
Renderosity Forums / Community Center






Subject: Site Hacked?


the_tdog ( ) posted Wed, 20 August 2008 at 9:28 PM · edited Mon, 16 September 2024 at 3:11 AM

The site keeps trying to redirect to something called "golnanosat" and there's a popup, ostensibly from Microsoft called "Remote Data Controller Data Controller" or something that keeps trying to run.

What is going on?

I don't trust the site enough to use the 20% off coupon right now... very annoying!


chriscox ( ) posted Wed, 20 August 2008 at 9:42 PM · edited Wed, 20 August 2008 at 9:43 PM

This may be related to the redirect; McAfee is telling me that it is removing a Trojan (Exploit-Iframe) when I go to some of the pages here (such as the home page and the freestuff).
This just started happening.

Chris Cox



Goldenthrush ( ) posted Wed, 20 August 2008 at 9:46 PM

I got an "unknown applet" trying to run on going to freestuff, and it's still bogging me down.


rebelmommy ( ) posted Wed, 20 August 2008 at 9:50 PM

I get it in the galleries :(

Renderosity's "problem Child"
Support Hydrocephalus research.. because a Shunt is NOT a cure!


Goldenthrush ( ) posted Wed, 20 August 2008 at 9:51 PM

Found the certificate it was pushing "Thawte Consulting cc". 


DarkStormCrow ( ) posted Wed, 20 August 2008 at 9:52 PM

file_412274.jpg

I am getting a warning also, on every page on this site.


Kalypso ( ) posted Wed, 20 August 2008 at 10:08 PM
Site Admin

I am getting a warning about Trojan.Virantix.C
It started in the galleries and now it's every page I go to.

http://securityresponse.symantec.com/security_response/writeup.jsp?docid=2008-050916-1055-99


auntietk ( ) posted Wed, 20 August 2008 at 10:10 PM

I'm getting a Java notice which I have to click nine times (three sets of three) in order to get it to go away, and when I'm in the galleries, there's a message across the top of my screen that says,

"this website wants to run the following add-on:  microsoft data access - remote data services dat ... from microsoft corporation.  if you trust the website and the add-on and want to allow it to run, click here ..."

I can access an image, but as soon as I click away from it, I get the same Java message again.  Oddly enough, I'm not having that problem in the forum at all.  Once I got here, I was able to browse around and look at different forum posts (looking for exactly this issue!) with no problem.

Also ...

I'm on IM with Marilyn (beachzz) right now, and she can't get in at all.  She's getting a popup.  She says:  I get a really weird message -- "The site at vipasotka.com has been reported as an attack site and has been blocked based on your security preferences."  She ran her spybot program, but it's still coming up.

Any information would be lovely!  :)  For now, I'm just going to get off RR.  I'll check back later.

Thanks! 

"If your pictures aren't good enough, you're not close enough."  ...  Robert Capa


Dragontales ( ) posted Wed, 20 August 2008 at 10:12 PM

I'm getting the trojan warnings too from McAfee when I come to this site. 


Ravyns ( ) posted Wed, 20 August 2008 at 10:31 PM

file_412284.jpg

I got the Trojan.Virantix.C warning from Nortons when I came to the forums along with the other stuff in the screenshot..

**************************************************************************************

Life may not be the party we hoped for but while we're here we should dance.

 


LostinSpaceman ( ) posted Wed, 20 August 2008 at 10:40 PM

AVG just gave me 4 different Trojan warning popups when direct linking to the forums as well as the Microsoft Remote Data Access request which I've denied of course. Sorry folks, but I don't trust Rendo THAT much! Nobody's getting remote data access to my PC. Not nobody not no how! :tt2:


Giolon ( ) posted Wed, 20 August 2008 at 10:46 PM · edited Wed, 20 August 2008 at 10:51 PM

I am getting it as well.  I've forwarded this thread to the admins.

http://securityresponse.symantec.com/security_response/writeup.jsp?docid=2008-050916-1055-99

¤~Giolon~¤

¤~ RadiantCG ~¤~ My Renderosity Gallery ~¤


pjz99 ( ) posted Wed, 20 August 2008 at 10:59 PM

Yep same here, some javascript is trying to run an installer whenever I hit the gallery here.  I navigated many URLs elsewhere, no popup, but instantly get it when I navigate to Rendo's gallery.  Nice!

My Freebies


pjz99 ( ) posted Wed, 20 August 2008 at 11:02 PM · edited Wed, 20 August 2008 at 11:04 PM

Info about this specific hack:
http://www.phpbb.com/community/viewtopic.php?f=1&t=1127185

I kinda strongly suggest Rendo block all traffic to "golnanosat.com"...

My Freebies


Miss Nancy ( ) posted Wed, 20 August 2008 at 11:02 PM · edited Wed, 20 August 2008 at 11:03 PM

file_412286.jpg

they need to fix this right quick.  seriously.  It's preventing forum pages and god knows what else from loading.  and no, I don't trust thawte consulting.  I say hunt 'em down.



pizazz ( ) posted Wed, 20 August 2008 at 11:05 PM

file_412287.jpg

attached is what I got.  I also cannot get into my file locker.  the following message pops up on a HUGE white page.

Parse error: syntax error, unexpected '<' in /sv1/renderosity/public_html/mod/rrfilelock/index.php on line 375

I was really afraid I'd picked up something nasty.


pjz99 ( ) posted Wed, 20 August 2008 at 11:07 PM

Anybody who actually allowed this to run, you're probably really screwed.  I hate to be doomy and gloomy but this looks like a nasty little browser hijack.

My Freebies


Phoenix1966 ( ) posted Wed, 20 August 2008 at 11:09 PM

Same here and it's a shame because I wanted to use that coupon offer, but there's no way I'd purchase anything at the moment. :( 


Giolon ( ) posted Wed, 20 August 2008 at 11:10 PM

Ditto here Phoenix.  I sincerely hope that Rendo will extend the coupon b/c of this...

¤~Giolon~¤

¤~ RadiantCG ~¤~ My Renderosity Gallery ~¤


nickcharles ( ) posted Wed, 20 August 2008 at 11:24 PM

Hi all,

The problem is being worked on, and hopefully fully resolved shortly.

Nick C. Sorbin
Staff Writer
Renderosity Magazine
......................................................................................................
"For every breath, for every day of living, this is my Thanksgiving."
-Don Henley


rebelmommy ( ) posted Wed, 20 August 2008 at 11:33 PM

Well lucky me I let it run.. woohoo.. now rendo hardly loads at all.. glad I learned that lesson the hard way :((

Renderosity's "problem Child"
Support Hydrocephalus research.. because a Shunt is NOT a cure!


JeniferC ( ) posted Wed, 20 August 2008 at 11:35 PM

The coupon was extended and most of the areas have been fixed.  There are still a few things being worked on.

 


louly ( ) posted Wed, 20 August 2008 at 11:40 PM

We're still having the problem 1 hour later. I came to check here in the forums, I thought I had a virus or something. I also get redirected by golnanosat but I didn't run the application.


rebelmommy ( ) posted Wed, 20 August 2008 at 11:44 PM

Thanks for the update Jen!

Renderosity's "problem Child"
Support Hydrocephalus research.. because a Shunt is NOT a cure!


JeniferC ( ) posted Wed, 20 August 2008 at 11:49 PM

louly, you will likely need to clean out your cache since the problem has been corrected in the forums and many other places.

 


louly ( ) posted Wed, 20 August 2008 at 11:51 PM

Ok thank you :)


auntietk ( ) posted Thu, 21 August 2008 at 12:30 AM

Thank you Jenifer!  All is well.

:)

"If your pictures aren't good enough, you're not close enough."  ...  Robert Capa


Diogenes ( ) posted Thu, 21 August 2008 at 1:12 AM

Lucky for me kaspersky didn't let me run it even though I said go ahead :) Love kaspersky sometimes! Not getting the pop up any more so it must be fixed.


A HOMELAND FOR POSER FINALLY


Colin ( ) posted Thu, 21 August 2008 at 1:19 AM

Sigh...

Sadly, the store does not recognize the coupon code for me...  I appreciate the offered extension, but it's simply not working for me.

Oh well, maybe next time - I doubt I'll be back to try again in the next 9 hours - I'm off to bed now, as it's almost 2:30 a.m....

Cheers!


AnnieD ( ) posted Thu, 21 August 2008 at 1:20 AM

According to google.....golnanosat.com and thefreecompany.net  are hijacking forums all over the place..and some servers are being exploited also.

 

“For those who believe, no proof is necessary. For those who don't believe, no proof is possible.”

[Stuart Chase]


Goldenthrush ( ) posted Thu, 21 August 2008 at 1:29 AM

The "Thawte" certificates -- those are legitimate, right?  I can't get onto the site without allowing it, though I deleted all of it when I was requested earlier this evening to verify it.  


Diogenes ( ) posted Thu, 21 August 2008 at 1:51 AM

I don't know if they are legit or not but I'd say not. I have never been asked for anything like that in the past.  So I did a complete search for anything containing the word thawte which came up in my kaspersky backup files of things deleted and I deleted the backup as well.  I have no problem getting on this site without thawte consulting, so I'd say it's something you don't want.


A HOMELAND FOR POSER FINALLY


Goldenthrush ( ) posted Thu, 21 August 2008 at 1:55 AM

Yeesh!   Out it goes again!  XD


aqrose ( ) posted Thu, 21 August 2008 at 3:27 AM

Just great! I'm running ZoneAlarm firewall and Symantec antivirus and didn't get any kind of warning at all during the night.  I've been on & off site all day long. Now I'm paranoid that it snuck past them undetected. What do I do now?
Thanks! :)


Goldenthrush ( ) posted Thu, 21 August 2008 at 4:44 AM

I definitely cannot log onto this site without the "thawte" certificates, can I please get a definite on what it is?  


Jack D. Kammerer ( ) posted Thu, 21 August 2008 at 7:24 AM

Quote - I definitely cannot log onto this site without the "thawte" certificates, can I please get a definite on what it is?  

Thawte is an Internet consulting firm that issues SSL (Secure Server License) to websites that have online stores at a cost to the owner of the website. The certificate that they issue [at a pretty large and annoying cost] is responsible for the little "Gold Lock" icon that shows at the bottom of your browser window when you are in the store... this is done to assure Online Store Customers that the website and online store you are visiting and the information you provide is "Secure"...

Thawte doesn't really do anything other than charge a website owner to purchase this certificate. The certificate is only good for a year and the only way that Thawte verifies this information is by running a script against the server to test and make sure that there aren't any open ports, remote linking, phishing scripts and other little things that might make it possible for people to steal your information at the moment of purchase... and it pretty much only verifies this information at the time of purchase or renewal of the certificate... as for the other 364 days of the year... well...  shrugs

Fact of the matter is this... any good System's Administrator is going to make sure that the website is secure 24/7/365... the SSL Certificate is only a means to provide Customer trust while sucking a pretty sizable chunk of money out of a website owner's pocket to provide that trust.

Bottom line... think of it as a nice little certificate that a shop owner puts up on the wall of their business to show they have a license to do whatever service they do. For example a certificate license for a person who cuts hair at a hair salon... as many of you may know by this example, even though the person may have a certificate/license stating that they are licensed to cut hair, doesn't mean that they are someone you'd trust to touch your hair! :)

As for the website and forum hijack that occurred... the fact is this... Renderosity is a pretty large Community, which makes it a perfect target for [disrespectful] individuals to try and siphon traffic and bandwidth from, or try and take revenge on (say from an individual who's been banned)... it is a script kitty paradise here!!

As such, this website is probably attacked on a regular basis in one form or another. DOS attacks, phishing tactics, harmful scripts, server/forum hijack attempts, etc... etc... etc... making it a monster of a job to protect itself and its members. And sometimes little things can make it through the cracks or accidentally be over-looked and, as such, make for a very interesting and tiring day for the System's Administrator to try and clean the mess up and make steps to prevent it from happening again...

Personally, one way to avoid this would be to work on the means in which the forums must be replied to... meaning the applet that the site's software uses to allow members to post or reply to forum threads... no offense to Renderosity, but this is a pretty nice chink in the armor... particularly when a member has to DISABLE ADWARE protection software to post on the website!

Seriously, asking a member to disable security features that protect them from Phishing, Browser Hijacking Scripts, E-Mail Sniffers, and harmful applets that can be attached to off-site advertising banners for them to visit and interact on your website is not a great means to provide security to your members while visiting your website and makes the site an even MORE tempting target to idiots looking to exploit, steal, harass, hijack or be a general pain in the butt to your business and to your customers.

Just my two pennies!
~Jack D. Kammerer
who is re-enabling his system's security features and going back to lurk mode

 


LostinSpaceman ( ) posted Thu, 21 August 2008 at 8:49 AM

Quote -
Seriously, asking a member to disable security features that protect them from Phishing, Browser Hijacking Scripts, E-Mail Sniffers, and harmful applets that can be attached to off-site advertising banners for them to visit and interact on your website is not a great means to provide security to your members while visiting your website and makes the site an even MORE tempting target to idiots looking to exploit, steal, harass, hijack or be a general pain in the butt to your business and to your customers.
 

Run on sentences much? I haven't had my caffeine and this was a bitch to read without punctuation. :tt2:


Goldenthrush ( ) posted Thu, 21 August 2008 at 11:19 AM

Thank you much, Jack, very much appreciated.

I did have a random and "unknown" applet trying to run from the start of the "attack", actually.  But I have no idea how this hacking was carried out. 


Acadia ( ) posted Thu, 21 August 2008 at 12:17 PM

Oddly enough I use Mozilla-Firefox and haven't had an issue.  

"It is good to see ourselves as others see us. Try as we may, we are never
able to know ourselves fully as we are, especially the evil side of us.
This we can do only if we are not angry with our critics but will take in good
heart whatever they might have to say." - Gandhi



JeniferC ( ) posted Thu, 21 August 2008 at 2:06 PM

Yes, the thawte certificate is legit. Thanks Jack for explaining it so well.   No one should have any problems, since this was resolved last night.

For those of you just hearing about the issues, last night Bondware became aware of a security compromise to Renderosity and RuntimeDNA. The attack presented itself as a hidden Javascript application embedded at the bottom of certain pages, prompting the user to download and install an application that is actually a Trojan virus. Less than an hour after the attack, Bondware had isolated the affected scripts and started reversing the changes.

We have installed monitoring tools to detect a repeat attempt. We are actively investigating the details of last night's attack and will aggressively address any vulnerabilities discovered.

Please make sure you reject any and all unsolicited download prompts when visiting any website, as these could possibly be a sign of attack. Also, we strongly encourage everyone to always use anti-virus software. This type of trojan has affected some of the largest websites including Wal-mart, Target, etc. in recent months, but routine anti-viral software seems to prevent damage to the visitor's computer.

aqrose, your Symantec anti-virus would have caught and blocked the concern if you had visited during the time of the problem, which started just before 9:30 and was resolved in about an hour.  Some people may have continued to experience an anti-virus block after the fix if their browser had cached the pages that had been compromised.

We extended last night's coupon. For anyone that missed it, please keep checking the Temperature is Rising Sales Promotion located on the front page and watch the Site Announcements area for up to the minute specials.

We sincerely apologize for the inconvenience that this has caused.

Jenifer Carey
Vice President
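
The kind of check a page-monitoring tool could run for the injection described in the post above (hidden active content appended at the bottom of pages and loading from an outside host), shown as an added example that is not Bondware's or Renderosity's code. The allowlist, the sample page and its file paths are constructed for illustration; golnanosat.com is the redirect host named earlier in this thread.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Tags that can load or execute remote content, and the attributes that carry URLs.
ACTIVE_TAGS = {"script", "iframe", "object", "embed", "applet"}
URL_ATTRS = ("src", "data", "archive", "codebase")


def _host(url):
    try:
        return (urlparse(url).hostname or "").lower()
    except ValueError:  # malformed URL
        return ""


class InjectionScanner(HTMLParser):
    """Flag active tags that load from unlisted hosts or trail the document."""

    def __init__(self, allowed_hosts):
        super().__init__(convert_charrefs=True)
        self.allowed = {h.lower() for h in allowed_hosts}
        self.document_closed = False  # True once </body> or </html> is seen
        self.findings = []

    def _allowed(self, host):
        return any(host == a or host.endswith("." + a) for a in self.allowed)

    @staticmethod
    def _hidden(attrs):
        # Zero or one pixel sizes and CSS hiding are typical of injected frames.
        style = attrs.get("style", "").replace(" ", "").lower()
        tiny = attrs.get("width") in ("0", "1") or attrs.get("height") in ("0", "1")
        return tiny or "display:none" in style or "visibility:hidden" in style

    def handle_endtag(self, tag):
        if tag in ("body", "html"):
            self.document_closed = True

    def handle_starttag(self, tag, attrs):
        if tag not in ACTIVE_TAGS:
            return
        a = {k: (v or "") for k, v in attrs}
        hosts = {_host(a[n]) for n in URL_ATTRS if a.get(n)}
        foreign = sorted(h for h in hosts if h and not self._allowed(h))
        # Report anything loading off-site, and anything active after the page ends.
        if foreign or self.document_closed:
            self.findings.append({
                "tag": tag, "line": self.getpos()[0], "hosts": foreign,
                "after_document_end": self.document_closed,
                "hidden": self._hidden(a),
            })


def scan_page(html, allowed_hosts):
    scanner = InjectionScanner(allowed_hosts)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample: a normal page with content appended after </html>.
SAMPLE_PAGE = """<html><body>
<script src="/js/site.js"></script>
<script src="http://www.renderosity.com/js/gallery.js"></script>
<p>Gallery</p>
</body></html>
<iframe src="http://golnanosat.com/" width="0" height="0"></iframe>
<script>/* appended inline loader (constructed) */</script>
"""
```

Run against the rendered output of each page on a schedule, a non-empty result is the signal to compare the underlying file with a known-good copy.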

 

 


Angelsinger ( ) posted Thu, 21 August 2008 at 2:29 PM

Does anybody know what that hack was designed to do?

Asking because last night when ZoneAlarm kept giving me warnings saying a trojan was downloaded, I noticed the java console had also suddenly appeared in my taskbar.

Before I purchased something from the store today,  I opened ZA and saw that those viruses had been quarantined. I let ZA delete them.

Still, I don't know if I'm 'safe'? : (
I'd hate for my purchasing info to be compromised. : (


Santel ( ) posted Thu, 21 August 2008 at 3:39 PM

I have Trendmicro, it stopped the trojan and reported it is also known in Sophos and AVG databases as a trojan infecting approximately 28,000 computers in North America, however, its purpose/s are 'unknown'


Jean-Luc_Ajrarn ( ) posted Thu, 21 August 2008 at 5:05 PM

Quote - Less than an hour after the attack, Bondware had isolated the affected scripts and started reversing the changes.

Thank you very much! :)


Colin ( ) posted Thu, 21 August 2008 at 5:28 PM

Quote -
We extended last night's coupon. For anyone that missed it, please keep checking the Temperature is Rising Sales Promotion located on the front page and watch the Site Announcements area for up to the minute specials.

We sincerely apologize for the inconvenience that this has caused.

Jenifer Carey
Vice President

Thank you, Jen - however, when I tried to use the extended code last night at about 1a.m., as soon as I heard that the threat had been contained, the store software would not accept the coupon code, reporting that it had expired.

Today's coupon, for half of last night's discount, is a 'pale substitute'  - I'm not complaining, I only point this out to clarify that there may indeed have been other customers who were unable to use the supposedly-extended coupon...  so you may hear about it from others as well...

As for me, I will keep watching, in the hope that a similarly-generous coupon code appears before the promotion is over!

Cheers!

 


AnnieD ( ) posted Thu, 21 August 2008 at 5:35 PM

Quote - Does anybody know what that hack was designed to do?

Asking because last night when ZoneAlarm kept giving me warnings saying a trojan was downloaded, I noticed the java console had also suddenly appeared in my taskbar.

A lot of ppl don't realize it but you also have a cache of temp internet files just for your java program. 

You get to it thru your control panel >java>java control panel>temp internet files>settings......and from there you can set it like you want and delete the temp files...it's also where a java exploit/virus can live and bash you every time it gets a chance.
I'm talking about windows...I don't know anything about mac...don't even know if mac has java.  lol
 

 

“For those who believe, no proof is necessary. For those who don't believe, no proof is possible.”

[Stuart Chase]


Daidalos ( ) posted Thu, 21 August 2008 at 5:59 PM

Jennifer,

I have lost part of my page. Seen here circled in red.

Is this just a CSS problem, or is it a result of whatever happened last night? It only does this when I'm in the forums.

Thanks I appreciate any help you can give me in fixing my page.


"The Blood is the life!"

 


StaceyG ( ) posted Thu, 21 August 2008 at 7:15 PM

Did you clear your cache?  What browser are you using?


Daidalos ( ) posted Thu, 21 August 2008 at 7:19 PM

Stacey I use IE.

My Cache should have been cleared out yes.

So you know I reset my css to the default and that seems to have fixed the problem.


"The Blood is the life!"

 


originalkitten ( ) posted Thu, 21 August 2008 at 7:50 PM

I've just had a blank email from store@renderosity.com ...... is this anything to do with the hack?

"I didn't lose my mind, it was mine to give away"


Angelsinger ( ) posted Thu, 21 August 2008 at 7:55 PM

Thank you so much for that, AnnieD...

I never knew of this java cache feature. :m_shocked:

But damn, now I'm going to have to keep calling my bank to see if my recent rendo purchase info is being used to take money from my account. I did delete those viruses this morning before purchasing, but didn't know anything about deleting the cache stuff that may have been associated with the java activity I saw last night.

I effing hate this kind of thing.


Debbie M. ( ) posted Thu, 21 August 2008 at 7:57 PM

sorry originalkitten.  That was completely my fault as I was in the backend gathering some data for reports, and I accidentally hit the submit button and it sent out a blank email to all previous buyers :(  deb hangs head in shame and is very sorry

Debbie M.

