Dave Posted September 14, 2014

Dear all, We received notification from Google a few hours ago that some malware had been injected into some of our forum pages, leading to a warning being displayed whenever SFN is listed in Google search results. Both myself and Capn have investigated this issue and have found no evidence of this so far -- it may be the result of an IP.Board vulnerability that we have just patched. Additionally, we have checked servers and done our best to ensure the site is safe. The issue has been bounced back to Google, and hopefully this should be resolved within the next few hours or days. I will post again once we have received an update.
studiot Posted September 14, 2014 (edited)

Let me have an allegedly infected page link (by pm if you like) for test. My sensors have not tingled about any thread I have looked at except the one I reported recently as spam.

Edit nothing detected upon leaving this thread, but immediately upon leaving this thread (85514) the following detected.

Edited September 14, 2014 by studiot
Cap'n Refsmmat Posted September 14, 2014

Hmm, interesting. When you say "leaving the thread", which page did you go to?
studiot Posted September 14, 2014

I clicked on the "View New topic" option to go to the next thread. That worked OK, but as the list came up so did the warning. I have tried it again a couple of times but see no warning now. I don't think I will get the warning if the site is now blocked though. As I said any help I can give is all yours.
Dave (Author) Posted September 15, 2014

Thanks studiot for the update. After a bit more searching we did identify the problem and have rectified it. Let us know if you see it again. Hopefully this should be sorted in the next few hours from the standpoint of Google and Safari/Firefox warnings.
Sato Posted September 15, 2014

It is 8:49 PM EST and I chose to ignore Firefox's warning against visiting this page. This thread was posted ~6 hours ago and so I hope you have definitively removed the threat/malware from the site. Can you verify this? What was the problem?
Dave (Author) Posted September 15, 2014

As far as we can tell, the problem has been fixed. It was a little hard to trace since it only appeared infrequently (roughly every 2 in 70 or so page requests according to Google). I will post a further update later as to the probable cause, but want to discuss the matter with the forum developers first. In the meantime we will keep a very close eye on the situation and await a review from Google.
studiot Posted September 15, 2014

Having accessed SF in my normal manner this morning I have not seen any more issues. It is most unusual for me to access SF via Google so I cannot comment on this route. Clearly a recommendation for my antivirus.

Dave/Capt

Later on this morning I will try out the forum using an unprotected version of Windows (I can do this easily) and report.

Cheers
sunshaker Posted September 15, 2014

I am using google chrome, Still getting warnings, cannot enter any topic without warning, It is 11.20am uk. Tried to post with my tor browser but needed secure key. Details I am still getting. Should I change any google settings?

Safe Browsing Diagnostic page for scienceforums.net/topic

What is the current listing status for scienceforums.net/topic?
Site is listed as suspicious - visiting this web site may harm your computer. Part of this site was listed for suspicious activity 3 time(s) over the past 90 days.

What happened when Google visited this site?
Of the 76 pages we tested on the site over the past 90 days, 3 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2014-09-14, and the last time suspicious content was found on this site was on 2014-09-14. Malicious software includes 3 exploit(s). Successful infection resulted in an average of 13 new process(es) on the target machine. Malicious software is hosted on 1 domain(s), including yquerry.in.ua/. 1 domain(s) appear to be functioning as intermediaries for distributing malware to visitors of this site, including maskinnik.com/. This site was hosted on 1 network(s) including AS42831 (UKSERVERS-AS).

Has this site acted as an intermediary resulting in further distribution of malware?
Over the past 90 days, scienceforums.net/topic did not appear to function as an intermediary for the infection of any sites.

Has this site hosted malware?
No, this site has not hosted malicious software over the past 90 days.

How did this happen?
In some cases, third parties can add malicious code to legitimate sites, which would cause us to show the warning message.

Next steps:
Return to the previous page. If you are the owner of this web site, you can request a review of your site using Google Webmaster Tools. More information about the review process is available in Google's Webmaster Help Center.

Updated 8 hours ago
studiot Posted September 15, 2014

I see Google also identified maskinnik dot Kom. domain.
ydoaPs Posted September 15, 2014

> Dear all, We received notification from Google a few hours ago that some malware had been injected into some of our forum pages, leading to a warning being displayed whenever SFN is listed in Google search results. Both myself and Capn have investigated this issue and have found no evidence of this so far -- it may be the result of an IP.Board vulnerability that we have just patched. Additionally, we have checked servers and done our best to ensure the site is safe. The issue has been bounced back to Google, and hopefully this should be resolved within the next few hours or days. I will post again once we have received an update.

I commented on a report yesterday or so that going to the thread from a certain report gave me a malware warning on my phone.
Cap'n Refsmmat Posted September 16, 2014

Google now confirms that we're clean, so you should no longer get any warnings. Many thanks to Dave for helping track down the cause. We were able to eradicate the malicious code fairly easily. We just need to be sure it doesn't return.
MonDie Posted October 6, 2014 (edited)

I got the warning when I tried to visit this page without logging in on September 14. http://www.scienceforums.net/topic/85500-more-complicated-experimental-designs/

I'm awfully paranoid since yesterday I was responding to my autism-nonconformity thread on another forum it would be against the rules to advertise when my pointer began to move up and down the length of the screen erratically until I cleared my history and closed my browser. I should probably report it to them.

Edited October 6, 2014 by Phi for All: removed irrelevant offsite link
TJ McCaustland Posted October 14, 2014

Hrmmmm...... Good thing I have a chromebook, It can't download stuff so I can view any page with no risk LOL
MonDie Posted May 6, 2015

> Hrmmmm...... Good thing I have a chromebook, It can't download stuff so I can view any page with no risk LOL

Hmm. I'd say anything with a connection and writable media is vulnerable. They'll find a way, and the self-assured ones will be the first to get hit. That stuff stored in the cloud still has to execute on the computer. Plus you technically can't view a webpage without "downloading" it.
TJ McCaustland Posted June 30, 2015

> Hmm. I'd say anything with a connection and writable media is vulnerable. They'll find a way, and the self-assured ones will be the first to get hit. That stuff stored in the cloud still has to execute on the computer. Plus you technically can't view a webpage without "downloading" it.

Dangit, You're right.
fiveworlds Posted June 30, 2015

> Plus you technically can't view a webpage without "downloading" it.

And the content of the webpage such as videos, images and music
TJ McCaustland Posted June 30, 2015 (edited)

> And the content of the webpage such as videos, images and music

Hey man, Haven't seen you around for ages, and yeah the way computers work is very frustrating. (To keep it on subject )

Edited June 30, 2015 by TJ McCaustland
MonDie Posted July 2, 2015

Tell me about it. I was getting really mean recommendations while listening to music on YouTube, with it culminating when I got a Chick-fil-A ad every time I visited the YouTube home page on, I believe it was April 1st. It finally occurred to me that somebody operating a YouTube server's firewall could have been doing this, and that they may have done it to any number of IP addresses reaching out to that server. ... Or it could have been a peculiar fluke. Who knows. I've uncovered little in the way of evidence of intrusion, although I intend to write code for a keylogger to use with a special flashdrive I still have lying around. Who knows.
sunshaker Posted July 3, 2015

This last week my anti virus has gone mad on this site. I just clicked on http://www.scienceforums.net/topic/88578-mmorpg-about-educating-people-on-how-hacking-works/ and my anti virus went off: infection JS:LOIC-B[Trj]. I googled this infection; from what I can make out it is used by hackers. Strange that this is the topic it went off on.

http://www.satinfo.es/blog/tag/js-loic/
http://www.satinfo.es/blog/tag/ataques-ddos/page/2/

Now my software will not even open a page to the above thread on hacking. It may be nothing but I thought I would share.
DanTrentfield Posted January 11, 2017

Ah. Well then. I just got redirected from the post Magnetic Pole Reversal imminent in Speculations to a malicious website. I was not able to grab the URL of said website regrettably, but I recommend that the moderators/webmaster of SFN check this out. Here is the URL to the post which I was redirected from. http://www.scienceforums.net/topic/94554-magnetic-pole-shift-reversal-imminent/

I do not know if that result can be replicated, but this is an anomaly because though I have seen a few rare ads on SFN my mouse was nowhere near one. I checked my extensions and even the javascript console but have found nothing. Please investigate this matter, because I believe that either:

A: The page contains an embedded malicious redirect,
B: Someone is attempting to redirect traffic going to that page specifically or possibly SFN as a whole to a malicious website
C: There is a breach of the firewall or security system of the SFN servers which is allowing these malicious redirects to control a limited amount of traffic (Unlikely but a distinct possibility.)
Dave (Author) Posted January 11, 2017

Hi Dan, thanks for getting in touch - we had spotted this a few weeks ago, but the template cache did not get rebuilt so it has been lingering on a few pages. I have now rebuilt the caches and removed the offending code. It seems that there is some unknown attack vector, we believe inside IP.Board 3, that is allowing this to reoccur, since there are no other server infarctions and no out-of-place or different files from the original IPB installation. We're scheduling an update to IPS4 which should hopefully permanently eliminate this issue, but the update affects quite a bit of the site, so we have to do a little planning first.
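
A check of the kind an administrator could run after a cache rebuild, given here as an added example that is not part of the original post and is not IP.Board code: it parses several rendered copies of a page and counts script, iframe and meta-refresh targets on hosts outside an allowlist. The allowlist, the base URL, the `*.injected.example` hosts and the sample HTML are constructed assumptions.

```python
from collections import Counter
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Assumption: the only hosts this site should load active content from.
ALLOWED_HOSTS = {"www.scienceforums.net", "scienceforums.net"}
BASE_URL = "http://www.scienceforums.net/topic/1-sample/"  # constructed

class ActiveContentCollector(HTMLParser):
    """Collect hosts of tags that load active content or redirect the visitor."""
    def __init__(self, base_url):
        super().__init__()
        self.base_url, self.hosts = base_url, set()

    def handle_starttag(self, tag, attrs):
        a, url = dict(attrs), None
        if tag in ("script", "iframe", "embed"):
            url = a.get("src")
        elif tag == "object":
            url = a.get("data")
        elif tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            # e.g. content="0; url=http://host/path"
            url = (a.get("content") or "").partition("=")[2].strip(" '\"")
        if url:
            # Resolve relative and protocol-relative URLs against the page URL.
            host = urlparse(urljoin(self.base_url, url)).hostname
            if host:
                self.hosts.add(host)

def unexpected_hosts(snapshots, base_url=BASE_URL, allowed=ALLOWED_HOSTS):
    """Map each non-allowlisted host to the number of snapshots it appears in."""
    seen = Counter()
    for html in snapshots:
        collector = ActiveContentCollector(base_url)
        collector.feed(html)
        seen.update(h for h in collector.hosts if h not in allowed)
    return dict(seen)

# Constructed sample: three renders of one page; only the third carries the
# injected tags, mirroring an injection that shows up on a fraction of requests.
CLEAN = '<html><head><script src="/js/site.js"></script></head><body>ok</body></html>'
INJECTED = CLEAN.replace("<body>", '<body><script src="//static.injected.example/a.js">'
                         '</script><iframe src="http://landing.injected.example/"></iframe>')
SNAPSHOTS = [CLEAN, CLEAN, INJECTED]

if __name__ == "__main__":
    for host, count in sorted(unexpected_hosts(SNAPSHOTS).items()):
        print(f"{host}: seen in {count} of {len(SNAPSHOTS)} snapshots")
```
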
DanTrentfield Posted January 12, 2017

> Hi Dan, thanks for getting in touch - we had spotted this a few weeks ago, but the template cache did not get rebuilt so it has been lingering on a few pages. I have now rebuilt the caches and removed the offending code. It seems that there is some unknown attack vector, we believe inside IP.Board 3, that is allowing this to reoccur, since there are no other server infarctions and no out-of-place or different files from the original IPB installation. We're scheduling an update to IPS4 which should hopefully permanently eliminate this issue, but the update affects quite a bit of the site, so we have to do a little planning first.

Thank you. I had told Swansont and he notified Capn' Refsmm but if you've already fixed it then I believe I owe them an apology and you a thank you.
StringJunky Posted January 12, 2017 (edited)

I had an attack when admin dealt with it last but I knew what was happening and shut the browser down through Task Manager. If that hadn't worked I'd have done the nuclear option and held the power button down to do a hard shutdown. It was acting under the guise of a warning from MS Essentials which is no more.

Edited January 12, 2017 by StringJunky
DanTrentfield Posted January 12, 2017

> I had an attack when admin dealt with it last but I knew what was happening and shut the browser down through Task Manager. If that hadn't worked I'd have done the nuclear option and held the power button down to do a hard shutdown. It was acting under the guise of a warning from MS Essentials which is no more.

Mine was a .biz website..... with all sorts of gritty ads all over the place It was advertising well among that my computer had a bunch of viruses (Which it did not, thanks to AVG) some very..... interesting photos. I'm just hoping that whatever happens I don't get put on the NSA child predator watchlist because of that stupid redirect..... I hate the promiscuous minds of many of the internet's denizens.... cause frankly really..... that's just disgusting.....