Security Issues...........

Discussion in 'tMP Computer Corner' started by tubafran, Mar 27, 2011.

  1. Jan H

    Jan H Moderator Staff Member

    I haven't had any warnings either, on different PCs, with different Windows versions and different virus scanners (but always using Firefox, release 3 or 4).
    The three ads on the right side of the screen are, afaik, only animated gifs with a hyperlink. They have been on the site for quite a long time already ("the new 2009/2010 brochure" ????).
    What else could it be? The Twitter app? The PayPal link?
    Apparently there is a link to a suspicious server with IP address 129.121.128.110. I have looked through the source code of several forum pages, but can't find this link.
    I found this through the website http://safeweb.norton.com/safety?ulang=eng, but they are not clear at all about what they mean by "Embedded Link To Malicious Site". I've looked around on Google a bit, and I found several other websites that complained about "false positives" from Norton as well.
     
  2. Pauli Walnuts

    Pauli Walnuts Moderator Staff Member

    Embedded links within tMP will most likely have the URL and not the IP address.
     
  3. andyp

    andyp Active Member

  4. Thirteen Ball

    Thirteen Ball Active Member

    I haven't had any warnings either - but I still got the virus. It came straight past AVG without so much as a by-your-leave. Same 'windows defender/protector' sort of virus that's been mentioned on the thread before.

    I have to say - without any hint of malice (I know you guys are doing your damnedest to make sure TMp is clean) it definitely came down from somewhere on this site too. I'd been happily sibeliussing away for a couple of hours, and (thankfully) saved my stuff and decided to check my subscribed threads. Boom. Pop-ups, errors, disappearing files, the whole nine yards.

    I've since given AVG the heave-ho (useless sack of old iron that it was) and invested in Kaspersky - which took its time but threw it out.... and found a shedload of other spyware cookies that AVG had been ignoring for months....
     
  5. Jan H

    Jan H Moderator Staff Member

    If there's anyone who can definitely say which link on the website is referring to this supposedly malicious, please let us know, so we can take care of removing the ad or whatever is causing it.
    All the other speculations aren't really helping us further...
     
  6. sunshine

    sunshine Member

  7. MoominDave

    MoominDave Active Member

    Maybe not a bad idea for the tMP powers-that-be to speak to the dude who runs this site? Sounds like he's got some good handles on how to deal with this kind of problem - and the description does seem to match what's going on here pretty well... If it's conditional, then presumably Google will catch this at some point, at which point they'll stick tMP on a blacklist until it can be proven to them that the site has been cleared - not something that would benefit anybody!
     
    Last edited: May 4, 2011
  8. Jan H

    Jan H Moderator Staff Member

    I'm still not convinced.
    If you google around a bit, there seem to be quite a number of cases where Norton and/or AVG generate "false positives" for the "malicious link" warning.
    I tried to have a look at that link, but I didn't get everything they were trying to explain. I still don't understand why some users would get the malicious links, while many other users wouldn't.
     
  9. MoominDave

    MoominDave Active Member

    Somebody complained a page or so back about seeing this with Kaspersky. I don't think there are too many reported problems with Kaspersky out there?

    The link suggested that (at least for PHP - although I know tMP doesn't run on PHP any more) malicious redirecting code could be inserted in an encoded fashion (so a simple grep wouldn't see it very easily) - and further, that that redirect can be made conditional so that it's often not seen by someone navigating to the page. It talks about a redirect asking for a user's OS, browser, cookies, etc., and testing against those - one particular combination would cause it to redirect; failing the test would leave the page operating as normal.

    Makes sense to me?
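
An added example, not part of the thread or of the site's own code: one way to look for the kind of encoded link described in the post above is to extract URL hosts from the page source after undoing common encodings (percent-escapes, base64 literals, String.fromCharCode), then list the hosts that are off-site. The sample page, the function names and the 192.0.2.10 address are constructed for illustration.

```python
import base64
import re
from urllib.parse import unquote, urlparse

URL_RE = re.compile(r"https?://[^\s'\"<>\\)]+", re.I)
B64_RE = re.compile(r"['\"]([A-Za-z0-9+/]{24,}={0,2})['\"]")
CHARCODE_RE = re.compile(r"fromCharCode\(([\d\s,]+)\)")
IP_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")

def decoded_layers(text, depth=3):
    """Yield the text itself, then everything it decodes to (bounded depth)."""
    yield text
    if depth == 0:
        return
    found = [unquote(text)]                      # %68%74%74%70 -> http
    for m in B64_RE.finditer(text):              # quoted base64 literals
        try:
            found.append(base64.b64decode(m.group(1), validate=True).decode("utf-8"))
        except ValueError:                       # not base64, or not text
            pass
    for m in CHARCODE_RE.finditer(text):         # fromCharCode(104,116,...)
        try:
            found.append("".join(chr(int(n)) for n in m.group(1).split(",")))
        except (ValueError, OverflowError):
            pass
    for layer in found:
        if layer != text:                        # only recurse into real changes
            yield from decoded_layers(layer, depth - 1)

def offsite_hosts(source, site_host):
    """Return {host: flags} for every URL host that is not under site_host."""
    plain = {urlparse(u).hostname for u in URL_RE.findall(source)}
    report = {}
    for layer in decoded_layers(source):
        for url in URL_RE.findall(layer):
            host = urlparse(url).hostname
            if host and host != site_host and not host.endswith("." + site_host):
                report[host] = {"hidden": host not in plain,   # a grep would miss it
                                "bare_ip": bool(IP_RE.match(host))}
    return report

# Constructed sample page: one visible off-site link, one base64-encoded reference.
HIDDEN = base64.b64encode(b'<script src="http://192.0.2.10/a.js"></script>').decode()
SAMPLE = (
    "<script src='http://www.themouthpiece.com/adserver/adjs.php?n=123'></script>\n"
    "<a href='http://twitter.com/example'>follow me</a>\n"
    '<script>document.write(atob("' + HIDDEN + '"))</script>\n'
)
```

Calling `offsite_hosts(SAMPLE, "themouthpiece.com")` reports twitter.com as a visible off-site host and 192.0.2.10 as both hidden and a bare IP address.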
     
  10. andyp

    andyp Active Member

    Kaspersky aren't immune either......
    http://mobile.pcadvisor.co.uk/news/...rsky-website-hacked-in-fake-antivirus-attack/

    A google for "advert sites hacked fake anti virus" shows Ebay, Facebook, Twitter, Spotify and more also being hit at some point.

    IMO it all points to problems somewhere in the adverts (or the sites of the advertisers, or their links) served up on tMP rather than anything in the TMP site itself.

    As here: http://www.gadgetell.com/tech/comment/shields-up-iq-tests-and-other-facebook-scams/

    quote "Sometimes legit apps can become compromised as well. A few weeks ago the wildly popular FarmTown app, which lets users tend to a virtual farm, sell crops, and chat with other farmers, began redirecting users to a site serving up a fake anti-virus program, also known as scareware. It appears that the ad network serving ads in the game was poisoned with a malicious banner ad and was responsible, not the app developers. "
     
  11. Jan H

    Jan H Moderator Staff Member

    Yes that's what I understood more or less as well (before it got too technical anyway ;) )
    So would it help if we ask every user that gets the "malicious link" warning, to give certain details about their pc, to determine which combination could trigger these conditional hacks?

    for example:
    OS + release = ...
    browser + release = ...
    antivirus software + release = ...
    ...

    or would this be looking for a needle in a haystack?

    Myself, I've recently visited the website on 3 different PCs, 2 with Windows XP SP3 and 1 with Windows 7, using Firefox 3.6 and 4, and up-to-date versions of AVG or Trend Micro Officescan. I haven't had any problems.
     
    Last edited: May 4, 2011
  12. Thirteen Ball

    Thirteen Ball Active Member

    Sorry but I put in as much detail as I could. If it helps, I definitely didn't click banners, links or adverts while I was on. I was just checking subscribed threads.

    I shall refrain from further speculation.....
     
  13. Thirteen Ball

    Thirteen Ball Active Member

    PS - I've just remembered I was typing a reply when it all kicked off - so it's very likely I will have contracted it from a thread I posted on on the evening of 21/04/2011. Probably about 10-10:30pm.

    Using Firefox and Adblock Plus, Windows Vista and (then) AVG anti-virus. (Now on Kaspersky.)
     
  14. andyp

    andyp Active Member

    Andi - as you use Firefox/Adblock Plus, do you still see the adverts on the right of tMP (top one being twitter.com), any across the top, or none at all?

    Highly recommend you add the NoScript add-on to Firefox as well, you have to tell it which sites you trust as you go along to start with, but it remembers and then won't allow JavaScript code from other sites to run, which makes it a great safety feature.
     
  15. Jan H

    Jan H Moderator Staff Member

    Thanks Andi, all concrete information is helpful!
    But some people were just guessing ("it could be the ads"). I would rather get a reply from someone who really knows about internet security, and who can point us to which ad it is exactly that is causing the problem (if there is one at all).
     
  16. Jan H

    Jan H Moderator Staff Member

    I only see the ads on the right. At the top of the page I only see the tMP logo on the left, and in the middle a link to the tMP Twitter account, with the text "follow me icon".

    I seem to remember from before that there used to be an ad banner on the top right as well? Or could I have blocked that? I do have the AdBlock Plus addon for Firefox.
     
  17. andyp

    andyp Active Member

    Well, looking on mine at home, NoScript is blocking scripts from shoppingads.com, and AdBlock Plus is blocking anything with \adserver\, or images_ad, or |http://ads.$domain+~ads.su~ahds.ac.uk in the filename. However I still see the column of ads at the RHS with the Twitter bit at the top, as well as the ones for Helios, Jupiter and Rayburn Tours. The view is the same at work using FF3 with just Adblock Plus.

    This is a much simpler explanation than the link I found before....

    http://answers.yahoo.com/question/index?qid=20100112050141AAxgGzg
     
  18. Jan H

    Jan H Moderator Staff Member

    It seems to me that AdBlock Plus keeps the possibly malicious links away, so I would recommend every Firefox user to use that addon. Maybe there are similar extensions for other browsers as well?

    The ads on the right hand side are, I believe, just animated gifs made by the Forum administrators, with a static link. There is no JavaScript or something like that involved, so I suppose those ads are not vulnerable?
     
  19. andyp

    andyp Active Member

    I knocked AdBlock Plus off on the tMP homepage, and what it's blocking is the advert immediately to the right of the tMP logo (in between it and the Twitter "follow me") - this is randomly generated (presumably from a list) by this code in the tMP page: (the // at the start of every line is to comment the line out so you can see it rather than it running on this page!)

    //<script language='JavaScript' type='text/javascript'>
    //<!--
    // if (!document.phpAds_used) document.phpAds_used = ',';
    // phpAds_random = new String (Math.random()); phpAds_random =
    // phpAds_random.substring(2,11);
    // document.write ("<" + "script language='JavaScript' type='text/javascript' src='");
    // document.write ("http://www.themouthpiece.com/adserver/adjs.php?n=" + phpAds_random);
    // document.write ("&amp;what=zone:16&amp;target=_blank");
    // document.write ("&amp;exclude=" + document.phpAds_used);
    // if (document.referer)
    // document.write ("&amp;referer=" + escape(document.referer));
    // document.write ("'><" + "/script>");
    //-->
    // </script><noscript>
    // <a href='http://www.themouthpiece.com/adserver/adclick.php?n=a346483c'
    // target='_blank'><img src='http://www.themouthpiece.com/adserver/adview.php?what=zone:16&amp;n=a346483c' border='0' alt=''></a></noscript>

    So every visit to the page you get a different advert, pressing refresh changes it too. I think this is why some people have got unlucky and a lot haven't (plus choice of browser, etc as before).

    If it is one of them that's been unlucky to get a dodgy redirect, the problem is finding out which one.......

    There are adblockers available for other browsers, however I'm not sure John would like us to encourage them as that's a revenue stream for the site?
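
An added example, not from the thread or from the tMP ad server: because the zone serves a different advert on each request, one way to narrow down which advert is involved is to save the ad server's reply from many requests made with different client setups and compare, per banner, which off-site hosts appear and for which clients. The captured replies, the `bannerid=` field, the profile labels and the hosts are constructed assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://[^\s'\"<>\\]+", re.I)
BANNER_RE = re.compile(r"bannerid=(\d+)")   # assumed field in the ad server's reply

def audit_samples(samples, allowed):
    """samples: (client_profile, reply_body) pairs saved from repeated requests.
    Returns one finding per (banner, host) where host is not under `allowed`."""
    got_banner = defaultdict(set)                     # banner -> profiles served it
    saw_host = defaultdict(lambda: defaultdict(set))  # banner -> host -> profiles
    for profile, body in samples:
        m = BANNER_RE.search(body)
        banner = m.group(1) if m else "unknown"
        got_banner[banner].add(profile)
        for url in URL_RE.findall(body):
            host = urlparse(url).hostname
            if host and not any(host == a or host.endswith("." + a) for a in allowed):
                saw_host[banner][host].add(profile)
    findings = []
    for banner, hosts in saw_host.items():
        for host, profiles in hosts.items():
            findings.append({
                "banner": banner,
                "host": host,
                # True when only some clients that received this banner saw the host
                "conditional": profiles != got_banner[banner],
                "profiles": sorted(profiles),
            })
    return sorted(findings, key=lambda f: (f["banner"], f["host"]))

# Constructed captures; profile-A / profile-B stand for OS + browser + antivirus combos.
AD = "http://www.themouthpiece.com/adserver/"
TRACKER = "<img src='http://tracker.example/p.gif'>"
INJECT = "<script src='http://192.0.2.10/x.js'></script>"

def reply(banner, extra=""):
    link = "<a href='%sadclick.php?bannerid=%d'><img src='%sadview.php?what=zone:16'></a>"
    return 'document.write("' + link % (AD, banner, AD) + extra + '");'

SAMPLES = [
    ("profile-A", reply(7, TRACKER)), ("profile-B", reply(7, TRACKER)),
    ("profile-A", reply(9)), ("profile-B", reply(9, INJECT)),
]
```

With `allowed={"themouthpiece.com"}`, banner 7 is reported with an off-site host every client saw, while banner 9 is reported with a host that only profile-B received, which is the conditional case.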
     
  20. tubafran

    tubafran Active Member

    Had an issue on a separate older works computer requiring a complete re-install of the HD after using Tmp - may be totally coincidental.

    Anyone noticed a reduction in postings and people accessing this site? Or is that again coincidental to the holiday period?

    Still having the Norton warning at home but says "no threats" after telling me this site is unsafe and also the warning about an attack on my computer on the first daily access.
     
