
Possible Virus Detection in Mod Pack



According to my virus protection, it has quarantined several repeated attacks by several different viruses & other intrusions, so I thought I should share them with you all.
The following list is what the antivirus program found to be infections themselves or where the infections were found (I assume), as listed in my Quarantine/Removed sections:
1) 24.20_crashed_tracks_base_ (Followed by the name of my puter & the date)

2) flex.7z

3) chasis.visual_processed

4) nestedfolderrenametool.exe

5) ws.reputation.1

 

I hope this means something to you. None of them were successful in penetrating my system; however, several of them made repeated attempts to break through, and a few attempts lasted hours.

I don't understand what any of them are, other than my virus protection program thwarted their attempts.

I have never seen this type of attack prior to downloading your last update (#3).

I check my antivirus activity files daily & ALWAYS do a complete scan each night, as well as after downloading any app or program.

If you do find something was in your modpack, please let us know.

I know these things happen & sometimes get past careful content providers; it's just a reality of using puters.

 

LOVE your program

13 hours ago, Aslain said:

If you don't trust my modpack, check it here https://www.virustotal.com/#/home/upload

Don't get me wrong, I wasn't complaining at all.
It's not that I don't trust you or your site, nor am I implying anything negative; rather, I only wanted to warn you & others that this began happening (for the first time ever) right after your last update, which is where all these invasion attempts were stemming from according to my virus program, all having to do with WoT & specific mod app names.

I am not bitching or upset with you in any way; it was just a courtesy notification more than anything else, as I did see others had posted similar possible attacks/issues as well.

I totally love your mod pack, it's the best & I appreciate the effort you put into it all, especially after your recent health concerns.
In fact, I brag to other players all the time about how your modpack is the perfect combo, because I'm so happy with it :)

Hope you're feeling alright these days.

14 hours ago, Interface2037 said:

Actually it might be right. Today my Norton Firewall blocked intrusion attempts from Poland while playing World of Tanks.

 

Category: Intrusion Prevention

Date & Time,18-Nov-17 23:08:41,
Risk,High,- An intrusion attempt by 78.140.179.99 was blocked.,
Activity Status,-Blocked,
Recommended Action,- No Action Required,
IPS Alert Name,- Web Attack: Exploit Kit Redirection 21,
Default Action,- No Action Required,
Action Taken,- No Action Required,
Attacking Computer,- "78.140.179.99, 80", also from 88.85.84.123 & 88.85.84.124
Attacker URL,- ralkipa.info/cdrive.js?t5vg9c=855352,
Destination Address,- "LUNXXXXX (192.168.1.40, 1176)",78.140.179.99,"TCP,www-http"
Source Address,- Network traffic from ralkipa.info/cdrive.js?t5vg9c=855352 matches the signature of a known attack.
Traffic Description,- The attack was resulted from \DEVICE\HARDDISKVOLUME5\GAMES\WORLD_OF_TANKS\RES\CEF\CEF_BROWSER_PROCESS.EXE.

I got this as well & this is what I got from 3 different IPs.

Administrator

It's very weird https://www.virustotal.com/#/url/95909a4f14fb5fae94f5d849e635e4d38a0cdcaf02fce231c96dfd42ce6a04e7/detection

 

Looks like the purpose of this connection is to display an in-game website from ekspoint:

 

(screenshot: N5OEKdn.jpg)

 

Yet today his website was blocked by admins because he was cheating counters and auto-surfing (redirections to ads).

 

As for the OP:

 

1) 24.20_crashed_tracks_base_ (Followed by the name of my puter & the date)

This is just a visual file, part of white dead tracks, nothing more, nothing less.

 

2) flex.7z

It's not part of my modpack and never was.

 

3) chasis.visual_processed

Looks like another visual file from some skin mod; see 1.

 

4) nestedfolderrenametool.exe

I had it a long time ago; it was a tool that renames files. I used it to rename the version folder to the new one, a regular app.

 

5) ws.reputation.1

WS.Reputation is a stupid idea by Norton? to mark files by user reputation (voting); haters love this tool. Ignore it.

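The Norton export quoted above is the kind of artifact worth parsing rather than reading alert by alert: the fields that decide what happened are the local process that opened the connection, the host it contacted and the signature name. The script below is an added example, not code from this thread or from the modpack. It assumes the export keeps the "Field,- value," layout shown in the quoted entry; the first record in the sample is that entry, the second is constructed (its timestamp and single attacker IP are made up) to show how alerts get grouped.

```python
"""Parse Norton 'Intrusion Prevention' alert exports and summarise the
indicators they carry: originating local process, contacted host,
remote IPs and IPS signature.

Added example, not the modpack's or Norton's code. Field names and the
'Field,- value,' layout are assumed from the single entry quoted in the
thread; other Norton versions may export differently."""
import ipaddress
import re
from collections import defaultdict

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# Path at the end of "The attack was resulted from \DEVICE\...\NAME.EXE."
ORIGIN = re.compile(r"resulted from (\\[^\s]+?\.EXE)\.?$", re.IGNORECASE)

# Constructed sample: record 1 is the entry quoted in the thread (with the
# poster's "also from ..." note left in); record 2 is made up.
SAMPLE_EXPORT = r"""Category: Intrusion Prevention

Date & Time,18-Nov-17 23:08:41,
Risk,High,- An intrusion attempt by 78.140.179.99 was blocked.,
Activity Status,-Blocked,
Recommended Action,- No Action Required,
IPS Alert Name,- Web Attack: Exploit Kit Redirection 21,
Default Action,- No Action Required,
Action Taken,- No Action Required,
Attacking Computer,- "78.140.179.99, 80", also from 88.85.84.123 & 88.85.84.124
Attacker URL,- ralkipa.info/cdrive.js?t5vg9c=855352,
Destination Address,- "LUNXXXXX (192.168.1.40, 1176)",78.140.179.99,"TCP,www-http"
Source Address,- Network traffic from ralkipa.info/cdrive.js?t5vg9c=855352 matches the signature of a known attack.
Traffic Description,- The attack was resulted from \DEVICE\HARDDISKVOLUME5\GAMES\WORLD_OF_TANKS\RES\CEF\CEF_BROWSER_PROCESS.EXE.

Category: Intrusion Prevention

Date & Time,18-Nov-17 23:12:05,
Risk,High,- An intrusion attempt by 88.85.84.123 was blocked.,
Activity Status,-Blocked,
IPS Alert Name,- Web Attack: Exploit Kit Redirection 21,
Attacking Computer,- "88.85.84.123, 80",
Attacker URL,- ralkipa.info/cdrive.js?t5vg9c=855352,
Traffic Description,- The attack was resulted from \DEVICE\HARDDISKVOLUME5\GAMES\WORLD_OF_TANKS\RES\CEF\CEF_BROWSER_PROCESS.EXE.
"""


def _split_field(line):
    """'Key,- value,' -> ('Key', 'value'); None for lines without a comma."""
    if "," not in line:
        return None
    key, rest = line.split(",", 1)
    rest = rest.strip()
    if rest.startswith("-"):
        rest = rest[1:].strip()
    return key.strip(), rest.rstrip(",").strip()


def parse_export(text):
    """One dict of raw fields per 'Category:' block, in file order."""
    alerts, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Category:"):
            current = {"Category": line.split(":", 1)[1].strip()}
            alerts.append(current)
            continue
        field = _split_field(line) if current is not None else None
        if field:
            current[field[0]] = field[1]
    return alerts


def extract_indicators(alert):
    """Pull the actionable values out of one alert."""
    attacker = alert.get("Attacking Computer", "")
    remote_ips = [ip for ip in IPV4.findall(attacker)
                  if not ipaddress.ip_address(ip).is_private]
    url = alert.get("Attacker URL", "")
    host = url.split("/", 1)[0].lower() if url else None
    m = ORIGIN.search(alert.get("Traffic Description", ""))
    process = m.group(1).rsplit("\\", 1)[-1].lower() if m else None
    return {
        "time": alert.get("Date & Time"),
        "signature": alert.get("IPS Alert Name"),
        "remote_ips": remote_ips,
        "host": host,
        "process": process,
        "blocked": "Blocked" in alert.get("Activity Status", ""),
    }


def summarize(text):
    """Group alerts by (originating process, contacted host)."""
    groups = defaultdict(lambda: {"count": 0, "ips": set(),
                                  "signatures": set(), "all_blocked": True})
    for alert in parse_export(text):
        ind = extract_indicators(alert)
        g = groups[(ind["process"], ind["host"])]
        g["count"] += 1
        g["ips"].update(ind["remote_ips"])
        if ind["signature"]:
            g["signatures"].add(ind["signature"])
        g["all_blocked"] &= ind["blocked"]
    return {k: {"count": v["count"], "ips": sorted(v["ips"]),
                "signatures": sorted(v["signatures"]),
                "all_blocked": v["all_blocked"]} for k, v in groups.items()}


if __name__ == "__main__":
    for (process, host), info in summarize(SAMPLE_EXPORT).items():
        print(f"{process} -> {host}: {info['count']} alert(s), IPs {info['ips']}, "
              f"signatures {info['signatures']}, all blocked: {info['all_blocked']}")
```

Grouping by originating process is the check that matters here: every alert resolves to cef_browser_process.exe, the game's embedded Chromium, so the IPS is flagging a page that process rendered (the in-game site the mod loads), not an inbound connection to the PC. Whether that page is hostile or merely ad redirects is a separate question; which mod makes the game open it is what to trace.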

Here's my thinking... with my limited knowledge of coding...

Something in the modpack was put there to give another puter something to query, thus hopefully gaining access to our puters through the modpack.
I think they are using:

* Perhaps a weak spot they discovered, so multiple attempts to query it repeatedly will eventually lead to a connection.

* Portions from old, no-longer-used apps or code (remnants of some old program?) have made the modpack vulnerable to repeated query attempts to connect.

* Part of a program/app/code that was found / left behind / no longer used but still within the modpack has left a weak spot or chink in the armour, is undetected by your virus protection before release & only appears as a threat to OUR virus protection when queried multiple times, & eventually said query may find a way to let someone in.

 

I'm totally guessing here, but my point is this:

* Hopefully I have triggered a different way to approach the idea that there could be a virus or weak spot which could allow someone to gain access to our puters.
* Created a challenge amongst you programmers as to what could be causing this.

* Persuaded some of you to think differently about this & find what is causing it.

 

There has to be a reason why my virus protection app (& several other virus apps on other puters) are all triggering warnings about these attacks, stopping them & repeatedly preventing multiple queries from some puters in .ru attempting to break into our systems.

 

I have read where multiple attacks or queries on puters have successfully gained access to them by making repeated attempts.

Just sayin... :)
