META: Symantec Endpoint Protection Marking MGO as a Blackhole Toolkit Website
The title says it all. Over the past couple of weeks I have been getting this warning while visiting MGoBlog:
[SID 24092] Web Attack Blackhole ToolKit Website detected.
I am running XP SP3 and using the most recent version of Firefox as my browser. I thought maybe the issue was on my end, but running scans with my Symantec Endpoint Protection and Malwarebytes has yielded nothing.
The warning pops up when I have multiple tabs open including MGoBlog. However, if I open the browser and visit MGoBlog as the first website it still pops up, leading me to believe it is a problem with the site.
I have also been able to make the warning pop up by reloading the site multiple times. The ads are also different every time the warning pops up, so I don't think it's a problem with a specific ad. I've already emailed Brian, but I thought I'd ask the crowd if they are also noticing something similar. Hopefully this is not a precursor to another Malware mess.
Problems, but the site has been running fine for me and I visit roughly 1000 times a day. I also use Chrome.
I've had no problems. Mgobowl, it might be the XP.
and I'm running AVG, no problems here
Where are our "I survived Malware-palooza 2001" T-shirts?
Probably getting re-printed because the palooza was in 2010, not 2001...
I know a few others have had weird messages pop up but I haven't seen anything unusual yet on my machine (Windows 7). Hopefully that's not a bad sign for me.
I use Firefox. No problems notified by the browser and no issues detected by yours truly... at least not yet.
I haven't had any problems with MGoBlog other than a recent general lack of posbanging and seeing too much of TSIO. Their tears are delicious, but their faces are revolting.
My Norton keeps telling me that it's blocking attacks on my PC when I visit here... I haven't noticed if it's only when I have multiple windows open (I usually do).
It occurs when multiple tabs are open, but it also occurs when MGoBlog is the only window open in a fresh start of the browser.
Several times over the last week or so, Norton has blocked a Blackhole Toolkit Website 5 attack when I've accessed MGoBlog as one of multiple tabs. I have the same setup as you--XP SP3 and the latest version of Firefox--but I just upgraded Firefox a couple of days ago, so it happened using the previous version as well.
Kaspersky and Malwarebytes have both been blocking things and have identified it as coming from this site. If you're not getting any notifications from your AV, I hope that just means you're lucky. I'd check it out though.
I get the pop-up but Malwarebytes says it has blocked a potentially dangerous site, so I don't worry about it.
Chrome user, no problems here.
I am running XP SP3, IE 8, and Symantec Endpoint Protection 11.0.4014.26, updated through 6/10/11. I experienced the same warning this afternoon. It's probably a false warning from SEP.
It's super powerful, very sneaky, and every time a patch comes out they update it. I've been watching my Metasploit console and my iptables logs all day and can't see anything. Can you screenshot your warning messages or anything else that could help me and the other computer guys figure out what's going on?
OK, from what I can tell, someone is running a TCP/IP port scanner. Ports in that numerical area are dynamic and they are supposed to be private. What is going on is that the program is trying to get into your system from the port and install rogue anti-virus. Be careful, it might be exploiting weak security from Internet Explorer, if that's what you're using.
I'm using Firefox and it's up to date. Thanks for the input. The next one that came up used a different port number so I'm guessing the program is just choosing at random within certain number values.
Most firewalls only stealth 30% of ports and leave the rest closed. It's a port that most TCP scanners will not hit, but this is more advanced. Open and closed ports are a major security risk; you should think about upgrading.
I would screenshot it if I had anything to screenshot. I get a little yellow call out bubble from SEP (my AV) in my toolbar. All the bubble says is: [SID 24092] Web Attack Blackhole ToolKit Website detected.
Checking my Risk Logs in SEP, it shows some tracking cookies that originated from MGoBlog (labeled as: [email protected] and [email protected]) and were deleted as well as a downloader that was deleted. The downloader was in a java file: c:\Documents and Settings\name_redacted\Application Data\Sun\Java\Deployment\cache\
Did you just find the problem I've been looking for all day? Alright, the Blackhole exploit can be used to modify website scripts, which made it so hard for me to find. Last time Blackhole injected its own script into the website; this time what I think has happened is that it modified Quantserve. Quantserve is a Java-based application that monitors website traffic, so the first thing you need to do is stop refreshing the page. The installer will not install until the page is refreshed so it can bypass security easier. Next you need to download Firefox and get the NoScript toolbar, and use it to block Quantserve.
This has to be one of the most heavily trafficked sites out there without full-time IT support. Keeping it clean must be a nightmare.
Now only for Mac users
Oh, I mean, too bad...
I haven't noticed any warnings or pop ups, but about a week ago this site started appearing in larger font size (and still is). I asked Brian if he had made this change or if it was on my end and he indicated that it must be on my end. However, this is the only site that appears on my PC in larger than normal font.
All of my Norton and Malwarebytes scans say that my computer is working fine and fully protected.
Using PC running XP and Norton.
This isn't the first, second or third or fourth time this site has served up malware. Most have been handled quietly behind the scenes, but there was the great malware outbreak of 2010 or whenever it was.
I just got the same thing from my Norton Antivirus. I use Windows 7 so it isn't only XP.
Started popping up for me occasionally yesterday too...
run by a pissed-off Buckeye who has had just about enough of our shit, thankyouverymuch.
If you are running Windows and at least IE7, you are screwed, admin or not. Why anyone runs IE anymore at this point is mind-boggling to me.