TriS reported as an Attack site
TriS reported as an Attack site
www.stopbadware.org blocked TriS in my Firefox browser and claimed that it was an attack site, so you might want to contact them and see about getting it taken off of their black list. I ended up disabling this new "feature" in my browser, because even if I ignored the warning, it messed up the formatting of each page, and literally blocked me on every page.
Re: TriS reported as an Attack site
Happened to me as well. Looks like either someone broke into our cozy little home or it is a false alarm.
If you want to reach the forum without deactivating the virus warning feature of Firefox, just use CTRL-H to open the history and use one of the forum links from the days before.
- justTripn
- Consigliere
- Posts: 3991
- Joined: Tue Dec 26, 2006 11:12 pm
- Show On Map: No
- Location: Pittsburgh
Re: TriS reported as an Attack site
Wow, bad news. OK, I'll tell the IT guys. Thanks CX, and Kotik.
I'm donating my body to science fiction.
- justTripn
- Consigliere
- Posts: 3991
- Joined: Tue Dec 26, 2006 11:12 pm
- Show On Map: No
- Location: Pittsburgh
Re: TriS reported as an Attack site
Where is my "like button!"
I'm donating my body to science fiction.
Re: TriS reported as an Attack site
I think I know what could be triggering this alarm. I just took a look at the HTML source of the main page and found this little gem:
<script src="http://1.2.3.8/bmi-int-js/bmi.js" language="javascript">
That means the site downloads executable code from an external website, which is usually considered a bad security risk. I also had a quick look at the JavaScript file that is linked and it does some seriously shady sh*t, like rerouting images through a proxy, degrading their quality to save bandwidth. It looks like it's not included in the original TriS source, but rather added by the internet provider. So far I've found confirmed user reports that both German Telekom and Vodafone UK use this shady practice.
- WarpGirl
- Vice Admiral
- Posts: 9885
- Joined: Thu Apr 16, 2009 6:02 pm
- Location: In A State Of Constant Confusion
Re: TriS reported as an Attack site
My computer is always popping up a warning that there's dangerous content here. I click the ignore button.
Some of these people haven't taken their medication. Let's see what happens now...
Donna Moss: The West Wing
And by people WG had herself in mind, but then the quote would have been ruined.
Fics
May We Together Become Greater Than The Sum Of Us
*Rights,* Wrongs, and Choices
Re: TriS reported as an Attack site
I don't get that nasty code insertion when I view from the UK, but Firefox still blocks it by default. As far as I can see, once Google have scanned it and seen something bad, it's going to stay blocked until the website admin 'fixes' the problem and then asks Google to rescan it. If the code was inserted by an ISP, I suppose this is going to be a widespread problem.
Kotik's link at http://www.stopbadware.org does explain what the admin needs to do.
Re: TriS reported as an Attack site
I've done some more digging. The suspicious script is added because mobile internet providers like T-Mobile, O2/Vodafone etc. use transparent proxies. I'm using a UMTS connection (3G). It seems this whole stuff is not added if you use broadband DSL connections, only with UMTS cards or connections.
So, effectively TriS is not an attacking site, but rather the victim of unauthorized defacement by (so far personally confirmed)
-Fonic
-T-Mobile
-congstar
A fellow codemonkey found out about T-Mob and Vodafone's intrusions:
http://jonatkinson.co.uk/http1238bmi-int-jsbmijs/
EDIT:
Some more digging and the thorough examination of Google's diagnostic page. We've been blacklisted because we somehow got connected to a malware-carrying network. And the only real way I could think of would be our comments. The whole commenting interface had a few hiccups over the past few months. Could we do a scan of the comments for
a) links or URLs
b) javascript injection
Last edited by Kotik on Fri Jun 24, 2011 3:50 pm, edited 1 time in total.
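Added example, not part of the thread or of the site's own code: a Python check for the two things raised in Kotik's posts above, a script tag loaded from an off-site host in a served page, and links or JavaScript in stored comments. The trusted host list, the sample page and the sample comments are constructed assumptions; only the `bmi.js` tag is taken from the thread.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
# Assumption: the only hosts this site should reference for scripts and links.
TRUSTED_HOSTS = {"triaxiansilk.com", "www.triaxiansilk.com"}

class MarkupAudit(HTMLParser):
    def __init__(self, trusted_hosts):
        super().__init__()
        self.trusted, self.findings = set(trusted_hosts), []

    def _offsite(self, url):
        try:
            host = urlparse(url.strip()).hostname  # None for relative URLs
        except ValueError:  # malformed URL: flag it instead of crashing
            return True
        return host is not None and host not in self.trusted

    def handle_starttag(self, tag, attrs):
        attrs = {name: (value or "") for name, value in attrs}
        if tag == "script":
            src = attrs.get("src", "")
            if not src:
                self.findings.append(("inline-script", ""))
            elif self._offsite(src):
                self.findings.append(("external-script", src))
        elif tag == "a" and self._offsite(attrs.get("href", "")):
            self.findings.append(("external-link", attrs["href"]))
        for name, value in attrs.items():
            if name.startswith("on"):  # onclick, onload, ...
                self.findings.append(("event-handler", f"{tag} {name}"))
            elif value.strip().lower().startswith("javascript:"):
                self.findings.append(("javascript-url", f"{tag} {name}"))

def audit_html(html, trusted_hosts=TRUSTED_HOSTS):
    parser = MarkupAudit(trusted_hosts)
    parser.feed(html)
    parser.close()
    return parser.findings

def scan_comments(comments, trusted_hosts=TRUSTED_HOSTS):
    hits = ((i, audit_html(c, trusted_hosts)) for i, c in enumerate(comments))
    return {i: found for i, found in hits if found}

# Constructed sample page: a same-site script plus the tag quoted in the thread.
PAGE = ('<script src="/js/forum.js"></script><p>Welcome</p>'
        '<script src="http://1.2.3.8/bmi-int-js/bmi.js" language="javascript"></script>')
# Constructed sample comment bodies (raw HTML as stored).
COMMENTS = ['Great chapter, thanks!',
            'More at <a href="http://example.net/story">my page</a>',
            '<img src="banner.png" onload="resize()">']
```

Running `audit_html` on a copy of the page saved over the affected connection and again on the file as stored on the server shows whether the tag is in the site's own source or only appears in transit.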
Re: TriS reported as an Attack site
That doesn't entirely explain why Google have flagged it up. I doubt their web spiders use mobile broadband.
I can see the benefit in having a central database of web sites that are phishing and so on, because that's not something the browser could detect for itself. But I'm baffled why anyone would introduce a central database of sites using dodgy technology. The browser can and should work that out for itself and relying on a central database is crazy.
Re: TriS reported as an Attack site
Cogito wrote: That doesn't entirely explain why Google have flagged it up. I doubt their web spiders use mobile broadband.
TriS is blocked because of exactly 1 suspicion over the last 90 days. So a single user could have caused the blackflag, just by using a 3G stick. The IP that hosts TriS hosts a few dozen domains and they are not all blackflagged, but triaxiansilk.com is blacklisted, including the forum. Whatever happens, it's very damaging, because every search result for our page is flagged with a big phat warning on Google.
Re: TriS reported as an Attack site
Kotik wrote: Cogito wrote: That doesn't entirely explain why Google have flagged it up. I doubt their web spiders use mobile broadband.
TriS is blocked because of exactly 1 suspicion over the last 90 days. So a single user could have caused the blackflag, just by using a 3G stick. The IP that hosts TriS hosts a few dozen domains and they are not all blackflagged, but triaxiansilk.com is blacklisted, including the forum. Whatever happens, it's very damaging, because every search result for our page is flagged with a big phat warning on Google.
I may be wrong, but I don't think this database is driven by reports from users. If it was, every web site visited by any of those ISPs would be flagged up immediately. I think it's driven by the Google web spiders.
- Silverbullet
- Commodore
- Posts: 3507
- Joined: Thu May 14, 2009 4:38 pm
- Show On Map: No
- Location: Casa Grande , Arizona
Re: TriS reported as an Attack site
Not part of your Problem. I have been sent a message the past few days that my firewall blocked an attack by Something called blackbox Toolkit. Not sure exactly if it is a virus but am going to run some anti-Malware and anti-virus programs I have. Hopefully this will do it. Seems that the only place I have been on besides Trisilk has been FF Net. Wonder
SB
I am Retired. Having a good time IS my job
Re: TriS reported as an Attack site
I see it too - on Safari it says 'visiting this site may harm your computer are you sure you want to proceed?' and I have to say yes twice. I'll make sure Mike and Troy are investigating.
"I call shotgun!"
"I call nine millimeter." - John and Cameron
Favorites:
Vulcan For...
Your Mom n' Me
Re: TriS reported as an Attack site
I emailed them and got the following response:
Good morning.
I appreciate your frustration, but it seems you're operating under a common misconception: we, StopBadware, are not blocking this site. We don't block sites, and we don't issue the warnings. The company blacklisting the site in question is Google, and they are doing so because they found badware on the site: http://www.google.com/safebrowsing/diag ... ansilk.com
Unfortunately, many legitimate websites are infected with some badware without their webmasters' knowledge. That may well be what happened here. As soon as the webmaster finds and removes the badware and requests a review from Google, the warnings should be removed quickly. Until then, please don't visit the site!
If you're afraid that the webmaster is not aware of the problem, you can refer him or her to StopBadware. We help blacklisted webmasters clean up their sites and request removal from blacklists.
Regards,
Caitlin Condon, StopBadware
Here's what it says at the link:
Safe Browsing
Diagnostic page for www.triaxiansilk.com
What is the current listing status for www.triaxiansilk.com?
Site is listed as suspicious - visiting this web site may harm your computer.
Part of this site was listed for suspicious activity 1 time(s) over the past 90 days.
What happened when Google visited this site?
Of the 1 pages we tested on the site over the past 90 days, 1 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2011-06-24, and the last time suspicious content was found on this site was on 2011-06-23.
This site was hosted on 1 network(s) including AS11798 (ACEDATACENTERS).
Has this site acted as an intermediary resulting in further distribution of malware?
Over the past 90 days, www.triaxiansilk.com did not appear to function as an intermediary for the infection of any sites.
Has this site hosted malware?
No, this site has not hosted malicious software over the past 90 days.
How did this happen?
In some cases, third parties can add malicious code to legitimate sites, which would cause us to show the warning message.
Next steps:
* Return to the previous page.
* If you are the owner of this web site, you can request a review of your site using Google Webmaster Tools. More information about the review process is available in Google's Webmaster Help Center.