Mon, Nov 25, 7:28 AM CST

Renderosity Forums / Community Center



Welcome to the Community Center Forum

Forum Moderators: wheatpenny Forum Coordinators: Anim8dtoon

Community Center F.A.Q (Last Updated: 2024 Nov 23 2:12 am)

Forum news, updates, events, etc. Please sitemail any notices or questions for the staff to the Forum Moderators.



Subject: Site Hacked?


the_tdog ( ) posted Wed, 20 August 2008 at 9:28 PM · edited Mon, 25 November 2024 at 7:25 AM

The site keeps trying to redirect to something called "golnanosat" and there's a popup, ostensibly from Microsoft called "Remote Data Controller Data Controller" or something that keeps trying to run.

What is going on?

I don't trust the site enough to use the 20% off coupon right now... very annoying!


chriscox ( ) posted Wed, 20 August 2008 at 9:42 PM · edited Wed, 20 August 2008 at 9:43 PM

This maybe related to the redirect, McAfee is telling me that it is removing a Trojan (Exploit-Iframe) when I go to some of the pages here (such as the home page and the freestuff)
This just started happening.

Chris Cox



Goldenthrush ( ) posted Wed, 20 August 2008 at 9:46 PM

I got an "unknown applet" trying to run on going to freestuff, and it's still bogging me down.


rebelmommy ( ) posted Wed, 20 August 2008 at 9:50 PM

I get it in the galleries :(

Renderosity's "problem Child"
Support Hydrocephalus research.. because a Shunt is NOT a cure!


Goldenthrush ( ) posted Wed, 20 August 2008 at 9:51 PM

Found the certificate it was pushing "Thawte Consulting cc". 


DarkStormCrow ( ) posted Wed, 20 August 2008 at 9:52 PM

file_412274.jpg

I am getting a warning also, on every page on this site.


Kalypso ( ) posted Wed, 20 August 2008 at 10:08 PM
Site Admin

I am getting a warning about Trojan.Virantix.C
It started in the galleries and now it's every page i go to.

http://securityresponse.symantec.com/security_response/writeup.jsp?docid=2008-050916-1055-99


auntietk ( ) posted Wed, 20 August 2008 at 10:10 PM

I'm getting a Java notice which I have to click nine times (three sets of three) in order to get it to go away, and when I'm in the galleries, there's a message across the top of my screen that says,

"this website wants to run the following add-on:  microsoft data acess - remote data services dat ... from microsoft corporation.  if you trust the website and the add-on and want to allow it to run, click here ..." 

I can access an image, but as soon as I click away from it, I get the same Java message again.  Oddly enough, I'm not having that problem in the forum at all.  Once I got here, I was able to browse around and look at different forum posts (looking for exactly this issue!) with no problem.

Also ...

I'm on IM with Marilyn (beachzz) right now, and she can't get in at all.  She's getting a popup.  She says:  i get a really weird message-- "The site at vipasotka.com has been reported as an attack site and has been blocked based on your secutiry preferences."  She ran her spybot program, but it's still coming up.

Any information would be lovely!  :)  For now, I'm just going to get off RR.  I'll check back later.

Thanks! 

"If your pictures aren't good enough, you're not close enough."  ...  Robert Capa


Dragontales ( ) posted Wed, 20 August 2008 at 10:12 PM

I'm getting the trojan warnings too from McAfee when I come to this site. 


Ravyns ( ) posted Wed, 20 August 2008 at 10:31 PM

file_412284.jpg

I got the Trojan.Virantix.C warning from Nortons when I came to the forums along with the other stuff in the screenshot..

**************************************************************************************

Life may not be the party we hoped for but while we're here we should dance.

 


LostinSpaceman ( ) posted Wed, 20 August 2008 at 10:40 PM

AVG just gave me 4 different Trojan warning popups when direct linking to the forums as well as the Microsoft Remote Data Access request which I've denied of course. Sorry folks, but i don't trust Rendo THAT much! Nobody's getting remote data access to my PC. Not nobody not no how! :tt2:


Giolon ( ) posted Wed, 20 August 2008 at 10:46 PM · edited Wed, 20 August 2008 at 10:51 PM

I am getting it as well.  I've forwarded this thread to the admins.

http://securityresponse.symantec.com/security_response/writeup.jsp?docid=2008-050916-1055-99

¤~Giolon~¤

¤~ RadiantCG ~¤~ My Renderosity Gallery ~¤


pjz99 ( ) posted Wed, 20 August 2008 at 10:59 PM

Yep same here, some javascript is trying to run an installer whenever I hit the gallery here.  I navigated many URLs elsewhere, no popup, but instantly get it when I navigate to Rendo's gallery.  Nice!

My Freebies


pjz99 ( ) posted Wed, 20 August 2008 at 11:02 PM · edited Wed, 20 August 2008 at 11:04 PM

Info about this specific hack:
http://www.phpbb.com/community/viewtopic.php?f=1&t=1127185

I kinda strongly suggest Rendo block all traffic to "golnanosat.com"...

My Freebies


Miss Nancy ( ) posted Wed, 20 August 2008 at 11:02 PM · edited Wed, 20 August 2008 at 11:03 PM

file_412286.jpg

they need to fix this right quick.  seriously.  It's preventing forum pages and god knows what else from loading.  and no, I don't trust thawte consulting.  I say hunt 'em down.



pizazz ( ) posted Wed, 20 August 2008 at 11:05 PM

file_412287.jpg

attached is what I got.  I also cannot get into my file locker.  the following message pops up on a HUGE white page.

Parse error: syntax error, unexpected '<' in /sv1/renderosity/public_html/mod/rrfilelock/index.php on line **375

I was really afraid I'd picked up something nasty.

**


pjz99 ( ) posted Wed, 20 August 2008 at 11:07 PM

Anybody who actually allowed this to run, you're probably really screwed.  I hate to be doomy and gloomy but this looks like a nasty little browser hijack.

My Freebies


Phoenix1966 ( ) posted Wed, 20 August 2008 at 11:09 PM

Same here and it's a shame because I wanted to use that coupon offer, but there's no way I'd purchase anything at the moment. :( 


Giolon ( ) posted Wed, 20 August 2008 at 11:10 PM

Ditto here Phoenix.  I sincerely hope that Rendo will extend the coupon b/c of this...

¤~Giolon~¤

¤~ RadiantCG ~¤~ My Renderosity Gallery ~¤


nickcharles ( ) posted Wed, 20 August 2008 at 11:24 PM

Hi all,

The problem is being worked on, and hopefully fully resolved shortly.

Nick C. Sorbin
Staff Writer
Renderosity Magazine
......................................................................................................
"For every breath, for every day of living, this is my Thanksgiving."
-Don Henley


rebelmommy ( ) posted Wed, 20 August 2008 at 11:33 PM

Well lucky me I let it run.. woohoo.. now rendo hardly loads at all.. glad I learned that lesson the hard way :((

Renderosity's "problem Child"
Support Hydrocephalus research.. because a Shunt is NOT a cure!


JeniferC ( ) posted Wed, 20 August 2008 at 11:35 PM

The coupon was extended and most of the areas have been fixed.  There are still a few things being worked on.

 


louly ( ) posted Wed, 20 August 2008 at 11:40 PM

We're still having the problem 1 hour later. I came to check here in the forums, I thought I had a virus or something. I also get redirected by golnanosat but I didn't run the application.


rebelmommy ( ) posted Wed, 20 August 2008 at 11:44 PM

Thanks for the update Jen!

Renderosity's "problem Child"
Support Hydrocephalus research.. because a Shunt is NOT a cure!


JeniferC ( ) posted Wed, 20 August 2008 at 11:49 PM

louly, you will likely need to clean out your cache since the problem has been corrected in the forums and many other places.

 


louly ( ) posted Wed, 20 August 2008 at 11:51 PM

Ok thank you :)


auntietk ( ) posted Thu, 21 August 2008 at 12:30 AM

Thank you Jenifer!  All is well.

:)

"If your pictures aren't good enough, you're not close enough."  ...  Robert Capa


Diogenes ( ) posted Thu, 21 August 2008 at 1:12 AM

Lucky for me kaspersky didn't let me run it even though I said go ahead :) Love kaspersky sometimes! Not getting the pop up any more so it must be fixed.


A HOMELAND FOR POSER FINALLY


Colin ( ) posted Thu, 21 August 2008 at 1:19 AM

Sigh...

sadly, the store does not recognize the coupon code for me...  i appreciate the offered extension, but it's simply not working for me.

Oh well, maybe next time - I doubt I'll be back to try again in the next 9 hours - I'm off to bed now, as it's almost 2:30 a.m....

Cheers!


AnnieD ( ) posted Thu, 21 August 2008 at 1:20 AM

According to google.....golnanosat.com and thefreecompany.net  are hijacking forums all over the place..and some servers are being exploited also.

 

“For those who believe, no proof is necessary. For those who don't believe, no proof is possible.”

[Stuart Chase]


Goldenthrush ( ) posted Thu, 21 August 2008 at 1:29 AM

The "Thawte" certificates -- those are legitimate, right?  I can't get onto the site without allowing it, though I deleted all of it when I was requested earlier this evening to verify it.  


Diogenes ( ) posted Thu, 21 August 2008 at 1:51 AM

I don't know if they are legit or not but I'd say not. I have never been asked for anything like that in the past.  So I did a complete search for anything containing the word thawte which came up in my kaspersky backup files of things deleted and I deleted the backup as well.  I have no problem getting on this site without thawte consulting, so I'd say it's something you don't want.


A HOMELAND FOR POSER FINALLY


Goldenthrush ( ) posted Thu, 21 August 2008 at 1:55 AM

Yeesh!   Out it goes again!  XD


aqrose ( ) posted Thu, 21 August 2008 at 3:27 AM

Just great! I'm running ZoneAlarm firewall and Symantec antivirus and didn't get any kind of warning at all during the night.  I've been on & off site all day long. Now I'm paranoid that it snuck past them undetected. What do I do now?
Thanks! :)


Goldenthrush ( ) posted Thu, 21 August 2008 at 4:44 AM

I definitely cannot log onto this site without the "thawte" certificates, can I please get a definite on what it is?  


Jack D. Kammerer ( ) posted Thu, 21 August 2008 at 7:24 AM

Quote - I definitely cannot log onto this site without the "thawte" certificates, can I please get a definite on what it is?  

Thawte is an Internet consulting firm that issues SSL (Secure Server License) to websites that have online stores at a cost to the owner of the website. The certificate that they issue [at a pretty large and annoying cost] is responsible for the little "Gold Lock" icon that shows at the bottom of your browser window when you are in the store... this is done to assure Online Store Customers that the website and online store you are visiting and the information you provide is "Secure"...

Thawte doesn't really do anything other than charge a website owner to purchase this certificate. The certificate is only good for a year and the only way that Thawte verifies this information is by running a script against the server to test and make sure that there isn't any open ports, remote linking, phishing scripts and other little things that might make it possible for people to steal your information at the moment of purchase... and it pretty much only verifies this information at the time of purchase or renewal of the certificate... as for the other 364 days of the year... well...  shrugs

Fact of the matter is this... any good System's Administrator is going to make sure that the website is secure 24/7/365... the SSL Certificate is only a means to provide Customer trust while sucking a pretty sizable chunk of money out of a website owner's pocket to provide that trust.

Bottom line... think of it as a nice little certificate that a shop owner puts up on the wall of their business to show they have a license to do whatever service they do. For example a certificate license for a person who cuts hair at a  hair salon... as many of you may know by this example, even though the person may have a certficate/license stating that they are licensed to cut hair, doesn't mean that they are someone you'd trust to touch your hair! :)

As for the website and forum hijack that occured... the fact is this... Renderosity is a pretty large Community, which makes it a perfect target for [disrespectful] individuals to try and siphon traffic and bandwidth from, or try and take revenge on (say from an individual who's been banned)... it is a script kitty paradise here!!

As such, this website is probably attacked on a regular basis in one form or another. DOS attacks, phishing tatics, harmful scripts, server/forum hijack attempts, etc... etc... etc... making it a monster of a job to protect itself and its members. And sometimes little things can make it through the cracks or accidently be over-looked and, as such, make for a very interesting and tiring day for the System's Administrator to try and clean the mess up and make steps to prevent it from happening again...

Personally, one way to avoid this would be to work on the means in which the forums must be replied to... meaning the applet that the site's software uses to allow members to post or reply to forum threads... no offense to Renderosity, but this is a pretty nice chink in the armor... particularly when a member has to DISABLE ADWARE protection software to post on the website!

Seriously, asking a member to disable security features that protect them from Phishing, Browser Hijacking Scripts, E-Mail Sniffers, and harmful applets that can be attached to off-site advertising banners for them to visit and interact on your website is not a great means to provide security to your members while visiting your website and makes the site an even MORE tempting target to idiots looking to exploit, steal, harrass, hijack or be a general pain in the butt to your business and to your customers.

Just my two pennies!
~Jack D. Kammerer
who is re-enabling his system's security features and going back to lurk mode

 


LostinSpaceman ( ) posted Thu, 21 August 2008 at 8:49 AM

Quote -
Seriously, asking a member to disable security features that protect them from Phishing, Browser Hijacking Scripts, E-Mail Sniffers, and harmful applets that can be attached to off-site advertising banners for them to visit and interact on your website is not a great means to provide security to your members while visiting your website and makes the site an even MORE tempting target to idiots looking to exploit, steal, harrass, hijack or be a general pain in the butt to your business and to your customers.
 

Run on sentences much? I haven't had my caffiene and this was a bitch to read without punctuation. :tt2:


Goldenthrush ( ) posted Thu, 21 August 2008 at 11:19 AM

Thank you much, Jack, very much appreciated.

I did have a random and "unknown" applet trying to run from the start of the "attack", actually.  But I have no idea how this hacking was carried out. 


Acadia ( ) posted Thu, 21 August 2008 at 12:17 PM

Oddly enough I use Mozilla-Firefox and haven't had an issue.  

"It is good to see ourselves as others see us. Try as we may, we are never
able to know ourselves fully as we are, especially the evil side of us.
This we can do only if we are not angry with our critics but will take in good
heart whatever they might have to say." - Ghandi



JeniferC ( ) posted Thu, 21 August 2008 at 2:06 PM

Yes, the thawte certificate is legit. Thanks Jack for explaining it so well.   No one should have any problems, since this was resolved last night.

For those of you just hearing about the issues, last night Bondware became aware of a security compromise to Renderosity and RuntimeDNA. The attack presented itself as a hidden Javascript application embedded at the bottom of certain pages, prompting the user to download and install an application that is actually a Trojan virus. Less than an hour after the attack, Bondware had isolated the affected scripts and started reversing the changes.

We have installed monitoring tools to detect a repeat attempt. We are actively investigating the details of last night's attack and will aggressively address any vulnerabilities discovered.

Please make sure you reject any and all unsolicited download prompts when visiting any website, as these could possibly be a sign of attack. Also, we strongly encourage everyone to always use anti-virus software. This type of trojan has affected some of the largest websites including Wal-mart, Target, etc in recent months, but routine anti-viral software seems to prevent damage to the visitors computer.

 agrose, your symantec anti-virus would have caught and blocked the concern if you had visited during the time of the problem, which started just before 9:30 and were resolved in about an hour.  Some people may have continued to experience an anti-virus block after the fix if their browser had cached the pages that had been compromised.

We extended last night's coupon. For anyone that missed it, please keep checking the The Temperature is Rising Sales Promotion located on the front page and watch the Site Announcements area for up to the minute specials.

We sincerely apologize for the inconvenience that this has caused.

Jenifer Carey
Vice President

 

 


Angelsinger ( ) posted Thu, 21 August 2008 at 2:29 PM

Does anybody know what that hack was designed to do?

Asking because last night when ZoneAlarm kept giving me warnings saying a trojan was downloaded, I noticed the java console had also suddenly appeared in my taskbar.

Before I purchased something from the store today,  I opened ZA and saw that those viruses had been quarantined. I let ZA delete them.

Still, I don't know if I'm 'safe'? : (
I'd hate for my purchasing info to be compromised. : (


Santel ( ) posted Thu, 21 August 2008 at 3:39 PM

I have Trendmicro, it stopped the trojan and reported it is also known in Sopho and AVG databases as a trojan infecting approximately 28,000 computers in North America, however, it's purpose/s are 'unknown'


Jean-Luc_Ajrarn ( ) posted Thu, 21 August 2008 at 5:05 PM

Quote - Less than an hour after the attack, Bondware had isolated the affected scripts and started reversing the changes.

Thank you very much! :)


Colin ( ) posted Thu, 21 August 2008 at 5:28 PM

Quote -
We extended last night's coupon. For anyone that missed it, please keep checking the The Temperature is Rising Sales Promotion located on the front page and watch the Site Announcements area for up to the minute specials.

We sincerely apologize for the inconvenience that this has caused.

Jenifer Carey
Vice President

Thank you, Jen - however, when I tried to use the extended code last night at about 1a.m., as soon as I heard that the threat had been contained, the store software would not accept the coupon code, reporting that it had expired.

Today's coupon, for half of last night's discount, is a 'pale substitute'  - I'm not complaining, I only point this out to clarify that there may indeed have been other customers who were unable to use the supposedly-extended coupon...  so you may hear about it from others as well...

As for me, I will keep watching, in the hope that a similarly-generous coupon code appears before the promotion is over!

Cheers!

 


AnnieD ( ) posted Thu, 21 August 2008 at 5:35 PM

Quote - **Does anybody know what that hack was designed to do?**Asking because last night when ZoneAlarm kept giving me warnings saying a trojan was downloaded, I noticed the java console had also suddenly appeared in my taskbar.

A lot of ppl don't realize it but you also have a cache of temp internet files just for your java program. 

You get to it thru your control panel >java>java control panel>temp internet files>settings......and from there you can set it like you want and delete the temp files...it's also where a java exploit/virus can live and bash you every time it gets a chance.
I'm talking about windows...I don't know anything about mac...don't even know if mac has java.  lol
 

 

“For those who believe, no proof is necessary. For those who don't believe, no proof is possible.”

[Stuart Chase]


Daidalos ( ) posted Thu, 21 August 2008 at 5:59 PM

Jennifer,

I have lost part of my page. Seen here circled in red.

Is this just a CSS problem, or is it a result of whatever happened last night? It only does this when I'm in the forums.

Thanks I appreciate any help you can give me in fixing my page.


"The Blood is the life!"

 


StaceyG ( ) posted Thu, 21 August 2008 at 7:15 PM

Did you clear your cache?  What browser are you using?


Daidalos ( ) posted Thu, 21 August 2008 at 7:19 PM

Stacey I use IE.

My Cache should have been cleared out yes.

So you know I reset my css to the default and that seems to have fixed the problem.


"The Blood is the life!"

 


originalkitten ( ) posted Thu, 21 August 2008 at 7:50 PM

I've just had a blank email from store@renderosity.com ...... is this anything to do with the hack?

"I didn't lose my mind, it was mine to give away"


Angelsinger ( ) posted Thu, 21 August 2008 at 7:55 PM

Thank you so much for that, AnnieD...

I never knew of this java cache feature. :m_shocked:

But damn, now I'm going to have keep calling my bank to see if my recent rendo purchase info is being used to take money from my account. I did delete those viruses this morning before purchasing, but didn't know anything about deleting the cache stuff that may have been associated with the java activity I saw last night.

I effing hate this kind of thing.


Debbie M. ( ) posted Thu, 21 August 2008 at 7:57 PM

sorry originalkitten.  That was completely my fault as I was in the backend gathering some data for reports, and I accidentally hit the submit button and it sent out a blank email to all previous buyers :(  deb hangs head in shame and is very sorry

Debbie M.


Privacy Notice

This site uses cookies to deliver the best experience. Our own cookies make user accounts and other features possible. Third-party cookies are used to display relevant ads and to analyze how Renderosity is used. By using our site, you acknowledge that you have read and understood our Terms of Service, including our Cookie Policy and our Privacy Policy.