Supposed malicious link in this General Trainz Forum. Security issue.


simonis

Hi all,
I have been reading various pages in this General Trainz forum for the last two days and found some very helpful ideas. Every now and then (about 6 times so far) my malware program warned me "blocked malicious web site -> members.chello.nl", with more information about it being outgoing and an IP address as well.
I have checked my computer for infections of this kind, etc.; there are none, and it only happens on this forum!
Again this morning the warning came up. It appears to be a link from some pages in this forum and the discussion about abandoned asset repairs.
My questions: is this really a malicious web site? Should such a link be coming from this forum? I happen to be of Dutch origin a long time ago; the website is clearly Dutch and there are other people of Dutch origin on this page.
Can anyone help find an answer? I guard the safety of my computer strongly.

Lou Simonis
North Croydon. VIC.
Australia
 
Thought this had been dealt with. It's a forum member's hosting site, used for his signature and screenshots, that's being picked up by Malwarebytes. It may be a false positive; I did inform him about it a few weeks back and it cleared up.
It's not being picked up by anything here, by the way; it just appears to be Malwarebytes.
 
Yes, I got this last night also.
It does not stop you viewing the page.
And I know whose signature it is, also, a very helpful fellow, actually.
 
Hi,

Thanks for the PM.

It is (the image in) my signature that gives a false positive. I have turned it off for this post (in case you are wondering why you don't get it now).

I had stopped using an image in my signature for a few weeks hoping the software you are using would have figured out by now that the website of my ISP I have been using for 10+ years is not that scary.

I suggest you tell your software that my signature image is really not that dangerous; they are (currently) just images of bunkers, not real bunkers ;) (and I am not planning to switch ISP any time soon). I assume / hope the software offers that option.

And I know whose signature it is, also, a very helpful fellow, actually.
Thank you :)
 
I'm guessing the reason it's flagged it up is that someone else using that particular ISP for their website has uploaded something they shouldn't and it's basically caused issues for the whole subdomain.

Shane
 
I'm guessing the reason it's flagged it up is that someone else using that particular ISP for their website has uploaded something they shouldn't and it's basically caused issues for the whole subdomain.

Shane

In other words, the admin set a filter of *.* on the domain rather than actually doing some work to find out who actually uploaded the problematic script or malware in the first place.
 
I used to get alerts on "homepage.ntlworld.com" too, from my Emsisoft AntiMalware. This has stopped once I put in a rule to allow it. You might try that until it is fixed externally.

EDIT: In view of Lou's post below, it might be better to leave it blocked.

Bill
 
Hi All,
I referred the information I sent out to the Malwarebytes Forum for investigation, together with the blocking log from my computer and a screen print of the actual message.
This morning, 17 Aug 2016, I received the following message, with an analyst list of anti-malware organisations which have come to the same conclusions, including those organisations which have not yet found the issues:
I quote "IP is still distributing Locky ransomware. "
In view of this I suggest that the Trainz Forum immediately block this site from accessing our computers.
It may well be that the users and operators of the members.chello.nl site are not aware of what is being distributed by the site.
Regards,

Lou Simonis
North Croydon
Australia
 
Can someone please explain to me how downloading a jpeg would be in any way able to make you install ransomware? Yeah, I am serious; I'd like to know, both for personal understanding and as clear ammunition I can use when calling my ISP. I really do not see how downloading 1 image (not some on-the-fly generated thing, just a simple jpeg) can cause that. Because that is what my signature is doing; nothing more, nothing less.

If it would cause a ransomware infection, why is my PC still not completely screwed over (as I sort of get my own signature with every post I make). To my knowledge (and personal experience...), you will actually have to visit a website for that which triggers the running of script. So as long as you are not going to visit members . chello . nl to my knowledge you are all safe (but I am happy to be proven wrong).

I am happy to go and complain against my ISP. What I need is clear information I can slam in their face.

So far the solid information I have from links provided here is limited.
@ Clam: The two links you provided don't give me much information; I need a login for both. Without login it only tells me "IP has a bad reputation" and "has sent spam", which does not really tell me much. If you can supply me more information (maybe you have a login to access that?), please do.
@ Simonis: You are going to need to quote a lot clearer information for it to be useful for me to tell my ISP. Please do.

Sorry for the inconvenience.
--- deliberately posted without signature ---

 
Always remember to send and receive data using https and not http.
The "s" on the end is important.
Even linking to or receiving a picture from another website location is a risk of malware intrusion, so it is best to use encryption mode using https.
 
The 's' means secure. Those are the legit stuff. I try to avoid links like those, but I have been getting alerts saying Malwarebytes blocked it because... People, always, ALWAYS avoid websites that have been shut down, even if there is a link for an asset. When websites are abandoned, they don't monitor scripts, and therefore they can be hacked. Try asking the community if you are wondering about an asset.
 
Hi oknotsen,

This is how it happens: I am reading one of your messages, and a small Malwarebytes warning window comes on the screen: "Malicious website blocked". Further information: Domain: members.chello.nl
IP: 80.109.240.71, port: 55714, type: outbound via Firefox. I can make this happen even now on one of your signed messages. I have seen it at least a dozen times now.

To me, as a minor technical person, this means something, a small program, is attached to your signature file (*.jpg etc.) which tries to send a message from my computer via the Firefox browser to that IP address. As this is classified as "ransomware", it will have tried to send some information which would allow the receiver at chello.nl to maliciously lock all data on my computer and demand a sum of money to unlock the data. If I don't pay, I would have to rebuild my computer from a backup, if that is not also infected. I am lucky to have Malwarebytes installed to protect the data I need to keep.
This has happened to many computer owners!
I hope this will allow you to notify your web site, to fix their problem, likely not of their making, but caused by another member.

Regards,

Lou Simonis
North Croydon
Australia
 
Hello all,

I'm by no means an expert on computer malware, but figured I'd give my two cents.

I'm pretty sure it would be unlikely to become infected in this manner; by simply viewing a forum post with a signature hosted at that IP address. I've run into this before on the forums. I can't remember if it was specifically oknotsen's signature, but every time I would view a specific page, Malwarebytes would block an outbound. I would say the program is blocking it because that IP, as a whole, is known to be distributing ransomware. This wouldn't mean that the file itself is malicious just because it has something to do with that IP address.

Ransomware is typically installed through some sort of user interaction, such as opening an email and opening a malicious attachment, visiting a malicious site, or clicking on a malicious ad. Also, even if the jpeg in question did "phone home" and give somebody your information, they would not be able to access your computer unless there was already some sort of malware present. I don't think there is much they can do with just your IP address. Also note that most often, it is not an actual hacker doing anything in these cases. It is the malware delivering its payload. Once it encrypts your data, it generates a private decryption key that is stored on the server, and if you pay the ransom, supposedly you are sent the key which will decrypt the files.

The best way to avoid this is to keep your files backed up in a secure location that is not in any way, shape, or form connected to your computer or network. This stuff can spread into devices on the same network or into an external hard drive that is connected to the infected machine.

Also, I'm sure not all AV/AM programs are detecting this. If this were actually dropping malware, I'm sure there would be several people reporting being hit with it here on the forums, not just warning messages from AV software. To make a long story short, I'm not trying to downplay how bad ransomware is; I know it's pretty nasty stuff. I just don't think it's very likely that the actual file in question is malicious. I'm fairly sure Malwarebytes is just flagging that IP as a preventative measure.
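The point made in the last few replies, that the alert comes from the browser fetching an image hosted on a blocklisted domain rather than from anything running on the viewer's machine, can be checked on the page itself. The script below is an added example, not code from the thread or from the forum software: it parses a constructed forum post, lists the external hosts the browser contacts to render it, matches them against a constructed reputation list, and reports which element is responsible and whether it is a passive resource (an image) or something that executes (a script). The hostname from the thread is used; the image path and the forum domain are placeholders.

```python
# Added example: trace an "outbound blocked" alert to the embedded resource that
# caused it. The blocklist and the HTML below are constructed sample data.
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed reputation list keyed by hostname (whole-domain block, as in the thread).
BLOCKED_HOSTS = {"members.chello.nl": "domain-level reputation block"}

# Tag/attribute pairs the browser fetches passively (no code executes) versus
# ones that load executable or embedded content.
PASSIVE = {("img", "src"), ("link", "href")}
ACTIVE = {("script", "src"), ("iframe", "src"), ("object", "data")}


class ResourceCollector(HTMLParser):
    """Collect (tag, host, kind) for every external resource a page references."""

    def __init__(self):
        super().__init__()
        self.resources = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if (tag, name) in PASSIVE:
                kind = "passive"
            elif (tag, name) in ACTIVE:
                kind = "active"
            else:
                continue
            host = urlparse(value or "").hostname
            if host:
                self.resources.append((tag, host, kind))


def explain_block(html):
    """Return (tag, host, kind, reason) for each resource on a blocklisted host."""
    parser = ResourceCollector()
    parser.feed(html)
    return [(t, h, k, BLOCKED_HOSTS[h]) for t, h, k in parser.resources
            if h in BLOCKED_HOSTS]


# Constructed post: body text, a signature image on the flagged host, and a
# placeholder forum script that is not blocklisted.
SAMPLE_POST = """<div class="post">Thanks for the PM.</div>
<div class="signature"><img src="http://members.chello.nl/placeholder/bunkers.jpg" alt="sig"></div>
<script src="https://forum.example/js/app.js"></script>"""

if __name__ == "__main__":
    for tag, host, kind, reason in explain_block(SAMPLE_POST):
        print(f"<{tag}> fetches {host} ({kind} resource): {reason}")
```

Running it shows the only match is the `<img>` in the signature, a passive fetch, which is why the alert appears on every page carrying that signature while nothing is installed on the viewing machine.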
 