reported attack site

[Rollouts]

Quote:

Originally Posted by whitefish

Every one stay calm.... we will take corrective action to resolve this....

goose-fabba )

[Ladybbird]

Quote:

Originally Posted by whitefish

I do not get this message on my Mac logging on/off.... So I logged on using my wifes HP and got that message you are talking about... This would be at the server level and out of my reach to check the log file...

I think you may well be right to a certain degree about the server WF. As less folk are on board tonight the probs seem to have lessened.


.

[bullfloat]

I too have the same problem I have since gone into firefox and modified the security settings. Weird huh. Oh well. Not a big deal.

[jackofall1232]

it is from earlier problem with the 2008 winvirus now 2009 winvirus I tried to warn you about back in October, on your main page. I dont think this issue has been resolved because just recently avg was picking up the virus on the main page.


problem possible virus

[Ladybbird]

Quote:

Originally Posted by jackofall1232

it is from earlier problem with the 2008 winvirus now 2009 winvirus I tried to warn you about back in October, on your main page. I dont think this issue has been resolved because just recently avg was picking up the virus on the main page.


problem possible virus

Actually I dont think it has anything to do with that, they know what the problem might be, avg didnt pick it up on mine and what ever it is it has caused me a lot of problems.


.

[icechip1]

thanks Whitefish ,
I don`t understand why people seem to think they can do this to a site and get away with it , google like aaafta is just a server and a site on the net the way i look at it.and every one should have access to what they wish to involve themselves in, with in reason. keep up the good fight ,you have my support

[dssnovice]

The problem has not been resolved and no, it does not occur on other forum sites so there is definitely "something" that is triggering the alert. I just returned from the CES show in Las Vegas and when I logged on, I was not able to post at all (I elected not to change my security settings). I switched over to Internet Explorer (from Firefox) and when I logged on, my antivirus program immediately flagged an infection located in the IE temporary cache folder which could suggest what Google reported:

What happened when Google visited this site?
Of the 123 pages that we tested on the site over the past 90 days, 2 page(s) resulted in malicious software being downloaded and installed without user consent. The last time that Google visited this site was on 2009-01-13, and the last time that suspicious content was found on this site was on 2009-01-11.

In any event, I think it might be prudent to make sure the server has not been compromised and purge any suspicious TSR tools. Then request a review of the site from Google:
http://www.google.com/webmasters/tools/

Google's Webmaster Help Centre's link is:
My site's been hacked - Webmasters/Site owners Help

[Ladybbird]

So DSS, can you read my thread here and advise me how on earth these hackers managed to do this, they also changed my password so I couldnt get access to my emails on that account. Please reply on that thread as I dont wish to hijack this one.

Thanks

Someone is stealing my email address




.

[Mr.BoJangles]

If you are running google chrome or google toolbar get rid of it. A good popup blocker and toolbar is yahoo. The admins can also install anti spam for VB if they have not already. It is a PITA because you have to add keywords but it helps greatly once its all set up.

[bassman98]

Here's the low-down from Google's website regarding AAAFTA being reported as an attack website. It seems to be coming from OTHER websites, or this site has been hacked somehow: http://safebrowsing.clients.google.c...ww.aaafta.com/

Safe Browsing

Diagnostic page for aaafta.com

What is the current listing status for aaafta.com?
Site is listed as suspicious - visiting this web site may harm your computer.
Part of this site was listed for suspicious activity 2 time(s) over the past 90 days.
What happened when Google visited this site?
Of the 302 pages we tested on the site over the past 90 days, 2 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2009-01-20, and the last time suspicious content was found on this site was on 2009-01-11.
Malicious software is hosted on 5 domain(s), including liveantivirusscanner.com/, premium-antispyware-scan.com/, premium-advanced-scan.com/.
2 domain(s) appear to be functioning as intermediaries for distributing malware to visitors of this site, including internetsecuredweb.com/, 87.248.180.0/.
This site was hosted on 1 network(s) including AS25847 (SERVINT).
Has this site acted as an intermediary resulting in further distribution of malware?
Over the past 90 days, aaafta.com did not appear to function as an intermediary for the infection of any sites.
Has this site hosted malware?
No, this site has not hosted malicious software over the past 90 days.
How did this happen?
In some cases, third parties can add malicious code to legitimate sites, which would cause us to show the warning message.
Next steps:

• Return to the previous page.
• If you are the owner of this web site, you can request a review of your site using Google Webmaster Tools. More information about the review process is available in Google's Webmaster Help Center.

-------------

Here is the report about this site being hosted on the network AS25847 (SERVINT):

Safe Browsing

Diagnostic page for AS25847 (SERVINT)

What happened when Google visited sites hosted on this network?
Of the 11321 site(s) we tested on this network over the past 90 days, 302 site(s), including, for example, dailymailnews.com/, whyislamwest.org/, cheapfootballteamkits.co.uk/, served content that resulted in malicious software being downloaded and installed without user consent.
The last time Google tested a site on this network was on 2009-01-20, and the last time suspicious content was found was on 2009-01-20.
Has this network hosted sites acting as intermediaries for further malware distribution?
Over the past 90 days, we found 2 site(s) on this network, including, for example, fioeiofoiejfojfoejfo.ne1.net/, takru.com/, that appeared to function as intermediaries for the infection of 2 other site(s) including, for example, my-blog-gogo.com/, ucoz.net/.
Has this network hosted sites that have distributed malware?
Yes, this network has hosted sites that have distributed malicious software in the past 90 days. We found 15 site(s), including, for example, adolix.com/, web-photo-search.com/, advtimesync.com/, that infected 20 other site(s), including, for example, softforall.com/, sharetool.com/, freedownloadscenter.com/.
Next steps:

• Return to the previous page.

[bassman98]

Here's more from Google's website about the related websites, IP addresses, and networks:

The site that seems to be an intermediary for malware is 87.248.180.0. That's where the attacks seem to be coming from: http://safebrowsing.clients.google.c...=87.248.180.0/
Safe Browsing

Diagnostic page for 87.248.180.0



What is the current listing status for 87.248.180.0?

This site is not currently listed as suspicious.

What happened when Google visited this site?

Of the 11 pages we tested on the site over the past 90 days, 2 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2009-01-20, and the last time suspicious content was found on this site was on 2009-01-20.Malicious software includes 453 adware(s), 40 trojan(s), 2 scripting exploit(s). Successful infection resulted in an average of 0 new processes on the target machine.

Malicious software is hosted on 10 domain(s), including powerantivirusscan.com/, power-antivirus-scanner.com/, advanced-antivirus-scanner.com/.

5 domain(s) appear to be functioning as intermediaries for distributing malware to visitors of this site, including infoclicknow.com/, systmesecureclicks.com/, clicksoverview.com/.

This site was hosted on 1 network(s) including AS31252 (STARNET).

Has this site acted as an intermediary resulting in further distribution of malware?

Over the past 90 days, 87.248.180.0 appeared to function as an intermediary for the infection of 1028 site(s) including bigtitsvision.com/, magneticarticles.com/, kbcblowers.com/.

Has this site hosted malware?

Yes, this site has hosted malicious software over the past 90 days. It infected 315 domain(s), including bigtitsvision.com/, jdfunariproductions.com/, kbcblowers.com/.

Next steps:

• Return to the previous page.
• If you are the owner of this web site, you can request a review of your site using Google Webmaster Tools. More information about the review process is available in Google's Webmaster Help Center.

---------------------
And this info is from the network that hosts the above IP address:

Safe Browsing
Diagnostic page for AS31252 (STARNET)



What happened when Google visited sites hosted on this network?

Of the 198 site(s) we tested on this network over the past 90 days, 3 site(s), including, for example, 89.28.13.0/, 87.248.180.0/, cahulinfo.md/, served content that resulted in malicious software being downloaded and installed without user consent.

The last time Google tested a site on this network was on 2009-01-20, and the last time suspicious content was found was on 2009-01-20.

Has this network hosted sites acting as intermediaries for further malware distribution?

Over the past 90 days, we found 5 site(s) on this network, including, for example, 89.28.13.0/, 87.248.180.0/, lastpoher.ru/, that appeared to function as intermediaries for the infection of 3310 other site(s) including, for example, sof2lounge.com/, trandainghia.info/, webmed.com/.

Has this network hosted sites that have distributed malware?

Yes, this network has hosted sites that have distributed malicious software in the past 90 days. We found 6 site(s), including, for example, 89.28.13.0/, 87.248.180.0/, money2008.org/, that infected 2389 other site(s), including, for example, sof2lounge.com/, trandainghia.info/, webmed.com/.

Next steps:

• Return to the previous page.

---------

It seems to be that these websites are posed as a "Free Antivirus Scanner". I know that revenue is needed to continue hosting the website, but please stay away from unknown "free Antivirus scanner" websites because MANY of them are malicious these days, especially if they are from UNKNOWN companies. Thanks whitefish and Rollouts. Please contact Google by using the links on their website to find out where these attacks are coming from. They seem to be coming from the IP address that I listed last. Here's the report on that IP address from the RIPE Whois database:


Query the RIPE Database

Search forSwitch to the RIPE TEST Database
% This is the RIPE Whois query server #3.% The objects are in RPSL format.%% Rights restricted by copyright.% See http://www.ripe.net/db/copyright.html% Note: This output has been filtered.% To receive output for a database update, use the "-B" flag.% Information related to '87.248.176.0 - 87.248.191.255'inetnum: 87.248.176.0 - 87.248.191.255netname: STARNETMDdescr: SC STARNET SRLdescr: Chisinau, Moldovacountry: MDadmin-c: SA4929-RIPEtech-c: SA4929-RIPEstatus: ASSIGNED PA remarks: INFRA-AWremarks: Leased for Usersmnt-by: MNT-STARNETMDsource: RIPE # Filteredrole: StarNet Administratorremarks:address: SC "STARNET" SRLaddress: 55, Maria Cibotari str.address: MD2012 Chisinauaddress: Moldova, Republic ofremarkshone: +373 (22) 844444fax-no: +373 (22) 844445remarks:remarks: ----------------------------------------------remarks: SC STARNET SRLremarks: ISP in Republic of Moldovaremarks:remarks: General questions: info@starnet.mdremarks: Routing and Technical questions: noc@starnet.mdremarks: Abuse reports: abuse@starnet.mdremarks: Last Update: 03.11.2008 (vfilatov@starnet.md)remarks: ----------------------------------------------remarks:remarks:abuse-mailbox: abuse@starnet.mdremarks:admin-c: OB1145-RIPEtech-c: OB1145-RIPEadmin-c: DG3460-RIPEtech-c: DG3460-RIPEadmin-c: VF1333-RIPEtech-c: VF1333-RIPEnic-hdl: SA4929-RIPEmnt-by: MNT-STARNETMDsource: RIPE # Filtered% Information related to '87.248.180.0/24AS31252'route: 87.248.180.0/24descr: StarNet SRLdescr: Chisinau, Moldova.origin: AS31252mnt-by: MNT-STARNETMDsource: RIPE # Filtered% Information related to '87.248.176.0/20AS31252'route: 87.248.176.0/20descr: SC STARNET SRLdescr: Chisinau, Moldovaorigin: AS31252mnt-by: MNT-STARNETMDsource: RIPE # Filtered% Information related to '87.248.160.0/19AS31252'route: 87.248.160.0/19descr: SC STARNET SRLdescr: Chisinau, Moldovaorigin: AS31252mnt-by: MNT-STARNETMDsource: RIPE # Filtered% Information related to '87.248.176.0/21AS31252'route: 87.248.176.0/21descr: StarNet SRLdescr: Chisinau, Moldova.origin: AS31252mnt-by: MNT-STARNETMDsource: RIPE # Filtered
----------

So the attacks are coming from outside the USA.......

[Ladybbird]

Thanks Bassman, your info had already been posted in this thread twice. It might be worth reading Woodcreekers post on here and downloading the Malware link provided by him, to be safe.

Conficker Worm Spikes, Infects 1.1 Million PCs In Less Than 24 Hours




.

[Rollouts]

Google issues statement about a lot of sites being reported as attack sites

"This site may harm your computer" on every search result?!?!

1/31/2009 09:02:00 AM
If you did a Google search between 6:30 a.m. PST and 7:25 a.m. PST this morning, you likely saw that the message "This site may harm your computer" accompanied each and every search result. This was clearly an error, and we are very sorry for the inconvenience caused to our users.

What happened? Very simply, human error. Google flags search results with the message "This site may harm your computer" if the site is known to install malicious software in the background or otherwise surreptitiously. We do this to protect our users against visiting sites that could harm their computers. We maintain a list of such sites through both manual and automated methods. We work with a non-profit called StopBadware.org to come up with criteria for maintaining this list, and to provide simple processes for webmasters to remove their site from the list.

We periodically update that list and released one such update to the site this morning.Unfortunately (and here's the human error), the URL of '/' was mistakenly checked in as a value to the file and '/' expands to all URLs. Fortunately, our on-call site reliability team found the problem quickly and reverted the file. Since we push these updates in a staggered and rolling fashion, the errors began appearing between 6:27 a.m. and 6:40 a.m. and began disappearing between 7:10 and 7:25 a.m., so the duration of the problem for any particular user was approximately 40 minutes.

Thanks to our team for their quick work in finding this. And again, our apologies to any of you who were inconvenienced this morning, and to site owners whose pages were incorrectly labelled. We will carefully investigate this incident and put more robust file checks in place to prevent it from happening again.

*****note from Rollout: This just goes to show google has messed up, it is not the reason aaafta was attacked by them, but it is of interest to the subject ******

[Ladybbird]

I agree with your comments about this being interesting Rollouts, read my solution in my post on Oscars thread about the same subject. http://www.aaafta.com/forum/current-...-searches.html



.

[woodcreeker]

Well, the long awaited news on all this is we had one little affected file, as far as we can tell. We are still checking other files that are not as vital as the other files were.

This has been fixed, as far as I know. We still have not totally gone over every file, but we will.

We resubmitted and are waiting for Google to unflag our site.

We are still going to do some upgrading also in a few days.

The admin will drop a note about all this. All I can say this all occurred at the same time during the time ECMs intensified a couple of weeks ago. Since Google checks on complaints, I wonder who the complainers were (??) Seems funny the timing of all this coincided with a new barage of ECMs a couple of weeks ago. Anyway, the site will back to normal next week.

Our apologies to everyone who went through the warnings. You probably found the site worked fine, and the files were fine during this time. There was just a redirect problem on an index file. We will also figure out how it was changed as well.

[Ladybbird]

Quote:

Originally Posted by woodcreeker

Well, the long awaited news on all this is we had one little affected file, as far as we can tell. We are still checking other files that are not as vital as the other files were.

This has been fixed, as far as I know. We still have not totally gone over every file, but we will.

We resubmitted and are waiting for Google to unflag our site.

We are still going to do some upgrading also in a few days.

The admin will drop a note about all this. All I can say this all occurred at the same time during the ECMs intensified a couple of weeks ago. Since Google checks on complaints, I wonder who the complainers were (??) Seems funny the timing of all this coincided with a new barage of ECMs a couple of weeks ago. Anyway, the site will back to normal next week.

Our apologies to everyone who went through the warnings. You probably found the site worked fine, and the files were fine during this time. There was just a redirect problem on an index file. We will also figure out how it was changed as well.

I completely agree with you WC, as I am on the site so much, I noticed the problems started around the barage of ECMs, not only that, but a link that was posted on one thread and was reported by the op of that thread as not working encouraged participants to click on it and test it, when I did I received a virus with a false windows warning advising I had received a threat/malware. It entered every part of my laptop and I had to take rapid action to wipe it. Spyder was very quick in correcting this link. It was that ops first and only post and he had just registered, he has never returned.

I, like others had the redirect problem, but it happened again today, when I tried to change pages on the forum and other little irritating occurrences. I dont believe this is all coincidence. This is being done by people that know what they are doing. I dont consider it coincidence that my Ladybbird email account was hacked during this period, it had the same password on there that I used to access this site. This has now been changed on my email account by my server, but the hacker had changed my password on that account so I couldnt have access and the server put this right. Maybe they choose me because I defend the site so much, or that I refused the offers by pm to join other sites not doing so well.

I am glad during this busy period again you had time to work on this. Thank you muchly.




.

[Gmantoo]

hey guys i was getting those same reports and BUT i was using MOZILLA then i switched back to Explorer and PRESTO no more issues! Give it a try That's all i can say if not Sorry fellas !

[Ladybbird]

Quote:

Originally Posted by Gmantoo

hey guys i was getting those same reports and BUT i was using MOZILLA then i switched back to Explorer and PRESTO no more issues! Give it a try That's all i can say if not Sorry fellas !

Thank you Gmantoo for contributing and helping to support this site, I am glad you have finally started posting, hope you join in more.



.

[samaelex]

Funny, I just tried to enter AAAFTA from a public computer and I couldn't. I just kept getting a message that it was "Potentially dangerous", so the access to it was blocked. Do you know why?

[yttocs]

Quote:

Originally Posted by samaelex

Funny, I just tried to enter AAAFTA from a public computer and I couldn't. I just kept getting a message that it was "Potentially dangerous", so the access to it was blocked. Do you know why?

Discussed in the following thread:
reported attack site