There is obfuscated javascript on the page which does indeed look suspicious:

Admin: thanks, edited out the script, there is no need to paste the whole javascript block in the post (it also triggers aVast warning)

That's what I was afraid of, Resolve. I'm having to disable Avast's web shield in order to reach this site at all, so I'm hoping noscript will block any malicious scripts (and recommend all Firefox users do the same).

Heh, looks like I was way wrong.

A few security tips:

- The web would be a much safer place without Javascript and Flash but unfortunately it has become hard to avoid those completely so install the NoScript extension and only enable javascript and flash for sites that you trust and really need it. (as we have seen, even our favorite site can become infested by something but still this reduces the risks.)

- Make sure you have the latest versions of Flash and Acrobat Reader. The old versions have commonly used exploits.

- Disable the JavaScript support in Acrobat Reader. I've never seen a pdf file that used that for anything useful and almost all the latest pdf exploits can be prevented by that simple measure. I believe even the latest version is currently vulnerable if javascript is turned on.

- Disable the pdf plugin in your browser. You don't need it (just save the pdfs you really want to see) and anyway it's annoying and sometimes makes the browser crash.

- Also disable any browser plugin you don't really need and make sure those you keep are up to date.

Last edited by Codexus (2009 May 16, 3:39 pm)

Codexus wrote:

- Make sure you have the latest versions of Flash and Acrobat Reader. The old versions have commonly used exploits.

Yeah, I was using Adobe Reader version 7, because the newer versions had become so bloated and slow. I didn't realize Adobe's plugins could be exploited so easily by a trojan. It may have been how my PC got infected.

I don't even use it! Last time I checked version 9 still couldn't remember the last used page of recently opened documents. FoxitReader can do that.

For now I have uninstalled Adobe Reader as part of the cleanup operation.. if I have to install it again, I'll get the latest version.

Great suggestions about browser plugins.. I didn't think of simply disabling them, always annoys me when the browser opens a PDF file instead of letting the dedicated app handle it!

I think you should warn users of this in the "Announcement" space. I'm sure a lot of people don't ever bother to scroll down the main page or check the Feedback forum.

Also, from what time till what time do you estimate the virus was live on the site?

Last edited by Transparent_Aluminium (2009 May 16, 4:46 pm)

Zarxrax: please try again, if it doesn't work, try the Refresh button on the browser or CTRL-F5 in Windows, this should clear the cache from old javascript files.

Thanks ファブリス, you are doing a great job! I'm so glad that the site is back up again!

It seems to be an issue with the substitute kanji script. Turn it off and the page loads normally. The substitute font script works OK.

Fixed it. Affected scripts were Substitute keywords and Alter sequence.

ファブリス wrote:

The website cleanup was tricky because my local copy was a little different. The review page code is actually slightly different, and may interfere with some Greasemonkey scripts (though that should not matter too much given that the whole site will be updated with the refactored version next week).

We have a date! I'm aware that the update might make large parts of above scripts obsolete, still a week is a lot of reviews. Can't let the customers lose faith.

I have the same problem as Evil_Dragon, does this mean I just have to wait now and it will be fixed in a few days?

thanks! works again. I feel stupid now but thanks for having patience with slow people like me ^^;