Another virus warning



Mike Switzer
01-21-2015, 02:14 PM
Starting this AM I am getting another virus warning when I open these forums or another page on these forums.
The file name is k?tstmp= (followed by a 10 digit numeric string)
The path is http://static.lakenormankids.com/ (followed by the file name above)

The 10 digit string is different every time.

Hal Bryan
01-21-2015, 02:19 PM
Thanks for the heads-up, Mike - I'm not seeing any warnings here, but I'll have our hosting provider look into it.

Hal Bryan
01-21-2015, 03:41 PM
Mike -

Can you tell me if you can try to reproduce the warning on another machine? All the scans our provider has done are coming back clean.


Thanks!

Hal

Mike Switzer
01-21-2015, 04:05 PM
Yes - both machines running the latest version of Firefox. Same thing on both (I wasn't logged in on the 2nd machine)

Hal Bryan
01-21-2015, 04:30 PM
Okay - many thanks.

Hal Bryan
01-21-2015, 05:15 PM
Mike - Can you try again?

Mike Switzer
01-21-2015, 05:54 PM
It is still doing it on every new page. Acts almost like a vbulletin page tracker of some sort but my antivirus is throwing the flag, and the source is strange

Mike Switzer
01-21-2015, 06:38 PM
It quit popping up now - looks like it might be fixed

Mike M
01-22-2015, 08:09 AM
Maybe not all fixed? Opera browser gives a "malicious site warning" saying "visiting this site may be harmful. It has been reported for distributing malicious software. Opera software strongly discourages visiting this site."

Hal Bryan
01-22-2015, 09:10 AM
I just fired up Opera and saw the warning you're talking about. As I read it, it means that the site was reported as having an issue at some point - none of our diagnostics or malware scans show anything out of the ordinary after our fixes from yesterday. According to Opera, the report came from a site in Russia (ironically, home to a majority of our spam attackers) called Yandex. I'm not sure if we can petition them to withdraw their warning or not, but I'll look into it.

Mike M
01-22-2015, 11:09 AM
Thanks for checking, Hal, it was beyond my level of expertise. I've been ignoring it when it pops up. This is a used computer, I've already replaced the hard drive once, it's not a big deal to replace if I'd gotten trashed again. But it's good to know it hasn't really been at risk.

Kyle Boatright
03-16-2015, 08:11 PM
The last 3 times I've come to this site, Norton has issued a warning:

"Norton blocked an attack by Web Attack: Exploit Toolkit Website 67"

I'm running IE7 and Norton...

I've seen this warning before when visiting this site and have never seen it when visiting any other site.

Mike Switzer
03-16-2015, 11:11 PM
After seeing Kyle's post I updated my antivirus (I do it manually as it sucks so much bandwidth it really interferes if I am actually working) and I reloaded the page and I am not seeing any warnings.

Dana
03-17-2015, 04:28 AM
My bookmark for this site is the "new threads" page. Whenever there are no new threads to display, Avast antivirus gives a warning about the page. This started recently, though it has happened in the past as well.

Hal Bryan
03-17-2015, 06:33 AM
Thanks all - our hosting provider is investigating now.

Hal Bryan
03-17-2015, 07:00 AM
The last 3 times I've come to this site, Norton has issued a warning:

"Norton blocked an attack by Web Attack: Exploit Toolkit Website 67"

I'm running IE7 and Norton...

I've seen this warning before when visiting this site and have never seen it when visiting any other site.

Kyle - can you check again? There was a corrupted file in our vBulletin installation that's now been replaced.

Kyle Boatright
03-17-2015, 06:44 PM
Kyle - can you check again? There was a corrupted file in our vBulletin installation that's now been replaced.

I am not getting the warning this evening. Thanks for the fix...

Check 6
03-21-2015, 12:52 PM
I am getting the same warning through my Norton 360 software. See that attached screenshot of the warning.

Dana
03-21-2015, 08:00 PM
I'm still getting the virus warning, only when I access the new posts link (http://eaaforums.org/search.php?do=getnew&contenttype=vBForum_Post) and there are no new posts to view. Avast pops up with this:

[Attachment 4649]

Kyle Boatright
03-22-2015, 01:23 PM
I'm still getting the virus warning, only when I access the new posts link (http://eaaforums.org/search.php?do=getnew&contenttype=vBForum_Post) and there are no new posts to view. Avast pops up with this:

[Attachment 4649]

Interesting. I checked, and yes, I do get this warning when there are no new posts to view using the "New Posts" function.

Dana
03-22-2015, 05:55 PM
So what's nevpo.com? I tried going to it and it was blocked with all kinds of virus warnings... but if you view the source of the new posts page, there's no link to it. But it doesn't happen every time.

Hal Bryan
03-23-2015, 06:35 AM
So what's nevpo.com? I tried going to it and it was blocked with all kinds of virus warnings... but if you view the source of the new posts page, there's no link to it. But it doesn't happen every time.

Our hosting provider is working on this now. Thanks for your patience everyone!

- Hal

Hal Bryan
03-23-2015, 03:54 PM
This should be resolved now - please let us know if you're seeing any additional issues.

Thanks for your patience!

Hal

Check 6
09-26-2015, 10:50 AM
I am receiving "Web Attack: Exploit Toolkit Website 67" warnings via Norton 360 on every page I open.

1600vw
09-26-2015, 04:51 PM
I am receiving "Web Attack: Exploit Toolkit Website 67" warnings via Norton 360 on every page I open.


Same here. Repeat attacks.

Check 6
09-28-2015, 05:32 PM
Was this fixed or did it fix itself? I am not getting the warnings now.

Glory Aulik
09-30-2015, 07:18 AM
We've got it all fixed! Everything should be good to go now.

Check 6
10-11-2015, 11:37 AM
We've got it all fixed! Everything should be good to go now.

It's baaaaack. Web attack: Exploit toolkit Website 67

rwanttaja
10-11-2015, 01:32 PM
It might help the tech folks at EAA if people identify the browser they're using, and the anti-virus program that's detecting the attack.

I'm running Firefox 41.0.1/Microsoft Security Essentials at home, and IE11/McAfee at work. No alerts.

Ron Wanttaja

Check 6
10-11-2015, 01:45 PM
It might help the tech folks at EAA if people identify the browser they're using, and the anti-virus program that's detecting the attack.

I'm running Firefox 41.0.1/Microsoft Security Essentials at home, and IE11/McAfee at work. No alerts.

Ron Wanttaja

Firefox 41.01.1 Norton 360 and IE11

Glory Aulik
10-12-2015, 08:21 AM
Thanks for letting me know! Looking into this now... hopefully we'll get it all fixed today.

Glory Aulik
10-12-2015, 12:12 PM
Everything should be fixed now... please let me know if something comes up again.

Check 6
10-12-2015, 01:09 PM
Everything should be fixed now... please let me know if something comes up again.


It works now, thank you.

cub builder
10-29-2015, 04:25 PM
I am receiving "Web Attack: Exploit Toolkit Website 67" warnings via Norton 360 on every page I open.

I started getting the same warning from my Symantec Endpoint virus checker when accessing the EAA Forums this afternoon. Firefox 38.0.1

-Cub Builder

Kyle Boatright
10-29-2015, 06:34 PM
I got it yesterday, not today. IE7/Norton.

Glory Aulik
10-30-2015, 07:16 AM
I started getting the same warning from my Symantec Endpoint virus checker when accessing the EAA Forums this afternoon. Firefox 38.0.1

-Cub Builder

Thanks for letting me know - I'll check this out ASAP.

Check 6
10-30-2015, 07:44 AM
I am again receiving "Web Attack: Exploit Toolkit Website 67" warnings, using Norton 360 and Firefox. Methinks y'all need a new web host company.

1600vw
10-30-2015, 07:59 AM
I have been getting this for two days now. I run Firefox and keep it updated. It would be nice to know who is doing this. Someone is attacking this site.

Glory Aulik
10-30-2015, 08:25 AM
The corrupted file has been replaced - please let me know if the attacks continue.

Mike Switzer
12-02-2015, 04:37 PM
I have started getting virus warnings on every new page I open here - all are php files coming from http://st.dynamicwords.us/

Glory Aulik
12-03-2015, 11:25 AM
I have started getting virus warnings on every new page I open here - all are php files coming from http://st.dynamicwords.us/


Thanks for letting me know, I'll look into it. Are you still having warnings today?

Mike Switzer
12-03-2015, 11:50 AM
Thanks for letting me know, I'll look into it. Are you still having warnings today?

Yes, same thing

Mike Switzer
12-05-2015, 11:06 PM
Still getting the same virus warnings.

Glory Aulik
12-07-2015, 11:17 AM
Still getting the same virus warnings.


Our hosting provider performed a scan and everything came up clean. Their thoughts are that this may be a virus on your personal PC.

Mike Switzer
12-07-2015, 02:34 PM
Our hosting provider performed a scan and everything came up clean. Their thoughts are that this may be a virus on your personal PC.

They are wrong. It is still happening, and ONLY on this forum, on multiple machines in my office that I have tried. All machines received a full scan over the weekend. The source is still the URL I reported last week.

Mike Switzer
12-07-2015, 02:40 PM
Just to be clear - my FIREWALL is indicating the source of the infected files is http://st.dynamicwords.us/

It is coming from outside of my firewall & being blocked.

Glory Aulik
12-07-2015, 03:00 PM
Just to be clear - my FIREWALL is indicating the source of the infected files is http://st.dynamicwords.us/

It is coming from outside of my firewall & being blocked.

Thanks for the update, Mike. I will keep looking into this and get it resolved ASAP.

Chris In Marshfield
12-07-2015, 03:30 PM
Can you run a Fiddler (HTTP) trace on your end, Mike? From my location, I'm seeing no traffic to the above-mentioned URL. And nothing in my Sophos logs.

The only traffic I can see coming from here is www.eaaforums.org and www.google-analytics.com.

I'm not planning on troubleshooting this any further, but just letting you know what I'm seeing outside of your office. :cool:

Glory Aulik
12-07-2015, 05:04 PM
Mike - please let me know if you are still getting warnings. Our provider replaced a file - hopefully that fixes things.

Mike Switzer
12-08-2015, 11:27 AM
I am still getting the warning. And Chris, I don't know what Fiddler is, that is a new one for me.

Is it possible the intermittent warnings that some people see & others don't have something to do with the Facebook links on this forum? After I have been here I frequently get aviation related advertising on my Facebook news feed.

Chris In Marshfield
12-08-2015, 02:08 PM
Traffic is tracked on these forums with Google Analytics. It's quite possible that those ads are being targeted from that service based on your visits here.

Mike Switzer
12-08-2015, 04:31 PM
I am now no longer getting the warning.

Glory Aulik
12-08-2015, 04:41 PM
I am now no longer getting the warning.

Glad to hear it!

Dana
12-29-2015, 05:28 AM
I hadn't seen it for awhile but it just happened again when I tried to access "new posts":

URL: http://eaaforums.org/clientscript/vbulletin-core.js?v=422|{gzip}
Infection: JS:Iframe-EON [Trj]

FWIW, I had just upgraded Avast.

Oddly, "new posts" showed only one post, that wasn't new (I had made the last post, so there were no new posts).

Glory Aulik
12-29-2015, 11:02 AM
I hadn't seen it for awhile but it just happened again when I tried to access "new posts":

URL: http://eaaforums.org/clientscript/vbulletin-core.js?v=422|{gzip}
Infection: JS:Iframe-EON [Trj]

FWIW, I had just upgraded Avast.

Oddly, "new posts" showed only one post, that wasn't new (I had made the last post, so there were no new posts).

Hi Dana -

Thanks for the heads up. I'm having our hosting provider look into this issue now.

Glory Aulik
12-29-2015, 03:09 PM
Our provider performed a scan which came back clean, they did however replace a few files just in case. Please let me know if you are still receiving virus warnings!

Dana
12-29-2015, 04:47 PM
Our provider performed a scan which came back clean, they did however replace a few files just in case. Please let me know if you are still receiving virus warnings!

Got the same warning again, just a few minutes ago. Seems to happen only the first time I load the website in a session. My bookmark is to "new posts", http://eaaforums.org/search.php?do=getnew&contenttype=vBForum_Post

Kyle Boatright
01-03-2016, 08:46 AM
Got the Web Attack Toolkit 16 virus warning just now. There were a half dozen active topics when I pulled up the "new posts", and that's when the virus warning occurred. I'm running IE7 and Norton.

Glory Aulik
01-04-2016, 08:29 AM
Got the Web Attack Toolkit 16 virus warning just now. There were a half dozen active topics when I pulled up the "new posts", and that's when the virus warning occurred. I'm running IE7 and Norton.

Thanks for letting me know, Kyle! I'll have our hosting provider look into this.

Glory Aulik
01-04-2016, 11:05 AM
Thanks for letting me know, Kyle! I'll have our hosting provider look into this.


Got the same warning again, just a few minutes ago. Seems to happen only the first time I load the website in a session. My bookmark is to "new posts", http://eaaforums.org/search.php?do=getnew&contenttype=vBForum_Post

Kyle & Dana - Can you please let me know if you are still getting the virus warnings after clearing your browser cache?

Kyle Boatright
01-04-2016, 07:25 PM
Kyle & Dana - Can you please let me know if you are still getting the virus warnings after clearing your browser cache?

No warnings tonight.

Dana
01-04-2016, 10:42 PM
I didn't get the warning this evening, did not clear the cache, and the forum is much faster loading. So whatever you did, thanks.

Glory Aulik
01-05-2016, 08:18 AM
I didn't get the warning this evening, did not clear the cache, and the forum is much faster loading. So whatever you did, thanks.

Great to hear! :)

Dana
01-15-2016, 07:15 PM
Virus warning is back... as is super s-l-o-o-o-o-o-o-w forum response....

Mike Switzer
01-17-2016, 06:43 PM
Tonight I started getting a virus warning again immediately upon opening the forum.
File name: vbulletin-core.js?v=422
Virus name: Trojan.JS.Agent.ctu
Path: http://eaaforums.org/clientscript/vbulletin-core.js?v=422

Glory Aulik
01-18-2016, 09:05 AM
Tonight I started getting a virus warning again immediately upon opening the forum.
File name: vbulletin-core.js?v=422
Virus name: Trojan.JS.Agent.ctu
Path: http://eaaforums.org/clientscript/vbulletin-core.js?v=422


Virus warning is back... as is super s-l-o-o-o-o-o-o-w forum response....

Thanks for letting me know - I'll contact our provider.

Glory Aulik
01-18-2016, 04:49 PM
Please let me know if you are still getting virus warnings! The corrupted files have been replaced.

Dana
01-18-2016, 05:13 PM
Seems OK now, thanks!

Mike Switzer
01-19-2016, 12:04 PM
OK here also

Glory Aulik
01-19-2016, 02:07 PM
Great to hear!

rwanttaja
02-09-2016, 07:18 PM
Got it at work today...the whole EAA forum section was classified as a malicious site, and the corporate firewall wouldn't let me access at all. Company uses McAfee. Warning notice:

URL: http://www.eaaforums.org/
Categories: Malicious Sites
Proxy: wp-ewa-02

Ron Wanttaja

martymayes
02-09-2016, 08:11 PM
Getting virus warning right now, first time for me.

1600vw
02-10-2016, 05:21 AM
Getting virus warning right now, first time for me.

I am not getting this anymore. This must be a headache for the IS department. I have never had this on any other website but this one. Someone does not like the EAA. That someone is a jerk. JMO.

Glory Aulik
02-10-2016, 08:17 AM
Taking a look into it now!

Glory Aulik
02-10-2016, 10:45 AM
Our provider is still looking into this issue, but suggested clearing out your browser cache first and then seeing if you are still receiving the virus warning.

Glory Aulik
02-11-2016, 08:11 AM
Checking back here - is anyone still receiving the virus warning?

Kyle Boatright
02-11-2016, 06:31 PM
Checking back here - is anyone still receiving the virus warning?

Not today.

Glory, what's the story on this? This board is the only one which has ever caused my anti-virus protection to alarm, and it has happened a dozen times or more.

None of the other 10 or so boards I participate in has ever been flagged by my antivirus in the 20 years I've been active on the internet.

rwanttaja
02-11-2016, 08:04 PM
Checking back here - is anyone still receiving the virus warning?

My company's still blocking it...get a red warning banner every time I click the bookmark. Suspect they need proof to take a site OFF the list.

Too bad, really. My co-workers are missing the hoots of derisive laughter coming from my cubicle during lunch break.....

Ron Wanttaja

rleffler
02-13-2016, 06:06 AM
My company's still blocking it...get a red warning banner every time I click the bookmark. Suspect they need proof to take a site OFF the list.

Too bad, really. My co-workers are missing the hoots of derisive laughter coming from my cubicle during lunch break.....

Ron Wanttaja


In a past life, I managed a large SaaS site. Every once in a while, one of our customers would do something stupid causing us to get blacklisted. It was a nightmare, because then my staff would have to contact each blacklisting service to get our domain and IPs removed from their list. It's a PITA and a real resource drain, but unfortunately, it's a fact of life today.

Where I work now, my company uses Websense and is in the process of moving to Intel Security. Websense has always blocked the EAA Forums. If my memory serves me correctly, there are five scripts that they didn't like. At the moment, the forums aren't blocked by Intel Security.

If you are really bored, you can check out CSI.websense.com to see what they think about your favorite web site.

The point is that most of us in corporate America have no control over these settings. Flushing our browser cache will have no effect either. The EAA has to work with the major black/white providers to ensure their sites don't get blacklisted. Yes, corporate IT can override these settings. Most will require business justification for the override. I don't think many of us can convince IT that there is business justification for forum access at work.

So Ron, I, and many others are sitting in the same boat. Some waiting more patiently than others........

Glory Aulik
02-15-2016, 08:11 AM
Thanks for the info everyone! I will continue to work with our provider to figure this out. Sorry for the inconvenience. Stay tuned for an update!

Glory Aulik
02-15-2016, 11:24 AM
My company's still blocking it...get a red warning banner every time I click the bookmark. Suspect they need proof to take a site OFF the list.

Too bad, really. My co-workers are missing the hoots of derisive laughter coming from my cubicle during lunch break.....

Ron Wanttaja

Ron - a possibility for the issue is that someone within your company listed the forums as being suspicious and it may take some time, if ever, before the site is unlisted.

Suggestions from our provider to help us eliminate some options is to first reach out to your company's IT department and see if they have blocked it and are willing to unblock it.

If the warnings continue let me know and we can work through some other options.

Thanks!
Glory

rwanttaja
02-15-2016, 07:35 PM
Ron - a possibility for the issue is that someone within your company listed the forums as being suspicious and it may take some time, if ever, before the site is unlisted.

Suggestions from our provider to help us eliminate some options is to first reach out to your company's IT department and see if they have blocked it and are willing to unblock it.

If the warnings continue let me know and we can work through some other options.

Eh, probably not worth it...there's a process, but I have to state that access is work-related. Ironic, when you consider I work for a major EAA advertiser.....

In other good news, I found that emails from connect@eaa.org are going directly into my Comcast spam folder.....

Ron Wanttaja

Glory Aulik
02-16-2016, 12:10 PM
Eh, probably not worth it...there's a process, but I have to state that access is work-related. Ironic, when you consider I work for a major EAA advertiser.....

In other good news, I found that emails from connect@eaa.org are going directly into my Comcast spam folder.....

Ron Wanttaja

Another option is to delete the bookmark and clear any cookies.

rwanttaja
02-25-2016, 07:30 PM
Another option is to delete the bookmark and clear any cookies.

Here's the McAfee site that shows EAA Forums as a high-risk domain:

http://www.mcafee.com/threat-intelligence/domain/default.aspx?domain=http://www.eaaforums.org/

Offhand, I don't think it's my cookies.....

Ron Wanttaja

Glory Aulik
02-26-2016, 08:16 AM
Thanks for the heads up, Ron! I have submitted a request to remove it as a high risk domain. No word yet.

rwanttaja
03-30-2016, 12:09 PM
Thanks for the heads up, Ron! I have submitted a request to remove it as a high risk domain. No word yet.

Looks like it worked. McAfee now shows the site as low risk, and I can access it again. Thanks!

If folks complain again about virus warnings, it might be worth another look at the McAfee site to see if eaaforums.org somehow got graduated to a higher risk level.

Ron Wanttaja

Glory Aulik
03-30-2016, 01:48 PM
Looks like it worked. McAfee now shows the site as low risk, and I can access it again. Thanks!

If folks complain again about virus warnings, it might be worth another look at the McAfee site to see if eaaforums.org somehow got graduated to a higher risk level.

Ron Wanttaja

:thumbsup: Awesome!

Mike Switzer
04-18-2016, 10:47 AM
I am getting a warning again, every time a page opens on these forums. Tried clearing the cache but it is still there. It wasn't doing this yesterday.

The file name is vbulletincore.js?v=422 path http://eaaforums.org/clientscript/vbulletincore.js?v=422

Glory Aulik
04-18-2016, 11:56 AM
I am getting a warning again, every time a page opens on these forums. Tried clearing the cache but it is still there. It wasn't doing this yesterday.

The file name is vbulletincore.js?v=422 path http://eaaforums.org/clientscript/vbulletincore.js?v=422

Thanks for letting me know! I'll get our provider to look into it.

Glory Aulik
04-19-2016, 09:13 AM
I am getting a warning again, every time a page opens on these forums. Tried clearing the cache but it is still there. It wasn't doing this yesterday.

The file name is vbulletincore.js?v=422 path http://eaaforums.org/clientscript/vbulletincore.js?v=422


Mike - are you still getting a warning? Our provider has replaced the JavaScript file you provided.

Mike Switzer
04-19-2016, 10:06 AM
It is still doing it - same error. Cleared cache again & still getting the warning.

Mike Switzer
04-21-2016, 02:10 PM
This is the first time I have had time to check in here since sometime yesterday, the warning is no longer coming up on my machine.

Glory Aulik
04-21-2016, 02:15 PM
This is the first time I have had time to check in here since sometime yesterday, the warning is no longer coming up on my machine.

Good to hear! Thanks for your patience.

Kyle Boatright
05-18-2016, 06:38 PM
The virus warning is back for me. Norton caught it as soon as I opened the forum.

Glory Aulik
05-19-2016, 07:55 AM
The virus warning is back for me. Norton caught it as soon as I opened the forum.

Thanks for letting me know! Having our provider look into it...

Glory Aulik
05-19-2016, 09:09 AM
The virus warning is back for me. Norton caught it as soon as I opened the forum.

Kyle - Can you please clear your cache and let me know if you're still getting the warning? Thanks!

Kyle Boatright
05-19-2016, 07:04 PM
Kyle - Can you please clear your cache and let me know if you're still getting the warning? Thanks!

Didn't clear the cache. Didn't get it this evening.

Glory Aulik
05-20-2016, 07:14 AM
Didn't clear the cache. Didn't get it this evening.

Great to hear, thanks!