Muslim speaking people.

http://en.wikipedia.org/wiki/.cc
__________________
https://imagizer.imageshack.com/img924/4962/oeBHq3.jpg
"However vast the darkness, we must provide our own light."
Stanley Kubrick

"Tomorrow belongs to those who can hear it coming."
David Bowie
Buddahaid is offline   Reply With Quote
Old 10-21-10, 02:55 PM   #141
ajrimmer42

Quote:
Originally Posted by joea View Post
Well I'm posting with FF and no message. Good news.
I'm still getting it unfortunately
__________________
Alex

Don't judge a ship by the number of its guns, but by the skill of its crew.
ajrimmer42 is offline   Reply With Quote
Old 10-21-10, 06:22 PM   #142
MaddogK

Alerts are indeed gone from my FF 3.6.8 install- good job.

I am however miffed that my other computer is being blocked by the site host. I ran a trace this morning and 'theplanet.com' appears to be the culprit, just as well I shouldn't be surfing this site while at work. A shame I have to watch all that beautiful cable bandwidth go to waste.
__________________
May fortune favor the foolish

MaddogK is offline   Reply With Quote
Old 10-21-10, 06:39 PM   #143
Dowly

The Planet is the host for Subsim.
Dowly is offline   Reply With Quote
Old 10-21-10, 08:43 PM   #144
TLAM Strike

I've logged on and not seen it... Is it really gone?
__________________


TLAM Strike is offline   Reply With Quote
Old 10-21-10, 10:32 PM   #145
Takeda Shingen

It appears to be yes and no right now, depending on the browser and AV software used. This alone leads me to believe that it is a technical issue rather than an attack.
Takeda Shingen is offline   Reply With Quote
Old 10-21-10, 11:22 PM   #146
Reece

I still have the error with FF 3.6.3! It seems that some don't have this problem, is the solution to upgrade to 3.6.11 the answer?
I use COMODO firewall with Ad-Aware and Avira.
__________________

Sub captains go down with their ship!

Last edited by Reece; 10-22-10 at 12:53 AM.
Reece is online   Reply With Quote
Old 10-22-10, 01:00 AM   #147
JScones

Quote:
Originally Posted by Buddahaid View Post
Australian territory? 80% Sunni Muslim speaking people.

http://en.wikipedia.org/wiki/.cc
Read that link more carefully... we're talking ".co.cc", not ".cc". www.co.cc is not a hierarchy, but a company (South Korean, to be exact) that offers subdomain services.

Thus http:\\clickplus.co.cc is a subdomain of www.co.cc, and not affiliated with the Cocos Islands. The giveaway is the missing www.
JScones is offline   Reply With Quote
Old 10-22-10, 07:11 AM   #148
Seeadler

Today when I visited the forum main page, KAV again reported blocked trojan downloads.

__________________
--
Vapor-ware is always easier to sell because there's no limit what it can do!
Seeadler is offline   Reply With Quote
Old 10-22-10, 07:20 AM   #149
Herr-Berbunch

Quote:
Originally Posted by Buddahaid View Post
Australian territory? 80% Sunni Muslim speaking people.

http://en.wikipedia.org/wiki/.cc
It's a few hundred miles from Christmas Island, but maybe we tested atom bombs there knowing there was a prevailing easterly wind?
__________________
Herr-Berbunch is offline   Reply With Quote
Old 10-22-10, 04:50 PM   #150
Oberon

A friend of mine (registered here as Nagy) just got the Chrome warning, ignored it and then his virus checker intercepted a "Kryptik.L.Gen trojan" attempt to download itself to his machine from an advert. Sadly he didn't see what advert was up at the time it tried, but just a heads up to people that it's still out there. I'll also PM this to Neal to let him know since this is on page ten of the thread.
There is also this message, if it's helpful:

"The website at www.subsim.com contains elements from the site 48572835.cz.cc, which appears to host malware – software that can hurt your computer or otherwise operate without your consent. Just visiting a site that contains malware can infect your computer."
Oberon is offline   Reply With Quote
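
Added example, not part of any post in this thread: a check a site operator could run over the markup their ad server returns, covering the hijacked ad code described in post #136 and the third-party host named in the browser warning in post #150. The allowlist, the `ads.example.com` and `cdn.example.net` hosts, the file paths and the sample markup are constructed assumptions; the `.co.cc` and `.cz.cc` suffixes and the `48572835.cz.cc` host are taken from the thread.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: hosts this site's ad tags are expected to load from.
ALLOWED_HOSTS = {"www.subsim.com", "ads.example.com"}
# Free-subdomain suffixes named in the thread's reports.
WATCHED_SUFFIXES = (".co.cc", ".cz.cc")
# Tags that pull in external content, and the attribute holding the URL.
LOADING_TAGS = {"script": "src", "iframe": "src", "img": "src",
                "embed": "src", "object": "data"}

# Constructed sample of markup returned by an ad server (not captured data).
SAMPLE_AD_TAG = """
<a href="http://ads.example.com/click?id=7"><img src="http://ads.example.com/banner7.gif"></a>
<script type="text/javascript" src="//ads.example.com/serve.js"></script>
<script src="http://48572835.cz.cc/x.js"></script>
<iframe src="http://cdn.example.net/frame.html" width="1" height="1"></iframe>
"""

class ResourceCollector(HTMLParser):
    """Collect (tag, url) for every element that loads external content."""
    def __init__(self):
        super().__init__()
        self.resources = []

    def handle_starttag(self, tag, attrs):
        wanted = LOADING_TAGS.get(tag)
        for name, value in attrs:
            if wanted and name == wanted and value:
                self.resources.append((tag, value.strip()))

def audit_ad_markup(markup, page_host="www.subsim.com"):
    """Return one finding per loaded resource whose host is not allowlisted."""
    collector = ResourceCollector()
    collector.feed(markup)
    findings = []
    for tag, url in collector.resources:
        # Relative URLs have no hostname and load from the page's own host.
        host = (urlparse(url).hostname or page_host).lower().rstrip(".")
        if host in ALLOWED_HOSTS:
            continue
        watched = host.endswith(WATCHED_SUFFIXES)
        reason = "free-subdomain host" if watched else "host not on allowlist"
        findings.append({"tag": tag, "host": host, "reason": reason})
    return findings

if __name__ == "__main__":
    for finding in audit_ad_markup(SAMPLE_AD_TAG):
        print(finding)
```

This is a static check: tags that an inline script writes into the page at runtime are not seen by the parser, so an empty result does not clear the ad code on its own.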