Page 1 of 3
Results 1 to 10 of 21

Thread: Virus ?

  1. #1
    SFM Guru trekki's Avatar
    Join Date
    May 06
    Location
    Germany
    Posts
    622

    Virus ?

    Hello,
    strange pages always open for me and my virus scanner constantly raises the alarm. Is that correct?

  2. #2
    SFM Nugget
    Join Date
    Feb 14
    Age
    26
    Posts
    87
    Me too. Trojan for mining bitcoins.

  3. #3
    just some guy rojren's Avatar
    Join Date
    May 06
    Location
    Louisville, KY
    Age
    53
    Posts
    1,418
    "...aborted connection on cdn.cloudcoins.co because it was infected with JS:Miner-C [Trj]..."

  4. #4
    SFM Oracle MadKoiFish's Avatar
    Join Date
    May 06
    Posts
    3,826
    Yeah, just block the site in the hosts file. Thinking that these URLs that are injected are rotating through, it is time, I think, to abandon ship again.



    https://coinhive.com/*
    another url to block.
    there are some other fishy things as well like "blob:http://*"
    Last edited by MadKoiFish; 22nd Nov 2017 at 07:03.
    -= BLOG| WIP BLOG=-

  5. #5
    SFM Oracle MadKoiFish's Avatar
    Join Date
    May 06
    Posts
    3,826
    Gonna actually bump this to use ublock origin (chrome and firefox) and just block all 3rd party scripts and what not on the site. I do not think ABP can do this without messing with the language it uses to block by site, it is all or nothing or henpecking the content as it arrives.

    I hate to say it this way as it also prohibits the REAL adverts for the site as well. I think ublock though can green light certain things. Make sure to google how the columns work. I managed to block third party and retain the google ads with the following URL info.

    https://github.com/gorhill/uBlock/wi...g:-quick-guide

    I have been using ublock on my tablet as ABP is utter crap on android, no element blocks no custom filters just some lame vpn like behavior that chews up ram and cycles leading to eating the battery in less than a hour. Takes a while to figure out what does what but eh it works so far.
    -= BLOG| WIP BLOG=-

  6. #6
    SFM Guru
    Join Date
    Feb 10
    Location
    Quebec, Canada
    Age
    52
    Posts
    650
    I use adblock for Firefox, but had to include the coin URL. I hope they could put a WordPress forum/social platform of some sort... at least they could rely on stronger security plugins.

  7. #7
    SFM Oracle MadKoiFish's Avatar
    Join Date
    May 06
    Posts
    3,826
    As said elsewhere, or maybe here, it is the issue of vBulletin not supporting older software, which this site runs on. Google vbulletin hack or vbulletin security hole. Plugs have nothing to do with it.

    As for the URLs, yeah, someone ought to report all those crud tumblr ones and all the ones that randomly show up. Also note: do not search SFM via Google or a search engine, as that will send you to a redirect of some sort, which is a common hack as well.


    As mentioned, I would use a script or adblocker that can block all 3rd party scripts or frames, and can selectively block or allow specific elements or scripts. In that image you can see the red on the right in 3rd party means anything, no matter what, if it does not contain the SFM URL on it, it won't run.

    Also note adblockers do not necessarily block hacks bad scripts etc just adverts. Most have subscriptions that allow you to add exploits hacks etc or bad urls. I would technically use a hosts file to block those as well. Known evil urls and stop them loading on the system from any application. Like all those damned adobe hive/botnet urls and ips.

    To note, in the past I recommended ABP, but that app starts to bloat like mad and does not always block frames or elements you select. Worse is if you use a tab manager or other tool to load last tabs or windows from the last session, ABP will not be in effect on any pages loading in focus or behind other tabs. This is a new behavior for it; either it is something Firefox broke or it is ABP playing games or a limitation. So far uBlock Origin is the cleanest and fastest, even with my HUGE list of ABP custom blocks and subscribing to a tonne of ublock subs. Only complaint is the pop ups and element blocking is kludgy vs ABP's add-ins.

    Heh that list of crappy Russian image sites has grown.

    Code:
    </head>
    	<body>
    <div style="text-indent:-9999px; position:fixed">
    
    <a href="http://asuszenfone2.tumblr.com/">asuszenfone</a>
    <a href="http://izlehdfilm.tumblr.com/">film</a>
    <a href="https://guncelbegenihileleriinstagram.tumblr.com/">güncel beğeni</a>
    <a href="https://guncelinstagramhileleri2017.tumblr.com/">güncel instagram</a>
    <a href="https://guncelinstagramtakipciyollari.tumblr.com/">instagram takipçi</a>
    <a href="http://guncelhaberlerbugun.tumblr.com/">haberler</a>
    <a href="http://guncelhaberlerturkiye.tumblr.com/">güncel haberler</a>
    <a href="https://guncelinstagramtakiphileleri2017.tumblr.com/">instagram takip hileleri</a>
    <a href="http://haberlerioku.tumblr.com/">haberleri</a>
    <a href="https://instabayim.tumblr.com/">instabayim beğeni</a>
    <a href="https://instabayimbegeni.tumblr.com/">instabayim</a>
    <a href="https://instagram200begenihilesi.tumblr.com/">instagram 200</a>
    <a href="https://instagram200takipcihilesi.tumblr.com/">instagram 200 takipçi</a>
    <a href="https://instagram200yorumhilesi.tumblr.com/">instagram 200 yorum</a>
    <a href="https://instagrambegenihilesiucretsiz.tumblr.com/">instagram beğeni hilesi</a>
    <a href="https://instagrambegenikasmahilesi.tumblr.com/">instagram beğeni kasma</a>
    <a href="https://instagramgiris.tumblr.com/">instagram</a>
    <a href="https://instagramtakipciarttirma.tumblr.com/">instagram takipçi</a>
    <a href="https://instagramtakipcikazan.tumblr.com/">instagram takipçi</a>
    <a href="http://lgg5fiyati.tumblr.com/">lg5</a>
    <a href="http://samsungnote7.tumblr.com/">samsungnote</a>
    <a href="http://sondakikaturkiye.tumblr.com/">sondakika</a>
    <a href="http://sonyxperiaz5.tumblr.com/">sony</a>
    <a href="https://takipcigondermearaci.tumblr.com/">takipçi</a>
    <a href="https://takipcigondermesitesi.tumblr.com/">takipçi gönderme</a>
    <a href="http://turkiyesondakika.tumblr.com/">son dakika türkiye</a>
    <a href="http://diziizleyabanci.tumblr.com/">dizi</a>
    <a href="http://yenihaberleristanbul.tumblr.com/">haberler</a>
    <a href="https://instagramgunceltakipcikasma.tumblr.com/">instagram güncel takipçi</a>
    <a href="https://ucretsizinstagramtakipcikas.tumblr.com/">ücretsiz instagram takipçi</a>
    <a href="https://ucretsizinstagram500takip.tumblr.com/">ücretsiz instagram 500</a>
    <a href="https://ucretsizinstagramhileler.tumblr.com/">ücretsiz instagram</a>
    <a href="https://bedavainstagramtakipci.tumblr.com/">bedava instagram</a>
    <a href="https://ucretsizguncelinstagramtakip.tumblr.com/">ücretsiz güncel instagram</a>
    <a href="https://guncelinstagramhilelerikasma.tumblr.com/">güncel instagram hileleri</a>
    <a href="https://instagramtakipcikasmaucretsiz.tumblr.com/">instagram takipçi</a>
    <a href="https://ucretsiztakipcihileinstagram.tumblr.com/">ücretsiz takipçi</a>
    <a href="https://ucretsizinstagramhileleriguncel.tumblr.com/">ücretsiz instagram</a>
    <a href="https://ucretsizinstagramtakipcibegeni.tumblr.com/">takipçi ve beğeni</a>
    <a href="https://ucretsizinstagramhileleri.tumblr.com/">ücretsiz instagram</a>
    <a href="https://ucretsizinstagramtakipcihile.tumblr.com/">takipçi</a>
    <a href="https://ucretsizinstagramtakipci.tumblr.com/">instagram</a>
    <a href="https://instagramtakipcikasmasitleri.tumblr.com/">instagram</a>
    <a href="https://ucretsizinstagramtakipcisite.tumblr.com/">instagram takipçi</a>
    <a href="https://ucretsizinstagramtakipkasma.tumblr.com/">instagram takip</a>
    <a href="https://ucretsizinstagramtakipci1k.tumblr.com/">ilk ücretsiz</a>
    <a href="https://ucretsiztakipcikasmasiteniz.tumblr.com/">ücretsiz takipçi kasma</a>
    <a href="https://instagramucretsiz1ktakipci.tumblr.com/">instagram ücretsiz</a>
    <a href="https://instagram1000takipcikazan.tumblr.com/">instagram 1000</a>
    <a href="https://instagram500takipcihileleri.tumblr.com/">instagram 500</a>
    <a href="https://instagramfenomentakipci.tumblr.com/">instagram</a>
    <a href="https://instagramucretsizbegenihilesi.tumblr.com/">instagram ücretsiz</a>
    <a href="https://instagramtakipcikazanmahile.tumblr.com/">instagram takipçi</a>
    <a href="https://instagramfenomenyollari.tumblr.com/">instagram fenomen</a>
    <a href="https://instagramguncelbegenihile.tumblr.com/">instagram güncel</a>
    <a href="https://instagramgunceltakipci.tumblr.com/">instagram güncel</a>
    <a href="https://instagramtakibetakiphilesi.tumblr.com/">instagram takip</a>
    <a href="https://instagramtakipciucretsiz.tumblr.com/">instagram takipçi ücretsiz</a>
    <a href="https://instagramtakipcikasmayollar.tumblr.com/">instagram takipçi</a>
    <a href="https://instagramtakipciarttirmasite.tumblr.com/">instagram takipçi</a>
    <a href="https://instagramtakipciucretsizkasma.tumblr.com/">instagram takipçi ücretsiz</a>
    <a href="https://instagramtakipcikasalim.tumblr.com/">hemen takipçi</a>
    <a href="https://instagramucretsizgunceltakipci.tumblr.com/">güncel instagram ücretsiz</a>
    <a href="https://instagramtakipci.tumblr.com/">instagram takipçi</a>
    <a href="https://instagramtakipcinasilkasilir.tumblr.com/">instagram takipçi nasıl</a>
    <a href="https://instagrambegenihileguncel.tumblr.com/">instagram beğeni</a>
    <a href="https://instagramtakipcinasilarrtir.tumblr.com/">instagram takipçi nasıl</a>
    <a href="https://instagramtakipcihileleriguncel.tumblr.com/">instagram takipçi</a>
    <a href="https://instagramtakipcikasmahile.tumblr.com/">instagram takipçi kasma</a>
    <a href="https://instagramucretsiztakipci.tumblr.com/">instagram ücretsiz</a>
    <a href="http://internetgazetesi.tumblr.com/">internet gazetesi</a>
    <a href="http://iphone8fiyati.tumblr.com/">iphone 8</a>
    
    </div>
    dunno what that crap does short of exist in the code. It is only on the site's root so shrug.
    -= BLOG| WIP BLOG=-

  8. #8
    Worldwide Phenomenon Guerrilla's Avatar
    Join Date
    May 06
    Location
    Helsinki, Finland
    Age
    35
    Posts
    2,665
    The first crypto-miner was pretty easy to find and remove (it was encrypted but stuck out), but I haven't even figured out where this one is injected yet. You can circumvent the issue by adding crypto-loot.com to your adblock or whatever you're running (My ublock actually blocked it on its own).

    Pretty sure the Turkish SEO crap on the index has been there ever since the last hack, but I haven't figured out where it gets added to the index. The file integrity checker is useless and I don't actually have access to default vbulletin files that I know 100% to be clean. As far as I can tell, it doesn't really do anything other than lurk right off the page trying to generate search engine rankings (which it probably isn't, since this blackhat SEO bull**** isn't supposed to work anymore).

    The redirects are a bigger issue, but like MKF said, they are very complicated to fix on our version of vBulletin.

    I realize this isn't ideal, and we really are working on something big to fix this, but in the meantime here are a couple of things to work around the biggest issues:

    1. Read the previous post from MKF. Good information there.
    2. The two crypto miners spotted so far are cloudcoins.co (which I'm pretty sure I removed) and crypto-loot.com (which I'm furiously looking for). Add both to your ad-blocker, if they're not there already.
    3. You should probably run an ad-blocker here (I run ublock origin). Some form of no-script might be a good idea too, but may mess with actual site functionality
    4. Only access the site by typing in the complete URL or use a bookmark or whatever. Don't enter through a search engine, and access the forum index directly (www.scifi-meshes.com/forums/) to avoid most redirects.
    5. Maybe don't access the site on mobile for the time being
    Comco: i entered it manually in the back end

    Join our fancy new Discord Server!
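
An added example, not part of the thread or the site's own code: a small Python scanner an admin could run over a saved copy of a page to flag the two things reported above, script or iframe sources on the miner domains named in the thread and external links inside an off-screen-styled container. The `scan` function, the style heuristic and the sample HTML are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Miner domains named in this thread; extend from your own blocklist.
MINER_DOMAINS = {"coinhive.com", "crypto-loot.com", "cloudcoins.co"}
# Assumed heuristic: inline styles that push content off-screen or hide it.
HIDDEN_STYLE = re.compile(r"(text-indent|left)\s*:\s*-\d{3,}px|display\s*:\s*none", re.I)
VOID = {"br", "hr", "img", "input", "link", "meta"}

def host_matches(host, domains):
    return any(host == d or host.endswith("." + d) for d in domains)

class InjectionScanner(HTMLParser):
    def __init__(self, site_domain):
        super().__init__()
        self.site_domain = site_domain
        self.stack = []     # (tag, styled_hidden) for each open element
        self.findings = []  # (kind, url) tuples

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        inside_hidden = any(h for _, h in self.stack)
        if tag not in VOID:
            self.stack.append((tag, bool(HIDDEN_STYLE.search(a.get("style") or ""))))
        url = a.get("src") if tag in ("script", "iframe") else a.get("href") if tag == "a" else None
        host = urlparse(url or "").hostname or ""
        if tag != "a" and host_matches(host, MINER_DOMAINS):
            self.findings.append(("miner-script", url))
        elif tag == "a" and inside_hidden and host and not host_matches(host, {self.site_domain}):
            self.findings.append(("hidden-external-link", url))

    def handle_endtag(self, tag):
        names = [t for t, _ in self.stack]
        if tag in names:  # close the innermost matching element, ignore stray end tags
            del self.stack[len(names) - 1 - names[::-1].index(tag):]

def scan(html, site_domain):
    scanner = InjectionScanner(site_domain)
    scanner.feed(html)
    return scanner.findings

# Constructed sample: off-screen link block plus a script on a miner domain.
SAMPLE = """</head><body><div style="text-indent:-9999px; position:fixed">
<a href="http://spam-one.example/">one</a><br><a href="/forums/">local</a>
</div><a href="https://visible.example/">visible</a>
<script src="https://cdn.cloudcoins.co/constructed.js"></script></body>"""

print(scan(SAMPLE, "scifi-meshes.com"))
```

Run against the rendered output of each template (index, new-posts results, a thread page), this narrows down which page the injection lands in even when no clean copy of the forum files is available for comparison.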

  9. #9
    Worldwide Phenomenon Guerrilla's Avatar
    Join Date
    May 06
    Location
    Helsinki, Finland
    Age
    35
    Posts
    2,665
    Ok, spent better part of a working day digging through some very suspicious files. SEO crap and crypto-miner should be gone, at least for the time being, and I managed to track down and close down some security holes along the way. Redirects will need more research.

    I'm a little worried that the fixes I made are temporary, so you should keep your eyes open in any case, but at least we'll have a better handle on what happens if/when suspicious stuff appears on the index again.
    Comco: i entered it manually in the back end

    Join our fancy new Discord Server!

  10. #10
    SFM Oracle MadKoiFish's Avatar
    Join Date
    May 06
    Posts
    3,826
    Well, it lasted all but a day? Least the loot thing isn't there atm, just the others. Interesting thing is it is only on the new posts results vs inside of any one thread.

    Heh, they come and go. Anyhow, I had posted something saying thanks but it seems it got eaten or something, so thanks for the work at cleaning things up.
    Last edited by MadKoiFish; 16th Dec 2017 at 12:12. Reason: muh post got eaten
    -= BLOG| WIP BLOG=-
