Reply With Quote
Okay, I know that AdSense brings in most of the funds required to run this place, but damnit this is just ridiculous now. Fuzz, we have to do something, whether it's in the form of finding an alternative or whatever...
It's happened again. Google's listed TFF as an attack site again for Firefox users. And once again the culprit seems to be google's adsense ads!
Now I'm unhappy!
My TFF Family
My Chocolate and Theory lovin' Niece -- Unknown Entity
My CRAZY NUTTY Aussie sisters -- Tiger Lily and superjj
Okay, I know that AdSense brings in most of the funds required to run this place, but damnit this is just ridiculous now. Fuzz, we have to do something, whether it's in the form of finding an alternative or whatever...
Community Manager; Forum Administrator
reppin' SOLDIER since 2004 • CPC8 class of 2009Random;:
http://thefinalfantasy.net/forums/ho...refox-3-a.html
That should fix your problem, hopefully.
Has Fuzz actually scanned all the files on the server to see if there is a link to google-analytize.com? That isn't Google, it's a malware site with a similar name. It's possible the forums or the site has a link to it somewhere and Google is picking it up. Either that or someone hi-jacked the ads on Google's search engine itself, which is a known issue they aren't doing anything about. Never click sponsered links... ^_^
Speaking of "google analytize", I see that URL loading whenever I load the TFF forums index, so something may be linking to there, or something like that.
Then it's a good possibility something is screwed up in the forums settings. I'm not sure where he put the ad shit in the forum code at but I can look at it later.
I'm working on scanning all the site files by hand to see if any of those are contaminated.
I looked at the source code for this page, out of curiousity, to see what I could find. It just confirms our problems, but here it is.
I did a quick search to see what others experienced. Here is what I came across.<td align="right">
<script type="text/javascript"><!--
google_ad_client = "pub-3864201044463925";
google_ad_width = 468;
google_ad_height = 60;
google_ad_format = "468x60_as";
google_ad_type = "text_image";
google_ad_channel ="";
google_color_border = "000000";
google_color_bg = "F0F0F0";
google_color_link = "0000FF";
google_color_url = "008000";
google_color_text = "000000";
//--></script>
<script type="text/javascript"
src="http://pagead2.googlesyndication.com/pagead/show_ads.js">
</script>
I know it's old, but it still points to the issue we've pinpointed. I don't have time right now to further research anything, so I'm throwing this out there for someone to look up while I'm gone. I'm gonna look into it further tonight when I get home. I'm sick of this being a problem- not just for TFF, but for other people. I want to know exactly what to tell people to be aware of.Originally Posted by jellymeli.com
Why the hell is everyone's sig so long? Be polite and use a freakin' spoiler tag!:
That didn't pinpoint anything... all sites that have Google's adSense use that same block of code, just with a different client id.
I couldn't find any botched code in the forums or in the files. All of them use that same block of code. The phrase google-analytize.com isn't located in any of the files or templates either.
EDIT:
There ARE viruses on the server. I was skipping images since I was focusing on code, but I'm going to do a more thorough search of every file when I get home. Here are some that I found and deleted:
/picturepost/final_fantasy_iii/1408.2007.iTALiAN.AC3.DVDRip.XviD-GOLD.cd1.avi
/picturepost/final_fantasy_iii/La.Bussola.D.Oro.2007.iTALiAN.MD.CAM.XviD-DSi.avi
/picturepost/final_fantasy_iii/xh
I have deleted these files off the server. It looks like someone was using PicturePost to store porn on TFF and the files have viruses.
This needs a separate post, due to its importance:
The following people are BANNED for using vB-exploiting code in their sigs:
Death Sentence
maxpower
Please smoke up
The use of JavaScript of any sort is not allowed on TFF and you have no chances with this. If such code is used in an exploitive manner, you will be banned upon discovery. If you re-register I will ban you again. Keep your script-kiddy shit on your own site and leave it off TFF.
~~~~
I will continue to search for problems when I get home from college. Sarah, you were actually right... just not how you think. I was doing research on a vB exploit one of the above people were using and the site I went to was flagged by my virus software:
Notice who it's from? This IS NOT a knockoff site... the virus is coming straight from Google. Now, this isn't our only problem here at TFF, but it is part of it. Note: The line thing is a cursor when I was copy+pasting the text... its not a L.
I was so mad when we got flagged again by Google. It is just getting beyond annoying at this point. Thanks Merlin for taking the time to scan the files and look over the VB settings. I have also searched all files on TFF for google-analytize and b1izzard and have found nothing. In addition, I have also search the raw forum database and found nothing either.
We have had problems with the picturepost directory having suspicious files being uploaded to it. I just went into the server and made sure all directories were protected again, and yes, there was a loop-hole in there. Merlin did you check all the sub-directories? thanks again for finding those. Also, for the vb exploits you found... can we disable javascript or lock down the signatures to any extent? I wasn't aware of these exploits.
IT is a shame if this is Google Adsense. I know it has been the case a few times in the past, but there is no way we can control that. I have made several attempts to let Google aware of this 3rd party ad problem...
I am isntalling ClamAV to the server for more thorough virus protection. Hopefully this warning will be removed promptly and soon.
Make sure you go through the hosts file in etc/hosts to see if there are any references to pagead2.googlesyndication.com or any other Google stuff and delete them. It's still a possibility that it really isn't Google doing it, but a third-party site which redirects back to Google after it installs shit on your comp unbeknownced to you. Might as well eliminate any possibility it's the box. If it's not the box, then well... we at least know with certainty WE aren't the ones dumping trojans on people.
You still need to scan the entire disk for any more viruses because I didn't want to download every single file off the server and check by hand unless I had to. I can, but it will take a while to dl it all.
Oh and feel free to email that pic to Google and tell them to shove it up their ass. Here is the log of it:
EDIT:9/29/2008 3:49:18 PM SYSTEM 1672 Sign of "SWF:CVE-2007-0071 [Expl]" has been found in "http://pagead2.googlesyndication.com/pagead/imgad?id=CKWl9-Lap9WKDRB4GPABMghBuUR29LmeLA" file.
In case you're interested in the infection on our server, here it is:
I obviously deleted any infected files I found...9/29/2008 3:12:13 PM SYSTEM 1672 Sign of "ELF:Malware-gen" has been found in "C:\Users\Merlin\Desktop\httpdocs\picturepost\imag es\maps\final_fantasy_iii\xh" file.
I could be wrong, but isn't ELF designed to run from a Linux system?
The quoted path:
sounds more Windows Vista-ey, no?C:\Users\Merlin\Desktop\httpdocs\picturepost\imag es\maps\final_fantasy_iii\xh
Still, it's interesting that a piece of DoS malware was the culprit. Just 8kb of malicious code... ><
Good sleuthing Merlin, think anything else'll turn up?
victoria aut mors
I never had any problems with google ads but I only use text ads :/
They seem to be Italian videos. The second one is supposed to be a Golden Compass Movie (I know Italian/picturepost/final_fantasy_iii/1408.2007.iTALiAN.AC3.DVDRip.XviD-GOLD.cd1.avi
/picturepost/final_fantasy_iii/La.Bussola.D.Oro.2007.iTALiAN.MD.CAM.XviD-DSi.avi
/picturepost/final_fantasy_iii/xh).
I think the best way to solve this is by examining all external links and by scanning all the media.
SPOILER!!:
You caught me! I'm using Vista! Wait...I would hope the directory structure was Vista, seeing as how my computer isn't the TFF web server.
Avast doesn't have the magical ability to hijack a FTP connection and scan a remote computer. That would be awesome...
Damn, its not pron?They seem to be Italian videos. The second one is supposed to be a Golden Compass Movie (I know ItalianNo wonder it was so boring when I was watching it. It's a good thing I deleted that trash. ^_^ Even so, we had contraband and virii which I promptly nuked.
This post was brought to you by the word "Sarcasm"
Still working on this issue. I have been in contact with several professionals in a malware group that help support Google. I have done everything in my power to find out what is wrong. I have searched every single file for iframes and many malicious domains (google-analytize, b1izzard, etc)... and have found nothing. I continue to search the forum DB to find nothing either. Merlin finding those 3 files was huge, but even after he deleted the files, I think we're still flagged. I have requested help from the pros I have been talking to, as I continue to investigate. I hope once this is resolved, we can take whatever measure possible to ensure it doesn't happen again.
Merlin, it sounds like you are familiar with the vb exploits. If you can ensure that not only the members are banned that did it, but that the posts are deleted, etc. I also shared that screenshot you found with the google adsense URL in it. I continue to think that is the issue...
Here is a list of the possible 'infected' URLs, at least according to Google. Since it includes both non-forum and forum pages, I'm thinking it has to be adsense, since that is the only include that is shared on both:
Sample pages that may be distributing malware:
The Final Fantasy: Exclusive Final Fantasy Coverage and Community
The Final Fantasy Forums - Powered by vBulletin
http://thefinalfantasy.net/battle/
The Final Fantasy: Exclusive Final Fantasy Coverage and Community
http://thefinalfantasy.net/forums/ca...1&day=2008-5-5
The Final Fantasy: Exclusive Final Fantasy Coverage and Community
http://thefinalfantasy.net/forums/at...5&d=1171478075
***UPDATE***
I found some URL injection code in a DEEP forum JS file. It had the domain google-analytice.com, which is DAMN close enough. I'm thinking this was the culprit. I did a massive search for 'document.write' and there it was. I'm hoping the warning will be removed soon now. I'll keep you updated. thanks again for the help Merlin and everyone.
I don't remember if I got the most updated vB licensce info, but I can upgrade the forums to the latest update, etc once I do... which would include nuking all the files. That is unless you want to go ahead and do that now, since I won't have time to do it until Saturday.
And yes, I deleted all traces of vB exploits I found. I have backups of what they did on my computer. What they were doing didn't actually work, from what I could see, but even attempting it is good enough in my book to ban your ass.
I'll e-mail you the updated VB info. I did update the forums earlier today to 3.7.3 Patch Level 1, which is the latest version. THANK YOU for handling the vb exploits and doing what you gotta do
Oh and good news, I think this is all resolved, apparently that Javascript file with the URL injection was the culprit. Here is the latest message from Google (about 2 hours ago)
"Status of the latest badware review for this site: A review for this site has finished. The site was found clean. The badware warnings from web search are being removed. Please note that it can take some time for this change to propagate."
YAY!
I am currently working on securing the server even more to ensure this type of thing will not happen again... wow, how annoying... Again thanks.
Ehh, just a little FYI, you should update the rules and regulations if you're gonna ban people for something. *nods* I did I search in the Rules and Regulations and the word "javascript" is nowhere to be found.
Now, I only did a "CTRL+F" and typed in Java (I didn't need to type anything else, because it told me it didn't even find that), so, it may be worded different and all. Either way, not to be a prick, which it may seem like I am doing, just saying, it should probably be added so someone doesn't add script they think might be harmless and get banned for it.
~Kaiser Dragoon
XBLA:
You're most active in: Cleft of Dimension · 452 Posts
YES, I Have obtained the power of "Lurker Status"!
Ignorance, ie: "I didn't know the gun was loaded", is not an excuse. You are responsible for what you put in your profile. It goes without saying that anything that interferes with the functionality/behavior of the site/forums is considered hacking and will be dealt with appropriately. Also, the discussion of, linking to, or actual use of hacking on the forums used to be a rule. It was modified outside of my control, but Site Security trumps those rules anyways.
Keep in mind, upon registering you sign a waiver stating that the staff can enforce standards whether they are listed or not. If you have any questions or concerns on a particular banning or decision or are unsure whether the code in your signature is acceptable, please address them to the staff through the Private Message system, not in a topic.
We need to get rid of AdSense. I just pulled seven trojans off of my laptop; first infection I've ever had since I got this laptop nearly three years ago. I only visit a very limited number of websites, and this is the only one that's having security issues.
They showed up on boot and were killed immediately.
Community Manager; Forum Administrator
reppin' SOLDIER since 2004 • CPC8 class of 2009Random;:
Not Adsense this time. a mySQL injection on the forum index. The main site is fine... just the forums this time. I searched the DB and found an 'unescape' javascript with a hidden google-analytize URL on there with a link to malware.
I have updated the security patches and this should resolve the issue yet again
Sorry for the trouble guys, i mean it... I HATE when this happens.
This is so lol...
Google: Here you go, use some of our proprietary Adsense advertisements to make money towards hosting your site!
TFF: HOKAY! (uses Adsense)
Google: OMFG The Final Fantasy: Exclusive Final Fantasy Coverage and Community IS NOW A REPORTED ATTACK SITE!!! NO ONE GO THERE LOL
TFF: :'(
IRANianCha0s:
Is MySQL and Apache up-to-date, or is that what you are refering to? O.o
Also, why the hell is vB so vunerable to XSS all of a sudden... they are supposed to be filtering everything for that shit.
The only other thing I can think of is because you have the site and forums interconnected in a mishmash fashion, so someone is hijacking the DB through the site somehow. The DB has been steadily getting more and more buildup over the years from old hacks, whatever... plus all the crap running now. Last ditch effort might be to back-up the "useful" parts of the db, ie: only the fields that are used by vB 3.7.3 standard, and nuke the whole damned thing, DB, directory, everything. Reinstall everything from the ground up and only add the features we actually need. It'd be a big mess and the forums would be down a few days, but it might be worth looking into. I'd work on it, but I have no clue how to access the DB atm.
You're back. Again.
It's somewhat commical how TFF is listed as an attack site more often than all the porn I stumble across combined.
Until now!
It's being fixed right now. Apparently some douche injected some file. >_>;
And does it over and over again or something. So yeah.
Fixed as in actually fixed, or fixed as in it will happen again in a month?
I never thought I'd give IE such a work out.
Until now!
I have no idea. Fuzz narrowed down the file, and is doing/did some sort of thing to it, so we'll see. No way to really know until we wait. o_O;
Yes. It has happened again. It has become almost a monthly routine at this point... and trust me, I am not happy about it. I have spent quite some time learning server security over the last year, so I'm certain we have almost narrowed this problem down to a pulp. One of the major burdens of maintaining your own self-managed dedicated server. I have been working closely with members of the Google Quality Assurance team in Google Groups and am always fast to pounce on this. Until it is fully resolved, I sincerely thank everyone for understanding and doing the IE switch. I know it is annoying as hell.
I just checked my webmaster account at Google and the warning has already been removed... this is usually the 1st place to spot the removal. I think they are aware of how diligent I have become and I think they have pity at this point... I sent them a request for review before the warning was even issued! haha.
Anyways - we're on it. I know merlin has my back now too on suspicious activity, but the server is slowly becoming Fort Knox, so these warnings should only become less frequent!
Good to see this problem has been addressed and is being fixed
You don't need a reason to help people : Zidane Final Fantasy 9
The problem is, Google is slow at sending updates to Firefox. Even if Google doesn't list it as one anymore, you have to wait for them to tell Firefox that it isn't, which can take weeks. The whole thing is stupid. If it flags something as an attack site, it should re-check the database before blocking your access to it to make sure it still is one. Seriously, was this method designed by a team of monkeys or something? The concept is bad, the execution is poor, and the programming holding it together leaves me wondering where all that money Google has is really going... because it's not to fixing this.
In fact, why don't they warn a webmaster about it before blocking it? Say, "Hey, you have a bad file here. If you don't want us to tell Firefox to block your site, please remove it immediately. Thanks!" The only logical reason they wouldn't is because they don't want their ass sued for demanding sites comply with their ideals. Of course, the real reason is that they use bots to do all the real work. All the programmers do their is hold a pooper scooper and try desperately to clean up the shit trail their crappy programs make. Uh fix it? Yeah.
Last edited by Merlin; 12-02-2008 at 06:26 AM.
Posting Permissions
Bookmarks