
Thread: BB Malware ?

  1. #26
    My Avast on one computer was picking it up, but not my Norton on this computer. I haven't gotten home yet to reboot the Avast computer and see if it still picks it up.

  2. #27
    I am using Avast. It pops up on both my desktop and laptop, both running Avast.

  3. #28
    I'm using Avast and it doesn't pop up. WTF.

  4. #29
    Never mind, I'm not using Avast. Still, WTF.

  5. #30
    Still here with Kaspersky 2011.

  6. #31
    Lol, maybe the malware was a present from Evosport.

  7. #32
    This is what the host said regarding your positive readings:

    Clearing cache should correct the positive readings

  8. #33
    I cleared everything on Google Chrome "from the beginning of time"; still popping up though.

  9. #34
    Originally Posted by Yukohama:
    I cleared everything on Google Chrome "from the beginning of time"; still popping up though.
    Is there a cache in the virus scan itself?

  10. #35
    Avast doesn't have a cache itself. I cleared everything in Google Chrome and did a disk clean-up; still happening though.

  11. #36
    Originally Posted by Yukohama:
    Avast doesn't have a cache itself. I cleared everything in Google Chrome and did a disk clean-up; still happening though.
    +1, I cleared everything out and rebooted as well and still get the malware warning. It's detecting something from movingsnip.com.

  12. #37
    It's still here, Sticky. Using Kaspersky. Here is my log:

    9/16/2011 1:45:00 PM Denied: http://movingsnip.org/nimp3czxwsyae0/ (analysis according to the base of suspicious web addresses) http://movingsnip.org/nimp3czxwsyae0/ URL found in the base Firefox
    2008 BMW 535iA | Cobb Stg2+ | FBO | Meth

  13. #38
    What in the $#@! is movingsnip ? I'll have the host look again.

  14. #39
    Originally Posted by Sticky:
    What in the $#@! is movingsnip ? I'll have the host look again.
    I tried to Google it, but nothing came up.

  15. #40
    Originally Posted by Sticky:
    What in the $#@! is movingsnip ? I'll have the host look again.
    If I had to guess, it's either a purposeful or compromised URL that is somehow feeding the malware into the site. I don't see any ads on all pages, but it could be an iframe injection. Give the below info to your host. The blue highlights are important data for them. Since it appears on every page, my guess would be either they have compromised your forum code and injected it, or some image or other off-site hosted data is feeding it into the site. It would have to be something on every page though.



    Domain ID: D162856067-LROR
    Domain Name: MOVINGSNIP.ORG
    Created On: 23-Jul-2011 15:48:30 UTC
    Last Updated On: 03-Aug-2011 07:10:53 UTC
    Expiration Date: 23-Jul-2012 15:48:30 UTC
    Sponsoring Registrar: Bizcn.com, Inc. (R1248-LROR)
    Status: CLIENT TRANSFER PROHIBITED
    Status: TRANSFER PROHIBITED
    Registrant ID: Drgff11436108397
    Registrant Name: Francis Freeman
    Registrant Organization: FrancisLee
    Registrant Street1: 2422 Rardin Drive
    Registrant City: Oakland
    Registrant State/Province: CA
    Registrant Postal Code: 94612
    Registrant Country: US
    Registrant Phone: +86.6506395108
    Registrant FAX: +86.6506395108
    Registrant *********************@gmail.com
    Admin ID: Drgff11436108580
    Admin Name: Francis Freeman
    Admin Street1: 2422 Rardin Drive
    Admin City: Oakland
    Admin State/Province: CA
    Admin Postal Code: 94612
    Admin Country: US
    Admin Phone: +86.6506395108
    Admin FAX: +86.6506395108
    Admin *********************@gmail.com
    Tech ID: Drgff11436108960
    Tech Name: Francis Freeman
    Tech Street1: 2422 Rardin Drive
    Tech City: Oakland
    Tech State/Province: CA
    Tech Postal Code: 94612
    Tech Country: US
    Tech Phone: +86.6506395108
    Tech FAX: +86.6506395108
    Tech *********************@gmail.com
    Name Server: NS1.SPRUTNETWORK.COM
    Name Server: NS2.SPRUTNETWORK.COM
    DNSSEC: Unsigned

    -=-=-=-

    > movingsnip.org
    Server: UnKnown
    Address: 192.168.1.1

    ------------
    Got answer:
    HEADER:
    opcode = QUERY, id = 2, rcode = NOERROR
    header flags: response, want recursion, recursion avail.
    questions = 1, answers = 1, authority records = 2, additional = 2

    QUESTIONS:
    movingsnip.org, type = A, class = IN
    ANSWERS:
    -> movingsnip.org
    internet address = 66.197.158.102
    ttl = 300 (5 mins)
    AUTHORITY RECORDS:
    -> movingsnip.org
    nameserver = ns1.sprutnetwork.com
    ttl = 86373 (23 hours 59 mins 33 secs)
    -> movingsnip.org
    nameserver = ns2.sprutnetwork.com
    ttl = 86373 (23 hours 59 mins 33 secs)
    ADDITIONAL RECORDS:
    -> ns1.sprutnetwork.com
    internet address = 66.197.158.102
    ttl = 202 (3 mins 22 secs)
    -> ns2.sprutnetwork.com
    internet address = 66.197.158.102
    ttl = 202 (3 mins 22 secs)

    ------------
    Non-authoritative answer:
    ------------
    Got answer:
    HEADER:
    opcode = QUERY, id = 3, rcode = SERVFAIL
    header flags: response, want recursion, recursion avail.
    questions = 1, answers = 0, authority records = 0, additional = 0

    QUESTIONS:
    movingsnip.org, type = AAAA, class = IN

    ------------
    Name: movingsnip.org
    Address: 66.197.158.102

    -=-=-=-

    IP Information - 66.197.158.102
    IP address: 66.197.158.102
    Reverse DNS: static-ip-102-158-197-66.host.cybernet.co.id.
    Reverse DNS authenticity: [Could be forged: hostname static-ip-102-158-197-66.host.cybernet.co.id. does not exist]
    ASN: 21788
    ASN Name: NOC
    IP range connectivity: 7
    Registrar (per ASN): ARIN
    Country (per IP registrar): US [United States]
    Country Currency: USD [United States Dollars]
    Country IP Range: 66.197.0.0 to 66.197.255.255
    Country fraud profile: Normal
    City (per outside source): Reno, Nevada
    Country (per outside source): US [United States]
    Private (internal) IP? No
    IP address registrar: whois.arin.net
    Known Proxy? No
    Link for WHOIS: 66.197.158.102
    2008 BMW 535iA | Cobb Stg2+ | FBO | Meth

  16. #41
    Ok Sticky.. the site URL is coming up to an unconfigured Apache webserver. My guess is someone used that fact to bypass security and place the malware on it. When visiting that site (PLEASE DONT DO IT UNLESS YOU KNOW WHAT YOU ARE DOING), the favicon.ico is being blocked as well by Kaspersky.

    You can request your host block the IP above (66.197.158.102) at their firewall on all ports. That should prevent any hosted malware from accessing the site. If something "breaks" on your site when they do that, that is also where to look and see where you are infected.

    PS - I just reported their site to Google as a malware site.
    2008 BMW 535iA | Cobb Stg2+ | FBO | Meth
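As an added illustration (not code from anyone in this thread), the check below ties together the two pieces of evidence the thread offers: the Kaspersky "Denied" line quoted in #37 and xclone's guess in #40 that an injected iframe or other off-site reference on every page is what loads the flagged host. It pulls the denied host out of the log and scans a page's HTML for tags that fetch content from hosts outside the forum's own domain and an allowlist, which is where to look when the host blocks the IP and something "breaks". The sample page, the site host forum.example.com and the allowlist are constructed for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed copy of the Kaspersky "Denied" line quoted in post #37 of the thread.
KASPERSKY_LOG = (
    "9/16/2011 1:45:00 PM Denied: http://movingsnip.org/nimp3czxwsyae0/ "
    "(analysis according to the base of suspicious web addresses) "
    "http://movingsnip.org/nimp3czxwsyae0/ URL found in the base Firefox"
)

# Constructed forum page: a local stylesheet, a CDN script, the site's own logo,
# and a 1x1 iframe of the kind xclone suspected had been injected into every page.
SAMPLE_PAGE = """<html><head>
<link rel="stylesheet" href="/css/forum.css">
<script src="https://ajax.googleapis.com/ajax/libs/jquery/1.6/jquery.min.js"></script>
</head><body>
<img src="http://forum.example.com/images/logo.png">
<iframe src="http://movingsnip.org/nimp3czxwsyae0/" width="1" height="1"></iframe>
</body></html>"""


def flagged_hosts(log_text):
    """Hostnames (lower-cased) of every URL the AV log reports as Denied."""
    urls = re.findall(r"Denied:\s*(https?://\S+)", log_text)
    return {urlparse(u).hostname.lower() for u in urls if urlparse(u).hostname}


class ExternalRefScanner(HTMLParser):
    """Record (tag, host, line) for every tag that pulls content from a URL."""

    # Attribute naming the remote resource for each content-loading tag.
    LOADING = {"iframe": "src", "script": "src", "img": "src", "embed": "src",
               "object": "data", "link": "href", "form": "action"}

    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        attr = self.LOADING.get(tag)
        url = dict(attrs).get(attr) if attr else None
        host = urlparse(url).hostname if url else None  # None for relative paths
        if host:
            self.refs.append((tag, host.lower(), self.getpos()[0]))


def find_injections(html, site_host, allowlist, flagged):
    """Return (line, tag, host, verdict) for references to hosts the site does not
    own or explicitly trust; verdict is 'flagged' when the AV log named the host."""
    scanner = ExternalRefScanner()
    scanner.feed(html)
    findings = []
    for tag, host, line in scanner.refs:
        if host == site_host or host in allowlist:
            continue
        findings.append((line, tag, host, "flagged" if host in flagged else "unknown"))
    return findings
```

Running find_injections(SAMPLE_PAGE, "forum.example.com", {"ajax.googleapis.com"}, flagged_hosts(KASPERSKY_LOG)) reports only the iframe on line 6 as flagged; run it over the forum's templates and served pages to find where the reference lives.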

  17. #42
    Originally Posted by xclone:
    Ok Sticky.. the site URL is coming up to an unconfigured Apache webserver. My guess is someone used that fact to bypass security and place the malware on it. When visiting that site (PLEASE DONT DO IT UNLESS YOU KNOW WHAT YOU ARE DOING), the favicon.ico is being blocked as well by Kaspersky.

    You can request your host block the IP above (66.197.158.102) at their firewall on all ports. That should prevent any hosted malware from accessing the site. If something "breaks" on your site when they do that, that is also where to look and see where you are infected.

    PS - I just reported their site to Google as a malware site.
    Appreciated, thank you.

  18. #43
    Originally Posted by xclone:
    If I had to guess, it's either a purposeful or compromised URL that is somehow feeding the malware into the site. I don't see any ads on all pages, but it could be an iframe injection. Give the below info to your host. The blue highlights are important data for them. Since it appears on every page, my guess would be either they have compromised your forum code and injected it, or some image or other off-site hosted data is feeding it into the site. It would have to be something on every page though.
    Holy crap, my head is spinning & I feel even more dumb today in regards to the Interwebz, as I have absolutely NO clue as to the meaning of anything above.
    You sir are my Internet hero lol!

  19. #44
    Originally Posted by oldgixxer:
    Holy crap, my head is spinning & I feel even more dumb today in regards to the Interwebz, as I have absolutely NO clue as to the meaning of anything above.
    You sir are my Internet hero lol!
    LOL.. Welcome to exactly how I feel about tuning! Progressive meth? I swear I wasn't sure if that was a hipster drug addict or a drug insurance company. Ugh!

    Sticky - your problem looks to be resolved now. No more flags or alarms when I browse.
    2008 BMW 535iA | Cobb Stg2+ | FBO | Meth

  20. #45
    Originally Posted by oldgixxer:
    Holy crap, my head is spinning & I feel even more dumb today in regards to the Interwebz, as I have absolutely NO clue as to the meaning of anything above.
    You sir are my Internet hero lol!
    Same here. Did he even talk in English?

  21. #46
    Originally Posted by xclone:
    Sticky - your problem looks to be resolved now. No more flags or alarms when I browse.
    Excellent.

    How about everyone else?

  22. #47
    Problem free here. Avast says everything is good.

  23. #48
    PS - To clarify the data I put in earlier, it's informational lookups on the host that is currently being flagged for the malware. I looked up the admin contact who "owns" the domain movingsnip.com, found its IP address, then looked up the host company who owns the server being rented by that person.

    The company who owns the server is: http://www.cybernet.co.id/
    They look to be out of Indonesia. They own/resell a server located in Reno, NV to the admin contact (Francis Freeman) who lives in Oakland, CA. With that information, your host can not only block that IP range but also go after the webmaster of movingsnip.com and/or his host if needed.

    I know it looks like gibberish. Pretty much exactly what a dyno chart looks like the first time you read it. Pretty simple once you break it down.

    Sticky - as you can probably guess, I actually admin a few non-car forums and am in IT. If you need anything, just give me a shout. Happy to help!
    2008 BMW 535iA | Cobb Stg2+ | FBO | Meth

  24. #49
    Originally Posted by xclone:
    Sticky - as you can probably guess, I actually admin a few non-car forums and am in IT. If you need anything, just give me a shout. Happy to help!
    Appreciated!

  25. #50
    Sticky - it's back. %$#%^()$&+^)&

    9/18/2011 10:58:27 PM Denied: http://movingsnip.org/nimp3czxwsyae0/ (analysis according to the base of suspicious web addresses) http://movingsnip.org/nimp3czxwsyae0/ URL found in the base Firefox
    2008 BMW 535iA | Cobb Stg2+ | FBO | Meth
