SUBSIM Radio Room Forums



Old 10-22-10, 06:06 PM   #151
DarkFish

Yep, it's still there
Old 10-22-10, 07:11 PM   #152
Reece

Quote:
Originally Posted by DarkFish View Post
Yep, it's still there
What exactly is there? I still have to have "Block reported attack sites" unticked in FF settings or I get the "Reported Attack Page" red box!! Is this a virus/trojan on my machine that Ad-Aware and Avira can't find or is Subsim still being blocked by Google!
__________________

Sub captains go down with their ship!
Old 10-22-10, 08:22 PM   #153
SeaWolf U-57

And that is the real problem: there is no way of being really sure. It looks like it is still attacking in some form or other, but that said, your antivirus may have already updated itself to the threats before you encounter them, so they are blocked. I just keep an eye on my system; if it seems to be doing something over the internet when I think it should not be, then I will pull the plug and do a full scan just to make sure.
Old 10-22-10, 08:53 PM   #154
Onkel Neal

Quote:
Originally Posted by Oberon View Post
A friend of mine (registered here as Nagy) just got the Chrome warning, ignored it and then his virus checker intercepted a "Kryptik.L.Gen trojan" attempt to download itself to his machine from an advert. Sadly he didn't see what advert was up at the time it tried, but just a heads up to people that it's still out there. I'll also PM this to Neal to let him know since this is on page ten of the thread.
There is also this message, if it's helpful:

"The website at www.subsim.com contains elements from the site 48572835.cz.cc, which appears to host malware – software that can hurt your computer or otherwise operate without your consent. Just visiting a site that contains malware can infect your computer."
Thanks, Jamie. I need to know:

Which exact page was he on when he got the warning?

I removed the Google ads from the forum and the main subsim.com page two weeks ago, was it another page on the website, such as one of the reviews or such?

That string does not exist in the forum database, other than the PM and this thread where you describe it.
Attached Images
File Type: jpg analysis1022.jpg (104.2 KB, 9 views)
__________________
SUBSIM - 26 Years on the Web
Old 10-22-10, 09:07 PM   #155
Reece

A horrid thought is that a lot of the links to various pictures being displayed on threads like:
I know curiosity killed the cat
Funny picture thread
Just open the one above ( http://www.subsim.com/radioroom/showthread.php?t=163913 ) and check the loading addresses at the lower left of the screen, you can see a lot of loading from various sites, if these sites hosted malware could these links be what Google is detecting! If so then the job to clean these threads would be almost impossible!
BTW, some of these links are to things like movies (youtube), newspaper articles, downloads etc etc.
Old 10-22-10, 10:53 PM   #156
Onkel Neal

I'm contacting a new server datacenter tomorrow about shutting down the site and moving it.
Old 10-22-10, 11:07 PM   #157
Grayghost59
Scans

I have run scan after scan and there has not been a problem. My computer is about as secure as Fort Knox; if it's there I'd find it.
Old 10-23-10, 12:33 AM   #158
Reece

Quote:
Originally Posted by Neal Stevens View Post
I'm contacting a new server datacenter tomorrow about shutting down the site and moving it.
Cripes Neal, that's no small job, and certainly a big decision! What advantages would there be though?
Be assured that if you have to do this I, and others, will help with donations, the cost would be huge!
Wasn't that long ago you had to do this due to cyclone damage!
Old 10-23-10, 07:18 AM   #159
Onkel Neal

I don't know what else to do. I have checked everything I can think of, and my tech support guys have run AV scans, checked the databases, and whatever they do, and found nothing. I have not been able to get an AV warning on my system, on the college lab PC, my friend's PC, or the hotel PC, using Chrome, IE, and FF.

I need to find another security IT team, maybe the Planet techs are missing something. Any suggestions?
Old 10-23-10, 07:41 AM   #160
Onkel Neal

I have contacted this service, let's see if they can do anything.
http://www.rack911.com/

I wish my computer would see these issues, so far Norton has been very quiet.
Old 10-23-10, 07:45 AM   #161
kraznyi_oktjabr

Neal, have you checked if there is any pattern in who has and who does not have problems? Geographical location etc.
__________________
You talk to God, you're religious. God talks to you, you're psychotic. - Dr. House
Old 10-23-10, 08:03 AM   #162
Dowly

Neal, I recommend you include the image posted by Seeadler when you contact IT security people. It should give them a good idea what exactly is attacking the site.

Quote:
Originally Posted by Seeadler View Post
Today when I visited the forum main page, KAV reported again blocked trojan downloads.

Old 10-23-10, 10:08 AM   #163
Dowly

Mate also got a trojan trying to get into his PC from one of those cc.co urls while visiting the forum.

He's using Firefox and AVG.
Old 10-23-10, 01:07 PM   #164
Seeadler

Just now I've investigated this a little bit. On my home PC I deactivated the Firefox add-on "Adblock Plus" and opened the forum page. While loading the page, KAV immediately reported the Java trojan download.



On my PC here, Firebug (http://getfirebug.com/), a web designer tool for Firefox, is installed, and it can display and debug all the scripts of a visited web page.

Here we see that, with an <iframe> on the forum page, the infected script is loaded through the URL xxxx://bulkmode.co.cc/get/




I strongly believe that the suspect code is loaded through the ads on these pages, because with Adblock Plus active, KAV reports no trojan downloads.

Therefore the data center found no malware / spyware / trojans in the hosted data of Subsim.com, because they are only loaded at execution time, depending on how a browser and its installed add-ons are configured.

There are also no trojan downloads when I use the FF add-on "NoScript" and block all execution of scripts from the forum page.
__________________
--
Vapor-ware is always easier to sell because there's no limit what it can do!
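
The check described in post #164, done from a saved network capture instead of by eye, as an added example that is not part of the original thread: it reads a constructed HAR-format capture, lists every request to a host that is neither the forum nor an allow-listed ad host, and follows the Referer headers back to show which earlier load pulled it in. All host names, the sample entries and the function names are assumptions made for illustration.

```javascript
// Added example: constructed HAR 1.2 subset; every host below is a placeholder.
const har = { log: { entries: [
  entry("http://forum.example/index.php", null, "text/html"),
  entry("http://forum.example/clientscript/global.js", "http://forum.example/index.php", "application/javascript"),
  entry("http://ads.adnet.example/slot?id=7", "http://forum.example/index.php", "text/html"),
  entry("http://cdn.rotator.test/creative.html", "http://ads.adnet.example/slot?id=7", "text/html"),
  entry("http://unknown-host.test/get/", "http://cdn.rotator.test/creative.html", "text/html"),
  entry("http://unknown-host.test/get/a.jar", "http://unknown-host.test/get/", "application/java-archive"),
] } };

function entry(url, referer, mimeType) {
  const headers = referer ? [{ name: "Referer", value: referer }] : [];
  return { request: { url, headers }, response: { content: { mimeType } } };
}

const hostOf = (u) => new URL(u).hostname;
const refererOf = (e) =>
  (e.request.headers.find((h) => h.name.toLowerCase() === "referer") || {}).value || null;

// Walk Referer headers from one request back to the page that started the load.
function chainTo(url, parentOf) {
  const chain = [];
  const seen = new Set(); // guards against Referer loops
  for (let u = url; u && !seen.has(u); u = parentOf.get(u)) {
    seen.add(u);
    chain.unshift(hostOf(u));
  }
  return chain.filter((h, i) => i === 0 || h !== chain[i - 1]); // collapse repeated hosts
}

// Report every request to a host that is neither first-party nor allow-listed,
// together with the chain of hosts that led to it.
function unexpectedLoads(har, firstParty, allowedHosts) {
  const parentOf = new Map(har.log.entries.map((e) => [e.request.url, refererOf(e)]));
  const ok = new Set([firstParty, ...allowedHosts]);
  return har.log.entries
    .filter((e) => !ok.has(hostOf(e.request.url)))
    .map((e) => ({
      url: e.request.url,
      type: e.response.content.mimeType,
      via: chainTo(e.request.url, parentOf),
    }));
}

const findings = unexpectedLoads(har, "forum.example", ["ads.adnet.example"]);
for (const f of findings) console.log(`${f.type}  ${f.url}\n    via ${f.via.join(" -> ")}`);
```

The Referer chain is a heuristic: a request sent without a Referer header shows up with a chain that starts at its own host, which is itself worth a look.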
Old 10-23-10, 01:23 PM   #165
Dowly

Congrats, I think you just cracked this one.