FAO NEAL: Reported Attack Site? Anyone else getting this too?

[Scion]

Long time since my last post here!

I too am receiving the warnings, using Chromium 6.0.472.62 & Ubuntu 10.04. Link to diagnostic page

[DarkFish]

There are something like 4 different threads about this now Maybe one of the moderators can merge them?

I might have found one cause of the problem, can other people confirm this? See this post of mine in one of the other threads.
Basically it says that if my browser loads an image of which the url starts with "subsim.com/radioroom/" (e.g. http://www.subsim.com/radioroom/imag...ner_468x60.png), my AV goes nuts.

[Yosarian]

Quote:

Originally Posted by Hydra

I'm getting it with Firefox.

The warning page appears only with browsers which use the Google Safe Browsing API.

to learn more about Google Safe Browsing API:
http://code.google.com/intl/de-DE/apis/safebrowsing/

Quote:

What can be done besides disabling alert warning?

Google web-robots checks the contents of web pages, and if they find a site which distribute suspected malware or spyware code eg. through banner ads, active web 2.0 scripts, active content in postings or signature links/pictures, then this site comes on Google's blacklist.

After a certain time, the Google web-robots examine the websites of their blacklist again and if they found no longer suspicious code on the site, they put this website on the whitelist.

To speed up this process, an affected website owner who has cleaned his website and removed the suspicious code can request through the Google Webmaster Tools a review of his website.
http://www.google.com/support/webmas...?answer=163633

[Onkel Neal]

This is such bs, google reports a problem and says

Quote:

If your site has been infected with malware, check the Malware page in Webmaster Tools. (On the site dashboard, click Diagnostics and then click Malware.) This page lists sample URLs from your site that have been identified as containing malicious code. Sometimes hackers will add new URLs to your site for their nefarious purposes (for example, phishing).

But when I check that part of the dashboard, there are zero issues or pages listed.


There is a line on the Google page that says
Please review StopBadware.org's Security Tips for Websites and make any necessary changes to your site. When you have cleaned your site, you can request a review, and we'll evaluate your site.


When I check that fly-by-night outfit, I get

Quote:

You searched for items containing the term 'subsim.com' there are 0 results.

You searched for items containing the term 'subsim.com/radioroom/ ' there are 0 results.

Awesome.

[SteamWake]

I'll bet that this is some sort of ploy to get you to buy some sort of 'security' software.

Like those web pages that warn you have dozens of viruses (that they put there).

[CaptainMattJ.]

open up FF go to tools > options > security > uncheck "Tell me if this site is an attack site" and click ok.

Clean and simple

[Takeda Shingen]

Quote:

Originally Posted by SteamWake

I'll bet that this is some sort of ploy to get you to buy some sort of 'security' software.

Like those web pages that warn you have dozens of viruses (that they put there).

Ah, the new protection racket.

[DarkFish]

Quote:

Originally Posted by CaptainMattJ.

open up FF go to tools > options > security > uncheck "Tell me if this site is an attack site" and click ok.

Clean and simple

Ehm, all fine and well, but that isn't a solution to the problem. It's a workaround at the very most.

[CaptainMattJ.]

Quote:

Originally Posted by DarkFish

Ehm, all fine and well, but that isn't a solution to the problem. It's a workaround at the very most.

it got the job done, so who cares what classification it is.

[Molon Labe]

Defamation lawsuit time!

[SeaWolf U-57]

Lets not forget that there was an original threat containing Trojans and some other type of nasty just because it was not seen by everyone is not the issue.
To prove what was happening when I view Subsim main page I click yes to install the items to gain screen shots of what happened.
I will tell you what happened my computer started sending out information of which I have no idea and I had to pull the connection.
I then tried to remove what had been installed and then my computer froze up so a total re-install needed. So I am glad that the site has no problems now but it did have
if Neal managed to remove the nasty from the code or whoever placed it in the site realized he had been found out and removed it no one knows it seems.
So now some of you are seeing warnings a little late yes but would you not rather be warned then to go through what I had to do.
So just go on amusing yourselves about this for some it was not so funny

[DarkFish]

Quote:

Originally Posted by CaptainMattJ.

it got the job done, so who cares what classification it is.

Yeah, but you can't expect every single one of the 55,000 members to tweak their firefox. It's absolutely great that you've solved the problem for yourself, and I'm really happy for you, but there are people who are not so adept at computers as yourself, or who simply don't read this particular thread, and thus stick with all the problems.

The "solution" you gave is not a solution. It's a workaround. It doesn't get rid of the problems, it only hides them.

[polyfiller]

Just to add my epxerience and some structure to the reporting of this issue;

Browser Used : IE V 8.0.6001.18702
Antivirus Used : Avira
Browser protection : IE settings + Spybot S&D

Error / attack reported by : Avira

Message : Threat detected in two temporary internent explorer files (can't repeat just now, will post message when I do). One talked about windows_securitycheck.exe in the temproary internet files folder.

Link Error encountered from : Multiple;

http://www.subsim.com/radioroom/index.php and
http://www.subsim.com/radioroom/forumdisplay.php?f=234

Error occurs each time link is used : NO

Action taken : selected deny access and delete from the Avira pop window and continued to browse the pages.

Now given the above, and other posts I think we can deduce;

1) Issue is NOT isolated to Firefox therefore ...
2) There is an issue (maybe attack, maybe false positive) with content delivered when clicking the links.
3) Given post above about cleaning up computer after impact and my own experiences with a windows securtiy check type attack earlier this year (did not have to re-install, but by golly it took some cleaning up)... I do not intend to test and allow the suspected threat files to execute.
4) OK, because we do not know whether or not this is a false positive or a seriously malicous package, then I think anyone who is turning down their FF security levels to access the site and who is not getting any additional protection / popup messages may be sailing a little too close to the wind.... may therefore be prudent to run some additional malware / antivirus scans on your machines.

On the basis of some experience in this space, and the fact the attack does nto appear each time a link is selected, then it is unlikely to be the core message board content or code. Not many attacks embed themselves in the message board code without attacking every time a link is selected. My best guess here is an advertising link where the advertiser content is infected. I reckon it's just a case of figuring which one.

[Molon Labe]

Quote:

Originally Posted by SeaWolf U-57

Lets not forget that there was an original threat containing Trojans and some other type of nasty just because it was not seen by everyone is not the issue.
To prove what was happening when I view Subsim main page I click yes to install the items to gain screen shots of what happened.
I will tell you what happened my computer started sending out information of which I have no idea and I had to pull the connection.
I then tried to remove what had been installed and then my computer froze up so a total re-install needed. So I am glad that the site has no problems now but it did have
if Neal managed to remove the nasty from the code or whoever placed it in the site realized he had been found out and removed it no one knows it seems.
So now some of you are seeing warnings a little late yes but would you not rather be warned then to go through what I had to do.
So just go on amusing yourselves about this for some it was not so funny

How long ago was that? If it wasn't yesterday, then you're right, it's not funny.

It's not funny because potential members/users are being scared away from a great community and sim resource because of a mistake. It's not funny because Neal is being impugned as a purveyor of viruses.

[the_tyrant]

A few ideas:
Why does Subsim have an FTP server that allows anonymous connections?
Google says that subsim is linked to reported attack sites, who or what linked it?