Virus

DallanC · Site Admin Joined: Jan 18, 2005 Posts: 3572 Location: Utah

I am getting reports from users about a virus when they attempt to access HuntingNut. I am talking to my webhost to see if this is valid, or it its a false positive.

Details to follow as I learn more.

-DallanC

DallanC · Site Admin Joined: Jan 18, 2005 Posts: 3572 Location: Utah

From my host:

Quote::

Hi,

I am sorry, but it look like a cached or false positive alarm on AVG. I have performed a full scan on your account and the result is just positive;

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
scan completed on /home/hunting/public_html: files 27482, malware hits 0, cleaned hits 0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Also, checked the domain with other antivirus site like McAfee, Norton etc and those results showing there is no infections on your account.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
huntingnut.com

We tested this site and didn't find any significant problems.
Are you the owner of this site? Leave a comment
Contact information: Country Popularity

United States

Some users
Automated Web Safety Testing Results for huntingnut.com
E-MAIL TESTS FOR HUNTINGNUT.COM:
DOWNLOAD TESTS FOR HUNTINGNUT.COM:
Downloads we found on this site:
Download Analysis
PointBlankCRBSv18a.zip
PointBlankCRBSv18a.zip
PointBlankCRBSv18a.zip
PointBlankCRBSv18a.zip
PointBlankCRBSv18a.zip
6 total downloads. See more.
6 green downloads
In our tests, we found downloads on this site were free of adware, spyware, and other potentially unwanted programs.
View detailed analysis
Submit a download for analysis
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Thank you.
Regards,
--
Alex Spaford
Level 2 System Administrator
TotalChoiceHosting INC.

Still digging, into this!

-DallanC

DallanC · Site Admin Joined: Jan 18, 2005 Posts: 3572 Location: Utah

Ok I was able to track down the infection, it does indeed seem we got accessed somehow. I will continue to investigate how this happened, meanwhile the site appears "clean".

If anyone happens to notice any pages that trigger wierd behavior let me know. Apologies for the inconvience!

-DallanC

shrpshtrjoe · Posted: Wed May 29, 2013 1:36 pm Post subject: Re: Virus

Cool

Thanks for your efforts Dallan...

Dawgdad · Posted: Wed May 29, 2013 1:56 pm Post subject: Re: Virus

I had posted a link to a photo hosted on Coppermine and some people said they got a "hack attempt has been recorded" alert when they tried to open it.

DallanC · Site Admin Joined: Jan 18, 2005 Posts: 3572 Location: Utah

Dawgdad wrote:

I had posted a link to a photo hosted on Coppermine and some people said they got a "hack attempt has been recorded" alert when they tried to open it.

Email me the link you used, I will look into it.

-DallanC

DallanC · Site Admin Joined: Jan 18, 2005 Posts: 3572 Location: Utah

shrpshtrjoe wrote:

Cool

Thanks for your efforts Dallan...

Heh no problem. I had a site wide backup made on the 13th of this month, so I made a new backup with the virus, then ran some software I have that does file comparisons to show what changed from one version to the next. It quickly showed the 70'ish files that got modified. I manually restored them all and it seems fine.

As annoying as it is, it seems we are "big enough" that hackers feel we are worth the effort to access.

-DallanC

DallanC · Site Admin Joined: Jan 18, 2005 Posts: 3572 Location: Utah

PS: the trojan really only seemed to affect the newest version of Internet Explorer (version 10), it would just try to redirect the user from HuntingNut to some silly dating site.

-DallanC

shrpshtrjoe · Posted: Wed May 29, 2013 2:27 pm Post subject: Re: Virus

DallanC wrote:

PS: the trojan really only seemed to affect the newest version of Internet Explorer (version 10), it would just try to redirect the user from HuntingNut to some silly dating site.

-DallanC

That's what I have . No problems logging in now Very Happy

.. My Norton antivirus wouldn't even let me log in earlier I guess it works Smile

Ominivision1 · Posted: Wed May 29, 2013 2:54 pm Post subject: Re: Virus

One other thing to watch for is rogue certificates being installed on your web browser(s). If you get redirected to another website, shut down the browser and lock the firewall and open up FF or whatever you use) and go to advance settings (encryption, view certificates) and I found found a rogue sever security certificate installed who knows when (date).

gelandangan · Posted: Wed May 29, 2013 3:10 pm Post subject: Re: Virus

Good on you Dallan!
Thanks for the hard work, I am glad we are back.

Pumpkinslinger · Posted: Wed May 29, 2013 4:19 pm Post subject: Re: Virus

Yep, I was going through HuntingNut withdrawal! Norton blocked it at home and whatever they use at work did the same.

Pumpkinslinger · Posted: Wed May 29, 2013 10:58 pm Post subject: Re: Virus

Hmmm, when I went to the photos here to put some in a post I got that same warning from Norton that I was getting on Tuesday. Here is some of the Norton information.

Category: Intrusion Prevention
An intrusion attempt by www.huntingnut.com was blocked.
Web Attack: Mass Injection Website 5, ,"www.huntingnut.com (208.76.80.141,80) ",www.huntingnut.com/modules/coppermine/scripts.js," Network traffic from www.huntingnut.com/mod...scripts.js matches the signature of a known attack. The attack was resulted from \DEVICE\HARDDISKVOLUME3\PROGRAM FILES (X86)\INTERNET EXPLORER\IEXPLORE.EXE.

Vince · Posted: Wed May 29, 2013 11:36 pm Post subject: Re: Virus

Well done Dallan. Once again your hard work saves our hunting community from a withdrawal meltdown and subsequent depression, anxiety and other psychological maladies mate.

I bow to your superior knowledge and abilities. Bow

Elvis · Posted: Thu May 30, 2013 12:26 am Post subject: Re: Virus

good on you DallanC
YOU THE MAN