TriumphGuy
New member
If that's the case, then they have a problem and need to shut down their web presence until it's been fixed. Also, looks like the site's still a no-go as of right now.
Keltec site virus
- Thread starter WyMark
- Start date
If that's the case, then they have a problem and need to shut down their web presence until it's been fixed. Also, looks like the site's still a no-go as of right now.
Armorer-at-Law
New member
WARNING!
This is still an active problem!
I got a vicious worm just from opening their home page today that has my IT guy replacing my hard drive now. Combofix was not effective.
The site really needs to come down until it is fixed.
This is still an active problem!
I got a vicious worm just from opening their home page today that has my IT guy replacing my hard drive now. Combofix was not effective.The site really needs to come down until it is fixed.
Brian Pfleuger
Moderator Emeritus
It's probably a DNS hack. Their site IS offline. You're being redirected to an otherwise identical site that contains a virus.
TriumphGuy
New member
That's not really how DNS works. If Kel-Tec owns "keltecweapons.com," they get to decide what IP address traffic is directed to.
Now it's very possible that once you have a virus on your own computer, you could be redirected to different websites but that's not what's going on here. That's what frustrates me with them at this point. If they can't get this fixed, they need to shut their site down until they can. I was ready to lay some tax return money down on a KSG up until now.
Now it's very possible that once you have a virus on your own computer, you could be redirected to different websites but that's not what's going on here. That's what frustrates me with them at this point. If they can't get this fixed, they need to shut their site down until they can. I was ready to lay some tax return money down on a KSG up until now.
Brian Pfleuger
Moderator Emeritus
It has and does happen. That's the whole point. The DNS is redirected. If they know they have a virus, why would they leave their site up? It's a 30 second fix. You replace the site code with an uninfected backup copy. They can't do that because the traffic isn't getting to them. It's being redirected. No reputable company would leave an infected site online. Anybody who knows the first thing about computers could fix it in a minute but it's not that easy to fix a DNS redirect.
DNS hacks have happened many times.
DNS hacks have happened many times.
TriumphGuy
New member
I'm not going to go into all of the details, but when your computer looks up Keltecweapons.com, it doesn't get the IP address from Kel-Tec. It comes from your internet service provider. Unless all of our ISPs have been hacked by some organization with a vendetta against Kel-tec, that's not what's going on.
It's absolutely possible that their webpage is forwarding people to a different server, but if that were to happen the url in your browser's address bar would change.
It's absolutely possible that their webpage is forwarding people to a different server, but if that were to happen the url in your browser's address bar would change.
Brian Pfleuger
Moderator Emeritus
I know how DNS works. There have been many DNS hacks over the years. Might not be that, might be.
Could also be SQL injection or an unpatched web server.
Could also be SQL injection or an unpatched web server.
Brian Pfleuger
Moderator Emeritus
If they were running Linux or Mac it wouldn't be happening.
TriumphGuy
New member
You're right. It is absolutely possible but according to their registrar, Domains Priced Right, the record hasn't been changed since August 21 of last year.
TriumphGuy
New member
I did a little snooping, here's my best guess at what's going on.
Each of those port numbers there correspond to a service running on whatever server keltecweapons.com points at. I can't think of a whole lot of good reasons to have anything other than 80 and 443 open on a webserver. Port 21 and 22 are used by well known web services and aren't necessarily telling of anything bad on their own until you add all of those "unknown" ports in the 50000 range.
If I were to bet on what's going on here, I'd say that someone found a way into their systems somehow. Maybe a keylogger that one of their employees picked up, SQL injection as Peetza mentioned or some other vulnerability.
Now the internet bad guy has free reign to hide the virus that we're all seeing on their front page and try to get as much personal data from the computers that are infected by the site.
Computers infected with viruses providing backdoor access like this (kel-tec's server and your computer if it was infected by it) are known as "zombies" and often traded like commodities around the circle of people who deal in this sort of thing. If you even suspect that your computer was a target, you really need to make sure that everything is cleaned up properly (pay someone if you need to) and then change the password to every single service that you use on the web. Email, online banking, this forum, etc.
Each of those port numbers there correspond to a service running on whatever server keltecweapons.com points at. I can't think of a whole lot of good reasons to have anything other than 80 and 443 open on a webserver. Port 21 and 22 are used by well known web services and aren't necessarily telling of anything bad on their own until you add all of those "unknown" ports in the 50000 range.
If I were to bet on what's going on here, I'd say that someone found a way into their systems somehow. Maybe a keylogger that one of their employees picked up, SQL injection as Peetza mentioned or some other vulnerability.
Now the internet bad guy has free reign to hide the virus that we're all seeing on their front page and try to get as much personal data from the computers that are infected by the site.
Computers infected with viruses providing backdoor access like this (kel-tec's server and your computer if it was infected by it) are known as "zombies" and often traded like commodities around the circle of people who deal in this sort of thing. If you even suspect that your computer was a target, you really need to make sure that everything is cleaned up properly (pay someone if you need to) and then change the password to every single service that you use on the web. Email, online banking, this forum, etc.
TriumphGuy
New member
Heck, I'm feeling nice tonight. If anybody from Kel-Tec is listening, here's the bit of offending HTML from the front page that's causing all of the mischief.
Basically, it creates a tiny little invisible box in the top left hand of their page that contains some very bad web content from another server, the address to which I've removed.
Maybe Kel-Tec will send me that KSG I was wanting for free on account of all of this free consulting.
Basically, it creates a tiny little invisible box in the top left hand of their page that contains some very bad web content from another server, the address to which I've removed.
Maybe Kel-Tec will send me that KSG I was wanting for free on account of all of this free consulting.
Brian Pfleuger
Moderator Emeritus
Well done, Computer Geek.
TriumphGuy
New member
As of about a minute ago, that frame no longer exists. I wonder if they actually are listening.
I wouldn't say that means that the site is safe to visit yet though. I'd wait for some sort of official announcement on their part. Plus, as of right now those nasty TCP ports are still open.
I wouldn't say that means that the site is safe to visit yet though. I'd wait for some sort of official announcement on their part. Plus, as of right now those nasty TCP ports are still open.
Yep, I got it to. I have Micro Trend and still go it. I found on the net how to get rid of it, long process took over 4 hours.
Here are the instructions I used:
http://www.bleepingcomputer.com/virus-removal/remove-system-check
Here are the instructions I used:
http://www.bleepingcomputer.com/virus-removal/remove-system-check
Last edited:
Thanks for the warning.
I delete everything I look at every night as well as clean disk and do the McAfee cleaning utility too.
Plus,I can always do a hard drive format if it gets bad-I have a disk that will auto load from the dvd drive and kill anything that's on the disk as well as all my data too.
Had to do that once-I fought that sucker back through several popup pages and turned off the surge protector to the computer before it could go really deep.
But I don't depend on my computer for much of anything anyway.
Frankly,if it was'nt for a few sites and the heatpump parts I am getting online for 10% of what a ac company would charge me,I'd take a sledge hammer to mine right now.
MASSIVE life wasters.
A billion times worse then television.
I delete everything I look at every night as well as clean disk and do the McAfee cleaning utility too.
Plus,I can always do a hard drive format if it gets bad-I have a disk that will auto load from the dvd drive and kill anything that's on the disk as well as all my data too.
Had to do that once-I fought that sucker back through several popup pages and turned off the surge protector to the computer before it could go really deep.
But I don't depend on my computer for much of anything anyway.
Frankly,if it was'nt for a few sites and the heatpump parts I am getting online for 10% of what a ac company would charge me,I'd take a sledge hammer to mine right now.
MASSIVE life wasters.
A billion times worse then television.
I haven't visited their site and don't plan to. I did get hit by a very vicious piece of malware about two years ago that was bad enough that I had to re-format the hard drive (on a side note, it did help to get rid of some of the junk).
It also managed to steal a "credit card" number that I used for online purchases. Fortunately, I have always been leery about sending my real credit card/debit card info over the net. I had purchased a pre-paid VISA card from AAA which I would load when I wanted to buy anything. The thieves only got about $10 and I got a different pre-paid card.
The point about all this is to recommend the use of these sorts of pre-paid cards. I am fairly computer savvy but sometimes even the pros get hit.
It also managed to steal a "credit card" number that I used for online purchases. Fortunately, I have always been leery about sending my real credit card/debit card info over the net. I had purchased a pre-paid VISA card from AAA which I would load when I wanted to buy anything. The thieves only got about $10 and I got a different pre-paid card.
The point about all this is to recommend the use of these sorts of pre-paid cards. I am fairly computer savvy but sometimes even the pros get hit.