Might be a malware problem

Status
Not open for further replies.

Kent C

ECF Guru
ECF Veteran
Verified Member
Jun 12, 2009
26,547
60,050
NW Ohio US
Thank you for this, we are looking into it.

For now, what I suggest is updating your Java by going here:

Download Free Java Software

Then uninstall all old Java files and also delete the Java installer app by running JavaRa from here:

Software | RaProducts
Choose: "Download Windows Binary (.zip file)"

Then run an online check to see if your Java installation is now secure:

OSI - Consumer - Products

Thanks Roly. Couldn't have been simpler. I wasn't having any problems but good to be up to date....
 

AttyPops

Vaping Master
ECF Veteran
Jul 8, 2010
8,708
132,182
Hc Svnt Dracones - USA EST
Thanks for all the great info guys/gals. I don't think I was infected, since I don't allow JAVA and run Firefox. However, I'd like to check. Unfortunately, I didn't catch where you named the exploit, so I don't know what to search for, nor if my anti-virus software detects it. Which one was it? Others have listed viruses they are infected with, but IDK if that was ECF specific.

Thanks!
 

rolygate

Vaping Master
Supporting Member
ECF Veteran
Verified Member
Sep 24, 2009
8,354
12,402
ECF Towers
Hard to say because I think two things happened at about the same time: a vapers group on Facebook got infected, and some of that spilled over to here, and then we had a different exploit on one of the ECF servers. The FB people fixed their end, then we had to find our problem. It turned out to be very hard to find as it was in an old plugin semi-installed in 2008 that was invisible unless you searched every file in vB - which is basically what our apps admin had to do.

As these things are encrypted code or call a script on another server, there's no way to tell exactly what it would be called, and the informal names - such as 'blackhole toolkit' - are not really any help anyway. Good scanners (online like Secunia, or on-PC ones) often find the stuff on a PC, and if things get difficult, you go to rootkit scanners, then offline scans using a Linux-based live CD with the right tools. Sometimes the problem is easy to find if you go straight to that and you are OK with registry editing.

I think the main lesson here is don't use Internet Explorer, or if you do, make absolutely sure that your whole PC has everything on it updated every week; plus get yourself a good AV and a real firewall, not the Windows joke effort. If you don't browse with IE then you get about 1% of the issues - or less.

It's best to keep your PC updated as there is plenty of software that regularly has holes found. Windows, IE, Java, anything Adobe including the simple PDF reader, Flash, Office (Excel for example), all need a regular update. It's also a good idea to get rid of old Java stuff because apparently it doesn't do that when updating, which leaves you vulnerable if IE lets anything in. Get something other than Adobe for anything web-related as they don't have a good reputation there. Get rid of Adobe PDF Reader too; there are several alternatives that don't take 30 seconds to boot up and have as many holes as Swiss cheese.

People need to use a real firewall, and a real one is one that stops dangerous traffic both in and out. Windows Firewall only works in one direction so from my perspective it does not qualify for the name 'firewall'. A real one has to learn what you allow and don't allow, so it has to be trained, and because of that, people can't be bothered. A real one blocks stuff dialing out and that's what you should do. Never, ever click 'Yes', unless you know exactly what is happening. Just click 'No' or 'Block' and make sure the Remember box is not checked. Then, if something doesn't work, you can just reboot and next time check the 'Remember' box and click 'Allow'. Just don't click Allow, ever, unless you know what it is. And remember that these things will try to fool you, so they may look respectable.

See this page:

Security advice

We do what we can but it is inevitable that every 6 months we will be exploited, because this site is so complex and because there are people trying to crack it all the time. The miracle is that it doesn't happen more often.

As several e-cig sites have had issues in the last couple of weeks it makes you wonder. If I had a couple of million bucks and wanted to bury e-cigs I know one route I'd go down...
 
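The steps given earlier in the thread (update Java, uninstall the old versions, then verify) and the remark above that updating does not remove old Java versions both come down to one check: which Java runtimes are still registered on the machine. As an added example, not code from the thread and not JavaRa's code, the PowerShell script below reads the standard Uninstall registry keys (64-bit and 32-bit views), keeps the entries named in Oracle's "Java N Update M" style, and flags every runtime older than the newest one found, printing its uninstall command. It assumes Windows PowerShell 3 or later and a per-machine (HKLM) Java install; per-user installs under HKCU are not covered.

```powershell
# Added example (not from the thread, not JavaRa's code): list every Java runtime still
# registered in Windows' uninstall database, so leftover old versions can be spotted after
# an update. Assumes Windows PowerShell 3+; the two paths are the standard per-machine
# Uninstall keys (64-bit view and the WOW6432Node 32-bit view).
function Get-InstalledJava {
    $uninstallKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    # Oracle/Sun runtime entries are named like "Java 8 Update 201" or "Java(TM) 6 Update 45";
    # entries without a parseable DisplayVersion are dropped so the version compare below is safe.
    Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -match '^Java(\(TM\))?\s+\d' -and ($_.DisplayVersion -as [version]) } |
        Select-Object DisplayName, DisplayVersion, Publisher, UninstallString
}

function Show-JavaLeftovers {
    $installed = @(Get-InstalledJava)
    if ($installed.Count -eq 0) {
        Write-Output 'No Java runtime is registered on this machine.'
        return
    }
    # The highest DisplayVersion present is taken as the one just installed; anything below
    # it is a leftover that the updater left behind.
    $newest = $installed | ForEach-Object { [version]$_.DisplayVersion } |
              Sort-Object -Descending | Select-Object -First 1
    foreach ($entry in $installed) {
        $status = if ([version]$entry.DisplayVersion -lt $newest) { 'OLD - uninstall' } else { 'current' }
        '{0,-36} {1,-14} {2}' -f $entry.DisplayName, $entry.DisplayVersion, $status
    }
    $old = @($installed | Where-Object { [version]$_.DisplayVersion -lt $newest })
    if ($old.Count -gt 0) {
        Write-Output ''
        Write-Output 'Uninstall commands for the leftovers (run from an elevated prompt):'
        $old | ForEach-Object { '  ' + $_.UninstallString }
    }
}

Show-JavaLeftovers
```

Run it once before and once after the cleanup; the second run should list a single entry marked "current". If a browser Java plugin is a concern, the same registry check will not tell you whether the plugin is enabled in the browser, so the online verification step suggested earlier in the thread is still worth doing.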

rolygate

Vaping Master
Supporting Member
ECF Veteran
Verified Member
Sep 24, 2009
8,354
12,402
ECF Towers
@LAFL - I'm told that this causes the filesystem to just be hidden, and you need something like unhide.exe to fix it. There's a guy on here who fixes it for people and charges $50, but it only takes him 5 minutes.

Best to update everything and don't use IE, no issues then.

I sympathize with your loss, we've all been there.
 

maxx

Ultra Member
ECF Veteran
Jan 23, 2010
1,269
3
PA, USA
www.omnimaxx.com
Just want to let you guys know....the issue still exists. Here now on the Linux half of my machine because the Windows half got hit by the bug. I agree...it's a Java exploit, but I don't buy the Facebook connection. I think that might be a red herring. I've seen this exploit before on a Drupal-based forum, and it was the ad servers that were infected.

I think you may be making a mistake by concentrating on the Internet Explorer/Facebook thing...and not looking very close at the ad servers. Just my take on it....
 

rolygate

Vaping Master
Supporting Member
ECF Veteran
Verified Member
Sep 24, 2009
8,354
12,402
ECF Towers
Hi Maxx.

As far as we know it's gone now, as we found two exploits (one on a Facebook group, one on our server) that were removed.

We only use Google's ads as far as external sources go. Our banner ads are ~40kB jpegs or 20kB gifs served from our own server, so they are as safe as is possible - no room on the ads for malware code, and/or our own adserver would need to be exploited. We checked it two weeks ago and it came up clean.

Please see this post:
http://www.e-cigarette-forum.com/forum/computer-security/187157-online-security-advice.html

Perhaps you have a rootkit, maybe you can investigate that possibility?
 

vaporgalinfla

Supplier Associate
ECF Veteran
May 7, 2010
5,918
914
Florida
Roly... this morning at 9:03 I had a Symantec pop up showing me it had blocked the "blackhole toolkit" one when I clicked on "settings"...first I've had since my overhaul...I have the info if wanted again.....

(I don't use facebook)

The exact same thing happened to me this morning within seconds after I logged in to ECF. I'm glad Symantec blocked it. If anyone wants the originating ip address, let me know.

I use facebook, but haven't been on the site in weeks.
 

Godzilla

Unregistered Supplier
ECF Veteran
Sep 3, 2010
2,624
1,024
Northern California
www.foxyboxmods.com
Hopefully your IT people can get to the bottom of this soon. I won't even log in on my work computer anymore in fear of getting the virus again. I think I will stick to my iPod for now using tapatalk. I can't afford to have my home computer infected plus my wife would go ballistic without her laptop. Since the virus I now only use firefox but I am fearful that is not enough.
 

Sdh

ECF Guru
ECF Veteran
Aug 31, 2010
10,509
17,194
U.S.
My firewall got hit yesterday also. Said the source was 64.72.105.3

Notice that when I go to the ECF for the first time that info is loading thru 64.72.105.3
What browser are you using? TIA

That would be the IP address that is linked to the Windows restore virus. Vaporgalinfla gave me the IP address for my knowledge. I am using firefox right now and so far so good.
 
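A firewall alert like the one described in this post is a one-off pop-up; the firewall's own log keeps the full record, so the same address can be checked for earlier or later connections, and in both directions. As an added example, not from the thread, the PowerShell snippet below parses lines in the Windows Firewall log format (pfirewall.log, whose field order is given in its own "#Fields:" header) and reports every entry whose source or destination is on a watch list. The log lines are constructed for the demo; the watch-list address is the one quoted in the post above, and the other addresses are private or documentation ranges.

```powershell
# Added example, not from the thread: scan lines in the Windows Firewall log format
# (pfirewall.log: "date time action protocol src-ip dst-ip src-port dst-port ... path")
# for traffic to or from addresses on a watch list. The log lines below are constructed
# for the demo; to read the real log, replace $sampleLog with
#   Get-Content "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log"
# (the default location once logging is enabled in the firewall's properties).
$sampleLog = @'
#Version: 1.5
#Software: Microsoft Windows Firewall
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2012-03-13 09:03:11 ALLOW TCP 192.168.1.10 203.0.113.5 49320 443 0 - 0 0 0 - - - SEND
2012-03-13 09:03:12 DROP TCP 192.168.1.10 64.72.105.3 49321 80 52 S 1234567 0 8192 - - - SEND
2012-03-13 09:03:13 DROP TCP 64.72.105.3 192.168.1.10 80 49321 52 S 7654321 0 8192 - - - RECEIVE
2012-03-13 09:04:02 ALLOW UDP 192.168.1.10 192.168.1.1 55121 53 0 - - - - - - - SEND
'@ -split "`r?`n"

function Find-FirewallLogHits {
    param(
        [string[]]$LogLines,
        [string[]]$WatchList
    )
    foreach ($line in $LogLines) {
        # Skip the header comments and blank lines
        if ([string]::IsNullOrWhiteSpace($line) -or $line.StartsWith('#')) { continue }
        $f = $line -split '\s+'
        if ($f.Count -lt 8) { continue }
        $src = $f[4]
        $dst = $f[5]
        # Which end of the connection is the watch-listed host, and which port it used
        if ($WatchList -contains $src) {
            $remote = $src; $remotePort = $f[6]
        } elseif ($WatchList -contains $dst) {
            $remote = $dst; $remotePort = $f[7]
        } else {
            continue
        }
        # The last field ("path") is SEND for outbound and RECEIVE for inbound packets
        $direction = if ($f[-1] -eq 'SEND') { 'outbound' } else { 'inbound' }
        [pscustomobject]@{
            Time       = "$($f[0]) $($f[1])"
            Action     = $f[2]
            Protocol   = $f[3]
            Direction  = $direction
            Remote     = $remote
            RemotePort = $remotePort
        }
    }
}

$hits = @(Find-FirewallLogHits -LogLines $sampleLog -WatchList @('64.72.105.3'))
$hits | Format-Table -AutoSize
$allowed = @($hits | Where-Object { $_.Action -eq 'ALLOW' }).Count
"{0} entries involved a watch-listed address; {1} of them were allowed through" -f $hits.Count, $allowed
```

On the sample data this reports two entries, both dropped, one in each direction. The value of the check is in the ALLOW count: a dropped outbound attempt says the firewall did its job, while an allowed one means something on the PC already reached the address and the machine itself needs looking at, which is the point made earlier in the thread about blocking traffic in both directions.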

jj2

Moved On
ECF Veteran
May 30, 2009
196,879
212,800
Hundred Acre Wood
DH prefers IE and went into Facebook and got nailed: Zone Power caught it.
Ran Malwarebytes Anti-Malware after too.
It was about the time Classy was having problems. Can't remember the details but part of what was quarantined was something involving Java.
I've since updated and have been using Firefox only on Facebook and ECF.

This still being a problem is a problem though. I sometimes use my son's laptop and it only has IE on it so I hope someone finally finds the problem.
 