FAO NEAL: Reported Attack Site? Anyone else getting this too?

[Task Force]

Oah, and I figured id say im getting it with FF also...

Quote:

Originally Posted by the_tyrant

A few ideas:
Why does Subsim have an FTP server that allows anonymous connections?
Google says that subsim is linked to reported attack sites, who or what linked it?

I think It might be from people reporting the virus alert they were getting, I believe it had something to do with the ads, and google may have put it in as a site that will give you a virus.

my best guess.

[SeaWolf U-57]

Quote:

Originally Posted by Molon Labe

How long ago was that? If it wasn't yesterday, then you're right, it's not funny.

It's not funny because potential members/users are being scared away from a great community and sim resource because of a mistake. It's not funny because Neal is being impugned as a purveyor of viruses.

If the posts about this problem had not been merged and certain posts within the original threads left out you would know when the threats were on site.
And as for “It's not funny because potential members/users are being scared away from a great community and sim resource because of a mistake.” What Mistake are you talking about read my post again there was no mistake the threat was real and for some who will not find out about this until they start getting return e-mails that they have not sent or worse then lets see how much of a mistake they think it is also.

[Molon Labe]

Quote:

Originally Posted by SeaWolf U-57

If the posts about this problem had not been merged and certain posts within the original threads left out you would know when the threats were on site.
And as for “It's not funny because potential members/users are being scared away from a great community and sim resource because of a mistake.” What Mistake are you talking about read my post again there was no mistake the threat was real and for some who will not find out about this until they start getting return e-mails that they have not sent or worse then lets see how much of a mistake they think it is also.

If you're going to respond to me, then answer the direct question. Why are you punting because of thread merging?

The rest of your response, and any further response on my part, are meaningless unless you answer that first, since my calling Google/badaware's action is conditioned on the actual attack not taking place yesterday.

[the_tyrant]

somehow, i think this is linked to the problem:http://www.esecurityplanet.com/patch...41/article.htm

[DarkFish]

Quote:

Originally Posted by the_tyrant

somehow, i think this is linked to the problem:http://www.esecurityplanet.com/patch...41/article.htm

Could be.
But IIRC, the last time before today that my FF updated itself was several days ago, well before the problems started (for me the problems at subsim started the day before yesterday).

[FIREWALL]

I kinda feel left out. I haven;t had a warning or any kind of problem.

SubSim works as advertised. Trouble Free for Me.

[MaddogK]

Just to add, been getting these warnings all day, and about 10 AM CST lost ALL comms with subsim.com even tho I was still getting warning messages. Couldn't get a ping response either. I suspect I may have an ISP block to this site as I don't have this problem (other than the warnings) using my backup account from a different ISP. Also strange 2 different versions (3.6.10 and 3.6.8) of FF and BOTH started with this warning today, neither have been updated in recently. Another reason to hate google.

Least I know the site isn't down.

[the_tyrant]

I am pretty sure that this has already been done, but just to be sure:http://www.google.com/support/webmas...?answer=168328

[K-61]

I've also been getting messages from my Norton 360 that it has blocked an attempt to attack my computer a number of times when I first log in to Subsim. Just now I received another warning, but it doesn't happen every time, just now and then. I've used a number of tools to perform repeated scans on my system and nothing has been found; as well, my system is not exhibiting any behaviour to lead me to believe it has been infected: no pop ups, no slowness, no unexplained hard drive lights, etc.

[Lane]

Signed on to the forum tonight with Firefox 3.6.11.
No warning message. about the web site.

I did upgrade my free AVG Last night to Ver 2011.
but I don't think AVG was the problem.
I am glad the warning message is gone guess Neal fixed it?

Thanks to the person that fixed the problem.

Lane

[frau kaleun]

Quote:

Originally Posted by K-61

I've also been getting messages from my Norton 360 that it has blocked an attempt to attack my computer a number of times when I first log in to Subsim.

FWIW, I've got Norton 360 too, but so far no alerts of any kind. None at work either and I've got the free AVG software on that machine.

If I do a Google search for "subsim" all the links that come up are rated 100% safe by Norton Site Safety, with no identified threats of any kind.

I just upgraded the AVG on the work machine this week and did a full system scan in the process which found nothing. This computer gets scanned regularly as well and nothing bad has shown up.

I use IE8 on both machines.

[August]

I'm still getting the warning when I re-check "Block reported attack sites" in firefox security settings.

[Onkel Neal]

Quote:

Originally Posted by SeaWolf U-57

Lets not forget that there was an original threat containing Trojans and some other type of nasty just because it was not seen by everyone is not the issue.
To prove what was happening when I view Subsim main page I click yes to install the items to gain screen shots of what happened.
I will tell you what happened my computer started sending out information of which I have no idea and I had to pull the connection.
I then tried to remove what had been installed and then my computer froze up so a total re-install needed. So I am glad that the site has no problems now but it did have
if Neal managed to remove the nasty from the code or whoever placed it in the site realized he had been found out and removed it no one knows it seems.
So now some of you are seeing warnings a little late yes but would you not rather be warned then to go through what I had to do.
So just go on amusing yourselves about this for some it was not so funny

Seawolf, so far I have not been able to determine there ever was any trojans on the Subsim server. You may think there was, with your free AV system warning you, but that and $1 will buy a cup of coffee.

There may have been some problems with the Google ads being served (becoming more common, read this for more), I removed the ads from the forum.

Yes, a few people had AV warnings, but that does not prove anything, AVs often have false alarms. I checked the server and files, The Planet checked the server and files, and Admin Geeks checked the server and file--nothing has been discovered.

With the current Firefox/Chrome alerts, I have had the Planet Advance Support team check everything again. Still, nothing malicious has been found:

Quote:

Hello Neal,

I've scoured your site and I can't find any malicious activity. I've searched through all of your files and sql database tables looking for references to those malicious domains but so far haven't found any (other than the forum posts referencing the google warning). Also, of the handful of files that were modified on the 18th none of them seem malicious.

root@server2 [/home/subsimc/public_html]# find . -mtime -2 -print
.
./mods1/sailorsteve/.ftpquota
./mods1/serg/.ftpquota
./mods1/keltos/.ftpquota
./nucleus/error_log
./radioroom
./radioroom/error_log
./radioroom/downloads
./radioroom/downloads/26665-Ui-Boat V2.2.7z
./radioroom/downloads/ec_tmp
./radioroom/downloads/65946-IO_Fix_StrategicMap_for_Ui-Boat V2.2.rar
./radioroom/includes
./radioroom/subsim_forum.sql
./error_log
./googlecec18389fc0e7a38.html
./harpoon
./harpoon/.ftpquota
./harpoon/OldHarpoon3PicResFiles.zip
./harpoon/PlayersDB-ANW [Oct 31].zip
./harpoon/PlayersDB [Oct 31].zip
./_private/_vti_cnf
./_private/_vti_cnf/newsletter.txt
./_private/newsletter.txt
./_vti_pvt/doctodep.btr
./_vti_pvt/deptodoc.btr
./_vti_pvt/linkinfo.btr
./_vti_pvt/service.lck


The last time Google visited this site was on 2010-10-19, and the last time suspicious content was found on this site was on 2010-10-18. So it looks like the actual exploits are gone from your server. Its possible these were posted in a forum post and google just picked them up.

Since I can't find any malicious code your best bet is going to be to contact google to get this warning removed. There is a link in the "next steps" section on that warning page which should provide more detail on how to get your site de-listed.


I hope this helps answer your questions.

So far 30 minutes of admin time have been used on this request.

Christopher Gallo
Advanced Services Senior Systems Admin
www.theplanet.com

If SOMETHING evil had been found by these professionals, they would have fixed it and I would be 100% glad to report this. We could fix it and move on.

I am not saying there is absolutely nothing wrong, just that we cannot find anything wrong. I think the problem originated from Google ads, and some awesome dope reported Subsim as an evil site, and now Google is blacklisting us. Thanks, Google!

I am going to have an independent vBulletin technician check the database and files tomorrow, to double-check the work done by TPAS. Better safe than sorry.

Will report what I find, thanks.
Neal

[Onkel Neal]

Google Webmaster Tools/Diagnostics/Malware

Malware

Google has not detected any malware on this site.

[Onkel Neal]

Search: google ads malware

Quote:

While researching an antivirus article here at Maximum PC, we noticed something very curious: a Google AdWords link
0diggsdigg

called “Antivirus xp 2008,” which led to the url “antivirus-world-2009.com.” (Don't go there)
Anyone who’s been paying attention during the last year or so know that "Antivirus xp 2008" is the name of one of the most widespread and obnoxious bits of malware floating around the internet. It hides itself in your system and launches a bogus antivirus program at intervals to warn you that you’ve got spyware and trojans and the sky is falling. Then, it recommends that you buy the pro version of the program, which presumably also does nothing except rip you off. The virus is frequently updated to evade malware removal tools, and is just generally a pain.




So why is Google advertising for it? It’s not exactly tough to figure out that the site is hosting the virus; the link is called “antivirus xp 2008” after all. Well, maybe we should say that it’s not tough for users like us to figure out that it’s a virus—we suspect that less-experienced surfers (our moms, for instance) could very easily be duped into clicking the link, particularly if they were already searching for antivirus software.

And there’s reason to believe that Google knows the site hosts malware. We know that Google purges so-called “attack sites” from its index, and when we searched for “site: antivirus-world-2009.com,” which ought to turn up all pages at that domain indexed by Google, we got zero results. This isn’t conclusive, of course; there are other reasons that a site might not be indexed by Google, but it is suspicious. Malware-hosting sites are generally designed to try to climb to the top of the Google results page, and it’s probably safe to assume that a site that advertises with Google would be search-savvy enough to get its page indexed, if it weren’t blacklisted.

http://www.maximumpc.com/article/new..._malware_sites