
Virus issues


DemonGoddess

Okay, before I start posting up the screens, here are the steps I've taken on the client side:

  • Ran an external scan, checking for issues, using two different services
  • Checked each and every file for changes that I did not previously make

I had the hosting company (Nexcess) check the physical hardware as well. That was the slowness yesterday. It took several hours to complete, as there is roughly 9.5GB of data (between all the databases) to scan, as well as the physical program files, graphics, etc.

Nexcess found NOTHING.

Rechecked with Google's Safe Browsing diagnostics today. Results here.

Submitted a dispute with Norton SafeWeb.

Screens of what I did not find. Meaning there are no infections.

antivirscan1.PNG

Thursday

googlesafebrowsing.PNG

Friday (yesterday)

googlesafeforum.PNG

One of the subdomains

inuantivir.PNG

I have more, but this is enough on the screen end I think.

In the meantime, it appears that IE is having issues with Ajax again.

I would also suggest to anyone getting this error, to disable any toolbars. Those things are prone to infection, and then spoof clean site addresses when trying to infect your machine.


Something else to keep in mind, is that we have a dedicated server, meaning that we share space with no one but ourselves for the hardware.

At this point, as it's very easy to use, I'd recommend switching to Chrome for your browser. I'll keep my opinions of Norton to myself, as many of you like it.

However, I use Kaspersky, and it has found absolutely NOTHING. Considering where I often end up when researching things FOR the site, if there was a problem, Kaspersky would've found it. It always does when I'm researching. This is NO different.


What I would do, is a couple things here. One, make sure your Java is up to date. If it's not, it often will make you get that kind of error. Two, if you have toolbars, get RID of them. Toolbars are vulnerable, will often piggyback nasties into your system, and spoof a site you visited.

Finally, if you're using IE (although I see you're using Firefox), ActiveX is an issue. ActiveX has ALWAYS been an issue. It makes it so that Trojans and the like easily find a way into your system. Again, because people who write this garbage piggyback their malware into the ActiveX controls, spoofing them.

You also need to be sure that your BROWSERS are up to date. If you don't choose to use FF 4.x, as many people don't, then I'd go to Chrome, Opera, or Safari. Browsers not kept up to date are vulnerable as well.

Rechecked everything, still shows clear on my end. Checked all the paths that could be affected as well. Where were you trying to go in the site?


Just to strongly reiterate what DG has already said, if you have any third party toolbars on your browsers, delete them! They're a bit like having a permanent open door straight into your computer. The convenience they might offer is really not worth the potential problems they can cause.

When you're installing programs, such as Yahoo Messenger for example, it's always better to select the custom install option, because if the program has a toolbar option, the standard install usually has that selected automatically. So if you select custom install, you should have the option of not downloading the toolbar.


...and...

Someone tried to hack the banner software, which is what's doing this now. So I am doing a clean install of it, having the hosting company check again to be sure that nothing escaped, and then doing some stuff with Google webmaster tools.

I do have users telling me Teatimer and Malwarebytes are finding nothing, and I know Kaspersky is finding nothing as I use it.


Hey there, I just thought I'd report that I've had my Chrome freak out since this morning around 5am or so, blasting me with a malware warning. I'll include a screenshot (ImageShack link) of the screen. I use Avast for protection, not sure if this has any importance. Thank you!

http://imageshack.us/photo/my-images/121/mlwaff.jpg/


I'm getting the same results from AVG, Norton and URLVoid as I have been, that the site is clean.

All browsers I checked with, except Chrome are now loading without issue. The other browsers that loaded fine now are Firefox, Internet Explorer, Safari, and Opera.

Chrome is now detecting the Java used in the archive menu as being malicious code, but that code hasn't been changed in years. The newest Java is in the RTE, and that is ALSO unchanged since it was added in February.

It appears that we had someone try to hack in through the banner software in the early hours (for me) between roughly 2 am and 4 am EDT.

So, to get around that, what I did was a fresh install, new database tables and a new user for the db for this particular software.

I then deleted all the old stuff.

This will hopefully fix it all.

Last step, is waiting for Google to do a review. As they do it on PDT, I expect that won't happen until around 2 or 3 am my time.


Yes, that's exactly what I mean. The compromised install was renamed and then deleted. I also deleted all the tables from the db for it, and the user that was assigned to that program. Thanks again for checking!

On Mon, Jun 20, 2011 at 10:00 PM, Alex Headley <support@nexcess.net> wrote:

Jennie,

I just ran a malware scan on your entire site and didn't get any hits. Do you mean that you deleted the compromised install (after renaming to admanold/) so the new one at adman2/ is clean?

---

Alex Headley

Nexcess - Beyond Hosting

As you can see, what I told you all earlier, is that there was a hack attempt. So, I did what I could my end, and Nexcess did everything I asked on their end.


How to add exceptions to your browser

In Firefox-

From the menu, select Tools

Select Options, then Security

There is a button "exceptions"

Click it, and add the url you want allowed.

After you do this, you MUST clear your cache and close your browser, then restart it.

Changes don't take effect until you do.

In IE

In the menu, select tools.

Select Internet Options

This brings up a pop up with tabs

Click the security tab.

Click the "trusted sites" green arrow.

Add the url to the site you want to add

Again, you must clear your cache, close your browser, and restart it for any changes to take effect.

In Opera

From the menu, select Settings, and then Preferences. Alternately, use Ctrl+F12

From the advanced tab, click security.

Click trusted websites

Add the url

Clear cache, close browser, restart it

In Safari, there is no real way to set exceptions. However, if you really wanted to, you can click the gear icon, select preferences, click security and uncheck "Warn when visiting fraudulent sites". I wouldn't necessarily do this, as it will leave the browser open to ANY site at all. Including ones that are truly infected.

In Chrome

Click the wrench icon

Select Options

Click "Under the Hood"

Again, you could disable the phishing and malware service, but I wouldn't recommend it.

Click "Content Settings"

For cookies, click "manage exceptions"

Add the url

For Java, click "manage exceptions"

Add the url

When you're done, click "clear browsing data"

Close the browser, and restart it.

---

I put the above information up, because after further research, it can take a week or two to remove a site from Google's black list, no matter if it's clean and been tested.


Thank you for the instructions!!!!! Finally I can get onto the site without that big red pop up.


WOOT!! In the inbox...

*** DO NOT REPLY TO THIS E-MAIL ***

URL: http://www.adult-fanfiction.org/

Congratulations! This URL is no longer reported as badware by any of StopBadware's data providers. We have therefore closed this review and updated our Badware Website Clearinghouse. Any warnings about the URL that are based on our providers' data should be removed shortly.

Please know that this does not necessarily mean your site is completely free of badware or that it is no longer at risk of being reinfected. Help protect your site from future infection by reading our Tips for Cleaning & Securing Your Website. For additional help, visit our online community, BadwareBusters.org. We're always interested in hearing from site owners who have used our independent review process. Have feedback about how we can make it better? Drop us a line at feedback@stopbadware.org.

We're able to manually review websites (like yours!) because we've maintained our status as an independent non-profit organization; this means we rely entirely on donations from individuals and organizations that believe in the value of what we do. If we've helped you, please consider making a small donation. Thanks for helping stop badware!

The StopBadware team

*** DO NOT REPLY TO THIS E-MAIL ***

In a sideways kind of way I'm thankful Chrome and Google do that though. I don't even want to THINK about what a mess I would've had, for data recovery and site crash issues had this not been seen.


  • 3 weeks later...
Guest ReariaevawN

Haven't gotten the Attack site warning since the prob was fixed, but did have a trojan warning the other night while visiting - from a very old computer with outdated anti-virus software. I attributed it to my fossil laptop...
