RedsZone Malware Attack Discussion

[Ravenlord]

Quote:

Originally Posted by Boss-Hog

Anyone else having this? I think this rules out the ads as the root cause.

first time i've posted in God-knows-when, and i had a worm alert pop on my Norton anti-virus on the Stubbs as #8 hitter thread i posted.

[Boss-Hog]

All,

We need URLs from the site where the attacks are coming from; otherwise, there's nothing to connect the two. Thanks for your help.

[Boss-Hog]

Quote:

Originally Posted by Ravenlord

first time i've posted in God-knows-when, and i had a worm alert pop on my Norton anti-virus on the Stubbs as #8 hitter thread i posted.

Ravenlord, here's what our host had to say about this - if you (or anyone else affected) could supply the bolded information, we would greatly appreciate it. Thanks in advance.

Quote:

Hello,

I have checked the server in detail. I could find that the URL "http://www.redszone.com/forums/showthread.php?t=93571" is being served by accessing the database.

I have checked the tables corresponding to the thread 93571. But I could not find any attachments or suspicious files that are linked to it. Please see the corresponding table pasted below.

--
mysql> select * from thread where threadid=93571;
+----------+---------------------------------------+------------+---------+--------+------+------------+--------------+------------+------------+------------+------------+-------+--------+-------+---------+--------+---------+-----------+--------+-------------+-------------+-----------------------------------+----------+----------+-------------+--------------+------------+--------+----------+----------------+
| threadid | title | lastpost | forumid | pollid | open | replycount | postusername | postuserid | lastposter | dateline | lastedit | views | iconid | notes | visible | sticky | votenum | votetotal | attach | closereason | firstpostid | similar | rss_feed | rss_date | hiddencount | deletedcount | lastpostid |wrdate | prefixid | taglist |
+----------+---------------------------------------+------------+---------+--------+------+------------+--------------+------------+------------+------------+------------+-------+--------+-------+---------+--------+---------+-----------+--------+-------------+-------------+-----------------------------------+----------+----------+-------------+--------------+------------+--------+----------+----------------+
| 93571 | Drew Stubbs is the perfect #8 hitter. | 1326948915 | 7 | 0 | 1 | 17 | WebScorpion | 28 | Ravenlord | 1326849525 | 1326860498 | 749 | 0 | | 1 | 0 | 0 | 0 | 0 | | 2526149 | 87133, 80390, 68946, 78719, 48675 | 0 | | 0 | 0 | 2526762 | | | lineup, stubbs |
+----------+---------------------------------------+------------+---------+--------+------+------------+--------------+------------+------------+------------+------------+-------+--------+-------+---------+--------+---------+-----------+--------+-------------+-------------+-----------------------------------+----------+----------+-------------+--------------+------------+--------+----------+----------------+
--

But I am still not sure about some of the values in the table. Can you please get back to us with the details of the malware that was detected by the antivirus ? This data would be available with the detection report of the antivirus.
Also please discuss this issue with a database programmer as the issue goes deeper in to the codes, we are facing more limitations.

Thank you for the understanding.

[TRF]

I have a fresh install of windows 7, running symantec anti virus and have had no issues whatsoever. all my antivirus is up to date.

[Ravenlord]

info sent, hope it works.

[Boss-Hog]

Quote:

Originally Posted by Ravenlord

info sent, hope it works.

Who did you send it to?

[jojo]

I don't know if this is actually much help but this is what sophos just just flagged:

Virus/spyware 'Mal/Iframe-X' has been detected in "http://www.redszone.com/forums/clientscript/vbulletin_menu.php".

[Boss-Hog]

Quote:

Originally Posted by jojo

I don't know if this is actually much help but this is what sophos just just flagged:

Virus/spyware 'Mal/Iframe-X' has been detected in "http://www.redszone.com/forums/clientscript/vbulletin_menu.php".

That helps...I will look into it.

[Boss-Hog]

I've confirmed that was a malicious file and it has been removed. Please let me know if this continues, and if so, the URL(s).

[BLEEDS]

I had one about a month ago - trojan got in and I have Windows 7 and McAfee - got the one where it takes over all your IE pages and asks you to install "Win7 security" or something, nasty little bugger.

Had to call McAfee and get it scrubbed, and they updated their database. Yikes.

Definitely had to do with ads. Ah well, yet another reason to pay the site fee - I figure I've broken even, given that I hadn't posted in awhile ;-)!

PEACE
-BLEEDS