Virus?
Willow O Whisper
Ok avast has been warning me all day about a virus/worm on guru O_o
any of you guys getting anything?
Pew Pew Peace
yep that was today.
szim
every time i try to load gwguru site i get a message that some trojan wants to download on my pc. guru is infected again, please do something with it.
'2009-05-14 13:22 Firefox Zabroniono: Trojan-Downloader.JS.Iframe.akw'
try to fix your main index.php and look for it in sql database.
quote:
"You need to speak to your site HOST as php or sql injection is something that they should be aware of and taking steps to prevent it. As far as PHP goes older versions of the software have vulnerabilities which are being exploited.
Change your site passwords to something a little stronger to see if that helps and seek help from your HOST provider, ensuring they have the latest versions of PHP/SQL, etc...
Obviously once exploited your site would become a soft target, so at the very least you need strong passwords and change the chmod permissions for pages so they aren't able to be modified by other than the owner."
lewis91
Quote:
Originally Posted by szim
every time i try to load gwguru site i get a message that some trojan wants to download on my pc. guru is infected again, please do something with it.
'2009-05-14 13:22 Firefox Zabroniono: Trojan-Downloader.JS.Iframe.akw'
try to fix your main index.php and look for it in sql database.
quote:
"You need to speak to your site HOST as php or sql injection is something that they should be aware of and taking steps to prevent it. As far as PHP goes older versions of the software have vulnerabilities which are being exploited.
Change your site passwords to something a little stronger to see if that helps and seek help from your HOST provider, ensuring they have the latest versions of PHP/SQL, etc...
Obviously once exploited your site would become a soft target, so at the very least you need strong passwords and change the chmod permissions for pages so they aren't able to be modified by other than the owner."
Same here, pages are loading very slow, and kaspersky is going crazy.
http://img24.imageshack.us/my.php?image=kasperskyo.jpg
There's a link to the screenshot (I didn't post it in this post because 1 scripts are failing, instead of the actual page I'm seeing scripts "vbphrase["enter_link_text"] = "Enter the text to be displayed for the link (optional):"; vbphrase["enter_list_type"] = "What type of list do you want? Enter '1' for a numbered list, enter 'a' for an alphabetical list, or leave blank for a list with bullet" That's just a short list of what I'm seeing right now.)
tasha
Had this enter itself into the text field automatically when doing a quote reply to threads. You can see that a few people didn't notice it and posted it on the following thread: http://www.guildwarsguru.com/forum/s...369450&page=43
Kattar
I've noticed that in Riverside as well. Either something isn't parsing correctly in the jscript, the stylesheet has gone goofy, or there's something else more malicious at work here.
Please post what browsers you're using. I'm in Firefox and can post without the code being inserted.
Fallen SeraphiM
Getting Avast warnings about a virus the whole day... it's annoying, btw using Chrome as browser
tasha
I'm using Opera 9.64
Kumu Honua
This is probably what is breaking the wysiwyg editor as well (Wall of text above the text editing options).
http://www.google.com/safebrowsing/d...ala.or.jp/bto/
Google seems to know something about it.
I'm also using FF3. I am getting no virus warnings though. Perhaps due to my NoScript/Adblock settings not allowing it to run.
MithranArkanere
FF3.0.10
Avast!
I hope this message gets posted.
??iljo
FF, kaspersky going crazy here as well, had to block scripts
Inde
please let me know if you are still getting this
Pew Pew Peace
Quote:
Originally Posted by Inde
please let me know if you are still getting this
yep still, and look up to this link appears in my posts.
zelgadissan
Kattar
Quote:
Cause I'm not.
Earth
I'm using FF and Windows and I have no problems.
Kumu Honua
Yeah, the script appears to still be there. NoScript is still forbidding plala.or.jp
It's all over the source...
manager
Here at the office i'm not having any problems but back at home, Firefox had the popup blocked dialog/warning going off in a lot of threads.
Kattar
Quote:
Kumu Honua
Quote:
Originally Posted by Katsumi
Yep. We're having to manually delete it from every page. Good times.
Yeah, I was looking to see how pervasive it was. You guys have your hands full.
On a side note: It appears that the code only posts when you try to quote something with the quote button. Dunno if that helps at all.
Redvex
Falling Petal
Oh dear. The reference to the file occurs over 700 times on the homepage alone. You might consider drastic action like disabling access to the site until this is resolved. Third World Internet Users (Windows+IE) are likely going to get eaten up by this in a lot of cases.
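Added example, not part of the thread: one way a site admin could count how often a page's source references script or iframe hosts other than the site's own, as the post above did for the homepage. The host names, the sample page and the `unexpected_hosts` helper are constructed for illustration.

```python
from collections import Counter
from html.parser import HTMLParser
from urllib.parse import urlsplit


class ExternalRefCounter(HTMLParser):
    """Count the host of every <script src> and <iframe src> in a page."""

    def __init__(self):
        super().__init__()
        self.hosts = Counter()

    def handle_starttag(self, tag, attrs):
        if tag not in ("script", "iframe"):
            return
        src = dict(attrs).get("src")
        if not src:
            return  # inline script, nothing loaded from elsewhere
        host = urlsplit(src).hostname  # None for relative (same-site) URLs
        if host:
            self.hosts[host] += 1


def unexpected_hosts(html, allowed):
    """Return {host: count} for script/iframe hosts outside `allowed`.

    A host is allowed if it equals an allowed domain or is a subdomain of it.
    """
    parser = ExternalRefCounter()
    parser.feed(html)
    parser.close()
    return {
        host: count
        for host, count in parser.hosts.items()
        if not any(host == a or host.endswith("." + a) for a in allowed)
    }


# Constructed sample: a forum page where the same off-site script tag
# has been appended after every post.
INJECTED = '<script src="http://injected.example/x.js"></script>'
SAMPLE_PAGE = (
    '<html><head><script src="clientscript/global.js"></script>'
    '<script src="//static.forum.example/menu.js"></script></head><body>'
    + "".join(f'<div class="post">post {i}</div>{INJECTED}' for i in range(3))
    + "</body></html>"
)

if __name__ == "__main__":
    print(unexpected_hosts(SAMPLE_PAGE, {"forum.example"}))
```

Running the same check after a clean-up shows whether any copies were missed, and the function works equally on post bodies exported from the database.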
Rainywinter
I got Kaspersky Internet Security and Firefox, and I endlessly get this message:
detected: Trojan program Trojan-Downloader.JS.Iframe.akw
Kaspersky keeps blocking it which makes the site run extremely slow.
Inde
And now. Is anyone else getting instances of this?
Kumu Honua
It's still all over the source.
Falling Petal
This site is running quite an old version of vBulletin, here is an example of a SQL injection vulnerability in vBulletin:
http://securityreason.com/wlb_show/WLB-2008110035
This particular one would require admin access to the site to exploit, but doubtless there are others. It could also be a vulnerability in an add-on if this site uses any. If the original vulnerability is not patched a clean-up will be a waste of time because the bad guys will be right back in.
I would again recommend closing access to the site to protect novice users with poor internet security, until the site can be upgraded/fixed or whatever you plan to do
Snograt
Firefox is displaying the skinless version of the site (I'm assuming this is deliberate?) - so I thought I'd double check with the brand new, shiny IE8.
Is that benign?
Kattar
Yeah, we know Snog, Inde did it. I was just about to post it to make sure no one's crapping their pants.
-Sonata-
Snog,
I can confirm, on my screen, that my view is skinless as well. I'd assume it's being done purposely. Looks almost like a "safe Mode".
To add to personal info:
I'm running Vista 32-Bit and Avant Browser. I've received no issues from visits - clean so far. I do, however, see the script text in posts.
Inde
All right, this should be resolved now. Please send me a PM if you experience anything else.
We had someone do an Sql Injection if you are curious as to the cause. I really appreciate all the help you gave us to track this down. The problem has been fixed, we're fully upgraded and we'll monitor closely the rest of the day.
zelgadissan
Hooray I can successfully quote without plala or jp junk in my quotes! Well done to Inde, Kat, and whoever else had to manually delete this crap.
PS Snoggy, delete some PM's already
makosi
Does anybody know what the virus is capable of doing to those with vulnerable systems?
Back then
do i need to scan my computer?
Inde
Well one would always recommend doing regular scans of your computer for viruses, spyware, etc..
Looking at google you can see that this particular site has previously infected 240 domains. Lucky us.
zelgadissan
I scanned my computer (you can see above that one of my posts was affected) and found nothing.
That said, all the bad that it could possibly do would be to take up your resources for an hour, so you really should just to be on the safe side.
Inde
All right, more updates... yes we're still working on seeing how this happened and more. There were a lot of files modified with holes in them, we cleared that out. We also put measures in place to prevent the commands that were run. Once again, thank you for all the PM's, emails, IRC messages and more. Funny enough this is the same sql injection that hit Symantec earlier this year, producers of Norton AntiVirus.
Inde
And I see I disabled gwbbcode in the process as well. I'll see about getting that back up and running today.
Braxton619
I'm using NOD32 and not getting any warnings.
honnaja
I haven't read all the thread, just the first few posts, but just wanted to say well done/thanks to the admin people
I was getting a virus warning too yesterday from Avast, something about 'html:script-inf'. I chose to 'abort connection' when it popped up, and consequently couldn't load this site. I emailed them, and already it seems to be fixed, so thanks again.