DSLRUsers.com

[aim54x]

Hey guys,

Just wanted to know if anyone else uses Google Chrome, and every so often comes across the malicious code detection warning. At the present, it appears that DSLRusers.com has elements from reycross.com that contains malicious codes, according to my Google Chrome. I have had this happen on several previous occaisions with DSLRusers and Google Chrome but they usually clear up soon.

Does anyone know what Chrome thinks is the bad stuff?

Cheers
Cameron

[sirhc55]

Not Chrome for me Cameron but Firefox.

Just yesterday and today I’m getting a message that dslrusers.com is an attack site and I can’t get in unless I turn of the preference to detect such sites.

[aim54x]

I stopped using firefox...but it guess it is very much the same....

This is what Chrome gives me when I ask why

Safe Browsing
Diagnostic page for dslrusers.com

What is the current listing status for dslrusers.com?
Site is listed as suspicious - visiting this web site may harm your computer.

What happened when Google visited this site?
Of the 81 pages we tested on the site over the past 90 days, 2 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2009-09-12, and the last time suspicious content was found on this site was on 2009-09-12.
Malicious software is hosted on 1 domain(s), including reycross.com/.

This site was hosted on 1 network(s) including AS11798 (BLUEHOST).

Has this site acted as an intermediary resulting in further distribution of malware?
Over the past 90 days, dslrusers.com did not appear to function as an intermediary for the infection of any sites.

Has this site hosted malware?
No, this site has not hosted malicious software over the past 90 days.

How did this happen?
In some cases, third parties can add malicious code to legitimate sites, which would cause us to show the warning message.

Next steps:
Return to the previous page.
If you are the owner of this web site, you can request a review of your site using Google Webmaster Tools. More information about the review process is available in Google's Webmaster Help Center.

[Matt. K]

I get the same thing. Should I be concerned?

[aim54x]

I have resorted to ignoring it for the moment, hoping that Norton will keep me secure...but I would recommend more caution.

[sirhc55]

Well, if 3 of us are getting the same thing it would appear that there is some malware on the site.

[biggerry]

yeah i am also getting in firefox, only started today...

[gstark]

There was a minor hack; now fixed. Or it should be. Please make sure that you refresh your cache. I'm clearing the cache completely from the server side just to be sure.

The initial warning of this was puzzling for me, as I went into the source and could not see anywhere that the source had been hit. And Google told me that the site was, in fact, not a suspicious site.

Safe Browsing
Diagnostic page for www.dslrusers.com

What is the current listing status for www.dslrusers.com?

This site is not currently listed as suspicious.

It made a reference to reycross, but I could not see it anywhere, nor, upon searching the database, could I see it in there.

My reference came up with just the one infection in those 90 days, but I could not find the references to it anywhere. Leigh uses Chrome, and through that he was able to isolate what the problem was, and once that was done, it was fixed within a minute.

Bloody script kiddies .....

The only thing that puzzles me now is that this really just affected just one folder within the server site, but all of the files within the site were previously set to be write only to prevent this sort of thing from happening. I'm puzzled as to when their permissions were changed.

[Geoff]

Me too (or three, or four)...
Safari is ok, but not firefox...

[ATJ]

I cleared my cache. It made no difference.

[gstark]

I cleared my cache. It made no difference.

Yes, I suspect it did.

Not to the speed by which Google will re-evaluate the site, which appears it may be glacial, but to the content that is the hack. That affects the warning that you see, but what's probably more important is the removal of the suspicious content from the code, and clearing the cache removes that suspicious content.

If you search the page for the text "if rame", and if you find it, then you're still receiving hacked code. (I've inserted a small space into that text so that it doesn't appear within your search.)

But until the Google re-evaluation occurs, it will still appear to be a dangerous site.

Which I think is very poor on the part of Google: if they take it upon themselves to be the arbiter of what is safe and what is ot, then they have a duty to respond to re-evaluation requests with some urgency.

[sirhc55]

1 cleared cache, still get an attack site warning
2 Turned off “warn me if site is an attack site” able to log into dlsrusers
3 cleared cache
4 turned on warning in preferences
5 back to attack site warning

So, bye-bye for the time being

[gstark]

But until the Google re-evaluation occurs, it will still appear to be a dangerous site.

And that has now been completed.

they have a duty to respond to re-evaluation requests with some urgency.

And so they have done.

So this now will just take some time to propogate through the various systems, whatever they may be.

[gstark]

1 cleared cache, still get an attack site warning

Yep. The warning isn't yet cleared, Chris, and clearing the cache cannot do anything about that, but it does ensure that the problematic code is gone. That is the more important task, and that was done around midnight.

Please take a few moments to read my posts. You will see that

(a) The code - and the site - is now (again) clean.

(b) Google agrees that the site is clean.

(c) Google have confirmed that they are removing the warnings.

(d) But that the warning removal process takes time.

Cheers.

[ATJ]

Gary,

If you are going to close the thread I created in the PUBLIC forums, I suggest you move this thread from one of the PRIVATE forums so EVERYONE is able to read it.

Because of the problem, I was not able to see this thread until I logged on - and I wasn't logged on because I came via .net instead of .com.

As it is, only true members (>50 posts, etc.) can see this thread so you will have a lot of people wondering what is happening.

[gstark]

As it is, only true members (>50 posts, etc.) can see this thread so you will have a lot of people wondering what is happening.

Thanks, Andrew,

I wasn't aware of that, so I shall do exactly that.

And FWIW, the .net domain, which uses the exact same codebase - both sites use the same physical location on the server - reports as clean.

[gstark]

Just a bit more on this ... from Google ...

Here's what their evaluation of the site looked like around midnight ...



And here is their current report.



The big difference here is in the number of pages that they've looked at over those ten or so hours, and the fact that no further suspicious code has been located.

What's somewhat interesting here is that in one of their reports, they list the site as being fixed, but in another they do not yet list it as such.

[gstark]

Andrew,

I just noticed this bit ...

Because of the problem, I was not able to see this thread until I logged on - and I wasn't logged on because I came via .net instead of .com.

So, you came to the .net site - which was not reporting as containing any problems - logged on, and then, having been logged on to the .com site, you - then - first saw the warning ?

[gstark]

And in FF3.5, the warnings (site-blocking) are now gone as well.

We now return you to your normal programming.

Bloody useless hackers ... the waste of time their vandalism creates. Really pisses me off!

[ATJ]

So, you came to the .net site - which was not reporting as containing any problems - logged on, and then, having been logged on to the .com site, you - then - first saw the warning ?

No. I was on the .com site (from yesterday). I refreshed and got the warning. Read the warning which said it affected the .com site and thought "It probably won't affect the .net site" so went to the .net site. As the .net site will have a different set of cookies, I wasn't logged on automatically. I didn't immediately realise I wasn't logged on. I looked at "View new posts" and saw a) there were very few posts and b) there was nothing there about the warning, so I created a new thread in General Discussion (as I knew everyone could see it). It was only when I went to create the new thread that I realised I wasn't logged on.

After I logged on, I saw this thread.

[gstark]

So, you came to the .net site - which was not reporting as containing any problems - logged on, and then, having been logged on to the .com site, you - then - first saw the warning ?

No. I was on the .com site (from yesterday). I refreshed and got the warning. Read the warning which said it affected the .com site and thought "It probably won't affect the .net site" so went to the .net site.

While it did not affect the .net site, it should have. That's a failing in the Google system, really.

Let me clarify what I'm saying here ... the .net site was affected by the same suspicious code, but it was not flagged by Google as being a potentially dangerous site. But anyone who logged on after about a quarter past midnight - after I fixed the problem - would have seen a clean site, regardless of which site they went to, and regardless of any Google warnings that they might have seen.

FWIW, neither of the D70Users sites were affected. While they use the same code, they live on a different server.

As the .net site will have a different set of cookies, I wasn't logged on automatically. I didn't immediately realise I wasn't logged on. I looked at "View new posts" and saw a) there were very few posts and b) there was nothing there about the warning, so I created a new thread in General Discussion (as I knew everyone could see it). It was only when I went to create the new thread that I realised I wasn't logged on.

Ok, thanks for the clarification. I appreciate it, as it helps me to understand what you have been seeing. I have a slightly different view of the forum, because of my user access rights etc.

And I appreciate everyone else's help in this too, btw.

Off to Newtown now.

[ATJ]

While it did not affect the .net site, it should have. That's a failing in the Google system, really.

Let me clarify what I'm saying here ... the .net site was affected by the same suspicious code, but it was not flagged by Google as being a potentially dangerous site. But anyone who logged on after about a quarter past midnight - after I fixed the problem - would have seen a clean site, regardless of which site they went to, and regardless of any Google warnings that they might have seen.

FWIW, neither of the D70Users sites were affected. While they use the same code, they live on a different server.

Yes. I fully understand that. The bottom line, however, is that Google only flags the URL, not the site as such, so there was a good chance that it had not checked the site via dslrusers.net (seeing as this only happened in the last 12 hours).

[gstark]

The bottom line, however, is that Google only flags the URL, not the site as such, so there was a good chance that it had not checked the site via dslrusers.net (seeing as this only happened in the last 12 hours).

Exactly.

[LaurieE]

thanks for responding so quickly to it. I got the message last night on chrom and IE. all seems to be good now!