Site Infected!

[ChaosSlayerZ]

heads up!

one of the adds running on the site has just tried to inject my pc with a trojan.

[blackdragonsdg]

Happened to me too.....here is a bit more information on it:

Code:

4/23/2010 3:47 PM,High,An intrusion attempt by google.analytics.com.scvepuxdfzar.info was blocked.,Blocked,No Action Required,HTTP Trojan Mebroot Request,"google.analytics.com.scvepuxdfzar.info (208.68.139.38, 80)",google.analytics.com.scvepuxdfzar.info/ld/kav4/,"DRAGON148-PC (192.168.1.101, 2009)",208.68.139.38 (208.68.139.38),"TCP, www-http",
4/23/2010 2:51 PM,Info,Intrusion Prevention has been enabled,Detected,No Action Required,,,,,,,Intrusion Prevention
4/23/2010 2:51 PM,Info,Intrusion Prevention is monitoring 1580 signatures. Driver version: 9.1.2.5,Detected,No Action Required,,,,,,,Intrusion Prevention
4/23/2010 2:51 PM,Info,Intrusion Prevention Engine version: 4.5.0.67 Definitions Set version: 20100415.001,Detected,No Action Required,,,,,,,Intrusion Prevention
4/21/2010 1:22 PM,Info,Intrusion Prevention has been enabled,Detected,No Action Required,,,,,,,Intrusion Prevention
4/21/2010 1:22 PM,Info,Intrusion Prevention is monitoring 1580 signatures. Driver version: 9.1.2.5,Detected,No Action Required,,,,,,,Intrusion Prevention
4/21/2010 1:22 PM,Info,Intrusion Prevention Engine version: 4.5.0.67 Definitions Set version: 20100415.001,Detected,No Action Required,,,,,,,Intrusion Prevention
4/20/2010 6:31 PM,Medium,An intrusion attempt by 68.87.74.166 was blocked.,Blocked,No Action Required,Portscan,"68.87.74.166, 53",,"DRAGON148-PC (192.168.1.101, 59865)",68.87.74.166,"UDP, Port 53",
4/20/2010 6:31 PM,Medium,An intrusion attempt by 68.87.74.166 was blocked.,Blocked,No Action Required,Portscan,"68.87.74.166, 53",,"DRAGON148-PC (192.168.1.101, 60362)",68.87.74.166,"UDP, Port 53",
4/20/2010 4:24 PM,Info,Intrusion Prevention has been enabled,Detected,No Action Required,,,,,,,Intrusion Prevention
4/20/2010 4:24 PM,Info,Intrusion Prevention is monitoring 1580 signatures. Driver version: 9.1.2.5,Detected,No Action Required,,,,,,,Intrusion Prevention
4/20/2010 4:24 PM,Info,Intrusion Prevention Engine version: 4.5.0.67 Definitions Set version: 20100415.001,Detected,No Action Required,,,,,,,Intrusion Prevention
4/18/2010 8:03 PM,Medium,An intrusion attempt by 68.87.74.166 was blocked.,Blocked,No Action Required,Portscan,"68.87.74.166, 53",,"DRAGON148-PC (192.168.1.101, 51040)",68.87.74.166,"UDP, Port 53",
4/18/2010 8:03 PM,Medium,An intrusion attempt by 68.87.74.166 was blocked.,Blocked,No Action Required,Portscan,"68.87.74.166, 53",,"DRAGON148-PC (192.168.1.101, 50654)",68.87.74.166,"UDP, Port 53",
4/18/2010 7:35 PM,High,An intrusion attempt by 93.186.117.19 was blocked.,Blocked,No Action Required,HTTP Fake Antivirus Install Request 4,"93.186.117.19, 80",93.186.117.19/main.php?land=20&affid=44704,"DRAGON148-PC (192.168.1.101, 1637)",93.186.117.19,"TCP, www-http",

[Congdar]

yep, McAfee blocked the trojan for me too.

[Akkadius]

Aye I had to do a restart, and then get into my processes before I could go back a day to restore my old slate. Was beautiful.

[steve]

Nasty.

I use a router script that is updated automatically every week that blocks advertisements on websites. Never can be too careful these days, antivirus and anti-malware software can't protect you from everything.

[Akkadius]

Aye, that's why I don't really use anything. Just do a restart and cancel out processes running in the background that aren't familiar before they take control of your machine first then you can go back to a restore point (if your OS has it of course).

[pfyon]

Quote:

Originally Posted by Akkadius

Aye, that's why I don't really use anything. Just do a restart and cancel out processes running in the background that aren't familiar before they take control of your machine first then you can go back to a restore point (if your OS has it of course).

An ounce of prevention is worth a pound of cure (or whatever the saying is). Adblock + COMODO firewall + microsoft security essentials hasn't failed me yet.

[BuzWeaver]

Avast chimed in yesterday and blocked it when I was in the Project forums.

[trevius]

Looks like more trojans from the ads again today. Gotta love having ads here :P

[Capheus]

One thing I have found that really helps is by blocking third party cookies in the internet options for those of us who use IE. Not sure if the other browsers have similar options, I haven't messed around with them too much.

[GeorgeS]

If someone has the URL's that these infected ads come from then I can block them from the router admin area - sort of like the way come companies do..

Possible?

GeorgeS

[blackdragonsdg]

Quote:

Originally Posted by GeorgeS

If someone has the URL's that these infected ads come from then I can block them from the router admin area - sort of like the way come companies do..

Possible?

The site that triggered my firewall is google.analytics.com.scvepuxdfzar.info

208.68.139.38 is the IP address for that site.

[steve]

I highly recommend everyone with a router to go with an ad blocking solution.

I'm using a Linksys WRT54G with Tomato firmware. If anyone is interested, I can post my router scripts so the ads can be blocked by individuals.

[number6]

I run tomato as well Steve, on a WRT54GL - would be interested to hear how you do this.

Cheers

Paul.

[steve]

For Tomato Firmware users:

1) Goto Administration>Scheduler. In the 'Custom 1' box, setup a time you want the router to update the hostfile (preferably once per week. I use Sunday at 4am). Check Enabled, select time and days.

2) Paste the following into the 'command box':

Code:

xyz=allowlist;hij=adblock.tmp;abc=dnsmasq_adblock.conf;tip=192.168.1.1;wget -q -O /tmp/$abc 'http://pgl.yoyo.org/adservers/serverlist.php?hostformat=dnsmasq&showintro=0&mimetype=plaintext';[ -f /tmp/$xyz ] && (cat /tmp/$abc | grep -v -f /tmp/$xyz>>/tmp/$hij; mv -f /tmp/$hij /tmp/$abc);[ $? -eq 0 -a `grep ^address= /tmp/$abc|wc -l` -gt 0 ] && (logger -t adblock -p 5 Server download OK;cat /tmp/$abc|sed 's/127.0.0.1/'$tip'/g'>/etc/$abc;[ ! -s /cifs1 ] && mv -f /tmp/$abc /cifs1/$abc.bak || rm /tmp/$abc;[ -h /etc/dnsmasq.custom ] && service dnsmasq restart) || (logger -t adblock -p 4 Server download failed;[ ! -s /etc/$abc -a -s /cifs1/$abc.bak ] && (logger -t adblock -p 5 Data recovered from backup;cat /cifs1/$abc.bak|sed 's/127.0.0.1/'$tip'/g'>/etc/$abc;[ -h /etc/dnsmasq.custom ] && service dnsmasq restart));unset xyz hij abc tip

3) Click 'Save' at the bottom of the page.

4) Now goto Administration>Scripts. Click on the 'Init' tab if it's not already selected, and paste the following code into it and click 'Save'. NOTE: You can add as many 'echo' lines as you like to remove those hostnames from the blocked hostname list. I added Google Analytics because it stalls a lot of pages from loading if they use it.

Code:

echo "google-analytics">/tmp/allowlist
echo "ssl.google-analytics.com">>/tmp/allowlist
[ ! -f /tmp/dnsmasq.chk ] && (ln -s /etc/dnsmasq_adblock.conf /etc/dnsmasq.custom;touch /tmp/dnsmasq.chk)

5) Click on the 'WAN Up' tab at the top. Paste the following code into it, and click 'Save':

Code:

[ ! -f /etc/dnsmasq_adblock.conf ] && eval `nvram get sch_c1_cmd`
ps | grep [p]ixelserv
if [ $? == 1 ]; then
    wget -P /var http://pixelserv.webs.com/pixelserv
    chmod +x /var/pixelserv
    /var/pixelserv
fi

6) Goto 'Administration>Admin Access' and change 'Local Access' to HTTPS only (so the pixelserv server can run on port 80) and enter a port to run the router webserver on - I used 8080. Click 'Save' at the bottom.

7) Reboot router and if all went all, advertisements will be blocked on 99% of all websites and will be replaced with a 1x1 pixel transparent image - no red X's or boxes where the ads would normally be located.

I believe that's all the steps. At least all that I can remember from setting it up. If anyone tries this and it does/doesn't work, be sure to let me know. One thing to note is I just made the webs account to host the pixelserv - not sure how reliable they are, but I think it should be ok. The pixelserv binary is downloaded everytime the router is rebooted and is only 10kb.