Intrusion/Hacking attempts?

Discussion in 'General Discussion / News / Information' started by feejer, Feb 11, 2012.

  1. feejer

    feejer Ol'Timer

    Is anyone else's firewall blocking attacks from IP when accessing the URL for this site? Three unsuccessful attempts have been made to install a Java Rhino script, a JRE trusted method chaining kit, and another malicious toolkit to my laptop only when this site's URL is accessed. The attacking IP is in St. Petersburg, Russia. Any issues with GT-Rider being hacked?
  3. mbox999

    mbox999 Ol'Timer

    Yep, I had some of these warnings coming on the Windows PC as well....
  4. schackster

    schackster Ol'Timer

    I also have had a similar threat detected by my antivirus. It's happened over the last 2 or 3 days when I first open this site ??
  5. TonyBKK

    TonyBKK Ol'Timer

    Dang, I didn't get any warnings... does that mean my antivirus sucks? :crazy:
  6. feejer

    feejer Ol'Timer

    No, but it could mean that your definitions are not up to date. Most of these former Eastern bloc hacks work for global organized crime orgs looking to steal identities/credit card info etc. They are sneaky and try to exploit vulnerabilities in legit code that sites need to work properly. And do it as long as possible before the site is aware of it and take steps to block them. So it is important to update your firewall/AV definitions and do a full scan DAILY. I just set it to start up at 3:00 AM and when I wake up it is done and tells me if anything was found & repaired.

    To be sure you didn't get some nasty trojan or rootkit, run this
  7. mbox999

    mbox999 Ol'Timer

    Tony, are you accessing this site with a Windows PC? In this case it could be as feejer said..... If you are accessing with another OS such as Apple, Linux (Android) you likely have nothing.... viruses and attacks are mostly made for Windows, being the most widely used OS. I have no warnings on my Android device...
  8. nikster

    nikster Ol'Timer

    No, it means that Russian crime syndicates are now reading your email :p
  9. DavidFL

    DavidFL Administrator Staff Member

    Considering that the forum software has just been upgraded by the guys in the USA who wrote the software & that only a few people are experiencing this hacking / virus alert I'd say the problem is on the individual computers concerned; otherwise everyone would have the same problem.
  10. Champasak

    Champasak Ol'Timer

    One member had their Kaspersky anti-virus software warning pop up on an outer (WordPress) page about importing bikes. On checking the page, it appeared likely that it was triggered by a link to an i-Frame page. Some AV programs see any attempt to open a page via an i-Frame as a potential threat - although in this case it was an old HTML page off the GT-Rider web site.

    If anyone can send a screenshot of an Anti-Virus / Malware warning including the offending page, that would help.

    All the vBulletin forum and WordPress software has been upgraded, which over-writes all the program files. All the pages on the site are dynamic, database-driven pages, and embedding anything into a particular page is not an easy thing to do.

    Given all of the determined efforts made last year by a known group of miscreants, the VPS we use has pretty tight security applied, and the data-centre do monitor and identify malware threats on client sites.

    Further, Google also employs sophisticated malware checking, and highlights pages with detected threats. I've done a few searches lately and seen no warnings from Google HQ either...
  11. KZ25

    KZ25 Ol'Timer

    My PC came with a local copied version of Microsoft - do you recommend to run this security scanner?

    I do a complete system scan with the free Avira weekly - do you think that's good enough?
  12. Champasak

    Champasak Ol'Timer

    Here is what Google reports on GT-Rider regarding malware etc...

    Safe Browsing
    Diagnostic page for
    What is the current listing status for
    This site is not currently listed as suspicious.
    What happened when Google visited this site?
    Of the 2 pages we tested on the site over the past 90 days, 0 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2012-02-11, and suspicious content was never found on this site within the past 90 days. This site was hosted on 1 network(s) including AS20248 (TAKE2).
    Has this site acted as an intermediary resulting in further distribution of malware?
    Over the past 90 days, did not appear to function as an intermediary for the infection of any sites.
    Has this site hosted malware?
    No, this site has not hosted malicious software over the past 90 days.

    URLVOID: checking against all the main websites that monitor malware etc, is listed as "CLEAN"
  13. LivinLOS

    LivinLOS Ol'Timer

    Alternatively most people wouldn't have the skills or tools to tell..

    If your behind a hardware router / firewall many would not know that this was being blocked.
  14. KZ25

    KZ25 Ol'Timer

    Forgive me for being pedantic by pointing out a spelling mistake but "my behind" is nobody's business! :)
  15. Rustic Charm

    Rustic Charm Ol'Timer

    This is my pop-up from Avast.

  16. feejer

    feejer Ol'Timer

    I have included the screenshots/logs of the blocked attacks. It is VERY rare for me to get these notifications at all and I have never received any such on the GT-Rider website before a few days ago. However, these now ONLY happen when accessing the main URL but not every time either. As you will see, it just happened again today but now from a different IP ( vs.

    This very well may be and I sincerely hope this is just a big false alarm. But I thought it prudent to ask if it was happening to others as it can become serious quickly. I have a close friend who had thousands of dollars drained from his bank account within a few days after his debit card info was stolen through a hacked Holiday Inn computer network in Osoyoos, Canada.

    It took 4 months to investigate and he was lucky to have his money reimbursed by the bank since he reported it promptly. And yes, the criminals who did it were traced to Russia and Belarus but nothing could be done due to lack of jurisdiction. These crime rings are also active locally in installing card skimmers at gas stations and portable ATM's to steal CC #'s and PIN's. They just busted a bunch of them a few months back so "Russian crime syndicates" may seem funny, ridiculous, and far fetched until it happens to you.
  17. LivinLOS

    LivinLOS Ol'Timer

    Just got the same warning from avast as above..

    I can do a screencap but it's the same as the image with simply Chrome.exe instead of Opera..
  18. mbox999

    mbox999 Ol'Timer

    I just got these 4 alerts

  19. penetrator

    penetrator Ol'Timer

    I've been getting the alerts regarding this site too recently.
  20. lordofthedreadz

    lordofthedreadz Ol'Timer

    Me too using Kaspersky.

    By the way, everyone running on Windows should consider paying for antivirus protection. Kaspersky is not too expensive here and it is one of the best antivirus if not the best.

    Next time I have the alert I will post the screenshot.
  21. sam14300

    sam14300 Member

    I have been receiving a message from Kaspersky as well. It indicates a Trojan contained in images/editor/smilies/gif.
  22. Champasak

    Champasak Ol'Timer

    In addition to the previous blacklist checks, we've signed up for a couple of online malware scanning services:
    QualysGUARD: scanned 2000 pages on GT-Rider, no issues found
    HackAlert: no issues found reported a JavaScript issue with a WordPress plugin (outer portion of the site). Whilst it called code from another site, that appeared to be legitimate code from the author of the plugin. No other malware service reported this as an issue... Deleted the plugin as it was unused. Squeaky-clean site on all their tests...
    Norton SafeWeb: - CLEAN - CLEAN - CLEAN

    Blacklist status
    Domain clean by Google Safe Browsing: - reference
    Domain clean by Norton Safe Web: - reference
    Domain clean on Phish tank: - reference
    Domain clean on the Opera browser: - reference
    Domain clean on Sucuri IP/URL malware blacklist: - reference

    We've also contacted vBulletin Tech Support to request a check on the /images/editor/smilie.gif files reported by AVAST AV as per post by mbox999
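    The checks Champasak describes in posts 10 and 22 come down to one question: which iframes and scripts on a page pull content from outside the site? The script below is an added example (not code from GT-Rider or any of the scanning services named above) that answers that for a page's HTML; the sample page, the hostnames and the paths in it are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample page, modelled on the thread: an old on-site HTML page
# pulled in by an iframe (benign), a plugin script served from a third-party
# host (the kind of thing HackAlert flagged), and ordinary on-site assets.
SAMPLE_HTML = """
<html><body>
<iframe src="/old/importing-bikes.html"></iframe>
<script src="https://cdn.example-plugin-author.test/widget.js"></script>
<script src="/js/vbulletin_global.js"></script>
<img src="images/editor/smilies/smile.png">
</body></html>
"""

class EmbedCollector(HTMLParser):
    """Collects the source URL of every iframe/script/embed/object on a page."""
    TAGS = {"iframe": "src", "script": "src", "embed": "src", "object": "data"}

    def __init__(self):
        super().__init__()
        self.found = []  # list of (tag, raw src value)

    def handle_starttag(self, tag, attrs):
        attr = self.TAGS.get(tag)
        if attr is None:
            return
        for name, value in attrs:
            if name == attr and value:
                self.found.append((tag, value))

def classify_embeds(html, page_url):
    """Return (tag, absolute_url, 'same-site'|'off-site') for each embedded resource.

    Relative URLs are resolved against page_url so that '/old/page.html' is
    recognised as the site's own content rather than treated as suspicious."""
    parser = EmbedCollector()
    parser.feed(html)
    site_host = urlsplit(page_url).hostname
    results = []
    for tag, src in parser.found:
        absolute = urljoin(page_url, src)
        verdict = "same-site" if urlsplit(absolute).hostname == site_host else "off-site"
        results.append((tag, absolute, verdict))
    return results

def off_site_embeds(html, page_url):
    """Only the resources that load from another host: the ones worth a manual look."""
    return [r for r in classify_embeds(html, page_url) if r[2] == "off-site"]

if __name__ == "__main__":
    for tag, url, verdict in classify_embeds(SAMPLE_HTML, "https://forum.example.test/index.php"):
        print(f"{verdict:9} <{tag}> {url}")
```

    Run it against the saved HTML of a page that triggered an alert; a same-site iframe like the one in post 10 shows up as expected, while an off-site script is the item to verify against the plugin author's own files.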
  23. feejer

    feejer Ol'Timer

    That link is a good quick check if you believe you may have been compromised by malware or to see if your A/V is missing stuff. Personally, I am not familiar with Avira as I have not used it or know anyone who has. But for a free A/V that works well, the Microsoft security essentials A/V-Firewall package is a good choice. I have used Symantec for 10 years and have never had any successful intrusion or data corruption due to virus or otherwise. But IMO any of the highly rated commercially available A/V do a good job of protecting you. The key is proper configuration, daily updates/scans, and strong password selection for all your accounts.

    Another huge problem is with wi-fi security. Some people happily transmit their financial account passwords over unsecured wi-fi networks or even what they believe is encrypted wi-fi. But many encrypted public wi-fi are still set to use the outdated WEP protocol that is easily hacked with free software that can be downloaded over the internet. To be safe when using wi-fi, make sure it is set to use WPA at a minimum or better yet WPA2. To my knowledge, nobody has been able to hack a WPA2 encrypted network......yet.
  24. Champasak

    Champasak Ol'Timer

    This warning is very odd because .GIF versions of these files don't appear to exist on the site at all. Files with the same name but with .PNG extensions are present, and are part of the vB4 software...

  25. ajahnlau

    ajahnlau Active Member

    I get same.
  26. rob7711

    rob7711 Ol'Timer

    My Kaspersky has detected the same as reported by others. This has been ongoing for the past 2 or 3 days now (as I was assessing the site with my laptop. My iPad doesn't provide such warning though). Has the site been compromised?
