[Merged] Trojan - Blackhole toolkit website pop up when on RFD?



45ED
May 28th, 2011, 10:18 AM
This might be either a slightly disconcerting thing or the most pointless/useless thread.

But for the last couple of minutes or so, my Norton Antivirus keeps popping up this message:

"Norton blocked an attack by:

Website attack: Blackhole Toolkit Website."

And it seems to keep happening when I'm on the RFD website - regardless of thread, it appears.

None of the other sites I regularly visit makes the Norton warning pop up. Only when I load, say, another tab with RFD in it does it pop up.

tvwatcher
May 28th, 2011, 10:21 AM
I have Avast and it's doing the same thing

45ED
May 28th, 2011, 10:26 AM
I have Avast and it's doing the same thing

On one hand, I'm thankful we have programs in place to protect our systems.

On the other hand, I feel sorry for RFD users who don't have equivalent programs or any protection at all - whose systems are probably infected by now.

DVDManiac
May 28th, 2011, 10:31 AM
Same thing for Kaspersky... have to leave the site, it's irritating.

Belfour20
May 28th, 2011, 10:32 AM
Yup same here. I actually let it through to see what it's doing, it seems to be some type of java applet loading that eventually loads one of those fake anti-virus spyware ****. Only happening on these forums. Quite easy to remove using RKill to kill the processes along with an anti-spyware program like Malwarebytes or Combofix if anyone gets infected by it.

http://www.bleepingcomputer.com/download/anti-virus/rkill
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
http://www.malwarebytes.org/

Feneant
May 28th, 2011, 10:38 AM
I am also having an issue... every single window I open here tries to open Java and it fails every time, but it's definitely annoying.

a_fine_balance
May 28th, 2011, 10:42 AM
Same here, Comodo is detecting "TrojWare.Win32.Trojan.Agent.Gen@1" from this site.. and it's saying I have to restart to clean the file now. :facepalm:

bcbgboy13
May 28th, 2011, 10:46 AM
Same from me. Good bye for today

netriones
May 28th, 2011, 10:46 AM
When I opened the RFD forum, AVG detected a threat: Win32/Kryptik.OGM. It downloaded itself to the TEMP folder and tried to access the internet. It's blocked by my firewall.

45ED
May 28th, 2011, 10:49 AM
Just for the hell of it, I just cleared out my search/browsing histories, my cookies, my cache, and my active logins.

And it's still showing.

Coz4k
May 28th, 2011, 10:58 AM
When I opened the RFD forum, AVG detected a threat: Win32/Kryptik.OGM. It downloaded itself to the TEMP folder and tried to access the internet. It's blocked by my firewall.

It's called a false positive/alarm.

Not sure if srs

Firestorm ZERO
May 28th, 2011, 11:01 AM
There is a hidden IFRAME at the bottom of the HTML that goes to the site with the trojan. If you have adblock, you can block the site.

I feel sorry for the people without any antivirus. They are all most likely infected now.

Firestorm ZERO
May 28th, 2011, 11:02 AM
Nope. It is true.

If you look at the HTML at the bottom there is a hidden IFRAME that leads to the site with the trojan.

If you have adblock, you can block the site. And I suggest everyone do a scan as you are most likely infected now.

faken
May 28th, 2011, 11:05 AM
Nope. It is true.

If you look at the HTML at the bottom there is a hidden IFRAME that leads to the site with the trojan.

If you have adblock, you can block the site. And I suggest everyone do a scan as you are most likely infected now.

My Kaspersky is going crazy lol. It keeps containing the trojan on every link I post or click on!

fanboy_ray
May 28th, 2011, 11:07 AM
Same behavior on my machines, both Kaspersky and Norton reporting it.

Firestorm ZERO
May 28th, 2011, 11:07 AM
My Kaspersky is going crazy lol. It keeps containing the trojan on every link I post or click on!

Because it is in the HTML. Your browser automatically goes to the site that has the trojan in the IFRAME code.

If you have AdBlock on your browser, block the site. If not, you can add to your host file the following line...

127.0.0.1 vnvbhbyta.cz.cc

to prevent you from connecting to the site.

faken
May 28th, 2011, 11:08 AM
same here!

http://img834.imageshack.us/img834/522/unledsf.jpg

45ED
May 28th, 2011, 11:08 AM
In Dan_Kow's thread (http://forums.redflagdeals.com/why-does-back-button-not-work-anymore-1043328/), he notes that his back button is apparently not working. And that there's a site that his history shows is an intermediary URL.

According to my Norton Antivirus, it's the same site that is serving as the "Attacking Computer".

So these threads, as well as Setz's thread (http://forums.redflagdeals.com/monster-mortgage-ad-causing-viruses-1043330/) I assume, are very much related.

faken
May 28th, 2011, 11:14 AM
Weird, I'm no longer getting the pop up anymore..

45ED
May 28th, 2011, 11:16 AM
Weird, I'm no longer getting the pop up anymore..

I just did a refresh - and Norton is still nagging me.

faken
May 28th, 2011, 11:17 AM
I just did a refresh - and Norton is still nagging me.

what browser are you using? I'm using Opera 11.02 and it's fine. Back button works, and refresh. Each link I click is fine too lol.

45ED
May 28th, 2011, 11:20 AM
what browser are you using? I'm using Opera 11.02 and it's fine. Back button works, and refresh. Each link I click is fine too lol.
Firefox 4.0.1.

My back button's fine. And I've got Adblock in. It's just...the pop up...

Firestorm ZERO
May 28th, 2011, 11:24 AM
If you have AdBlock, block the site. Look for "vnvbhbyta.cz.cc" and block it.

Hopefully RFD quickly removes the infected iframe code.

45ED
May 28th, 2011, 11:30 AM
If you have AdBlock, block the site. Look for "vnvbhbyta.cz.cc" and block it.

Hopefully RFD quickly removes the infected iframe code.

I have Adblock plus, and in the category of "My Ad blocking Rules" I have "||vnvbhbyta.cz.cc". It still shows.

Something I'm missing? :confused:

Cas77
May 28th, 2011, 11:32 AM
WTF? Is there no QA done on the ads? This is ridiculous, how are all users expected to know how to block specific sites in the firewall? FF here as well.

buyways
May 28th, 2011, 11:32 AM
nothing detected by my avast, but my chrome browser is jumping to the bottom of every newly opened RFD forum page; this is not happening with IE - related?

edit: behaving normally now after putting http://vnvbhbyta.cz.cc* into my block list in avast - presumably that was causing the bottom-jumping <smirk>

Firestorm ZERO
May 28th, 2011, 11:33 AM
I have Adblock plus, and in the category of "My Ad blocking Rules" I have "||vnvbhbyta.cz.cc". It still shows.

Something I'm missing? :confused:

I think it should be "||vnvbhbyta.cz.cc^". So it gets all the text after the .cc.
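Adblock Plus filter syntax as used in the posts above: `||` anchors a rule at a domain boundary and `^` stands for a separator character. The block below is an added example and is not code from the thread or from Adblock Plus; it translates a basic blocking filter into a regular expression following the translation Adblock Plus documents for `||`, `^`, `*` and `|`, so you can check what a rule actually matches before concluding the extension is ignoring it. Only vnvbhbyta.cz.cc comes from the thread; every other URL is constructed for the example.

```python
"""Translate basic Adblock Plus blocking filters to regexes (added example, not ABP's code)."""
import re


def filter_to_regex(rule):
    """Build a regex from a basic ABP blocking filter (no element hiding, options dropped).

    Translation, as documented by Adblock Plus:
      ||   anchor at a domain boundary: scheme://, then optional "subdomains."
      |    anchor at the very start or very end of the URL
      ^    separator: any char that is not a letter, digit or one of _ - . %, or end of URL
      *    wildcard
    Everything else is a literal.
    """
    rule = rule.split("$", 1)[0]          # strip options such as $third-party
    out = []
    i = 0
    if rule.startswith("||"):
        out.append(r"^[\w\-]+:/+(?!/)(?:[^/]+\.)?")
        i = 2
    elif rule.startswith("|"):
        out.append("^")
        i = 1
    while i < len(rule):
        c = rule[i]
        if c == "^":
            out.append(r"(?:[^\w\-.%]|$)")
        elif c == "*":
            out.append(".*")
        elif c == "|" and i == len(rule) - 1:
            out.append("$")
        else:
            out.append(re.escape(c))
        i += 1
    return re.compile("".join(out), re.IGNORECASE)


def blocks(rule, url):
    """True when the filter would block a request to url."""
    return filter_to_regex(rule).search(url) is not None


def compare_rules(rules, urls):
    """Which rule blocks which URL, for eyeballing the difference between two rule forms."""
    return {rule: [u for u in urls if blocks(rule, u)] for rule in rules}


# Constructed URLs: the injected iframe's host from the thread, a subdomain of it, a
# lookalike host, a host that merely ends with the same string, and a URL that embeds it.
TEST_URLS = [
    "http://vnvbhbyta.cz.cc/in.php",
    "http://www.vnvbhbyta.cz.cc/in.php",
    "http://vnvbhbyta.cz.cc.example.org/in.php",
    "http://notvnvbhbyta.cz.cc/",
    "http://forums.example.com/r?u=http://vnvbhbyta.cz.cc/",
]

if __name__ == "__main__":
    for rule, hits in compare_rules(["||vnvbhbyta.cz.cc", "||vnvbhbyta.cz.cc^"], TEST_URLS).items():
        print(rule, "->", hits)
```

Both `||vnvbhbyta.cz.cc` and `||vnvbhbyta.cz.cc^` block the first two URLs; the `^` only changes the outcome for a lookalike host such as vnvbhbyta.cz.cc.example.org. So a rule that still "shows" the alert is not failing on syntax, and the next step is to look at which request URLs the extension is actually seeing rather than to keep editing the rule. If you take the hosts-file route instead, on Windows the file lives at C:\Windows\System32\drivers\etc\hosts, and an entry there covers only that exact host name, not its other subdomains.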

faken
May 28th, 2011, 11:33 AM
download opera browser and see if it does the same thing!

Firestorm ZERO
May 28th, 2011, 11:35 AM
WTF? Is there no QA done on the ads? This is ridiculous, how are all users expected to know how to block specific sites in the firewall? FF here as well.

It's not an ad. The actual template PHP code was modified and the infected code was added.

The other solution I can think of without AdBlock is to add the following to your hosts file (C:\Windows\etc\hosts):

127.0.0.1 vnvbhbyta.cz.cc

This should prevent you from connecting to the site.

45ED
May 28th, 2011, 11:35 AM
I think it should be "||vnvbhbyta.cz.cc^". So it gets all the text after the .cc.

Just inserted ^ -- and it still shows. Oy vey, this is annoying.

CStone
May 28th, 2011, 11:37 AM
Same issue here. My antivirus (McAfee) blocked it.

Using Firefox 4.0.1 with Adblockplus.

Pete_Coach
May 28th, 2011, 11:39 AM
WTF? Is there no QA done on the ads? This is ridiculous, how are all users expected to know how to block specific sites in the firewall? FF here as well.

I believe that the Blackhole toolkit hit websites as opposed to ads. Methinks RFD has been hit and if you have an active, updated antivirus you will be OK. Search "Blackhole toolkit" and it will tell you that this has been around for quite a while, hitting all sorts of websites. RFD is just one in a long list.

Cyberism
May 28th, 2011, 11:40 AM
So is my computer infected now? I'm running Windows 7 on Sandboxied Firefox and Avast. :confused:

Firestorm ZERO
May 28th, 2011, 11:41 AM
Looks like the infected IFRAME code has now been removed.

Everyone should still do a scan on their computers just to be safe.

45ED
May 28th, 2011, 11:44 AM
Looks like the infected IFRAME code has now been removed.

Everyone should still do a scan on their computers just to be safe.

It would appear so -- refreshed a couple of times and Norton no longer is notifying me.

arm2000
May 28th, 2011, 11:44 AM
Yep, something wrong with the forums. I got some strange messages from my firewall, MSW and IE. I didn't have a chance to look closer as IE reloaded the page after I clicked "Abort" and all was gone for now.

redgrandam
May 28th, 2011, 11:51 AM
Guess that is why my iPhone was stalling just before finishing loading the pages.

Silly question, but do these infect Macs too? (at home). Think I popped into RFD before I left for work.

mrperfect
May 28th, 2011, 12:03 PM
It would appear so -- refreshed a couple of times and Norton no longer is notifying me.

If you are relying on Norton then you are putting yourself at risk.
Just get Malwarebytes, SUPERAntiSpyware, and Security Essentials.

In conjunction these three will offer you a highly secure environment. :)

Jon Lai
May 28th, 2011, 12:08 PM
Serious?

NOD32 didn't detect anything.

hvc
May 28th, 2011, 12:10 PM
Serious?

NOD32 didn't detect anything.

Yeah, my AVG didn't detect anything..? :confused:

Tolo
May 28th, 2011, 12:12 PM
I kept getting Flash plugin crashes on every page... FF 4.0 kept saying downloading from vnvbhbyta.cz.cc... time to run a full scan....

Firestorm ZERO
May 28th, 2011, 12:14 PM
Serious?

NOD32 didn't detect anything.

It was fixed around 10:40. So if you visited before then you may have been infected.

Cas77
May 28th, 2011, 12:15 PM
This is what you get when you hire a security guy with Sony on his resume.

45ED
May 28th, 2011, 12:15 PM
This is what you get when you hire a security guy with Sony on his resume.

:lol:

mrperfect
May 28th, 2011, 12:20 PM
I believe that the Blackhole toolkit hit websites as opposed to ads. Methinks RFD has been hit and if you have an active, updated antivirus you will be OK. Search "Blackhole toolkit" and it will tell you that this has been around for quite a while, hitting all sorts of websites. RFD is just one in a long list.

This issue would have been taken care of earlier had this occurred during a weekday. Since it is a weekend it is my understanding that the Administrator/Management is off. I don't think it is in the moderators' ability to go into the vBulletin and remove the troublesome PHP code. At this time it seems someone from the technical team needs to physically head over to the headquarters to take care of this issue, and I feel sorry for the poor schmuck having to do this on the weekend. This is also going to incur overtime/on-call charges for Derek ;)

Anyways in all seriousness there needs to be a system or fail safe method in place so that somebody is still in charge of the site during off hours/weekends.

Kaitlyn
May 28th, 2011, 12:26 PM
It's not an ad. The actual template PHP code was modified and the infected code was added.

The other solution I can think of without AdBlock is to add the following to your hosts file (C:\Windows\etc\hosts):

127.0.0.1 vnvbhbyta.cz.cc

This should prevent you from connecting to the site.

I saw this thread "after it was fixed" but I didn't change anything... and I don't believe anyone else did either. What makes you believe it wasn't an ad? Our ads are served through a 3rd party. It is quite likely a malicious ad snuck through and when caught, was removed from rotation.

JamesA1
May 28th, 2011, 12:27 PM
Yes, I got the trojan infection at 7:55am. Avira did not pick it up, but ZoneAlarm detected an attempted outgoing connection attempt which allowed me to identify it right away and remove it.

mrperfect
May 28th, 2011, 12:30 PM
I saw this thread "after it was fixed" but I didn't change anything... and I don't believe anyone else did either. What makes you believe it wasn't an ad? Our ads are served through a 3rd party. It is quite likely a malicious ad snuck through and when caught, was removed from rotation.

I second that. I'm pretty sure it was an ad. There have been some previous instances and it's nothing new. I have already reported it a couple of times, and with the latest version of Internet Explorer you also randomly get crisscrossing script errors. I know for sure no one from the technical team actually fixed it; it is definitely a 3rd party ad and the site itself is not hijacked/hacked/compromised. :)

Have fun!

chickibum
May 28th, 2011, 12:41 PM
I have Kaspersky and I didn't get any warnings or anything (I'm not the greatest with computers), should I be worried? Last night after I came on here my laptop kept getting disconnected from the internet like every two minutes and it kept trying to connect to another network; I'd have to manually connect back to my internet. I didn't see anything weird when I logged on here and it hasn't done it since yesterday.

Akraz
May 28th, 2011, 12:51 PM
I've been on here since 10am and haven't gotten anything.. I use Microsoft Security Essentials.

chinesedevil
May 28th, 2011, 12:56 PM
Haven't gotten anything either on MSE, been on since 9. I do, however, have ABP, so I guess it blocked the site already?

Firestorm ZERO
May 28th, 2011, 01:00 PM
I saw this thread "after it was fixed" but I didn't change anything... and I don't believe anyone else did either. What makes you believe it wasn't an ad? Our ads are served through a 3rd party. It is quite likely a malicious ad snuck through and when caught, was removed from rotation.

Here's my reasoning for not an ad...

- Ads are usually served through javascript
- The code was in the HTML. Meaning the actual HTML. Not the after-javascript modified HTML code.
- The IFRAME code (based on my memory) was after the ending DIV tags near the end of the closing BODY tag. I think it was after your comscore tracking javascript code.

Does your ad system modify the actual HTML code and then serve it (not via javascript)?

Kaitlyn
May 28th, 2011, 01:04 PM
Here's my reasoning for not an ad...

- Ads are usually served through javascript
- The code was in the HTML. Meaning the actual HTML. Not the after-javascript modified HTML code.
- The IFRAME code (based on my memory) was after the ending DIV tags near the end of the closing BODY tag. I think it was after your comscore tracking javascript code.

Does your ad system actually modify the actual HTML code and then serve it (not via javascript)?

It depends, I believe. 99% is through JavaScript but not all. Did you see it at the end from viewing source (right click) or some other tool? For example, Firebug will show you the HTML but not the HTML "AS SERVED" - it shows updated view so any javascript that creates an iframe will show up...

Firestorm ZERO
May 28th, 2011, 01:09 PM
It depends, I believe. 99% is through JavaScript but not all. Did you see it at the end from viewing source (right click) or some other tool? For example, Firebug will show you the HTML but not the HTML "AS SERVED" - it shows updated view so any javascript that creates an iframe will show up...

I saw the IFRAME code via "View Source" in Firefox. This should show the actual HTML code. If I had seen it via Firebug, then I would agree it may have been done via an ad, as it would have been injected via javascript, since Firebug shows the HTML with any javascript modifications.

On my company website, we have Doubleclick javascript ad calls. In "View Source", I don't see the HTML ad (image tag, anchor tag, etc) in the code. But via Firebug, I will (see the javascript code and the HTML code that was injected).
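The distinction Firestorm ZERO draws in the two posts above, between the HTML as served (what "View Source" shows) and the DOM after scripts have run (what Firebug shows), is the one that decides whether you are looking at a bad ad or a modified template: an ad network injects via JavaScript, so markup that is already present in the raw response came from the server. The block below is an added example, not code from the thread or from RFD, that audits the as-served HTML for iframes that are third-party, hidden by size or CSS, or placed after `</body>`, which is where the earlier posts (the hidden IFRAME "at the bottom of the HTML") describe the injected one sitting. The sample page, the hosts forums.example.com and tracker.example.net, and the function names are constructed for the example; only vnvbhbyta.cz.cc comes from the thread.

```python
"""Audit HTML *as served* for injected iframes (added example, not from the thread)."""
import re
import urllib.request
from html.parser import HTMLParser
from urllib.parse import urlparse

# CSS that hides an element or pushes it far off-screen.
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|(?:left|top)\s*:\s*-\d{3,}", re.I
)


def _tiny(value):
    """True for width/height attributes of 0 or 1 (pixels), the classic drive-by size."""
    if value is None:
        return False
    try:
        return int(str(value).strip().lower().rstrip("px")) <= 1
    except ValueError:
        return False


class IframeAudit(HTMLParser):
    """Collect every <iframe> that has a reason to be looked at."""

    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host.lower()
        self.body_closed = False
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        src = a.get("src", "")
        host = (urlparse(src).hostname or "").lower()
        reasons = []
        if host and host != self.page_host and not host.endswith("." + self.page_host):
            reasons.append("third-party host " + host)
        if self.body_closed:
            reasons.append("placed after </body>")
        if _tiny(a.get("width")) and _tiny(a.get("height")):
            reasons.append("zero/tiny size")
        if HIDDEN_STYLE.search(a.get("style", "")):
            reasons.append("hidden via CSS")
        if reasons:
            self.findings.append({"line": self.getpos()[0], "src": src, "reasons": reasons})

    def handle_endtag(self, tag):
        if tag == "body":
            self.body_closed = True


def audit_html(html, page_host):
    """Return suspicious iframes, most suspicious (most reasons) first."""
    parser = IframeAudit(page_host)
    parser.feed(html)
    parser.close()
    return sorted(parser.findings, key=lambda f: -len(f["reasons"]))


def fetch_html(url, user_agent="Mozilla/5.0 (Windows NT 6.1; rv:2.0.1) Gecko/20100101 Firefox/4.0.1"):
    """Fetch the raw response body: this is what View Source shows, before any script runs."""
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    with urllib.request.urlopen(req, timeout=15) as resp:
        return resp.read().decode(resp.headers.get_content_charset() or "utf-8", "replace")


# Constructed sample page: a legitimate same-site ad iframe, a tracking script, and an
# injected iframe appended after </body> the way the thread describes it.
SAMPLE_HTML = """<html><head><title>forum</title></head>
<body>
<div id="content">thread text</div>
<iframe src="http://forums.example.com/ads/banner" width="300" height="250"></iframe>
<script src="http://tracker.example.net/beacon.js"></script>
</div></body>
<iframe src="http://vnvbhbyta.cz.cc/in.php" width="0" height="0" style="visibility:hidden"></iframe>
</html>"""

if __name__ == "__main__":
    for f in audit_html(SAMPLE_HTML, "forums.example.com"):
        print("line %d: %s  <- %s" % (f["line"], f["src"], "; ".join(f["reasons"])))
```

fetch_html() sends a browser-like User-Agent because injected code is frequently served conditionally on User-Agent, Referer or cookies, so a bare fetch can get a clean page while a browser does not; compare the audit across a couple of header sets before concluding a template is clean. Run the audit on the raw response, never on a DOM dump: that is exactly the View Source versus Firebug point made above.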

Feneant
May 28th, 2011, 01:18 PM
Well, I got infected, not pleased that AVG did not detect it and Firefox\adblock let it go through.

It installed 'MS Removal Tool' ... malware tells you that every exe you click on is infected and you have to clean it, bla bla bla... If people got infected, they will not be pleased!

will888
May 28th, 2011, 01:28 PM
For those using FF, don't forget to include noscript addon.

Firestorm ZERO
May 28th, 2011, 01:30 PM
Well, I got infected, not pleased that AVG did not detect it and Firefox\adblock let it go through.

It installed 'MS Removal Tool' ... malware tells you that every exe you click on is infected and you have to clean it, bla bla bla... If people got infected, they will not be pleased!

Yeah AVG sucks. I had it before and had the same situation. The virus got in and AVG only noticed it after it was running and kept infecting other files. Disinfect, and the virus would have already infected another file. AVG was always one step behind. I had to reformat.

By itself, Adblock wouldn't prevent it. First, your anti-virus should have prevented it from running. Then the infected site path had no common ad patterns (it was just a bunch of random characters) so you had to manually add the "rule" to Adblock to prevent Firefox from continuing to connect to the site.

arm2000
May 28th, 2011, 02:19 PM
For those who have IE: if you have the security setting for "Launching windows and files in an IFRAME" set to Disable, you were not affected by this virus; most likely you didn't even notice it even if you have no anti-virus.

Dave98
May 28th, 2011, 03:02 PM
Any other info on what the payload was?

Dan_Kow
May 28th, 2011, 03:49 PM
Anyways in all seriousness there needs to be a system or fail safe method in place so that somebody is still in charge of the site during off hours/weekends.

Oh there always is, but the problem is that the "on-call" guy is usually out downing a few pints when the crap hits the fan.

Dan_Kow
May 28th, 2011, 03:53 PM
For those who have IE: if you have the security setting for "Launching windows and files in an IFRAME" set to Disable, you were not affected by this virus; most likely you didn't even notice it even if you have no anti-virus.

Mine was disabled, but like I mentioned in another thread, the only issue I had was the lack of a "Back" button - I was locked at the page level, and could only go forward, but no virus warnings or other issues.

soul_taker
May 28th, 2011, 04:05 PM
On Opera before 10:40 I kept getting a blank pop up message with a ok click box and then Opera would crash. No virus notifications from KIS. Running a scan now.

arm2000
May 28th, 2011, 05:30 PM
Mine was disabled, but like I mentioned in another thread, the only issue I had was the lack of a "Back" button - I was locked at the page level, and could only go forward, but no virus warnings or other issues.

I think it's a security mechanism from IE so you can't go to a trap link. If the Back button will send you to that site it will void the initial security setting of not opening that file/link/site

D-Roc
May 28th, 2011, 07:09 PM
Yeah, my AVG didn't detect anything..? :confused:


Same here. My AVG never detected anything wrong.

jumran
May 30th, 2011, 08:32 PM
Seems the site is under attack again. :twisted:

13sundin
May 30th, 2011, 08:38 PM
NOD32 pops up with threat: HTML/Iframe.B.Gen virus on each page I click.

45ED
May 30th, 2011, 08:42 PM
Again...again...I hatez u.

Edit:

I h8 u dis much

<----------------------------------------------------------------------------------------------->

elty
May 30th, 2011, 08:43 PM
Virus alert again

AcidBomber
May 30th, 2011, 08:45 PM
is it just me or does RFD pages always scroll to the bottom once it loads all of a sudden?

doesnt happen with other sites...

EDIT: nvm its normal now.

Battscrew
May 30th, 2011, 08:45 PM
Avant here as well. Same malware stopped.

DemonicHawk
May 30th, 2011, 08:46 PM
Seeing the same thing here.. hope this gets fixed asap, for those people who think they can't get a virus if they go to "trusted" sites and therefore don't use antivirus software.

45ED
May 30th, 2011, 08:47 PM
is it just me or does RFD pages always scroll to the bottom once it loads all of a sudden?

doesnt happen with other sites...

Hasn't happened to me...yet.

mamon
May 30th, 2011, 08:47 PM
Apologies for posting it here but it looks like the forum has been hacked and is serving a malicious URL via an iframe reference injected into source:
iframe src="h**p://vnvbhbyta.cz.******

I sent an email to admins as well.
Please delete this thread once the issue has been dealt with.

Kaitlyn
May 30th, 2011, 08:48 PM
Are you guys still seeing it?

45ED
May 30th, 2011, 08:49 PM
Are you guys still seeing it?

I just refreshed...and it didn't pop up.

Lemme go refresh a couple of times.

Edit: Not seeing it. :)

stephroll
May 30th, 2011, 08:50 PM
could you be a bit more specific ?

buyways
May 30th, 2011, 08:54 PM
is it just me or does RFD pages always scroll to the bottom once it loads all of a sudden?

doesnt happen with other sites...

EDIT: nvm its normal now.

yes, this happened to me too, I posted it earlier in this thread: http://forums.redflagdeals.com/merged-trojan-blackhole-toolkit-website-pop-up-when-rfd-1043320/post12949227/#post12949227

blairs1
May 30th, 2011, 10:04 PM
happened to me on the weekend, may 28th about 10:10am.

happened again this evening. and i just closed the browser tab..

seems to be gone now..

Cheap Cat
May 30th, 2011, 11:08 PM
I guess it pays to sleep in late Saturday morning and get home late on Monday night. ;) I haven't seen anything and I'm running Kaspersky.

tylerversion2
May 31st, 2011, 09:15 AM
Hey guys, a quick update to keep you all in the loop:

Yesterday evening, Kaitlyn discovered the code injected into a template. I won't go into the exact details, but I then dove into log files on 19 different servers and found extremely suspicious activity on a file one of our plugins uses. Nobody at RFD routes themselves through a proxy in Romania to perform actions on the site ;)

The file in question has been moved to safety and we should be ok now.

It seems like Avast, NOD32, and Kaspersky are doing a pretty good job of detecting whatever this was. At this time, I would suggest you install one of those and perform a full scan of your computer.

http://www.avast.com/en-ca/index
http://www.eset.com/us/
http://usa.kaspersky.com/

Sorry about this, guys. We're keeping a close eye on the situation. If you notice it again, please don't hesitate to post here, PM me directly, or both!
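The investigation tylerversion2 describes above is the standard pivot for this kind of compromise: find the file the attacker abused, then follow the source address across every front-end server. The block below is an added example and is not RFD's tooling or RFD's logs; it runs that pivot over combined-format web server log lines, flagging POSTs and parameterised GETs to PHP files under a plugin directory from addresses outside a staff allowlist, then lists everything those addresses touched. The sample lines, the plugin path, upload.php, admincp/template.php and all IP addresses are constructed for the example.

```python
"""Find who was hammering a plugin's PHP file (added example, not RFD's tooling)."""
import re
from collections import defaultdict
from datetime import datetime

# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)


def parse_log(text):
    """Yield one dict per well-formed combined-format line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
        yield rec


def _is_write_or_exec(method, path):
    """POSTs and parameterised GETs to a .php file; static assets in the plugin dir are noise."""
    base = path.split("?", 1)[0]
    if not base.endswith(".php"):
        return False
    return method == "POST" or "?" in path


def suspicious_plugin_activity(text, plugin_prefix, staff_ips):
    """Per-IP summary of write/exec requests under plugin_prefix from non-staff addresses."""
    seen = defaultdict(lambda: {"count": 0, "methods": set(), "paths": set(), "first": None, "last": None})
    for rec in parse_log(text):
        if rec["ip"] in staff_ips or not rec["path"].startswith(plugin_prefix):
            continue
        if not _is_write_or_exec(rec["method"], rec["path"]):
            continue
        s = seen[rec["ip"]]
        s["count"] += 1
        s["methods"].add(rec["method"])
        s["paths"].add(rec["path"])
        s["first"] = rec["ts"] if s["first"] is None else min(s["first"], rec["ts"])
        s["last"] = rec["ts"] if s["last"] is None else max(s["last"], rec["ts"])
    return dict(sorted(seen.items(), key=lambda kv: -kv[1]["count"]))


def pivot(text, ip):
    """Everything one address did, in order: the trail from the plugin file to the template."""
    return [rec for rec in parse_log(text) if rec["ip"] == ip]


# Constructed sample. The plugin directory, upload.php and admincp/template.php are
# assumed names, not RFD's real paths; 192.0.2.5 stands in for a staff address.
SAMPLE_LOG = """\
203.0.113.10 - - [28/May/2011:07:41:02 -0400] "GET /forums/showthread.php?t=1043320 HTTP/1.1" 200 51234 "-" "Mozilla/5.0"
198.51.100.7 - - [28/May/2011:07:42:15 -0400] "POST /forums/plugins/example_plugin/upload.php HTTP/1.1" 200 312 "-" "Mozilla/4.0"
198.51.100.7 - - [28/May/2011:07:42:17 -0400] "GET /forums/plugins/example_plugin/upload.php?c=ls HTTP/1.1" 200 1888 "-" "Mozilla/4.0"
203.0.113.10 - - [28/May/2011:07:43:00 -0400] "GET /forums/plugins/example_plugin/style.css HTTP/1.1" 200 4411 "http://forums.example.com/" "Mozilla/5.0"
192.0.2.5 - - [28/May/2011:07:50:30 -0400] "POST /forums/plugins/example_plugin/upload.php HTTP/1.1" 200 298 "-" "curl/7.21"
198.51.100.7 - - [28/May/2011:07:55:41 -0400] "POST /forums/admincp/template.php HTTP/1.1" 302 0 "-" "Mozilla/4.0"
"""
STAFF_IPS = {"192.0.2.5"}
PLUGIN_PREFIX = "/forums/plugins/example_plugin/"

if __name__ == "__main__":
    hits = suspicious_plugin_activity(SAMPLE_LOG, PLUGIN_PREFIX, STAFF_IPS)
    for ip, s in hits.items():
        print(ip, s["count"], sorted(s["methods"]), s["first"].isoformat(), s["last"].isoformat())
        for rec in pivot(SAMPLE_LOG, ip):
            print("   ", rec["ts"].time(), rec["method"], rec["path"], rec["status"])
```

Run it over the concatenated logs of all front-end servers, since a load balancer spreads one attacker across many of them; the per-address trail is what links a hit on the plugin file to the later template write that put the iframe on every page. The "proxy in Romania" observation needs a geolocation lookup against the flagged addresses, which is deliberately left out so the example runs offline.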

redgrandam
May 31st, 2011, 09:30 AM
Sorry to ask this again, but is this something that is cross platform or PC only? Have a Mac and just wondering if this is something I need to be concerned with. I'm not too familiar with this stuff. Thx :)

tylerversion2
May 31st, 2011, 09:57 AM
Sorry to ask this again, but is this something that is cross platform or PC only? Have a Mac and just wondering if this is something I need to be concerned with. I'm not too familiar with this stuff. Thx :)

Looking through the thread, it appears that it's all Win32-based stuff being detected. It may not be targeted at Mac computers, but I would err on the side of caution and get some anti-virus software anyway. I'm unfamiliar with Mac anti-virus software - maybe somebody in Computers & Electronics can help.

redgrandam
May 31st, 2011, 10:08 AM
Looking through the thread, it appears that it's all Win32-based stuff being detected. It may not be targeted at Mac computers, but I would err on the side of caution and get some anti-virus software anyway. I'm unfamiliar with Mac anti-virus software - maybe somebody in Computers & Electronics can help.

Thanks. That's what I was thinking. I have some basic anti-virus but since Mac viruses are so rare I've never worried too much about it. Just wasn't sure if this was something special :)

rfdnoob
Jun 20th, 2011, 11:25 PM
Was Rfd hacked?

TheRed
Jun 21st, 2011, 12:49 AM
And here the administrators are either sleeping, hiding, or hiring a security guy with Sony on his resume.