Forums Hacked?!



Castius
11-11-2008, 04:54 PM
This forum keeps trying to install an ActiveX plugin called "bol downloader"!

Zane Condren
11-11-2008, 04:59 PM
The MIS team is on the case.

Matt
11-11-2008, 04:59 PM
You're not wrong!

I just had Spyware Doctor block 'Trojan.CHM.Psyme'

Coming from:

"C:\DOCUMENTS AND SETTINGS\MATT\LOCAL SETTINGS\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\JI72R4DX.DEFAULT\CACHE\289B4349D01"

hrgiger
11-11-2008, 05:01 PM
Yeah, I'm getting the same thing on IE which fortunately, is blocking and asking me if I want to install it.

cagey5
11-11-2008, 05:03 PM
Hmmm, guess who just installed it and then spent 15 minutes getting rid of the damn thing...

hrgiger
11-11-2008, 05:13 PM
I'm not getting it at all on my system where I use Firefox.

Silkrooster
11-11-2008, 05:16 PM
On my system I am getting an ActiveX warning from Norton. And the screen is formatted really screwy.
It is called "HTTP MS Unsafe ActiveX Obj Instantiation"
Attacking computer local host.
Destination is Vbulletin.Newtek.com
Need any more info just yell.
Silk

lvsoule
11-11-2008, 05:19 PM
I don't hook my important PCs to the net. I just use the Mac mostly and don't worry about it.

Elmar Moelzer
11-11-2008, 05:24 PM
Getting a virus warning from Antivir as well.
NewTek,fix this!

Castius
11-11-2008, 05:27 PM
Looks like it's cleaned up now. Thanks for the quick attention to it. :thumbsup:

Hopper
11-11-2008, 05:30 PM
Strange .. all I got was .. "Uploading bol downloader to forums." :D

wp_capozzi
11-11-2008, 05:32 PM
I'm still getting something trying to be downloaded or installed in Internet Explorer.

Hieron
11-11-2008, 05:33 PM
lol @ Hopper :)


Same here, still pops up.

calilifestyle
11-11-2008, 05:39 PM
Profiles\vk6mlrzt.default\Cache\4FAAEAD8d01\00002f81.vbs


trojan

Medi8or
11-11-2008, 05:40 PM
Some VBscript thingy trying to download avp.com from Newteks server. Don't use Internet Explorer, but the anti-virus program interrupts my forumreading. Don't really want to disable antivirus, so I use Virtualbox with a Linux-install.. :)

IMI
11-11-2008, 06:28 PM
I get this warning from McAfee on every page I load here. See pic.

KevinL
11-11-2008, 06:31 PM
Same, Mozilla (latest) McAfee reports Exploit-MS06-014. All Pages.

Kevin L

IMI
11-11-2008, 06:32 PM
I betcha Autodesk is behind this.
Those bastards!

geothefaust
11-11-2008, 06:51 PM
lol

I don't doubt that. They KNOW that the strongest part of NT is the community. Attack that... And it will shatter... :O

bobakabob
11-11-2008, 06:58 PM
Kaspersky didn't detect it... though it's acknowledged as a threat... I can't find 999.exe and 999.vbs so hopefully I'm clear. Any more tips on where this might be lurking? Or what we should be looking for? I'm on XP 8~

http://www.viruslist.com/en/viruses/encyclopedia?virusid=210939#doc2

Medi8or
11-11-2008, 07:09 PM
Probably can't find 999.exe because it's a different file getting downloaded.
Google "clsid:BD96C556-65A3-11D0-983A-00C04FC29E36", and you see the IE exploit that lets a file get downloaded and executed...
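
An added example, not part of any poster's message: a small scanner that looks for the CLSID quoted in the post above inside saved pages or a browser cache directory. The file-size limit, the UTF-16 handling and the sample inputs are assumptions made for the example; a hit shows that a page carrying the exploit markup was cached, not that anything was executed, and a script that assembles the CLSID at run time will not match.

```python
import os
import re
from typing import NamedTuple

# CLSID quoted in the post above; everything else here is an assumption.
CLSID = "BD96C556-65A3-11D0-983A-00C04FC29E36"
MAX_BYTES = 8 * 1024 * 1024  # skip very large cache entries (arbitrary limit)

# Cached pages may be stored as single-byte text or as UTF-16, so match both.
PATTERNS = {
    enc: re.compile(re.escape(CLSID.encode(enc)), re.IGNORECASE)
    for enc in ("ascii", "utf-16-le")
}

class Finding(NamedTuple):
    encoding: str
    offset: int
    context: str

def scan_bytes(data: bytes) -> list:
    """Return every occurrence of the CLSID in a blob, with surrounding text."""
    findings = []
    for enc, pat in PATTERNS.items():
        width = 2 if enc == "utf-16-le" else 1
        for m in pat.finditer(data):
            start = max(0, m.start() - 40 * width)
            start += (m.start() - start) % width  # keep UTF-16 alignment
            chunk = data[start:m.end() + 40 * width]
            findings.append(Finding(enc, m.start(), chunk.decode(enc, "replace")))
    return findings

def scan_tree(root: str) -> dict:
    """Scan every regular file under root; return {path: [Finding, ...]} for hits."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                if os.path.getsize(path) > MAX_BYTES:
                    continue
                with open(path, "rb") as fh:
                    found = scan_bytes(fh.read())
            except OSError:
                continue  # locked or vanished cache entry
            if found:
                hits[path] = found
    return hits

# Constructed sample inputs (not captured from the incident).
SAMPLE_HIT = b'<object classid="clsid:bd96c556-65a3-11d0-983a-00c04fc29e36" id="x"></object>'
SAMPLE_CLEAN = b"<html><body>ordinary forum page</body></html>"
```

Call `scan_tree()` with the path of a cache or saved-pages directory; each hit lists the encoding and byte offset so the surrounding markup can be inspected.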

StereoMike
11-11-2008, 07:21 PM
I don't get a warning. I use avira and threatfire. Is it still here?

mike

Matt
11-11-2008, 07:41 PM
It's still here, getting the same message every time I open a thread. Fortunately Spyware Doctor detects it and blocks it every time. Using Firefox here BTW.

Scanned my machine afterwards, nothing there, which is good!

IMI
11-11-2008, 08:08 PM
I'm still getting the same message from McAfee as before, with every page loaded here, in Firefox, IE 32 bit and IE 64 bit.

StereoMike
11-11-2008, 08:19 PM
I got it now too, decided to reject it.

Hope they get it fixed soon...

mosconariz
11-11-2008, 08:25 PM
Damn, I didn't get it till I clicked in this thread, that's odd!!

Mark The Great
11-11-2008, 08:53 PM
Here's the message I get.

THREEL
11-11-2008, 09:06 PM
Here's the message I get.

Me too!

IMI
11-11-2008, 09:27 PM
I just tried on one of my other PC's which has AVG on it and I get an Exploit MDAC ActiveX code execution warning. Doesn't say anything about it being a trojan though, or a downloader.

JamesCurtis
11-11-2008, 09:35 PM
I get the same message as Mark the Great.

Happened now as soon as i went to the Forum!!!!

How might I fix this? Or is it something NT needs to do?

IMI
11-11-2008, 10:39 PM
I get the same message as Mark the Great.

Happened now as soon as i went to the Forum!!!!

How might I fix this? Or is it something NT needs to do?

It's something in the server, not anything we can do about it.

arsad
11-12-2008, 01:48 AM
I also get a message from avira on every page of the forum
http://arsad.free.fr/trojan_warnig_avira.png

Andrew March
11-12-2008, 02:02 AM
It's definitely a virus, it got picked up by No Script and AVG. I've just removed Newtek from my No Script whitelist and it's gone away.

By the way, if you're not running No Script, I highly recommend it. http://noscript.net/ highly customisable.

Andrew March
11-12-2008, 02:12 AM
Spoke too soon, it's back again!

StereoMike
11-12-2008, 02:47 AM
Has anybody reported this? Maybe they still don't know???

dballesg
11-12-2008, 02:49 AM
Hi,

I am affected by this as well. I am using Firefox 3 and it didn't ask me to install any ActiveX.

BUT Avast is aborting the connection to the forums every time; I needed to ignore the panels and move them away to be able to post this.

The virus identified by Avast is a VBS:Obfuscated-gen [Trj].

David

arsad
11-12-2008, 02:55 AM
Has anybody reported this? Maybe they still don't know???

well if you look at post no 2 on page 1 you'll see that they are aware and on it.

3DGFXStudios
11-12-2008, 03:13 AM
that's probably autodesk trying to steal our ideas ;) !

IMI
11-12-2008, 03:30 AM
If there's a virus on the message board server, one wonders why the board isn't closed down for maintenance until it is fixed.

Maybe it's a new feature they've added. ;)

jet172
11-12-2008, 05:23 AM
I get warning on every loaded page also from Avast antivirus.

VBS:Obfuscated-gen [Trj]

cagey5
11-12-2008, 05:25 AM
I'm pretty sure Newtek has cleaned it up now. You just need to clean it out of your system to restore normality

IMI
11-12-2008, 05:46 AM
I just wiped my Firefox cache completely clean and the warning is still popping up for both my Intel/McAfee PC and my AMD/AVG PC.
McAfee deletes the file on contact. AVG gives the warning and won't even load the page.

Something tells me they haven't done anything about it, unless there's some other way to clean up I'm not aware of.

Matt
11-12-2008, 06:29 AM
I'm still seeing the same warning in SpyWare Doctor.

IMI
11-12-2008, 06:37 AM
It's beginning to get more than a little annoying, but I don't want to turn the warning thingy off so I know when it's gone for good.

Sure would be nice if someone would let us know what's going on. Even just 10 seconds to post to say they're still working on it.

IMI
11-12-2008, 06:37 AM
MIS usually has a reaction time of 4-6 months, so this could take a while :D

What's MIS?

Matt
11-12-2008, 06:41 AM
What's MIS?

Management Information System (NewTek web guys)

IMI
11-12-2008, 06:42 AM
Oh, ok, I thought maybe it was some server maintenance service or something.

serge
11-12-2008, 07:11 AM
I'm pretty sure Newtek has cleaned it up now. You just need to clean it out of your system to restore normality
How do you know if you're infected? I don't have any virus scanner, just Firefox and No-script. But of course Newtek is on the "white list".

cagey5
11-12-2008, 07:22 AM
Seems I was mistaken anyhow. It's back to flashing a warning every time the forum is displayed.

UnCommonGrafx
11-12-2008, 07:50 AM
This needs to be fixed post haste; newtek's site is about to get dumped as a place businesses can visit.

Everytime I go to another page it initiates this trojan. Ewww...

MooseDog
11-12-2008, 07:50 AM
9:49am e.s.t.

getting a warning from my avira anti-vir on every page i access here :(.

no where else but here though. :goodluck: newtek.

beverins
11-12-2008, 08:06 AM
On VirusScan 8.5i, it says (random 8 digit number).vbs detected as Exploit-MS06-014 Trojan.

You guys will have to take the server offline and patch it I think.:hammer:

CC Rider
11-12-2008, 08:17 AM
Here is a link to a security patch on the Microsoft Technet website.

http://www.microsoft.com/technet/security/bulletin/ms06-014.mspx

:D

IMI
11-12-2008, 08:21 AM
Here is a link to a security patch on the Microsoft Technet website.

http://www.microsoft.com/technet/security/bulletin/ms06-014.mspx

:D

Doesn't say anything on that page about Vista, just XP and Server.

KevinL
11-12-2008, 08:51 AM
I have not downloaded the update because of this. Status report would be welcome.

Thank You

Scazzino
11-12-2008, 08:53 AM
No problems here... Mac OS X/Safari is unaffected... :hey:

beverins
11-12-2008, 09:02 AM
it's definitely Newtek's webserver that's been hacked or otherwise compromised through a security hole.

They need to take it offline and patch it.

It isn't them being targeted, it's just that this is an unpatched hole and a vbs trojan got in.

@NiM8R
11-12-2008, 09:10 AM
All I can say is . . .Thank God for Firewalls!

beverins
11-12-2008, 03:24 PM
Seems to be fixed now! Excellent work :-)

Weetos
11-12-2008, 03:27 PM
Glad the forum came back online ! Well done NT !

uh the header looks weird though and a whole bunch of emoticons are missing

IMI
11-12-2008, 03:40 PM
Glad the forum came back online ! Well done NT !

uh the header looks weird though and a whole bunch of emoticons are missing

Agreed. Thank you, NT.

And yes, the forum looks all weirded out now. Better than the ActiveX/Virus/Trojan/whatever it was though.

MooseDog
11-12-2008, 03:43 PM
congrats and thx to the web/mis folks. i'm sure it was a tiring and stressful afternoon. well done!

3DGFXStudios
11-12-2008, 03:44 PM
did you guys already click on an attached image..... Do it... its nice

archijam
11-12-2008, 03:44 PM
oooh .. click on an image! very hi-tech.

the logo above is huge ... at least on my iphone .. ;)

edit: actually i think people are going to protest about it :)

3DGFXStudios
11-12-2008, 03:45 PM
lol thats funny archijam..........

IMI
11-12-2008, 03:49 PM
did you guys already click on an attached image..... Do it... its nice

Yeah, looks really cool. :thumbsup:

Hmmm... we get a new image viewer at the same time as what might have been a virus or a trojan or whatever... coincidence? ;)

MooseDog
11-12-2008, 03:54 PM
Glad the forum came back online ! Well done NT !

uh the header looks weird though and a whole bunch of emoticons are missing

guessing from the shiny new flash-based viewer in the gallery sections, there was also an upgrade to the bbs software. me approves.

Zane Condren
11-12-2008, 04:09 PM
Thanks for your patience. The forum header and navigation bar will be restored shortly.

archijam
11-12-2008, 04:12 PM
Trés bon.

*** pssst .. Matt .. quick, design them a new header *** ;)

Dirk
11-12-2008, 04:19 PM
So I was safe with Opera?

Matt
11-12-2008, 04:25 PM
did you guys already click on an attached image..... Do it... its nice

Ooooooh, very sexual! :)

RebelHill
11-12-2008, 04:32 PM
forums are back up... but my virus checker is still warning me when i log on here... this problem ain't gone away yet.

m4a2000
11-12-2008, 04:38 PM
Seeing the forum just came back up... Could we please go to a MSDos based forum... I would love to post via that!!!

Matt
11-12-2008, 04:41 PM
Trés bon.

*** pssst .. Matt .. quick, design them a new header *** ;)

Best I could do in a few minutes, sorry! :)

Weetos
11-12-2008, 04:46 PM
wow Matt, I love it !

Let's vote ! I'm voting for Matt's header ! :thumbsup:

Dirk
11-12-2008, 04:49 PM
really nice!

Matt
11-12-2008, 04:50 PM
wow Matt, I love it !

Let's vote ! I'm voting for Matt's header ! :thumbsup:

Woohoo! I rock! :D

m4a2000
11-12-2008, 04:51 PM
I say let's use it.

Matt
11-12-2008, 04:55 PM
Or how about ... :D

Hehe!

Weetos
11-12-2008, 04:55 PM
Woohoo! I rock! :D

Oh boy of course you do :D

Weetos
11-12-2008, 04:57 PM
or how about ... :d

hehe!

rotfl !

starbase1
11-12-2008, 05:01 PM
I'm not getting it at all on my system where I use Firefox.

Got past my firefox, and was detected by AVG...

What does it do, and how can we check 100% it is gone?

IMI
11-12-2008, 05:06 PM
Or how about ... :D

Hehe!

Now that's funny!

Great looking image, too!

steve0077
11-12-2008, 05:21 PM
I had the same attack and Norton Internet Sec. prevented the intrusion, but then I tried to do a live update and the web intrusion update section came up with an error and couldn't update any more. Logged on to Norton Support and they sent a file to run and fix the problem. I was wondering if the virus disables your virus software. Never had a problem with Live Update before.

Matt
11-12-2008, 05:24 PM
Got past my firefox, and was detected by AVG...

What does it do, and how can we check 100% it is gone?

Do a FULL scan of your hard drive people, I had a Trojan on mine, despite the threat being blocked. Could have been from the forums, could have been there before. I don't scan often enough!

jasonwestmas
11-12-2008, 05:30 PM
Yep I had a mutating plasma worm on mine, I had to whip out the can!

ted
11-12-2008, 05:40 PM
Alright Quietontheset. No more laughing at me because I'm paranoid and have Norton installed! :D
You are only paranoid if they are NOT trying to get you. But they always are! :)

Medi8or
11-12-2008, 05:53 PM
Got past my firefox, and was detected by AVG...

What does it do, and how can we check 100% it is gone?
Unless your Firefox runs VBScript, it didn't really "get past" Firefox. What the antivirus programs reacted to wasn't whatever-it-was that could infect your machine, but the script in the html-code of the forum, that could download it to your computer.

MooseDog
11-12-2008, 06:38 PM
Do a FULL scan of your hard drive people, I had a Trojan on mine, despite the threat being blocked. Could have been from the forums, could have been there before. I don't scan often enough!

good advice. done! found one thing in my c:\ partition.

Matt
11-12-2008, 06:47 PM
good advice. done! found one thing in my c:\ partition.

Thank Jay Roth, he had something on his and warned us all.

ted
11-12-2008, 11:19 PM
Are some of your "Smilies" just showing the red X's. This just started after the forum came back up???
Did the whole virus scan thing.

archijam
11-13-2008, 01:43 AM
woohoo! I rock! :d

+1 :)

ps. the new search options (threads, posts) are great! :thumbsup: !

Matt
11-13-2008, 02:45 AM
Are some of your "Smilies" just showing the red X's. This just started after the forum came back up???
Did the whole virus scan thing.

They just haven't been reinstated yet.

I think we should have some shiny new ones to choose from actually!

Matt
11-13-2008, 02:47 AM
+1 :)

ps. the new search options (threads, posts) are great! :thumbsup: !

They were there before!

IMI
11-13-2008, 03:12 AM
That never really was a virus or any kind of malicious ActiveX thingy was it? Something in the new design programming which set off all our alarms?

zapper1998
11-13-2008, 03:39 AM
it was the Aliens I tell ya, it was ..

starbase1
11-13-2008, 10:19 AM
Have I missed an announcement by Newtek elsewhere?

Because it seems clear from the messages in this thread that however it happened, Newtek have been firing viruses at forum users.

And I would expect, as a matter of urgency:

1. A prominent warning.
2. Instructions on how to unambiguously detect if you have been infected.
3. Instructions on how to remove if you have been infected.
4. An explanation of how it happened, and what will be done to prevent a recurrence.

Without all 4 of the above, I will be dropping by here a LOT less often, and only from a secure browser in a VM.

Medi8or
11-13-2008, 11:33 AM
Slap your forehead if:
1. you use Internet Explorer
2. you don't install Microsoft's security updates
3. you don't use an antivirus program with updated definitions

If you slapped your forehead more than once, you probably got a virus. It should also explain point 4 in your list.. :)

flatpyramid
11-13-2008, 01:26 PM
Looks like somebody hacked the boards... glad its fixed now.

Cougar12dk
11-13-2008, 02:35 PM
In FireFox I don't see the Bar with the links to the right of the NewTek Discussion Forums logo, just a big white box.

Is anyone else experiencing that? Mozilla Firefox 3.0.3

Wickster
11-13-2008, 03:48 PM
I like the new LightBox script on the gallery sections.

Matt
11-13-2008, 04:04 PM
Okay, enough is enough! Would someone please sort the top banner and menu out, it's starting to offend my design sensibilities! I just can't deal with badly aligned pixels in my world!

:D

Wickster
11-13-2008, 04:42 PM
i know, that discontinued gradient background is just painfully hurting my design piece of mind. :D

Stooch
11-13-2008, 04:47 PM
lol if they have trouble configuring a php messageboard....

JamesCurtis
11-13-2008, 06:24 PM
I wish they'd at least put up a link to the Registered users page to make getting announced Beta updates convenient again!!

Wickster
11-13-2008, 06:40 PM
That's interesting...I think it's being worked on as we type...I just saw this Bookmarks Panel (with Digg, del.icio.us, StumbleUpon and Google) just now.

Though my Screwy smiley is still not working.

Cougar12dk
11-13-2008, 10:00 PM
BTW did anyone notice that, in registration, the top bar is available?

-EsHrA-
11-14-2008, 05:46 AM
+1 for matt's logo.


mlon

bobakabob
11-14-2008, 10:16 AM
Have I missed an announcement by Newtek elsewhere?

Because it seems clear from the messages in this thread that however it happened, Newtek have been firing viruses at forum users.

And I would expect, as a matter of urgency:

1. A prominent warning.
2. Instructions on how to unambiguously detect if you have been infected.
3. Instructions on how to remove if you have been infected.
4. An explanation of how it happened, and what will be done to prevent a recurrence.

Without all 4 of the above, I will be dropping by here a LOT less often, and only from a secure browser in a VM.

Yep, must say I'm still confused as to what exactly I'm looking for and where.

There seem to be so many different names for this thing depending on the AV software you're running. I have a trial of Kaspersky on my PC which is usually ruthless in zapping nasties but on this occasion not a peep.

Anyone got a link to the Jay Roth advice?

Zane Condren
11-14-2008, 10:20 AM
All threats have been removed. If you need a virus scanner we suggest houscall.antivirus.com which is free and will run in your browser. New Forum Skins are on the way.