Site Infected!
(EQEmulator Forums, General::General Discussion)

#1 - 04-23-2010, 04:34 PM
ChaosSlayerZ (Demi-God), Join Date: Mar 2009, Location: Umm, Posts: 1,492

heads up!

one of the adds running on the site has just tried to inject my pc with a trojan.

#2 - 04-23-2010, 05:12 PM
blackdragonsdg (Dragon), Join Date: Dec 2008, Location: Tennessee, Posts: 654

Happened to me too... here is a bit more information on it:

Code:
4/23/2010 3:47 PM,High,An intrusion attempt by google.analytics.com.scvepuxdfzar.info was blocked.,Blocked,No Action Required,HTTP Trojan Mebroot Request,"google.analytics.com.scvepuxdfzar.info (208.68.139.38, 80)",google.analytics.com.scvepuxdfzar.info/ld/kav4/,"DRAGON148-PC (192.168.1.101, 2009)",208.68.139.38 (208.68.139.38),"TCP, www-http",
4/23/2010 2:51 PM,Info,Intrusion Prevention has been enabled,Detected,No Action Required,,,,,,,Intrusion Prevention
4/23/2010 2:51 PM,Info,Intrusion Prevention is monitoring 1580 signatures. Driver version: 9.1.2.5,Detected,No Action Required,,,,,,,Intrusion Prevention
4/23/2010 2:51 PM,Info,Intrusion Prevention Engine version: 4.5.0.67 Definitions Set version: 20100415.001,Detected,No Action Required,,,,,,,Intrusion Prevention
4/21/2010 1:22 PM,Info,Intrusion Prevention has been enabled,Detected,No Action Required,,,,,,,Intrusion Prevention
4/21/2010 1:22 PM,Info,Intrusion Prevention is monitoring 1580 signatures. Driver version: 9.1.2.5,Detected,No Action Required,,,,,,,Intrusion Prevention
4/21/2010 1:22 PM,Info,Intrusion Prevention Engine version: 4.5.0.67 Definitions Set version: 20100415.001,Detected,No Action Required,,,,,,,Intrusion Prevention
4/20/2010 6:31 PM,Medium,An intrusion attempt by 68.87.74.166 was blocked.,Blocked,No Action Required,Portscan,"68.87.74.166, 53",,"DRAGON148-PC (192.168.1.101, 59865)",68.87.74.166,"UDP, Port 53",
4/20/2010 6:31 PM,Medium,An intrusion attempt by 68.87.74.166 was blocked.,Blocked,No Action Required,Portscan,"68.87.74.166, 53",,"DRAGON148-PC (192.168.1.101, 60362)",68.87.74.166,"UDP, Port 53",
4/20/2010 4:24 PM,Info,Intrusion Prevention has been enabled,Detected,No Action Required,,,,,,,Intrusion Prevention
4/20/2010 4:24 PM,Info,Intrusion Prevention is monitoring 1580 signatures. Driver version: 9.1.2.5,Detected,No Action Required,,,,,,,Intrusion Prevention
4/20/2010 4:24 PM,Info,Intrusion Prevention Engine version: 4.5.0.67 Definitions Set version: 20100415.001,Detected,No Action Required,,,,,,,Intrusion Prevention
4/18/2010 8:03 PM,Medium,An intrusion attempt by 68.87.74.166 was blocked.,Blocked,No Action Required,Portscan,"68.87.74.166, 53",,"DRAGON148-PC (192.168.1.101, 51040)",68.87.74.166,"UDP, Port 53",
4/18/2010 8:03 PM,Medium,An intrusion attempt by 68.87.74.166 was blocked.,Blocked,No Action Required,Portscan,"68.87.74.166, 53",,"DRAGON148-PC (192.168.1.101, 50654)",68.87.74.166,"UDP, Port 53",
4/18/2010 7:35 PM,High,An intrusion attempt by 93.186.117.19 was blocked.,Blocked,No Action Required,HTTP Fake Antivirus Install Request 4,"93.186.117.19, 80",93.186.117.19/main.php?land=20&affid=44704,"DRAGON148-PC (192.168.1.101, 1637)",93.186.117.19,"TCP, www-http",
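The log above mixes informational rows with the rows that actually matter (the Blocked ones), and the remote host and IP sit in a quoted "host (ip, port)" column that a naive comma split would mangle. Below is an added example, not code from the thread, that pulls severity, signature, remote host and remote IP out of that format so the indicators can go into a blocklist rather than be read off by eye. write_sample_log writes a constructed file containing four of the posted lines verbatim; the function and file names are assumptions for the demo.

```shell
#!/bin/sh
# Added example, not from the thread: extract blocked-event indicators from the
# intrusion-prevention log pasted above. write_sample_log creates a constructed
# file holding a few of the posted lines verbatim so this runs offline.

write_sample_log() {
    cat > "$1" <<'EOF'
4/23/2010 3:47 PM,High,An intrusion attempt by google.analytics.com.scvepuxdfzar.info was blocked.,Blocked,No Action Required,HTTP Trojan Mebroot Request,"google.analytics.com.scvepuxdfzar.info (208.68.139.38, 80)",google.analytics.com.scvepuxdfzar.info/ld/kav4/,"DRAGON148-PC (192.168.1.101, 2009)",208.68.139.38 (208.68.139.38),"TCP, www-http",
4/23/2010 2:51 PM,Info,Intrusion Prevention has been enabled,Detected,No Action Required,,,,,,,Intrusion Prevention
4/20/2010 6:31 PM,Medium,An intrusion attempt by 68.87.74.166 was blocked.,Blocked,No Action Required,Portscan,"68.87.74.166, 53",,"DRAGON148-PC (192.168.1.101, 59865)",68.87.74.166,"UDP, Port 53",
4/18/2010 7:35 PM,High,An intrusion attempt by 93.186.117.19 was blocked.,Blocked,No Action Required,HTTP Fake Antivirus Install Request 4,"93.186.117.19, 80",93.186.117.19/main.php?land=20&affid=44704,"DRAGON148-PC (192.168.1.101, 1637)",93.186.117.19,"TCP, www-http",
EOF
}

# blocked_indicators LOGFILE
# Prints one tab-separated line per Blocked event: severity, signature, source, ip.
# Columns 1-6 never contain quotes in this format, so a plain comma split is safe
# for them; the remote "host (ip, port)" column is quoted and may hold commas, so
# the IP is located by searching for the host name followed by " (" instead.
blocked_indicators() {
    awk '
    BEGIN { FS = "," }
    $4 == "Blocked" {
        src = $3
        sub(/^An intrusion attempt by /, "", src)
        sub(/ was blocked\.$/, "", src)
        if (src ~ /^[0-9.]+$/) {
            ip = src                         # source already given as an address
        } else {
            ip = ""
            i = index($0, src " (")          # "host (ip, port)" in the remote column
            if (i > 0) {
                rest = substr($0, i + length(src) + 2)
                if (match(rest, /^[0-9.]+/)) ip = substr(rest, RSTART, RLENGTH)
            }
        }
        print $2 "\t" $6 "\t" src "\t" ip
    }' "$1"
}

# high_hosts LOGFILE
# Unique "host ip" pairs for High-severity blocks: the rows worth feeding to a
# router or dnsmasq blocklist. Medium portscan noise from the ISP resolver is left out.
high_hosts() {
    blocked_indicators "$1" | awk -F'\t' '$1 == "High" { print $3, $4 }' | LC_ALL=C sort -u
}

# --- demo -------------------------------------------------------------------
LOG=$(mktemp)
write_sample_log "$LOG"
echo "Blocked events (severity, signature, source, ip):"
blocked_indicators "$LOG"
echo "High-severity hosts to block:"
high_hosts "$LOG"
rm -f "$LOG"
```

Run it as-is to see the four sample rows reduced to three blocked events and two high-severity host/IP pairs; point write_sample_log at a real export to process the full log.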

#3 - 04-23-2010, 08:31 PM
Congdar (Developer), Join Date: Jul 2007, Location: my own little world, Posts: 751

Yep, McAfee blocked the trojan for me too.
__________________
The Realm

#4 - 04-23-2010, 10:58 PM
Akkadius (Administrator), Join Date: Feb 2009, Location: MN, Posts: 2,071

Aye I had to do a restart, and then get into my processes before I could go back a day to restore my old slate. Was beautiful.

#5 - 04-23-2010, 11:41 PM
steve (Discordant), Join Date: Jan 2002, Posts: 305

Nasty.

I use a router script that is updated automatically every week that blocks advertisements on websites. Never can be too careful these days, antivirus and anti-malware software can't protect you from everything.

#6 - 04-24-2010, 12:36 AM
Akkadius (Administrator), Join Date: Feb 2009, Location: MN, Posts: 2,071

Aye, that's why I don't really use anything. Just do a restart and cancel out the processes running in the background that aren't familiar, before they take control of your machine; then you can go back to a restore point (if your OS has it, of course).

#7 - 04-24-2010, 01:08 AM
pfyon (Discordant), Join Date: Mar 2009, Location: Ottawa, Posts: 495

Quote (Originally Posted by Akkadius):
    Aye, that's why I don't really use anything. Just do a restart and cancel out the processes running in the background that aren't familiar, before they take control of your machine; then you can go back to a restore point (if your OS has it, of course).
An ounce of prevention is worth a pound of cure (or whatever the saying is). Adblock + COMODO firewall + microsoft security essentials hasn't failed me yet.

#8 - 04-24-2010, 12:12 PM
BuzWeaver (Fire Beetle), Join Date: Apr 2010, Location: Atlanta, GA USA, Posts: 16

Avast chimed in yesterday and blocked it when I was in the Project forums.

#9 - 04-26-2010, 06:30 PM
trevius (Developer), Join Date: Aug 2006, Location: USA, Posts: 5,946

Looks like more trojans from the ads again today. Gotta love having ads here :P
__________________
Trevazar/Trevius Owner of: Storm Haven
Everquest Emulator FAQ (Frequently Asked Questions) - Read It!

#10 - 04-26-2010, 08:50 PM
Capheus (Hill Giant), Join Date: Apr 2008, Location: Milwaukee, Posts: 141

One thing I have found that really helps is blocking third-party cookies in the Internet Options, for those of us who use IE. Not sure if the other browsers have similar options; I haven't messed around with them too much.

#11 - 04-26-2010, 10:16 PM
GeorgeS (Forum Guide), Join Date: Sep 2003, Location: California, Posts: 1,474

If someone has the URLs that these infected ads come from, then I can block them from the router admin area - sort of like the way some companies do.

Possible?

GeorgeS
__________________
Your source for EQ database tools
Toolshop is open for business


http://www.georgestools.chrsschb.com//

Last edited by GeorgeS; 04-26-2010 at 10:27 PM.

#12 - 04-27-2010, 04:15 PM
blackdragonsdg (Dragon), Join Date: Dec 2008, Location: Tennessee, Posts: 654

Quote (Originally Posted by GeorgeS):
    If someone has the URLs that these infected ads come from, then I can block them from the router admin area - sort of like the way some companies do.

    Possible?
The site that triggered my firewall is google.analytics.com.scvepuxdfzar.info

208.68.139.38 is the IP address for that site.

#13 - 04-27-2010, 05:12 PM
steve (Discordant), Join Date: Jan 2002, Posts: 305

I highly recommend everyone with a router to go with an ad blocking solution.

I'm using a Linksys WRT54G with Tomato firmware. If anyone is interested, I can post my router scripts so the ads can be blocked by individuals.

#14 - 04-28-2010, 03:48 AM
number6 (Sarnak), Join Date: Sep 2006, Posts: 62

I run tomato as well Steve, on a WRT54GL - would be interested to hear how you do this.

Cheers

Paul.

#15 - 04-28-2010, 04:36 PM
steve (Discordant), Join Date: Jan 2002, Posts: 305

For Tomato Firmware users:

1) Go to Administration > Scheduler. In the 'Custom 1' box, set up a time you want the router to update the host file (preferably once per week; I use Sunday at 4am). Check Enabled, then select the time and days.

2) Paste the following into the 'command box':
Code:
xyz=allowlist;hij=adblock.tmp;abc=dnsmasq_adblock.conf;tip=192.168.1.1;wget -q -O /tmp/$abc 'http://pgl.yoyo.org/adservers/serverlist.php?hostformat=dnsmasq&showintro=0&mimetype=plaintext';[ -f /tmp/$xyz ] && (cat /tmp/$abc | grep -v -f /tmp/$xyz>>/tmp/$hij; mv -f /tmp/$hij /tmp/$abc);[ $? -eq 0 -a `grep ^address= /tmp/$abc|wc -l` -gt 0 ] && (logger -t adblock -p 5 Server download OK;cat /tmp/$abc|sed 's/127.0.0.1/'$tip'/g'>/etc/$abc;[ ! -s /cifs1 ] && mv -f /tmp/$abc /cifs1/$abc.bak || rm /tmp/$abc;[ -h /etc/dnsmasq.custom ] && service dnsmasq restart) || (logger -t adblock -p 4 Server download failed;[ ! -s /etc/$abc -a -s /cifs1/$abc.bak ] && (logger -t adblock -p 5 Data recovered from backup;cat /cifs1/$abc.bak|sed 's/127.0.0.1/'$tip'/g'>/etc/$abc;[ -h /etc/dnsmasq.custom ] && service dnsmasq restart));unset xyz hij abc tip
3) Click 'Save' at the bottom of the page.

4) Now go to Administration > Scripts. Click on the 'Init' tab if it's not already selected, paste the following code into it and click 'Save'. NOTE: You can add as many 'echo' lines as you like to remove those hostnames from the blocked hostname list. I added Google Analytics because it stalls a lot of pages from loading if they use it.
Code:
echo "google-analytics">/tmp/allowlist
echo "ssl.google-analytics.com">>/tmp/allowlist
[ ! -f /tmp/dnsmasq.chk ] && (ln -s /etc/dnsmasq_adblock.conf /etc/dnsmasq.custom;touch /tmp/dnsmasq.chk)
5) Click on the 'WAN Up' tab at the top. Paste the following code into it, and click 'Save':
Code:
[ ! -f /etc/dnsmasq_adblock.conf ] && eval `nvram get sch_c1_cmd`
ps | grep [p]ixelserv
if [ $? == 1 ]; then
    wget -P /var http://pixelserv.webs.com/pixelserv
    chmod +x /var/pixelserv
    /var/pixelserv
fi
6) Go to 'Administration > Admin Access' and change 'Local Access' to HTTPS only (so the pixelserv server can run on port 80) and enter a port to run the router webserver on - I used 8080. Click 'Save' at the bottom.

7) Reboot the router and, if all went well, advertisements will be blocked on 99% of all websites and will be replaced with a 1x1 pixel transparent image - no red X's or boxes where the ads would normally be located.

I believe that's all the steps. At least all that I can remember from setting it up. If anyone tries this and it does/doesn't work, be sure to let me know. One thing to note is I just made the webs account to host the pixelserv - not sure how reliable they are, but I think it should be ok. The pixelserv binary is downloaded every time the router is rebooted and is only 10kb.
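The scheduler one-liner in step 2 is hard to read and to check, and it also answers GeorgeS's question from post #11 only indirectly: the downloaded list is what gets blocked, and a host someone reports by hand (like the one blackdragonsdg named in post #12) has no place in it. Below is an added example, not steve's script or anything from Tomato, that spells out the same pipeline as shell functions (drop allowlisted hosts, refuse an empty or malformed list before touching the live config, rewrite 127.0.0.1 to the router address so pixelserv answers) and adds a function for manual entries. The download step is replaced by a constructed four-line sample in the yoyo.org dnsmasq format so it runs offline; function names, file paths and the sample hosts are assumptions for the demo.

```shell
#!/bin/sh
# Added example, not the poster's Tomato scheduler command: the same
# allowlist -> sanity check -> rewrite pipeline as readable functions,
# run over a constructed sample list so it works offline.

# build_adblock_conf SRC ALLOWLIST ROUTER_IP OUT
# SRC is a dnsmasq-format list (address=/host/127.0.0.1). ALLOWLIST holds grep
# patterns to drop, one per line, exactly as the Init script writes them.
# Returns 1 and writes nothing if no address= lines survive, so a failed or
# mangled download never replaces a working config.
build_adblock_conf() {
    src=$1; allow=$2; tip=$3; out=$4
    tmp=$(mktemp) || return 1
    if [ -s "$allow" ]; then
        grep -v -f "$allow" "$src" > "$tmp" || true   # grep -v exits 1 if it selects nothing
    else
        cat "$src" > "$tmp"
    fi
    n=$(grep -c '^address=' "$tmp" || true)
    if [ "$n" -eq 0 ]; then
        rm -f "$tmp"
        return 1
    fi
    # Point every blocked host at the router so pixelserv serves the 1x1 image
    sed "s/127\.0\.0\.1/$tip/g" "$tmp" > "$out"
    rm -f "$tmp"
}

# add_blocked_host HOST ROUTER_IP OUT
# Appends a manual entry (e.g. a host reported in this thread) unless present.
add_blocked_host() {
    host=$1; tip=$2; out=$3
    grep -q "^address=/$host/" "$out" 2>/dev/null \
        || printf 'address=/%s/%s\n' "$host" "$tip" >> "$out"
}

# count_blocked OUT -> number of address= entries in the generated config
count_blocked() {
    grep -c '^address=' "$1" || true
}

# --- demo with constructed input --------------------------------------------
WORK=$(mktemp -d)
# Constructed stand-in for the pgl.yoyo.org download (same line format)
cat > "$WORK/serverlist" <<'EOF'
address=/ad.doubleclick.net/127.0.0.1
address=/google-analytics.com/127.0.0.1
address=/ssl.google-analytics.com/127.0.0.1
address=/pagead2.googlesyndication.com/127.0.0.1
EOF
# The two allowlist lines the Init script in step 4 writes
printf '%s\n' google-analytics ssl.google-analytics.com > "$WORK/allowlist"

if build_adblock_conf "$WORK/serverlist" "$WORK/allowlist" 192.168.1.1 "$WORK/dnsmasq_adblock.conf"; then
    # Manually block the host reported in post #12, on top of the downloaded list
    add_blocked_host google.analytics.com.scvepuxdfzar.info 192.168.1.1 "$WORK/dnsmasq_adblock.conf"
    echo "generated $(count_blocked "$WORK/dnsmasq_adblock.conf") entries:"
    cat "$WORK/dnsmasq_adblock.conf"
else
    echo "adblock: list empty or malformed, keeping existing config" >&2
fi
rm -rf "$WORK"
```

The empty-list check is the part worth keeping even if you stay with the one-liner: a blank or HTML error page from the list server would otherwise be written over /etc/dnsmasq_adblock.conf and silently turn blocking off until the next scheduled run.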

All times are GMT -4.