
A couple of days ago, a piece of javascript was inserted into the root file of www.pattayatalk.com. This was flagged by Google as being malware, and it probably was, though I am not sure what it was doing.

 

The problem has been detected and resolved, but Google will still report the site as an "attack site" for a short while until they can rescan it and give it a clean bill of health.

 

Until that time, you will see a message something like this

Capture.JPG

 

when you open the site or try to access the forum.

 

If you're feeling brave, go ahead and click the PROCEED ANYWAY link to continue.

 

As far as I can tell, the problem is resolved at this point.

 

Sorry for the disruption.


Oh, and if you have accessed Pattayatalk since the 1st of July, run a virus scan. I think a little bugger got thru, but it was found by my scanner and fixed.

 

Here is the virus scanning result from finding the javascript insertion (JS/agent).

 

Capture.JPG


EDIT: I posted about receiving a similar warning before reading MM's post that the situation had been resolved. I'm leaving the detailed advisory from Google in case it can be of any help.

 

I get a similar warning when trying to log in via Chrome, but not with Firefox or IE.

 

PTSS.jpg

 

Evil

:devil

Edited by Evil Penevil

EDIT: I posted about receiving a similar warning before reading MM's post that the situation had been resolved. I'm leaving the detailed advisory from Google in case it can be of any help.

 

I get a similar warning when trying to log in via Chrome, but not with Firefox or IE.

 

PTSS.jpg

 

Evil

:devil

I still get the same here


When I tried to log on this AM...Pattaya Talk was blocked and a red warning came up... it linked to a page containing this.

Do not click on links....

 

Safe Browsing

 

Diagnostic page for pattayatalk.com

 

What is the current listing status for pattayatalk.com?

Site is listed as suspicious - visiting this website may harm your computer.

Part of this site was listed for suspicious activity 2 time(s) over the past 90 days.

What happened when Google visited this site?

Of the 8 pages we tested on the site over the past 90 days, 2 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2012-07-04, and the last time suspicious content was found on this site was on 2012-07-04.

Malicious software is hosted on 1 domain(s), including qtmyeslmsoxkjbku.xx.

This site was hosted on 2 network(s) including AS16805 (LAYER3)xx, AS22576 (LAYER3)xx.

(I put the xx in to try and stop anyone going there...the first one was .ru, a usual suspect)

Has this site acted as an intermediary resulting in further distribution of malware?

Over the past 90 days, pattayatalk.com did not appear to function as an intermediary for the infection of any sites.

Has this site hosted malware?

No, this site has not hosted malicious software over the past 90 days.

How did this happen?

In some cases, third parties can add malicious code to legitimate sites, which would cause us to show the warning message.

Next steps:

Edited by jacko

On top of things as usual MM.... Scan running now!

 

Not really...the malware was inserted on July 1, according to the server admin logs, but wasn't detected until July 4, so it managed to upload to a few people, I'm sure.

 

For a discussion (very technical) of what the malware code does, you can look here http://blog.unmaskpa...mains/#more-883 (apparently the authors liked "Forrest Gump").

 

It's attempting to redirect you to bogus Russian sites with names like hxxp://xmexlajhysktwdqe .ru/runforestrun?sid=cx where the first part is a random string created by the script.

It turns out that, luckily, someone has been taking the target site down, so they point to a "sinkhole" (dead site), which cannot continue where the script left off. That's at least a piece of good news.

 

Let us know if you find the same virus/malware on your system.


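An added example, not part of any post in this thread: one way to check web-proxy logs for clients that followed the redirect described above (a random `.ru` hostname with the path `/runforestrun`) between 1 and 4 July. The log layout (timestamp, client, URL, referer), the hostnames and the client addresses are constructed, and the 16-letter hostname length is an assumption drawn from the two hostnames quoted in the thread.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Indicator from the thread: hxxp://<random string>.ru/runforestrun?sid=cx
# Both hostnames quoted in the thread are 16 lowercase letters; treating that
# length as fixed is an assumption, so other .ru hosts with the same path are
# reported at lower confidence instead of being dropped.
STRICT_HOST = re.compile(r"[a-z]{16}\.ru")

def classify(url):
    """Return 'match', 'possible' or None for one requested URL."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if parts.path.rstrip("/").lower() != "/runforestrun":
        return None
    if STRICT_HOST.fullmatch(host):
        return "match"
    return "possible" if host.endswith(".ru") else None

def scan(lines):
    """Map client -> [(timestamp, url, referer, verdict)] for flagged requests."""
    hits = defaultdict(list)
    for line in lines:
        fields = line.split()
        if len(fields) != 4:          # skip malformed lines
            continue
        ts, client, url, referer = fields
        verdict = classify(url)
        if verdict:
            hits[client].append((ts, url, referer, verdict))
    return dict(hits)

# Constructed sample log: timestamp, client, requested URL, referer.
# The hostnames below are made up for the example, not taken from the thread.
SAMPLE_LOG = """\
2012-07-02T09:14:03Z 10.0.0.21 http://www.pattayatalk.com/ -
2012-07-02T09:14:04Z 10.0.0.21 http://abcdefghijklmnop.ru/runforestrun?sid=cx http://www.pattayatalk.com/
2012-07-02T11:40:10Z 10.0.0.35 http://example.ru/news -
2012-07-03T08:02:55Z 10.0.0.48 http://abcdefghij.ru/runforestrun?sid=cx http://www.pattayatalk.com/
bad line
""".splitlines()

if __name__ == "__main__":
    for client, events in scan(SAMPLE_LOG).items():
        for ts, url, referer, verdict in events:
            print(f"{verdict:8} {client} {ts} {url} (referer: {referer})")
```

Clients reported as `match` or `possible` are the machines to prioritise for the virus scan suggested earlier in the thread; the referer column shows which page sent them there.
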
Not really...the malware was inserted on July 1, according to the server admin logs, but wasn't detected until July 4, so it managed to upload to a few people, I'm sure.

 

For a discussion (very technical) of what the malware code does, you can look here http://blog.unmaskpa...mains/#more-883 (apparently the authors liked "Forrest Gump").

That link too is blocked with a warning for me!

That link too is blocked with a warning for me!

 

LOL. Maybe it's blocked because it has a description (though not an implementation) of the malware code.


LOL. Maybe it's blocked because it has a description (though not an implementation) of the malware code.

I am a bit nervous of late anyhow, as I got one of those emails in May from a 'friend' that I stupidly clicked on the link within and my email got hacked!

I am a bit nervous of late anyhow, as I got one of those emails in May from a 'friend' that I stupidly clicked on the link within and my email got hacked!

Yeah, I've been getting a lot of the emails with huge CC lists and a single URL in them.

But I never click them!


I've found the security hole that allowed this to happen, and it has been "plugged".

 

Now waiting for Google to rescan and give us a clean bill of health.


Google must have done something. I got the message when I logged in this morning around 10am. Just logged in now at 3.45pm and no message came up. I am using Google Chrome.


Google must have done something. I got the message when I logged in this morning around 10am. Just logged in now at 3.45pm and no message came up. I am using Google Chrome.

 

Great. I am not getting the message anymore either.

 

Google search results still show "This site may harm your computer", but hopefully those will go away in a day or so.


Damn...while I was fixing the problem and before I plugged the security hole, they hit "freelancerbar.com".

 

Busy day.


Btw, jacko, what did your scan find?

Scan came back clean.

Did a clean up and found a trojan.

 

Not sure how long it's been there as I don't look under the bed all that often.

You should!

