Author Topic: Virus threat from ballreviews.com  (Read 19251 times)

charlest

  • Hero Member
  • *****
  • Posts: 24526
Virus threat from ballreviews.com
« on: May 26, 2012, 07:20:45 PM »
At 8:15 PM Eastern time, I did a refresh on my unread posts and got a warning from AVG that this was detected: "Exploit JavaScript Obfuscation type (156) was intercepted". I did not see if this was a virus; it just said it was a threat.

A couple of internet searches showed it can be caused by an advertisement.
« Last Edit: May 26, 2012, 07:24:24 PM by charlest »
"None are so blind as those who will not see."

 

Aloarjr810

  • Hero Member
  • *****
  • Posts: 2149
  • Alley Katz Strike!
Re: Virus threat from ballreviews.com
« Reply #16 on: May 29, 2012, 09:11:56 PM »
I just got an alert from Avast when I came on here. Said it blocked a trojan called HTML:Downloader-CC[Trj]
Aloarjr810
----------
Click For My Grip

BallReviews-TECH

  • Administrator
  • Sr. Member
  • *****
  • Posts: 480
Re: Virus threat from ballreviews.com
« Reply #17 on: May 30, 2012, 12:14:07 AM »
It looks like there is a malicious ad on one of our ad networks. I haven't been able to recreate the issue but I am looking into it.
-BR-Tech

Aloarjr810

  • Hero Member
  • *****
  • Posts: 2149
  • Alley Katz Strike!
Re: Virus threat from ballreviews.com
« Reply #18 on: May 30, 2012, 07:37:24 AM »
Just came on and it did it again; here's the info
"I removed http:// from url"

today-
Infection Details
URL:   cetolsq.tk/35232777.html
Infection:   HTML:Downloader-CC [Trj]

Last night-
Infection Details
URL:   bilioaerw.tk/78102777.html
Infection:   HTML:Downloader-CC [Trj]
Aloarjr810
----------
Click For My Grip

BallReviews-TECH

  • Administrator
  • Sr. Member
  • *****
  • Posts: 480
Re: Virus threat from ballreviews.com
« Reply #19 on: May 30, 2012, 07:55:50 AM »
Still haven't been able to trigger it myself. If it pops up for someone again, please let me know what ads are displaying.
-BR-Tech

scotts33

  • Hero Member
  • *****
  • Posts: 8452
Re: Virus threat from ballreviews.com
« Reply #20 on: May 30, 2012, 10:48:10 AM »
Still haven't been able to trigger it myself. If it pops up for someone again, please let me know what ads are displaying.

Download free Avast BR_tech.  Best AV program out there and it will detect and give you info.  http://www.avast.com/free-antivirus-download

BTW...I scanned BR with https://www.virustotal.com/#url and found nothing.  Possibly with an AV/Avast it's a false positive?  I turned on adblock and NoScript using FireFox 11.0 and it allows me on site. 
Scott

Aloarjr810

  • Hero Member
  • *****
  • Posts: 2149
  • Alley Katz Strike!
Re: Virus threat from ballreviews.com
« Reply #21 on: May 30, 2012, 11:06:16 AM »
Still haven't been able to trigger it myself. If it pops up for someone again, please let me know what ads are displaying.

Download free Avast BR_tech.  Best AV program out there and it will detect and give you info.  http://www.avast.com/free-antivirus-download

BTW...I scanned BR with https://www.virustotal.com/#url and found nothing.  Possibly with an AV/Avast it's a false positive?  I turned on adblock and NoScript using FireFox 11.0 and it allows me on site. 

Because the ads are on a rotation, unless you come on the site when it's present it won't set off the AV.

The url avast shows for it is a ".tk" domain. They are notorious for all the phishing, scamming etc. due to their free domain names.

I would think telling adchoices they have an infected ad would be the thing.
Aloarjr810
----------
Click For My Grip

Perfect Approach Pro Shop

  • Sr. Member
  • ****
  • Posts: 339
Re: Virus threat from ballreviews.com
« Reply #22 on: May 30, 2012, 12:52:53 PM »
I use Avast and just logged into Ballreviews and it blocked a trojan also.
J. Helton
Perfect Approach Pro Shop

Spider Man

  • Hero Member
  • *****
  • Posts: 11829
Re: Virus threat from ballreviews.com
« Reply #23 on: May 30, 2012, 01:47:11 PM »
maybe the site should be shut down until this is resolved? a trojan is no small matter. any user not blocking 3rd party is exposed.

Stan

  • Hero Member
  • *****
  • Posts: 667
Re: Virus threat from ballreviews.com
« Reply #24 on: May 30, 2012, 02:15:52 PM »
Just got on and Norton just caught a Virus.  Something like palaceshrink.

Please check this out.

Spider Man

  • Hero Member
  • *****
  • Posts: 11829
Re: Virus threat from ballreviews.com
« Reply #25 on: May 30, 2012, 02:20:37 PM »
what ads were flashing (not counting 900 Global at bottom)? this may help troubleshooting it.

BallReviews-TECH

  • Administrator
  • Sr. Member
  • *****
  • Posts: 480
Re: Virus threat from ballreviews.com
« Reply #26 on: May 30, 2012, 02:30:10 PM »
Ads have been disabled till we sort this out. If anyone is still receiving any errors please let me know ASAP.
-BR-Tech

Impending Doom

  • Hero Member
  • *****
  • Posts: 6288
Re: Virus threat from ballreviews.com
« Reply #27 on: May 30, 2012, 02:47:32 PM »
I didn't notice it until I was on my windows box. Then I saw what everyone else is seeing. Mac users seeing this too? Just wondering.

Impending Doom

  • Hero Member
  • *****
  • Posts: 6288
Re: Virus threat from ballreviews.com
« Reply #28 on: May 30, 2012, 02:49:23 PM »
Lefty,

Lifehacker is totally legit. Go with confidence.

Is a site called lifehacker where I want to be going??

Regards,

Luckylefty

Aloarjr810

  • Hero Member
  • *****
  • Posts: 2149
  • Alley Katz Strike!
Re: Virus threat from ballreviews.com
« Reply #29 on: May 30, 2012, 02:58:20 PM »
Okay I just came back on and got this

Infection Details
URL:         palaceshrunk.in/404notfound
Infection:   URL:Mal
Aloarjr810
----------
Click For My Grip

BallReviews-TECH

  • Administrator
  • Sr. Member
  • *****
  • Posts: 480
Re: Virus threat from ballreviews.com
« Reply #30 on: May 30, 2012, 04:27:59 PM »
tl;dr version: Site should be coming back as clean for everyone.

What happened?
It appears that an infected server (not ours, a random one on the web) was used to grab our index files through ftp, append some malicious code, and return the files to their position on the server.

How did they get in to FTP? Don't you have passwords or something?
We had an account activated for a freelance web developer in order to help with the transition to the new server. We don't believe the freelancer had anything to do with the hack but the password on the account was simple enough to be brute-forced.

Are you sure it is all gone?
Our file transfer logs showed all files that were accessed and we have gone through all files affected. The code has been cleaned from all of these files. I don't like dealing in absolutes but yea, I'm sure it is all gone.

Why did you originally say it was the ads?
I was unable to recreate the issue and, in the past, I've dealt with similar issues where I was unable to get the right ad to load so some people would see the error while others wouldn't. In this case, the malicious code was designed to not activate for specific browsers. Google Chrome was among the browsers that were ignored so, when I visited the site, I was unable to see the line of code.

What have you done to ensure that this doesn't happen again?
Though this looks like it was just the work of a script and not of an actual user, we have changed all passwords related to the server. We have also disabled the account used to make the changes to the files. Finally, we have activated filtering for FTP so that FTP commands can only be accessed using specified IP addresses.

Was my password at risk?
The logs do not indicate any attempt to access or view any user data. Even if the hack attempt had led to access of the users database, all passwords are hashed and salted. This means that we can't even see what your password is if we want to do so.

Why all this information?
We want to make sure that we have clear communication about these sorts of events with our users.
-BR-Tech
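
An added example, not part of the thread or the site's own tooling: one way to work through FTP transfer logs as the post-mortem above describes, listing files that were downloaded and then uploaded again larger by the same host and account, and uploads from hosts outside an allowlist. It assumes the common xferlog line layout (the post does not name the FTP server); the account names, paths and addresses in the sample are constructed.

```python
from collections import namedtuple
from datetime import datetime

Xfer = namedtuple("Xfer", "when host size path direction user")

# Constructed sample in xferlog layout; hosts are documentation addresses
# and the account names "devtemp" and "webadmin" are hypothetical.
SAMPLE_LOG = """\
Sat May 26 03:10:01 2012 1 198.51.100.23 5120 /www/index.php a _ o r devtemp ftp 0 * c
Sat May 26 03:10:03 2012 1 198.51.100.23 5482 /www/index.php a _ i r devtemp ftp 0 * c
Sat May 26 03:10:05 2012 1 198.51.100.23 2048 /www/forum/index.php a _ o r devtemp ftp 0 * c
Sat May 26 03:10:07 2012 1 198.51.100.23 2410 /www/forum/index.php a _ i r devtemp ftp 0 * c
Sat May 26 09:30:00 2012 2 203.0.113.5 9000 /www/css/site.css a _ i r webadmin ftp 0 * c
"""

def parse_xferlog(text):
    """Yield one Xfer per well-formed line; the filename may contain spaces."""
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 18:
            continue  # truncated or foreign line
        when = datetime.strptime(" ".join(tok[:5]), "%a %b %d %H:%M:%S %Y")
        path = " ".join(tok[8:-9])            # everything between size and type
        direction, user = tok[-7], tok[-5]    # "o" = download, "i" = upload
        yield Xfer(when, tok[6], int(tok[7]), path, direction, user)

def find_tampered(records, allowed_hosts):
    """Return (round_trips, foreign): files fetched then re-uploaded larger by
    the same host and account, and all uploads from hosts not in allowed_hosts."""
    fetched, round_trips, foreign = {}, [], []
    for r in records:
        key = (r.host, r.user, r.path)
        if r.direction == "o":
            fetched[key] = r.size
        elif r.direction == "i":
            if key in fetched and r.size > fetched[key]:
                # Same growth on many files suggests one appended snippet.
                round_trips.append((r.path, r.size - fetched[key]))
            if r.host not in allowed_hosts:
                foreign.append(r.path)
    return round_trips, foreign

if __name__ == "__main__":
    trips, foreign = find_tampered(parse_xferlog(SAMPLE_LOG), {"203.0.113.5"})
    for path, grew in trips:
        print(f"re-uploaded {grew} bytes larger: {path}")
    print("uploads from non-allowlisted hosts:", foreign)
```

Every path it reports still needs to be compared against a known-good copy, since a replaced file of equal or smaller size will not appear in the round-trip list.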