Principia Discordia

Principia Discordia => Apple Talk => Topic started by: Suu on December 08, 2010, 02:48:03 AM

Title: FAUST.
Post by: Suu on December 08, 2010, 02:48:03 AM
I think there's a virus attached to the ad at the bottom. I keep getting buzzed by Avast that there's a thread.
Title: Re: FAUST.
Post by: Suu on December 08, 2010, 03:18:12 AM
Okay, it's happened 3 times, and Blight mentioned him getting it as well.
Title: Re: FAUST.
Post by: Phox on December 08, 2010, 03:32:52 AM
 :?

I'm not getting an alert. I have Avast, also. How does the site select ads?
Title: Re: FAUST.
Post by: Suu on December 08, 2010, 03:41:09 AM
They're always there at the bottom.
Title: Re: FAUST.
Post by: Phox on December 08, 2010, 03:49:28 AM
Quote from: Suu on December 08, 2010, 03:41:09 AM
They're always there at the bottom.

Ok, so they don't change from user to user or anything fancy like that? Then that is indeed strange that you and Blight would get alerts and I wouldn't.
Title: Re: FAUST.
Post by: Suu on December 08, 2010, 03:58:48 AM
It's from the Ukraine. I traced the IP.  :?

91.217.162.176


DO NOT CLICK.
Title: Re: FAUST.
Post by: Sir Squid Diddimus on December 08, 2010, 05:09:52 AM
I have adblock
Title: Re: FAUST.
Post by: Triple Zero on December 08, 2010, 12:48:29 PM
Quote from: Suu on December 08, 2010, 02:48:03 AM
I think there's a virus attached to the ad at the bottom. I keep getting buzzed by Avast that there's a thread.

Avast is right. There is a thread.

Don't worry about it until it becomes a threat.

Also, didn't you recently have a virus? You sure it's gone? Wiped everything, reinstalled, not used any Word documents or PDFs from when you were infected? Cause a virus can easily change anything in your internets pages. My gf had some thing that always popped up a fake antivirus message whenever she googled something and clicked a result (but not for all searches), until we wiped the whole thing.
Title: Re: FAUST.
Post by: Triple Zero on December 08, 2010, 12:55:24 PM
Quote from: Sir Squid Diddimus on December 08, 2010, 05:09:52 AM
I have adblock

Serious advice, use NoScript in addition to that. And don't use anything else except Firefox. That alone will keep you safe from 99.99999999% if not all browser-based viruses. NoScript might be annoying at first until you whitelist the websites that make up 95% of your browsing habits and require Flash and/or JavaScript, but they are less than you think, and after that you are perfectly safe.

Additionally, "Javascript" is something entirely different than "Java". Hardly any modern website actually uses Java anymore, while Java plugins and the JVM are full of exploits and bad stuff, so you might as well disable Java completely, as well as uninstall anything Java-related from your Software uninstall screen in Windows, because, unless maybe you need it for some sort of work-related application, you really don't need it and it's a huge attack surface.
On the other hand, "Javascript" is used by pretty much every modern website nowadays, but a lot of them degrade gracefully if you disable it, and using NoScript you can manage exactly which sites get to use Javascript and/or Flash and which don't.
Title: Re: FAUST.
Post by: Suu on December 08, 2010, 01:05:40 PM
Quote from: Triple Zero on December 08, 2010, 12:48:29 PM
Quote from: Suu on December 08, 2010, 02:48:03 AM
I think there's a virus attached to the ad at the bottom. I keep getting buzzed by Avast that there's a thread.

Avast is right. There is a thread.

Don't worry about it until it becomes a threat.

Also, didn't you recently have a virus? You sure it's gone? Wiped everything, reinstalled, not used any Word documents or PDFs from when you were infected? Cause a virus can easily change anything in your internets pages. My gf had some thing that always popped up a fake antivirus message whenever she googled something and clicked a result (but not for all searches), until we wiped the whole thing.


I was buzzed. :P


But no, it popped up again this morning, "Threat Detected!" And it's blocking whatever it is. An exe file from that IP address I posted. I got rid of the virus I had, it's not the same thing. I'll look into getting AdBlock. I have AdAware but it never does ANYTHING.
Title: Re: FAUST.
Post by: AFK on December 08, 2010, 01:33:28 PM
I had something weird happen to my computer this morning too while I was on the site, but it was when I was checking out the Facebook thread.  I figured it was something that was attached to that Facebook application. 
Title: Re: FAUST.
Post by: Suu on December 08, 2010, 01:55:14 PM
Weird. I don't think I hotlink images from Facebook, so mine is hosted at Photobucket. Can viruses go through hyperlinks?  :?

Title: Re: FAUST.
Post by: AFK on December 08, 2010, 01:58:46 PM
Well, shortly after I clicked on the link for that Facebook app, my anti-virus thing popped up and detected some changes that were being made to my computer. One of the changes was making something a start-up program. So I rolled back the changes. But then some box popped up that looked like it was scanning my computer, but it obviously was some kind of spam or something (I don't know the technical term) as it wasn't my actual anti-virus program. Eventually I was able to get whatever was happening to stop.
Title: Re: FAUST.
Post by: Suu on December 08, 2010, 02:29:30 PM
Alright, I'll see if I can get an admin to delete the thread.
Title: Re: FAUST.
Post by: AFK on December 08, 2010, 02:43:40 PM
Well, I don't really understand what happened.  I'm not the most computer-savvy person in the world, so I wouldn't necessarily act on my account.  Nobody else has made any complaints about that link so it may have been something else that coincided.  I only mentioned it because other people had weird stuff happening. 
Title: Re: FAUST.
Post by: Suu on December 08, 2010, 02:46:26 PM
To be honest, I'd rather be safe than sorry...and I'm not about to put anyone's system at risk for the sake of a stupid Facebook app.
Title: Re: FAUST.
Post by: Richter on December 08, 2010, 03:09:27 PM
So who was phone  virus?
Title: Re: FAUST.
Post by: Cain on December 08, 2010, 03:12:10 PM
Done
Title: Re: FAUST.
Post by: Suu on December 08, 2010, 03:34:03 PM
Thanks.
Title: Re: FAUST.
Post by: Sir Squid Diddimus on December 08, 2010, 05:40:48 PM
I just finished making my facebook thing.
Is my computer gonna die now??  :?
Title: Re: FAUST.
Post by: AFK on December 08, 2010, 05:48:55 PM
Mine didn't die.  It just was besieged by some kind of program that wanted to scan my computer for viruses.  And it started just as I was starting that FB thingy.  So either it was something else, or your computer has better anti-virus stuff than mine. 
Title: Re: FAUST.
Post by: Sir Squid Diddimus on December 08, 2010, 05:54:52 PM
btw- my shit reads like a big steaming pile of tourette's  :lulz:
Title: Re: FAUST.
Post by: Suu on December 08, 2010, 07:12:16 PM
I just got the alert again. *sigh*

I have no idea what's going on, except that the IP address is from the Ukraine.
Title: Re: FAUST.
Post by: Faust on December 08, 2010, 07:23:21 PM
Which advert is it? Different ones display in each continent. I need to report it to projectwonderful because it isn't just us that it will be affecting.
Title: Re: FAUST.
Post by: Suu on December 08, 2010, 07:24:14 PM
(http://www.projectwonderful.com/img/uploads/pics/41711-1290695715.png)
Title: Re: FAUST.
Post by: Suu on December 08, 2010, 07:25:23 PM
But I don't know for sure if it's that either...Like I said, it's weird. I posted the IP earlier in the thread, I dunno if you or someone more savvy can get a stronger lock on it.
Title: Re: FAUST.
Post by: Suu on December 08, 2010, 07:31:50 PM
I just did a search, it's definitely a virus, and Avast keeps catching it...I just really wanna know the source.
Title: Re: FAUST.
Post by: Faust on December 08, 2010, 07:35:15 PM
Hrm, the eek a poo page seems clean, it's just a web comic and there is nothing funny in the source code.
The IP you gave leads to a page that just has the words Welcome to nginx! on it. Nothing fancy in the code but could have nasty stuff elsewhere on their site. I don't know how

1) What warning did avast kick up?
3) What else was on the page?
4) Does it happen on every page here?
Title: Re: FAUST.
Post by: Suu on December 08, 2010, 08:07:02 PM
I got it. It was something I was infected with. I must have gotten it yesterday. That means everyone else needs to check their systems too.

I used ComboFix and found a walkthrough online.
Title: Re: FAUST.
Post by: Richter on December 08, 2010, 08:10:55 PM
I haven't seen anything perk up Avast or show up on anti-spyware myself. Could it have been predating the advert / Facebook collage?
Title: Re: FAUST.
Post by: Suu on December 08, 2010, 08:23:27 PM
Not sure. Avast sure as hell didn't catch it on the way in.
Title: Re: FAUST.
Post by: Faust on December 08, 2010, 08:58:00 PM
Quote from: Suu on December 08, 2010, 08:23:27 PM
Not sure. Avast sure as hell didn't catch it on the way in.

You caught it yesterday? Any idea if it was from here? Normally projectw are pretty damn stringent on their adverts. In fact, I think they make them for the advertisers; they can't alter the code, just upload an image.
Title: Re: FAUST.
Post by: Suu on December 08, 2010, 09:01:37 PM
To be honest, now I'm not completely sure. I'm just a bit wiggy now considering I'm finishing up my final paper. I'm opening my task manager and going, "OMG OMG OMG WHAT'S THAT" and then remembering it's a normal file.  :x

Viruses are proof that you shouldn't give nerds wedgies in middle school.
Title: Re: FAUST.
Post by: Richter on December 08, 2010, 09:26:04 PM
Viruses are proof that people will be vindictive fucks in any situation, and not have the skill or tact to only punish the wedgie-er when the opportunity to shit in the well comes up.
Title: Re: FAUST.
Post by: Faust on December 08, 2010, 10:36:11 PM
Quote from: Suu on December 08, 2010, 09:01:37 PM
To be honest, now I'm not completely sure. I'm just a bit wiggy now considering I'm finishing up my final paper. I'm opening my task manager and going, "OMG OMG OMG WHAT'S THAT" and then remembering it's a normal file.  :x

Viruses are proof that you shouldn't give nerds wedgies in middle school.

Email that file to yourself, and dropbox it, and whatever other backups you have.
Not because you need that redundancy, but so that you never need to worry about it.
Title: Re: FAUST.
Post by: Triple Zero on December 09, 2010, 01:57:55 PM
Quote from: Faust on December 08, 2010, 07:35:15 PM
Hrm, the eek a poo page seems clean, it's just a web comic and there is nothing funny in the source code.
The IP you gave leads to a page that just has the words Welcome to nginx! on it. Nothing fancy in the code but could have nasty stuff elsewhere on their site. I don't know how

"Nginx" is webserver software, just like Apache or IIS. You probably get that message when you surf to an IP instead of a domain name, because depending on configuration sometimes the server needs to look at which hostname is being requested to know which page it needs to serve (if multiple domains are served from one server with one IP), and then if you use the IP, it gets no hostname, so it gets confused and displays a "welcome!" page instead, because it thinks that you haven't configured the server yet, so you must be new here and wants you to feel welcome to using its humble software to run your server.
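Illustrating the name-based virtual hosting described above, as an added example that is not code from this thread or from nginx itself: a small Python dispatcher picks a site by the request's Host header and, when nothing matches (a bare IP, or no Host header at all), falls through to a default page. In a stock nginx install that fall-through is the packaged "Welcome to nginx!" index page; the vhost names and request lines below are constructed.

```python
# Added example (not nginx code): Host-header virtual-host dispatch.
# Shows why browsing to a bare IP lands on the server's default page
# instead of on any of the sites actually hosted there.

DEFAULT_PAGE = "Welcome to nginx!"

# Constructed vhost table: hostname -> page body (names are made up).
VHOSTS = {
    "example-comic.test": "<h1>Example comic</h1>",
    "www.example-comic.test": "<h1>Example comic</h1>",
}


def parse_host(raw_request: str):
    """Return the Host header value, lower-cased and with any :port
    stripped, or None when the request carries no Host header."""
    head, _, _ = raw_request.partition("\r\n\r\n")
    for line in head.split("\r\n")[1:]:      # skip the request line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "host":
            host = value.strip().lower()
            if host.startswith("["):         # bracketed IPv6 literal
                host = host.split("]")[0] + "]"
            elif host.count(":") == 1:       # hostname:port or IPv4:port
                host = host.rsplit(":", 1)[0]
            return host or None
    return None


def dispatch(raw_request: str, vhosts=VHOSTS) -> str:
    """Serve the matching vhost, or the default page when the Host
    header is missing or names nothing this server knows about."""
    host = parse_host(raw_request)
    if host is None:
        return DEFAULT_PAGE
    return vhosts.get(host, DEFAULT_PAGE)


if __name__ == "__main__":
    # Constructed requests: by name (served), by IP and with no Host
    # header at all (both fall through to the default page).
    for req in (
        "GET / HTTP/1.1\r\nHost: www.example-comic.test\r\n\r\n",
        "GET / HTTP/1.1\r\nHost: 192.0.2.10\r\n\r\n",
        "GET / HTTP/1.0\r\n\r\n",
    ):
        print(repr(req.split("\r\n")[1]), "->", dispatch(req))
```

The same fall-through is why a "Welcome to nginx!" page proves only that a web server is listening, not that the host serves nothing else.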
Title: Re: FAUST.
Post by: Faust on December 09, 2010, 02:03:48 PM
Quote from: Triple Zero on December 09, 2010, 01:57:55 PM
Quote from: Faust on December 08, 2010, 07:35:15 PM
Hrm, the eek a poo page seems clean, it's just a web comic and there is nothing funny in the source code.
The IP you gave leads to a page that just has the words Welcome to nginx! on it. Nothing fancy in the code but could have nasty stuff elsewhere on their site. I don't know how

"Nginx" is webserver software, just like Apache or IIS. You probably get that message when you surf to an IP instead of a domain name, because depending on configuration sometimes the server needs to look at which hostname is being requested to know which page it needs to serve (if multiple domains are served from one server with one IP), and then if you use the IP, it gets no hostname, so it gets confused and displays a "welcome!" page instead, because it thinks that you haven't configured the server yet, so you must be new here and wants you to feel welcome to using its humble software to run your server.

Ah, so if it's not linked up to a domain then it's probably doing something else malicious in communication with the virus on Suu's machine.
Title: Re: FAUST.
Post by: the last yatto on December 09, 2010, 06:55:57 PM
Quote from: Suu on December 08, 2010, 03:58:48 AM
91.217.162.176
Google fu returns reports of it hosting dm3.exe


And

http://www.db.ripe.net/whois?form_type=simple&full_query_string=&searchtext=91.217.162.176&submit.x=0&submit.y=0&submit=Search

Contact info
Title: Re: FAUST.
Post by: Triple Zero on December 09, 2010, 07:54:19 PM
Quote from: Faust on December 09, 2010, 02:03:48 PM
Quote from: Triple Zero on December 09, 2010, 01:57:55 PM
Quote from: Faust on December 08, 2010, 07:35:15 PM
Hrm, the eek a poo page seems clean, it's just a web comic and there is nothing funny in the source code.
The IP you gave leads to a page that just has the words Welcome to nginx! on it. Nothing fancy in the code but could have nasty stuff elsewhere on their site. I don't know how

"Nginx" is webserver software, just like Apache or IIS. You probably get that message when you surf to an IP instead of a domain name, because depending on configuration sometimes the server needs to look at which hostname is being requested to know which page it needs to serve (if multiple domains are served from one server with one IP), and then if you use the IP, it gets no hostname, so it gets confused and displays a "welcome!" page instead, because it thinks that you haven't configured the server yet, so you must be new here and wants you to feel welcome to using its humble software to run your server.

Ah, so if it's not linked up to a domain then it's probably doing something else malicious in communication with the virus on Suu's machine.

I was assuming it's just not set up to serve a webpage when connected via a raw IP. Kind of in the same way as how with some sites you must visit http://www.domain.com but http://domain.com gives an error cause they forgot to configure it. Or the other way around. The point is, it points to a configuration error / oversight, not necessarily that it's hosting a virus.

Um so yeah the point is to figure out what domain name(s) are set up for that IP, because then possibly the server would click and remember it's supposed to serve a website not a server welcome screen. So Reverse DNS Lookup!

... Well, I tried a couple of reverse DNS tools, but they give no hostname for that particular IP, and that is fishy. Because usually at least an IP has some hostname corresponding to their webhost or ISP or something, and the RFCs* say every IP should have at least one hostname.


* RFC = "Request For Comments" is a collection of documents (some over 20 years old) that describe the Protocols of HTTP, TCP/IP, The Internet and Everything. It's the Rules.