User Support & Resources - clicksnetworks.net? blackhole toolkit on ls1tech?




DarkFox118
01-16-2012, 09:07 AM
Good morning guys,

I'm sitting here browsing the forums and my symantec keeps popping up every time I make a post or view a thread saying it's blocking traffic because of a "blackhole" exploit.

then I get a constant timeout of "clicksnetworks.net" and the forum page won't finish loading until I hit the X in the browser.

never had this issue before, seems to be just the site today.

even as I type this the browser is saying "connecting to clicksnetworks.net" in the bottom right (firefox.)

I did a google of this site and nothing came up.

ip address I have is 146.185.254.34 and this is the addy that endpoint is blocking.

I'm on here all the time, never had this issue before, and didn't turn up anything on the search.

Eventually the clicksnetwork request stops, be it that it responds or that it times out, I'm not sure.

Here's my logs:

[SID: 24215] Web Attack: Blackhole Toolkit Website 12 detected.
Traffic has been blocked from this application: C:\Program Files (x86)\Mozilla Firefox\firefox.exe

Traffic from IP address 146.185.254.34 is blocked from 1/16/2012 9:56:26 AM to 1/16/2012 10:06:26 AM.

False alarm I'm sure.. but why just now?

research on this toolkit thing doesn't sound very reassuring.

http://www.symantec.com/connect/blogs/blackhole-theory


DarkFox118
01-16-2012, 09:33 AM
confirmed this is not just my computer here at the office. Tried from home, received same warning. This was not occurring last night.

home log:

[SID: 24215] Web Attack: Blackhole Toolkit Website 12 detected.
Traffic has been blocked from this application: C:\Program Files (x86)\Mozilla Firefox\firefox.exe

Traffic from IP address 146.185.254.34 is blocked from 11/27/2011 5:26:41 PM to 11/27/2011 5:36:41 PM.

Same parameters in both cases. clicksnetworks.net is the name resolution.

the thing that has me most concerned on symantec's site:

3) passw.plug – It will hook the export table of a number of WININET.dll and USER32.dll functions and will log every username/password combination that is typed, as well as any URLs visited.

Man I hope I'm wrong about this. I'm not trying to create panic, just resolve this ASAP. Just tried a 3rd computer, fresh install plus AV, same warning, this time with IE9.

99FormulaM6
01-16-2012, 09:35 AM
Norton is blocking this every time I come to LS1tech. Address is: clicksnetworks.net

Any idea what it is? I googled it and someone on CF posted the same thing.. Kinda weird both sites are IB sites. I don't get the warning when I go to other websites either. I have only gotten it here and on CF, I haven't been on the PC enough this morning to go to a bunch of other sites though.


Here is the CF link:
http://forums.corvetteforum.com/c6-corvette-general-discussion/2983842-virus-alert.html


99FormulaM6
01-16-2012, 09:37 AM
I just went to the list of IB sites:

http://www.internetbrands.com/our-brands/automotive/

and started clicking on random ones, and it is coming from a lot of them, but not all. I wonder if IB was targeted or something...

MeentSS02
01-16-2012, 09:39 AM
I'm getting the same thing.

99FormulaM6
01-16-2012, 09:41 AM
Info about it:
http://www.symantec.com/security_response/attacksignatures/detail.jsp?asid=24215

A thread on Norton:

http://community.norton.com/t5/Norton-Internet-Security-Norton/Norton-repeatedly-blocking-Blackhole-Toolkit-Website-Attack/td-p/461114

Hi mml_1980,



That information is helpful. A Web Attack indicates that you are encountering a driveby download attempt. Since you indicate that this is only happening when you access your homepage, then this is likely resulting from a compromised website or poisoned ads, as you say, rather than from malware on your system.



If you are getting this without going to the Yahoo! site, either manually or automatically, there may be an issue. If just getting online causes these alerts, then something may be connecting out.

MeentSS02
01-16-2012, 09:45 AM
I notified someone at IB about this...hopefully they can resolve this before it causes someone a problem.

MeentSS02
01-16-2012, 09:50 AM
I'm getting the same thing.

01BlackCamaroSS
01-16-2012, 09:52 AM
Same here

1point3liter
01-16-2012, 10:35 AM
I believe it just infected a friend of mine's machine.

1point3liter
01-16-2012, 10:36 AM
Btw, I also saw a couple warnings from Symantec endpoint.

arock24
01-16-2012, 10:45 AM
me dos

Has this been addressed?

BIGDRAGON
01-16-2012, 10:48 AM
Me too.

DarkFox118
01-16-2012, 10:48 AM
I reported my own post to admins, no contact from them yet.

I'm more worried about people who are unprotected that browse the site.

(you should ALWAYS use protection. :lol:)

J-Rod
01-16-2012, 11:00 AM
I'm checking into it. My guess is someone bought a banner and is directing it to a "bad" site. That happens from time to time.

Hi-Po
01-16-2012, 11:04 AM
hitnetsystem(dot)com is what Kaspersky is telling me.

DarkFox118
01-16-2012, 11:09 AM
I'm checking into it. My guess is someone bought a banner and is directing it to a "bad" site. That happens from time to time.


possible. This visit I didn't receive the error.

I have adblock on my browser (sorry!) so I'm not seeing most of the banners, but that doesn't mean the code isn't being loaded apparently. It was on every single page for a while tho.

J-Rod
01-16-2012, 11:25 AM
I haven't gotten any warnings on my session, but as I said, I am looking into it. I have also let IB know so they can have their guys look into it as well. Post in here if you see anything else.

speedtigger
01-16-2012, 11:27 AM
I had the same thing happen. I reported it.

DarkFox118
01-16-2012, 11:32 AM
not seeing it anymore on my side.

Last event was logged here:

Traffic from IP address 146.185.254.34 is blocked from 1/16/2012 11:47:21 AM to 1/16/2012 11:57:21 AM.

current time is 12:30PM, and I've been on here tooling around with PMs and following up threads (slow work day..) for the last few minutes, so whatever it is, I think ya musta got it. Now the fun part is of course finding out what it was to begin with, and how it got here. :lol:

I don't run an operation anywhere near as sophisticated as this site, but I do work in IT, so I know how troublesome this kinda thing can be, especially if users' data is compromised. I'm STILL chasing demons from a user who fell for a phishing scam 2 months ago.
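
Added example, not part of any post in this thread: a Python sketch that parses the endpoint notifications quoted above and groups the block windows per remote IP, so reports from several machines can be compared in one place. The function names are hypothetical and the line format is assumed from the three notifications quoted in the thread only.

```python
import re
from datetime import datetime

# Notification text copied from the posts above (office log, home log, last event).
SAMPLE = """\
[SID: 24215] Web Attack: Blackhole Toolkit Website 12 detected.
Traffic has been blocked from this application: C:\\Program Files (x86)\\Mozilla Firefox\\firefox.exe
Traffic from IP address 146.185.254.34 is blocked from 1/16/2012 9:56:26 AM to 1/16/2012 10:06:26 AM.
[SID: 24215] Web Attack: Blackhole Toolkit Website 12 detected.
Traffic has been blocked from this application: C:\\Program Files (x86)\\Mozilla Firefox\\firefox.exe
Traffic from IP address 146.185.254.34 is blocked from 11/27/2011 5:26:41 PM to 11/27/2011 5:36:41 PM.
Traffic from IP address 146.185.254.34 is blocked from 1/16/2012 11:47:21 AM to 1/16/2012 11:57:21 AM.
"""

SIG_RE = re.compile(r"\[SID: (\d+)\] (.+?) detected\.")
APP_RE = re.compile(r"blocked from this application: (.+)$")
BLOCK_RE = re.compile(r"Traffic from IP address (\d{1,3}(?:\.\d{1,3}){3}) is blocked from (.+?) to (.+?)\.$")
TS = "%m/%d/%Y %I:%M:%S %p"  # assumed timestamp layout, as seen in the quoted logs

def parse_blocks(text):
    """Return one dict per 'Traffic from IP address ... is blocked' line."""
    events, sid, name, app = [], None, None, None
    for line in map(str.strip, text.splitlines()):
        if m := SIG_RE.search(line):
            sid, name = int(m.group(1)), m.group(2)
        elif m := APP_RE.search(line):
            app = m.group(1)
        elif m := BLOCK_RE.search(line):
            start, end = (datetime.strptime(g, TS) for g in m.group(2, 3))
            events.append({"ip": m.group(1), "sid": sid, "signature": name,
                           "app": app, "start": start, "end": end})
            sid = name = app = None  # context belongs to one notification only
    return events

def summarize(events):
    """Group block events per remote IP: count, signature ids, first/last seen."""
    out = {}
    for e in sorted(events, key=lambda e: e["start"]):
        s = out.setdefault(e["ip"], {"count": 0, "sids": set(),
                                     "first_seen": e["start"], "last_seen": e["end"]})
        s["count"] += 1
        s["last_seen"] = max(s["last_seen"], e["end"])
        if e["sid"] is not None:
            s["sids"].add(e["sid"])
    return out

if __name__ == "__main__":
    for ip, s in summarize(parse_blocks(SAMPLE)).items():
        print(ip, s["count"], sorted(s["sids"]), s["first_seen"], s["last_seen"])
```

The last quoted event has no signature line, so it is kept with `sid` set to `None` rather than inheriting the previous notification's signature. The earliest window in the quoted logs is dated 11/27/2011, which is why `first_seen` falls before the day of the thread.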

Gaunt
01-16-2012, 12:07 PM
Already have a thread about this in User support, merging with that one

99FormulaM6
01-16-2012, 12:44 PM
I stopped getting the alerts as well. I don't know what it was, since I don't see any ads (AB+ installed) so I couldn't see a common ad between forums. Maybe later I will check the log and see what script was running when the alerts came up.