Infected code detected on Bladeforums

Here's what I got when I started reading one of the posts on Bladeforums.
I believe one of the ads caused my security software to kick in and blocked it.
Anybody else ever seen this happen? Here's the exact wording:



Website blocked!

G Data TotalSecurity 2012 has denied access to this website.
The site contains infected code: JS:ScriptIP-inf [Trj] (Engine B).
 
Most people use adblocker plugins in their browser or buy a membership. That, what you have there is a hyperactive response (typical) of most "internet security" software packages. No need for a tinfoil hat just yet. ;)
 
I get a message asking if I want to continue running script on the page I'm on. It also says that letting the script run will make my browser run slower.
 
I never encounter any messages, but this is definitely the slowest site that I visit.
 
I'm pretty sure there is some infected code on one of the ads. I'm running a Linux machine so I'm not super concerned about it, but I think I've isolated it for you.

Whenever a particular sponsored ad comes up that looks like a "Download complete" box, I will get a new tab opened (so not exactly a popup) with a blank page with nothing in the middle except a 'WARNING Please update Flash Player to continue' button.

The URL of the popup/tab is "http://mediaplayer-download888.net/lps/flvupdate.php?campaignid=5816578&czid=YXZhenU1ODE2NTc4MQ==&subid=lax1CMLs2a-7ppPsThACGOvH8bTaruObeSIKNzYuMjMuMzMuMCgB&pubid=&lang=en&at=0"

I ONLY experience this issue on this site and when that particular sponsored ad shows up. I'm not clicking on the ad or anything, it just auto-launches when it is displayed on your site. Maybe some sort of cross-site script attack or something?

Thanks!

I get a box saying "WARNING Please update Flash Player to continue." Only here. Because my Flash Player is up to date, I assumed it was malware/virus and closed it.
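For an administrator following up on these reports, one way to triage the redirect URL quoted in this thread (an added example, not part of any forum post): it splits the URL into reportable fields, checks which query parameters are base64-encoded text, and produces a defanged form that is safe to paste into a report. The function names are illustrative assumptions.

```python
import base64
import binascii
from urllib.parse import urlsplit, parse_qsl

# URL exactly as quoted in the thread above.
REPORTED_URL = (
    "http://mediaplayer-download888.net/lps/flvupdate.php"
    "?campaignid=5816578&czid=YXZhenU1ODE2NTc4MQ=="
    "&subid=lax1CMLs2a-7ppPsThACGOvH8bTaruObeSIKNzYuMjMuMzMuMCgB"
    "&pubid=&lang=en&at=0"
)

def try_b64_text(value):
    """Return the decoded text if value is base64 of printable ASCII, else None."""
    if len(value) < 8:  # short values such as "en" or "0" decode by accident
        return None
    padded = value + "=" * (-len(value) % 4)
    try:
        text = base64.urlsafe_b64decode(padded).decode("ascii")
    except (binascii.Error, ValueError):  # bad base64 or non-ASCII bytes
        return None
    return text if text.isprintable() else None

def defang(url):
    """Rewrite scheme and host so the URL cannot be clicked by accident."""
    parts = urlsplit(url)
    host = parts.hostname.replace(".", "[.]")
    return f"{parts.scheme.replace('tt', 'xx')}://{host}{parts.path}"

def triage_redirect(url):
    """Collect the fields an ad network or site admin needs to find the ad."""
    parts = urlsplit(url)
    params = dict(parse_qsl(parts.query, keep_blank_values=True))
    decoded = {}
    for name, value in params.items():
        text = try_b64_text(value)
        if text is not None:
            decoded[name] = text
    return {
        "host": parts.hostname,
        "encrypted": parts.scheme == "https",
        "params": params,
        "decoded": decoded,
        "defanged": defang(url),
    }

if __name__ == "__main__":
    for key, value in triage_redirect(REPORTED_URL).items():
        print(f"{key}: {value}")
```

The decoded `czid` value repeats the `campaignid` digits inside a readable tag, which gives the site operator a concrete campaign reference to pass to whoever serves the ad.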
 
I just got a weird Flash pop up too...in bad English. Should have saved it before making it go away. Something odd is going on.
 
I get lots of weird stuff off this forum, more than any other.

On an iPad, on two separate occasions, clicking on a thread has taken me to a porn selection site.

Using Explorer, I get all sorts of running scripts that never end, sometimes things pop up and sometimes not. I get the same FlashPlayer announcement as Thomas, but only with Explorer.

The best program for this site is Google Chrome, you get the ads, but quickly and no never-ending loops.

This forum has more rules than any other I use, so I just figure it's punishment for not paying in :)
 
Just curious, what thread takes you to a porn site :)
 
Well, I was checking this thread today from my Android phone. All of a sudden, a file named "Pug" was downloaded to the phone. I certainly didn't download anything or click on anything to download. I deleted the file (assuming it was a virus of some sort) but there is most certainly something going on with the site and malicious code or something.
 
It was in a knifemaker for sale area, but I went back a few days later and it no longer worked. :)
 
I just came here to this sub forum for the same reason. It only happens on my iPad, and it has happened three or more times in the past few months. I'll be in General Knife Discussion and click the link for page two or three of a long thread and instead get hijacked to a site advertising a porn app. I took a screenshot of it today. It also hijacks the back button so I can't just return to where I was, and loads a sequence of vile pages that appear in my History just after BF and before the app page that is the first one I see upon being redirected by the rogue code.

Something sinister is going on here. I am sure that Spark doesn't knowingly allow these icky sites to redirect forumites to sleazy porn sites. This has only happened to me at BladeForums, nowhere else. I don't consume porn and don't appreciate being subjected to it.

If I can be of any help to site administrators, please email me at my email on file for my account here. I don't have any special computer knowledge, but am willing to help. The bad site I first see appears to be an ad for a porn app, but that has to be bogus because Apple doesn't allow porn apps in their App Store. It is called "Badoink App HD" and appears to be a phishing site, because it offers a "$1.00 trial membership" and requires valid credit card information. Just trust them - riiiiight. No way. This trash needs to be blocked from this site for good. I wish I knew how to do it, but there are cyber security experts who root out this sort of stuff for hire.
 
In regards to Porn popup phenomena:
http://www.bladeforums.com/forums/s...appointed-with-bladeforums-com?highlight=porn

In Short: If you don't want sites sending you porn popups, then stop surfing it. It's not BFc sending them to you, but your own activity leaving tracking cookies on your system that is causing it. :D
If you're not surfing porn, someone in the household must be.
It can be blocked by purchasing a membership or by using a browser that has an "Ad-Blocker" such as Chrome.
 
Ghostery paired with AdBlock helps stop that kind of stuff. I use them on Chrome & Firefox.
 
Okay, I cleared my cookies. This still baffles me, but if it stops it I am content. Thank you.
 
Well, here appears to be some proof of what is going on and maybe some explanations. Can a moderator use this info?

Safe Browsing
Diagnostic page for bladeforums.com

What is the current listing status for bladeforums.com?

This site is not currently listed as suspicious.

Part of this site was listed for suspicious activity 1 time(s) over the past 90 days.

What happened when Google visited this site?

Of the 2886 pages we tested on the site over the past 90 days, 91 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2013-05-20, and the last time suspicious content was found on this site was on 2013-05-17.

Malicious software is hosted on 2 domain(s), including widelyranginginterests.com/, habboigratis.altervista.org/.

2 domain(s) appear to be functioning as intermediaries for distributing malware to visitors of this site, including rwclarkknives.com/, home.comcast.net/~jerryd6818/.

This site was hosted on 1 network(s) including AS20021 (LNH).

Has this site acted as an intermediary resulting in further distribution of malware?

Over the past 90 days, bladeforums.com appeared to function as an intermediary for the infection of 1 site(s) including 199.231.142.0/.

Has this site hosted malware?

No, this site has not hosted malicious software over the past 90 days.

Next steps:

Return to the previous page.
If you are the owner of this web site, you can request a review of your site using Google Webmaster Tools. More information about the review process is available in Google's Webmaster Help Center.
 
I believe you are incorrect, Karda. The iPad I use is not used for porn. Even if it was, the porn pop-up only happens on Bladeforums, nothing else, thus it is somehow attached to this site.

Bill's post jogged some brain cells, and I remember now that one of the times it was the "Badoink" site.

I expected feral hogs, but got hogs of a different kind :)
 
So far, I have no problems related to this site. I am also a 'paid' member and do not get exposed to the ads. As a 35 year career IT Professional (Information Systems Specialist/Systems Integration) I have had to deal with similar issues on a regular basis. The link Karda points to is just about useless and appears to blame the people that experience the problem and not address the problem itself. Logical troubleshooting is the key here. If the problem TRULY only appears while viewing this website then common sense would indicate that the problem lies here. Not having access to BladeForums source code, advertisers list, complete tracking list, or how they link their advertisements I cannot solve the issue going on here. Some of the advertisers here also place ads at porn sites as well as here - anybody see a connection here? I am pretty confident that BladeForums is not doing this on purpose. I can tell you that Facebook, Google Analytics and Quantcast are some of the companies that ARE being used to track you here. You know what they do with your information. I have them and over 600 other tracking companies, blocked.

The best advice I can give anybody experiencing this problem is to first have a paid for and up to date anti-virus program. In my opinion, the best of the lot is from Symantec. If you have VERY deep pockets (thousands of dollars), go for the Enterprise version of their Internet Protection program. I have installed and used this program on thousands of computers (PC and Mac) on very large networks and it works VERY well. For the rest of us, Norton (owned by Symantec) Internet Protection is the way to go. Cheap and effective. There are of course, other AV vendors but I can't speak to their quality or effectiveness. I have been using and providing support for Symantec products for over 20 years and know them well.

No single product will protect your computer from everything though and you should consider things like DoNotTrackMe (this is a good one), AdBlocker Plus and a few others to supplement your protection. Many of them are free. Do not install a dozen different programs on top of one another thinking that more is better. They often interfere with each other and will choke your system up. Be aware that some of these programs will cause problems if you want to post pictures on places like FB or attach files to emails. At that point, they must be disabled long enough to get the job done and then re-enabled.

Porn? If you simply MUST visit their sites and look at it you are taking chances that will bite you right in the a$$. They are notorious for hosting all kinds of viruses, bots, Trojans, worms, trackers and the like. From the very beginning of web site use these have been unsafe to go to and in all probability, will continue to be. Honesty, integrity and safety are not the norm there. Use at your own risk!! Once I was sitting at the computer with my four daughters and did a Google search for gardening tools for the wife's birthday. Specifically looking for a garden hoe. I had to get the girls to leave the room until I corrected the problem that popped up. I'm sure you can imagine what the problem was. :) Search engines are not all they're cracked up to be. They can't read your mind.

I wish I could offer a simple solution that would solve everybody's bug problem but the problem is NOT simple and requires trying different remedies. Best of luck.
 