Posted

I usually surf pretty safely .. Zone Alarm, AVG updated daily .. "No Script" extension installed on FF3.

Something apparently nailed me yesterday or night before. It looked like Maxnet had just collapsed, so I didn't think too much. Then I started noticing odd symptoms.

1 - I could only open websites for a few minutes after a reboot, then no apparent bandwidth.

2 - Oddly, I could log on to gmail, which is usually a bit slow. I could also ftp.

3 - When I finally realized what was going on, I saw that I could open https pages, just not http. Then I realized that Zone Alarm had been compromised.

I guess it must be/have been a trojan.

So I downloaded Comodo firewall and antivirus and scanned the heck out of my system. It seems to have worked. I even scanned with the Comodo online scanner and got 0 threats.

Any recommendation for scanning for another trojan or rootkit?

Posted

Is it an attack or problems with the net?

For the past 3 days Middle Eastern services have been unreliable to say the least. It’s not restricted to the one supplier or service be it dial up, satellite or broadband. Users of all ISP’s have reported the same.

Connections drop, at times you connect to the server but it remains dormant, impossible to sign into msn or hotmail, can’t log into secure sites. The list goes on. For some reason Yahoo, Skype and Callserve work at the times when websites timeout.

In the past hour or so it appears to be returning to normal.

Posted
Is it an attack or problems with the net?

For the past 3 days Middle Eastern services have been unreliable to say the least. It’s not restricted to the one supplier or service be it dial up, satellite or broadband. Users of all ISP’s have reported the same.

Connections drop, at times you connect to the server but it remains dormant, impossible to sign into msn or hotmail, can’t log into secure sites. The list goes on. For some reason Yahoo, Skype and Callserve work at the times when websites timeout.

In the past hour or so it appears to be returning to normal.

I think the most telling point is that https pages opened and http pages wouldn't.

Posted

I'm wondering if it could have been one of those clickjacking scripts. Tis from the webmasterworld site.

"This was announced a few weeks ago, and the mainstream press has finally caught it for a second round on the internet.

http://news.google.com/news?as_q=clickjack...mp;as_scoring=o

There is no workaround (and thankfully no proof-of-concept) and noscript does not stop it from happening. It works without javascript.

I cannot fathom how it possibly works. I hope the hackers have just as hard of a time.

One thing that might help is FlashBlock (for firefox) which stops all flash except the scripts you press the "play button" on."

Posted

Did you not notice this on the Comodo website? I would strongly recommend it. Just yesterday it picked up something - literally within seconds after I installed a downloaded EXE - that Norton apparently remained entirely clueless about...

mk

Posted
& connection problems don't disable firewalls... :o

I noticed about 5 days ago that my Comodo wasn't running - it was unchecked in the Startup tab of the System Configuration Utility.

So I wrote a simple command file for the startup folder that checks that certain important tasks are running: Avast antivirus, Comodo firewall, BOClean anti-malware, Windows Defender, Spybot S&D and Ad-Aware. If any isn't running, it displays a message.

Posted
Did you not notice this on the Comodo website? I would strongly recommend it. Just yesterday it picked up something - literally within seconds after I installed a downloaded EXE - that Norton apparently remained entirely clueless about...

mk

Yes, I downloaded BOClean and it found several tracking cookies, but nothing that looked like a trojan. I have this nervous feeling that the trojan(?) is still on my machine, and only the firewall is keeping it from doing whatever it is designed to do. I guess with the way the 'net is so rife with malware, paranoia is a healthy state.

Posted
I usually surf pretty safely .. Zone Alarm, AVG updated daily .. "No Script" extension installed on FF3.

So how have you picked this virus up? It must be from either warez or porn? :o

Posted
Yes, I downloaded BOClean and it found several tracking cookies, but nothing that looked like a trojan. I have this nervous feeling that the trojan(?) is still on my machine, and only the firewall is keeping it from doing whatever it is designed to do. I guess with the way the 'net is so rife with malware, paranoia is a healthy state.

Try this one: http://www.kaspersky.co.uk/virusscanner - Kaspersky online virus scanner.

Posted
It must be from either warez or porn? :o

Why must it be? Why not read the entire post and take special notice of the "clickjacking" article.

I have already said I have used different virus scanners. Stupid and insulting comment, TopDogger. :D

Posted
It must be from either warez or porn? :o

Why must it be? Why not read the entire post and take special notice of the "clickjacking" article.

I have already said I have used different virus scanners. Stupid and insulting comment, TopDogger. :D

Have you followed my instruction?

Posted

@jetsblue - did the Kaspersky online check .. all 54 hours. It did find a "trojan", (js.downloader) but it was in a folder for some freeware I downloaded months ago and never got around to installing. So I don't think that caused my problem.

@jj - downloaded and ran Malwarebytes' AntiMalware on a complete system scan .. 1 hour .. nothing found.

Thanks to both of you for your help. My system "seems" okay, but .. ?

Posted

Don't think there's much more you can do realistically beyond a HD format which would seem a little excessive. Change all your passwords to be on the safe side. Good luck...

mk

Posted (edited)
It must be from either warez or porn? :o

Why must it be? Why not read the entire post and take special notice of the "clickjacking" article.

I have already said I have used different virus scanners. Stupid and insulting comment, TopDogger. :D

Ignore him - he's just "having a laugh". :D

@jetsblue - did the Kaspersky online check .. all 54 hours. It did find a "trojan", (js.downloader) but it was in a folder for some freeware I downloaded months ago and never got around to installing. So I don't think that caused my problem....

Wow! How long?? I usually only scan my C: drive - just did it again, in fact, and it took just over an hour and only found the programs I know aren't viruses - cmdow.exe and some SysInternals stuff.

Of course, if I had scanned the 940 GB of external data on the 1.2 TB of drives, it would've taken a little longer. :D

I think I'll give that MalwareBytes stuff a go now... :D

Edited by JetsetBkk
Posted
Don't think there's much more you can do realistically beyond a HD format which would seem a little excessive. Change all your passwords to be on the safe side. Good luck...

mk

Actually, everything "seems" fine now that I removed ZoneAlarm and installed Comodo's firewall.

Posted
Don't think there's much more you can do realistically beyond a HD format which would seem a little excessive. Change all your passwords to be on the safe side. Good luck...

mk

Actually, everything "seems" fine now that I removed ZoneAlarm and installed Comodo's firewall.

Maybe Zone Alarm got its knickers in a twist :o I use Comodo - takes a while for it to "learn" what to do, but once that period is over, it's usually pretty quiet and gets on with its job.

I did the Malware Bytes scan - no problems.

Posted
So I downloaded Comodo firewall and antivirus and scanned the heck out of my system. It seems to have worked.

Just out of interest, after you did this, did Comodo actually pick up anything specific?

Posted (edited)
So I downloaded Comodo firewall and antivirus and scanned the heck out of my system. It seems to have worked.

Just out of interest, after you did this, did Comodo actually pick up anything specific?

To tell you the truth, I'm not sure. That sounds silly, but I had so much stuff going on in my old noggin that nothing jumped out at me.

BOClean found some stuff, but since nothing was actually called "trojan", it didn't register. I spent most of the afternoon changing passwords on ftp clients, and web server panels and accounts.

Edited by klikster
Posted
To tell you the truth, I'm not sure.

I think Jetset may have been right when he said "Maybe Zone Alarm got its knickers in a twist." Sounds like it may have got corrupted or something and you might not have had any malware at all. I don't think it's great software to be honest. Anyway, you did all the right things. Better safe than potentially extremely sorry...

Posted
To tell you the truth, I'm not sure.

I think Jetset may have been right when he said "Maybe Zone Alarm got its knickers in a twist." Sounds like it may have got corrupted or something and you might not have had any malware at all. I don't think it's great software to be honest. Anyway, you did all the right things. Better safe than potentially extremely sorry...

I hope he was right. I'm continually frustrated by the "No Script" extension that I have installed on FF .. so many times I have to give temporary permissions, reload pages, wait, etc. But I'm sure I would be a lot more frustrated if my hosting company had to format the drives and reinstall everything on my VPS and dedicated server .. and hope the backups are not corrupt. :o

Posted
...I'm continually frustrated by the "No Script" extension that I have installed on FF .. so many times I have to give temporary permissions, reload pages, wait, etc. But I'm sure I would be a lot more frustrated if my hosting company had to format the drives and reinstall everything on my VPS and dedicated server .. and hope the backups are not corrupt. :o

I have the NoScript icon on the FF status bar at the bottom of the screen and regularly click on the "Allow ......." option if I trust the web page. This means I don't need to allow it again in the future. I sometimes click on the "Temporarily allow ....." option, but not usually.

Posted
...I'm continually frustrated by the "No Script" extension that I have installed on FF .. so many times I have to give temporary permissions, reload pages, wait, etc. But I'm sure I would be a lot more frustrated if my hosting company had to format the drives and reinstall everything on my VPS and dedicated server .. and hope the backups are not corrupt. :o

I have the NoScript icon on the FF status bar at the bottom of the screen and regularly click on the "Allow ......." option if I trust the web page. This means I don't need to allow it again in the future. I sometimes click on the "Temporarily allow ....." option, but not usually.

Well, I'm very wary of iframe attacks. I guess I could assume "once okay, always okay", but I have been the victim of an iframe exploit on my server a few years ago.

The exploit inserted an iframe into a number of HTML pages on every site, as well as HTML pages on Apache. I spent about 30 hours removing the code and reloading pages. The exploit didn't appear to do anything, but it directed traffic to a specific URI. But the worst part was that Googlebot picked it up and placed a site-by-site warning in the search results. Needless to say, traffic dropped off considerably for the webmasters who didn't realize the code was there.

Estimates that I heard claimed that 200,000 sites had been affected.
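
An added example, not part of the thread or any poster's own code: a Python audit that walks a web root and reports iframes that look injected, the kind of check that would shorten the manual cleanup described in the last post. The heuristics (a frame pointing at a host outside the site's own list, zero or one pixel size, hidden by inline style), the host names and the sample page are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser
from pathlib import Path
from urllib.parse import urlparse

HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)

class IframeAudit(HTMLParser):
    """Collects each <iframe> that trips a heuristic, with the reasons."""
    def __init__(self, own_hosts):
        super().__init__()
        self.own_hosts = {h.lower() for h in own_hosts}
        self.findings = []  # (line number, src, [reasons])

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {k: (v or "") for k, v in attrs}
        src, reasons = a.get("src", ""), []
        host = (urlparse(src).hostname or "").lower()
        if host and host not in self.own_hosts:
            reasons.append("external host " + host)
        if any(a.get(d, "").strip().rstrip("px") in ("0", "1") for d in ("width", "height")):
            reasons.append("zero/one-pixel size")
        if HIDDEN_STYLE.search(a.get("style", "")):
            reasons.append("hidden by style")
        if reasons:
            self.findings.append((self.getpos()[0], src, reasons))

def scan_html(text, own_hosts):
    audit = IframeAudit(own_hosts)
    audit.feed(text)
    return audit.findings

def scan_tree(root, own_hosts):
    """Map every .htm/.html file under root to its suspicious iframes."""
    hits = {}
    for path in Path(root).rglob("*.htm*"):
        found = scan_html(path.read_text(errors="replace"), own_hosts)
        if found:
            hits[str(path)] = found
    return hits

# Constructed sample page: one legitimate same-site frame, one hidden appended frame.
SAMPLE = """<html><body>
<iframe src="http://www.example.org/map.html" width="400" height="300"></iframe>
<p>Welcome</p>
<iframe src="http://injected.example.net/x" width="0" height="0" style="visibility:hidden"></iframe>
</body></html>"""
```

Calling `scan_tree("/path/to/webroot", {"www.example.org"})` from a scheduled job and alerting on any non-empty result catches a reinsertion before a search-engine crawler does.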
