[SOLVED] Google just said LQ was an "attack site".

unSpawn · 02-04-2013, 08:27 AM

Quote:

Originally Posted by DrLove73

It seams that openx.org, d1.rumbaypelo.com, and/or aboelaraby.com are culprits. So not the LQ directly but third-party links.

And that indeed is the problem. It's not the first time ad networks served malware or PUA but openx.{org,net} reputation is especially bad.

*Just for fun this is a diff of checking Google itself:

Code:

     This site is not currently listed as suspicious.
 
-    Part of this site was listed for suspicious activity 28 time(s) over the past 90 days.
+    Part of this site was listed for suspicious activity 29 time(s) over the past 90 days.
 
 What happened when Google visited this site?
 
-    Of the 670408 pages we tested on the site over the past 90 days, 109 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2013-02-03, and the last time suspicious content was found on this site was on 2013-02-03.
+    Of the 664546 pages we tested on the site over the past 90 days, 121 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2013-02-04, and the last time suspicious content was found on this site was on 2013-02-03.
 
-    Malicious software includes 140 trojan(s), 10 virus, 8 scripting exploit(s). Successful infection resulted in an average of 4 new process(es) on the target machine.
+    Malicious software includes 134 trojan(s), 10 virus, 7 scripting exploit(s). Successful infection resulted in an average of 4 new process(es) on the target machine.
 
-    Malicious software is hosted on 53 domain(s), including adsbyisocket.com/, imaginginsider.com/, dgsdfhsdfh.osa.pl/.
+    Malicious software is hosted on 55 domain(s), including adsbyisocket.com/, ads.zitaholdings.com/, imaginginsider.com/.
 
-    34 domain(s) appear to be functioning as intermediaries for distributing malware to visitors of this site, including googleusercontent.com/, zegreenweb.com/, feedsportal.com/.
+    42 domain(s) appear to be functioning as intermediaries for distributing malware to visitors of this site, including googleusercontent.com/, zegreenweb.com/, feedsportal.com/.
 
     This site was hosted on 145 network(s) including AS15169 (Google Internet Backbone), AS8359 (MTS), AS36040 (Bandaid XT+).
 
 Has this site acted as an intermediary resulting in further distribution of malware?
 
-    Over the past 90 days, google.com appeared to function as an intermediary for the infection of 23 site(s) including stroupecondoblog.com/, ow.ly/, www.jazaan.com.googlepages.com/.
+    Over the past 90 days, google.com appeared to function as an intermediary for the infection of 28 site(s) including stroupecondoblog.com/, ow.ly/, www.jazaan.com.googlepages.com/.
 
 Has this site hosted malware?
 
-    Yes, this site has hosted malicious software over the past 90 days. It infected 2 domain(s), including hahait.com/, tedaltenberg.com/.
+    Yes, this site has hosted malicious software over the past 90 days. It infected 1 domain(s), including tedaltenberg.com/.

As you can see it considers itself "not suspicious" even though it listed itself as suspect for about 30 out of 90 past days ;-p

273 · 02-04-2013, 08:35 AM

Quote:

Originally Posted by DrLove73

It seams that openx.org, d1.rumbaypelo.com, and/or aboelaraby.com are culprits. So not the LQ directly but third-party links.

I was about to say that I guessed it was a link somewhere. Usually these warnings are because there's a post somewhere that's managed an XSS attack or something though I suspect here it may even just be somebody posting malicious links.

By the above I mean that I don't see this as a false positive and won't until I see it confirmed. Whilst I'm not entirely comfortable that Firefox using Google's listings isn't invading my privacy somehow, and I certainly don't trust or like Google much I don't think warning like this are a bad thing. I've seen enough legitimate sites host malicious code and/or links to prefer that "the man in the street" is warned of these things.

webmastir · 02-04-2013, 08:38 AM

Does someone who maintains these forums know about this yet?

273 · 02-04-2013, 08:40 AM

Quote:

Originally Posted by webmastir

Does someone who maintains these forums know about this yet?

Yes:

Quote:

Originally Posted by jeremy

Looking at our Google Webmaster Tools account, this is definitely a mistake and LQ is not currently serving malware. I'm looking into it further now. Thanks for the heads up.

--jeremy

webmastir · 02-04-2013, 08:41 AM

my bad. i guess i missed that post. thanks

chrisretusn · 02-04-2013, 08:48 AM

I see I am not alone.... saw it earlier but it cleared up. Now it's doing it again.

jeremy · 02-04-2013, 09:26 AM

As an update: I can confirm that LQ was not serving malware and that this was the result of one of our ad providers (OpenX). We've stopped using them to serve ads while they clear this up and have notified Google of this.

--jeremy

brianL · 02-04-2013, 09:28 AM

Still warnings with Firefox, but none with Midori.

rjw1678 · 02-04-2013, 10:27 AM

Does anyone know what OS the malware was targeted at?

Thank You
Bob W

jeremy · 02-04-2013, 10:34 AM

Quote:

Originally Posted by rjw1678

Does anyone know what OS the malware was targeted at?

As mentioned, LQ was at no time serving malware.

--jeremy

szboardstretcher · 02-04-2013, 10:41 AM

http://www.google.com/safebrowsing/d...-492384/&hl=en

For information regarding the error.

FeyFre · 02-04-2013, 11:01 AM

That why I use Opera. It never gave me false alarms.

273 · 02-04-2013, 11:17 AM

Quote:

Originally Posted by FeyFre

That why I use Opera. It never gave me false alarms.

It's not a "false alarm" though. It was a legitimate warning that this site was serving pages from a compromised site.
In fact, were it not for the warning, it could be argued that nobody would have noticed until compromised adverts were hosted, making it much worse.
(Opera is a good browser though, I have to say)

jeremy · 02-04-2013, 11:19 AM

Quote:

Originally Posted by 273

It's not a "false alarm" though. It was a legitimate warning that this site was serving pages from a compromised site.
In fact, were it not for the warning, it could be argued that nobody would have noticed until compromised adverts were hosted, making it much worse.
(Opera is a good browser though, I have to say)

I'd consider it a false alarm in that LQ never served malware via the site in question, as we do not use the OpenX marketplace or allow any unknown third parties to serve ads at LQ. For them to block every site that uses an ad network because of a small number of rogue ads somewhere in the network seems extreme, especially considering how long it's taking to get LQ unlisted.

--jeremy

273 · 02-04-2013, 11:28 AM

Quote:

Originally Posted by jeremy

I'd consider it a false alarm in that LQ never served malware via the site in question, as we do not use the OpenX marketplace or allow any unknown third parties to serve ads at LQ. For them to block every site that uses an ad network because of a small number of rogue ads somewhere in the network seems extreme, especially considering how long it's taking to get LQ unlisted.

--jeremy

Sorry I hadn't realised it was a third-party of a third-party. Perhaps, then, google ought to spend more of their billions being a little more careful.
I wasn't suggesting that LQ were in any way responsible for malware, by the way, just that using adverts from someone who has been compromised at least lets you look at hosting their adverts again. It may cost you a lot of time and effort but if this isn't the first time they've been a problem at least it gives you a heads-up that they're perhaps not that great.