The forum's definitely been messed with. The ****** seems to have been injected into everything (it's escaped in the posts themselves, but appears parsed elsewhere). It links to a Java applet containing exploit code. I had VirusTotal check it out: https://www.virustotal.com/file/70b7...5b8a/analysis/ . Looks like it's exploiting the "new" exploit in Java, so many people who don't have updated browser plugins are vulnerable to it. The forum needs to be taken offline imo.
There is a problem which we are working on now but it takes time to check everything. We are watching it very closely though and hopefully we'll have it fixed up shortly.
Every URL about a thread here had that ****** thingy. Maybe somebody wanted to draw the attention to spiderweb.com or launch a DoS attack on them... or just make that impression. Nothing is certain.
Whatever, the issue seems to be solved now. Firefox still seems to report incgamers as an attacking site, however. It might need some time to get that changed back.
Java is currently switched off on my browser. Whatever might need it, it will currently not receive the 1001 blessings of my presence.
Is there anything those of us who have been visiting the forums need to worry about? (In terms of having picked up any malware?)
Wanted to give everyone an update. We have been poring over server logs and poking around the servers. I can say that the servers are all fine. However, after looking over the logs (which we are still doing) we think this is an intentional attack aimed at this community.
If you are running any sort of virus protection then you will have been OK, same for Chrome users who got an alert bar at the top of the page. However, to be on the safe side I would advise anyone to give their machine a scan, always better to be safe than sorry.
It is only these forums that have been affected, not the main Diablo site homepage or any other incgamers website.
Our investigations are ongoing on this and we have got our co-location hosts involved as well, as we are not happy about this attack, which is obviously malicious and aimed at this Diablo community.
I will be updating this thread as I know more. As of writing this post, the site is clean, despite the Google/FF warnings. These will disappear when FF and Chrome get their act together and remove the warning. I do not know how long they take to update their records so you may get their alerts for a little while longer.
I can now enter the forums again without a report from Google that this is an attack site... I have NoScript enabled though, to be sure. Sorry I posted on the main page earlier, but it was the only place safe to report it!
Thanks for the update. So Google takes about 8 hours to update their records. Thought it would have been quicker.
Elly - Admin,
If it was an intentional, non-automated attack, then it wasn't very smart. Putting the ****** into posts which are very likely to be escaped. Also just as a note, it seems the navigation bar (e.g. Forum > Diablo: IncGamers, Diablo Wiki & DiabloNut.com > Feedback, Suggestions & Support > Virus through site?) did not look like it escaped HTML tags. You probably have enough on your plate as it is, just putting it out there. Also, FF no longer blocks the forums. And any info on whether credentials were compromised will be nice too. Good luck!
Regarding credentials, there is certainly no evidence of that from our log checking and scans.
Just as another update, an external audit of the server is running at the moment which will also help us see what was up.