# Malware warning while visiting ss.org...



## wannabguitarist (Nov 21, 2009)

I'm currently using firefox and I don't get anything (Kaspersky doesn't even pop up) but when I browse to the site with chrome I get this:




I'm curious if anyone else has noticed this or if there's anything that can be done. Or is Chrome/Kaspersky just freaking out?


----------



## AK DRAGON (Nov 21, 2009)

I wonder if it is Chrome freaking out
I have visited SS.org both with Firefox and OE neither pop that up
Norton is not popping up either


----------



## minusthemonkey (Nov 21, 2009)

Getting the same thing on Safari. Well, Safari's version of it anyway.


----------



## Galius (Nov 21, 2009)

My AVG is telling me it's blocking a threat every time I go to any page here on SS.org


----------



## Sevenstringer (Nov 21, 2009)

Same here on my MAC/Safari


----------



## djpharoah (Nov 21, 2009)

It's protecting you from the


----------



## HighGain510 (Nov 21, 2009)

That's weird, I get the same thing on Safari (browsing from Mac) but when I switch to Firefox no warning?


----------



## wannabguitarist (Nov 21, 2009)

HighGain510 said:


> That's weird, I get the same thing on Safari (browsing from Mac) but when I switch to Firefox no warning?



The thing that's really confusing me is my anti-vi says it blocked a threat when I use Chrome but does nothing with Firefox.



djpharoah said:


> It's protecting you from the


----------



## continental (Nov 21, 2009)

djpharoah said:


> It's protecting you from the



lol 

I'm getting the same thing on Safari


----------



## ZeroSignal (Nov 21, 2009)

Okay, neither AVG, Firefox or Comodo are saying anything at all... Should I be worried?

D:


----------



## ElRay (Nov 21, 2009)

Googling it seems to indicate that it's a problem with vBulletin

Ray


----------



## El Caco (Nov 21, 2009)

I'm using Flock to post this because I'm getting the same warning with Safari, I'm probably going to avoid the place until the issue is fixed.

I thought in the meantime we should make a game of it by seeing who can guess the amount of time it takes Alex to fix this, whoever guesses closest wins.

I'm going to go with never  nah I think he'll get to it one day I just have no clue how soon it will be


----------



## powergroover (Nov 21, 2009)

I use Chrome and get this problem, it's very annoying


----------



## DevinShidaker (Nov 21, 2009)

Yeah I've been getting it from chrome. Alex better fix it, or somebody will be paying a visit to him. I tour, so if he lives in the continental US, I'll be near him. And I'll give him a very stern talking to!


----------



## AK DRAGON (Nov 22, 2009)

hmmm could be a tracking cookie perhaps?


----------



## Empryrean (Nov 22, 2009)

I'm getting this as well, it's very irritating


----------



## DDDorian (Nov 22, 2009)

I've informed Alex so the rest is up to him. For those having malware issues, check out Les Paul Forum | Gibson Epiphone - MyLesPaul.com and tell us if you're getting the same warning - Alex will be more likely to do something if it's a server-wide thing.


----------



## Prydogga (Nov 22, 2009)

Fuck so it's not a huge computer killing issue!? I deleted Safari because of this!!!


----------



## wannabguitarist (Nov 22, 2009)

Prydogga said:


> Fuck so it's not a huge computer killing issue!? I deleted Safari because of this!!!



 I'm pretty sure it's something minor. You shouldn't delete the browser that's giving the issue because it's protecting you. If you're able to get on ss.org you're not being "protected" .



DDDorian said:


> I've informed Alex so the rest is up to him. For those having malware issues, check out Les Paul Forum | Gibson Epiphone - MyLesPaul.com and tell us if you're getting the same warning - Alex will be more likely to do something if it's a server-wide thing.



Gave me nothing. I still can't get my anti-virus to do anything if I visit the site with anything other than Chrome. I don't understand why it does that


----------



## ZeroSignal (Nov 22, 2009)

Yeah. I got some sort of infected file on my computer. Something called "fuckthecrisis.biz(somethingsomething).php" that was activated when I started up Firefox and loaded ss.org.

Scan your computas! 

EDIT:

We're not the only ones, apparently...

http://thedailypunt.com/forum/comme...-new-forum-style-all-input-appreciated-4.html


----------



## hufschmid (Nov 22, 2009)

ZoneAlarm Extreme sometimes gives me a phishing warning...

I'm with S7eve on this one.... I believe it will never be fixed


----------



## ZeroSignal (Nov 22, 2009)

Holy crap! I'm getting them on Wikipedia too! Salvador Dali's page anyway... Not good...


----------



## El Caco (Nov 22, 2009)

Apparently it is an issue with VBSEO, if what I read is accurate Alex will need to remove the plugin and any trace of it from the header then reinstall the update. I did not notice the issue on mylespaul, maybe it already has the update.


----------



## Neil (Nov 22, 2009)

My Symantec just gave me this message as soon as I opened ss.org, it's never happened before.


----------



## Winspear (Nov 22, 2009)

Using IE and this problem began around midday yesterday.
Any SS page visited brings up this:
along with another AVG box.
Since this began, I have also been having a variety of loading problems on SS.



Danger: AVG Search-Shield has detected active threats on this page and has blocked access for your protection. 


The page you are trying to access has been identified as a known exploit, phishing, or social engineering web site and therefore has been blocked for your safety. Without protection, such as that in the AVG Security Toolbar and AVG, your computer is at risk of being compromised, corrupted or having your identity stolen. Please follow one of the suggestions below to continue.

*URL:* fuckthecrisis.biz/lib/index.php
*Name:* Javascript Obfuscation (type 714)


----------



## ZeroSignal (Nov 22, 2009)

EtherealEntity said:


> Danger: AVG Search-Shield has detected active threats on this page and has blocked access for your protection.
> 
> 
> The page you are trying to access has been identified as a known exploit, phishing, or social engineering web site and therefore has been blocked for your safety. Without protection, such as that in the AVG Security Toolbar and AVG, your computer is at risk of being compromised, corrupted or having your identity stolen. Please follow one of the suggestions below to continue.
> ...



That's exactly what I got.


----------



## SamSam (Nov 22, 2009)

Getting the same thing on AVG, started 2 days ago if I remember right.


----------



## techjsteele (Nov 22, 2009)

Neil said:


> My Symantec just gave me this message as soon as I opened ss.org, it's never happened before.



I received the exact same thing, but only from here, and it happened with IE and Firefox.


----------



## sami (Nov 22, 2009)

About Bloodhound.Exploit.193, it affects only Windows machines.

Bloodhound.Exploit.193 | Symantec


----------



## HighGain510 (Nov 22, 2009)

If any mods want to see this fixed soon and can get ahold of Alex, please send him the following info:



> One of the most popular plugins that tons of forums run (VBSEO) has been compromised, and many forums will be having errors about Centiyo, such as "Visiting This Site May Harm Your Computer". It's caused by VBSEO.
> 
> Disable, then update VBSEO. Then if you're a webmaster, go into your Vbulletin templates and remove any code about it from the HEADER part of your template, on ALL styles. Search your templates for "Centiyo".



Chop chop.


----------
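The template search described in the quoted instructions above, as an added example that is not part of the original post and is not vBulletin or vBSEO code. It assumes the header template of each style has been exported to plain text; the allowlisted host `forum.example` and the sample templates are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Indicator strings named in the thread; matched case-insensitively.
INDICATORS = ("centiyo", "fuckthecrisis")

# Hosts the templates are expected to load from (hypothetical allowlist).
ALLOWED_HOSTS = {"forum.example"}

# Constructed sample of exported header templates, one per style.
SAMPLE_TEMPLATES = {
    "header (style 1)": '<div id="logo"><img src="/images/logo.gif"></div>\n'
                        '<script src="http://centiyo.com/in.cgi?default"></script>\n',
    "header (style 2)": '<div id="logo"><img src="/images/logo.gif"></div>\n'
                        '<script src="http://forum.example/js/menu.js"></script>\n',
}


class ExternalRefs(HTMLParser):
    """Collect (line, tag, url) for tags that pull in a remote resource."""
    LOADERS = {"script": "src", "iframe": "src", "embed": "src",
               "object": "data", "link": "href"}

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.refs = []

    def handle_starttag(self, tag, attrs):
        attr = self.LOADERS.get(tag)
        url = dict(attrs).get(attr) if attr else None
        if url:
            self.refs.append((self.getpos()[0], tag, url))


def scan_template(name, text):
    """Return (template, line, reason) findings for one template."""
    findings = []
    # Pass 1: plain string search, the check the quoted advice asks for.
    for lineno, line in enumerate(text.splitlines(), 1):
        hit = next((i for i in INDICATORS if i in line.lower()), None)
        if hit:
            findings.append((name, lineno, f"indicator '{hit}'"))
    # Pass 2: any loader tag pointing at a host outside the allowlist,
    # which also catches an injection that uses a different domain.
    parser = ExternalRefs()
    parser.feed(text)
    parser.close()
    for lineno, tag, url in parser.refs:
        host = (urlsplit(url).hostname or "").lower()
        if host and host not in ALLOWED_HOSTS:
            findings.append((name, lineno, f"<{tag}> loads from {host}"))
    return findings


def scan_all(templates):
    """Scan every style so no template is skipped."""
    return [f for name, text in templates.items()
            for f in scan_template(name, text)]


if __name__ == "__main__":
    for finding in scan_all(SAMPLE_TEMPLATES):
        print(*finding, sep=" | ")
```
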



## asmegin_slayer (Nov 22, 2009)

sami said:


> About Bloodhound.Exploit.193, it affects only Windows machines.
> 
> Bloodhound.Exploit.193 | Symantec



Mac


----------



## HighGain510 (Nov 22, 2009)

asmegin_slayer said:


> Mac



The exploit itself may only affect Windows machines, but I'm getting the pop-up for the warning EVERY TIME I VIEW A PAGE on Safari... ON A MAC.   While it might not be able to do anything to my computer, it sure as hell is a big nuisance!


----------



## El Caco (Nov 22, 2009)




----------



## Xaios (Nov 22, 2009)

My AVG pops up with the warning in IE8, but doesn't do anything in Firefox. Weird.


----------



## djpharoah (Nov 22, 2009)

Nothing here with Noscript+Adblock plus+FF


----------



## El Caco (Nov 22, 2009)

It seems Mozilla based browsers do not block websites tagged unsafe by Google, Safari and Chrome (obviously) do. If this does pose a threat to Windows users I doubt that running FF or not getting the warnings would mean that you are safe.

To be sure I'd recommend that all Windows users run a thorough search for infections. I don't know enough about this particular issue and what type of threat it poses other than that it is apparently a JavaScript exploit.


----------



## El Caco (Nov 22, 2009)

With that in mind it may mean that Mac users could be at risk also as JavaScript exploits are often not system dependent.


----------



## El Caco (Nov 22, 2009)

I'm out. After reading about the exploit I'm not hanging around. This board runs VBSEO 3.2 but I have no idea if Alex has patched it or not, either way the site has been compromised. The current Version is VBSEO 3.3.2 but an admin can choose to patch an older version if they do not wish to upgrade.

There are some serious security exploits in the older versions of VBSEO that can allow a hacker to gain control of the forum and inject their own code, this means that the risk is not limited to any single malware, what this means to me is that until Alex corrects this issue I'm not willing to take the risk even though I am a mac user.

Hopefully Alex addresses this shortly, I'll catch you guys when he does.


----------



## Daemoniac (Nov 22, 2009)

I just sent this to Alex, basically begging him to fix the thing... Hopefully he'll listen, cos you know, we're so tight 



> Hi Alex,
> 
> As no doubt you've been made aware, there is a pretty big security threat with the site at the moment. I'm not entirely sure what the go is, but I do know that a few of the members (myself included) are pretty concerned about it, s7eve having already pretty much jumped ship to protect his computer from any potential threat.
> 
> ...


----------



## Koshchei (Nov 23, 2009)

Hi Mods,

One of your advertisers is installing malware on people's computers on the logged off version of the site. I've had PDFs full of gibberish pop up, ActiveX controls try to install themselves, and Apple's Safari won't even let me visit the site without warning me on every single page that the site is compromised.

Please fix this - these problems are limiting site exposure, and probably scaring off registered members who don't want to be part of a botnet.

EDIT: Google is warning me that the culprit is: centiyo.com

Thanks,

Koshchei


----------



## darren (Nov 23, 2009)

Yup. Centiyo seems to be some sort of search engine optimization service.


----------



## HaGGuS (Nov 23, 2009)

I am getting alerts from avast.
This is the link avast is warning me about.......
http:// centiyo. com /in.cgi ?default \ {gzip}


----------



## Baldi (Nov 23, 2009)

Me too!!!
Windows/firefox.. Avast keeps picking up a virus!!!
Mods - What's going on?


----------



## t3sser4ct (Nov 23, 2009)

You can stop the problem on your own computer. Here's how. Open the following file in Notepad: C:\Windows\System32\drivers\etc\hosts

Add the following two lines to the end of the file, then save:

```
127.0.0.1 fuckthecrisis.biz
127.0.0.1 centiyo.com
```


This tells your web browser to look for those websites on your own computer, so any time it tries to load, it will fail. It's basically blocking those addresses.  You might still get a warning from your browser, but those sites will no longer be able to load, so at least your anti-virus should be happy.


----------



## caughtinamosh (Nov 23, 2009)

Yeah, I get a "fuckthecrisis" warning too. 

EDIT: Maybe this thread is worth stickying...


----------



## s_the_fallen (Nov 23, 2009)

t3sser4ct said:


> You can stop the problem on your own computer. Here's how. Open the following file in Notepad: C:\Windows\System32\drivers\etc\hosts
> 
> Add the following two lines to the end of the file, then save:
> 
> ...


 Good advice here. I did the same


----------



## ZeroSignal (Nov 23, 2009)

I used my firewall to block the originating IP address and I haven't got a warning yet.

I recommend that the mods sticky this and put up an "announcement" at the top of every page.


----------



## t3sser4ct (Nov 23, 2009)

BTW, if you have Firefox, get Noscript. I use it, and the malware has been blocked this whole time. (I noticed it was blocking a script on sevenstring.org, but I thought it was just a new ad system.)


----------



## Daemoniac (Nov 23, 2009)

This is fucked. Seriously, I wish the site had actually gone to someone who gives a shit. 

Alex, if you read this, for the love of god do something to fix this shit up.


----------



## ZeroSignal (Nov 23, 2009)

Demoniac said:


> This is fucked. Seriously, I wish the site had actually gone to someone who gives a shit.
> 
> Alex, if you read this, for the love of god do something to fix this shit up.


----------



## wannabguitarist (Nov 23, 2009)

t3sser4ct said:


> You can stop the problem on your own computer. Here's how. Open the following file in Notepad: C:\Windows\System32\drivers\etc\hosts
> 
> Add the following two lines to the end of the file, then save:
> 
> ...



Like this 
```
# Copyright (c) 1993-2009 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host

# localhost name resolution is handled within DNS itself.
#	127.0.0.1 localhost
#	::1 localhost
#
127.0.0.1 fuckthecrisis.biz
127.0.0.1 centiyo.com
```

Or am I missing something?


----------



## Daemoniac (Nov 23, 2009)

I sent him another PM asking for a couple more mods as well. I don't know who, but, so far as I can tell we're down to 3 really active ones; s7eve, Djpharaoh, and DDDorian. I've seen Metal Ken and Leon around a little bit, but really, we have 3 who are here all the time.

Not enough.

EDIT: I should point out, that I'm not having a go at the mods, by any stretch. You guys do a fucking incredible job and you deserve seriously epic props for it. The problem is that you can't be on here all the time, and we need more to be here when shit like that uber-spammer came on last night. Hell, even just looking at the visitors for the past 24 hours, I don't think I've seen that many spam bots banned/visiting ever! It's insane.


----------



## t3sser4ct (Nov 23, 2009)

wannabguitarist said:


> Like this
> # Copyright (c) 1993-2009 Microsoft Corp.
> #
> # This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
> ...


That's it exactly.


----------
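A check for the hosts-file workaround discussed in the posts above, added here as an illustration and not written by anyone in the thread: it parses a hosts file and reports which names are actually pinned to a non-routable address. The `www.` variants are an assumption of this example, included because a hosts entry matches only the exact hostname listed; the sample text is the tail of the file as posted.

```python
import ipaddress

# Hostnames the workaround in the thread is meant to block.
BLOCKED = ["fuckthecrisis.biz", "centiyo.com"]

# Sample input: the end of the hosts file as posted in the thread.
SAMPLE_HOSTS = """\
# localhost name resolution is handled within DNS itself.
#\t127.0.0.1 localhost
#\t::1 localhost
#
127.0.0.1 fuckthecrisis.biz
127.0.0.1 centiyo.com
"""


def parse_hosts(text):
    """Return {hostname: ip} for every active (non-comment) entry."""
    mapping = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments, full-line or trailing
        fields = line.split()
        if len(fields) < 2:
            continue                          # blank, comment-only or malformed
        ip, names = fields[0], fields[1:]
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue                          # first column is not an IP address
        for name in names:
            # Keep the first mapping seen for a name (assumption of this example).
            mapping.setdefault(name.lower().rstrip("."), ip)
    return mapping


def is_sinkholed(ip):
    """True when traffic to the address cannot leave the machine."""
    addr = ipaddress.ip_address(ip)
    return addr.is_loopback or addr.is_unspecified


def coverage(text, blocked=BLOCKED, extra_labels=("www",)):
    """Map each blocked name and its subdomain variants to True if sinkholed."""
    mapping = parse_hosts(text)
    wanted = []
    for name in blocked:
        wanted.append(name)
        wanted.extend(f"{label}.{name}" for label in extra_labels)
    return {n: n in mapping and is_sinkholed(mapping[n]) for n in wanted}


if __name__ == "__main__":
    for name, ok in coverage(SAMPLE_HOSTS).items():
        print(f"{'blocked    ' if ok else 'NOT blocked'}  {name}")
```

Run against the posted file, the two bare domains report as blocked while `www.centiyo.com` and `www.fuckthecrisis.biz` do not, so each subdomain that needs blocking has to be listed on its own line.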



## DevinShidaker (Nov 23, 2009)

Demoniac said:


> I sent him another PM asking for a couple more mods as well. I don't know who, but, so far as I can tell we're down to 3 really active ones; s7eve, Djpharaoh, and DDDorian. I've seen Metal Ken and Leon around a little bit, but really, we have 3 who are here all the time.
> 
> Not enough.
> 
> EDIT: I should point out, that I'm not having a go at the mods, by any stretch. You guys do a fucking incredible job and you deserve seriously epic props for it. The problem is that you can't be on here all the time, and we need more to be here when shit like that uber-spammer came on last night. Hell, even just looking at the visitors for the past 24 hours, I don't think I've seen that many spam bots banned/visiting ever! It's insane.



I do agree that our mods all do a spectacular job at keeping this place awesome. The best we can do to help is to report problems we see such as the malware thing, spambots, etc. I already know there are plenty of guys on here that would jump at the chance to moderate (me being one of them because I'm on here like all day every day lol). I think that if they ever need more help, they know they'll be able to get it, so they probably have it all under control right now.


----------



## djpharoah (Nov 23, 2009)

Guys - while we all have our grievances let us not get off topic. The best thing I can say is report everything you see - so far all I can say is thanks to the many who constantly report shit. The active mods are on that shit asap - I get RSS feeds on my PDA so  on spam bots is pretty easy. 

All I can say with regards to this is if you're getting the warning be cautious. It seems to be more if you're not logged in. I've not yet seen anything but then I'm running FF+adblock+noscript and AVG free w/ firewall so I can't say much on this front. But I definitely agree Alex should be here to do something...


----------



## Daemoniac (Nov 23, 2009)

djpharoah said:


> Guys - while we all have our grievances let us not get off topic.
> 
> ... I definitely agree Alex should be here to do something...



Sorry for the rant, but yes. He should.

Thanks for being a kickass mod BTW


----------



## t3sser4ct (Nov 23, 2009)

I thought a couple of other users had admin access (to the forum). Is this not the case?


----------



## Daemoniac (Nov 23, 2009)

I think that was one of the things that got taken off the mods or whoever when Alex took over the forum. Which is why we're in such a rut.


----------



## djpharoah (Nov 23, 2009)

t3sser4ct said:


> I thought a couple of other users had admin access (to the forum). Is this not the case?



Under the old administration mods were given semi-admin like powers. These powers (lol, feel like I'm talking mutant powers) allowed more thorough moderating to be achieved. But it didn't give them access to the behind the scenes kinda stuff with the server/code/VB etc.


----------



## t3sser4ct (Nov 23, 2009)

Yeah, well if someone had full access to even the VB control panel, I think the issue could be solved at least temporarily.

Does anyone have any idea of where the vulnerability is or how it works? I know it seems to be a vBSEO issue, and from what I've been reading, it possibly has something to do with uploads/attachments. I've never really looked at the inner workings of vBulletin, but it's possible if we knew where the problem was, it could be fixed from the outside (through the same security hole the attacker used).


----------



## Daemoniac (Nov 23, 2009)

^ I totally copied your signature. Good idea dude


----------



## t3sser4ct (Nov 23, 2009)

By the way, mods, it's very possible that the attacker was one of the recent spammers. Perhaps by looking at the recently banned users and their activity, you can see how the vulnerability was exploited (provided you have enough access to see that information).


----------



## HaGGuS (Nov 23, 2009)

I better make this clear.
The mods here are cool.
Alex letting this happen..NOT COOL.

This should not happen on a site this big.


----------



## Daemoniac (Nov 23, 2009)

I think Alex has fixed the issue. If so, thank you, it's very much appreciated.


----------



## Alex (Nov 23, 2009)

The problem has been fixed.

Thank you.


----------



## DDDorian (Nov 23, 2009)

Righteous

I'll leave the announcement up and the thread open in case it happens to come back but for the time being we should all be fine


----------



## Daemoniac (Nov 23, 2009)

Alex said:


> The problem has been fixed.
> 
> Thank you.



Thank you!


----------



## El Caco (Nov 23, 2009)

Thanks Alex.


----------

