tadas
« on: May 11, 2012, 09:59:31 AM »
I'm sure it's a false positive, but AVG antivirus has been reporting this site as having "Blackhole Exploit Kit 1889". I normally keep a window open here, and for the last two days, it beeps at me every 20 minutes with a detection (and cleanup) report. AVG's false positive report page is at http://www.avg.com/ww-en/page-rating-report. Hope this helps, Tadas
Dean Williams
« Reply #1 on: May 11, 2012, 10:37:38 AM »
I'm getting a similar warning from AVG on the "Blackhole Exploit Kit" for Nelsonfoto. Yesterday it blocked the forum completely. Today, it's letting me in, but keeps flashing a "Danger, Will Robinson" warning box.
Dean W Filled with a vacuum
Seven years! Woo-hoo! Larry; Try to keep up!
LarryD
« Reply #2 on: May 11, 2012, 12:14:10 PM »
I contacted CE last night about it. He is working on it. It is real from what he thinks. Maybe something with the shared server.
Film photography and the Soviet Union are not dead. Just downsized.
nelsonfoto
« Reply #3 on: May 11, 2012, 12:18:13 PM »
Larry reported this to me in the wee morning hours. I, too, was hit with similar warnings via Avast installation on my local machine.
A perusal of the source code for the main forums page showed nothing pointing to ibiz.cc; ditto a check of the code from the main URL, nelsonfoto.com. For what it's worth, I've no reason to expect we've been hacked. Rather, I think this is either a false-positive or some other account on our shared server has been compromised.
I also run the NoScript extension for Firefox and it is blocking script from several servers at the ibiz.cc domain. I've just finished screen caps and am now forwarding the matter to tech support. I'll update this thread when I know more.
Thanks, Craig
nelsonfoto
« Reply #4 on: May 11, 2012, 12:20:27 PM »
> I contacted CE last night about it. He is working on it. It is real from what he thinks. Maybe something with the shared server.
Larry - careful paraphrasing me, please. I did not state that I think it is real, as in we've been compromised. I am working on this. Anything I have to add will be contained in this thread. C.
Scott
« Reply #5 on: May 11, 2012, 12:31:44 PM »
FWIW, I, too, got an Avast warning today, though I don't remember the wording.
LarryD
« Reply #6 on: May 11, 2012, 12:51:09 PM »
Sorry about that CE.
Film photography and the Soviet Union are not dead. Just downsized.
Dean Williams
« Reply #7 on: May 12, 2012, 12:06:25 AM »
Now, twice in my current session, AVG has blocked what it calls "threats", once as I logged on, and once as I opened the "F Stops Here" part for the forum. Both times, it (AVG) asked which option I would like to deal with this Blackhole Exploit thing. On my first opening of the forum main page, I was able to remove two threats. On opening into this part of the forum, (where I'm typing this), AVG asked if I wanted to read more about it or send it to the "Virus Vault", which is what was done.
I didn't get the file numbers on the first two pop-up windows. I can try to do that if there is a next time, if it will help chasing this down, Craig.
Dean
Dean W Filled with a vacuum
Seven years! Woo-hoo! Larry; Try to keep up!
nelsonfoto
« Reply #8 on: May 12, 2012, 05:01:14 AM »
In an effort to keep this as simple as possible, my explanation, note that this issue was caused by a PHP exploit that affected all servers, not just ours. No sooner had I popped a ticket open with support, the answers began appearing in e-mails. Looks like they were on it before I got to them.
At any rate, significant patching of PHP installs has taken place and while the patches are not permanent solutions, we are assured that the PHP authoring team is hard at work conjuring a proper fix. For now, you should no longer receive the script warnings.
Thanks for your patience.
Craig
LarryD
« Reply #9 on: May 12, 2012, 08:28:21 AM »
Thanks Craig.
Film photography and the Soviet Union are not dead. Just downsized.