Attn Herm


Attn Herm

Post by gopostal » Fri Oct 15, 2010 2:41 pm

I subscribe to a listing of websites deemed as blocked by Google. This forum is on the list now:

http://www.google.com/safebrowsing/diag ... rum/&hl=en

Just thought you should know. It looks like someone is hijacking the DNS routing and infiltrating the packets. I did a malware scan after checking this the first time and I scanned cleanly, so it may be someone just trying to grab passwords going back and forth. You oughta look into this Herm, this is some nasty stuff.


Re: Attn Herm

Post by gopostal » Sat Oct 16, 2010 7:55 am

Well, scratch that. Here is a Malwarebytes scan from just now:

Code:

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4848

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

10/16/2010 5:43:43 AM
mbam-log-2010-10-16 (05-43-43).txt

Scan type: Quick scan
Objects scanned: 162973
Time elapsed: 8 minute(s), 8 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\zrpt.xml (Malware.Trace) -> Quarantined and deleted successfully.

Somewhere in the site bounces someone is intercepting and installing a keylogger. If you are accepting any sort of third party ads Herm, or running a "server checker" (or anything third-party with embedded code), you oughta kill it. Someone is using your site to access passwords on the client computers. I don't *think* anyone can do it by putting something in their sig, but it wouldn't surprise me if that were the cause. Have you gotten a new member with some script in their sig in the last few days, or added something like a web counter? That's the sort of thing to look at. If you are unsure Herm, email me and I'll explain how they did this. I probably will not come back here; I just scanned again after posting this and the infection returned (this is the only window open on my comp).

Anyone here ought to scan with MalwareBytes:
http://www.malwarebytes.org/
It is free, safe, and you should be doing it regularly anyway.


Re: Attn Herm

Post by David » Sat Oct 16, 2010 10:51 am

I have used Malwarebytes recently, and it did not locate anything, but I will check again. Thanks Gopostal.
Are you going to pull those pistols or whistle Dixie?


Re: Attn Herm

Post by Hermskii » Mon Oct 18, 2010 10:35 pm

I hate this crap! It seems each time I skip a couple of days of coming here, crap happens. I checked my email and saw that my provider had actually already caught it and cleared it before it got out of hand. I have a list of things from them that I have to do myself too, but I can do it all. I'm about to start all of my scans and such now. I also have not yet looked to see where this started or was detected. I have a feeling though that this will be easy for me to figure out.

Most importantly, thanks for the heads up, and it is good to hear from you!
~Peace~

Hermskii


Re: Attn Herm

Post by Sir Mandrake » Tue Oct 19, 2010 12:04 pm

...and Kudos to your provider for catching and blocking it early, sounds like they are on top of things as well.
--- END OF LINE ---


Re: Attn Herm

Post by Hermskii » Tue Oct 19, 2010 9:13 pm

Scans are all clean on my PC. I thought my wife had possibly been a part of this, but she is cleared now. Work PC is cleared too. Now on towards the site.

Sorry, no redirect log-ins work right now. It is a precaution for now, and I expect to have them open and usable again by the weekend.

I am about half done with doing everything I have to do here to clear this forum's name of malware with Google and such. There was a delay with how this worked too. The original attack happened at 7:00 AM October 2nd. It might not be the same attack, but the forum started getting pinged on then, and that was when my password was first hacked.

Again, I'm sorry about this folks. There is really not a damn thing I could have done about it, but keep this in mind.... I have backups of everything and they happen every single day. I can restore this whole thing if I ever need to in a day or two.
~Peace~

Hermskii


Re: Attn Herm

Post by *POTS* » Thu Oct 21, 2010 8:15 pm

It's good to know everything is working fine now Herm.
Plain Old Telephone Service


Re: Attn Herm

Post by Hermskii » Thu Oct 21, 2010 9:04 pm

OKAY. I now have the all clear from Google, so all warnings should be gone in a day or two. They verified we are all clean here again now and as secure as I can make it, basically. Everything was easier than I thought it would be.
~Peace~

Hermskii
