Google blocking access to TUG

[emuyshondt]

Paco,

Any additional information on which virus it is (does it have a name I can google) and what all it does? My system scans are clean, but I want to make sure there's nothing hiding somewhere in my machine?

Henry

[TUGBrian]

the only people ive seen report getting any sort of infection seem to describe the same "xp defender" fake antivirus download type.

although again, we cant find any source for it...no malicious code anywhere...and all the security scans (even 3rd party ones) show the site as clean.

Believe me its as frustrating on our end as it is yours.

Ill avoid putting more forum links in this weeks newsletter as well just in case.

[Makai Guy]

Not sure how I missed this and failed to respond ..

Quote:

Originally Posted by emuyshondt

Was anything specific found and cleaned up by the TUG administrators? Have they done anything beyond contacting Google and McAfee to get off their blacklist? I would like to know if there was some virus that has been fixed, and if so, what it was, so I can try to chase the issue down on my end. If I got infected, I want to make sure I find a way to disinfect my machine.

On 12/23 I found an image file that had some extraneous binary code added to it. This was an image file that is only viewed when a user is viewing a particular message in the BBS Help area, so it's not one that would have been visited much. I immediately replaced it with a clean copy of the image file. I don't know the nature of the injected code, just that it shouldn't have been there.

[pacodemountainside]

Quote:

Originally Posted by emuyshondt

Paco,

Any additional information on which virus it is (does it have a name I can google) and what all it does? My system scans are clean, but I want to make sure there's nothing hiding somewhere in my machine?

Henry

No, unfortunately this was all the info I have.

Interestingly, today I got same from 118.219.232.216. Just got another one with 121 that disappeared before I could copy while using spell checker!

Kinda like olde days when one had electrical problem with car. Lots of diagnosing and some luck finding!

Managers are giving best shot and fortunately no one with good virus programs reporting being infested just inconvenienced!

[Timeshare Von]

My sign on tonight (just now) was the first in days (weeks?) that I didn't get the notice via Firefox. Maybe it has been fixed

[Makai Guy]

FWIW, for Firefox users:

Firefox 17 apparently is not updating its internal cache of the Reported Site list properly when a site drops off the Google list. (See Mozilla bug 820283.) This is reported to be fixed in Firefox 18, due to be released the week of Jan 6.

Meanwhile, users of Firefox 17 can force Firefox to check the current list at Google every time, instead of relying on cached data, as follows:

Enter about:config in the Address/URL bar.
Press the big button to bypass the warning (if you haven't turned this off already).
Enter confirm in the Filter bar to limit display to just options containing 'confirm'.
Double-click on urlclassifier.confirm-age and change the value to 0.

[memereDoris]

Quote:

Originally Posted by Makai Guy

FWIW, for Firefox users:

Firefox 17 apparently is not updating its internal cache of the Reported Site list properly when a site drops off the Google list. (See Mozilla bug 820283.) This is reported to be fixed in Firefox 18, due to be released the week of Jan 6.

Meanwhile, users of Firefox 17 can force Firefox to check the current list at Google every time, instead of relying on cached data, as follows:

Enter about:config in the Address/URL bar.
Press the big button to bypass the warning (if you haven't turned this off already).
Enter confirm in the Filter bar to limit display to just options containing 'confirm'.
Double-click on urlclassifier.confirm-age and change the value to 0.

This fix worked and was actually very easy.
Thanks.

[Beaglemom3]

I have not received any warning of any kind, ever on Tug.

Not at all tech savvy here, but I have Windows 7 Premium Home and Webroot.

I stand in awe of all who know this stuff.







-

[Timeshare Von]

Quote:

Originally Posted by Timeshare Von

My sign on tonight (just now) was the first in days (weeks?) that I didn't get the notice via Firefox. Maybe it has been fixed

Oops - I spoke too soon (or jinxed it). This morning, the red bar warning returned

[judyjht]

I followed those instructions posted by Makai Guy and it looks good so far - what a pain in the butt this has been! Thanks (I hope)!

[Blues]

Hadn't gotten it for a few days, but got the Firefox warning again this AM (Jan 5, 2013). Firefox 17.0.1. Haven't tried Makai's fix yet.

-Bob

[TUGBrian]

We are still experiencing what appears to be some sort of malware or exploit impacting the TUGBBS FORUMS. It seems to only impact a small number of visitors, but still to be sure, we would suggest not browsing the TUGBBS FORUMS unless you have a current/updated active virus scanner/protection software loaded on your computer. note this does NOT impact the member only section of the site, tug2.com is unaffected by this issue.

I myself have been able to get an unprotected laptop I own infected with this virus from surfing the forum...sadly it simply appears the forum is "redirecting" random users to some other location and the virus is not actually loaded on the TUGBBS...just the exploit that redirects people.

Hopefully we can come up with a solution with our host here soon.

I sincerely apologize for any of you that have had to deal with this. I will point out that I was able to restore my laptop using the native system restore tool to the previous days restore point and suffered no ill effects from the virus. I would urge all of you to make sure that you have system restore enabled on your windows machines...its way easier than trying to clean these viruses in other ways for sure!

[Htoo0]

Although I get the warning each time I come to the site this is only the second time my antivirus actually 'caught' something. Probably won't help but here it is.

Infection Details
URL: http://qahihahur.longmusic.com/lrf2x7zxw...
Process: C:\Program Files (x86)\Mozilla Firefox\f...
Infection: URL:Mal

[sptung]

The only way to clean the server is to build the server os from scratch and reload data onto the server. Alot of these malware just cannot be gotten rid of. I get the malware warning everyday on my laptop when I visit TUGbbs . No warning on the IPAD or my Droid phone. Wonder if they are now infected!

[Tia]

Crossing fingers as this is the first time I have come to TUG in days and not gotten the warning page!

It's back spoke too soon

[emuyshondt]

Quote:

Originally Posted by TUGBrian

I myself have been able to get an unprotected laptop I own infected with this virus from surfing the forum...

Which virus is it? What does it do to your system? I am asking about the virus that infected my machine, not the redirecting code you had on TUG that caused my machine to catch the bug.

[mpumilia]

I am still getting the warning but chanced going on the site today. What is going on?

[csxjohn]

I went to the other side of tug this morning on my daughter's computer and avast told me a harmful url was blocked. I don't have any details but did not come directly to the forums.

[TUGBrian]

it was the one listed earlier that masks itself as the "security scan" downloaded to your computer.

we are going to try to reimage the server this week in the hopes that it will clear this issue, as all of our attempts to find it have failed.

[lcml11]

Quote:

Originally Posted by TUGBrian

it was the one listed earlier that masks itself as the "security scan" downloaded to your computer.

we are going to try to reimage the server this week in the hopes that it will clear this issue, as all of our attempts to find it have failed.

Wish you luck. Hope it works.

[KauaiMark]

Still getting warnings when accessing the BBS but not the TUG2.com main pages

..Mark (risking getting here by ignoring the warning, and Kasperski's not squawking about it)
...Mark


-----------------------------------------------------------------------
Safe Browsing
Diagnostic page for tugbbs.com/forums

What is the current listing status for tugbbs.com/forums?

This site is not currently listed as suspicious.

Part of this site was listed for suspicious activity 1 time(s) over the past 90 days.

What happened when Google visited this site?

Of the 129 pages we tested on the site over the past 90 days, 2 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2013-01-07, and the last time suspicious content was found on this site was on 2012-12-23.

Malicious software includes 1 exploit(s). Successful infection resulted in an average of 7 new process(es) on the target machine.

Malicious software is hosted on 1 domain(s), including hivanopi.longmusic.com/.

This site was hosted on 1 network(s) including AS32244 (LIQUID).

Has this site acted as an intermediary resulting in further distribution of malware?

Over the past 90 days, tugbbs.com/forums did not appear to function as an intermediary for the infection of any sites.

Has this site hosted malware?

No, this site has not hosted malicious software over the past 90 days.

Next steps:

Return to the previous page.
If you are the owner of this web site, you can request a review of your site using Google Webmaster Tools. More information about the review process is available in Google's Webmaster Help Center.
-------------------------------------------------------------------------

[HatTrick]

[TUGBrian]

as a stopgap I have had our host block that URL that is being reported as the malware redirect...at least until we get this sorted out I hope at least this will be an effective stopgap measure.

although what baffles me is that if tug can get "flagged" for malware just for redirecting a small %of people to a virus site, why cant they blacklist the virus site?

[lcml11]

Quote:

Originally Posted by TUGBrian

as a stopgap I have had our host block that URL that is being reported as the malware redirect...at least until we get this sorted out I hope at least this will be an effective stopgap measure.

although what baffles me is that if tug can get "flagged" for malware just for redirecting a small %of people to a virus site, why cant they blacklist the virus site?

I would have thought since their staff verified it that would have been done within seconds of there finding it.

[TUGBrian]

clearly not if people are still being redirected there and getting infected.