Malware Warnings

Dave    230

Dear all,

 

We received notification from Google a few hours ago that some malware had been injected into some of our forum pages, leading to a warning being displayed whenever SFN is listed in Google search results.

 

Both myself and Capn have investigated this issue and have found no evidence of this so far -- it may be the result of an IP.Board vulnerability that we have just patched. Additionally, we have checked servers and done our best to ensure the site is safe.

 

The issue has been bounced back to Google, and hopefully this should be resolved within the next few hours or days. I will post again once we have received an update.

studiot    1161

Let me have an allegedly infected page link (by pm if you like) for test.

 

 

My sensors have not tingled about any thread I have looked at except the one I reported recently as spam.

 

Edit: nothing detected upon leaving this thread, but immediately upon leaving this thread (85514) the following was detected.

[attached screenshot: post-74263-0-42243000-1410732856_thumb.jpg]

 

Edited by studiot

studiot    1161

I clicked on the "View New topic" option to go to the next thread.

 

That worked OK, but as the list came up so did the warning.

 

I have tried it again a couple of times but see no warning now. I don't think I will get the warning if the site is now blocked though.

 

As I said any help I can give is all yours.

Dave    230

Thanks studiot for the update. After a bit more searching we did identify the problem and have rectified it. Let us know if you see it again. Hopefully this should be sorted in the next few hours from the standpoint of Google and Safari/Firefox warnings.

  • Upvote 1

Sato    87

It is 8:49 PM EST and I chose to ignore Firefox's warning against visiting this page. This thread was posted ~6 hours ago and so I hope you have definitively removed the threat/malware from the site. Can you verify this?

 

What was the problem?

Dave    230

As far as we can tell, the problem has been fixed. It was a little hard to trace since it only appeared infrequently (roughly every 2 in 70 or so page requests according to Google). I will post a further update later as to the probable cause, but want to discuss the matter with the forum developers first.

 

In the meantime we will keep a very close eye on the situation and await a review from Google.

studiot    1161

Having accessed SF in my normal manner this morning I have not seen any more issues.

 

It is most unusual for me to access SF via Google so I cannot comment on this route.

 

Clearly a recommendation for my antivirus.

 

Dave/Capt

Later on this morning I will try out the forum using an unprotected version of Windows (I can do this easily) and report.

 

Cheers

sunshaker    28

I am using Google Chrome, still getting warnings, cannot enter any topic without warning.

It is 11.20am UK.

Tried to post with my tor browser but needed secure key.

 

Details I am still getting. Should I change any google settings?

Safe Browsing Diagnostic page for scienceforums.net/topic

What is the current listing status for scienceforums.net/topic?

Site is listed as suspicious - visiting this web site may harm your computer.

Part of this site was listed for suspicious activity 3 time(s) over the past 90 days.

What happened when Google visited this site?

Of the 76 pages we tested on the site over the past 90 days, 3 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2014-09-14, and the last time suspicious content was found on this site was on 2014-09-14.

Malicious software includes 3 exploit(s). Successful infection resulted in an average of 13 new process(es) on the target machine.

Malicious software is hosted on 1 domain(s), including
.

1 domain(s) appear to be functioning as intermediaries for distributing malware to visitors of this site, including
.

This site was hosted on 1 network(s) including
.

Has this site acted as an intermediary resulting in further distribution of malware?

Over the past 90 days, scienceforums.net/topic did not appear to function as an intermediary for the infection of any sites.

Has this site hosted malware?

No, this site has not hosted malicious software over the past 90 days.

How did this happen?

In some cases, third parties can add malicious code to legitimate sites, which would cause us to show the warning message.

Next steps:

Updated 8 hours ago

ydoaPs    1581

Dear all,

 

We received notification from Google a few hours ago that some malware had been injected into some of our forum pages, leading to a warning being displayed whenever SFN is listed in Google search results.

 

Both myself and Capn have investigated this issue and have found no evidence of this so far -- it may be the result of an IP.Board vulnerability that we have just patched. Additionally, we have checked servers and done our best to ensure the site is safe.

 

The issue has been bounced back to Google, and hopefully this should be resolved within the next few hours or days. I will post again once we have received an update.

 

I commented on a report yesterday or so that going to the thread from a certain report gave me a malware warning on my phone.

Cap'n Refsmmat    1338

Google now confirms that we're clean, so you should no longer get any warnings. Many thanks to Dave for helping track down the cause. We were able to eradicate the malicious code fairly easily. We just need to be sure it doesn't return.

MonDie    133

I got the warning when I tried to visit this page without logging in on September 14.

http://www.scienceforums.net/topic/85500-more-complicated-experimental-designs/

 

I'm awfully paranoid since yesterday I was responding to my autism-nonconformity thread on another forum it would be against the rules to advertise when my pointer began to move up and down the length of the screen erratically until I cleared my history and closed my browser. I should probably report it to them.

Edited by Phi for All
removed irrelevant offsite link

MonDie    133

Hrmmmm...... Good thing I have a Chromebook, it can't download stuff so I can view any page with no risk LOL

 

Hmm. I'd say anything with a connection and writable media is vulnerable. They'll find a way, and the self-assured ones will be the first to get hit.

That stuff stored in the cloud still has to execute on the computer. Plus you technically can't view a webpage without "downloading" it.


 

Hmm. I'd say anything with a connection and writable media is vulnerable. They'll find a way, and the self-assured ones will be the first to get hit.

That stuff stored in the cloud still has to execute on the computer. Plus you technically can't view a webpage without "downloading" it.

Dangit, you're right.

fiveworlds    67
Plus you technically can't view a webpage without "downloading" it.

 

And the content of the webpage such as videos, images and music


And the content of the webpage such as videos, images and music

Hey man, haven't seen you around for ages, and yeah the way computers work is very frustrating. (To keep it on subject :D )

Edited by TJ McCaustland

MonDie    133

Tell me about it. I was getting really mean recommendations while listening to music on YouTube, with it culminating when I got a Chic-Fil-A ad every time I visited the YouTube home page on, I believe it was April 1st. It finally occurred to me that somebody operating a YouTube server's firewall could have been doing this, and that they may have done it to any number of IP addresses reaching out to that server. ... Or it could have been a peculiar fluke. Who knows. I've uncovered little in the way of evidence of intrusion, although I intend to write code for a keylogger to use with a special flashdrive I still have lying around. Who knows.

sunshaker    28

This last week my antivirus has gone mad on this site, I just clicked on http://www.scienceforums.net/topic/88578-mmorpg-about-educating-people-on-how-hacking-works/

 

and my antivirus went off: infection JS:LOIC-B[Trj]

Googled this infection, from what I can make out it is used by hackers, strange that this is the topic it went off on.

 

http://www.satinfo.es/blog/tag/js-loic/

http://www.satinfo.es/blog/tag/ataques-ddos/page/2/

 

Now my software will not even open a page to the above thread on hacking.

 

It may be nothing but I thought I would share.


Ah. Well then. I just got redirected from the post Magnetic Pole Reversal imminent in Speculations to a malicious website, I was not able to grab the URL of said website regrettably but I recommend that the moderators/webmaster of SFN check this out. Here is the URL to the post which I was redirected from. http://www.scienceforums.net/topic/94554-magnetic-pole-shift-reversal-imminent/ I do not know if that result can be replicated, but this is an anomaly because though I have seen a few rare ads on SFN my mouse was nowhere near one. I checked my extensions and even the javascript console but have found nothing. Please investigate this matter, because I believe that either:

A: The page contains an embedded malicious redirect,

B: Someone is attempting to redirect traffic going to that page specifically or possibly SFN as a whole to a malicious website

C: There is a breach of the firewall or security system of the SFN servers which is allowing these malicious redirects to control a limited amount of traffic (Unlikely but a distinct possibility.)

Dave    230

Hi Dan, thanks for getting in touch - we had spotted this a few weeks ago, but the template cache did not get rebuilt so it has been lingering on a few pages. I have now rebuilt the caches and removed the offending code. It seems that there is some unknown attack vector, we believe inside IP.Board 3, that is allowing this to reoccur, since there are no other server infections and no out-of-place or different files from the original IPB installation. We're scheduling an update to IPS4 which should hopefully permanently eliminate this issue, but the update affects quite a bit of the site, so we have to do a little planning first.

  • Upvote 3
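Dave's post above describes the clean-up as rebuilding the template caches, removing the injected code and confirming that no files differ from the original IPB installation. The following is an added example, not code from SFN or from IP.Board itself, of how a site operator could automate those two checks: hash every file under the web root against a baseline manifest taken from a clean install, and grep cached templates for the kind of hidden iframe or off-site script that produces redirects like the ones reported here. The directory layout, the sample template, the skin_1.php name and the bad.example host are all constructed for the demonstration.

```python
import hashlib
import os
import re
import tempfile
# Injection markers a forum template cache should not contain: hidden iframes,
# script tags loading from any host but the site's own, and obfuscated eval.
SUSPICIOUS = re.compile(
    r"<iframe[^>]+(?:display\s*:\s*none|width=[\"']?0)"
    r"|<script[^>]*src=[\"']https?://(?!www\.scienceforums\.net)"
    r"|eval\(\s*(?:unescape|atob|String\.fromCharCode)",
    re.IGNORECASE,
)

def sha256_file(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def audit_tree(root, baseline):
    """Diff a web root against a {relpath: sha256} baseline from a clean install
    and grep every file for the injection markers above."""
    seen = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            seen[os.path.relpath(full, root).replace(os.sep, "/")] = full
    report = {"modified": [], "added": [], "missing": [], "injected": []}
    for rel, digest in sorted(baseline.items()):
        if rel not in seen:
            report["missing"].append(rel)          # deleted from the install
        elif sha256_file(seen[rel]) != digest:
            report["modified"].append(rel)         # core file tampered with
    report["added"] = sorted(r for r in seen if r not in baseline)
    for rel, full in sorted(seen.items()):
        with open(full, encoding="utf-8", errors="replace") as f:
            if SUSPICIOUS.search(f.read()):
                report["injected"].append(rel)     # content looks injected
    return report

def demo():
    """Constructed sample: a clean core file plus a cached template with a hidden iframe."""
    root = tempfile.mkdtemp()
    clean = "<html><body>{$content}</body></html>"
    os.makedirs(os.path.join(root, "cache"))
    with open(os.path.join(root, "index.php"), "w") as f:
        f.write(clean)
    with open(os.path.join(root, "cache", "skin_1.php"), "w") as f:
        f.write(clean.replace("</body>", '<iframe src="http://bad.example/" '
                              'style="display:none"></iframe></body>'))
    baseline = {"index.php": hashlib.sha256(clean.encode()).hexdigest()}
    return audit_tree(root, baseline)
```

Running demo() reports the cached template both as a file absent from the clean baseline and as one carrying injected content, while the untouched index.php is neither modified nor missing.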


Hi Dan, thanks for getting in touch - we had spotted this a few weeks ago, but the template cache did not get rebuilt so it has been lingering on a few pages. I have now rebuilt the caches and removed the offending code. It seems that there is some unknown attack vector, we believe inside IP.Board 3, that is allowing this to reoccur, since there are no other server infections and no out-of-place or different files from the original IPB installation. We're scheduling an update to IPS4 which should hopefully permanently eliminate this issue, but the update affects quite a bit of the site, so we have to do a little planning first.

Thank you. I had told Swansont and he notified Cap'n Refsmmat but if you've already fixed it then I believe I owe them an apology and you a thank you.

StringJunky    1504

I had an attack when admin dealt with it last but I knew what was happening and shut the browser down through Task Manager. If that hadn't worked I'd have done the nuclear option and held the power button down to do a hard shutdown. It was acting under the guise of a warning from MS Essentials which is no more.

Edited by StringJunky


I had an attack when admin dealt with it last but I knew what was happening and shut the browser down through Task Manager. If that hadn't worked I'd have done the nuclear option and held the power button down to do a hard shutdown. It was acting under the guise of a warning from MS Essentials which is no more.

Mine was a .biz website..... with all sorts of gritty ads all over the place :wacko:

It was advertising well among that my computer had a bunch of viruses (Which it did not, thanks to AVG) some very..... interesting photos. I'm just hoping that whatever happens I don't get put on the NSA child predator watchlist because of that stupid redirect..... I hate the promiscuous minds of many of the internet's denizens.... cause frankly really..... that's just disgusting.....

