
clicksnetworks.net? blackhole toolkit on ls1tech?

#1 | DarkFox118 (Thread Starter) | 01-16-2012, 09:07 AM
clicksnetworks.net? blackhole toolkit on ls1tech?

Good morning guys,

I'm sitting here browsing the forums and my Symantec keeps popping up every time I make a post or view a thread, saying it's blocking traffic because of a "blackhole" exploit.

Then I get a constant timeout of "clicksnetworks.net" and the forum page won't finish loading until I hit the X in the browser.

Never had this issue before; it seems to be just this site today.

Even as I type this, the browser is saying "connecting to clicksnetworks.net" in the bottom right (Firefox).

I did a Google search for this site and nothing came up.

The IP address I have is 146.185.254.34, and this is the address that Endpoint is blocking.

I'm on here all the time, never had this issue before, and didn't turn up anything on the search.

Eventually the clicksnetworks request stops, be it that it responds or that it times out; I'm not sure.

Here's my logs:

[SID: 24215] Web Attack: Blackhole Toolkit Website 12 detected.
Traffic has been blocked from this application: C:\Program Files (x86)\Mozilla Firefox\firefox.exe

Traffic from IP address 146.185.254.34 is blocked from 1/16/2012 9:56:26 AM to 1/16/2012 10:06:26 AM.

False alarm, I'm sure... but why just now?

Research on this toolkit thing doesn't sound very reassuring.

http://www.symantec.com/connect/blogs/blackhole-theory

#2 | DarkFox118 (Thread Starter) | 01-16-2012, 09:33 AM

Confirmed this is not just my computer here at the office. Tried from home, received the same warning. This was not occurring last night.

Home log:

[SID: 24215] Web Attack: Blackhole Toolkit Website 12 detected.
Traffic has been blocked from this application: C:\Program Files (x86)\Mozilla Firefox\firefox.exe

Traffic from IP address 146.185.254.34 is blocked from 11/27/2011 5:26:41 PM to 11/27/2011 5:36:41 PM.

Same parameters in both cases. clicksnetworks.net is the name resolution.

The thing that has me most concerned on Symantec's site:

Originally Posted by Symantec's site
3) passw.plug – It will hook the export table of a number of WININET.dll and USER32.dll functions and will log every username/password combination that is typed, as well as any URLs visited.

Man, I hope I'm wrong about this. I'm not trying to create panic, just resolve this ASAP. Just tried a 3rd computer, fresh install plus AV, same warning, this time with IE9.

Last edited by DarkFox118; 01-16-2012 at 09:43 AM.
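The Symantec Endpoint Protection alert excerpts quoted in this thread all have the same three-line shape: the IPS signature ID and name, the application whose traffic was blocked, and the blocked IP with a ten-minute block window. When several machines report the same thing, the first useful step is to parse those lines into events and summarise them (one signature? one IP? which browsers? first and last seen?). The following is an added example, not code from the thread or from Symantec. The first two events are the lines quoted in posts #1 and #20 of this thread; the third is constructed here to stand in for the IE9 machine mentioned in post #2, whose log was never posted, so its iexplore.exe path and timestamps are assumptions.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample: the first two events are the Symantec Endpoint Protection lines quoted
# in posts #1 and #20 of the thread; the third is an ASSUMED entry standing in for the IE9
# machine of post #2 (its path and times are made up for the example).
SAMPLE_LOG = r"""
[SID: 24215] Web Attack: Blackhole Toolkit Website 12 detected.
Traffic has been blocked from this application: C:\Program Files (x86)\Mozilla Firefox\firefox.exe
Traffic from IP address 146.185.254.34 is blocked from 1/16/2012 9:56:26 AM to 1/16/2012 10:06:26 AM.

[SID: 24215] Web Attack: Blackhole Toolkit Website 12 detected.
Traffic has been blocked from this application: C:\Program Files (x86)\Mozilla Firefox\firefox.exe
Traffic from IP address 146.185.254.34 is blocked from 1/16/2012 11:47:21 AM to 1/16/2012 11:57:21 AM.

[SID: 24215] Web Attack: Blackhole Toolkit Website 12 detected.
Traffic has been blocked from this application: C:\Program Files\Internet Explorer\iexplore.exe
Traffic from IP address 146.185.254.34 is blocked from 1/16/2012 10:12:03 AM to 1/16/2012 10:22:03 AM.
"""

SIG_RE = re.compile(r"^\[SID: (?P<sid>\d+)\] (?P<name>.+?) detected\.$")
APP_RE = re.compile(r"^Traffic has been blocked from this application: (?P<app>.+)$")
BLOCK_RE = re.compile(
    r"^Traffic from IP address (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) is blocked from "
    r"(?P<start>.+?) to (?P<end>.+?)\.$"
)
TS_FMT = "%m/%d/%Y %I:%M:%S %p"   # matches "1/16/2012 9:56:26 AM"


def parse_events(text):
    """Group the three-line alert blocks into dicts; an event is complete at its 'blocked from' line."""
    events, cur = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := SIG_RE.match(line):
            cur = {"sid": int(m["sid"]), "signature": m["name"]}
        elif m := APP_RE.match(line):
            cur["app"] = m["app"]
        elif m := BLOCK_RE.match(line):
            cur["ip"] = m["ip"]
            cur["start"] = datetime.strptime(m["start"], TS_FMT)
            cur["end"] = datetime.strptime(m["end"], TS_FMT)
            events.append(cur)
            cur = {}
    return events


def summarize(events):
    """What a responder wants first: which signature, which IP, which apps, when, and how long the block lasts."""
    return {
        "signatures": sorted({(e["sid"], e["signature"]) for e in events}),
        "blocked_ips": sorted({e["ip"] for e in events}),
        # keep only the executable name so the same browser on different installs is counted once
        "apps": Counter(e["app"].rsplit("\\", 1)[-1].lower() for e in events),
        "first_seen": min(e["start"] for e in events),
        "last_seen": max(e["start"] for e in events),
        "block_minutes": sorted({int((e["end"] - e["start"]).total_seconds() // 60) for e in events}),
    }


if __name__ == "__main__":
    for key, value in summarize(parse_events(SAMPLE_LOG)).items():
        print(f"{key}: {value}")
```

A single SID, a single blocked IP and alerts from two different browsers on several machines is the pattern that points at the site (or something it embeds) rather than at one infected PC, which is the same reasoning the Norton thread quoted later in this page applies.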

#3 | 99FormulaM6 | 01-16-2012, 09:35 AM
Blackhole toolkit Website 12

Norton is blocking this every time I come to LS1tech. Address is: clicksnetworks.net

Any idea what it is? I googled it and someone on CF posted the same thing. Kinda weird both sites are IB sites. I don't get the warning when I go to other websites either. I have only gotten it here and on CF; I haven't been on the PC enough this morning to go to a bunch of other sites though.


Here is the CF link:
http://forums.corvetteforum.com/c6-c...rus-alert.html

#4 | 99FormulaM6 | 01-16-2012, 09:37 AM

I just went to the list of IB sites:

http://www.internetbrands.com/our-brands/automotive/

and started clicking on random ones, and it is coming from a lot of them, but not all. I wonder if IB was targeted or something...

#5 | MeentSS02 (Moderator) | 01-16-2012, 09:39 AM

I'm getting the same thing.

#6 | 99FormulaM6 | 01-16-2012, 09:41 AM

Info about it:
http://www.symantec.com/security_res...jsp?asid=24215

A thread on Norton:
http://community.norton.com/t5/Norto...ck/td-p/461114

Originally Posted by the Norton thread
Hi mml_1980,

That information is helpful. A Web Attack indicates that you are encountering a driveby download attempt. Since you indicate that this is only happening when you access your homepage, then this is likely resulting from a compromised website or poisoned ads, as you say, rather than from malware on your system.

If you are getting this without going to the Yahoo! site, either manually or automatically, there may be an issue. If just getting online causes these alerts, then something may be connecting out.

#7 | MeentSS02 (Moderator) | 01-16-2012, 09:45 AM

I notified someone at IB about this...hopefully they can resolve this before it causes someone a problem.

#9 | 01BlackCamaroSS | 01-16-2012, 09:52 AM

Same here

#10 | 1point3liter | 01-16-2012, 10:35 AM

I believe it just infected a friend of mine's machine.

#11 | 1point3liter | 01-16-2012, 10:36 AM

Btw, I also saw a couple of warnings from Symantec Endpoint.

#12 | arock24 | 01-16-2012, 10:45 AM

me dos

Has this been addressed?

#13 | BIGDRAGON | 01-16-2012, 10:48 AM

Me too.

#14 | DarkFox118 (Thread Starter) | 01-16-2012, 10:48 AM

I reported my own post to admins, no contact from them yet.

I'm more worried about people who are unprotected that browse the site.

(You should ALWAYS use protection.)

#15 | J-Rod (Administrator) | 01-16-2012, 11:00 AM

I'm checking into it. My guess is someone bought a banner and is directing it to a "bad" site. That happens from time to time.

#16 | Hi-Po | 01-16-2012, 11:04 AM

hitnetsystem(dot)com is what Kaspersky is telling me.

#17 | DarkFox118 (Thread Starter) | 01-16-2012, 11:09 AM

Originally Posted by J-Rod
I'm checking into it. My guess is someone bought a banner and is directing it to a "bad" site. That happens from time to time.

Possible. This visit I didn't receive the error.

I have Adblock on my browser (sorry!) so I'm not seeing most of the banners, but that doesn't mean the code isn't being loaded, apparently. It was on every single page for a while, though.
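Post #15 suggests a purchased banner pointing at a bad site, and post #17 makes the practical point that an ad blocker hiding banners does not mean the ad code is not being loaded: a script, iframe or image is fetched by the browser without any click, and a blocker only stops it if a filter rule matches the request. The check a practitioner wants at that moment is a list of every third-party host a page pulls automatically, with the ones named in this thread flagged. The following is an added example, not code from the thread, from LS1tech or from Internet Brands: it runs Python's standard-library HTML parser over a constructed page fragment (not the real forum markup; the ad URLs are made up), treats ls1tech.com as the first-party host, uses the three hosts named in posts #1, #2 and #16 as a watchlist, and treats the hypothetical cdn.example-forum.test as the one expected third party.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Hosts named as the source of the alerts in this thread (posts #1, #2 and #16).
WATCHLIST = {"clicksnetworks.net", "hitnetsystem.com", "146.185.254.34"}

# Tags whose URL the browser fetches on its own, with no click. Links (<a href>) are
# deliberately not in this table: they load nothing until a user follows them.
AUTO_LOAD = {
    "script": "src", "iframe": "src", "img": "src",
    "embed": "src", "object": "data", "link": "href",
}

# CONSTRUCTED page fragment for the demo. This is NOT the real forum markup; the ad
# zone, pixel path and CDN host are invented for the example.
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="/clientscript/vbulletin.css">
<script src="/clientscript/vbulletin_global.js"></script>
<script src="https://cdn.example-forum.test/js/ads.js"></script>
</head><body>
<div id="banner" style="display:none">
  <iframe src="http://clicksnetworks.net/show?zone=12" width="1" height="1"></iframe>
</div>
<img src="http://hitnetsystem.com/pixel.gif" width="1" height="1">
<a href="http://www.symantec.com/connect/blogs/blackhole-theory">Blackhole write-up</a>
</body></html>
"""


class ExternalRefs(HTMLParser):
    """Collect (tag, host, url) for every auto-loaded resource served from another host."""

    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host.lower()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        attr = AUTO_LOAD.get(tag)
        if attr is None:
            return
        url = dict(attrs).get(attr)
        host = urlsplit(url).hostname if url else None   # relative URLs have no host: first-party
        if host and host.lower() != self.page_host:
            self.refs.append((tag, host.lower(), url))


def audit(html, page_host, allowed_hosts):
    """Return third-party loads that are on the watchlist, or not on the expected-host allowlist."""
    parser = ExternalRefs(page_host)
    parser.feed(html)
    findings = []
    for tag, host, url in parser.refs:
        if host in WATCHLIST:
            findings.append(("known-bad", tag, host, url))
        elif host not in allowed_hosts:
            findings.append(("unexpected", tag, host, url))
    return findings


if __name__ == "__main__":
    for verdict, tag, host, url in audit(SAMPLE_HTML, "ls1tech.com", {"cdn.example-forum.test"}):
        print(f"{verdict:10} <{tag}> {host:25} {url}")
```

The hidden 1x1 iframe in the sample is reported even though nothing is visible on the page, which is exactly the situation post #17 describes; the Symantec link is not reported because an `<a>` tag loads nothing by itself. Run against a saved copy of a real page, the "unexpected" bucket is where an ad network that was not there yesterday shows up.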

#18 | J-Rod (Administrator) | 01-16-2012, 11:25 AM

I haven't gotten any warnings on my session, but as I said, I am looking into it. I have also let IB know so they can have their guys look into it as well. Post in here if you see anything else.

#19 | speedtigger | 01-16-2012, 11:27 AM

I had the same thing happen. I reported it.

#20 | DarkFox118 (Thread Starter) | 01-16-2012, 11:32 AM

Not seeing it anymore on my side.

Last event was logged here:

Traffic from IP address 146.185.254.34 is blocked from 1/16/2012 11:47:21 AM to 1/16/2012 11:57:21 AM.

current time is 12:30PM, and I've been on here tooling around with PMs and following up threads (slow work day..) for the last few minutes, so whatever it is, I think ya musta got it. Now the fun part is of course finding out what it was to begin with, and how it got here.

I don't run an operation anywhere near as sophisticated as this site, but I do work in IT, so I know how troublesome this kind of thing can be, especially if users' data is compromised. I'm STILL chasing demons from a user who fell for a phishing scam 2 months ago.


All times are GMT -5.