Web Attack. Malicious File Download.

[parbrook]

When I open my forum www.hyperparathyroid.forumotion.co.uk, Norton reports blocking a "Web attack: malicious file download 12".

The Attack details are as follows:
"download.adobaaoan.us (91.236.116.81, 80)","download.adobaaoan.us/Flashplay/Lem/App/CD/UKa/auload.html?installer=Flash_Player_11_for_Other_Browsers&browser_type=KHTML&dualoffer=false".
Traffic description: TCP, www-http.
Network traffic from <b>download.adobaaoan.us/Flashplay/Lem/App/CD/UKa/auload.html?installer=Flash_Player_11_for_Other_Browsers&browser_type=KHTML&dualoffer=false  matches the signature of a known attack.  The attack was resulted from \DEVICE\HARDDISKVOLUME2\PROGRAM FILES (X86)\MOZILLA FIREFOX\FIREFOX.EXE.

I now cannot access my forum.  When I open the forum home page, it is displayed for a second.  Then the adverts appear and the browser is redirected to the above file download.

I am assuming that Norton is doing its job correctly in preventing this download, so why is my browser being hijacked and how can I access my forum without being exposed to this malicious file download?

[ddoesmc]

I am assuming that Norton is doing its job correctly in preventing this download

Norton is protecting you from this page, it could be firefox. Also do you have any add ons in firefox?
Norton report

[parbrook]

I have a few add-ons but I do not see how these would be related to a redirection that happens as soon as the adverts appear.

This issue only happens on the forum home page, not any other website - just like the iPad redirection problem that I reported yesterday, which may be related.

The common factor is the adverts.

[Derri]

I'll report this to our Pro Admin who might be able to tell us why this is happening to your forum in the event it isn't something on your end.

[Jophy]

Hello,

It is advisable to provide screenshot for the pro admin to check, thanks.

[parbrook]

Hello,

It is advisable to provide screenshot for the pro admin to check, thanks.

OK, but a screenshot of what?

You have a choice of a Firefox message reporting disconnection from the server (thanks to Norton blocking the redirection) and the URL of the hijack destination (which is the same as I reported above), or the Norton Internet Security report, which I have already given above.

[Shadow]

Hello

I manage to enter your forum properly: http://hyperparathyroid.forumotion.co.uk/
I have checked your forum on Sucuri http://sitecheck.sucuri.net/results/hyperparathyroid.forumotion.co.uk/
I have also checked your forum on Northon:


All look good.

Thanks for providing more information.

[parbrook]

I also checked the site using securi.net.

I think that the problem is caused by some specific adverts, so you would need to be very lucky to run the security check at the same time as the malicious redirection adverts are appearing.

For your information, the malicious redirection only happens when adverts are displayed.
When I am logged-in as Administrator, adverts are not displayed and I have no problem accessing the forum.

Also, please remember that we have iPad users being redirected to the App Store when they try to log-in.

[parbrook]

I have noticed that there is a related thread here: https://help.forumotion.com/t133064-913-java-ads

It seems to be Java and Flash adverts that cause the redirections.

I realise the Forumotion do not control the adverts, but it is a major problem when members and visitors cannot access the forums.

[Jophy]

Hello,

Just to inform that Buttercup is on leave today, she'll be back by tomorrow to assist you further in this issue. Thanks.