TFF listed as attack site (yet again!) in firefox

[Dragon_Jiriki]

It's happened again. Google's listed TFF as an attack site again for Firefox users. And once again the culprit seems to be google's adsense ads!

Now I'm unhappy!

[LocoColt04]

Okay, I know that AdSense brings in most of the funds required to run this place, but damnit this is just ridiculous now. Fuzz, we have to do something, whether it's in the form of finding an alternative or whatever...

[Blacksmith]

For those using Firefox 3

That should fix your problem, hopefully.

[Merlin]

Has Fuzz actually scanned all the files on the server to see if there is a link to google-analytize.com? That isn't Google, it's a malware site with a similar name. It's possible the forums or the site has a link to it somewhere and Google is picking it up. Either that or someone hi-jacked the ads on Google's search engine itself, which is a known issue they aren't doing anything about. Never click sponsered links... ^_^

[Mistress Sheena]

Speaking of "google analytize", I see that URL loading whenever I load the TFF forums index, so something may be linking to there, or something like that.

[Merlin]

Then it's a good possibility something is screwed up in the forums settings. I'm not sure where he put the ad shit in the forum code at but I can look at it later.

I'm working on scanning all the site files by hand to see if any of those are contaminated.

[Sarah]

I looked at the source code for this page, out of curiousity, to see what I could find. It just confirms our problems, but here it is.

Quote:

<td align="right">
<script type="text/javascript"><!--
google_ad_client = "pub-3864201044463925";
google_ad_width = 468;
google_ad_height = 60;
google_ad_format = "468x60_as";
google_ad_type = "text_image";
google_ad_channel ="";
google_color_border = "000000";
google_color_bg = "F0F0F0";
google_color_link = "0000FF";
google_color_url = "008000";
google_color_text = "000000";
//--></script>
<script type="text/javascript"
src="http://pagead2.googlesyndication.com/pagead/show_ads.js">
</script>

I did a quick search to see what others experienced. Here is what I came across.

Quote:

Originally Posted by jellymeli.com

Dear Google: pagead2.googlesyndication.com
November 9, 2007 — jellymeli

Dear Google,

First of all, I would like to start off with letting you know that I love your search engine. I know it, I use it, and it’s a handy little tool when I need to find things on the internet. However, I don’t feel its okay for your ad sense advertisements to freeze my browser when visiting websites.

I started experiencing my browser freezing on me last night on my home laptop computer. I was visiting a website that was attempting to transfer through pagead2.googlesyndication.com. It happened again today at work causing another frozen browser from a different website trying to display pagead2.googlesyndication.com. Now I understand you make money off these advertisements, but when they lag and freeze browsers, you are both causing havoc for the company displaying the ad’s, as well as losing them valuable visitors.

Now, I know you are probably not trying to cause these problems, but before any updates that you may be doing to pagead2.googlesyndication.com, you may want to make sure that it doesn’t freeze browsers.

Sincerely,

JellyMeli

source = Dear Google: pagead2.googlesyndication.com Jellymeli’s Search Engine Optimization Blog

I know it's old, but it still points to the issue we've pinpointed. I don't have time right now to further research anything, so I'm throwing this out there for someone to look up while I'm gone. I'm gonna look into it further tonight when I get home. I'm sick of this being a problem- not just for TFF, but for other people. I want to know exactly what to tell people to be aware of.

[Merlin]

That didn't pinpoint anything... all sites that have Google's adSense use that same block of code, just with a different client id.

I couldn't find any botched code in the forums or in the files. All of them use that same block of code. The phrase google-analytize.com isn't located in any of the files or templates either.

EDIT:

There ARE viruses on the server. I was skipping images since I was focusing on code, but I'm going to do a more thorough search of every file when I get home. Here are some that I found and deleted:

/picturepost/final_fantasy_iii/1408.2007.iTALiAN.AC3.DVDRip.XviD-GOLD.cd1.avi
/picturepost/final_fantasy_iii/La.Bussola.D.Oro.2007.iTALiAN.MD.CAM.XviD-DSi.avi
/picturepost/final_fantasy_iii/xh


I have deleted these files off the server. It looks like someone was using PicturePost to store porn on TFF and the files have viruses.

[Merlin]

This needs a separate post, due to its importance:

The following people are BANNED for using vB-exploiting code in their sigs:

Death Sentence
maxpower
Please smoke up


The use of JavaScript of any sort is not allowed on TFF and you have no chances with this. If such code is used in an exploitive manner, you will be banned upon discovery. If you re-register I will ban you again. Keep your script-kiddy shit on your own site and leave it off TFF.

~~~~
I will continue to search for problems when I get home from college. Sarah, you were actually right... just not how you think. I was doing research on a vB exploit one of the above people were using and the site I went to was flagged by my virus software:

Notice who it's from? This IS NOT a knockoff site... the virus is coming straight from Google. Now, this isn't our only problem here at TFF, but it is part of it. Note: The line thing is a cursor when I was copy+pasting the text... its not a L.

[Fuzz]

I was so mad when we got flagged again by Google. It is just getting beyond annoying at this point. Thanks Merlin for taking the time to scan the files and look over the VB settings. I have also searched all files on TFF for google-analytize and b1izzard and have found nothing. In addition, I have also search the raw forum database and found nothing either.

We have had problems with the picturepost directory having suspicious files being uploaded to it. I just went into the server and made sure all directories were protected again, and yes, there was a loop-hole in there. Merlin did you check all the sub-directories? thanks again for finding those. Also, for the vb exploits you found... can we disable javascript or lock down the signatures to any extent? I wasn't aware of these exploits.

IT is a shame if this is Google Adsense. I know it has been the case a few times in the past, but there is no way we can control that. I have made several attempts to let Google aware of this 3rd party ad problem...

I am isntalling ClamAV to the server for more thorough virus protection. Hopefully this warning will be removed promptly and soon.

[Merlin]

Make sure you go through the hosts file in etc/hosts to see if there are any references to pagead2.googlesyndication.com or any other Google stuff and delete them. It's still a possibility that it really isn't Google doing it, but a third-party site which redirects back to Google after it installs shit on your comp unbeknownced to you. Might as well eliminate any possibility it's the box. If it's not the box, then well... we at least know with certainty WE aren't the ones dumping trojans on people.

You still need to scan the entire disk for any more viruses because I didn't want to download every single file off the server and check by hand unless I had to. I can, but it will take a while to dl it all.

Oh and feel free to email that pic to Google and tell them to shove it up their ass. Here is the log of it:

Quote:

9/29/2008 3:49:18 PM SYSTEM 1672 Sign of "SWF:CVE-2007-0071 [Expl]" has been found in "http://pagead2.googlesyndication.com/pagead/imgad?id=CKWl9-Lap9WKDRB4GPABMghBuUR29LmeLA" file.

EDIT:
In case you're interested in the infection on our server, here it is:

Quote:

9/29/2008 3:12:13 PM SYSTEM 1672 Sign of "ELF:Malware-gen" has been found in "C:\Users\Merlin\Desktop\httpdocs\picturepost\imag es\maps\final_fantasy_iii\xh" file.

I obviously deleted any infected files I found...