TriS reported as an Attack site


CX
Commodore
Posts: 3269
Joined: Fri Dec 22, 2006 12:38 pm

TriS reported as an Attack site

Postby CX » Fri Jun 24, 2011 1:04 pm

www.stopbadware.org blocked TriS in my Firefox browser and claimed that it was an attack site, so you might want to contact them and see about getting it taken off of their blacklist. I ended up disabling this new "feature" in my browser, because even if I ignored the warning, it messed up the formatting of each page, and literally blocked me on every page.

Kotik

Re: TriS reported as an Attack site

Postby Kotik » Fri Jun 24, 2011 1:10 pm

Happened to me as well. Looks like either someone broke into our cozy little home or it is a false alarm.
If you want to reach the forum without deactivating the virus warning feature of Firefox, just use Ctrl-H to open the history and use one of the forum links from the days before.

justTripn
Consigliere
Posts: 3991
Joined: Tue Dec 26, 2006 11:12 pm
Show On Map: No
Location: Pittsburgh

Re: TriS reported as an Attack site

Postby justTripn » Fri Jun 24, 2011 2:04 pm

Wow, bad news. :( OK, I'll tell the IT guys. Thanks CX, and Kotik.
I'm donating my body to science fiction.

putaro
Captain
Posts: 646
Joined: Wed May 25, 2011 6:18 am
Show On Map: No
Location: Cupertino, CA

Re: TriS reported as an Attack site

Postby putaro » Fri Jun 24, 2011 2:47 pm

They found the stash of photon torpedoes!

justTripn
Consigliere
Posts: 3991
Joined: Tue Dec 26, 2006 11:12 pm
Show On Map: No
Location: Pittsburgh

Re: TriS reported as an Attack site

Postby justTripn » Fri Jun 24, 2011 2:50 pm

:clap: Where is my "like button!"
I'm donating my body to science fiction.

Kotik

Re: TriS reported as an Attack site

Postby Kotik » Fri Jun 24, 2011 3:11 pm

I think I know what could be triggering this alarm. I just took a look at the HTML source of the main page and found this little gem:

<script src="http://1.2.3.8/bmi-int-js/bmi.js" language="javascript">


That means the site downloads executable code from an external website, which is usually considered a bad security risk. I also had a quick look at the javascript file that is linked and it does some seriously shady sh*t, like rerouting images through a proxy degrading their quality to save bandwidth. It looks like it's not included in the original TriS source, but rather added by the internet provider. So far I've found confirmed user reports that both German Telekom and Vodafone UK use this shady practice.

WarpGirl
Vice Admiral
Posts: 9885
Joined: Thu Apr 16, 2009 6:02 pm
Location: In A State Of Constant Confusion

Re: TriS reported as an Attack site

Postby WarpGirl » Fri Jun 24, 2011 3:22 pm

My computer is always popping up a warning that there's dangerous content here. I click the ignore button. :dunno:
Some of these people haven't taken their medication. Let's see what happens now...
Donna Moss: The West Wing


And by people WG had herself in mind, but then the quote would have been ruined.
Fics
May We Together Become Greater Than The Sum Of Us
*Rights,* Wrongs, and Choices

Cogito
Fleet Captain
Posts: 1886
Joined: Fri Dec 03, 2010 8:46 pm
Show On Map: No
Location: England

Re: TriS reported as an Attack site

Postby Cogito » Fri Jun 24, 2011 3:26 pm

I don't get that nasty code insertion when I view from the UK, but Firefox still blocks it by default. As far as I can see, once Google have scanned it and seen something bad, it's going to stay blocked until the website admin 'fixes' the problem and then asks Google to rescan it. If the code was inserted by an ISP, I suppose this is going to be a widespread problem.

Kotik's link at http://www.stopbadware.org does explain what the admin needs to do.

Kotik

Re: TriS reported as an Attack site

Postby Kotik » Fri Jun 24, 2011 3:34 pm

I've done some more digging. The suspicious script is added, since mobile internet providers like T-Mobile, O2/Vodafone etc. use transparent proxies. I'm using a UMTS connection (3G). It seems this whole stuff is not added if you use broadband DSL connections, only with UMTS cards or connections.

So, effectively TriS is not an attacking site, rather than the victim of unauthorized defacement by (so far personally confirmed)

-Fonic
-T-Mobile
-congstar

A fellow codemonkey found out about T-Mob and Vodafone's intrusions:

http://jonatkinson.co.uk/http1238bmi-int-jsbmijs/

EDIT:

Some more digging and the thorough examination of Google's diagnostic page. We've been blacklisted because we somehow got connected to a malware carrying network. And the only real way I could think of would be our comments. The whole commenting interface had a few hiccups over the past few months. Could we do a scan of the comments for

a) links or URLs
b) javascript injection

:?:
Last edited by Kotik on Fri Jun 24, 2011 3:50 pm, edited 1 time in total.
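
Added example, not part of any post in this thread: one way to run the comment scan Kotik asks for (links/URLs and JavaScript injection), which also flags an externally loaded script like the bmi.js tag quoted earlier. It assumes stored comments are available as (id, html_body) pairs; SITE_HOSTS, the function names and the sample rows are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

SITE_HOSTS = {"triaxiansilk.com", "www.triaxiansilk.com"}  # assumed first-party hosts
URL_ATTRS = {"href", "src", "action", "formaction", "data"}
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)

def is_external(url):
    host = urlparse(url).hostname
    return bool(host) and host.lower() not in SITE_HOSTS

class CommentScanner(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []  # (kind, detail) tuples

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "iframe", "object", "embed"):
            self.findings.append(("active-tag", tag))
        for name, value in attrs:
            # Browsers ignore whitespace/control chars inside the scheme.
            compact = re.sub(r"[\s\x00-\x1f]", "", value or "").lower()
            if name.startswith("on"):
                self.findings.append(("event-handler", name))
            elif name in URL_ATTRS and compact.startswith("javascript:"):
                self.findings.append(("js-url", name))
            elif name in URL_ATTRS and is_external(value or ""):
                self.findings.append(("external-url", value))

    def handle_data(self, data):  # bare URLs typed into the comment text
        for m in URL_RE.finditer(data):
            if is_external(m.group()):
                self.findings.append(("external-url", m.group()))

def scan_comment(body):
    scanner = CommentScanner()
    scanner.feed(body)
    scanner.close()
    return scanner.findings

def scan_comments(rows):
    return {cid: f for cid, body in rows if (f := scan_comment(body))}

SAMPLE = [  # constructed rows, not real TriS data
    (1, 'Nice <script src="http://1.2.3.8/bmi-int-js/bmi.js"></script>'),
    (2, '<a href="JaVa\tScript:void(0)">more fics</a>'),
    (3, "See http://www.triaxiansilk.com/forum and http://example.test/free"),
    (4, '<img src="/images/smile.gif" onerror="x()">'),
]
```

Findings are leads for manual review, not verdicts. A script tag added in transit by a carrier proxy never reaches the comment store, so this scan only tests the stored-comment theory.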

Cogito
Fleet Captain
Posts: 1886
Joined: Fri Dec 03, 2010 8:46 pm
Show On Map: No
Location: England

Re: TriS reported as an Attack site

Postby Cogito » Fri Jun 24, 2011 3:47 pm

That doesn't entirely explain why Google have flagged it up. I doubt their web spiders use mobile broadband. :dunno:

I can see the benefit in having a central database of web sites that are phishing and so on, because that's not something the browser could detect for itself. But I'm baffled why anyone would introduce a central database of sites using dodgy technology. The browser can and should work that out for itself and relying on a central database is crazy.

Kotik

Re: TriS reported as an Attack site

Postby Kotik » Fri Jun 24, 2011 4:10 pm

Cogito wrote:That doesn't entirely explain why Google have flagged it up. I doubt their web spiders use mobile broadband. :dunno:


TriS is blocked because of exactly 1 suspicion over the last 90 days. So a single user could have caused the blackflag, just by using a 3G stick. The IP that hosts TriS hosts a few dozen domains and they are not all blackflagged, but triaxiansilk.com is blacklisted, including the forum. Whatever happens, it's very damaging, because every search result for our page is flagged with a big phat warning on Google.

Cogito
Fleet Captain
Posts: 1886
Joined: Fri Dec 03, 2010 8:46 pm
Show On Map: No
Location: England

Re: TriS reported as an Attack site

Postby Cogito » Fri Jun 24, 2011 4:44 pm

Kotik wrote:
Cogito wrote:That doesn't entirely explain why Google have flagged it up. I doubt their web spiders use mobile broadband. :dunno:


TriS is blocked because of exactly 1 suspicion over the last 90 days. So a single user could have caused the blackflag, just by using a 3G stick. The IP that hosts TriS hosts a few dozen domains and they are not all blackflagged, but triaxiansilk.com is blacklisted, including the forum. Whatever happens, it's very damaging, because every search result for our page is flagged with a big phat warning on Google.


I may be wrong, but I don't think this database is driven by reports from users. If it was, every web site visited by any of those ISPs would be flagged up immediately. I think it's driven by the Google web spiders.

Silverbullet
Commodore
Posts: 3507
Joined: Thu May 14, 2009 4:38 pm
Show On Map: No
Location: Casa Grande , Arizona

Re: TriS reported as an Attack site

Postby Silverbullet » Fri Jun 24, 2011 5:13 pm

Not part of your Problem. I have been sent a message the past few days that my firewall blocked an attack by Something called blackbox Toolkit. Not sure exactly if it is a virus but am going to run some anti-Malware and anti-virus programs I have. Hopefully this will do it. Seems that the only place I have been on besides Trisilk has been FF Net. Wonder

SB
I am Retired. Having a good time IS my job



Elessar
Site Owner
Posts: 3467
Joined: Thu Dec 21, 2006 10:45 pm
Location: Missouri

Re: TriS reported as an Attack site

Postby Elessar » Fri Jun 24, 2011 6:20 pm

I see it too - on Safari it says 'visiting this site may harm your computer are you sure you want to proceed?' and I have to say yes twice. I'll make sure Mike and Troy are investigating.
"I call shotgun!"
"I call nine millimeter." - John and Cameron



Favorites:
Vulcan For...
Your Mom n' Me

CX
Commodore
Posts: 3269
Joined: Fri Dec 22, 2006 12:38 pm

Re: TriS reported as an Attack site

Postby CX » Fri Jun 24, 2011 10:00 pm

I emailed them and got the following response:

Good morning.

I appreciate your frustration, but it seems you're operating under a common misconception: we, StopBadware, are not blocking this site. We don't block sites, and we don't issue the warnings. The company blacklisting the site in question is Google, and they are doing so because they found badware on the site: http://www.google.com/safebrowsing/diag ... ansilk.com

Unfortunately, many legitimate websites are infected with some badware without their webmasters' knowledge. That may well be what happened here. As soon as the webmaster finds and removes the badware and requests a review from Google, the warnings should be removed quickly. Until then, please don't visit the site!

If you're afraid that the webmaster is not aware of the problem, you can refer him or her to StopBadware. We help blacklisted webmasters clean up their sites and request removal from blacklists.

Regards,

Caitlin Condon, StopBadware


Here's what it says at the link:
Safe Browsing
Diagnostic page for www.triaxiansilk.com

What is the current listing status for www.triaxiansilk.com?

Site is listed as suspicious - visiting this web site may harm your computer.

Part of this site was listed for suspicious activity 1 time(s) over the past 90 days.

What happened when Google visited this site?

Of the 1 pages we tested on the site over the past 90 days, 1 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2011-06-24, and the last time suspicious content was found on this site was on 2011-06-23.

This site was hosted on 1 network(s) including AS11798 (ACEDATACENTERS).

Has this site acted as an intermediary resulting in further distribution of malware?

Over the past 90 days, www.triaxiansilk.com did not appear to function as an intermediary for the infection of any sites.

Has this site hosted malware?

No, this site has not hosted malicious software over the past 90 days.

How did this happen?

In some cases, third parties can add malicious code to legitimate sites, which would cause us to show the warning message.

Next steps:

* Return to the previous page.
* If you are the owner of this web site, you can request a review of your site using Google Webmaster Tools. More information about the review process is available in Google's Webmaster Help Center.

