FAO NEAL: Reported Attack Site? Anyone else getting this too?


ajrimmer42
10-18-10, 01:32 PM
Using Firefox as I always do, I've just clicked to come onto Subsim tonight and have been greeted by this:

http://i143.photobucket.com/albums/r131/ajrimmer42/5336cfeb.jpg

Is anyone else getting it?

I can click 'ignore' in the bottom right corner to continue browsing but whenever I click a link it comes up again. Upon clicking 'Why was this page blocked', this comes up:

http://i143.photobucket.com/albums/r131/ajrimmer42/9dcac611.jpg

To stop it all I have to do is change my security settings in FF options, but I thought Neal probably ought to know.

My immediate instinct was that this was some sort of malware but it appears to be legit Google stuff, after a bit of searching.

Weird

:hmmm:

Raptor1
10-18-10, 01:33 PM
I'm getting it as well.

CaptainMattJ.
10-18-10, 01:34 PM
me too.

Molon Labe
10-18-10, 01:34 PM
Yes, me too, and it's preventing me from posting with Firefox.

SteamWake
10-18-10, 01:38 PM
WTF does Google have to do with it?

Dowly
10-18-10, 01:39 PM
WTF does Google have to do with it?

Google tests different sites as the diagnostic thingy says.

Oh and yes, having the same problem here. Flagging + not able to post using Firefox.

Raptor1
10-18-10, 01:40 PM
WTF does Google have to do with it?

I believe Firefox automatically uses Google's data for identifying suspicious or infected sites.

I disabled the suspicious site blocking for now, and I can post just fine.

mookiemookie
10-18-10, 01:40 PM
Same here with Chrome.

Oberon
10-18-10, 01:41 PM
Yeah, I had it, got rid of it via Options/Security/'Block reported sites' off.
Not the first time I've seen a site get wrongly blocked, but that's the age we live in I guess.

nikimcbee
10-18-10, 01:42 PM
I think it's the GT forum.

Oberon
10-18-10, 01:42 PM
I think it's the GT forum.

In before Obama :03:

nikimcbee
10-18-10, 01:45 PM
In before Obama :03:
W?
Haliburtoncheneyrumslefeldpalin?
klinton?
ol' gordy brown?
prince charles?

could be a putin thing, but not putin's thingy!

ajrimmer42
10-18-10, 01:48 PM
Glad it's not just me :DL

HunterICX
10-18-10, 02:03 PM
I'm getting it too now with FF...

My Avast Internet Security stays quiet though.

HunterICX

Takeda Shingen
10-18-10, 02:07 PM
McAfee says okay here.

Méo
10-18-10, 02:09 PM
Yes, me too, and it's preventing me from posting with Firefox.

Exactly the same!! :damn:

Dowly
10-18-10, 02:09 PM
Avast shows clean too. The problem we had some time ago with few people getting trojan warnings has now resulted in Google flagging the site. :-?

AVGWarhawk
10-18-10, 02:20 PM
This is why I use Internet Explorer. Let'in people in and out unencumbered for decades. :up: :O:

Takeda Shingen
10-18-10, 02:21 PM
This is why I use Internet Explorer. Let'in people in and out unencumbered for decades. :up: :O:

:haha:

I was going to say something similar, but didn't want to come off as being smug. You struck the right balance there.

stoppro
10-18-10, 02:24 PM
IE freezes on me too much. Firefox has never done that.

Takeda Shingen
10-18-10, 02:25 PM
IE freezes on me too much. Firefox has never done that.

I can read SubSim on IE. :O:

Joking. Don't take offense.

Tchocky
10-18-10, 02:41 PM
http://www.stopbadware.org/home/reviewinfo


Next step I guess.

Molon Labe
10-18-10, 02:43 PM
Well, the google info site says this:

The last time Google visited this site was on 2010-10-18, and the last time suspicious content was found on this site was on 2010-10-18. Malicious software includes 9 exploit(s), 7 trojan(s). Successful infection resulted in an average of 1 new process(es) on the target machine.
So that's not a report to google, google found something here themselves. I'm thinking someone uploaded something that was infected to the Downloads section. In any case, Neal or another webmaster should probably get in touch with Google and get all the details straight from them. If there are infected files here they probably created a record of that.

stoppro
10-18-10, 02:48 PM
None taken. I sometimes wish I could use it, but the machine I use for the internet is funny about it; the XP computer I've got won't run it at all, it just tells me IE has encountered an error and needs to close. Otherwise the machine runs great, so I just use Firefox instead of screwing with it. The gaming machine in my sig doesn't go on the internet, except for DRM. So with this Firefox problem, you think someone is mad at us?

STEED
10-18-10, 03:13 PM
My Avast blocks a Malware every time I swing by for the last three weeks.

krashkart
10-18-10, 03:59 PM
Just got that page in my Firefox browser too.

It's the lolcats exacting their revenge for us laughing at them every day. Never trust a cat, nor even a picture of a cat... there is a reason they're right under your feet when you turn around. :O:

Garion
10-18-10, 04:22 PM
Yup I have the warnings here too sigh Cheers Garion

Madox58
10-18-10, 04:54 PM
This is why I use Internet Explorer. Let'in people in and out unencumbered for decades. :up: :O:

Well stated.
I'm thinking of all the times I was ragged on for NOT using FireFox and how much better off I'd be if I did.
:hmmm:

To you'se Guys that did all the ragging?
:har:
Whatcha got to say now?
:smug:

krashkart
10-18-10, 05:04 PM
I don't think it really matters which browser we use, sooner or later it will be compromised. Welcome to the internets. :rotfl2:

Castout
10-18-10, 05:08 PM
Well, the google info site says this:


So that's not a report to google, google found something here themselves. I'm thinking someone uploaded something that was infected to the Downloads section. In any case, Neal or another webmaster should probably get in touch with Google and get all the details straight from them. If there are infected files here they probably created a record of that.

Could be anything, heck, even some hacker who exploited a web weakness. My own blog, for example, once and just once, tried to download a virus when I was logged in to it. :nope:
A more popular political blog, on the other hand, suffered from more hacker attacks which tried to steal email passwords and login details when one tried to comment on it. It wasn't the blog owner's fault, nor was it the blog site's fault. Some hackers must be the one(s) to put the malware (clickjacking attempt) in it.

I have two AVs which have never reported anything suspicious when I logged in to Subsim.

I hope this will not discourage the teenager or kids out there who are regular visitors to the forum.

darius359au
10-18-10, 05:21 PM
Same issue here ,had to use IE to post

Madox58
10-18-10, 05:23 PM
I'm not an average Internet user.
Opened and ran my own ISP way back in '94.
(The first dial-up provider in 2 counties where I live.)
Sold that then did Networks for all the Lawyers and Court systems here.
I've also Beta tested every version of Windows since 98

I am seeing NO problems at all with IE8.
Then again maybe my Router is catching them.
It's not your average Wal-Mart router.
:03:

Castout
10-18-10, 05:49 PM
Same issue here ,had to use IE to post

Just need to uncheck blocking attack sites from firefox security setting then you're good to go ;)

TLAM Strike
10-18-10, 05:51 PM
Got the same problem with firefox. :down:

Disabled the blocker in the tools... not happy about leaving that open... :x

tater
10-18-10, 05:52 PM
It's doing the same on my PC, and my mac (firefox, and safari).

Carotio
10-18-10, 06:04 PM
I got the exact same message now too.
Normally using FireFox 3.6, with AVG antivirus and Comodo IS as firewall. For FF, I have further two plugins: *******Plus and NoScript, however for subsim I have it all allowed in NoScript.
Now, I have logged in through IE...

I'm thinking someone uploaded something that was infected to the Downloads section. In any case, Neal or another webmaster should probably get in touch with Google and get all the details straight from them. If there are infected files here they probably created a record of that.

I have wondered too whether this could be a reason.:hmmm:

nikimcbee
10-18-10, 06:08 PM
AVG says subsim is ok. Don't forget last year, when norton thought windows xp was a virus:haha:

It must be dowly's sig

Dowly
10-18-10, 06:09 PM
Neal has had people check the server for infected files twice I believe in the past month or so and they found nothing.

Castout
10-18-10, 06:18 PM
So nikimcbee must be true. It must be your sig, Dowly! :haha:

Or Google flagged Subsim because it thinks we're, or the hobby's, infectious... damn you Google.

Dowly
10-18-10, 06:25 PM
My sig stays. :stare:

the_tyrant
10-18-10, 06:31 PM
What happened when Google visited this site?
Of the 407 pages we tested on the site over the past 90 days, 15 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2010-10-18, and the last time suspicious content was found on this site was on 2010-10-18.
Malicious software includes 10 exploit(s), 8 trojan(s). Successful infection resulted in an average of 1 new process(es) on the target machine.

Malicious software is hosted on 5 domain(s), including tyqudaf.co.cc/, rrcch.com/, vifyxoq.co.cc/.

This site was hosted on 1 network(s) including AS21844 (THEPLANET).
Ok guys, who did it?
who linked to tyqudaf.co.cc/, rrcch.com/, or vifyxoq.co.cc/?:down:

August
10-18-10, 07:11 PM
I note that it's only the GT page. The Subsim meet page doesn't give that error when visited.

TLAM Strike
10-18-10, 07:13 PM
I note that it's only the GT page. The Subsim meet page doesn't give that error when visited.

I get it on the main directory page.

kiwi_2005
10-18-10, 08:31 PM
Yeah Im getting it with Chrome & Firefox every time now.

IE 8 works though.

Legionary74
10-18-10, 09:30 PM
Chrome says wtfhax... Ill just ignore it

Onkel Neal
10-18-10, 10:10 PM
Seeing how Google is the #1 problem we have with spammer email here, they should clean themselves up first.

I've asked the IT security team to do another sweep.

Reece
10-18-10, 11:00 PM
Hi, for some reason I can't access any subsim forums whilst using firefox, I am currently using IE, this is the warning:
http://i66.photobucket.com/albums/h244/Reecehk/firefoxvirusproblem.jpg
Seems like a virus to me that has affected Firefox, though all other sites seem to be ok! :hmmm:

TLAM Strike
10-18-10, 11:02 PM
Already noted on the GT board... :03:

Neal is working on it.

Sailor Steve
10-18-10, 11:05 PM
Already noted on the GT board... :03:
At least four times, and at least once in other forums. :sunny:

Reece
10-18-10, 11:14 PM
Whew!!:oops::doh: That's a relief, I thought I had a virus, thanks all!!:yeah:

Reece
10-18-10, 11:21 PM
Seems to be only FF on my system, IE works fine, maybe that's just a setting though!:hmmm:

krashkart
10-18-10, 11:40 PM
Seems to be only FF on my system, IE works fine, maybe that's just a setting though!:hmmm:

It is a setting on the Security tab: 'Block reported attack sites'

I unchecked that and haven't had any problems at all with this site. Pretty sure the AV and/or firewall would have thrown a red flag at me but nothing happened there, so I'm trusting that it's just that Subsim is on Google's "Badware" list.

:salute:

WarlordATF
10-19-10, 12:27 AM
This was really messing with me today until i finally said the hell with it and clicked ignore and checked this message. Like Krashkart said i'm sure my AV would have detected if something was really wrong.

Anyway, Glad to be back and i hope this gets straightened out so other users are not kept away because of it. Stupid Google! :down:

Castout
10-19-10, 02:13 AM
The appropriate comment for google . . . .
http://www.youtube.com/watch?v=eKgPY1adc0A

Dowly
10-19-10, 06:40 AM
No point in blaming google. We had few people getting actual trojans not too long ago (check the "java problems and more" thread at Comments to Subsim Review forum), that's probably the reason SS is now flagged.

papa_smurf
10-19-10, 07:12 AM
I had to reset my security settings on Firefox to get here, but as a precaution ran a anti-spyware check. All is well as my firewall/AV software picked up nothing.

It is a setting on the Security tab: 'Block reported attack sites'

Turn it off, and all will be well.

August
10-19-10, 08:20 AM
I wonder if Reported Attack Sites just means that someone, perhaps a disgruntled former poster, is trying to cause trouble?

Raptor1
10-19-10, 08:23 AM
I wonder if Reported Attack Sites just means that someone, perhaps a disgruntled former poster, is trying to cause trouble?

Don't think so, since it's apparently based on data Google collected themselves.

Onkel Neal
10-19-10, 08:30 AM
It probably is. And the original problem was with the Google ads on the site, so it's ironic that Google caused the problem and then reported it.

[501]Otto
10-19-10, 08:43 AM
This is what I get, using Google Chrome browser
http://img156.imageshack.us/img156/6955/problemsus.jpg
Yesterday I was getting just one warning notice when I connected to Subsim, but since this morning it has increased to 2 notices each time I try to access it. Getting worse? :hmmm:

Herr-Berbunch
10-19-10, 08:49 AM
It probably is. And the original problem was with the Google ads on the site, so it's ironic that Google caused the problem and then reported it.

Ironic, but surely not surprising? :hmmm:

Weiss Pinguin
10-19-10, 09:36 AM
Got the message this morning as well, gawd it was annoying trying to navigate with 'REPORTED ATTACK SITE' popping up with every new page :shifty:

CCIP
10-19-10, 09:39 AM
Oddly enough, I've had nothing at all here - no warnings or anything. Using Chrome.

Yosarian
10-19-10, 10:56 AM
Only the forum site is blocked, http://www.subsim.com/index.php itself not!

Spike88
10-19-10, 11:25 AM
Interesting. I can use General Games without a problem, but this thread and the main forum are Reported Attack sites.

Onkel Neal
10-19-10, 11:26 AM
That's reassuring. I am contracting vBulletin to check the database again.

I only had a little time to research "Reported Attack Sites", http://www.searchenginejournal.com/yes-youre-an-attack-site-that-contains-malware-now-heres-what-to-do-about-it/10035/


Someone suggested that a previous user here could be behind this, as a result of being banned, he may be engineering a malicious attack on Subsim. Hopefully the DBA will find a problem in the db and we can fix this, as opposed to fighting some ^&%%*@ who is repeatedly reporting Subsim as a bad place. That would be easier.

Takeda Shingen
10-19-10, 11:43 AM
Someone suggested that a previous user here could be behind this, as a result of being banned, he may be engineering a malicious attack on Subsim.

I was afraid of this too. Hopefully it is a problem with the database.

Onkel Neal
10-19-10, 11:49 AM
I've changed the Ironclads banner link to a google search result for Totem games, instead of a link to Totem games, as a temporary measure. I will contact Maxim and suggest he set up an alternate host, at least for US and non-Russian visitors.

Spike88
10-19-10, 11:51 AM
Just some follow up, I'm only getting the reported attacked site if I use the link in the Announcement, otherwise I can now browse everything without a problem.

TLAM Strike
10-19-10, 11:57 AM
Just some follow up, I'm only getting the reported attacked site if I use the link in the Announcement, otherwise I can now browse everything without a problem.


Interesting, I'm still getting it on all pages viewed... :x

Marka Ragnos
10-19-10, 11:57 AM
I get the error when I click on Subsim forums on the homepage; knowing this site is safe, I clicked continue anyway...

New visitors may not feel the same :(

Usually it's a bad link in a banner or an attack, usually it's the first.

Onkel Neal
10-19-10, 11:59 AM
Just some follow up, I'm only getting the reported attacked site if I use the link in the Announcement, otherwise I can now browse everything without a problem.


Eh, you only get it when you visit this page?
http://www.subsim.com/radioroom/announcement.php?f=175

Dowly
10-19-10, 12:04 PM
Getting it everywhere on the forum.

ajrimmer42
10-19-10, 12:14 PM
Yeah I'm still getting it everywhere with Firefox

mookiemookie
10-19-10, 12:15 PM
Getting it everywhere on the forum.

As am I with Chrome.

Spike88
10-19-10, 12:27 PM
Eh, you only get it when you visit this page?
http://www.subsim.com/radioroom/announcement.php?f=175


Now I'm getting it when I click that link. Before I was getting it when I clicked on the link in the announcement for this topic.

Edit: Odd, I can go anywhere without problems when I go through the normal methods. But if i go via links Neal posted, I get the report.

Edit2: Lemme test a normal link: http://subsim.com/radioroom/showthread.php?t=155379


Edit3: Yeah, I only get the error when clicking on links Neal posted.

The Third Man
10-19-10, 12:38 PM
I get this message...............

Cannot display the page

The page you are trying to view has an incorrect address and cannot be displayed. Please try another page.

SeaWolf U-57
10-19-10, 12:44 PM
All I see in this thread is flag messages from your browsers.
The original problem was attempted Trojan infections that my antivirus software picked up (see the other thread to name them).
There is no threat in a flag message; it's just an advisory message placed in your browser.
I have seen no threat message or had any attack blocked from this site for weeks, so is it not the case of Google closing the barn door after the horse has bolted?
Surely all that needs reporting would be any attacks that your antivirus reports to you, because at this time the site itself seems clean :hmmm:

Magic1111
10-19-10, 01:54 PM
The Users in our german ubi-Forum reported the same problems with SubSim: http://forums-de.ubi.com/eve/forums/a/tpc/f/2371008762/m/9151040888

All have with FireFox (and other Browsers) the Virus warning !

Best regards,
Magic

Takeda Shingen
10-19-10, 02:15 PM
It may take some time to see results from Google.

Seeadler
10-19-10, 02:28 PM
the owner of a blacklisted website by Google can request a review to remove the site from the list
see here: http://www.stopbadware.org/home/reviewinfo

krashkart
10-19-10, 02:30 PM
It may take some time to see results from Google.

More than likely. Subsim was flagged from a scan that was performed in the last ninety days. No specifics are given as to when the scan was performed or how long it took for those results to filter down to the Badware site that Firefox users are being redirected to.

Kinda frustrating knowing that this site is superb and yet ended up on a list. (Imma fanboy, so sue me :P) Out of curiosity I visited the forums in IE, which has a website inspector plugin from CA installed, and it's not blacklisted in the results they're using. So at least there's that bit of good news. :)

spike12
10-19-10, 03:01 PM
Kept getting it on my Firefox too. :damn: So I said to myself "Ahh screw it!" and had it uninstalled until they (Firefox, Google) fix this little screw-up. Til then, I'm using Explorer.

Raptor1
10-19-10, 03:09 PM
Kept getting it on my Firefox too. :damn: So I said to myself "Ahh screw it!" and had it uninstalled until they (Firefox, Google) fix this little screw-up. Til then, I'm using Explorer.

You can just disable it in Firefox's settings...

CCIP
10-19-10, 03:10 PM
...and I am still yet to get any warnings. I'm almost disappointed, like I'm missing out on something :stare:

ggregoro
10-19-10, 03:50 PM
FYI - Google Chrome shows the following message. This just started happening today for me and only when I attempt to access any of the forums.
http://www.subsim.com/radioroom/picture.php?albumid=196&pictureid=3144

geetrue
10-19-10, 03:52 PM
Finally I got in ... through Spikes back door link

FF is so much better than IE I hope this is just temporary.

Yes, I went to FF security to see what I could do even though I hate having to read everything a copy writer writes just to solve a problem.

I feel sorry for new people being turned away.

Can Neal sue?

longam
10-19-10, 04:11 PM
It was bad enough getting your mail server blacklisted, now websites? And I was worried about the government taking over the internet....

This only reminds me never to install anything from Google.

Hydra
10-19-10, 08:44 PM
I'm getting it with Firefox. What can be done besides disabling alert warning?

Lane
10-19-10, 09:53 PM
Same here I am getting warning using Firefox 3.6.11.

No problem using E.I. Version 8, which I am using.

Used Safety > SmartScreen Filter; it shows no problem.
And I have an AVG toolbar with a website checker and it says it's safe.
I guess if I want to keep using Firefox I will disable attack sites :down:
Just makes me a little nervous seeing the warning.

Lane

Scion
10-19-10, 10:44 PM
Long time since my last post here!

I too am receiving the warnings, using Chromium 6.0.472.62 & Ubuntu 10.04. Link to diagnostic page (http://safebrowsing.clients.google.com/safebrowsing/diagnostic?site=http://www.subsim.com/radioroom/showthread.php%3Ft%3D176196&client=chromium&hl=en-US)

DarkFish
10-20-10, 03:17 AM
There are something like 4 different threads about this now:hmmm: Maybe one of the moderators can merge them?

I might have found one cause of the problem, can other people confirm this? See this (http://subsim.com/radioroom/showpost.php?p=1518072&postcount=5) post of mine in one of the other threads.
Basically it says that if my browser loads an image of which the url starts with "subsim.com/radioroom/" (e.g. http://www.subsim.com/radioroom/images/TotemGames_Ironclads_banner_468x60.png), my AV goes nuts.

Yosarian
10-20-10, 06:35 AM
I'm getting it with Firefox.

The warning page appears only with browsers which use the Google Safe Browsing API.

to learn more about Google Safe Browsing API:
http://code.google.com/intl/de-DE/apis/safebrowsing/


What can be done besides disabling alert warning?
Google's web robots check the contents of web pages, and if they find a site which distributes suspected malware or spyware code, e.g. through banner ads, active web 2.0 scripts, active content in postings or signature links/pictures, then this site goes on Google's blacklist.

After a certain time, the Google web robots examine the websites on their blacklist again, and if they no longer find suspicious code on the site, they put this website on the whitelist.

To speed up this process, an affected website owner who has cleaned his website and removed the suspicious code can request a review of his website through the Google Webmaster Tools.
http://www.google.com/support/webmasters/bin/answer.py?answer=163633

Onkel Neal
10-20-10, 08:38 AM
This is such bs, google reports a problem and says


If your site has been infected with malware, check the Malware page in Webmaster Tools. (On the site dashboard, click Diagnostics and then click Malware.) This page lists sample URLs from your site that have been identified as containing malicious code. Sometimes hackers will add new URLs to your site for their nefarious purposes (for example, phishing).


But when I check that part of the dashboard, there are zero issues or pages listed.


There is a line on the Google page that says
Please review StopBadware.org's Security Tips for Websites (http://www.stopbadware.org/home/security) and make any necessary changes to your site. When you have cleaned your site, you can request a review, and we'll evaluate your site.


When I check that fly-by-night outfit, I get


You searched for items containing the term 'subsim.com' there are 0 results.

You searched for items containing the term 'subsim.com/radioroom/ ' there are 0 results.


Awesome.

SteamWake
10-20-10, 09:08 AM
I'll bet that this is some sort of ploy to get you to buy some sort of 'security' software.

Like those web pages that warn you have dozens of viruses (that they put there). ;)

CaptainMattJ.
10-20-10, 12:33 PM
open up FF go to tools > options > security > uncheck "Tell me if this site is an attack site" and click ok.

Clean and simple

Takeda Shingen
10-20-10, 12:39 PM
I'll bet that this is some sort of ploy to get you to buy some sort of 'security' software.

Like those web pages that warn you have dozens of viruses (that they put there). ;)

Ah, the new protection racket.

DarkFish
10-20-10, 12:57 PM
open up FF go to tools > options > security > uncheck "Tell me if this site is an attack site" and click ok.

Clean and simple

Ehm, all fine and well, but that isn't a solution to the problem. It's a workaround at the very most.

CaptainMattJ.
10-20-10, 12:58 PM
Ehm, all fine and well, but that isn't a solution to the problem. It's a workaround at the very most.
it got the job done, so who cares what classification it is.

Molon Labe
10-20-10, 01:33 PM
Defamation lawsuit time!

SeaWolf U-57
10-20-10, 01:45 PM
Lets not forget that there was an original threat containing Trojans and some other type of nasty just because it was not seen by everyone is not the issue.
To prove what was happening when I view Subsim main page I click yes to install the items to gain screen shots of what happened.
I will tell you what happened my computer started sending out information of which I have no idea and I had to pull the connection.
I then tried to remove what had been installed and then my computer froze up so a total re-install needed. So I am glad that the site has no problems now but it did have
if Neal managed to remove the nasty from the code or whoever placed it in the site realized he had been found out and removed it no one knows it seems.
So now some of you are seeing warnings a little late yes but would you not rather be warned then to go through what I had to do.
So just go on amusing yourselves about this for some it was not so funny

DarkFish
10-20-10, 01:59 PM
it got the job done, so who cares what classification it is.

Yeah, but you can't expect every single one of the 55,000 members to tweak their firefox. It's absolutely great that you've solved the problem for yourself, and I'm really happy for you, but there are people who are not so adept at computers as yourself, or who simply don't read this particular thread, and thus stick with all the problems.

The "solution" you gave is not a solution. It's a workaround. It doesn't get rid of the problems, it only hides them.

polyfiller
10-20-10, 02:38 PM
Just to add my experience and some structure to the reporting of this issue:

Browser Used : IE V 8.0.6001.18702
Antivirus Used : Avira
Browser protection : IE settings + Spybot S&D

Error / attack reported by : Avira

Message : Threat detected in two temporary internet explorer files (can't repeat just now, will post message when I do). One talked about windows_securitycheck.exe in the temporary internet files folder.

Link Error encountered from : Multiple;

http://www.subsim.com/radioroom/index.php and
http://www.subsim.com/radioroom/forumdisplay.php?f=234

Error occurs each time link is used : NO

Action taken : selected deny access and delete from the Avira pop window and continued to browse the pages.

Now given the above, and other posts I think we can deduce;

1) Issue is NOT isolated to Firefox therefore ...
2) There is an issue (maybe attack, maybe false positive) with content delivered when clicking the links.
3) Given the post above about cleaning up a computer after impact and my own experiences with a windows security check type attack earlier this year (did not have to re-install, but by golly it took some cleaning up)... I do not intend to test and allow the suspected threat files to execute.
4) OK, because we do not know whether or not this is a false positive or a seriously malicious package, I think anyone who is turning down their FF security levels to access the site and who is not getting any additional protection / popup messages may be sailing a little too close to the wind.... It may therefore be prudent to run some additional malware / antivirus scans on your machines.

On the basis of some experience in this space, and the fact the attack does not appear each time a link is selected, it is unlikely to be the core message board content or code. Not many attacks embed themselves in the message board code without attacking every time a link is selected. My best guess here is an advertising link where the advertiser content is infected. I reckon it's just a case of figuring which one.
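
An added illustration, not part of the thread and not Subsim's or Google's code, of the step polyfiller and Yosarian describe: working out which banner, script, frame or embedded picture on a page pulls in third-party content. The sample HTML, the `.example` host names and the `flagged` list are constructed placeholders; a webmaster would feed in a saved copy of the real page and the domains named on the diagnostic page.

```python
from collections import defaultdict
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Tag -> attribute that makes the browser fetch from, or navigate to, a URL.
URL_ATTRS = {"script": "src", "iframe": "src", "img": "src", "embed": "src",
             "object": "data", "link": "href", "a": "href"}
# Tags whose target is fetched on page load, without any click by the visitor.
AUTO_LOADED = {"script", "iframe", "img", "embed", "object", "link"}


def same_site(host, site_host):
    """True if host is the site itself or one of its subdomains."""
    site = site_host.lower()
    if site.startswith("www."):
        site = site[4:]
    host = host.lower()
    return host == site or host.endswith("." + site)


class ExternalRefs(HTMLParser):
    """Collects every off-site host referenced by a page, per tag type."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.site_host = urlparse(page_url).hostname or ""
        self.refs = defaultdict(set)          # host -> {tag, ...}

    def handle_starttag(self, tag, attrs):
        attr = URL_ATTRS.get(tag)
        value = dict(attrs).get(attr) if attr else None
        if not value:
            return
        try:
            # Resolve relative and protocol-relative ("//host/...") URLs.
            host = urlparse(urljoin(self.page_url, value)).hostname
        except ValueError:                    # malformed URL in the markup
            return
        if host and not same_site(host, self.site_host):
            self.refs[host.lower()].add(tag)


def audit(html, page_url, flagged=()):
    """Return external hosts, flagged ones first, then auto-loaded ones."""
    parser = ExternalRefs(page_url)
    parser.feed(html)
    bad = {d.lower().strip("/") for d in flagged}
    report = []
    for host, tags in parser.refs.items():
        report.append({
            "host": host,
            "tags": sorted(tags),
            "auto_loaded": bool(tags & AUTO_LOADED),
            "flagged": any(host == d or host.endswith("." + d) for d in bad),
        })
    report.sort(key=lambda r: (not r["flagged"], not r["auto_loaded"], r["host"]))
    return report


# Constructed sample: a forum page with an ad script, a banner link,
# a hidden frame and a hot-linked signature picture.
SAMPLE_PAGE_URL = "http://forum.example/radioroom/index.php"
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="/radioroom/style.css">
<script src="http://ads.adnetwork.example/show.js"></script>
</head><body>
<a href="http://publisher.example/"><img src="images/banner_468x60.png"></a>
<iframe src="//cdn.badhost.example/frame.html" width="1" height="1"></iframe>
<img src="http://images.imagehost.example/sig/user42.jpg">
<a href="showthread.php?t=1">thread</a>
</body></html>
"""
SAMPLE_FLAGGED = ["badhost.example/"]         # placeholder for listed domains

if __name__ == "__main__":
    for row in audit(SAMPLE_HTML, SAMPLE_PAGE_URL, SAMPLE_FLAGGED):
        print(row)
```

Hosts that are both flagged and auto-loaded are the first place to look, since they reach every visitor without a click; plain `a` links only matter when followed.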

Molon Labe
10-20-10, 02:42 PM
Lets not forget that there was an original threat containing Trojans and some other type of nasty just because it was not seen by everyone is not the issue.
To prove what was happening when I view Subsim main page I click yes to install the items to gain screen shots of what happened.
I will tell you what happened my computer started sending out information of which I have no idea and I had to pull the connection.
I then tried to remove what had been installed and then my computer froze up so a total re-install needed. So I am glad that the site has no problems now but it did have
if Neal managed to remove the nasty from the code or whoever placed it in the site realized he had been found out and removed it no one knows it seems.
So now some of you are seeing warnings a little late yes but would you not rather be warned then to go through what I had to do.
So just go on amusing yourselves about this for some it was not so funny

How long ago was that? If it wasn't yesterday, then you're right, it's not funny.

It's not funny because potential members/users are being scared away from a great community and sim resource because of a mistake. It's not funny because Neal is being impugned as a purveyor of viruses.

the_tyrant
10-20-10, 02:47 PM
A few ideas:
Why does Subsim have an FTP server that allows anonymous connections?
Google says that subsim is linked to reported attack sites, who or what linked it?

Task Force
10-20-10, 02:55 PM
Oah, and I figured id say im getting it with FF also...


A few ideas:
Why does Subsim have an FTP server that allows anonymous connections?
Google says that subsim is linked to reported attack sites, who or what linked it?


I think It might be from people reporting the virus alert they were getting, I believe it had something to do with the ads, and google may have put it in as a site that will give you a virus.

my best guess.

SeaWolf U-57
10-20-10, 03:00 PM
How long ago was that? If it wasn't yesterday, then you're right, it's not funny.

It's not funny because potential members/users are being scared away from a great community and sim resource because of a mistake. It's not funny because Neal is being impugned as a purveyor of viruses.

If the posts about this problem had not been merged and certain posts within the original threads left out you would know when the threats were on site.
And as for “It's not funny because potential members/users are being scared away from a great community and sim resource because of a mistake.” What Mistake are you talking about read my post again there was no mistake the threat was real and for some who will not find out about this until they start getting return e-mails that they have not sent or worse then lets see how much of a mistake they think it is also. :timeout:

Molon Labe
10-20-10, 06:06 PM
If the posts about this problem had not been merged and certain posts within the original threads left out you would know when the threats were on site.
And as for “It's not funny because potential members/users are being scared away from a great community and sim resource because of a mistake.” What Mistake are you talking about read my post again there was no mistake the threat was real and for some who will not find out about this until they start getting return e-mails that they have not sent or worse then lets see how much of a mistake they think it is also. :timeout:

If you're going to respond to me, then answer the direct question. Why are you punting because of thread merging?

The rest of your response, and any further response on my part, are meaningless unless you answer that first, since my calling Google/badaware's action is conditioned on the actual attack not taking place yesterday.

the_tyrant
10-20-10, 06:36 PM
Somehow, I think this is linked to the problem: http://www.esecurityplanet.com/patches/article.php/3909141/article.htm

DarkFish
10-20-10, 06:41 PM
Somehow, I think this is linked to the problem: http://www.esecurityplanet.com/patches/article.php/3909141/article.htm

Could be.
But IIRC, the last time before today that my FF updated itself was several days ago, well before the problems started (for me the problems at subsim started the day before yesterday).

FIREWALL
10-20-10, 06:44 PM
I kinda feel left out. :cry: I haven't had a warning or any kind of problem.

SubSim works as advertised. Trouble Free for Me. :)

MaddogK
10-20-10, 07:02 PM
Just to add, been getting these warnings all day, and about 10 AM CST lost ALL comms with subsim.com even tho I was still getting warning messages. Couldn't get a ping response either. I suspect I may have an ISP block to this site as I don't have this problem (other than the warnings) using my backup account from a different ISP. Also strange: 2 different versions (3.6.10 and 3.6.8) of FF and BOTH started with this warning today; neither has been updated recently. Another reason to hate Google.

Least I know the site isn't down.

the_tyrant
10-20-10, 07:17 PM
I am pretty sure that this has already been done, but just to be sure: http://www.google.com/support/webmasters/bin/answer.py?answer=168328

K-61
10-20-10, 09:25 PM
I've also been getting messages from my Norton 360 that it has blocked an attempt to attack my computer a number of times when I first log in to Subsim. Just now I received another warning, but it doesn't happen every time, just now and then. I've used a number of tools to perform repeated scans on my system and nothing has been found; as well, my system is not exhibiting any behaviour to lead me to believe it has been infected: no pop ups, no slowness, no unexplained hard drive lights, etc.

Lane
10-20-10, 09:31 PM
Signed on to the forum tonight with Firefox 3.6.11.
No warning message about the web site.

I did upgrade my free AVG last night to Ver 2011,
but I don't think AVG was the problem.
I am glad the warning message is gone, guess Neal fixed it?

Thanks to the person that fixed the problem.

Lane:)

frau kaleun
10-20-10, 10:16 PM
I've also been getting messages from my Norton 360 that it has blocked an attempt to attack my computer a number of times when I first log in to Subsim.

FWIW, I've got Norton 360 too, but so far no alerts of any kind. None at work either and I've got the free AVG software on that machine.

If I do a Google search for "subsim" all the links that come up are rated 100% safe by Norton Site Safety, with no identified threats of any kind.

I just upgraded the AVG on the work machine this week and did a full system scan in the process which found nothing. This computer gets scanned regularly as well and nothing bad has shown up.

I use IE8 on both machines.

August
10-20-10, 10:41 PM
I'm still getting the warning when I re-check "Block reported attack sites" in firefox security settings. :hmmm:

Onkel Neal
10-20-10, 10:50 PM
Let's not forget that there was an original threat containing Trojans and some other type of nasty; just because it was not seen by everyone is not the issue.
To prove what was happening when I view Subsim main page, I click yes to install the items to gain screenshots of what happened.
I will tell you what happened: my computer started sending out information of which I have no idea, and I had to pull the connection.
I then tried to remove what had been installed and then my computer froze up, so a total re-install needed. So I am glad that the site has no problems now, but it did have.
If Neal managed to remove the nasty from the code, or whoever placed it in the site realized he had been found out and removed it, no one knows, it seems.
So now some of you are seeing warnings, a little late, yes, but would you not rather be warned than go through what I had to do?
So just go on amusing yourselves about this; for some it was not so funny.


Seawolf, so far I have not been able to determine there ever were any trojans on the Subsim server. You may think there was, with your free AV system warning you, but that and $1 will buy a cup of coffee.

There may have been some problems with the Google ads being served (becoming more common, read this for more (http://news.cnet.com/8301-27080_3-20000898-245.html)), I removed the ads from the forum.

Yes, a few people had AV warnings, but that does not prove anything, AVs often have false alarms. I checked the server and files, The Planet checked the server and files, and Admin Geeks checked the server and file--nothing has been discovered.

With the current Firefox/Chrome alerts, I have had the Planet Advance Support team check everything again. Still, nothing malicious has been found:
Hello Neal,

I've scoured your site and I can't find any malicious activity. I've searched through all of your files and sql database tables looking for references to those malicious domains but so far haven't found any (other than the forum posts referencing the google warning). Also, of the handful of files that were modified on the 18th none of them seem malicious.

root@server2 [/home/subsimc/public_html]# find . -mtime -2 -print
.
./mods1/sailorsteve/.ftpquota
./mods1/serg/.ftpquota
./mods1/keltos/.ftpquota
./nucleus/error_log
./radioroom
./radioroom/error_log
./radioroom/downloads
./radioroom/downloads/26665-Ui-Boat V2.2.7z
./radioroom/downloads/ec_tmp
./radioroom/downloads/65946-IO_Fix_StrategicMap_for_Ui-Boat V2.2.rar
./radioroom/includes
./radioroom/subsim_forum.sql
./error_log
./googlecec18389fc0e7a38.html
./harpoon
./harpoon/.ftpquota
./harpoon/OldHarpoon3PicResFiles.zip
./harpoon/PlayersDB-ANW [Oct 31].zip
./harpoon/PlayersDB [Oct 31].zip
./_private/_vti_cnf
./_private/_vti_cnf/newsletter.txt
./_private/newsletter.txt
./_vti_pvt/doctodep.btr
./_vti_pvt/deptodoc.btr
./_vti_pvt/linkinfo.btr
./_vti_pvt/service.lck


The last time Google visited this site was on 2010-10-19, and the last time suspicious content was found on this site was on 2010-10-18. So it looks like the actual exploits are gone from your server. It's possible these were posted in a forum post and Google just picked them up.

Since I can't find any malicious code, your best bet is going to be to contact Google to get this warning removed. There is a link in the "next steps" section on that warning page which should provide more detail on how to get your site de-listed.


I hope this helps answer your questions.

So far 30 minutes of admin time have been used on this request.

Christopher Gallo
Advanced Services Senior Systems Admin
www.theplanet.com (http://www.theplanet.com)

If SOMETHING evil had been found by these professionals, they would have fixed it and I would be 100% glad to report this. We could fix it and move on.

I am not saying there is absolutely nothing wrong, just that we cannot find anything wrong. I think the problem originated from Google ads, and some awesome dope reported Subsim as an evil site, and now Google is blacklisting us. Thanks, Google!

I am going to have an independent vBulletin technician check the database and files tomorrow, to double-check the work done by TPAS. Better safe than sorry.

Will report what I find, thanks.
Neal

Onkel Neal
10-20-10, 10:55 PM
Google Webmaster Tools/Diagnostics/Malware

Malware

Google has not detected any malware on this site.

Onkel Neal
10-20-10, 11:29 PM
Search: google ads malware (http://www.google.com/webhp?hl=en#hl=en&expIds=17259,24416,26637,26992,27177,52764&sugexp=ldymls&xhr=t&q=google+ads+malware&cp=14&pf=p&sclient=psy&site=webhp&aq=f&aqi=g4g-o1&aql=&oq=google+ads+mal&gs_rfai=&pbx=1&fp=439bdff367038ee9)


While researching an antivirus article here at Maximum PC, we noticed something very curious: a Google AdWords link called “Antivirus xp 2008,” which led to the url “antivirus-world-2009.com.” (Don't go there)
Anyone who’s been paying attention during the last year or so knows that "Antivirus xp 2008" is the name of one of the most widespread and obnoxious bits of malware floating around the internet. It hides itself in your system and launches a bogus antivirus program at intervals to warn you that you’ve got spyware and trojans and the sky is falling. Then, it recommends that you buy the pro version of the program, which presumably also does nothing except rip you off. The virus is frequently updated to evade malware removal tools, and is just generally a pain.

(http://www.subsim.com/files/u57670/antivirus-xp-homepage.png)

So why is Google advertising for it? It’s not exactly tough to figure out that the site is hosting the virus; the link is called “antivirus xp 2008” after all. Well, maybe we should say that it’s not tough for users like us to figure out that it’s a virus—we suspect that less-experienced surfers (our moms, for instance) could very easily be duped into clicking the link, particularly if they were already searching for antivirus software.

And there’s reason to believe that Google knows the site hosts malware. We know that Google purges so-called “attack sites” from its index (http://www.techspot.com/news/28050-google-purges-thousands-of-malware-sites-from-search.html), and when we searched for “site: antivirus-world-2009.com,” which ought to turn up all pages at that domain indexed by Google, we got zero results. This isn’t conclusive, of course; there are other reasons that a site might not be indexed by Google, but it is suspicious. Malware-hosting sites are generally designed to try to climb to the top of the Google results page, and it’s probably safe to assume that a site that advertises with Google would be search-savvy enough to get its page indexed, if it weren’t blacklisted.


http://www.maximumpc.com/article/news/why_google_running_ads_known_malware_sites

Respenus
10-21-10, 12:33 AM
Adding my small input, I've had Kaspersky Pure report infected links before trying to load together with Subsim.com. Now, even when blocking, it didn't stop the site from functioning, which would mean that there was some background link somewhere.

I'm just glad I can access Subsim again.

Castout
10-21-10, 12:51 AM
Defamation lawsuit time!

It's left with google trying to defame subsim or advanced hackers not happy with subsim content.

And judging from subsim content it could range from North Korea, Iran, Obama, or the corrupt children in Singapore offended by my blog link or simply a recently disgruntled immature forum member. . . .

But we never know for sure but the intention is surely to ruin the site's reputation and bring down the number of visitors and would be visitors.....to discourage them information or seeing content on this site.

My AV didn't report anything while loading subsim . . .so if there were something it was brief . .. .

divingbluefrog
10-21-10, 02:00 AM
I've got the red warning for two days, tried several scans with various progs and found nothing.
This morning it's gone.

Molon Labe
10-21-10, 03:12 AM
Back to normal here too. (Firefox user)

Stiebler
10-21-10, 04:20 AM
I, too, am no longer experiencing 'attack site' complaints when using FireFox.

It is, perhaps, a little unfair to refer to stopbadware.org as a 'fly-by-night' company; worse, like another poster on this thread, to suggest that it might be involved in extortion.

I made a formal complaint yesterday to their contact e-mail address concerning the facts that:
a) SubSim was not an attack site (evidence: I had accessed SubSim.com repeatedly with FireFox and Internet Explorer, and then had made numerous anti-malware sweeps with different competing anti-virus/anti-spyware programs - no threat was ever seen.)
b) That there was no means for users to communicate to them on their web-pages that there was, in fact, no threat (or no longer a threat) and they should conduct fresh trials for malware.

I received, promptly back by e-mail, a friendly and knowledgeable answer acknowledging my points, stating that SubSim had already been taken off their 'attack sites' list, and agreeing that the real problem probably was attributable to links by users to infected third-party sites (a problem which could affect *any* website that allows readers to make comments, as well as SubSim itself), or alternatively malware delivered by one of SubSim's advertisers (probably unknowingly).

They still haven't addressed point (b) though.

Neal, if you're reading this:
I don't know whether the 'attack sites' problem is connected or not, but a click on my signature brings up a blank page, despite the fact that the files it should access are still there (seen by FTP). PM also sent.

Stiebler.

Castout
10-21-10, 04:36 AM
It's gone now the attack site warning is now GONE!

:yep:

rsslcs
10-21-10, 05:19 AM
I am still getting a red "malware detected!" warning, using Google Chrome.

SashaKA001
10-21-10, 05:35 AM
here can help you find the culprit.

http://i4.imageban.ru/out/2010/10/21/de1b6b24cd8cde58f9869ef222b93bd6.jpg (http://imageban.ru)

the_tyrant
10-21-10, 05:46 AM
here can help you find the culprit.

http://i4.imageban.ru/out/2010/10/21/de1b6b24cd8cde58f9869ef222b93bd6.jpg (http://imageban.ru)

I can't read the language but can you send the file mentioned on the third line through filedropper.com

Dowly
10-21-10, 06:35 AM
I can't read the language but can you send the file mentioned on the third line through filedropper.com

That'd be the trojan, why on earth would he want to infect his PC just so he can send it to you? :O:

longam
10-21-10, 07:09 AM
Received a FF update and problem is gone. Don't know if they're related.

Onkel Neal
10-21-10, 07:25 AM
here can help you find the culprit.

http://i4.imageban.ru/out/2010/10/21/de1b6b24cd8cde58f9869ef222b93bd6.jpg (http://imageban.ru)


Thanks, can you translate the Cyrillic text? When was that screenshot taken? Does anyone with English Kaspersky AV get this? I will have to check again but I am pretty sure there are no javascripts in the forum other than the stock forum files.

thanks
Neal

Respenus
10-21-10, 07:57 AM
Just got this:

21.10.2010 14:51:45 Web Anti-Virus Detected: HEUR:Exploit.Script.Generic Firefox betaword.co.cc /images/js.php//JIM (http://betaword.co.cc/images/js.php//JIM)

21.10.2010 14:51:47 Web Anti-Virus Detected: Trojan-Downloader.Java.Agent.hx Java(TM) Platform SE binary betaword.co.cc /images/jar5.php/bpac/a.class (http://betaword.co.cc/images/jar5.php/bpac/a.class)

21.10.2010 14:51:49 Web Anti-Virus Detected: Trojan-Downloader.Java.Agent.hw Java(TM) Platform SE binary betaword.co.cc /images/j.php/M8PFGFzL.class (http://betaword.co.cc/images/j.php/M8PFGFzL.class)

This attack repeated 4 times. I'm using KAV Pure English version, latest database.

Man I just love KAV. Slows down computers to a halt, but creates a damn good barrier.

Hope this helps a bit.

SeaWolf U-57
10-21-10, 08:34 AM
Seawolf, so far I have not been able to determine there ever were any trojans on the Subsim server. You may think there was, with your free AV system warning you, but that and $1 will buy a cup of coffee.

There may have been some problems with the Google ads being served (becoming more common, read this for more (http://news.cnet.com/8301-27080_3-20000898-245.html)), I removed the ads from the forum.

Yes, a few people had AV warnings, but that does not prove anything, AVs often have false alarms. I checked the server and files, The Planet checked the server and files, and Admin Geeks checked the server and file--nothing has been discovered.

With the current Firefox/Chrome alerts, I have had the Planet Advance Support team check everything again. Still, nothing malicious has been found:


If SOMETHING evil had been found by these professionals, they would have fixed it and I would be 100% glad to report this. We could fix it and move on.

I am not saying there is absolutely nothing wrong, just that we cannot find anything wrong. I think the problem originated from Google ads, and some awesome dope reported Subsim as an evil site, and now Google is blacklisting us. Thanks, Google!

I am going to have an independent vBulletin technician check the database and files tomorrow, to double-check the work done by TPAS. Better safe than sorry.

Will report what I find, thanks.
Neal

I found this in my quarantine folder of Nod32; it was never allowed to install

29/09/2010 …. drerlre.co.cc/client.zip… java/TrojanDownloader.agent.NBU trojan
29/09/2010 … drerlre .co.cc/1.zip ….. A variant of java/Mugade

(I removed the http:// to stop them being active links)

I connected using my Firefox browser http://www.silenthuntermods.com/forum/Smileys/extended/nononono.gif

As for you saying that my antivirus is a free $1 worthless package, I would reply: well, at least it found the Trojans and blocked them the first time, and to prove to you it was real I was stupid enough to let them in.

29/09/2010 … drerlre.co.cc/client.zip …java/trojandownloader.agent.nbu
29/09/2010 … drerlre.co.cc/1.zip … a variant of java/mugade
I already said that they seemed to have gone

But I don't see why other people who in this instance are just blowing wind try to rubbish anyone who reported this

Dowly
10-21-10, 08:59 AM
I can vouch that the trojan Seawolf is speaking of was there, I tried one of the links he posted above back then and my Avast picked it up as well.

I also googled the address and it was listed on multiple malware/trojan prevention sites as a trojan.

I have no idea why only few are getting these things, tho. :hmmm:

One thing to note is that most of these trojans (I think all but one) that have been reported are all coming from co.cc ending URLs.

doctrine
10-21-10, 09:16 AM
Hey guys, maybe this is already mentioned, but I was too lazy to read the whole thread so sorry in advance if it was. And although I never see any ads on this site, maybe it helps....

We had this problem as well with our company website a few months ago. Scanned our whole system and servers and nothing wrong was found. But we found out our ad-server was kind of hijacked. Every time the implementation code for an ad was fetched from the ad-system and implemented on the page, a piece of extra javascript was included with it, which was the reason for our trojan/malware warnings. And the baddest thing, excluded from the google search.

If this could be the reason (and it's your own ad-server), make sure you disable your ads as fast as possible, because the trojan/malware can spread further through the ad-system.

Our solution was to disable the complete ad-system running on our site. Once you're almost sure your site is clean again, request a new review (I guess it was: http://www.google.com/support/webmasters/bin/answer.py?answer=168328). It can take a few days before it is reviewed.

Good luck with it m8!

SeaWolf U-57
10-21-10, 09:32 AM
I can vouch that the trojan Seawolf is speaking of was there, I tried one of the links he posted above back then and my Avast picked it up as well.

I also googled the address and it was listed on multiple malware/trojan prevention sites as a trojan.

I have no idea why only few are getting these things, tho. :hmmm:

One thing to note is that most of these trojans (I think all but one) that have been reported are all coming from co.cc ending URLs.

Thanks Dowly I'm glad you remembered :salute:

kiwi_2005
10-21-10, 09:40 AM
Beat the hackers - be prepared


You've been hacked. What do you do? Who do you call?
It's good to know before time, because you can waste a lot of time, and do a lot of damage to your systems and your organisation if you don't, according to Paul Craig, the lead forensic incident responder at Security-Assessment.com (http://security-assessment.com/).
There are people out there who will hack into your system with criminal intent. There are people who do it for fun, or so they can skite about it on sites like zone-h.com - which will point other people to your servers, your databases and your credit card numbers if you don't move fast to secure them. Craig says most hacking now starts with web applications, because the firewalls that aim to stem other types of network intrusion are now almost ubiquitous.

Once a server has been hacked, people need to work out what the hacker has done in the system, whether they have taken anything or made queries on the database, whether they have left any back doors so they can come in later.

Craig says a common response to being hacked is the worst one.
"People say, 'We've reformatted the servers, reinstalled from back-ups, the crisis was averted.'
"What they've actually done is destroyed forensic evidence, and they have no way to find out what the hacker has done."
He says in one New Zealand government agency where Security-Assessment.com was called in, the security manager was unaware the website had been defaced.

The content manager was, but just restored from back-ups whenever it happened. Craig says once he ran all the available data through his tools and in effect recreated what had happened by automatically sifting through gigabytes of logs to find out what, when and who, he discovered eight separate hackers had exploited a vulnerability in the DotNetNuke web content management system.

Hacker five had listed his exploit on zone-h.com, where hacking government sites earns extra points, and hackers six, seven and eight followed the link in. He recommends organisations sort out their business processes and technical response before they get hacked.
If they identify a preferred forensic supplier, one with the trained staff, the equipment and the processes to do the job right, they can have emergency response numbers, pre-signed non-disclosure agreements and to-do lists in place if the worst happens.

Digital evidence degrades over time, so it's important to move fast.
Craig says if a server is hacked, leave it on and connected to the internet. That means the forensic examiner can look at logs and routing tables and get an accurate picture.
Action may need to be taken so the machine does not restart. That means disabling any automated shut-downs or patch routines.
If the incident responder can't get there for a few days, get a new one - and rip the power cord out of the wall.

"Don't do a shut down. When Windows shuts down, it clears a lot of volatile information," Craig says.
It's good if organisations know what their incident responder needs and have it ready. They will be paying big money for forensics, maybe $2000-plus a day, so why waste it by having the person wandering the building chasing up network topography maps and server logs.
Craig says he is still waiting for the job that leads to a successful prosecution.

If the hack came from New Zealand or Australia, that would be relatively simple, but most hacks come from places where local law enforcement doesn't seem inclined to chase down the culprits - such as when he identified a United States-based hacker who was even using his smartphone to grab credit card numbers.

And if the hacker comes from China, there may be a prosecution - but the sentence is to be drafted in to the army's cyberwar division.

http://www.nzherald.co.nz/technology/news/article.cfm?c_id=5&objectid=10681664

joea
10-21-10, 12:37 PM
Well I'm posting with FF and no message. Good news. :yeah:

Am I the only one who thinks hackers, if they can be caught, should be put in stockades so we can throw rotten fruit and or worse stuff at them? :shifty:

Buddahaid
10-21-10, 01:15 PM
Australian territory? 80% Sunni Muslim speaking people.

http://en.wikipedia.org/wiki/.cc

ajrimmer42
10-21-10, 02:55 PM
Well I'm posting with FF and no message. Good news. :yeah:



I'm still getting it unfortunately :-?

MaddogK
10-21-10, 06:22 PM
Alerts are indeed gone from my FF 3.6.8 install- good job.

I am however miffed that my other computer is being blocked by the site host. I ran a trace this morning and 'theplanet.com' appears to be the culprit, just as well I shouldn't be surfing this site while at work. A shame I have to watch all that beautiful cable bandwidth go to waste.

Dowly
10-21-10, 06:39 PM
The Planet is the host for Subsim. ;)

TLAM Strike
10-21-10, 08:43 PM
I've logged on and not seen it... Is it really gone? :hmmm:

Takeda Shingen
10-21-10, 10:32 PM
It appears to be yes and no right now, depending on the browser and AV software used. This alone leads me to believe that it is a technical issue rather than an attack.

Reece
10-21-10, 11:22 PM
I still have the error with FF 3.6.3!:-? It seems that some don't have this problem, is the solution to upgrade to 3.6.11 the answer?:hmmm:
I use COMODO firewall with Ad-Aware and Avira.

JScones
10-22-10, 01:00 AM
Australian territory? 80% Sunni Muslim speaking people.

http://en.wikipedia.org/wiki/.cc

Read that link more carefully... we're talking ".co.cc", not ".cc". www.co.cc (http://www.co.cc) is not a hierarchy, but a company (South Korean, to be exact) that offers subdomain services.

Thus http:\\clickplus.co.cc is a subdomain of www.co.cc (http://www.co.cc), and not affiliated with the Cocos Islands. The giveaway is the missing www. ;)

Seeadler
10-22-10, 07:11 AM
Today when I visited the forum main page, KAV reported again blocked trojan downloads.

http://s5.directupload.net/images/101022/temp/zmvvz42z.png (http://s5.directupload.net/file/d/2320/zmvvz42z_png.htm)

Herr-Berbunch
10-22-10, 07:20 AM
Australian territory? 80% Sunni Muslim speaking people.

http://en.wikipedia.org/wiki/.cc

It's a few hundred miles from Christmas Island, but maybe we tested atom bombs there knowing there was a prevailing easterly wind? :shifty:

Oberon
10-22-10, 04:50 PM
A friend of mine (registered here as Nagy) just got the Chrome warning, ignored it and then his virus checker intercepted a "Kryptik.L.Gen trojan" attempt to download itself to his machine from an advert. Sadly he didn't see what advert was up at the time it tried, but just a heads up to people that it's still out there. I'll also PM this to Neal to let him know since this is on page ten of the thread.
There is also this message, if it's helpful:

"The website at www.subsim.com contains elements from the site 48572835.cz.cc, which appears to host malware – software that can hurt your computer or otherwise operate without your consent. Just visiting a site that contains malware can infect your computer."

DarkFish
10-22-10, 06:06 PM
Yep, it's still there:yep: :88) :dead:

Reece
10-22-10, 07:11 PM
Yep, it's still there:yep: :88) :dead:

What exactly is there?:-? I still have to have "Block reported attack sites" unticked in FF settings or I get the "Reported Attack Page" red box!! Is this a virus/trojan on my machine that Ad-Aware and Avira can't find or is Subsim still being blocked by Google!:hmmm:

SeaWolf U-57
10-22-10, 08:22 PM
And that is the real problem: there is no way of being really sure. It looks like it is still attacking in some form or other, but that said, your antivirus may have already updated itself to the threats before you encounter them, so they are blocked. I just keep an eye on my system; if it seems to be doing something over the internet when I think it should not be, then I will pull the plug and do a full scan just to make sure.

Onkel Neal
10-22-10, 08:53 PM
A friend of mine (registered here as Nagy) just got the Chrome warning, ignored it and then his virus checker intercepted a "Kryptik.L.Gen trojan" attempt to download itself to his machine from an advert. Sadly he didn't see what advert was up at the time it tried, but just a heads up to people that it's still out there. I'll also PM this to Neal to let him know since this is on page ten of the thread.
There is also this message, if it's helpful:

"The website at www.subsim.com (http://www.subsim.com) contains elements from the site 48572835.cz.cc, which appears to host malware – software that can hurt your computer or otherwise operate without your consent. Just visiting a site that contains malware can infect your computer."

Thanks, Jamie. I need to know:

Which exact page was he on when he got the warning?

I removed the Google ads from the forum and the main subsim.com page two weeks ago, was it another page on the website, such as one of the reviews or such?

That string does not exist in the forum database, other than the PM and this thread where you describe it.

Reece
10-22-10, 09:07 PM
A horrid thought is that a lot of the links to various pictures being displayed on threads like:
I know curiosity killed the cat
Funny picture thread
Just open the one above ( http://www.subsim.com/radioroom/showthread.php?t=163913 ) and check the loading addresses at the lower left of the screen, you can see a lot of loading from various sites, if these sites hosted malware could these links be what Google is detecting!:hmmm: If so then the job to clean these threads would be almost impossible!:doh:
BTW, some of these links are to things like movies (youtube), newspaper articles, downloads etc etc.

Onkel Neal
10-22-10, 10:53 PM
I'm contacting a new server datacenter tomorrow about shutting down the site and moving it.

Grayghost59
10-22-10, 11:07 PM
I have run scan after scan and there has not been a problem. My computer is about as secure as Fort Knox, if it's there I'd find it.

Reece
10-23-10, 12:33 AM
I'm contacting a new server datacenter tomorrow about shutting down the site and moving it.

Cripes Neal, that's no small job, and certainly a big decision!:oops::doh: What advantages would there be though?:hmmm:
Be assured that if you have to do this I, and others, will help with donations, the cost would be huge!:o
Wasn't that long ago you had to do this due to cyclone damage!:damn:

Onkel Neal
10-23-10, 07:18 AM
I don't know what else to do. I have checked everything I can think of, and my tech support guys have run AV scans, checked the databases, and whatever they do, and found nothing. I have not been able to get a AV warning on my system, on the college lab PC, my friend's PC, or the hotel PC, using Chrome, IE, and FF.

I need to find another security IT team, maybe the Planet techs are missing something. Any suggestions?

Onkel Neal
10-23-10, 07:41 AM
I have contacted this service, let's see if they can do anything.
http://www.rack911.com/

I wish my computer would see these issues, so far Norton has been very quiet.

kraznyi_oktjabr
10-23-10, 07:45 AM
Neal, have you checked if there is any pattern on who have and who have not problems? Geographical location etc.

Dowly
10-23-10, 08:03 AM
Neal, I recommend you include the image posted by Seeadler with when you contact IT security people. It should give them a good idea what exactly is attacking the site. :salute:

Today when I visited the forum main page, KAV reported again blocked trojan downloads.

http://s5.directupload.net/images/101022/temp/zmvvz42z.png (http://s5.directupload.net/file/d/2320/zmvvz42z_png.htm)

Dowly
10-23-10, 10:08 AM
Mate also got a trojan trying to get into his PC from one of those cc.co urls while visiting the forum.

He's using Firefox and AVG.

Seeadler
10-23-10, 01:07 PM
Just now I've investigated this a little bit. On my home PC I deactivated the Firefox add-on "Adblock Plus" and opened the forum page; while loading the page, KAV immediately reported the Java Trojan download.

http://s1.directupload.net/images/101023/temp/vztrnpls.png (http://s1.directupload.net/file/d/2321/vztrnpls_png.htm)

On my PC here is Firebug (http://getfirebug.com/), a web designer tool for Firefox, installed and it can display and debug all the scripts of a visited web page.

Here we see that with an <iframe> on the forum page the infected script is loaded through the URL xxxx://bulkmode.co.cc/get/

http://s10.directupload.net/images/101023/temp/bnrhcft8.png (http://s10.directupload.net/file/d/2321/bnrhcft8_png.htm)


I strongly believe that the suspect code is loaded through the ads on these pages, because with Adblock Plus active, KAV reports no trojan downloads.

Therefore the data center found no malware / spyware / trojans in the hosted data of Subsim.com, because they are only loaded at execution time depending on how a browser and its installed browser add-ons are configured.

Also no trojan downloads when I use the FF add-on "NoScript" and block all execution of scripts from the forum page.

Dowly
10-23-10, 01:23 PM
Congrats, I think you just cracked this one. :yeah:

joea
10-23-10, 04:23 PM
That's exactly what I just got! I got a pop-up saying AVG blocked a trojan (forgot the name) when I got on here. Same .cc url. Didn't have the presence of mind to take a SS. :damn:

Elder-Pirate
10-23-10, 06:00 PM
Just happened to me. I've AVG and it said "Threat Blocked". Evidently it was, as everything is OK on my computer at the moment.

We have some very screwed up people in this world who just love doing things like that.

BTW Neal. I'm running IE8.

Elder-Pirate
10-23-10, 06:09 PM
OK I just tried to change pages and http://i4.photobucket.com/albums/y116/oleman/Threat.jpg

Only here at Subsim, must be a cure.

JScones
10-23-10, 06:11 PM
I strongly believe that the suspect code is loaded through the ads on these pages, because with Adblock Plus active, KAV reports no trojan downloads.

Therefore the data center found no malware / spyware / trojans in the hosted data of Subsim.com, because they are only loaded at execution time, depending on how a browser and its installed browser add-ons are configured.

Also no trojan downloads when I use the FF add-on "NoScript" and block all execution of scripts from the forum page.
That's been my suspicion too. I think there's no doubt that subsim.com itself is free from trojans.

I now only access this site through my 64-bit IE9 browser, no flash installed, and haven't had the warning since.

Notwithstanding different virus scanners/firewalls, I think the "appearance" certainly depends on what is installed on the client's PC, viz java, flash, ad blockers etc. A certain combination is what "sparks" the code, dropped into the third-party ads (or, perhaps possibly, some other feature/function that has been enabled on subsim that requires/uses java?), to start running on the client's machine.

Reece
10-23-10, 10:03 PM
All is working now, I did just update to the latest Ad-Aware that found a couple of items and had to reboot that ran a dos clean app, I then tried FF, re-ticked the "Block reported attack sites" and no problems!!:up:
Now whether this is due to a Trojan (though I doubt it), or Subsim has been wiped off Google's attack site list, I don't know!:hmmm:
Good news anyway.:yep:

swamprat69er
10-23-10, 10:33 PM
AVAST just warned me that this is malware. First time for me.

swamprat69er
10-23-10, 10:39 PM
malware name Win32:Bamital-AG [Drp]

that is what AVAST just told me

Onkel Neal
10-23-10, 11:33 PM
Ok, contracted rack911 to start working on this.

My first thought was ads, too, but I am still worried enough to keep plugging away at this (through IT experts).

If rack911 cannot find anything wrong, I don't know what.

Reece
10-23-10, 11:47 PM
Ok, contracted rack911 to start working on this.

My first thought was ads, too, but I am still worried enough to keep plugging away at this (through IT experts).

If rack911 cannot find anything wrong, I don't know what.
I don't know much about this sort of thing but I'm 99% sure the problem, now gone, wasn't due to anything I did, are you sure the problem still exists?
Maybe they were in the ad links, now they have been taken off is it possible that Google has detected that your site is now clean and all is well again!:hmmm:
Just a thought!:oops:

Onkel Neal
10-24-10, 12:04 AM
You may be right, Reece, but some people are still reporting vague malware concerns.

Reece
10-24-10, 12:20 AM
You may be right, Reece, but some people are still reporting vague malware concerns.
With all of this hype it has probably made a lot of people paranoid and after a lot of virus/malware updates done to their systems they are only finding what they already had but not detected before, might pay just to sit back and see what happens.:hmmm:
Maybe see if anyone is still getting the "Reported Attack Page" red banner now!:yep:

SeaWolf U-57
10-24-10, 05:17 AM
Why are people getting paranoid about the red warning messages produced by your browser? These are just that, warning messages, nothing more. The Trojan or redirectors, depending on what type of attack you may receive, will be shown by your own anti-virus software, as shown by the Elder-Pirate post above.
And as for the adverts producing the attacks, this was said in some of the first thread posts that had been left out in the merging of the threads :hmmm:

Reece
10-24-10, 06:33 AM
Why are people getting paranoid about the red warning messages produced by your browser? These are just that, warning messages, nothing more. The Trojan or redirectors, depending on what type of attack you may receive, will be shown by your own anti-virus software, as shown by the Elder-Pirate post above.
And as for the adverts producing the attacks, this was said in some of the first thread posts that had been left out in the merging of the threads :hmmm:
Not everyone, some, like me are a little paranoid!!:doh: I updated both Ad-Aware and Avira, Ad-Aware then found 3 worms and Trojan, if I did others probably did as well, thing is it might all be over!:yep: Hopefully anyway!:up:

Oberon
10-24-10, 08:14 AM
Thanks, Jamie. I need to know:

Which exact page was he on when he got the warning?

I removed the Google ads from the forum and the main subsim.com page two weeks ago, was it another page on the website, such as one of the reviews or such?

That string does not exist in the forum database, other than the PM and this thread where you describe it.

Sorry Neal, didn't see this sooner, it was this page:
http://www.subsim.com/radioroom/showthread.php?t=137181&page=117

Although I actually linked him directly to my post on that page which was:
http://www.subsim.com/radioroom/showpost.php?p=1520101&postcount=1748

Which does not have any visible adverts on it... :hmmm:

Oberon
10-24-10, 08:17 AM
With all of this hype it has probably made a lot of people paranoid and after a lot of virus/malware updates done to their systems they are only finding what they already had but not detected before, might pay just to sit back and see what happens.:hmmm:
Maybe see if anyone is still getting the "Reported Attack Page" red banner now!:yep:

I've reactivated my 'Reported Attack Page' alert thing on Firefox, so I'll let you know if it crops up again...so far though it's clean, I've been in the General Topics thread and here...I'll just go and check the Screenshot thread...no...no problems there.

Bizarre... :hmmm:

Seeadler
10-24-10, 01:02 PM
so far though it's clean, I've been in the General Topics thread and here...I'll just go and check the Screenshot thread...no...no problems there.
<iframe> tags with malware are often injected only once a day (to make it harder to detect)

vBulletin, the forum software, had problems in the past with add-ons, which allowed this <iframe> injection
http://www.vbulletin.com/forum/showthread.php?278169-iFrame-attack-with-Malware
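
An added example, not part of any poster's message: a site owner can run the check Seeadler did by hand in Firebug over saved copies of a page, listing every frame or script loaded from a host that is not on an allowlist and comparing several fetches to catch content that is only injected some of the time. The allowlist, the sample HTML and the host `injected.example` are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Assumption: hosts the site owner expects to serve active content.
ALLOWED_HOSTS = {"www.subsim.com", "subsim.com"}
ACTIVE_TAGS = {"iframe": "src", "script": "src", "embed": "src", "object": "data"}
# Constructed sample pages (not captured from the forum).
PAGE = "http://www.subsim.com/radioroom/index.php"
CLEAN = '<body><script src="/js/forum.js"></script><p>thread list</p></body>'
INJECTED = CLEAN.replace(
    "</body>", '<iframe src="http://injected.example/get/" width="1" height="1"></iframe></body>')


class ActiveContentAudit(HTMLParser):
    """Collect every remotely loaded frame/script whose host is not allowlisted."""

    def __init__(self, page_url, allowed_hosts):
        super().__init__()
        self.page_url = page_url
        self.allowed = {h.lower() for h in allowed_hosts}
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attr_name = ACTIVE_TAGS.get(tag)
        a = {k: (v or "") for k, v in attrs}
        src = a.get(attr_name, "").strip() if attr_name else ""
        if not src:
            return  # not an active tag, or inline content with nothing fetched
        url = urljoin(self.page_url, src)  # resolves relative and //host/ forms
        host = (urlparse(url).hostname or "").lower()
        if host in self.allowed:
            return
        style = a.get("style", "").replace(" ", "").lower()
        hidden = (a.get("width") in ("0", "1") or a.get("height") in ("0", "1")
                  or "display:none" in style or "visibility:hidden" in style)
        self.findings.append({"tag": tag, "host": host, "url": url, "hidden": hidden})


def audit(html, page_url, allowed_hosts=ALLOWED_HOSTS):
    parser = ActiveContentAudit(page_url, allowed_hosts)
    parser.feed(html)
    parser.close()
    return parser.findings


def new_hosts(snapshots, page_url, allowed_hosts=ALLOWED_HOSTS):
    """Off-allowlist hosts present in some snapshots but not all of them."""
    seen = [{f["host"] for f in audit(s, page_url, allowed_hosts)} for s in snapshots]
    if not seen:
        return set()
    return set().union(*seen) - set.intersection(*seen)


if __name__ == "__main__":
    print(audit(INJECTED, PAGE), new_hosts([CLEAN, INJECTED, CLEAN], PAGE))
```

A host that `new_hosts` returns appeared in only part of the sample, which is the intermittent pattern described above; a scan of the files on disk would not show it if the markup is added at request time.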

Onkel Neal
10-24-10, 04:24 PM
I've reactivated my 'Reported Attack Page' alert thing on Firefox, so I'll let you know if it crops up again...so far though it's clean, I've been in the General Topics thread and here...I'll just go and check the Screenshot thread...no...no problems there.

Bizarre... :hmmm:

Ok, thanks for that.

<iframe> tags with malware are often injected only once a day (to make it harder to detect)

vBulletin, the forum software, had problems in the past with add-ons, which allowed this <iframe> injection
http://www.vbulletin.com/forum/showthread.php?278169-iFrame-attack-with-Malware

Appreciate the link, will check that out and see about stopping all iframe functions in vB if possible.

Elder-Pirate
10-24-10, 05:26 PM
All's quiet on the front here at 5:25 PM central.

Maybe someone squashed the bugger. ( I hope ) :arrgh!:

swamprat69er
10-24-10, 07:02 PM
20:10 hrs and just logged in. No problems.

indy
10-25-10, 12:58 AM
I first got a warning with Firefox that this site, Subsim, was an attack site. I ran a scan of my computer with Avast; it found Trojans called On line gaming.com. I quarantined them, then deleted them off my system. So far I think my system is free of any critters.

I can not say for sure that I got these Trojans from Subsim site.


Some of you mentioned that you turned off the site attack warnings in Firefox, or you put Subsim as trusted. I don't think turning off attack site warnings, or putting any site as trusted, is a very bright thing to do. I personally want all the protection out here that I can get.
Anyone or any site can be hacked or infected, "My thoughts" Indy.

JScones
10-25-10, 01:13 AM
Some of you mentioned that you turned off the site attack warnings in Firefox, or you put Subsim as trusted. I don't think turning off attack site warnings, or putting any site as trusted, is a very bright thing to do. I personally want all the protection out here that I can get.
Anyone or any site can be hacked or infected, "My thoughts" Indy.

What's even more concerning is there are a few people, maybe not in this thread but definitely in one of the five or seven threads raised so far about this, who have criticised Microsoft for having the audacity to annoy them with warnings! <shakes head in amazement>

MaddogK
10-25-10, 12:32 PM
FF 3.6.11- warnings gone and site unblocked from my work pc.
:rock:
Still haven't received any malware warnings from AVG (home PC), as I don't run with admin privileges, or Norton Corp Ed AV (work) - am thinking NoScript working and Java scripts being disabled have something to do with it.

tater
10-26-10, 08:34 AM
Wasn't just firefox. Safari did it, too.

Reece
10-26-10, 09:10 AM
Wasn't just firefox. Safari did it, too.
Yes, I would say that it's past tense now!:hmmm:

ajrimmer42
10-26-10, 10:26 AM
Sorry guys but again, I'm still getting the warnings :( FF 3.6.11

Wolfehunter
10-26-10, 02:51 PM
Everything is good and in the green here neal.. No more odd pop ups. :salute:

Reece
10-26-10, 07:52 PM
Sorry guys but again, I'm still getting the warnings :( FF 3.6.11
What warnings, the first post of this thread?:hmmm:
I have just updated FF to 3.6.11 and Java to 6.0.21 and all clear.:yep:

ajrimmer42
10-27-10, 03:07 AM
What warnings, the first post of this thread?:hmmm:


yup, just tried again now and I'm still getting it on every page :06:

Reece
10-27-10, 03:25 AM
yup, just tried again now and I'm still getting it on every page :06:
That is just so weird, no wonder poor Neal is knocking himself out, makes no sense!:oops::hmmm:

Seeadler
10-27-10, 06:31 AM
yup, just tried again now and I'm still getting it on every page :06:
did you clear your browser cache?

http://www.helpwithpcs.com/tipsandtricks/mozilla-firefox/clear-cache-version-3.gif

ajrimmer42
10-27-10, 11:31 AM
did you clear your browser cache?



:shifty:

tis fine now :yeah:

Reece
10-27-10, 08:37 PM
Excellent, I think it is about time for Neal to make a statement/comment on the situation.:yep:

reignofdeath
10-27-10, 09:58 PM
I didn't have Firefox problems but I did get "Malware infested site" reports while using Safari for about a week? I used IE and nothing bad came up and it loaded properly and everything.

SeaWolf U-57
10-28-10, 04:58 PM
Well Well take a look at this

http://www.siliconindia.com/shownews/0day_bug_detected_in_Firefox_35__36-nid-73275-cid-2.html :hmmm:

Reece
10-28-10, 06:28 PM
WOW!!:o I must upgrade my FF to 3.6.12 today, also Avira and Ad-Aware definitions, I wonder where the svchost.exe would be stored if created!.:hmmm:

Herr-Berbunch
10-28-10, 06:52 PM
WOW!!:o I must upgrade my FF to 3.6.12 today, also Avira and Ad-Aware definitions, I wonder where the svchost.exe would be stored if created!.:hmmm:

along with every other svchost.exe I'm guessing - it's always been a favourite as it's nearly always running multiple occurrences! :nope:

I've just checked my pc for this file and I have six in the prefetch folder (C:\Windows\Prefetch) (which are supposed to be there, but are ok to delete - they'll just come back when needed), and a few others that were installed in July when the OS was put on.

If there were any from the last month not in the Prefetch folder, and you've not reinstalled your OS recently, I'd delete and scan, or scan and delete. :yep:

Gerald
10-28-10, 06:57 PM
Well Well take a look at this

http://www.siliconindia.com/shownews/0day_bug_detected_in_Firefox_35__36-nid-73275-cid-2.html :hmmm: :up:

Reece
10-28-10, 07:19 PM
along with every other svchost.exe I'm guessing - it's always been a favourite as it's nearly always running multiple occurrences! :nope:

I've just checked my pc for this file and I have six in the prefetch folder (C:\Windows\Prefetch) (which are supposed to be there, but are ok to delete - they'll just come back when needed), and a few others that were installed in July when the OS was put on.

If there were any from the last month not in the Prefetch folder, and you've not reinstalled your OS recently, I'd delete and scan, or scan and delete. :yep:
I don't have any in the C:\Windows\Prefetch folder, only a load of .pf files that don't contain the word "svchost", the only svchost.exe is located in the C:\Windows\System32 folder.:yep:

Onkel Neal
10-28-10, 08:08 PM
Rack911 reported back that the server had been rooted,:cry: and they cleaned it up. They have been monitoring it the last few days and I wanted to wait before posting the news. Steven says he has updated the server, and hardened it. All good stuff, I am sure.

When this first broke out, I suspected a problem with the Google ads. I had heard about this before on other websites such as this one (http://www.quartertothree.com/game-talk/showthread.php?t=58970). But even though I suspected the Google ads, I knew that I did not know with certainty what the problem was, so I contacted Scott at AdminGeeks. He had done some work for me before and did it well, in a timely fashion. Not this time. When AdminGeeks reported no issues (after 4 days delay), I thought it could be false positives on some AVs, especially since many people did not get AV alerts. I never got an AV warning from Norton, not at home, college or the hotel. Turns out it was not a false positive.

When the problem persisted, I contacted Planet Advance Services to find this problem. They ran a clamscan and let it go at that. That was not what I asked them to do, I specifically directed them to find the problem, at any cost, and they showed no initiative in helping. When a long time customer (7 years) reports the number of users getting alerts on their server, they should be much more proactive. It should be their problem too. I made it clear to them I wanted to know if they could handle this, and if not, let me know who could. Their responses were very sketchy. I'm talking with their management about this now.

I apologize to everyone that this happened. I sincerely apologize. When I get messages from multiple members about something like this, I have to turn it over to an IT expert. It's a shame that you cannot depend on professionals to follow through.

Neal

Zachstar
10-28-10, 09:41 PM
I never got an alert from my virus scan and I do not see any strange processes working. However, because I was here before Google locked the site and had the issue of not being able to post, I will have to keep an eye on things.

I hope the butthole that did this gets arrested and charged.

SeaWolf U-57
10-29-10, 04:22 AM
If you received the notification to update your Java script and if you clicked yes, then you would be in danger of hosting the exploit code somewhere on your computer.
If not, you should be OK and clear of any problem. The messages received through your browser were never a problem, just a bit of a nuisance to some who didn't really believe there was a problem in the first place.
Check out my post above.
Thank you Neal for the update, I'm glad it's all sorted now :up:

Dowly
10-29-10, 05:34 AM
Thanks for the update Neal, and no apology needed. These things happen, and it's quite remarkable that a big site like Subsim has been going without such incidents for so long. Just a good thing we have this sorted now. *knocks the wood* :up: