AZ Virus again?

This appears to be an ongoing issue that we have not gotten to the bottom of yet. But we are working at it diligently.

Mike
 
Al, can you try it again?

Mike

For the last month it takes forever to bring up the webpage (about 50% of the time). Then I get a message that a long script is running; I click to stop the script and I get in fine. Using the latest IE.

It happened just now too.

I think your HTML webpage script has been tampered with somehow. I got through about 700 lines 2 weeks ago and found some incriminating evidence that a virus was running. I didn't have time to go through all 3,000 lines of code. Maybe that is what you are doing, maybe not. But IMHO I think this should be looked into.
 
I just doublechecked the page and there is no harmful code on it right now.

No idea what would cause the page to take forever to load. I have cached most of the content on the page so that it is coming from html instead of being generated on the fly.

Would be very interested in any incriminating evidence of a virus.

Believe me, I am taking this very seriously and have been fighting with it for two days now. I will get to the bottom of it.

Mike
 

I haven't had any problem at all loading any page on the site. I'm using Comodo Dragon web browser.
 

Actually comodo is a firewall not a browser :D

I'll take a look at the source code and see if I see anything suspicious just for kicks and giggles. Mike, just curious, but did you disable any plugins already when troubleshooting? If so, which ones?

Sent from my phone.
 
Cali, the problem was actually iframe code that had been inserted into the page. I replaced the web page with a clean version, but they were able to do it again this morning.

Just trying to figure out what they are exploiting to get in.

Mike
 

hmm... ok... if you don't mind, could you paste the offending code in a PM to me from the index.php of the main page before you removed the offending code?

Things like this raise my curiosity, as some moron is messing with a site I love:smile:

It appears that these types of attacks are a result of either a compromised FTP password or a SQL injection. These SQL injections are very popular these days, as it's easy to do massive blanket searches for sites, due to the fact that with software such as vBulletin or WordPress, everyone has the same filenames. Everyone knows the entire directory structure and every filename in each directory already.

It sounds like they could very well be making an "invisible" iframe, with it being 1 pixel wide and 1 pixel high. Thus, no one can see it, but it's there.

If someone obtained your FTP password or was able to get access to certain parts of your site, they may have put some back doors in several other places, thus allowing them to get access again if they are blocked for some reason.

I would first change your FTP password. I would look for other index.php/index.htm/index.html pages, and look at the modified dates on them. Regardless, I would search any of those types of pages, looking for some of that offending code. Unfortunately, it is not limited to those files only though... I would search all of your vBulletin directory for this stuff too, or any WordPress files, and anywhere else on your site. I would start first by just finding all files with modified dates of whenever you think it happened. Now I know that some of your files are constantly being modified, but some of them, not much. For example, most vBulletin files are not modified after install, so that makes it easier.

Here's a little reading about it
http://www.xeonbd.com/blog/2011/04/...pt-iframe-malicious-code-index-page-solution/

But I would be curious to see the original index.php page before you changed it. Also, if you see that code again in a file that shouldn't be getting modified, make a note of the time it was modified, to help you narrow down the search.

Once you've got an idea of when it happened, you can look at the RAW logs of your site and try to track down where it happened. From there you may get an idea of what other files were changed.

I had a SQL injection happen to me on one of my sites. I got a notice from my Webhost (Justhost sucks the big one.. just a friendly reminder:smile:) one day, that they had shut down my site. I said what for, they said I was running a Wells Fargo Scam. I said what the hell are you talking about.. they said you're scamming people trying to run a phishing site.

The tough part is this, though, with my scumbucket host. They shut down your site and will not allow you to get into it. They expect you to fix the problem, but you can't get into your site to fix it. After days on the phone and countless emails, they finally gave me access to cPanel only, and only from one IP. I found the offending files (someone had injected a zip file with a whole Wells Fargo phishing site, then unzipped it), which were in some nondescript folder, but sure enough, it was a Wells Fargo phishing site. It would try and steal their info and then redirect it to somewhere else. AND I was the unsuspecting host of it all. They found a SQL exploit in my WordPress install and used it to upload all that crap.

The good thing is... that it seems like it's easily caught by all the Antivirus programs out there.:smile:

God that irritates the hell out of me though. It's probably some snot nose 13 year old, that found some scripts, he runs those scripts on hundreds of thousands of sites, it just runs in the background while he's playing his video games. Then he gets a list of possible sites to exploit. He runs some more scripts to see if he can get in, then off to do it to someone else.

The sad thing is... anyone can do this crap. It's easy as hell to be a "script kiddie". Countless sites that have Hacking for Dummies guides. Download a small zip file with thousands of scripts in it, read your guide and crank up some scripts that run while you're sleeping, wake up and see what you can get into.

Go get 'em Mike! If we need to, we can always sic Marty on them :D After all, this site is near to his heart:p
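The procedure in the post above (narrow by modification date, then search the candidate files for a hidden 1x1 iframe) can be scripted. The following is an added example, not code from the thread or from the site itself. The hidden-iframe heuristics (1px or 0px dimensions, display:none, visibility:hidden, off-screen positioning) are assumptions drawn from the post's description, not a signature for any particular malware; the web root, file contents and the example.invalid URL are constructed for the demonstration.

```python
"""Scan a web root for injected hidden <iframe> tags: first narrow the
candidate files by modification time, then search only those files."""
import os
import re
import tempfile
import time
from pathlib import Path

# Assumed heuristics for an "invisible" iframe (1x1 or 0x0, hidden via CSS,
# or pushed far off-screen). These are illustrative, not a malware signature.
_IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.IGNORECASE | re.DOTALL)
_HIDDEN_HINTS = (
    re.compile(r"\bwidth\s*=\s*[\"']?\s*[01](?![0-9])", re.I),
    re.compile(r"\bheight\s*=\s*[\"']?\s*[01](?![0-9])", re.I),
    re.compile(r"width\s*:\s*[01]px", re.I),
    re.compile(r"height\s*:\s*[01]px", re.I),
    re.compile(r"display\s*:\s*none", re.I),
    re.compile(r"visibility\s*:\s*hidden", re.I),
    re.compile(r"(?:left|top)\s*:\s*-\d{3,}px", re.I),
)
_SRC_RE = re.compile(r"\bsrc\s*=\s*[\"']?([^\"'\s>]+)", re.I)


def find_hidden_iframes(html: str) -> list:
    """Return the src of every <iframe> in html that matches a hidden hint."""
    hits = []
    for tag in _IFRAME_RE.finditer(html):
        tag_text = tag.group(0)
        if any(p.search(tag_text) for p in _HIDDEN_HINTS):
            src = _SRC_RE.search(tag_text)
            hits.append(src.group(1) if src else tag_text)
    return hits


def scan_tree(root, since_epoch, exts=(".php", ".htm", ".html", ".js")):
    """Walk root and return [(relative_path, [srcs])] for web files modified
    at or after since_epoch that contain a hidden iframe. Files older than
    the suspected time window are skipped, which is the point of starting
    from modification dates."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file() or path.suffix.lower() not in exts:
            continue
        if path.stat().st_mtime < since_epoch:
            continue
        try:
            text = path.read_text(errors="replace")
        except OSError:
            continue
        srcs = find_hidden_iframes(text)
        if srcs:
            findings.append((str(path.relative_to(root)), srcs))
    return findings


def demo():
    """Constructed web root: one untouched forum file, one tampered index."""
    root = tempfile.mkdtemp()
    clean = Path(root, "forum", "showthread.php")
    tampered = Path(root, "index.php")
    clean.parent.mkdir()
    clean.write_text("<html><body><p>Clean page</p></body></html>")
    # Constructed example of an injected 1x1 iframe; example.invalid is a
    # reserved name and not a real host.
    tampered.write_text(
        "<html><body><p>Home</p>\n"
        '<iframe src="http://example.invalid/x.php" width="1" height="1" '
        'style="visibility:hidden"></iframe>\n'
        "</body></html>"
    )
    # Backdate the clean file so it falls outside the suspected window.
    old = time.time() - 365 * 86400
    os.utime(clean, (old, old))
    since = time.time() - 7 * 86400  # "whenever you think it happened"
    return scan_tree(root, since)


if __name__ == "__main__":
    for rel, srcs in demo():
        print(f"{rel}: {srcs}")
```

On a real site you would point scan_tree at the document root with a since value taken from the mtime of the first file you found tampered, then read the raw access log around that same timestamp, as the post suggests. A hit only tells you which files to inspect; confirm by eye, since a legitimate embedded video or widget can also use a hidden or small iframe.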
 
I contacted the moderator about this yesterday, it was the same vip thing, that tried to download a malicious script on my computer....
 

I didn't get a warning.
I just couldn't get on the forum for an hour or 2 the other day.
With what everyone is saying, it just made me nervous because I don't know what to do if I did get a warning.
Thanks very much for your concern.
I'm running a scan now. Said no threats, but my MS Security wasn't updating?
ty Mike
 
I knew about the downtime the other day. I rebooted the machine and sometimes when that happens we get corruption in the database. That takes a little time to fix and it drags the forums down to a crawl until it is fixed.

Thanks,
Mike

 
I've been getting the warning for the last couple days on my Norton Virus Scan. I have not had any problems downloading the site.
 
Nice job Mike!

Mike, nice job taking care of that virus!
If this ever happens again, should I post about it to make other AZ'ers aware, or should I just send you the image?
 

Actually, you need to check out Comodo Dragon, which is, indeed, a browser. It is based on the Google Chrome browser but is much faster and more secure. I have the firewall also. I've used the firewall for a couple of years, now, and Dragon for about 6 months.
 
Just now, I got the same thing I first posted about. Again, Microsoft Security Essentials cleaned/removed it and I had no trouble logging in or moving about the site so far.
 
I got a virus warning yesterday morning and I also got the same virus warning this morning when I opened the home page. I feel sorry for anyone that doesn't have security protection. What kind of sick mind does things like that?
 
it's back again guys


It's back again

Mike, I sent you the new image via E-Mail Good Luck

It only happens on the main page.
 
Wondering if all the warnings are from Kaspersky.

I have checked and find nothing with Norton 360.

Yesterday I was warned by Kaspersky about the Trojan. I immediately did the scan. But the scan report did not mention anything about the Trojan. Even though I have zero knowledge of computer technology, I concluded that Kaspersky is the culprit and not smart in carrying out its mischievous acts. Kaspersky's left hand did not know what its right hand was doing. A smart mischief's left hand knows what its right hand is doing. Some time in the recent past Kaspersky did the same thing when I clicked the AZBilliards website. That time also several AZ posters complained about the virus. Today I did not have any warning.:cool:
 