My Malware Nightmare

    So, as a result of this hack, I had to have Wayne Luke go in and remove files and get me back into my admin panel on the forum. But my members were still getting constant warnings of malware.

    So I joined GoDaddy Security and they ran a scan. Tons of malware removed. Problem is, it would seem there is still a bunch left over. I am getting constant emails regarding these threats from Google and Netcraft. I feel like I paid GoDaddy and they got their money only to remove some stuff and then ignore my next requests to help me. Wayne is also unfindable.

    This is what I'm dealing with now...

    Dear Sir or Madam,

    We have discovered a phishing attack located on your network:

    hxxp://thepowderblues[.]com/my/de535e267c10a7c88f2ed4283e8484da/signin.php?country=-&lang=en [198.54.113.182]

    You may not have been aware of this attack, however, you are still responsible for removing it.

    This attack targets our customer, Netflix, website URL https://www.netflix.com/.

    Please remove this fraudulent content, and any other associated fraudulent content, as soon as possible.

    Additionally, please send any files associated with the fraudulent content to [email protected] so that our customer and law enforcement agencies can investigate the incident further.

    For more information please see https://incident.netcraft.com/0971dc6eb12f/

    Regards,

    Netcraft

    _______________________

    Dear Sir or Madam,

    We have discovered a phishing attack located on your network:

    hxxp://thepowderblues[.]com/my/801c14f07f9724229175b8ef8b4585a8/signin.php?country=-&lang=en [198.54.113.182]
    hxxp://thepowderblues[.]com/my/4f284803bd0966cc24fa8683a34afc6e/ [198.54.113.182]
    hxxp://www.thepowderblues[.]com/my/2a3d6d6cc4b5e77238c1fc1bb6cdd681 [198.54.113.182]
    hxxp://www.thepowderblues[.]com/my/2a3d6d6cc4b5e77238c1fc1bb6cdd681/signin.php?country=-&lang=en [198.54.113.182]
    hxxp://www.thepowderblues[.]com/my/3ea2db50e62ceefceaf70a9d9a56a6f4 [198.54.113.182]
    hxxp://thepowderblues[.]com/my/0b0b0994d12ad343511adfbfc364256e/ [198.54.113.182]
    hxxp://thepowderblues[.]com/my/e6abb6620be44e2035008f84888a43b1/ [198.54.113.182]
    hxxp://thepowderblues[.]com/my/ca8155f4d27f205953f9d3d7974bdd70/ [198.54.113.182]
    hxxp://thepowderblues[.]com/my/0b0b0994d12ad343511adfbfc364256e/signin.php?country=-&lang=en [198.54.113.182]
    hxxp://thepowderblues[.]com/my/e6abb6620be44e2035008f84888a43b1/signin.php [198.54.113.182]
    hxxp://thepowderblues[.]com/my/4f284803bd0966cc24fa8683a34afc6e/signin.php [198.54.113.182]
    hxxp://www.thepowderblues[.]com/my/3ea2db50e62ceefceaf70a9d9a56a6f4/signin.php?country=-&lang=en [198.54.113.182]
    hxxp://thepowderblues[.]com/my/de535e267c10a7c88f2ed4283e8484da [198.54.113.182]
    hxxp://thepowderblues[.]com/my/ [198.54.113.182]
    hxxp://thepowderblues[.]com/my/ca8155f4d27f205953f9d3d7974bdd70/signin.php [198.54.113.182]
    hxxp://thepowderblues[.]com/my/de535e267c10a7c88f2ed4283e8484da/signin.php?country=-&lang=en [198.54.113.182]

    We believe that this attack is being restricted so it is only visible from certain countries. Before deciding that the attack has been resolved please confirm it cannot be viewed from the following countries:
    United Kingdom
    We previously contacted you about this issue on 2019-10-05 12:28:31 (UTC).
    Since our last notification, the following additional URL(s) have been detected:

    hxxp://thepowderblues[.]com/my/ca8155f4d27f205953f9d3d7974bdd70/signin.php
    hxxp://thepowderblues[.]com/my/
    hxxp://thepowderblues[.]com/my/de535e267c10a7c88f2ed4283e8484da
    hxxp://www.thepowderblues[.]com/my/3ea2db50e62ceefceaf70a9d9a56a6f4/signin.php?country=-&lang=en
    hxxp://thepowderblues[.]com/my/4f284803bd0966cc24fa8683a34afc6e/signin.php
    hxxp://thepowderblues[.]com/my/e6abb6620be44e2035008f84888a43b1/signin.php
    hxxp://thepowderblues[.]com/my/0b0b0994d12ad343511adfbfc364256e/signin.php?country=-&lang=en
    hxxp://thepowderblues[.]com/my/ca8155f4d27f205953f9d3d7974bdd70/
    hxxp://thepowderblues[.]com/my/e6abb6620be44e2035008f84888a43b1/
    hxxp://thepowderblues[.]com/my/0b0b0994d12ad343511adfbfc364256e/
    hxxp://www.thepowderblues[.]com/my/3ea2db50e62ceefceaf70a9d9a56a6f4
    hxxp://www.thepowderblues[.]com/my/2a3d6d6cc4b5e77238c1fc1bb6cdd681/signin.php?country=-&lang=en
    hxxp://www.thepowderblues[.]com/my/2a3d6d6cc4b5e77238c1fc1bb6cdd681
    hxxp://thepowderblues[.]com/my/4f284803bd0966cc24fa8683a34afc6e/
    hxxp://thepowderblues[.]com/my/801c14f07f9724229175b8ef8b4585a8/signin.php?country=-&lang=en

    You may not have been aware of this attack, however, you are still responsible for removing it.

    This attack targets our customer, Netflix, website URL https://www.netflix.com/.

    Please remove this fraudulent content, and any other associated fraudulent content, as soon as possible.

    Additionally, please send any files associated with the fraudulent content to [email protected] so that our customer and law enforcement agencies can investigate the incident further.

    For more information please see https://incident.netcraft.com/0971dc6eb12f/

    Regards,

    Netcraft

    Phone: +44(0)1225 447500
    Fax: +44(0)1225 448600
    Netcraft Issue Number: 7481416

    To contact us about updates regarding this attack, please respond to this email. Please note: replies to this address will be logged, but aren't always read. If you believe you have received this email in error, or you require further support, please contact: [email protected]

    This mail can be parsed with x-arf tools. Visit http://www.xarf.org/ for more information about x-arf.

    _____________________


    Dear Sir or Madam,

    We have discovered a phishing attack located on your network:

    hxxp://thepowderblues[.]com/my/8c9f32e03aeb2e3000825c8c875c4edd/signin.php [198.54.113.182]
    hxxp://thepowderblues[.]com/my/801c14f07f9724229175b8ef8b4585a8/signin.php?country=-&lang=en [198.54.113.182]
    hxxp://thepowderblues[.]com/my/4f284803bd0966cc24fa8683a34afc6e/ [198.54.113.182]
    hxxp://www.thepowderblues[.]com/my/2a3d6d6cc4b5e77238c1fc1bb6cdd681 [198.54.113.182]
    hxxp://www.thepowderblues[.]com/my/2a3d6d6cc4b5e77238c1fc1bb6cdd681/signin.php?country=-&lang=en [198.54.113.182]
    hxxp://www.thepowderblues[.]com/my/3ea2db50e62ceefceaf70a9d9a56a6f4 [198.54.113.182]
    hxxp://thepowderblues[.]com/my/0b0b0994d12ad343511adfbfc364256e/ [198.54.113.182]
    hxxp://thepowderblues[.]com/my/e6abb6620be44e2035008f84888a43b1/ [198.54.113.182]
    hxxp://thepowderblues[.]com/my/ca8155f4d27f205953f9d3d7974bdd70/ [198.54.113.182]
    hxxp://thepowderblues[.]com/my/0b0b0994d12ad343511adfbfc364256e/signin.php?country=-&lang=en [198.54.113.182]
    hxxp://thepowderblues[.]com/my/e6abb6620be44e2035008f84888a43b1/signin.php [198.54.113.182]
    hxxp://thepowderblues[.]com/my/4f284803bd0966cc24fa8683a34afc6e/signin.php [198.54.113.182]
    hxxp://www.thepowderblues[.]com/my/3ea2db50e62ceefceaf70a9d9a56a6f4/signin.php?country=-&lang=en [198.54.113.182]
    hxxp://thepowderblues[.]com/my/de535e267c10a7c88f2ed4283e8484da [198.54.113.182]
    hxxp://thepowderblues[.]com/my/ [198.54.113.182]
    hxxp://thepowderblues[.]com/my/ca8155f4d27f205953f9d3d7974bdd70/signin.php [198.54.113.182]
    hxxp://thepowderblues[.]com/my/de535e267c10a7c88f2ed4283e8484da/signin.php?country=-&lang=en [198.54.113.182]

    We believe that this attack is being restricted so it is only visible from certain countries. Before deciding that the attack has been resolved please confirm it cannot be viewed from the following countries:
    United Kingdom
    We previously contacted you about this issue on 2019-10-05 13:31:34 (UTC).
    Since our last notification, the following additional URL(s) have been detected:

    hxxp://thepowderblues[.]com/my/8c9f32e03aeb2e3000825c8c875c4edd/signin.php

    You may not have been aware of this attack, however, you are still responsible for removing it.

    This attack targets our customer, Netflix, website URL https://www.netflix.com/.

    Please remove this fraudulent content, and any other associated fraudulent content, as soon as possible.

    Additionally, please send any files associated with the fraudulent content to [email protected] so that our customer and law enforcement agencies can investigate the incident further.

    For more information please see https://incident.netcraft.com/0971dc6eb12f/

    Regards,

    Netcraft

    Phone: +44(0)1225 447500
    Fax: +44(0)1225 448600
    Netcraft Issue Number: 7481416

    To contact us about updates regarding this attack, please respond to this email. Please note: replies to this address will be logged, but aren't always read. If you believe you have received this email in error, or you require further support, please contact: [email protected]

    This mail can be parsed with x-arf tools. Visit http://www.xarf.org/ for more information about x-arf.

    _______________
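    The notifications above identify the kit only by URL. As an added example (not part of the thread, and not Netcraft's or vBulletin's code), here is a small Python script that pulls the paths out of a notification in that format and checks them against the document root on disk. The domain, IP address and web root in it are constructed placeholders, and it assumes the bare and www. hostnames serve the same document root.

```python
"""Extract phishing-kit paths from a Netcraft-style abuse notification and
check whether they still exist under the web root.

Added example; not from the forum thread. The report text below is a
constructed excerpt in the same shape as the quoted notifications
(defanged hxxp:// URLs, bracketed dot, trailing [ip]); the domain, IP and
web root layout are placeholders.
"""
import os
import re
import sys
from urllib.parse import urlsplit

# Constructed sample; domain and IP are placeholders, not the forum's values.
SAMPLE_REPORT = """\
We have discovered a phishing attack located on your network:

hxxp://example[.]invalid/my/0123456789abcdef0123456789abcdef/signin.php?country=-&lang=en [192.0.2.10]
hxxp://www.example[.]invalid/my/0123456789abcdef0123456789abcdef [192.0.2.10]
hxxp://example[.]invalid/my/ [192.0.2.10]
hxxp://example[.]invalid/my/fedcba9876543210fedcba9876543210/ [192.0.2.10]
"""

DEFANGED_URL = re.compile(r"hxxps?://\S+")


def refang(url: str) -> str:
    """Turn a defanged URL (hxxp://, [.]) back into a parseable one."""
    return url.replace("hxxp", "http", 1).replace("[.]", ".")


def report_paths(report: str) -> list:
    """Unique web-root-relative paths named in the report, sorted.

    Host (with or without www.) and query string are dropped: the example
    assumes both hostnames serve one document root, and the kit is
    identified by its path, not by the ?country=&lang= parameters.
    """
    paths = set()
    for match in DEFANGED_URL.finditer(report):
        path = urlsplit(refang(match.group(0))).path.strip("/")
        if path:
            paths.add(path)
    return sorted(paths)


def kit_directories(paths) -> list:
    """Collapse file entries (.../signin.php) to the directory holding the kit."""
    dirs = set()
    for p in paths:
        if p.endswith(".php"):
            p = p.rsplit("/", 1)[0] if "/" in p else ""
        if p:
            dirs.add(p)
    return sorted(dirs)


def still_present(webroot: str, paths) -> list:
    """Report paths that still exist on disk under webroot.

    Checked on the filesystem rather than by fetching the URL: the mail
    warns the kit may only answer visitors from certain countries, so a
    404 seen from your own location proves nothing. lexists() also counts
    a dangling symlink left behind by the kit.
    """
    return [rel for rel in paths
            if os.path.lexists(os.path.join(webroot, *rel.split("/")))]


def main(argv):
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8") as fh:
            report = fh.read()
    else:
        report = SAMPLE_REPORT
    webroot = argv[2] if len(argv) > 2 else "."
    paths = report_paths(report)
    print("directories named in report:")
    for d in kit_directories(paths):
        print("  ", d)
    leftovers = still_present(webroot, paths)
    print("still present under %s: %s" % (webroot, leftovers or "none"))
    return 1 if leftovers else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

    Run it as `python check_report.py notification.txt /path/to/webroot`; a non-zero exit means something named in the report is still on disk. Checking the filesystem matters here because the mail says the kit may be restricted to certain countries, so fetching the URLs yourself can return a 404 while the files are still there.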

    #2
    I was dealing with something similar about a week ago, except they were targeting Microsoft. Had my host remove the new directories then I did a clean install of the patched software. I feel like I caught it before too much damage was done.



      #3
      I documented on vbulletin's forum, but for us the best course of action was to:

      1) shut down the web server (apache in our case), and kill any php processes lingering around (if any)
      2) backup the database
      3) move the vb5 directory to vb5_hacked (you will need to copy some images from it later)
      4) reinstall vb5 from scratch in a clean directory, up to the point you are supposed to run install.php, and instead run upgrade.php
      5) continue with the "upgrade" -- it will connect to your existing database
      6) fire up the web server

      By doing this you have completely removed all nasty files from the equation, and haven't lost anything from your database at all.

      You will need to restore your favicon, and possibly some images (logos) and whatnot from your images folder.

      That turned out the easiest, fastest, and safest way for us to deal with it.

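      The one step in that procedure that brings files back from the compromised tree is restoring the favicon and logos out of vb5_hacked. As an added example (not the poster's script and not part of vBulletin), here is a Python helper that copies only files that are provably images: allowlisted extension, matching header bytes, and no PHP open tag anywhere in the body, so a script left in the images folder under an image name, or an image with PHP appended to it, stays behind in quarantine. The directory names come from the reply; the extension and magic-byte allowlist is an assumption.

```python
"""Restore only genuine image files from a quarantined vBulletin tree.

Added example; not from the thread or the vBulletin project. Copies files
from the moved vb5_hacked directory into the clean install only when the
extension, the file header and the file body all agree it is an image.
"""
import os
import shutil

# Extension -> acceptable leading bytes (constructed allowlist covering the
# formats a forum's logos and favicon are usually stored in).
IMAGE_MAGIC = {
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".ico": (b"\x00\x00\x01\x00",),
}

# A polyglot (valid image header with PHP appended) still passes the header
# test, so a PHP open tag anywhere in the body is also grounds to refuse it.
PHP_TAG = b"<?php"


def is_genuine_image(path: str) -> bool:
    """True only if the name, the header and the body all say it is an image."""
    if os.path.islink(path) or not os.path.isfile(path):
        return False            # never follow links out of the quarantined tree
    magics = IMAGE_MAGIC.get(os.path.splitext(path)[1].lower())
    if not magics:
        return False            # .php, .htaccess, .phtml, anything unexpected
    with open(path, "rb") as fh:
        data = fh.read()
    return any(data.startswith(m) for m in magics) and PHP_TAG not in data


def restore_images(quarantined_dir: str, clean_dir: str) -> dict:
    """Copy genuine images from the quarantined tree into the clean install,
    keeping relative paths. Returns sorted lists of what was copied and what
    was skipped so the skipped set can be reviewed by hand."""
    copied, skipped = [], []
    # os.walk does not descend into symlinked directories by default
    for root, _dirs, files in os.walk(quarantined_dir):
        for name in files:
            src = os.path.join(root, name)
            rel = os.path.relpath(src, quarantined_dir)
            if is_genuine_image(src):
                dst = os.path.join(clean_dir, rel)
                os.makedirs(os.path.dirname(dst), exist_ok=True)
                shutil.copyfile(src, dst)   # bytes only: no mode bits or xattrs
                copied.append(rel)
            else:
                skipped.append(rel)
    return {"copied": sorted(copied), "skipped": sorted(skipped)}


if __name__ == "__main__":
    import sys
    # e.g. python restore_images.py vb5_hacked/images vb5/images
    result = restore_images(sys.argv[1], sys.argv[2])
    print("copied:", *result["copied"], sep="\n  ")
    print("skipped (review by hand):", *result["skipped"], sep="\n  ")
```

      Review the skipped list before touching anything else in the old tree. This checks file contents only; it says nothing about how the web server is configured to handle those files once they are back in place.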


        #4
        I already had Sucuri fix it. I guess that's the perk of having one of the owners being a Charger fan. lol. What a nightmare.



          #5
          I had my website checked by sucuri.net. They removed all malware and installed a powerful firewall.
