Virus warning after following a link (not ECF site)

[AttyPops]

So I followed a link in a post here on ECF to a PV seller's site...and got a virus warning from Norton Security Suite. I made a post in the thread noting it.

Do I (or you) need to do anything else? PM the server admin? Break the link in the post?

The warning was about:
Web Attack: SofosFO Exploit Kit Website

The post I quoted (but broke the link in my quote) is here:
http://www.e-cigarette-forum.com/fo...ed-recommendations-new-mod-3.html#post9660491

And I PM'ed the person that had the original post. Others have qoted it in that thread tho. Nobody intended to have an issue. Could even be a false positive or from an ad. IDK.

I don't think it's my system, but I'm running a full scan anyway.

 

[moijamie]

The chances of getting a virus from a website by just visiting it seems pretty small to me but you never know for sure

 

[lissa5168]

The chances of getting a virus from a website by just visiting it seems pretty small to me but you never know for sure

It's actually quite common anymore. You used to have to download or open something in order to get it, but no more. Our main office at work got hacked from someone in Amsterdam by people just visiting Facebook. Our IT guy traced the attack. Thankfully our security kept them out of our server ... locked us all out as well, lol. That was a fun week while nobody could connect until the cleaned it out.

 

[moijamie]

The chances of getting a virus from a website by just visiting it seems pretty small to me but you never know for sure

It's actually quite common anymore. You used to have to download or open something in order to get it, but no more. Our main office at work got hacked from someone in Amsterdam by people just visiting Facebook. Our IT guy traced the attack. Thankfully our security kept them out of our server ... locked us all out as well, lol. That was a fun week while nobody could connect until the cleaned it out.

disable javascript

 

[AttyPops]

The IP address of the site via whois doesn't match the attacking computer site in the Norton message. However, it only appeared after I clicked the link. No other activities going on. So who knows. No slams against that vendor intended. I'm just not sure what to do.

It's a GoDaddy hosted system if the whois info is to be trusted (of the site url). However the IP address was quite different. IDK if it could come from an ad or something. Strange.

 

[AttyPops]

Sigh. Dump Java. Security hole.

Javascript, however, is often required to use a site effectively. Not much you can do, IMHO.

Anyway, all off topic.

To ECF Admin....I've done my duty. IDK what else to do other than report this and note it. Too much going on for me to tell who/what/where/why when the IP addresses don't match up. Positive it happened when I clicked on that link. But not positive as to why it happened. Or if it's that site, or some other site (imbedded info or ad or whatever). The source IP is different but that doesn't mean much since the original site could have been hacked and then made a request to another site..........or whatever.

 

[tcgenius]

better safe than sorry

 

[AttyPops]

better safe than sorry

??????????

You mean my leaving a message about the possible virus. Thanks.

If you mean disabling javascript so the server that Lisa5168 was trying to access when it was taken "offline" for maintenance would all of a sudden be theoretically available (NOT!) ...dumb. Javascript was likely not the reason she couldn't access the server.

Also, as far as I know...you wouldn't be using ECF if you had javascript disabled, since the post button doesn't even work.... There are times it's handy to temporarily disable it but....mostly not practical.

Anyway...this isn't a general computer security thread. It's a specific question to the forum admins. thanks.

 

[retired1]

Could be a false positive. I went and looked at the source code on the page and didn't find anything out of place. Unfortunately, they don't provide much information on their site for contact information. You could try calling them at 347-286-8943 so they can have their IT person check the site over.

Edit -- I ran the page through Sucuri SiteCheck and it didn't find anything.

 

[AttyPops]

Makes me think/guess it's either fixed now, or that it was embedded content of some type. My local system scan was negative so I don't think it was me.

Who knows. The site's page came up and so did the message. Could be a comm error/false positive. or random. or fixed now. or dodged for now. or whatever.

Guess it's a non-issue if they don't have contact info. I don't see a reason to make that long distance call if your check said it was OK and they don't provide e-mail contact info.

It came from "Network traffic from parish. reign .treatmentsalo.in/mnu6rufxZP4ZP4K5w55P84y/null/missed.php5 matches the signature of a known attack. "

spaces added to block URL. Odd. That's a domain in India. So probably from an ad or some other content being served up.

 

[flintlock62]

SofosFO Exploit Kit Website
That's is a serious virus. You need to run Norton Power Eraser. You may also want to download a free copy of malwarebytes.

 

[tcgenius]

I just meant that writing a post about the issue was a good idea even if it was a false positive. At least people can check it out to see if there is an issue to be worried about. I was not referring to the javascript. My apologies for the confusion.

??????????

You mean my leaving a message about the possible virus. Thanks.

If you mean disabling javascript so the server that Lisa5168 was trying to access when it was taken "offline" for maintenance would all of a sudden be theoretically available (NOT!) ...dumb. Javascript was likely not the reason she couldn't access the server.

Also, as far as I know...you wouldn't be using ECF if you had javascript disabled, since the post button doesn't even work.... There are times it's handy to temporarily disable it but....mostly not practical.

Anyway...this isn't a general computer security thread. It's a specific question to the forum admins. thanks.

 

[AttyPops]

SofosFO Exploit Kit Website
That's is a serious virus. You need to run Norton Power Eraser. You may also want to download a free copy of malwarebytes.

I ran a thorough scan. Was negative. Will check other options. It was blocked (hence the alert). However, I'll still check other options. Thx.

 

[progg]

Also, as far as I know...you wouldn't be using ECF if you had javascript disabled, since the post button doesn't even work.... There are times it's handy to temporarily disable it but....mostly not practical. .

Just as info : I'm posting this with javascript disabled. (FF 21.0, also plug-in is disabled.)

 

[AttyPops]

OK, I stand corrected, post button is a bad example, but you probably don't have buttons above your text area, or other features..... and other less friendly sites won't hardly work at all.

The point being...who the heck would want to surf like that? Maybe you, but not me. No fun. I try to avoid the more "iffy" sites when I can. Can't be perfect though, true. The only perfectly safe way to surf the net...is not to.

The other thing about FF....I'd like a button to enable/disable js. Maybe possible with a macro or setting of some kind, IDK. But it's a pain to turn on/off by site.

 

[progg]

You're correct, Atty. Just wanted to say it is possible to post with JS disabled in case it ever became necessary. Thanks for your heads up in your first post.

 

[AttyPops]

I edited above. Do you know of a way to turn it on by site? Or have an on-off button for it? The option menu route is a pain.

 

[progg]

The only ways that I know of are -

Option method you referenced.

NoScript extension for FF which can control specific sites and specific scripts at a site.

 

[JessicaS]

The IP address of the site via whois doesn't match the attacking computer site in the Norton message. However, it only appeared after I clicked the link. No other activities going on. So who knows. No slams against that vendor intended. I'm just not sure what to do.

It's a GoDaddy hosted system if the whois info is to be trusted (of the site url). However the IP address was quite different. IDK if it could come from an ad or something. Strange.

The IP from whois would most likely not match, since it sounds like a browser redirection. This could be from an exploited Java hole, SQL injection or more commonly a browser add-on gone gone rogue. My advice would be clear out your browser's cache and disable any unnecessary add-ons.