imfdb.org

The Wierd It 12-24-2012 01:35 AM

Reported Attack Site
 
For whatever reason Firefox has started trying to tell me that IMFDB is an attack site.

Has anyone else had this warning, and what can we do about it?

Mr.Ice 12-24-2012 02:46 AM

Yeah I have the same problem but I just chose the ignore warning option and ran a virus scan which showed no problems for me.

Rockwolf66 12-24-2012 03:35 AM

Google is giving a warning about this site. Bunni needs to run a virus sweep of both our site and the ads then get us re-registered as being clean.

I'm guessing that we got some bad code in an ad and got the whole site dinged for it.

Excalibur 12-24-2012 03:45 AM

Yeah I got the warning too and I clicked ignore. Everyone do a virus scan right now.

Rockwolf66 12-24-2012 05:12 AM

My scan is clean. Notice how they don't tell you where they found the "Virus" on a site if you are an Admin for that site?

zackmann08 12-24-2012 05:57 AM

We are aware of the issue and are working to find a solution ASAP. Sorry guys!!

bunni 12-24-2012 07:29 AM

Quote:

Originally Posted by Rockwolf66 (Post 37289)
Google is giving a warning about this site. Bunni needs to run a virus sweep of both our site and the ads then get us re-registered as being clean.

I'm guessing that we got some bad code in an ad and got the whole site dinged for it.

This is also my best guess at the moment as everything seems clean after checking all the usual suspects. Google is reporting malicious code from outside domains, which would suggest an ad; if the software or server was compromised the malware would be stored locally... Funnyjunk.com was also hit with similar malware warnings from similar domains (that's the only thing turning up in Google searches for the domains attributed to the malware by Google) so I'm thinking they were hit with the same malicious ad.

I've disabled ads for now and requested Google review the site and remove the block.

So here is a warning on another site with the same domain, rltk.us, but here it also implicates openx.net as being the source - which adds more evidence to the 'bad ad' hypothesis.

Quote:

What is the current listing status for www.satelliteguys.us?
Site is listed as suspicious - visiting this web site may harm your computer.

What happened when Google visited this site?
Of the 96 pages we tested on the site over the past 90 days, 8 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2012-12-23, and the last time suspicious content was found on this site was on 2012-12-23.
Malicious software includes 2 exploit(s).

Malicious software is hosted on 3 domain(s), including bono.is-found.org/, erikss.dyndns-at-home.com/, rltk.us/.

2 domain(s) appear to be functioning as intermediaries for distributing malware to visitors of this site, including openx.net/, rltk.us/.

This site was hosted on 2 network(s) including AS32244 (LIQUID), AS15169 (Google Internet Backbone).

bunni 12-24-2012 09:03 AM

Ok, I've removed all ads and cleared all cached pages on the site so that hopefully in a few hours once the Google bot comes back through we get a clean bill of health.

bunni 12-24-2012 01:51 PM

Quote:

Status of the latest badware review for this site: A review for this site has finished. The site was found clean. The badware warnings from web search are being removed. Please note that it can take some time for this change to propagate.

Yay, looks like we're clean again (:

The Wierd It 12-24-2012 01:53 PM

Confirmed.

The Wierd It 12-26-2012 11:54 AM

Strike that; it's happened again.

EDIT: And suddenly not. Not sure what happened there.

The Wierd It 12-28-2012 10:59 AM

It keeps coming up for me; either there's a problem on my end or the bad code snuck back in.

Mazryonh 12-29-2012 05:02 AM

Yeah, the "Reported Attack Site" keeps coming back for me as well. I was in the middle of creating a new page of mine, but until this is resolved, I'm not sure it's safe to keep doing so.

The Wierd It 01-01-2013 10:31 AM

Seems it's not just our problem but a fairly general one.

bunni 01-02-2013 06:47 AM

It's hard for us to track down which ad causes it due to how specific ad delivery is these days. Every individual sees ads tailored to them. Additionally the ads masquerade as legitimate ads, and load java exploits randomly. Browsers like Chrome and Firefox protect you when this code is detected and don't execute it.

We use two ad networks, AdSense and OpenX, they're as large and legitimate as they come and these issues seem to be hitting quite a lot of large sites right now.

I've looked into analyzing the ad code on our end for exploits before it's served but haven't found anything.

Mazryonh 01-07-2013 12:03 AM

Another strange bug has arisen recently. When I switched to my machine using a 4:3 monitor but did not log in, the main wiki site went into a sort of "safe mode" where frames were not used and only basic HTML text was used, making the site very difficult to navigate. This went away when I logged in, but I'd like to know if anyone else has experienced this bug.

Spartan198 01-07-2013 03:31 AM

Quote:

Originally Posted by Mazryonh (Post 37439)
Another strange bug has arisen recently. When I switched to my machine using a 4:3 monitor but did not log in, the main wiki site went into a sort of "safe mode" where frames were not used and only basic HTML text was used, making the site very difficult to navigate. This went away when I logged in, but I'd like to know if anyone else has experienced this bug.

That's not a bug, it's the site's default skin.

bunni 01-25-2013 08:37 PM

Quote:

Originally Posted by Mazryonh (Post 37439)
Another strange bug has arisen recently. When I switched to my machine using a 4:3 monitor but did not log in, the main wiki site went into a sort of "safe mode" where frames were not used and only basic HTML text was used, making the site very difficult to navigate. This went away when I logged in, but I'd like to know if anyone else has experienced this bug.

That sounds like the css file wasn't being served - my guess would be that file was unavailable at that moment for whatever reason and instead you were just getting plain html text.

Sergei Titov 02-04-2013 01:16 AM

This is actually concerning me a little.
 
What is the current listing status for imfdb.org?
This site is not currently listed as suspicious.

Part of this site was listed for suspicious activity 2 time(s) over the past 90 days.

What happened when Google visited this site?
Of the 562 pages we tested on the site over the past 90 days, 48 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2013-02-03, and the last time suspicious content was found on this site was on 2012-12-23.
Malicious software includes 1 exploit(s).

Malicious software is hosted on 2 domain(s), including iicl.tk/, rltk.us/.

1 domain(s) appear to be functioning as intermediaries for distributing malware to visitors of this site, including rltk.us/.

This site was hosted on 2 network(s) including AS13335 (CLOUDFLARENET), AS6939 (HURRICANE).

Has this site acted as an intermediary resulting in further distribution of malware?
Over the past 90 days, imfdb.org did not appear to function as an intermediary for the infection of any sites.

Has this site hosted malware?
No, this site has not hosted malicious software over the past 90 days.

bunni 02-05-2013 08:05 PM

Quote:

Originally Posted by Sergei Titov (Post 37863)
What is the current listing status for imfdb.org?
This site is not currently listed as suspicious.

Part of this site was listed for suspicious activity 2 time(s) over the past 90 days.

What happened when Google visited this site?
Of the 562 pages we tested on the site over the past 90 days, 48 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2013-02-03, and the last time suspicious content was found on this site was on 2012-12-23.
Malicious software includes 1 exploit(s).

Malicious software is hosted on 2 domain(s), including iicl.tk/, rltk.us/.

1 domain(s) appear to be functioning as intermediaries for distributing malware to visitors of this site, including rltk.us/.

This site was hosted on 2 network(s) including AS13335 (CLOUDFLARENET), AS6939 (HURRICANE).

Has this site acted as an intermediary resulting in further distribution of malware?
Over the past 90 days, imfdb.org did not appear to function as an intermediary for the infection of any sites.

Has this site hosted malware?
No, this site has not hosted malicious software over the past 90 days.

Yea, it happened again over the weekend. It was the same vector again, an ad from one of our ad providers, openx. Here was their response:

Quote:

There was an incident of malicious ads detected within the OpenX Market during the EST evening last night.
The malicious creatives were caught by monitoring & removed from the system.

This issue would cause a Google alert concerning the malicious domain: ads.zitaholdings.com

If your site was blocked by Google, please login to your Google Webmaster account and request a re-scan of the website in order to have the warnings removed.

I now have a direct contact within openx to report malicious ads.
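
The reasoning used in this thread (malware hosted only on outside domains, plus a "No" under "Has this site hosted malware?", points at third-party content such as an ad rather than a compromised server) can be applied mechanically to the diagnostic text quoted above. This is an added example, not code from any poster or from Google; the function names and verdict strings are hypothetical, and the parser assumes only the sentence shapes visible in the quoted reports.

```python
import re

# Excerpt of the Safe Browsing diagnostic for imfdb.org, as quoted in this thread.
REPORT = """What is the current listing status for imfdb.org?
This site is not currently listed as suspicious.
Of the 562 pages we tested on the site over the past 90 days, 48 page(s) resulted in malicious software being downloaded and installed without user consent.
Malicious software is hosted on 2 domain(s), including iicl.tk/, rltk.us/.
1 domain(s) appear to be functioning as intermediaries for distributing malware to visitors of this site, including rltk.us/.
Has this site hosted malware?
No, this site has not hosted malicious software over the past 90 days.
"""

def _domains(text, marker):
    """Domains listed after 'including' in the sentence that contains marker."""
    m = re.search(marker + r".*?including (.+?)\.\s*$", text, re.M)
    return [d.strip().rstrip("/").lower() for d in m.group(1).split(",")] if m else []

def parse_report(text):
    site = re.search(r"listing status for (\S+?)\?", text)
    pages = re.search(r"Of the (\d+) pages .*?, (\d+) page\(s\)", text)
    hosted = re.search(r"Has this site hosted malware\?\s*(\S.*)", text)
    return {
        "site": site.group(1).lower() if site else None,
        "tested": int(pages.group(1)) if pages else None,
        "flagged": int(pages.group(2)) if pages else None,
        "malware_domains": _domains(text, "Malicious software is hosted on"),
        "intermediaries": _domains(text, "functioning as intermediaries"),
        # Only the "No, ..." answer appears on the page; anything else counts as hosted.
        "site_hosted_malware": (not hosted.group(1).startswith("No")) if hosted else None,
    }

def is_first_party(domain, site):
    site = site[4:] if site.startswith("www.") else site
    return bool(site) and (domain == site or domain.endswith("." + site))

def triage(report):
    """Verdict strings are hypothetical labels for where to look first."""
    site = report["site"] or ""
    seen = report["malware_domains"] + report["intermediaries"]
    if report["site_hosted_malware"] or any(is_first_party(d, site) for d in seen):
        return "check-server"               # payload served from the site itself
    if seen:
        return "check-third-party-content"  # e.g. ad tags, embedded widgets
    return "no-findings"

if __name__ == "__main__":
    print(triage(parse_report(REPORT)))
```

A report that lacks the "Has this site hosted malware?" section is treated as not confirming local hosting, so the verdict then rests on the listed domains alone.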

