Forum: Community Center


Subject: Site Hacked?

the_tdog opened this issue on Aug 20, 2008 · 111 posts


the_tdog posted Wed, 20 August 2008 at 9:28 PM

The site keeps trying to redirect to something called "golnanosat" and there's a popup, ostensibly from Microsoft called "Remote Data Controller Data Controller" or something that keeps trying to run.

What is going on?

I don't trust the site enough to use the 20% off coupon right now... very annoying!


chriscox posted Wed, 20 August 2008 at 9:42 PM

This may be related to the redirect: McAfee is telling me that it is removing a Trojan (Exploit-Iframe) when I go to some of the pages here (such as the home page and the freestuff).
This just started happening.

Chris Cox



Goldenthrush posted Wed, 20 August 2008 at 9:46 PM

I got an "unknown applet" trying to run on going to freestuff, and it's still bogging me down.


rebelmommy posted Wed, 20 August 2008 at 9:50 PM

I get it in the galleries :(

Renderosity's "problem Child"
Support Hydrocephalus research.. because a Shunt is NOT a cure!


Goldenthrush posted Wed, 20 August 2008 at 9:51 PM

Found the certificate it was pushing "Thawte Consulting cc". 


DarkStormCrow posted Wed, 20 August 2008 at 9:52 PM

I am getting a warning also, on every page on this site.

Kalypso posted Wed, 20 August 2008 at 10:08 PM Site Admin

I am getting a warning about Trojan.Virantix.C
It started in the galleries and now it's every page i go to.

http://securityresponse.symantec.com/security_response/writeup.jsp?docid=2008-050916-1055-99


auntietk posted Wed, 20 August 2008 at 10:10 PM

I'm getting a Java notice which I have to click nine times (three sets of three) in order to get it to go away, and when I'm in the galleries, there's a message across the top of my screen that says,

"this website wants to run the following add-on:  microsoft data acess - remote data services dat ... from microsoft corporation.  if you trust the website and the add-on and want to allow it to run, click here ..." 

I can access an image, but as soon as I click away from it, I get the same Java message again.  Oddly enough, I'm not having that problem in the forum at all.  Once I got here, I was able to browse around and look at different forum posts (looking for exactly this issue!) with no problem.

Also ...

I'm on IM with Marilyn (beachzz) right now, and she can't get in at all.  She's getting a popup.  She says:  i get a really weird message-- "The site at vipasotka.com has been reported as an attack site and has been blocked based on your security preferences."  She ran her spybot program, but it's still coming up.

Any information would be lovely!  :)  For now, I'm just going to get off RR.  I'll check back later.

Thanks! 

"If your pictures aren't good enough, you're not close enough."  ...  Robert Capa


Dragontales posted Wed, 20 August 2008 at 10:12 PM

I'm getting the trojan warnings too from McAfee when I come to this site. 


Ravyns posted Wed, 20 August 2008 at 10:31 PM

I got the Trojan.Virantix.C warning from Nortons when I came to the forums along with the other stuff in the screenshot..

**************************************************************************************

Life may not be the party we hoped for but while we're here we should dance.

 


LostinSpaceman posted Wed, 20 August 2008 at 10:40 PM

AVG just gave me 4 different Trojan warning popups when direct linking to the forums as well as the Microsoft Remote Data Access request which I've denied of course. Sorry folks, but i don't trust Rendo THAT much! Nobody's getting remote data access to my PC. Not nobody not no how! :tt2:


Giolon posted Wed, 20 August 2008 at 10:46 PM

I am getting it as well.  I've forwarded this thread to the admins.

http://securityresponse.symantec.com/security_response/writeup.jsp?docid=2008-050916-1055-99

¤~Giolon~¤

¤~ RadiantCG ~¤~ My Renderosity Gallery ~¤


pjz99 posted Wed, 20 August 2008 at 10:59 PM

Yep same here, some javascript is trying to run an installer whenever I hit the gallery here.  I navigated many URLs elsewhere, no popup, but instantly get it when I navigate to Rendo's gallery.  Nice!

My Freebies


pjz99 posted Wed, 20 August 2008 at 11:02 PM

Info about this specific hack:
http://www.phpbb.com/community/viewtopic.php?f=1&t=1127185

I kinda strongly suggest Rendo block all traffic to "golnanosat.com"...

My Freebies


Miss Nancy posted Wed, 20 August 2008 at 11:02 PM

they need to fix this right quick.  seriously.  It's preventing forum pages and god knows what else from loading.  and no, I don't trust thawte consulting.  I say hunt 'em down.



pizazz posted Wed, 20 August 2008 at 11:05 PM

attached is what I got.  I also cannot get into my file locker.  the following message pops up on a HUGE white page.

Parse error: syntax error, unexpected '<' in /sv1/renderosity/public_html/mod/rrfilelock/index.php on line 375

I was really afraid I'd picked up something nasty.


pjz99 posted Wed, 20 August 2008 at 11:07 PM

Anybody who actually allowed this to run, you're probably really screwed.  I hate to be doomy and gloomy but this looks like a nasty little browser hijack.

My Freebies


Phoenix1966 posted Wed, 20 August 2008 at 11:09 PM

Same here and it's a shame because I wanted to use that coupon offer, but there's no way I'd purchase anything at the moment. :( 


Giolon posted Wed, 20 August 2008 at 11:10 PM

Ditto here Phoenix.  I sincerely hope that Rendo will extend the coupon b/c of this...

¤~Giolon~¤

¤~ RadiantCG ~¤~ My Renderosity Gallery ~¤


nickcharles posted Wed, 20 August 2008 at 11:24 PM

Hi all,

The problem is being worked on, and hopefully fully resolved shortly.

Nick C. Sorbin
Staff Writer
Renderosity Magazine
......................................................................................................
"For every breath, for every day of living, this is my Thanksgiving."
-Don Henley


rebelmommy posted Wed, 20 August 2008 at 11:33 PM

Well lucky me I let it run.. woohoo.. now rendo hardly loads at all.. glad I learned that lesson the hard way :((

Renderosity's "problem Child"
Support Hydrocephalus research.. because a Shunt is NOT a cure!


JeniferC posted Wed, 20 August 2008 at 11:35 PM

The coupon was extended and most of the areas have been fixed.  There are still a few things being worked on.

 


louly posted Wed, 20 August 2008 at 11:40 PM

We're still having the problem 1 hour later. I came to check here in the forums, I thought I had a virus or something. I also get redirected by golnanosat but I didn't run the application.


rebelmommy posted Wed, 20 August 2008 at 11:44 PM

Thanks for the update Jen!

Renderosity's "problem Child"
Support Hydrocephalus research.. because a Shunt is NOT a cure!


JeniferC posted Wed, 20 August 2008 at 11:49 PM

louly, you will likely need to clean out your cache since the problem has been corrected in the forums and many other places.

 


louly posted Wed, 20 August 2008 at 11:51 PM

Ok thank you :)


auntietk posted Thu, 21 August 2008 at 12:30 AM

Thank you Jenifer!  All is well.

:)

"If your pictures aren't good enough, you're not close enough."  ...  Robert Capa


Diogenes posted Thu, 21 August 2008 at 1:12 AM

Lucky for me kaspersky didn't let me run it even though I said go ahead :) Love kaspersky sometimes! Not getting the pop up any more so it must be fixed.


A HOMELAND FOR POSER FINALLY


Colin posted Thu, 21 August 2008 at 1:19 AM

Sigh...

sadly, the store does not recognize the coupon code for me...  i appreciate the offered extension, but it's simply not working for me.

Oh well, maybe next time - I doubt I'll be back to try again in the next 9 hours - I'm off to bed now, as it's almost 2:30 a.m....

Cheers!


AnnieD posted Thu, 21 August 2008 at 1:20 AM

According to google.....golnanosat.com and thefreecompany.net  are hijacking forums all over the place..and some servers are being exploited also.

 

“For those who believe, no proof is necessary. For those who don't believe, no proof is possible.”

[Stuart Chase]


Goldenthrush posted Thu, 21 August 2008 at 1:29 AM

The "Thawte" certificates -- those are legitimate, right?  I can't get onto the site without allowing it, though I deleted all of it when I was requested earlier this evening to verify it.  


Diogenes posted Thu, 21 August 2008 at 1:51 AM

I don't know if they are legit or not but I'd say not. I have never been asked for anything like that in the past.  So I did a complete search for anything containing the word thawte which came up in my kaspersky backup files of things deleted and I deleted the backup as well.  I have no problem getting on this site without thawte consulting, so I'd say it's something you don't want.


A HOMELAND FOR POSER FINALLY


Goldenthrush posted Thu, 21 August 2008 at 1:55 AM

Yeesh!   Out it goes again!  XD


aqrose posted Thu, 21 August 2008 at 3:27 AM

Just great! I'm running ZoneAlarm firewall and Symantec antivirus and didn't get any kind of warning at all during the night.  I've been on & off site all day long. Now I'm paranoid that it snuck past them undetected. What do I do now?
Thanks! :)


Goldenthrush posted Thu, 21 August 2008 at 4:44 AM

I definitely cannot log onto this site without the "thawte" certificates, can I please get a definite on what it is?  


Jack D. Kammerer posted Thu, 21 August 2008 at 7:24 AM

Quote - I definitely cannot log onto this site without the "thawte" certificates, can I please get a definite on what it is?  

Thawte is an Internet consulting firm that issues SSL (Secure Server License) to websites that have online stores at a cost to the owner of the website. The certificate that they issue [at a pretty large and annoying cost] is responsible for the little "Gold Lock" icon that shows at the bottom of your browser window when you are in the store... this is done to assure Online Store Customers that the website and online store you are visiting and the information you provide is "Secure"...

Thawte doesn't really do anything other than charge a website owner to purchase this certificate. The certificate is only good for a year and the only way that Thawte verifies this information is by running a script against the server to test and make sure that there aren't any open ports, remote linking, phishing scripts and other little things that might make it possible for people to steal your information at the moment of purchase... and it pretty much only verifies this information at the time of purchase or renewal of the certificate... as for the other 364 days of the year... well...  shrugs

Fact of the matter is this... any good System's Administrator is going to make sure that the website is secure 24/7/365... the SSL Certificate is only a means to provide Customer trust while sucking a pretty sizable chunk of money out of a website owner's pocket to provide that trust.

Bottom line... think of it as a nice little certificate that a shop owner puts up on the wall of their business to show they have a license to do whatever service they do. For example a certificate license for a person who cuts hair at a hair salon... as many of you may know by this example, even though the person may have a certificate/license stating that they are licensed to cut hair, doesn't mean that they are someone you'd trust to touch your hair! :)

As for the website and forum hijack that occurred... the fact is this... Renderosity is a pretty large Community, which makes it a perfect target for [disrespectful] individuals to try and siphon traffic and bandwidth from, or try and take revenge on (say from an individual who's been banned)... it is a script kitty paradise here!!

As such, this website is probably attacked on a regular basis in one form or another. DOS attacks, phishing tactics, harmful scripts, server/forum hijack attempts, etc... etc... etc... making it a monster of a job to protect itself and its members. And sometimes little things can make it through the cracks or accidentally be over-looked and, as such, make for a very interesting and tiring day for the System's Administrator to try and clean the mess up and make steps to prevent it from happening again...

Personally, one way to avoid this would be to work on the means in which the forums must be replied to... meaning the applet that the site's software uses to allow members to post or reply to forum threads... no offense to Renderosity, but this is a pretty nice chink in the armor... particularly when a member has to DISABLE ADWARE protection software to post on the website!

Seriously, asking a member to disable security features that protect them from Phishing, Browser Hijacking Scripts, E-Mail Sniffers, and harmful applets that can be attached to off-site advertising banners for them to visit and interact on your website is not a great means to provide security to your members while visiting your website and makes the site an even MORE tempting target to idiots looking to exploit, steal, harass, hijack or be a general pain in the butt to your business and to your customers.

Just my two pennies!
~Jack D. Kammerer
who is re-enabling his system's security features and going back to lurk mode

 


LostinSpaceman posted Thu, 21 August 2008 at 8:49 AM

Quote -
Seriously, asking a member to disable security features that protect them from Phishing, Browser Hijacking Scripts, E-Mail Sniffers, and harmful applets that can be attached to off-site advertising banners for them to visit and interact on your website is not a great means to provide security to your members while visiting your website and makes the site an even MORE tempting target to idiots looking to exploit, steal, harass, hijack or be a general pain in the butt to your business and to your customers.
 

Run-on sentences much? I haven't had my caffeine and this was a bitch to read without punctuation. :tt2:


Goldenthrush posted Thu, 21 August 2008 at 11:19 AM

Thank you much, Jack, very much appreciated.

I did have a random and "unknown" applet trying to run from the start of the "attack", actually.  But I have no idea how this hacking was carried out. 


Acadia posted Thu, 21 August 2008 at 12:17 PM

Oddly enough I use Mozilla-Firefox and haven't had an issue.  

"It is good to see ourselves as others see us. Try as we may, we are never
able to know ourselves fully as we are, especially the evil side of us.
This we can do only if we are not angry with our critics but will take in good
heart whatever they might have to say." - Gandhi



JeniferC posted Thu, 21 August 2008 at 2:06 PM

Yes, the thawte certificate is legit. Thanks Jack for explaining it so well.   No one should have any problems, since this was resolved last night.

For those of you just hearing about the issues, last night Bondware became aware of a security compromise to Renderosity and RuntimeDNA. The attack presented itself as a hidden Javascript application embedded at the bottom of certain pages, prompting the user to download and install an application that is actually a Trojan virus. Less than an hour after the attack, Bondware had isolated the affected scripts and started reversing the changes.

We have installed monitoring tools to detect a repeat attempt. We are actively investigating the details of last night's attack and will aggressively address any vulnerabilities discovered.

Please make sure you reject any and all unsolicited download prompts when visiting any website, as these could possibly be a sign of attack. Also, we strongly encourage everyone to always use anti-virus software. This type of trojan has affected some of the largest websites including Wal-mart, Target, etc. in recent months, but routine anti-viral software seems to prevent damage to the visitor's computer.

aqrose, your symantec anti-virus would have caught and blocked the concern if you had visited during the time of the problem, which started just before 9:30 and was resolved in about an hour.  Some people may have continued to experience an anti-virus block after the fix if their browser had cached the pages that had been compromised.

We extended last night's coupon. For anyone that missed it, please keep checking The Temperature is Rising Sales Promotion located on the front page and watch the Site Announcements area for up to the minute specials.

We sincerely apologize for the inconvenience that this has caused.

Jenifer Carey
Vice President
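
A defender-side check in the spirit of the monitoring mentioned above, added here as an example and not Bondware's or Renderosity's own tooling: it scans page sources for iframe or script tags that are hidden, load from a host outside an allowlist, or sit after the closing </html>, which matches the pattern the thread describes (hidden script or iframe content at the bottom of certain pages). The allowlist hosts and the injected URL in the sample page are constructed placeholders.

```python
"""Scan HTML/PHP page sources for injected hidden iframes or scripts that pull
content from hosts outside a site's allowlist. Added example; not the site's
own monitoring tool."""
import re
from urllib.parse import urlparse

# Hosts this site is expected to load scripts and frames from.
# Assumption: an illustrative allowlist; a real deployment lists its own hosts.
ALLOWED_HOSTS = {"www.renderosity.com", "renderosity.com"}

TAG_RE = re.compile(r"<(iframe|script)\b([^>]*)>", re.IGNORECASE)
SRC_RE = re.compile(r"""\bsrc\s*=\s*["']?([^"'\s>]+)""", re.IGNORECASE)
STYLE_RE = re.compile(r"""\bstyle\s*=\s*["']([^"']*)["']""", re.IGNORECASE)
DIM_RE = re.compile(r"""\b(width|height)\s*=\s*["']?(\d+)""", re.IGNORECASE)


def host_of(url):
    """Return the lowercase host of an absolute URL, or None for relative URLs."""
    parsed = urlparse(url.strip())
    return parsed.hostname.lower() if parsed.hostname else None


def looks_hidden(attrs):
    """True if the tag is styled invisible or sized to a 0/1 pixel box."""
    style = STYLE_RE.search(attrs)
    if style:
        css = style.group(1).replace(" ", "").lower()
        if "display:none" in css or "visibility:hidden" in css:
            return True
    dims = {k.lower(): int(v) for k, v in DIM_RE.findall(attrs)}
    return any(v <= 1 for v in dims.values())


def find_injected(html, allowed=ALLOWED_HOSTS):
    """Return a list of (tag, src, reasons) for suspicious iframe/script tags.

    A tag is reported when its src host is off the allowlist, when an iframe
    is hidden, or when it appears after the closing </html>, where legitimate
    markup does not belong."""
    end_html = html.lower().rfind("</html>")
    findings = []
    for m in TAG_RE.finditer(html):
        tag, attrs = m.group(1).lower(), m.group(2)
        src_m = SRC_RE.search(attrs)
        src = src_m.group(1) if src_m else None
        host = host_of(src) if src else None
        reasons = []
        if host and host not in allowed:
            reasons.append("src host %s not on allowlist" % host)
        if tag == "iframe" and looks_hidden(attrs):
            reasons.append("hidden iframe")
        if end_html != -1 and m.start() > end_html:
            reasons.append("tag appears after </html>")
        if reasons:
            findings.append((tag, src, reasons))
    return findings


def scan_file(path, allowed=ALLOWED_HOSTS):
    """Scan one file on disk (e.g. a PHP template) for injected tags."""
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        return find_injected(fh.read(), allowed)


# Constructed sample: a clean page followed by an injected hidden iframe
# appended after </html>. The injected host is a placeholder, not a real site.
SAMPLE_PAGE = """<html><head>
<script src="http://www.renderosity.com/js/gallery.js"></script>
</head><body><p>Gallery</p></body></html>
<iframe src="http://injected-host.example/in.php" width="1" height="1"
 style="visibility:hidden"></iframe>
"""

if __name__ == "__main__":
    for tag, src, reasons in find_injected(SAMPLE_PAGE):
        print(tag, src, "; ".join(reasons))
```

Run over a tree of templates after a suspected compromise, or on a schedule, and alert on any non-empty result; the reasons list tells the operator which heuristic fired.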

 

 


Angelsinger posted Thu, 21 August 2008 at 2:29 PM

Does anybody know what that hack was designed to do?

Asking because last night when ZoneAlarm kept giving me warnings saying a trojan was downloaded, I noticed the java console had also suddenly appeared in my taskbar.

Before I purchased something from the store today,  I opened ZA and saw that those viruses had been quarantined. I let ZA delete them.

Still, I don't know if I'm 'safe'? : (
I'd hate for my purchasing info to be compromised. : (


Santel posted Thu, 21 August 2008 at 3:39 PM

I have Trendmicro, it stopped the trojan and reported it is also known in Sophos and AVG databases as a trojan infecting approximately 28,000 computers in North America, however, it's purpose/s are 'unknown'


Jean-Luc_Ajrarn posted Thu, 21 August 2008 at 5:05 PM

Quote - Less than an hour after the attack, Bondware had isolated the affected scripts and started reversing the changes.

Thank you very much! :)


Colin posted Thu, 21 August 2008 at 5:28 PM

Quote -
We extended last night's coupon. For anyone that missed it, please keep checking The Temperature is Rising Sales Promotion located on the front page and watch the Site Announcements area for up to the minute specials.

We sincerely apologize for the inconvenience that this has caused.

Jenifer Carey
Vice President

Thank you, Jen - however, when I tried to use the extended code last night at about 1 a.m., as soon as I heard that the threat had been contained, the store software would not accept the coupon code, reporting that it had expired.

Today's coupon, for half of last night's discount, is a 'pale substitute'  - I'm not complaining, I only point this out to clarify that there may indeed have been other customers who were unable to use the supposedly-extended coupon...  so you may hear about it from others as well...

As for me, I will keep watching, in the hope that a similarly-generous coupon code appears before the promotion is over!

Cheers!

 


AnnieD posted Thu, 21 August 2008 at 5:35 PM

Quote - Does anybody know what that hack was designed to do?

Asking because last night when ZoneAlarm kept giving me warnings saying a trojan was downloaded, I noticed the java console had also suddenly appeared in my taskbar.

A lot of ppl don't realize it but you also have a cache of temp internet files just for your java program. 

You get to it thru your control panel >java>java control panel>temp internet files>settings......and from there you can set it like you want and delete the temp files...it's also where a java exploit/virus can live and bash you every time it gets a chance.
I'm talking about windows...I don't know anything about mac...don't even know if mac has java.  lol
 

 

“For those who believe, no proof is necessary. For those who don't believe, no proof is possible.”

[Stuart Chase]


Daidalos posted Thu, 21 August 2008 at 5:59 PM

Jennifer,

I have lost part of my page. Seen here circled in red.

Is this just a CSS problem, or is it a result of whatever happened last night? It only does this when I'm in the forums.

Thanks I appreciate any help you can give me in fixing my page.


"The Blood is the life!"

 


StaceyG posted Thu, 21 August 2008 at 7:15 PM

Did you clear your cache?  What browser are you using?


Daidalos posted Thu, 21 August 2008 at 7:19 PM

Stacey I use IE.

My Cache should have been cleared out yes.

So you know I reset my css to the default and that seems to have fixed the problem.


"The Blood is the life!"

 


originalkitten posted Thu, 21 August 2008 at 7:50 PM

I've just had a blank email from store@renderosity.com ...... is this anything to do with the hack?

"I didn't lose my mind, it was mine to give away"


Angelsinger posted Thu, 21 August 2008 at 7:55 PM

Thank you so much for that, AnnieD...

I never knew of this java cache feature. :m_shocked:

But damn, now I'm going to have to keep calling my bank to see if my recent rendo purchase info is being used to take money from my account. I did delete those viruses this morning before purchasing, but didn't know anything about deleting the cache stuff that may have been associated with the java activity I saw last night.

I effing hate this kind of thing.


Debbie M. posted Thu, 21 August 2008 at 7:57 PM

sorry originalkitten.  That was completely my fault as I was in the backend gathering some data for reports, and I accidentally hit the submit button and it sent out a blank email to all previous buyers :(  deb hangs head in shame and is very sorry

Debbie M.


originalkitten posted Thu, 21 August 2008 at 8:04 PM

Lmao Deb don't worry I just wanted to make sure it wasn't part of the hack... I've done that so many times myself lmao....glad to know I'm not the only one....
have a great night
hugs
Lou x

"I didn't lose my mind, it was mine to give away"


AnnieD posted Thu, 21 August 2008 at 8:05 PM

Ok...lol   that explains why I just got one too....reaches over and pinches Deb

 

“For those who believe, no proof is necessary. For those who don't believe, no proof is possible.”

[Stuart Chase]


AnnieD posted Thu, 21 August 2008 at 8:10 PM

Quote - Thank you so much for that, AnnieD...

I never knew of this java cache feature. :m_shocked:

But damn, now I'm going to have to keep calling my bank to see if my recent rendo purchase info is being used to take money from my account. I did delete those viruses this morning before purchasing, but didn't know anything about deleting the cache stuff that may have been associated with the java activity I saw last night.

I effing hate this kind of thing.

You are welcome Angelsinger.  I found out the hard way..years ago. 
Now I have to figure out why the forum pages are completely out of whack and stretching across and off the screen..the posting section is ok...so off I go to check it out.
Jeeze...I don't get the ads that follow you...I didn't run into the hacker stuff..i thought everything was ok on my end and I missed out on it..now this...lol

 

“For those who believe, no proof is necessary. For those who don't believe, no proof is possible.”

[Stuart Chase]


Debbie M. posted Thu, 21 August 2008 at 8:12 PM

Thanks for understanding, and once again, I'm really sorry for the false alarm.  I could have at least typed something nice in there to send you all huh?

deb still hanging head in shame

Debbie M.


AnnieD posted Thu, 21 August 2008 at 8:16 PM

Get ready Deb...everyone that got one is going to post to ask why...lol

 

“For those who believe, no proof is necessary. For those who don't believe, no proof is possible.”

[Stuart Chase]


Debbie M. posted Thu, 21 August 2008 at 8:18 PM

I'm already paying for it by responding to the tons of emails coming in :crying:

Debbie M.


Wonga posted Thu, 21 August 2008 at 8:18 PM

are all personal details secure?

also got that blank email ;)

Find my Facebook Page Here -- or me on Twitter


Miss Nancy posted Thu, 21 August 2008 at 8:20 PM

o.k., thx to y'all for fixing that trojan.

p.s. for those interested in poser history, jack k. owned this site prior to tim,
and jack is one of the main reasons poser is so popular on the internet now.



Debbie M. posted Thu, 21 August 2008 at 8:22 PM

Hi wonga,

Yes, everything is secure and has been since last night.  The blank email was completely my fault as I hit the send button instead of the link to retrieve data I was building for a report I'm working on.

Sorry to all for the inconvenience.

Debbie M.


AnnieD posted Thu, 21 August 2008 at 8:25 PM

Deb...now you should type an explanation and 'accidentally' hit the send button again....       :m_bouncy:

 

“For those who believe, no proof is necessary. For those who don't believe, no proof is possible.”

[Stuart Chase]


Debbie M. posted Thu, 21 August 2008 at 8:29 PM

NOOOOO Annie, I'd have everyone throwing tomatoes at me then LOL

Debbie M.


Khai posted Thu, 21 August 2008 at 8:36 PM

Tomatoes! get your Tomatoes here.....T-Shirts! get your 'I tomatoed a Rendo Admin' Here...


LadySythe posted Thu, 21 August 2008 at 8:39 PM

Quote - Debbie M. :

Hi wonga,

Yes, everything is secure and has been since last night.  The blank email was completely my fault as I hit the send button instead of the link to retrieve data I was building for a report I'm working on.

Sorry to all for the inconvenience.

Soo... You're the culprit! lol I was wondering why a lot of us got those emails, as well as concerned it might have been something unfavorable to my computer. Thanks for letting us know!

LadySythe

P.S. Try not to hit send again ;)


Jean-Luc_Ajrarn posted Thu, 21 August 2008 at 8:44 PM

Quote - A lot of ppl don't realize it but you also have a cache of temp internet files just for your java program.

Thanks, AnnieD. :)
I didn't know that either.

Now... what happens if i uncheck "Keep temporary files on my computer"?
Would that be a good idea?


Debbie M. posted Thu, 21 August 2008 at 8:47 PM

Khai, you may get VERY rich selling those tomatoes and T-shirts LOL 

I don't think I can say I'm sorry enough for the false alarm.  As soon as I knew what I did I felt like crawling into the nearest, DEEPEST hole!

Debbie M.


StaceyG posted Thu, 21 August 2008 at 8:51 PM

No worries Debbie. We are human and accidents happen.  It's all good:)

Khai, you better not tomato me!!!   I've got my eye on you!!!            :m_lecture:     You don't want a lecture from me about tomato throwing do you? heehee   


originalkitten posted Thu, 21 August 2008 at 8:57 PM

deb why don't ya just send out another email saying sorry for the blank email? lmao would solve having to reply lol

"I didn't lose my mind, it was mine to give away"


Debbie M. posted Thu, 21 August 2008 at 8:59 PM

that would be a disaster on top of a disaster Lou LOL

Debbie M.


originalkitten posted Thu, 21 August 2008 at 9:00 PM

lmaoooooo ....was just a thought.....now that's prob why you're staff and I'm not! lmao

"I didn't lose my mind, it was mine to give away"


originalkitten posted Thu, 21 August 2008 at 9:05 PM

LOL I just realised when I posted that someone else had done the same....lmao now I'm hanging head in shame lmao

"I didn't lose my mind, it was mine to give away"


AnnieD posted Thu, 21 August 2008 at 9:06 PM

Quote - > Quote - A lot of ppl don't realize it but you also have a cache of temp internet files just for your java program.

Thanks, AnnieD. :)
I didn't know that either.

Now... what happens if i uncheck "Keep temporary files on my computer"?
Would that be a good idea?

Your cache for temp internet files is a place for the files to stay so your computer can access them faster without having to completely load them again like you did the first time your browser accessed the page they were on...so, if you check not to keep them..they will just load every time like the first time...no big deal unless you are on dial-up and your pages load really slow all the time...then it could be a pain to load them fresh every time...but remember you also don't usually use your java constantly anyway.
The temp internet files for windows work the same way...I never keep my history and my browser is set to empty my temp files every time I close it...you can also get viruses and trojans...etc.  stuck in your temp file folder.
Anyway...you decide...uncheck it for awhile and if it doesn't bother you...leave it that way..if it does..just remember to empty it often.

 

“For those who believe, no proof is necessary. For those who don't believe, no proof is possible.”

[Stuart Chase]


Debbie M. posted Thu, 21 August 2008 at 9:08 PM

LOL Lou, I think we both need some rest 😉

Debbie M.


originalkitten posted Thu, 21 August 2008 at 9:09 PM

lmao Deb I sure do.....tis 3.09 am here.... I WILL go to bed soon lmao

"I didn't lose my mind, it was mine to give away"


Debbie M. posted Thu, 21 August 2008 at 9:11 PM

sweet dreams :)  I still have a few hours left before I hit my pillow LOL

Debbie M.


originalkitten posted Thu, 21 August 2008 at 9:16 PM

lmao ....you too when you finally get there!

"I didn't lose my mind, it was mine to give away"


Faery_Light posted Thu, 21 August 2008 at 9:25 PM

Hmmm, wondered about that. Nortons blocked it several times and deleted the Trojan. I was left wondering where the catnip it was coming from. :)


Let me introduce you to my multiple personalities. :)
     BluEcho...Faery_Light...Faery_Souls.


LostinSpaceman posted Thu, 21 August 2008 at 9:26 PM

Quote - I've just had a blank email from store@renderosity.com ...... is this anything to do with the hack?

Ditto the blank email thing.


Khai posted Thu, 21 August 2008 at 9:28 PM

Quote - sorry originalkitten.  That was completely my fault as I was in the backend gathering some data for reports, and I accidentally hit the submit button and it sent out a blank email to all previous buyers :(  deb hangs head in shame and is very sorry


LostinSpaceman posted Thu, 21 August 2008 at 9:30 PM

Quote - > Quote - sorry originalkitten.  That was completely my fault as I was in the backend gathering some data for reports, and I accidentally hit the submit button and it sent out a blank email to all previous buyers :(  deb hangs head in shame and is very sorry

Yup! I read that as I continued scrolling further down.


Jean-Luc_Ajrarn posted Thu, 21 August 2008 at 9:41 PM

Thanks again, AnnieD. :)

I will try that, then. :)


Daidalos posted Thu, 21 August 2008 at 9:49 PM

Quote - > Quote - Thank you so much for that, AnnieD...

I never knew of this java cache feature. :m_shocked:

But damn, now I'm going to have to keep calling my bank to see if my recent rendo purchase info is being used to take money from my account. I did delete those viruses this morning before purchasing, but didn't know anything about deleting the cache stuff that may have been associated with the java activity I saw last night.

I effing hate this kind of thing.

You are welcome Angelsinger.  I found out the hard way..years ago. 
Now I have to figure out why the forum pages are completely out of whack and stretching across and off the screen..the posting section is ok...so off I go to check it out.
Jeeze...I don't get the ads that follow you...I didn't run into the hacker stuff..i thought everything was ok on my end and I missed out on it..now this...lol

Sorry, that's because of the screen shot I posted.


"The Blood is the life!"

 


AnnieD posted Thu, 21 August 2008 at 9:52 PM

Thanks...I figured that out pretty quick but it only lasted as long as it took for another page to start...so no problem. 

 

“For those who believe, no proof is necessary. For those who don't believe, no proof is possible.”

[Stuart Chase]


3Dillusions posted Fri, 22 August 2008 at 5:42 AM

I missed all the fun, was sleeping over in Australia, good to see you guys removed it.
Nasty thing


3Dillusions posted Fri, 22 August 2008 at 5:44 AM

Forgot to Ask was it Java or JavaScript that the Trojan loaded from?


Angelsinger posted Fri, 22 August 2008 at 6:55 PM

3Dillusions, it was Java.

My AV pointed me to the path c-Documents and Settings - username - Application Data - Sun - Java - Deployment - cache - and then a couple more subfolders.


3Dillusions posted Fri, 22 August 2008 at 7:09 PM

There you go, Firefox recommends all users disable Java; that is why I did not get any warning or infection. Thanks Firefox, well that proved it worked.

I have javascript enabled but no JAVA.

I wonder if the rate of infection was higher with IE or Firefox.

Nasty things Trojans, well Sophos was warning about it for 2 weeks, and websites are still getting caught with their pants down, no excuse, you must keep up with all the updates, I do, I don't understand people that run web pages and don't update regularly.

They should all subscribe to the Sophos daily reports. Those guys are up there with the first release in the wild of things; that way you know which module or program or update to check. No excuse to get taken over like that, especially all the larger sites that are getting hit.

Angela


AnnieD posted Fri, 22 August 2008 at 8:25 PM

For anyone who is really interested in the way these things work...and which is more secure..how to protect your machine, etc.

**The malicious payload may be in the form of a Java applet, JavaScript, an ActiveX control, or any other form of executable content, which usually runs surreptitiously in the background.**
Take your pick of articles

 

“For those who believe, no proof is necessary. For those who don't believe, no proof is possible.”

[Stuart Chase]


3Dillusions posted Fri, 22 August 2008 at 8:43 PM

Yep, they exploit them all. The point is to keep up with all updates; sure, they will find one that has not even been picked up yet, but those are really rare. This Trojan was in the wild for 2 weeks, so it should have been plugged ages ago.

This week Java, next week PHP and anything else that runs online.
The spammers are pests; it's the credit card fraud and bot controllers that are the major criminals online.


rydelldragon posted Fri, 22 August 2008 at 10:16 PM

Glad you caught the scripts that caused this. It took FIVE hours to clean up after this mess. My wife, whose computer got hit, has an old PC and can't run the new AV software; it takes too much. How did the SOB get the JS onto your pages? There are others who lost their PCs to this mess.

I'd say I'm sorry about ranting, but I'm not. This mess screwed up five hours of my time, caused so much stress that my wife won't even come back here, and has disabled all scripts on her PC. I can not stress this strongly enough: it is more than an inconvenience, it's a nightmare. My wife is a survivor of rape, and the level of violated she feels is such that she is having flashbacks to things from years ago.


3Dillusions posted Sat, 23 August 2008 at 1:34 AM

So sorry about your wife. Tell her to use Mozilla Firefox; you can disable Java and JavaScript and still go online without any problems. I also have Flash disabled; they are hitting those adverts too in a big way.

The reason Flash is disabled on my browser is my PC is slow and it freezes; it hates my Nvidia graphics card and always has. As I have a slow PC, I can understand your frustration on running the latest AV programs; they are huge on memory, which us poor people don't have on older PCs.

If you are using IE, ditch it. If you need help to set this up, I can show you some add-ons that will literally save you heaps of time online and keep you safe. Nothing compares to it; it's so easy to install and has so many features you will be amazed. I got one Trojan in 1999, and that's the last time I had IE on my PC. I refuse to even let it load; it's a bloated beast that does nothing but infect a user's PC, and if anyone disagrees then bad luck, it's a fact.

Internet Explorer has a higher malware infection rate than Firefox.


3Dillusions posted Sat, 23 August 2008 at 1:51 AM

Someone correct me if I am wrong: was this an IFRAME exploit?


AnnieD posted Sat, 23 August 2008 at 3:21 AM

To be fair... I use IE 7... and I don't have any problems... I also run my Java and no problems.
My PC was built in 2001 and it's not a new one by any means...
If you take the time to learn about security for your PC... you cut down the chances of getting infected greatly. I haven't had an infection on this machine since I've had it... luck? Yes!
As long as you are on the internet... you can get infected by these things... they get more sophisticated every day... and no one browser or program will protect you.

 

“For those who believe, no proof is necessary. For those who don't believe, no proof is possible.”

[Stuart Chase]


Angelsinger posted Sat, 23 August 2008 at 12:00 PM

Know what 3Dillusions, I'm using FF, and if I had only known to disable Java, I wouldn't still be wondering if info could have been ciphered by the cached Java crap. :s

My AV located the infected stuff in FF's cache, but it didn't point me to the Java cache til I did a full scan.

AnyHOO, thanks for the info, it's much appreciated. : )


AnnieD posted Sat, 23 August 2008 at 2:45 PM

Quote - Know what 3Dillusions, I'm using FF, and if I had only known to disable Java, I wouldn't still be wondering if info could have been ciphered by the cached Java crap. :s

My AV located the infected stuff in FF's cache, but it didn't point me to the Java cache til I did a full scan.

As long as your software (any software) caches files, you run a risk. Best thing is to find out where those files are being kept temporarily and make sure you keep it cleaned out... it should be part of your regular maintenance.
Your computer keeps these files in a temp folder... (there's more than one on your PC)... and says it's faster to retrieve them from there than to download them all over again... so in that folder you have everything sitting there that was a part of the page that you originally downloaded... pics, scripts, Flash, ad cookies, session info... everything that went into making that page available to you!

If you haven't already checked it out... load up a page or two from the net... and go open your Temporary Internet Files folder and look at all the junk in it... junk that doesn't all go away by itself.
Java isn't the only thing to watch out for... and the Temporary Internet Files folder isn't the only place that keeps those things.

 

“For those who believe, no proof is necessary. For those who don't believe, no proof is possible.”

[Stuart Chase]


Angelsinger posted Sat, 23 August 2008 at 3:19 PM

Thanks for your reply, AnnieD.  : )

I have always known about the cache folders, have gone into them to dig out videos from youtube, etc... lol -- But... I'm surprised I never realized that it could be unsafe to keep stuff in there.

I use FF's 'clear private data' shortcut keys to wipe the cache & other stuff often... But still!

To be honest, this was the first time I was ever alerted about a virus attack on a website!
Guess I felt pretty secure with my AV, and was ignorant about considering the cached files if such a thing occurred.


AnnieD posted Sat, 23 August 2008 at 3:49 PM

It sounds like you are doing what you can... and that's all you can do... that and learn about it.
Lots of nasty things can get in there... kinda like roaches or ants hiding behind other things... eewww!
Like I said... I learned most of this the hard way in the last 12 or 13 yrs...
There is a site online to get all the security info you need... and run tests to see if your PC is safe... click on the Shields Up and look around at those tests. I've been going there and using it for years... and it's free.

Shields Up, for anyone who wants to check it out.

 

“For those who believe, no proof is necessary. For those who don't believe, no proof is possible.”

[Stuart Chase]


Angelsinger posted Sat, 23 August 2008 at 3:58 PM

Bookmarking that site, Annie, thanks again! : )

Hope it doesn't say "uh oh!" when it's done scanning.
lol


AnnieD posted Sat, 23 August 2008 at 4:02 PM

Actually, it checks to make sure your ports are closed so nothing sneaks in the back way... lol
And it also shows you what kind of info your browser gives to the pages you visit... and it shows about cookies... and just a whole lot of security things you can control yourself if you just do them... By the time you are done your computer will not be able to be seen by hackers... etc. You will be running in total stealth mode. lol

 

“For those who believe, no proof is necessary. For those who don't believe, no proof is possible.”

[Stuart Chase]


AnnieD posted Sat, 23 August 2008 at 4:11 PM

You know... there is one thing that I can't say loud enough or often enough to anyone who will listen...
DO NOT... do not ever click on anything that you don't know what it is for sure...!!!

The ppl who got into trouble here did so because they allowed a request from an unknown factor... the interaction is the key to allowing unknown files on your computer...

The worst ones are the ones that pop up on pages, and when you click to turn them off or get rid of them... you download them instead... because the only command on those things is to download... no matter what else it says... don't close it... don't allow it... don't hit the little x to get rid of it... if there is any question... close out your browser instead... and check your Temporary Internet Files folder to make sure it's cleaned out.
Best thing to do is stay away from questionable pages.

 

“For those who believe, no proof is necessary. For those who don't believe, no proof is possible.”

[Stuart Chase]


3Dillusions posted Sat, 23 August 2008 at 9:16 PM

Quote - Know what 3Dillusions, I'm using FF, and if I had only known to disable Java, I wouldn't still be wondering if info could have been ciphered by the cached Java crap. :s

My AV located the infected stuff in FF's cache, but it didn't point me to the Java cache til I did a full scan.

AnyHOO, thanks for the info, it's much appreciated. : )

You're welcome.

I have my cache set to empty every time I close Firefox.
FF users, do the following.

Tools, Options; when the window opens, go to the Privacy tab.

Then down the bottom you will see Private Data.
Put a check mark under "Always clear my private data when I close Firefox".

The next thing to do is to make sure it clears what you want. I have the following, but this is personal choice; you might want to clear the whole thing.

Click the Settings button in the same area and put a check mark in the things you want cleared, but make sure Cache is one of them.

I only keep cookies and passwords; the rest I nuke.

Angela
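The Options dialog steps above set a handful of preferences in the profile's prefs.js, and the same choice can be pinned in a user.js file so it survives profile resets or can be rolled out to several machines. The script below is an added example, not from the thread or from Mozilla: it emits the user.js lines for the poster's "keep cookies and passwords, nuke the rest" choice and audits an existing prefs file for what would survive browser exit. The pref names are assumptions about the Firefox 3-era settings behind that dialog; confirm them in about:config before relying on them.

```python
"""Firefox "clear private data on exit" as a user.js audit (added example).

The pref names below are assumptions about the Firefox 3-era settings behind
Tools > Options > Privacy > "Always clear my private data when I close
Firefox" and its Settings button; check them against about:config before
relying on them.
"""
import re

MASTER = "privacy.sanitize.sanitizeOnShutdown"          # the top-level check box
CLEAR_PREFS = {                                          # the Settings sub-options
    "privacy.clearOnShutdown.cache": "Cache",
    "privacy.clearOnShutdown.history": "Browsing History",
    "privacy.clearOnShutdown.formdata": "Saved Form and Search History",
    "privacy.clearOnShutdown.downloads": "Download History",
    "privacy.clearOnShutdown.sessions": "Authenticated Sessions",
    "privacy.clearOnShutdown.cookies": "Cookies",
    "privacy.clearOnShutdown.passwords": "Saved Passwords",
}

_PREF_LINE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(true|false|-?\d+|"[^"]*")\);')


def parse_prefs(text):
    """Parse user.js / prefs.js lines into {name: value}. Lines that aren't
    user_pref(...) calls (comments, blanks) are ignored."""
    prefs = {}
    for line in text.splitlines():
        m = _PREF_LINE.match(line)
        if not m:
            continue
        name, raw = m.groups()
        if raw in ("true", "false"):
            prefs[name] = raw == "true"
        elif raw.startswith('"'):
            prefs[name] = raw[1:-1]
        else:
            prefs[name] = int(raw)
    return prefs


def audit(prefs, must_clear=("privacy.clearOnShutdown.cache",)):
    """Report what would survive browser exit. A pref missing from the file is
    treated as not set, so run this over a user.js that states every pref
    explicitly (prefs.js only records values that differ from the defaults)."""
    problems = []
    if not prefs.get(MASTER, False):
        problems.append(f"{MASTER} is off: nothing is cleared at exit")
    for name in must_clear:
        if not prefs.get(name, False):
            problems.append(f"{CLEAR_PREFS.get(name, name)} is kept across sessions ({name})")
    return problems


def user_js_lines(keep=("cookies", "passwords")):
    """Emit user.js lines for the poster's choice: clear everything except
    the categories named in `keep` (default matches "cookies and passwords")."""
    lines = [f'user_pref("{MASTER}", true);']
    for name in CLEAR_PREFS:
        category = name.rsplit(".", 1)[1]
        value = "false" if category in keep else "true"
        lines.append(f'user_pref("{name}", {value});')
    return lines


if __name__ == "__main__":
    print("\n".join(user_js_lines()))
```

Drop the printed lines into user.js in the profile folder; Firefox reads that file at startup and applies it over prefs.js, so the dialog will show the boxes ticked the next time it is opened.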


3Dillusions posted Sat, 23 August 2008 at 9:25 PM

I forgot this also: for pop-ups you should have these blocked; this would have helped a lot of FF users if they had it turned on.

Tools, Options, then Content.

Where it says pop-up blocker, just put a check mark into that.
Guess it must be me, that I have never been caught with an online malware or Trojan fly-by, as I keep up with things, but you don't expect the average person to know all the crap that is out there, and believe me it's increasing.

Latest to date: 1,000 infected websites, and growing daily. It's up to the admins of the pages to be up to date with all the modules and coding they use. It's a daunting task, so don't blame Renderosity; it happens to loads of sites, even the security ones get caught with their pants down once in a while. lol

But as for IFRAME exploits, if this one was one, then that is not good, as it was first reported in 2004; no excuse to not have this plugged up. For Windows XP users, you better be running at least SP2 for this Trojan not to infect your PC, but from what I can see in other forums for Trojan and malware reporting, it seems a lot of people take online browsing as a joke.

And on a happy note, the rate of infection for malware and Trojans on warez sites and P2P has increased 80%, so I am happy for these people; serves them right.

The only reason I know a bit more than the average person is I report the nasty bugs day in, day out. People are totally unaware how dangerous it is online.

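Whether or not the injection here was a classic IFRAME exploit, what visitors reported (McAfee's "Exploit-Iframe", a redirect to a third-party host, applet and ActiveX prompts) is the usual signature of an injected, hidden iframe pointing at an exploit kit. The scanner below is an added example, not code from Renderosity, Bondware or any AV vendor: run over a saved copy of a page, it flags iframes that are hidden or sized 0/1 pixels, executable content pulled from a host that is not on the site's own list, and any applet/object/embed tag. The host names and the sample page are constructed for the example.

```python
"""Find iframes, scripts and plug-in tags that don't belong on a page (added example).

Runs over saved HTML (a page fetched with curl/wget or pulled from the web
root) and reports elements that match how an injected drive-by usually
looks: hidden or 1x1 iframes, and executable content pulled from a host
that isn't the site's own.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

_HIDDEN_CSS = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|(?:width|height)\s*:\s*[01](?:px)?\b",
    re.I,
)


class _TagCollector(HTMLParser):
    """Collect the tags that can load or run code, with their attributes."""
    WATCHED = {"iframe", "script", "object", "applet", "embed"}

    def __init__(self):
        super().__init__()
        self.found = []

    def handle_starttag(self, tag, attrs):
        if tag in self.WATCHED:
            self.found.append((tag, {k.lower(): (v or "") for k, v in attrs}))


def _tiny(value):
    """True for width/height attributes of 0 or 1 (pixels or bare numbers)."""
    m = re.match(r"\s*(\d+)", value or "")
    return bool(m) and int(m.group(1)) <= 1


def scan_html(html, trusted_hosts):
    """Return a list of {tag, src, reasons} for every suspicious element.

    trusted_hosts: hostnames the site legitimately loads from; relative
    URLs (no host) are treated as same-origin and not reported on their own.
    """
    collector = _TagCollector()
    collector.feed(html)
    trusted = {h.lower() for h in trusted_hosts}
    findings = []
    for tag, attrs in collector.found:
        src = attrs.get("src") or attrs.get("data") or attrs.get("archive") or ""
        host = (urlparse(src).hostname or "").lower()
        reasons = []
        if host and host not in trusted:
            reasons.append(f"loads from untrusted host {host}")
        if tag == "iframe":
            if _tiny(attrs.get("width")) or _tiny(attrs.get("height")):
                reasons.append("0/1-pixel iframe")
            if _HIDDEN_CSS.search(attrs.get("style", "")):
                reasons.append("hidden by inline CSS")
        if tag in ("applet", "object", "embed"):
            reasons.append(f"<{tag}> plug-in content")
        if reasons:
            findings.append({"tag": tag, "src": src, "reasons": reasons})
    return findings


# Constructed sample page: one legitimate iframe, one injected drive-by iframe.
SAMPLE_PAGE = """<html><body>
<h1>Free Stuff</h1>
<script src="/js/gallery.js"></script>
<iframe src="http://www.site.example/poll" width="400" height="300"></iframe>
<div><iframe src="http://injected.example/in.cgi?3" width=0 height=0
  style="display:none"></iframe></div>
</body></html>"""

if __name__ == "__main__":
    for f in scan_html(SAMPLE_PAGE, {"www.site.example"}):
        print(f"<{f['tag']}> {f['src'] or '(inline)'}: " + "; ".join(f["reasons"]))
```

Running it against every template and static page in the web root, not just the home page, is the point: the thread shows the injection surfacing in the galleries and freestuff before the front page, and a file-based scan is independent of whatever the attacker changed server-side.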

Angelsinger posted Sat, 23 August 2008 at 9:47 PM

Quote - ...but from what I can see in other forums for Trojan and malware reporting, it seems a lot of people take online browsing as a joke.

And on a happy note, the rate of infection for malware and Trojans on warez sites and P2P has increased 80%, so I am happy for these people; serves them right.

lol... I know someone who uses p2p like his life depends on it; he has no av installed -- but the kicker is, he's an IT guy with in-depth knowledge of computers.

Rarely do you get to see this mixture of stupidity. lmao


Daidalos posted Sun, 24 August 2008 at 12:49 AM

Annie thanks for the Shields up heads up.

It's much appreciated.


"The Blood is the life!"

 


3Dillusions posted Sun, 24 August 2008 at 1:38 AM

Quote - > Quote - ...but from what I can see in other forums for Trojan and malware reporting, it seems a lot of people take online browsing as a joke.

And on a happy note, the rate of infection for malware and Trojans on warez sites and P2P has increased 80%, so I am happy for these people; serves them right.

lol... I know someone who uses p2p like his life depends on it; he has no av installed -- but the kicker is, he's an IT guy with in-depth knowledge of computers.

Rarely do you get to see this mixture of stupidity. lmao

Jeez, he should know better, but not to feel bad; my hubby has just been roasted by me for getting his PC infected by visiting a forum on GPS of all things. Looks like Java was on his PC; he never listens, and now he has to learn to remove it. I am not helping this time. lol

Trojan Horse Dropper.Agent.JOC seems to be the flavor of choice this week.


AnnieD posted Sun, 24 August 2008 at 1:54 AM

You are welcome Daidalos...I hope it helps you as much as it has helped me.   :biggrin:

 

“For those who believe, no proof is necessary. For those who don't believe, no proof is possible.”

[Stuart Chase]


MyCat posted Tue, 26 August 2008 at 10:48 PM

An official statement from the Renderosity administration could help a lot. The Red Hat (and Fedora) servers were recently hacked and they described the attack (afterwards, they were probably a bit busy during.)

My credit card number is going nowhere near a Renderosity Marketplace server until then.


KarenJ posted Wed, 27 August 2008 at 1:38 AM

Hi MyCat,

It's on page 2.


"you are terrifying
and strange and beautiful
something not everyone knows how to love." - Warsan Shire


MyCat posted Wed, 27 August 2008 at 11:15 PM

Thanks KarenJ. (I'm probably a bit too paranoid, but it beats being not paranoid enough.)


JeniferC posted Thu, 28 August 2008 at 1:38 PM

Hi Everyone!

 

I want to give you all the information you need to ensure your browsing protection at Renderosity and at other websites.

 

Renderosity experienced an unauthorized file injection incident last night and one a week ago. Our technical staff cleaned off the affected areas of the site in less than an hour both times. Since then the programmers and network system administrators have been busy trying to make sure it doesn't happen again and tracking down the perpetrator in hopes of some legal recourse.

 

We obtained a lot more valuable information this time, and we have put more safeguards in place. One of those safeguards is to block those with malicious intent, and another is a new version of our Bondware software. This new version of Bondware helps detect and prevent the file injection type of attacks. The detection gives the warning message:

 

"Bondware Guard: Suspicious input detected and logged. Aborting ... "

 

However, it is highly possible that we have filtered out some of the Bondware software's legitimate scripts in our enthusiasm. Please keep in mind that if you see this message, it may not really be suspicious activity. We ask that you please report this to admin@renderosity.com if you see it, so we can fix the legitimate site functions. We hope you can appreciate this precautionary measure we are taking for your safety.

 

Please also note that our Bondware software does not store any credit card information, and we go above the PCI card protection requirements. We have always taken this security approach in order to increase the protection of your personal info.

 

As always, we strongly recommend everyone to always use anti-virus software and reject any and all unsolicited download prompts when visiting ANY website because this type of Trojan is attacking several other large, popular sites.

 

Thank you for understanding.

Jenifer

PS - edited to add that if anyone is still having a problem, it is simply just your cache needing to be cleared out.

 

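The "Suspicious input detected and logged. Aborting" message describes a request-input guard of the detect, log and abort kind, and the statement's own caveat is the one every such filter carries: a blanket pattern match will also block legitimate input that happens to mention a tag. The example below is added here and is not Bondware's code or an account of how it works; it is a generic guard that shows both behaviours, the abort on an injected iframe and the false positive on a harmless post title, together with the per-field allow-list that keeps the second from breaking site functions. The patterns are assumptions about what injected content usually looks like.

```python
"""A request-input guard of the "detect, log, abort" kind (added example).

This is not Bondware's code; it is a generic illustration of what such a
filter does and of the false positives the statement warns about. The
patterns are assumptions about what injected content usually looks like.
"""
import re

SUSPICIOUS = [
    (re.compile(r"<\s*(?:iframe|script|object|applet|embed)\b", re.I),
     "tag that loads executable content"),
    (re.compile(r"javascript\s*:", re.I), "javascript: URL"),
    (re.compile(r"\bon(?:load|error|click|mouseover)\s*=", re.I), "inline event handler"),
    (re.compile(r"(?:\.\./){2,}|\x00"), "path traversal or NUL byte"),
]

ABORT_MESSAGE = "Guard: Suspicious input detected and logged. Aborting ..."


def check_input(name, value, allow_html_fields=()):
    """Return (suspicious, reason) for one form field.

    Fields listed in allow_html_fields are skipped: a forum post body or a
    bug report that legitimately contains the word <script> must not be
    blocked, which is exactly the kind of false positive a blanket filter
    produces.
    """
    if name in allow_html_fields:
        return False, ""
    for pattern, why in SUSPICIOUS:
        if pattern.search(value):
            return True, why
    return False, ""


def guard_request(params, allow_html_fields=(), log=None):
    """Scan every parameter of a request. Records each hit in `log` and
    returns the abort message on the first one, or None if all is clean."""
    if log is None:
        log = []
    for name, value in params.items():
        hit, why = check_input(name, value, allow_html_fields)
        if hit:
            log.append(f"field={name!r} reason={why} value={value[:80]!r}")
            return ABORT_MESSAGE
    return None


if __name__ == "__main__":
    log = []
    for params in (
        {"q": "victorian hair"},
        {"comment": '<iframe src="http://bad.example/x" width=0 height=0></iframe>'},
        {"title": "How do I use <script> in my site?"},
    ):
        print(params, "->", guard_request(params, log=log))
    print("\n".join(log))
```

The third request in the demo is the false positive: it is aborted unless `title` is on the allow-list, which is why the log entry, with the field name and the matched reason, matters more than the abort itself; it is what lets the admins tune the filter from the reports the statement asks for.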

Jean-Luc_Ajrarn posted Thu, 28 August 2008 at 2:40 PM

Thank you very much for the info, Jennifer. :)