Ghost Recon.net Forums

F.A.O. Forum Managers (and users)...



First up, this post is ONLY here to help and for information. I personally am not making accusations of any kind lol, and my only intent with this post is to aid people in protecting their PCs and also importantly, also hopefully helping to protect the interests of GR.net too :)!

I haven't gone back and read it again, but I remember someone posting the other day that they "suspected" that a Virus (Trojan, Worm, whatever) had infected their PC after visiting GR.net, obviously nobody could be sure and it seemed that it was mostly speculation at the time!!!

I was over at a friend's today and told him of this site and he hooked up his comp and logged on here.....We were logged on for about 8 minutes and visited no other sites, downloaded nothing and used no other Internet Applications and he ended up with MSBlast from his brief visit RIGHT HERE :(!!! He then tells me that he has NO Firewalls, NO Antivirus Software at all, and HADN'T been to the Windows update site to download ANY Critical Updates, or at least gone and got the MSBlast Protection Patch either. Basically he is an inexperienced user and in the process of learning what it's all about. How did I know he had got MSBlast??.....As soon as he logged off something started hammering his CPU for no reason at all, I checked his Task Manager and right there in the list was the notorious "Teekids.exe", a known .exe of the W32.Blaster.C.Worm (I also quickly checked the date and time the "teekids.exe" was created too, and it was 4 minutes before he had logged off as well). Fortunately for him in this case, I happened to have a Compact Flash card with me, and on it was Symantec's Stand Alone FixBlast, we stuck it straight in his CF Card reader and got it running for him, we got it straight away and luckily for him, no damage was done (this time at least). Needless to say, I directed him to the Win Update site and showed him how to d'load the necessary files to up his protection and he will be getting a Firewall and an AV App too lol!!

I got home and to make sure it wasn't just some sort of one off or otherwise. I have an old Laptop that I use for testing all sorts of things. I did a completely fresh install of Windows on it and installed no other apps at all. Then I logged onto GR.net for 3 minutes with no protection at all and none of the Critical Updates or Blast Protection Patches installed at all either, then quickly logged off again and I too had picked up MSBlast on the old Lappy too!!! Bad news huh :(??

Hopefully this post will help the Managers as it does seem the Site has been compromised somehow guys :(, I hope you can sort the problem and not end up with problems with your individual PCs too though and good luck with it obviously :)!!

For general users.....This further highlights the fact that the W32.Blaster series of Worms is still causing regular and continual chaos and catching those with little or no protection out when they think they are safe, or for the less experienced users it is hammering them relentlessly!! Remember also, this Worm has the ability to affect ANY Website, even those we may trust the most and view as safe and perfectly legitimate, and it's not the fault of the Website's Managers etc when it happens, it's essentially what this Worm is designed to do and it is one sneaky ######! It's not just Sites that you may view as suspect that you are likely to encounter this one!!

If ya not sure what to do to give yaselves some protection (for the less experienced that share the site here), then at the very least......

1. Visit the Windows update site and download EVERY Critical Update available there, if you do nothing else after, ENSURE you at least do this.

2. Purchase a reliable AntiVirus app such as Norton etc, or if ya can't spare the cash, AVG do a very good AV Application too!

3. Also invest in a reliable Firewall too, again there are free ones available that can at least give another layer of protection. The McAfee Firewall V4.0 is very good and the Norton Personal Firewall is also obviously highly rated too and they don't cost a fortune either!!

Hopefully the Forum Managers here can trace the problem, but remember that ANY Website we may visit is potentially infected and it can be passed on to anyone logging on in seconds, with no protection you wouldn't know about it at all till it was far too late either!!

Hope this is of use to the regular users and to the managers, again I hope you can track the problem and have a successful outcome to it :)!!

Edited by Urban_Tiger

If you're referring to my post, I cannot say visiting GR.net caused the problem. I was on a shared computer so I don't exactly know when this ###### has come in.

I suspect it was just a local thing and after some scans it was easily removed. Also I keep this computer running with firewall, latest MS patches and do regular virus sweeps.

Thanks for your concern to keep this forum for all of us running :thumbsup:


Heya Bluerose,

As said m8, I couldn't remember whose post it was and didn't go back and check m8 lol......But today's events definitely highlighted that there is a distinct possibility that MSBlast could be floating around here unfortunately :(!!!

I'm fairly well protected too and touch wood, haven't been infected and won't be either taking all reasonable measures.

Obviously not all that share the forum either have that luxury or maybe the experience to know what to look for etc and it's mainly there for them to help them avoid a nasty brush with the Dark side of computers......

Despite what I've seen today too, I obviously still can't say for 100% certain that Gr.net is infected either, but a good deal of evidence tends to point in the direction that it just "MIGHT" be having seen it happen twice in a very short space of time and one of those times specifically putting a PC at risk to see if it could be a cause too.

Even if some checking does turn out to be all clear, hopefully the info will still help people and it just might not be GR.net that it was picked up from either, but it would then make explaining where it did come from when no other sites were visited, no downloads initiated at all, or any other net activity at all one hell of a ###### to then account for too rofl.

It's a nightmare however ya look at it tho, and either way hopefully the managers can have the heads up of possible naughtiness and that way Gr.net will remain running sweetly as ever for all that share the forum :)!!


He did not get the Blaster worm from here. The site is clean, it has been checked. I have checked it myself, as has Rocky, and the other admins.

The blaster worm comes in through an open port on your PC.

You get viruses only through email, open ports on your PC where your ISP servers are used to attack the entire network as with the msblast worm, or someone deliberately infects your PC.

Almost (99.5%) never from a website, as that is traceable, and hackers don't want to be traceable.

The people who came up with msblast and like worms attack through ISPs. It gets on the ISPs' servers, and is then subsequently sent to users. We have a thread about this.

As for bluerose the other day, that had nothing to do with the site either, he had gotten a Trojan from visiting another domain that someone had used to maliciously attach it to. We tracked down where he got it, and he got rid of it.

Bottom line is, each individual needs to protect their own PC.

The bottom line is everyone needs to protect themselves by either router, firewall, and/or AV software.

For the record, there is NOTHING attached to ghostrecon.net.

See this thread for more on that worm and other trojans and worms.

They very rarely come from sites. You get viruses through open ports on your PC, mostly in emails that you can't identify, some don't even need to be opened, merely downloaded or are deliberately placed on your PC. But very very rarely from just visiting a site.

So let's please not start a ghostrecon.net virus scare, as it is absolutely false.


As said in my post, I wasn't making any solid stone statements on Gr.net obviously to not initiate a scare, but to hopefully help all here to protect comps as far as they possibly can :)!

Although MSBlast primarily gains access to PCs by someone initiating Port Scanners on vulnerable machines and if the right port is open agreed completely, basically slipping the Worm in thru the Backdoor like so many other nasties.......

....It is also becoming well known and frequently common, that as people become more wise to that fact that Worms are slipped in thru unprotected ports and protecting their ports more efficiently. Those that choose to utilise the Worms to wreak their havoc are having to seek other means of transferring their code. Thus they are readily hacking into legitimate websites and adding the required code directly onto the content of any Sites they gain access to, obviously when they do this it is hard to detect and can sometimes go untraced until problems start to occur.

When a user then visits that website, along with all the other items that load on the page, if the page has been maliciously altered then the inserted code also automatically runs and installs the necessary .exe's straight onto a users PC. and regardless of how your ports are protected, MSBlast is and has been transferring by this method too by direct running from Web pages :(!! That's what I was referring to as it is a real nasty way to work, but obviously, for those that use these scripts, an effective one too and further to the problem, most AV apps don't pick it up when it runs in a webpage like that either :wall: !!

It has indeed also been rare that such files have been transferred by anything other than suspect websites I agree, but it unfortunately is becoming more common that busy legitimate sites are being affected in this manner too :(!!

The main thing is obviously though that Gr.net is clear and at least if nothing else, it was checked personally by the Administrators. Better safe than sorry even if all is clear than any other outcomes to the issues and if anything, that's exactly what will help avoid scares for people to know that the site is checked regularly too :)!!!

I'm glad it is for one lol, it's one of the best forums on the whole damn web :)!!

Edited by Urban_Tiger
It has indeed also been rare that such files have been transferred by anything other than suspect websites I agree, but it unfortunately is becoming more common that busy legitimate sites are being affected in this manner too :(!!

I have not heard of this, as far as I know it only spreads by running a port scan for port 135 from infected machines. I have never heard of it spreading via websites - can you link me up to news on that please?

It has indeed also been rare that such files have been transferred by anything other than suspect websites I agree, but it unfortunately is becoming more common that busy legitimate sites are being affected in this manner too :(!!

I have not heard of this, as far as I know it only spreads by running a port scan for port 135 from infected machines. I have never heard of it spreading via websites - can you link me up to news on that please?

First, I want to say that in no way am I discounting Urban Tiger. Not at all.

If this is indeed happening, I want to see some examples so that I can learn from it. I don't want ya to take my post wrong is all, UT. :thumbsup:

It is news to me also. The MSBlast worm and its like are strictly port buggers that are generally distributed via ISP to ports on client machines.

The worst I have ever seen come off of a website itself is a questionable or obnoxious script, and only then from disreputable or spyware pages.

Most (98%) viruses infiltrate via email.

If there is a new one(s) out there using reputable webpages to infiltrate, I would like to know how, and see some examples please.

Blue Rose was taken in by this ruse. He had gotten a nasty Trojan that had been masked by a reputable search engine and infiltrated through a port on his PC to make him think it came from madsearch.com I believe it was, but their site was blamed when in fact the trojan had only used their domain, not their site. The trojan then affected his current web pages, most specifically ghostrecon.net, by attaching itself to the files in his cache on his local PC, making it look like it came from a website, when in fact this wasn't the case at all.

The virus gets in through a port or an email. Executes and resides in your IE cache and temp files attaching itself to those files your history uses for quickloads, thus making a reputable guy like Rocky look like he's lower than prehistoric frog poop. But it is all a ruse.

Bottom line:

Run AV Regularly, as well as one or two Trojan cleaner/removal tools regularly, and clean and clear your IE temp files and history regularly as well as Win Temp files, and all should be good.

Also ignore unknown emails, and even emails from friends and family with .pif extensions, as these are most likely from some bored obnoxious schmuck who heisted your email address book, or a member of your family or friends.

I don't run an AV program or even have one installed. I just follow the steps above, and I have all unused ports to my PC closed off, and aside from the blast worm, haven't had a virus in years, and I'm connected 24/7.

If you are a computer novice, or too busy to run the port scans and subsequent tools, I recommend running a good AV program.

I have just never felt the need to personally, nor the want because they take up system resources, and they can interfere with some software installs and some network programs. But that is a personal choice on my behalf only.

WARNING : DO NOT FOREGO ANTI VIRUS SOFTWARE BECAUSE I DO. YOU DO SO AT YOUR OWN RISK AS DO I.

IF YOU DO, DO IT KNOWING THAT YOU ARE AT RISK, AND DO IT ONLY AFTER PRECAUTIONS SUCH AS THE ONES I TAKE ARE COMPLETE TO YOUR SATISFACTION. YOU CAN RISK LOSING ALL YOUR DATA AS RUIN CAN ATTEST FOR US.


Phantom.....Nothing is taken the wrong way at all m8 :). After all, forums are for discussion, information and debate m8 lol :)!!

I didn't believe it at first either from what I had read on them too when I first heard of things happening this way, that it could be inserted into webpages and executed. But when you consider that such code is inserted into malicious websites all the time and people are directed there under false pretences and a code can run, then it doesn't take much to also realise that any legitimate website can be hacked by experienced hackers, and once in they can insert any code they wish into a webpage on the hacked site that will then run until a Webmaster finds that code and removes it again.

Don't know if you read, but I recently had a huge system problem (not down to Viruses etc, it was Hardware problems), but the long and short of it is that I lost a lot of data (fortunately not the important stuff tho) and with that data was the websites and other sources that gave information of the occurrences of which I speak too.....I am trying to remember what they were and locate them so I can link you guys to them.

If it further helps tho, I got hold of the MSBlast Worm and built some test webpages (again using my poor old "Crash Tests Dummy Laptop" hehehe) and inserted the Worm hidden in amongst the HTML code to see how it ticked, then logged my Laptop on to it and it did indeed pick up MSBlast straight away when I surfed to the page I had constructed, (all ports were closed with a Firewall too and no email accounts were installed on it either, just so you know that it didn't manage to creep in that way lol)!!

It can be done and is!!!

I'm trying to find the links I had, but buggered if I can remember them as I type, typically and always the damn way when you need the damn things lol!!
