Dangerous javascript warning

For the last couple of days, my antivirus software has been triggered, detecting a serious Java exploit as I enter this forum.

John

Exploit:JS/Blacole.A


Safe Browsing

Diagnostic page for rcsailing.net/forum1

What is the current listing status for rcsailing.net/forum1?
Site is listed as suspicious - visiting this web site may harm your computer.
Part of this site was listed for suspicious activity 2 time(s) over the past 90 days.
What happened when Google visited this site?
Of the 27 pages we tested on the site over the past 90 days, 26 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2011-11-10, and the last time suspicious content was found on this site was on 2011-11-10. Malicious software is hosted on 3 domain(s), including bolchetrafa.orge.pl/, chupagabra.com/, admarket2.in.ua/.
2 domain(s) appear to be functioning as intermediaries for distributing malware to visitors of this site, including cookaround.com/, bolchetrafa.orge.pl/.
This site was hosted on 1 network(s) including AS36351 (SOFTLAYER).
Has this site acted as an intermediary resulting in further distribution of malware?
Over the past 90 days, rcsailing.net/forum1 did not appear to function as an intermediary for the infection of any sites.
Has this site hosted malware?
No, this site has not hosted malicious software over the past 90 days.
How did this happen?
In some cases, third parties can add malicious code to legitimate sites, which would cause us to show the warning message.
Next steps:

- Return to the previous page.
- If you are the owner of this web site, you can request a review of your site using Google Webmaster Tools. More information about the review process is available in Google’s Webmaster Help Center.

Hi John -
I’ve been in and out since I got the warning this morning - but nothing has been found - although I just updated my JAVA and am wondering if they have something within their new version that might be triggering this. I am playing carefully, but checking each time I leave I find nothing.

Dick

Dick, please use the webmaster tools provided by Google (I don’t have the privs). The Google scan results indicate this is unlikely to be a false alarm.

Cheers,

Earl

I too am getting the warning, but only when using Google Chrome as a browser. If I switch to IE, no malicious software gets flagged up.

Row

I had it flagged by MSE in both Firefox R8 and IE.

John

Doing it occasionally on IE now.

Is this a false positive, or has the site been hacked?

Row

I think the evidence is it’s been hacked. We’re trying to sort it out.

Cheers,

Earl

I’m using a Mac and Firefox 7.0.1

On loading this page, after the same warning page as above, a window popped up saying “You have chosen to open, FlashPlayer-11-macos.pkg, which is a zip archive, from http://94.199.51.3

Doing a Google search on that package shows a virus. It is NOT a file from Adobe, and seems to be a Mac installer. The page also says the downloaded package has to be installed to be a threat. I have the file saved, but not installed :) if anyone wants it!

BTW, this page reloads itself over and over every few seconds, unless I tell it to stop!

More info: check the page source HTML, and look at the very bottom of this page. There is a hidden iframe link to [ h t t p://www.cookaround.com/cook/robots.php]. After loading that website in another window, all it has is another hidden iframe link to [h t t p://sup erbe sttraf.orge.pl/iframe.php?id=406x8gaw3trjcn1wx4kmv41roybs mal]

Note I added spaces in both links so they would NOT be active, clickable links. Remove the spaces at your own risk!

I would suggest looking for the “cookaround” text string throughout the site and remove it from each page as a starter.

Thank you for bringing this to our attention… I have worked with my host and have resolved the malware.
Seems another site that I am hosting (recipedesigner.com) allowed a malware file to be uploaded that affected all my other sites.

The host and I have scanned and verified the malware should be removed. I have asked Google to review the site again (per Google’s guidelines)…
Will take a few days for the review to be completed.

In light of this incident I will be looking into methods to better isolate my sites from one another.

After having sent a message to Dick about the “problem” I downloaded “Malwarebytes” as suggested, and after an 84-minute scan, some 53 files were found infected out of 408696.
Reloaded the RCSailing threads and no problems anymore!
Cheers
ClaudioD

Analyzing malware is always iffy, but this appears to attempt to load one of the variants of the Flashback trojan on Macs. The Flashback trojan masquerades as a Flash player update. It can only harm you if you download and install it. If you have done so, Google on “Flashback trojan” to learn how to detect what variant you have had the misfortune to install and how to remove that variant from your machine. If you are a Mac user and concerned about security, I highly recommend the Intego firewall/antivirus software.

Cheers,

Earl

I was just into and then out of this site and ran several different scans here at work - Malware Bytes, Sophos and Norton and all appears well. I posted on two other sites so I can go back and advise this one is once again safe to visit.

Thanks for the quick work Chad, John, Earl - and all.

My anti-virus software is picking up malware again!!

All was clear until this evening - have we been hacked again?

Row

Don’t click on this:

URL: h t t p : / / superbesttraf.orge.pl/iframe. php?..
Process: file://C:\Program Files\Alwil Software\A…
Infection: a

Spaces added so hopefully won’t show as link

Upgraded forums and took a pass at the database… I think most has been removed… PLEASE let me know if you find any other warning or suspicious looking pages. Twitter account: Rcsailing or dailypush

If you are running a personal firewall (and these days, you should be) you should block the following IPs associated with this malware:

Cookaround.com at 151.1.175.127

bolchetrafa.orge.pl aka superbesttraf.orge.pl at 182.18.185.82

chupagabra.com at 85.17.136.171

Cookaround is a victim but may still be subverted. The other two are the bad guys.

Cheers,

Earl

or edit your “hosts” file and add those IP addresses to the list. Do a google search if you have never done this before.

Thanks for the replies & info - you’re advising a man who wouldn’t know his IP’s from a DNS etc etc if they loudly stomped up behind and bit his backside. Mr Google to the rescue. I got into trouble with my brother (an airline capt, so very tech savvy) for not having an updated notebook. When I explained that every request was met with alarm bells (anti-virus, firewall etc etc) he eventually sat me down & explained that some software actually worked better when kept up to date…!! Before W7, I was running XP with, a-hem, no service packs.

Row

Chad, page 13 of the America’s Cup thread opened a new attack warning. The iframe src link near the bottom of the page (in “view page source”) points to a new URL at cookaround.com, http://www.co okaro und.com/newhome/vost.php (spaces added) which in turn loads a blank page with an iframe src link to
http://ras temvtop.or ge.pl/iframe.php?id=406x8gaw3trjcn1wx4kmv41roybsmal (spaces added)

This is a new malware site URL

Is there any way to eliminate all <iframe src> html code on the entire site? Or change all <iframe src> code to point to a blank page on your site?

We’re on it. We’re getting way too much practice at this :( Thanks for the alert.

Cheers,

Earl

Looking into that page… scanning the site again… and researching a way to disable iframes from the hosting side