Malicious Code Injection



M
September 15th, 2011, 03:13 am
Everyone, Google has reported Ichigos as housing malicious code as of today (14 SEP 2011) involving the following web addresses:

samsun2013.in (208.116.44.51)
samsun2014.in (208.116.44.51)
kapranchak.cx.cc (89.208.34.116)
mariko7.in (123.252.193.141)

The exact Google message is as follows:

[Attachment 14251]

This was last updated approximately 2100h EDT. I was on this site around 0600h this morning without this marking, so the alleged attack has occurred within today.

This severity is likely just a fluke (as I've yet to find any JavaScript or other hack scripts in the rendered HTML), but I wish to bring it to the administrators' attention that there may be a file that had a virus uploaded to the server.

Yoshi8765
September 15th, 2011, 04:29 am
Confirmed. I just encountered it too.

Gave me quite a scare. :)

Neko Koneko
September 15th, 2011, 05:32 am
*pokes Gand*

Gekkeiju
September 15th, 2011, 10:18 am
I was just about to make this thread. eek. Firefox was all like 'LOL NO. WE'RE NOT LOOKING AT -THAT- WEBPAGE' to me D:

Taemond
September 15th, 2011, 12:31 pm
As Neko said/did, Gand....................

Hopefully this gets fixed soon, I was extremely confused. @_@

Neko Koneko
September 15th, 2011, 08:30 pm
Gand fixed it and also upgraded vBulletin \o/

animefans12
September 15th, 2011, 09:41 pm
Hurray! That's good news to hear! :) *\o/*

Equisix
September 16th, 2011, 12:22 am
Although I'm still getting bad site firefox screen :P

Nyu001
September 16th, 2011, 01:51 am
I also got a warning just right now.

Equisix
September 16th, 2011, 04:48 am
> I also got a warning just right now.

Nyu, I thought you were inactive...

Neko Koneko
September 16th, 2011, 09:53 am
I was cheering too soon, it ain't fixed yet. He did mention he submitted the site to Google to review so I guess we'll have to wait for that.

Gekkeiju
September 16th, 2011, 09:53 pm
I'm scared now D:

RD
September 17th, 2011, 05:26 am
Is this a misinterpretation of benign source code? I'm a bit curious as to what is going on and how it started. Also, Google Chrome kept trying to tell me not to come here and the anti-mal software on my boyfriend's PC just said a threat was detected and blocked.


~*~ the more you know ~*~

M
September 17th, 2011, 05:44 am
> Is this a misinterpretation of benign source code? I'm a bit curious as to what is going on and how it started. Also, Google Chrome kept trying to tell me not to come here and the anti-mal software on my boyfriend's PC just said a threat was detected and blocked.
>
> ~*~ the more you know ~*~

It's an XSS (http://en.wikipedia.org/wiki/Cross-site_scripting) vulnerability from vBulletin. Apparently the update (http://www.vbulletin-faq.com/forum/showthread.php?16461) is supposed to fix this, but the Google report still sees it as a problem (last scan was done about 4 hours ago).

PorscheGTIII
September 17th, 2011, 06:57 am
And yet Internet Explorer has told me nothing. Makes this picture look even more true:

http://data.whicdn.com/images/13530002/1689d1311597927-chrome-vs-firefox-ie-eats-glue-chrome_vs_ff_ie-jpg_large.

KaitouKudou
September 17th, 2011, 07:02 am
I just ignored the warning when I first saw it thinking it was a glitch but I received a few messages through YouTube saying how they received warnings that Ichigos is a malicious site when they tried to come here. I think this does show that Ichigos has grown a whole lot bigger over the years...enough to set off a Google warning lol.

Just trying to look at the bright side of things lol.

Gand
September 17th, 2011, 05:16 pm
Ok this is finally fixed. Google should be reviewing it now and removing the block.

Gekkeiju
September 17th, 2011, 08:35 pm
Still here three hours after that post Gand.. D:

Taemond
September 17th, 2011, 11:08 pm
Just logged on now and everything seems to be fixed. Using Firefox and no warning message. :)

Nice work Gand. :)

Equisix
September 17th, 2011, 11:59 pm
I got it again.

M
September 18th, 2011, 12:19 am
Site has been unmarked as not suspicious on Google since 1600 EDT today (17 SEP 2011). It appears to be fixed. Thanks Gand.

http://safebrowsing.clients.google.com/safebrowsing/diagnostic?client=Firefox&hl=en-US&site=http://forums.ichigos.com

Ander
September 18th, 2011, 05:24 pm
Finally... I didn't get that BIG RED sign saying that this place is malicious. First it was only the forum.. then the whole website. Anyways... I guess the treatment is working.

animefans12
September 20th, 2011, 09:42 pm
Then this time a proper timing of cheering? ._.

Nyu001
September 21st, 2011, 03:06 am
Yes, I was. I will be active again in a few days. :P

Gekkeiju
September 23rd, 2011, 07:25 pm
Getting the flag page again guys..

M
September 23rd, 2011, 10:42 pm
Same here.

Equisix
September 23rd, 2011, 11:48 pm
Got it again. This time on Chrome.

KaitouKudou
September 24th, 2011, 01:09 am
Just got it again on Firefox. I'm on a Mac right now.

sperion
September 24th, 2011, 01:56 am
Using Internet Explorer earlier today, something on the website attempted to load up Java (?) and copy some malicious .exe file on my computer running Vista (Users\Username\ and AppData\Local\ ), and adding the exe to the registry (Run and userinit). I am no expert at computers at all so I am not sure what is going on, or if it is really due to Ichigo's, but I got the Java + bad exe twice today when visiting here. Kinda scary?

DunNotCome
September 24th, 2011, 02:42 am
Might wanna check the source code out, according to my computer, I found some new DLL (via Process Explorer) running, but I cacled it to remove it from my computer and block it from running should it reinstall permanently. It still tells me of the attack site. If what Google said was true, 10 new processes found means the DLLs may be the problem, or the scripts in Java is in question. You might wanna check out the PHP source codes too as it might indirectly run the Java script. I have a feeling this is a hacking attempt by some idiot who has no love for the music forum.

Equisix
September 24th, 2011, 02:55 am
If this persists and cannot be fixed, maybe a switch from vB to Invision would help.

Taemond
September 24th, 2011, 09:01 am
Started getting the warning again. :\

M
September 24th, 2011, 12:42 pm
> If this persists and cannot be fixed, maybe a switch from vB to Invision would help.

Invision is a lot worse with hacking than vB. Last I checked SMF so far is the most secure, but also the most limited, forum software. For better or worse, I'm pretty sure we're going to keep using vB; it's what the big guns use in industry.

Victor Seven
September 24th, 2011, 01:27 pm
When I try to connect here with Firefox, the message "WARNING! THIS IS A ATTACKING SITE!" appears.
So I think the problem is not totally fixed.

sperion
September 24th, 2011, 01:31 pm
After disabling the Java (as in the applet, not JavaScript) addon, I no longer get anything bad onto my computer, but on loading a forum page I get a warning about something failing to run (which I assume to be the malicious stuff being called by some scripts?).

Here is a screenshot of an iframe loading in the logout page...
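
Added example, not part of any post in this thread: a Python check that lists every frame, script, plugin or applet a saved page pulls from another site, the kind of review of the rendered HTML mentioned in the first post and of the iframe and Java loads reported above. The hosts come from the Google report quoted in the first post; the sample page, its paths, the `audit` helper and the `ichigos.com` own-domain setting are assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Hosts named in the Google report quoted in the first post of this thread.
REPORTED = ("samsun2013.in", "samsun2014.in", "kapranchak.cx.cc", "mariko7.in")
# Tags that make the browser fetch or run remote content, and the attributes that say where from.
LOADERS = {"iframe": ("src",), "frame": ("src",), "script": ("src",), "embed": ("src",),
           "object": ("data", "codebase"), "applet": ("archive", "codebase")}

def under(host, domain):  # host is the domain itself or one of its subdomains
    return host == domain or host.endswith("." + domain)

def looks_hidden(attrs):
    """Zero/one-pixel or CSS-hidden elements are a common sign of an injected frame."""
    style = (attrs.get("style") or "").replace(" ", "").lower()
    tiny = attrs.get("width") in ("0", "1") or attrs.get("height") in ("0", "1")
    return tiny or "display:none" in style or "visibility:hidden" in style

class EmbedAuditor(HTMLParser):
    def __init__(self, page_url, own_domain):
        super().__init__()
        self.page_url, self.own_domain, self.findings = page_url, own_domain, []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        for name in LOADERS.get(tag, ()):
            if not attrs.get(name):
                continue
            host = (urlparse(urljoin(self.page_url, attrs[name])).hostname or "").lower()
            if not host or under(host, self.own_domain):
                continue  # relative or same-site resource
            verdict = "reported" if any(under(host, d) for d in REPORTED) else "off-site"
            self.findings.append((tag, host, verdict, looks_hidden(attrs)))

def audit(html, page_url, own_domain):
    """Return (tag, host, verdict, hidden) for every off-site resource the page loads."""
    auditor = EmbedAuditor(page_url, own_domain)
    auditor.feed(html)
    return auditor.findings

# Constructed sample, not the real page: a logout page with an injected hidden frame and applet.
SAMPLE = """<html><body>
<script src="/clientscript/forum.js"></script>
<script src="http://ajax.googleapis.com/ajax/libs/jquery/1.6/jquery.min.js"></script>
<iframe src="http://samsun2013.in/" width="1" height="1" style="visibility: hidden"></iframe>
<applet code="a.class" archive="http://cdn.mariko7.in/a.jar"></applet>
</body></html>"""

if __name__ == "__main__":
    print(audit(SAMPLE, "http://forums.ichigos.com/login.php?do=logout", "ichigos.com"))
```

An "off-site" verdict is only a prompt to look closer, since legitimate CDNs land there too; a hidden frame or a host from the report is the stronger signal.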

Neko Koneko
September 25th, 2011, 10:10 am
> If this persists and cannot be fixed, maybe a switch from vB to Invision would help.

Invision is rubbish. I'd rather go to phpBB then.

And yes, the message is back :(

Taemond
September 25th, 2011, 02:26 pm
I've requested a re-review of the site from both the linked company of the warning and Google. Hopefully this nonsense will get sorted out in time.

Gand
September 26th, 2011, 01:23 am
Fixed; the error should be disappearing in the next 24 hours.

I found the root issue too and it has been resolved. It had nothing to do with vBulletin.

Ander
September 27th, 2011, 02:19 am
who da man?

Gand da man.

animefans12
September 27th, 2011, 10:37 pm
Now's a perfect timing for a celebration and thanks toward Gand for resolving the problem. *\o/*