Site Issues 12/28/2012

The Rocketry Forum

troj

This morning, we had a bit of "fun" with the forums -- I got up to find two glaring red screens in Chrome, where it complained about malware on the site. Several of you noticed the same thing, and reported it (thank you). In addition, I had a couple rather urgent IMs from WiK, notifying me of the same.

WiK had already ascertained the source of the problem (the ad module), and had turned it off. As a precaution, we took down the forums, while we did more research, to make sure we knew what was compromised. The problem was isolated to the ad software; the compromised files were identified, and the entire install was trashed, followed by verifying that nothing in the database got compromised. A fresh install of the ad software was then performed, to make sure a known clean base was present.

A request has been submitted to Google, to have them rescan the site -- until that happens, Chrome and Firefox will continue to complain. Older versions of IE are ignorant of blacklists, so they just merrily let you visit any site -- if nothing else, this is a good reason to upgrade to a newer version of IE, or if you cannot do that, switch to Chrome or Firefox.

Thanks to WiK for spending the past 3 hours of his day, tracking down and isolating the issue, as well as getting it fixed.

For anyone who visited the site while it was compromised, since we don't know what nasties are on the sites that the links were to, I'd suggest a malware scan on your system, just to be safe. Even if you're running current AV software, I'd suggest a scan -- no software is perfect and catches everything. It's a good practice to periodically run multiple anti-malware scans on your system, as none of them catch everything. Malwarebytes and Spybot Search & Destroy are both good programs.

Sorry for the inconvenience.

-Kevin
 
First time I've ever been grateful that my work requires IE.
 
Phil,
In the closed thread you had asked:
Can you remember which page you were looking at when the Java popup appeared?
My popup showed up on the TRF home page (https://www.rocketryforum.com/) at the same time I got the McAfee warning. I ran a Malwarebytes scan which showed no issues and will do a McAfee AV scan tonight.

Thanks to you and Kevin for keeping on top of these issues and getting the site back up so quickly.
 
My Firefox did not work, but my Chrome did without any problems...
 
Safari wouldn't even let me log in on a MacBook, so I guess I'll stick to the iPad for now. I think maybe it's using an older version of Safari...? :confused:
 
Until Google processes the request to review the site, some browsers will continue to complain. This can take up to 24 hours, from the time it is requested.

There are ways to tell the browser, "I don't care, take me there, anyway," but they intentionally make it difficult, to help protect users.

-Kevin
 
Thanks for jumping on this, Kevin. Since Chrome was complaining, I fired up a throw-away virtual machine and used IE to get in. I figured that - worst case - I could just trash the VM if things went south.
 
I have Chrome and it only barfed the second time I visited today.
 
Just over the last few minutes every time I tried to visit, I got the Google warning.

Forum just quit to the warning page and wouldn't let me back in.

Guess the Google machine is satisfied now. Seems back to normal.

I am on a Mac mini and have just updated everything over the holiday weekend when I had access to high speed internet.
 
Google just reported the following:

Status of the latest badware review for this site: A review for this site has finished. The site was found clean. The badware warnings from web search are being removed. Please note that it can take some time for this change to propagate.

-Kevin
 
:clap::clap::clap::clap::clap:
:clap::clap::clap::clap::clap:
:clap::clap::clap::clap::clap:
:clap::clap::clap::clap::clap:

Now find the perps and :bangpan::bangbang::bangpan::bangbang:
 
WiK did most of the work -- I was moral support (I was at work, and in communication with him, but he was doing 95% of the work).

-Kevin

Glad to hear it's resolved.

Now, can you help me with the slow leak of coolant from my radiator?
 
Two other forums I visit regularly have had the same problem in the past couple of months. The good news is that it's been resolved quickly in each case.

-- Roger
 
That's funny (strange), I spent my day trying to revive my main computer that went down two weeks ago. I succeeded. I had to reinstall the OS and back my files all on my own.
Now the question is, do my backup files have to be scanned for viruses?
 
It wouldn't hurt to scan everything you had previously backed up.

Even as I'm typing this, I'm now getting the attack site warning from Firefox. Don't know if this message will take...
 
I would scan back-up files depending on the last time you made the back-up...they are probably clean, but why take the chance?
Google is no longer telling me that TRF is 'unclean'.
rex
 
Just logged in and am having no problems on IE. Thanks guys for staying on top of this stuff. Your hard work is appreciated.
 
It wouldn't hurt to scan everything you had previously backed up.

Even as I'm typing this, I'm now getting the attack site warning from Firefox. Don't know if this message will take...

Firefox must be slower to get the news -- Chrome and Google's search results no longer report an issue.

-Kevin
 
Big thanx to Wik and Troj for your work, diligence and dedication.

I ran a scan because we trade data within the office on a flash drive, so who knows..... AVG came up with a "hidden driver": mfeavfk . sys. (I think that's the way it spelled it...). Avg sees it, Malware Bytes, Super Anti-Spyware and McAfee do not. I am hoping that it is part of a Company required program. I am sending a note to the IT dept to ask.

Hoping that I did not cause the problem here....

Terry
 
I ran a scan because we trade data within the office on a flash drive, so who knows..... AVG came up with a "hidden driver": mfeavfk . sys. (I think that's the way it spelled it...). Avg sees it, Malware Bytes, Super Anti-Spyware and McAfee do not. I am hoping that it is part of a Company required program. I am sending a note to the IT dept to ask.

That's probably a false-positive, as what I'm finding says it's a driver used by McAfee, but let your IT folks decide for sure.

Hoping that I did not cause the problem here....

Nope. Definitely hackers who found an exploit. Their hole has been plugged, though.

-Kevin
 
It's apparently the day for this nonsense -- just got a call from my dad; a forum he visits, on a subject totally unrelated to rocketry, got compromised today.

-Kevin
 
Nope. Definitely hackers who found an exploit. Their hole has been plugged, though.

-Kevin

Sad that we live in a world where people make it their life's ambition to ruin good things that other people do. Then again, I guess it has always been that way (toilet papering houses on Halloween for example), but somehow this is different, maybe because it isn't affecting just 'that mean old guy down the street'.
'Course TPing Mean old Mr Smith's house wasn't a life's ambition either....
 