Intrusion/Hacking attempts?

feejer

Ol'Timer
Feb 16, 2007
Is anyone else's firewall blocking attacks from IP 31.184.92.59 when accessing the URL for this site? Three unsuccessful attempts have been made to install a Java Rhino script, a JRE trusted method chaining kit, and another malicious toolkit on my laptop, only when this site's URL is accessed. The attacking IP is in St. Petersburg, Russia. Any issues with GT-Rider being hacked?
 

schackster

Ol'Timer
Jul 18, 2009
I also have had a similar threat detected by my antivirus. It's happened over the last 2 or 3 days when I first open this site??
 

TonyBKK

Ol'Timer
Dec 27, 2007
Dang, I didn't get any warnings... does that mean my antivirus sucks? :crazy:
 

feejer

Ol'Timer
Feb 16, 2007
TonyBKK;276288 wrote: Dang, I didn't get any warnings... does that mean my antivirus sucks? :crazy:
No, but it could mean that your definitions are not up to date. Most of these former Eastern bloc hacks work for global organized crime orgs looking to steal identities/credit card info etc. They are sneaky and try to exploit vulnerabilities in legit code that sites need to work properly, and do it as long as possible before the site is aware of it and takes steps to block them. So it is important to update your firewall/AV definitions and do a full scan DAILY. I just set it to start up at 3:00 AM and when I wake up it is done and tells me if anything was found & repaired.

To be sure you didn't get some nasty trojan or rootkit, run this http://www.microsoft.com/security/scanner/en-us/default.aspx
 

mbox999

Ol'Timer
Nov 7, 2007
Tony, are you accessing this site with a Windows PC? In this case it could be as feejer said... If you are accessing with another OS such as Apple, Linux (Android) you likely have nothing... Viruses and attacks are mostly made for Windows, being the most widely used OS. I have no warnings on my Android device...
 

nikster

Ol'Timer
Nov 7, 2007
TonyBKK;276288 wrote: Dang, I didn't get any warnings... does that mean my antivirus sucks? :crazy:
No, it means that Russian crime syndicates are now reading your email :p
 

DavidFL

Administrator
Staff member
Jan 16, 2003
Chiang Khong
www.thegtrider.com
Considering that the forum software has just been upgraded by the guys in the USA who wrote the software & that only a few people are experiencing this hacking / virus alert I'd say the problem is on the individual computers concerned; otherwise everyone would have the same problem.
 

Champasak

Ol'Timer
Jan 12, 2003
One member had their Kaspersky anti-virus software warning pop up on an outer (WordPress) page about importing bikes. On checking the page, it appeared likely that it was triggered by a link to an i-Frame page. Some AV programs see any attempt to open a page via an i-Frame as a potential threat - although in this case it was an old HTML page off the GT-Rider web site.

If anyone can send a screenshot of an Anti-Virus / Malware warning including the offending page, that would help.

All the vBulletin forum and WordPress software has been upgraded, which over-writes all the program files. All the pages on the site are dynamic, database-driven pages, and embedding anything into a particular page is not an easy thing to do.

Given all of the determined efforts made last year by a known group of miscreants, the VPS we use has pretty tight security applied, and the data-centre does monitor and identify malware threats on client sites.

Further, Google also employs sophisticated malware checking, and highlights pages with detected threats. I've done a few searches lately and seen no warnings from Google HQ either...
 

Champasak

Ol'Timer
Jan 12, 2003
Here is what Google reports on GT-Rider regarding malware etc...
- http://www.google.com/safebrowsing/diagnostic?site=gt-rider.com

Safe Browsing
Diagnostic page for gt-rider.com
What is the current listing status for gt-rider.com?
This site is not currently listed as suspicious.
What happened when Google visited this site?
Of the 2 pages we tested on the site over the past 90 days, 0 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2012-02-11, and suspicious content was never found on this site within the past 90 days. This site was hosted on 1 network(s) including AS20248 (TAKE2).
Has this site acted as an intermediary resulting in further distribution of malware?
Over the past 90 days, gt-rider.com did not appear to function as an intermediary for the infection of any sites.
Has this site hosted malware?
No, this site has not hosted malicious software over the past 90 days.

URLVOID (http://www.urlvoid.com/): checking against all the main websites that monitor malware etc., GT-Rider.com is listed as "CLEAN".
 

LivinLOS

Ol'Timer
Mar 11, 2008
Davidfl;276296 wrote: Considering that the forum software has just been upgraded by the guys in the USA who wrote the software & that only a few people are experiencing this hacking / virus alert I'd say the problem is on the individual computers concerned; otherwise everyone would have the same problem.
Alternatively, most people wouldn't have the skills or tools to tell..

If your behind a hardware router / firewall many would not know that this was being blocked.
 

KZ25

Ol'Timer
Nov 19, 2011
LivinLOS;276333 wrote: If your behind a hardware router / firewall many would not know that this was being blocked.
Forgive me for being pedantic by pointing out a spelling mistake but "my behind" is nobody's business! :)
 

Rustic Charm

Ol'Timer
Jul 17, 2007
This is my pop-up from Avast.

Attached files
276335=8646-gthacking.jpg
 

feejer

Ol'Timer
Feb 16, 2007
Admin001;276304 wrote: One member had their Kaspersky anti-virus software warning pop up on an outer (WordPress) page about importing bikes. On checking the page, it appeared likely that it was triggered by a link to an i-Frame page. Some AV programs see any attempt to open a page via an i-Frame as a potential threat - although in this case it was an old HTML page off the GT-Rider web site.

If anyone can send a screenshot of an Anti-Virus / Malware warning including the offending page, that would help.

All the vBulletin forum and WordPress software has been upgraded, which over-writes all the program files. All the pages on the site are dynamic, database-driven pages, and embedding anything into a particular page is not an easy thing to do.

Given all of the determined efforts made last year by a known group of miscreants, the VPS we use has pretty tight security applied, and the data-centre does monitor and identify malware threats on client sites.

Further, Google also employs sophisticated malware checking, and highlights pages with detected threats. I've done a few searches lately and seen no warnings from Google HQ either...

I have included the screenshots/logs of the blocked attacks. It is VERY rare for me to get these notifications at all and I have never received any such on the GT-Rider website before a few days ago. However, these now ONLY happen when accessing the GT-Rider.com main URL but not every time either. As you will see, it just happened again today but now from a different IP (31.184.192.35 vs. 31.184.192.59).

This very well may be and I sincerely hope this is just a big false alarm. But I thought it prudent to ask if it was happening to others as it can become serious quickly. I have a close friend who had thousands of dollars drained from his bank account within a few days after his debit card info was stolen through a hacked Holiday Inn computer network in Osoyoos, Canada.

It took 4 months to investigate and he was lucky to have his money reimbursed by the bank since he reported it promptly. And yes, the criminals who did it were traced to Russia and Belarus but nothing could be done due to lack of jurisdiction. These crime rings are also active locally in installing card skimmers at gas stations and portable ATMs to steal CC numbers and PINs. They just busted a bunch of them a few months back, so "Russian crime syndicates" may seem funny, ridiculous, and far fetched until it happens to you.

Attached files: Webattack3.jpg, Webattack2.jpg, Webattack1.jpg
 

LivinLOS

Ol'Timer
Mar 11, 2008
Just got the same warning from Avast as above..

I can do a screencap but it's the same as the image, with simply Chrome.exe instead of Opera..
 

lordofthedreadz

Ol'Timer
Jun 13, 2010
Me too using Kaspersky.

By the way, everyone running on Windows should consider paying for antivirus protection. Kaspersky is not too expensive here and it is one of the best antivirus programs, if not the best.

Next time I have the alert I will post the screenshot.
 

sam14300

Member
Feb 19, 2011
I have been receiving a message from Kaspersky as well. It indicates a Trojan contained in images/editor/smilies/gif.
 

Champasak

Ol'Timer
Jan 12, 2003
In addition to the previous blacklist checks, we've signed up for a couple of online malware scanning services:
QualysGuard: scanned 2000 pages on GT-Rider, no issues found
HackAlert: no issues found
Sucuri.net: reported a JavaScript issue with a WordPress plugin (outer portion of the site). Whilst it called code from another site, that appeared to be legitimate code from the author of the plugin. No other malware service reported this as an issue... Deleted the plugin as it was unused.
VirusTotal.com: squeaky-clean site on all their tests...
Norton SafeWeb: http://safeweb.norton.com/report/show?url=www.gt-rider.com - CLEAN
McAfee.com: http://www.siteadvisor.com/sites/www.gt-rider.com - CLEAN
AVG.com.au: http://www.avgthreatlabs.com/sitereports/domain/www.gt-rider.com/domain-search-widget/www.avg.com.au - CLEAN

Blacklist status
Domain clean by Google Safe Browsing: gt-rider.com - reference
Domain clean by Norton Safe Web: gt-rider.com - reference
Domain clean on Phish tank: gt-rider.com - reference
Domain clean on the Opera browser: gt-rider.com - reference
Domain clean on Sucuri IP/URL malware blacklist: gt-rider.com - reference

We've also contacted vBulletin Tech Support to request a check on the /images/editor/smilie.gif files reported by AVAST AV as per post by mbox999
 

feejer

Ol'Timer
Feb 16, 2007
KZ25;276307 wrote: My PC came with a local copied version of Microsoft - do you recommend to run this security scanner?

I do a complete system scan with the free Avira weekly - do you think that's good enough?

That link is a good quick check if you believe you may have been compromised by malware or to see if your A/V is missing stuff. Personally, I am not familiar with Avira as I have not used it or know anyone who has. But for a free A/V that works well, the Microsoft security essentials A/V-Firewall package is a good choice. I have used Symantec for 10 years and have never had any successful intrusion or data corruption due to virus or otherwise. But IMO any of the highly rated commercially available A/V do a good job of protecting you. The key is proper configuration, daily updates/scans, and strong password selection for all your accounts.

Another huge problem is with wi-fi security. Some people happily transmit their financial account passwords over unsecured wi-fi networks or even what they believe is encrypted wi-fi. But many encrypted public wi-fi networks are still set to use the outdated WEP protocol that is easily hacked with free software that can be downloaded over the internet. To be safe when using wi-fi, make sure it is set to use WPA at a minimum or better yet WPA2. To my knowledge, nobody has been able to hack a WPA2 encrypted network... yet.
 

Champasak

Ol'Timer
Jan 12, 2003
This warning is very odd because .GIF versions of these files don't appear to exist on the site at all. Files with the same name but with .PNG extensions are present, and are part of the vB4 software...

mbox999;276347 wrote: I just got these 4 alerts
 

rob7711

Ol'Timer
Oct 30, 2010
My Kaspersky has detected the same as reported by others. This has been ongoing for the past 2 or 3 days now (as I was accessing the site with my laptop. My iPad doesn't provide such a warning though). Has the site been compromised?