Google Chrome...malicious code detection

Have your say on issues related to using a DSLR camera.

Moderator: Moderators

Forum rules
Please ensure that you have a meaningful location included in your profile. Please refer to the FAQ for details of what "meaningful" is.

Google Chrome...malicious code detection

Postby aim54x on Sat Sep 12, 2009 10:50 pm

Hey guys,

Just wanted to know if anyone else uses Google Chrome, and every so often comes across the malicious code detection warning. At the present, it appears that DSLRusers.com has elements from reycross.com that contains malicious codes, according to my Google Chrome. I have had this happen on several previous occaisions with DSLRusers and Google Chrome but they usually clear up soon.

Does anyone know what Chrome thinks is the bad stuff?

Cheers
Cameron
Cameron
Nikon F/Nikon 1 | Hasselblad V/XPAN| Leica M/LTM |Sony α/FE/E/Maxxum/M42
Wishlist Nikkor 24/85 f/1.4| Fuji Natura Black
Scout-Images | Flickr | 365Project
User avatar
aim54x
Senior Member
 
Posts: 7305
Joined: Fri Feb 01, 2008 10:13 pm
Location: Penshurst, Sydney

Re: Google Chrome...malicious code detection

Postby sirhc55 on Sat Sep 12, 2009 10:59 pm

Not Chrome for me Cameron but Firefox.

Just yesterday and today I’m getting a message that dslrusers.com is an attack site and I can’t get in unless I turn of the preference to detect such sites.
Chris
--------------------------------
I started my life with nothing and I’ve still got most of it left
User avatar
sirhc55
Key Member
 
Posts: 12930
Joined: Fri Sep 17, 2004 6:57 pm
Location: Port Macquarie - Olympus EM-10

Re: Google Chrome...malicious code detection

Postby aim54x on Sat Sep 12, 2009 11:02 pm

I stopped using firefox...but it guess it is very much the same....

This is what Chrome gives me when I ask why

Safe Browsing
Diagnostic page for dslrusers.com

What is the current listing status for dslrusers.com?
Site is listed as suspicious - visiting this web site may harm your computer.

What happened when Google visited this site?
Of the 81 pages we tested on the site over the past 90 days, 2 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2009-09-12, and the last time suspicious content was found on this site was on 2009-09-12.
Malicious software is hosted on 1 domain(s), including reycross.com/.

This site was hosted on 1 network(s) including AS11798 (BLUEHOST).

Has this site acted as an intermediary resulting in further distribution of malware?
Over the past 90 days, dslrusers.com did not appear to function as an intermediary for the infection of any sites.

Has this site hosted malware?
No, this site has not hosted malicious software over the past 90 days.

How did this happen?
In some cases, third parties can add malicious code to legitimate sites, which would cause us to show the warning message.

Next steps:
Return to the previous page.
If you are the owner of this web site, you can request a review of your site using Google Webmaster Tools. More information about the review process is available in Google's Webmaster Help Center.
Cameron
Nikon F/Nikon 1 | Hasselblad V/XPAN| Leica M/LTM |Sony α/FE/E/Maxxum/M42
Wishlist Nikkor 24/85 f/1.4| Fuji Natura Black
Scout-Images | Flickr | 365Project
User avatar
aim54x
Senior Member
 
Posts: 7305
Joined: Fri Feb 01, 2008 10:13 pm
Location: Penshurst, Sydney

Re: Google Chrome...malicious code detection

Postby Matt. K on Sat Sep 12, 2009 11:22 pm

I get the same thing. Should I be concerned?
Regards

Matt. K
User avatar
Matt. K
Former Outstanding Member Of The Year and KM
 
Posts: 9981
Joined: Mon Sep 06, 2004 7:12 pm
Location: North Nowra

Re: Google Chrome...malicious code detection

Postby aim54x on Sat Sep 12, 2009 11:52 pm

I have resorted to ignoring it for the moment, hoping that Norton will keep me secure...but I would recommend more caution.
Cameron
Nikon F/Nikon 1 | Hasselblad V/XPAN| Leica M/LTM |Sony α/FE/E/Maxxum/M42
Wishlist Nikkor 24/85 f/1.4| Fuji Natura Black
Scout-Images | Flickr | 365Project
User avatar
aim54x
Senior Member
 
Posts: 7305
Joined: Fri Feb 01, 2008 10:13 pm
Location: Penshurst, Sydney

Re: Google Chrome...malicious code detection

Postby sirhc55 on Sat Sep 12, 2009 11:57 pm

Well, if 3 of us are getting the same thing it would appear that there is some malware on the site.
Chris
--------------------------------
I started my life with nothing and I’ve still got most of it left
User avatar
sirhc55
Key Member
 
Posts: 12930
Joined: Fri Sep 17, 2004 6:57 pm
Location: Port Macquarie - Olympus EM-10

Re: Google Chrome...malicious code detection

Postby biggerry on Sun Sep 13, 2009 12:18 am

yeah i am also getting in firefox, only started today...
gerry's photography journey
No amount of processing will fix bad composition - trust me i have tried.
User avatar
biggerry
Senior Member
 
Posts: 5930
Joined: Tue May 13, 2008 12:40 am
Location: Under the flight path, Newtown, Sydney

Re: Google Chrome...malicious code detection

Postby gstark on Sun Sep 13, 2009 1:20 am

There was a minor hack; now fixed. Or it should be. Please make sure that you refresh your cache. I'm clearing the cache completely from the server side just to be sure.

The initial warning of this was puzzling for me, as I went into the source and could not see anywhere that the source had been hit. And Google told me that the site was, in fact, not a suspicious site.

Google wrote:Safe Browsing
Diagnostic page for www.dslrusers.com

What is the current listing status for www.dslrusers.com?

This site is not currently listed as suspicious.


It made a reference to reycross, but I could not see it anywhere, nor, upon searching the database, could I see it in there.

My reference came up with just the one infection in those 90 days, but I could not find the references to it anywhere. Leigh uses Chrome, and through that he was able to isolate what the problem was, and once that was done, it was fixed within a minute.

Bloody script kiddies .....

The only thing that puzzles me now is that this really just affected just one folder within the server site, but all of the files within the site were previously set to be write only to prevent this sort of thing from happening. I'm puzzled as to when their permissions were changed.
g.
Gary Stark
Nikon, Canon, Bronica .... stuff
The people who want English to be the official language of the United States are uncomfortable with their leaders being fluent in it - US Pres. Bartlet
User avatar
gstark
Site Admin
 
Posts: 22918
Joined: Thu Aug 05, 2004 11:41 pm
Location: Bondi, NSW

Re: Google Chrome...malicious code detection

Postby Geoff on Sun Sep 13, 2009 1:21 am

Me too (or three, or four)...
Safari is ok, but not firefox...
Geoff
Special Moments Photography
Nikon D700, 50mm 1.4, 85mm 1.4, 70-200 2.8VR, SB800 & some simple studio stuff.
User avatar
Geoff
Moderator
 
Posts: 7791
Joined: Sat Aug 07, 2004 12:08 am
Location: Freshwater - Northern Beaches, Sydney.

Re: Google Chrome...malicious code detection

Postby ATJ on Sun Sep 13, 2009 10:05 am

I cleared my cache. It made no difference.
User avatar
ATJ
Senior Member
 
Posts: 3982
Joined: Fri Feb 18, 2005 10:44 am
Location: Blue Mountains, NSW

Re: Google Chrome...malicious code detection

Postby gstark on Sun Sep 13, 2009 10:47 am

ATJ wrote:I cleared my cache. It made no difference.


Yes, I suspect it did.

Not to the speed by which Google will re-evaluate the site, which appears it may be glacial, but to the content that is the hack. That affects the warning that you see, but what's probably more important is the removal of the suspicious content from the code, and clearing the cache removes that suspicious content.

If you search the page for the text "if rame", and if you find it, then you're still receiving hacked code. (I've inserted a small space into that text so that it doesn't appear within your search.)

But until the Google re-evaluation occurs, it will still appear to be a dangerous site.

Which I think is very poor on the part of Google: if they take it upon themselves to be the arbiter of what is safe and what is ot, then they have a duty to respond to re-evaluation requests with some urgency.
g.
Gary Stark
Nikon, Canon, Bronica .... stuff
The people who want English to be the official language of the United States are uncomfortable with their leaders being fluent in it - US Pres. Bartlet
User avatar
gstark
Site Admin
 
Posts: 22918
Joined: Thu Aug 05, 2004 11:41 pm
Location: Bondi, NSW

Re: Google Chrome...malicious code detection

Postby sirhc55 on Sun Sep 13, 2009 10:59 am

1 cleared cache, still get an attack site warning
2 Turned off “warn me if site is an attack site” able to log into dlsrusers
3 cleared cache
4 turned on warning in preferences
5 back to attack site warning

So, bye-bye for the time being 8)
Chris
--------------------------------
I started my life with nothing and I’ve still got most of it left
User avatar
sirhc55
Key Member
 
Posts: 12930
Joined: Fri Sep 17, 2004 6:57 pm
Location: Port Macquarie - Olympus EM-10

Re: Google Chrome...malicious code detection

Postby gstark on Sun Sep 13, 2009 11:02 am

gstark wrote:But until the Google re-evaluation occurs, it will still appear to be a dangerous site.


And that has now been completed.

Image


they have a duty to respond to re-evaluation requests with some urgency.


And so they have done.

So this now will just take some time to propogate through the various systems, whatever they may be.
g.
Gary Stark
Nikon, Canon, Bronica .... stuff
The people who want English to be the official language of the United States are uncomfortable with their leaders being fluent in it - US Pres. Bartlet
User avatar
gstark
Site Admin
 
Posts: 22918
Joined: Thu Aug 05, 2004 11:41 pm
Location: Bondi, NSW

Re: Google Chrome...malicious code detection

Postby gstark on Sun Sep 13, 2009 11:07 am

sirhc55 wrote:1 cleared cache, still get an attack site warning


Yep. The warning isn't yet cleared, Chris, and clearing the cache cannot do anything about that, but it does ensure that the problematic code is gone. That is the more important task, and that was done around midnight.

Please take a few moments to read my posts. You will see that

(a) The code - and the site - is now (again) clean.

(b) Google agrees that the site is clean.

(c) Google have confirmed that they are removing the warnings.

(d) But that the warning removal process takes time.

Cheers.
g.
Gary Stark
Nikon, Canon, Bronica .... stuff
The people who want English to be the official language of the United States are uncomfortable with their leaders being fluent in it - US Pres. Bartlet
User avatar
gstark
Site Admin
 
Posts: 22918
Joined: Thu Aug 05, 2004 11:41 pm
Location: Bondi, NSW

Re: Google Chrome...malicious code detection

Postby ATJ on Sun Sep 13, 2009 11:08 am

Gary,

If you are going to close the thread I created in the PUBLIC forums, I suggest you move this thread from one of the PRIVATE forums so EVERYONE is able to read it.

Because of the problem, I was not able to see this thread until I logged on - and I wasn't logged on because I came via .net instead of .com.

As it is, only true members (>50 posts, etc.) can see this thread so you will have a lot of people wondering what is happening.
User avatar
ATJ
Senior Member
 
Posts: 3982
Joined: Fri Feb 18, 2005 10:44 am
Location: Blue Mountains, NSW

Re: Google Chrome...malicious code detection

Postby gstark on Sun Sep 13, 2009 11:14 am

ATJ wrote:As it is, only true members (>50 posts, etc.) can see this thread so you will have a lot of people wondering what is happening.


Thanks, Andrew,

I wasn't aware of that, so I shall do exactly that.

And FWIW, the .net domain, which uses the exact same codebase - both sites use the same physical location on the server - reports as clean.
g.
Gary Stark
Nikon, Canon, Bronica .... stuff
The people who want English to be the official language of the United States are uncomfortable with their leaders being fluent in it - US Pres. Bartlet
User avatar
gstark
Site Admin
 
Posts: 22918
Joined: Thu Aug 05, 2004 11:41 pm
Location: Bondi, NSW

Re: Google Chrome...malicious code detection

Postby gstark on Sun Sep 13, 2009 11:27 am

Just a bit more on this ... from Google ...

Here's what their evaluation of the site looked like around midnight ...

Image

And here is their current report.

Image

The big difference here is in the number of pages that they've looked at over those ten or so hours, and the fact that no further suspicious code has been located.

What's somewhat interesting here is that in one of their reports, they list the site as being fixed, but in another they do not yet list it as such.
g.
Gary Stark
Nikon, Canon, Bronica .... stuff
The people who want English to be the official language of the United States are uncomfortable with their leaders being fluent in it - US Pres. Bartlet
User avatar
gstark
Site Admin
 
Posts: 22918
Joined: Thu Aug 05, 2004 11:41 pm
Location: Bondi, NSW

Re: Google Chrome...malicious code detection

Postby gstark on Sun Sep 13, 2009 11:32 am

Andrew,

I just noticed this bit ...

ATJ wrote:Because of the problem, I was not able to see this thread until I logged on - and I wasn't logged on because I came via .net instead of .com.


So, you came to the .net site - which was not reporting as containing any problems - logged on, and then, having been logged on to the .com site, you - then - first saw the warning ?
g.
Gary Stark
Nikon, Canon, Bronica .... stuff
The people who want English to be the official language of the United States are uncomfortable with their leaders being fluent in it - US Pres. Bartlet
User avatar
gstark
Site Admin
 
Posts: 22918
Joined: Thu Aug 05, 2004 11:41 pm
Location: Bondi, NSW

Re: Google Chrome...malicious code detection

Postby gstark on Sun Sep 13, 2009 11:44 am

And in FF3.5, the warnings (site-blocking) are now gone as well.

We now return you to your normal programming.

Bloody useless hackers ... the waste of time their vandalism creates. Really pisses me off!
g.
Gary Stark
Nikon, Canon, Bronica .... stuff
The people who want English to be the official language of the United States are uncomfortable with their leaders being fluent in it - US Pres. Bartlet
User avatar
gstark
Site Admin
 
Posts: 22918
Joined: Thu Aug 05, 2004 11:41 pm
Location: Bondi, NSW

Re: Google Chrome...malicious code detection

Postby ATJ on Sun Sep 13, 2009 12:23 pm

gstark wrote:So, you came to the .net site - which was not reporting as containing any problems - logged on, and then, having been logged on to the .com site, you - then - first saw the warning ?

No. I was on the .com site (from yesterday). I refreshed and got the warning. Read the warning which said it affected the .com site and thought "It probably won't affect the .net site" so went to the .net site. As the .net site will have a different set of cookies, I wasn't logged on automatically. I didn't immediately realise I wasn't logged on. I looked at "View new posts" and saw a) there were very few posts and b) there was nothing there about the warning, so I created a new thread in General Discussion (as I knew everyone could see it). It was only when I went to create the new thread that I realised I wasn't logged on.

After I logged on, I saw this thread.
User avatar
ATJ
Senior Member
 
Posts: 3982
Joined: Fri Feb 18, 2005 10:44 am
Location: Blue Mountains, NSW

Re: Google Chrome...malicious code detection

Postby gstark on Sun Sep 13, 2009 12:37 pm

ATJ wrote:
gstark wrote:So, you came to the .net site - which was not reporting as containing any problems - logged on, and then, having been logged on to the .com site, you - then - first saw the warning ?

No. I was on the .com site (from yesterday). I refreshed and got the warning. Read the warning which said it affected the .com site and thought "It probably won't affect the .net site" so went to the .net site.


While it did not affect the .net site, it should have. That's a failing in the Google system, really.

Let me clarify what I'm saying here ... the .net site was affected by the same suspicious code, but it was not flagged by Google as being a potentially dangerous site. But anyone who logged on after about a quarter past midnight - after I fixed the problem - would have seen a clean site, regardless of which site they went to, and regardless of any Google warnings that they might have seen.

FWIW, neither of the D70Users sites were affected. While they use the same code, they live on a different server.

As the .net site will have a different set of cookies, I wasn't logged on automatically. I didn't immediately realise I wasn't logged on. I looked at "View new posts" and saw a) there were very few posts and b) there was nothing there about the warning, so I created a new thread in General Discussion (as I knew everyone could see it). It was only when I went to create the new thread that I realised I wasn't logged on.


Ok, thanks for the clarification. I appreciate it, as it helps me to understand what you have been seeing. I have a slightly different view of the forum, because of my user access rights etc.

And I appreciate everyone else's help in this too, btw.

Off to Newtown now.
g.
Gary Stark
Nikon, Canon, Bronica .... stuff
The people who want English to be the official language of the United States are uncomfortable with their leaders being fluent in it - US Pres. Bartlet
User avatar
gstark
Site Admin
 
Posts: 22918
Joined: Thu Aug 05, 2004 11:41 pm
Location: Bondi, NSW

Re: Google Chrome...malicious code detection

Postby ATJ on Sun Sep 13, 2009 1:19 pm

gstark wrote:While it did not affect the .net site, it should have. That's a failing in the Google system, really.

Let me clarify what I'm saying here ... the .net site was affected by the same suspicious code, but it was not flagged by Google as being a potentially dangerous site. But anyone who logged on after about a quarter past midnight - after I fixed the problem - would have seen a clean site, regardless of which site they went to, and regardless of any Google warnings that they might have seen.

FWIW, neither of the D70Users sites were affected. While they use the same code, they live on a different server.

Yes. I fully understand that. The bottom line, however, is that Google only flags the URL, not the site as such, so there was a good chance that it had not checked the site via dslrusers.net (seeing as this only happened in the last 12 hours).
User avatar
ATJ
Senior Member
 
Posts: 3982
Joined: Fri Feb 18, 2005 10:44 am
Location: Blue Mountains, NSW

Re: Google Chrome...malicious code detection

Postby gstark on Sun Sep 13, 2009 4:54 pm

ATJ wrote:The bottom line, however, is that Google only flags the URL, not the site as such, so there was a good chance that it had not checked the site via dslrusers.net (seeing as this only happened in the last 12 hours).


Exactly.
g.
Gary Stark
Nikon, Canon, Bronica .... stuff
The people who want English to be the official language of the United States are uncomfortable with their leaders being fluent in it - US Pres. Bartlet
User avatar
gstark
Site Admin
 
Posts: 22918
Joined: Thu Aug 05, 2004 11:41 pm
Location: Bondi, NSW

Re: Google Chrome...malicious code detection

Postby LaurieE on Sun Sep 13, 2009 11:17 pm

thanks for responding so quickly to it. I got the message last night on chrom and IE. all seems to be good now!
Laurie

Nikon D90, lenses and stuff
User avatar
LaurieE
Member
 
Posts: 59
Joined: Sat Aug 22, 2009 6:54 pm
Location: Lysterfield, Vic


Return to General Discussion