Airikita (Author) Posted May 11, 2013
http://www.avgthreatlabs.com/webthreats/info/blackhole-exploit-kit-detection/
I am getting alerts from AVG from the shoutbox javascript about a Blackhole Exploit virus. I cannot use the shoutbox, and a lot of functions from the forums are not working. Every time I refresh the page, AVG pops up with 10 or 20 threats detected and removed. I am locked out from viewing certain options from my profile options at the top. I also was unable to view any of the forum topics today for some time.
EDIT:
Jack Walker Posted May 11, 2013
This is strange. I have AVG as well and I'm not getting any kind of virus warnings from the shoutbox.
Conker Posted May 11, 2013
It took me a bit to get the warnings but I certainly do get them now.
mzxrules Posted May 11, 2013
I browsed the code a bit for kicks, didn't find anything terribly odd. Found this gem in the board source though.
{if(Prototype.Browser.IE){text=text.replace(/!!~~~~~~~~~~ie-sucks~~~~~~~~~~~~!!/g,"n");}
oddMLan Posted May 11, 2013
> I browsed the code a bit for kicks, didn't find anything terribly odd. Found this gem in the board source though.
> {if(Prototype.Browser.IE){text=text.replace(/!!~~~~~~~~~~ie-sucks~~~~~~~~~~~~!!/g,"n");}
> http://www.the-gcn.com/topic/2359-site-compromised/?do=findComment&comment=37217
^ I found the malicious code (is obfuscated tho)
EDIT: Some of the affected files:
http://www.the-gcn.com/public/min/index.php?ipbv=3a4b80d54978fa586b7b351014301a19&charset=UTF-8&f=public/js/ipb.js,cache/lang_cache/1/ipb.lang.js,public/js/ips.hovercard.js,public/js/ips.quickpm.js,public/js/ips.post.js,public/js/ips.topic.js,public/js/ips.textEditor.bbcode.js,public/js/ips.textEditor.js
http://www.the-gcn.com/public/min/index.php?ipbv=3a4b80d54978fa586b7b351014301a19&g=js
http://www.the-gcn.com/public/js/shoutbox.js
http://www.the-gcn.com/public/min/index.php?ipbv=3a4b80d54978fa586b7b351014301a19&charset=UTF-8&f=public/js/ipb.js,cache/lang_cache/1/ipb.lang.js,public/js/ips.hovercard.js,public/js/ips.quickpm.js,public/js/ips.board.js
http://www.the-gcn.com/public/js/reflection/reflection.js
http://www.the-gcn.com/public/js/3rd_party/lightbox.js
http://www.the-gcn.com/public/js/shoutbox.js
http://www.the-gcn.com/public/js/shoutbox.js
http://www.the-gcn.com/public/min/index.php?ipbv=3a4b80d54978fa586b7b351014301a19&g=js
http://www.the-gcn.com/public/js/ips.statisticsTab.js
http://www.the-gcn.com/mobiquo/smartbanner/appbanner.js
http://www.the-gcn.com/public/js/ips.facebook.js
http://www.the-gcn.com/public/js/ips.loginSlide.js
http://www.the-gcn.com/public/style_extra/blog_bookmarks/facebook.gif
Three_Pendants Posted May 12, 2013
I'm not trying to stir anything up, but I've been through a fair amount of the topics I missed over the weekend on this Sunday evening and I encountered no problems until I went to "Zeth's Official Removal Topic" then the virus tried to download itself on each and every page of it that I visited. When I left the topic my anti-virus made no more results towards anything strange. It would appear, at least to me, that the stem of the virus may somehow be from there.
Jack Walker Posted May 12, 2013
> I'm not trying to stir anything up, but I've been through a fair amount of the topics I missed over the weekend on this Sunday evening and I encountered no problems until I went to "Zeth's Official Removal Topic" then the virus tried to download itself on each and every page of it that I visited. When I left the topic my anti-virus made no more results towards anything strange. It would appear, at least to me, that the stem of the virus may somehow be from there.
I think that is purely coincidental. Until just recently, the virus would only show up when I check private messages. It never showed up on the "Zeth's Official Removal" topic. Now, it shows up on the index like other people have been reporting.
Three_Pendants Posted May 12, 2013
Hmm, yeah maybe it is just coincidence, I wasn't sure if everything was settled or not since that was a day or two ago when I came back. As written here it seems to be affecting everyone in a different manner.
Airikita (Author) Posted May 13, 2013
I spoke with Sakura about the issue, and apparently Shadow Fire is unable to log into the Admin CP. His host's security team is working on the issue.
> There's an exploit on the site. My host's security team is currently working on a way to fix it.
> It's... bad.
> I can't even log in to the Admin CP.
giadrosich Posted May 13, 2013
Yeah, change your passwords guys.
Saraka Posted May 13, 2013
So... When I attempted to change my password, (I did successfully), I got this at the top of the page
Warning: Cannot modify header information - headers already sent by (output started at /home/thegcn/public_html/~nautilus/sources/handlers/han_login.php:1187) in /home/thegcn/public_html/~nautilus/sources/classes/output/formats/html/htmlOutput.php on line 114
Warning: Cannot modify header information - headers already sent by (output started at /home/thegcn/public_html/~nautilus/sources/handlers/han_login.php:1187) in /home/thegcn/public_html/~nautilus/sources/classes/output/formats/html/htmlOutput.php on line 127
Warning: Cannot modify header information - headers already sent by (output started at /home/thegcn/public_html/~nautilus/sources/handlers/han_login.php:1187) in /home/thegcn/public_html/~nautilus/sources/classes/output/formats/html/htmlOutput.php on line 136
Warning: Cannot modify header information - headers already sent by (output started at /home/thegcn/public_html/~nautilus/sources/handlers/han_login.php:1187) in /home/thegcn/public_html/~nautilus/sources/classes/output/formats/html/htmlOutput.php on line 137
Warning: Cannot modify header information - headers already sent by (output started at /home/thegcn/public_html/~nautilus/sources/handlers/han_login.php:1187) in /home/thegcn/public_html/~nautilus/sources/classes/output/formats/html/htmlOutput.php on line 14
Librarian Posted May 13, 2013
@Phoretsu Same with me.
Saraka Posted May 13, 2013
This is getting slightly creepy. :/
SoulofDeity Posted May 13, 2013
I hate to admit it, but this is starting to look a lot like a DOS attack... I don't wanna make anyone panic, but just in case the worst happens, I'd suggest backing up any important information you may need.
Saraka Posted May 13, 2013
A denial of service? This is getting too scary. Something's extremely fishy. :x I had a hard time logging back in.
!Tommy Posted May 13, 2013
This is exactly why I wonder why people praise computers in the first place. Sure, they can make our lives easier sometimes but other times they cause so much hassle and headache... is it honestly worth it having to put up with all this crap? This is why I think an all digital world is an extremely bad idea.
Airikita (Author) Posted May 13, 2013
I love the digital world, it's a place to connect, and the world has changed greatly because of it. You can't disagree with the positives.
!Tommy Posted May 13, 2013
> I love the digital world, it's a place to connect, and the world has changed greatly because of it. You can't disagree with the positives.
You're right, it does have its positives but it has just as many negatives. But let's say back in the early 2000s, even though computers were popular, not everything was online and I think that's how it should continue to be, both digital and printed content. It's getting to the point you almost can't live in this world without a computer of some sort. But I'll stop there since it's getting away from the actual topic.
Porto881 Posted May 13, 2013
I had no problems until I tried to change my password. It kept telling me my current password was incorrect. Logged out and had the same problem. I tried about 20 times before I had to get it reset with a temporary password through email and all that. Not sure if it was just me being stupid or if it maybe had something to do with this, but I felt I should share just in case.
Shadow Fire Posted May 13, 2013
I recommend not doing anything just yet. HostGator Security are looking into the matter as we speak.
Shadow Fire Posted May 14, 2013
Resolved
The original need for this topic has been resolved.
Topic closed.
If you feel this is in error, please consult a member of staff.