• A few of the most common links here on the forums for newbies and guests!
  • The TUGBBS forums are completely free and open to the public and exist as the absolute best place for owners to get help and advice about their timeshares for more than 30 years!

    Join Tens of Thousands of other Owners just like you here to get any and all Timeshare questions answered 24 hours a day!
  • TUG started 31 years ago in October 1993 as a group of regular Timeshare owners just like you!

    Read about our 31st anniversary: Happy 31st Birthday TUG!
  • TUG has a YouTube Channel to produce weekly short informative videos on popular Timeshare topics!

    Free memberships for every 50 subscribers!

    Visit TUG on Youtube!
  • TUG has now saved timeshare owners more than $24,000,000 dollars just by finding us in time to rescind a new Timeshare purchase! A truly incredible milestone!

    Read more here: TUG saves owners more than $24 Million dollars
  • Sign up to get the TUG Newsletter for free!

    Tens of thousands of subscribing owners! A weekly recap of the best Timeshare resort reviews and the most popular topics discussed by owners!
  • Our official "end my sales presentation early" T-shirts are available again! Also come with the option for a free membership extension with purchase to offset the cost!

    All T-shirt options here!

Google blocking access to TUG

We, and our server host, have knocked ourselves out trying to find anything amiss here, and we can't.

But some of these bad guys are clever as [heck] at disguising their infections. And since they are written to not affect every login and/or access, catching the actual problem so that it can be investigated is very difficult.

Repeating the Google/Whoever 'this site is dangerous' notice that allows you to click through it doesn't help us much in tracking this down, as they are just based on a reported infection that gets us on a list, not on that particular access encountering malware.

What WOULD be of great help would be reporting any error reported by your actual antivirus software installed on your computer which gives the details of the malware it has intercepted/blocked. If you run into something like this, a report of the full text of that notice would be much appreciated.

And, meanwhile, be darned sure you have a good antivirus program installed, that it is configured to check every file you receive, and that it is kept completely up to date.
 
I pretty much do that daily (clear everything), and nothing has changed.

I'm not totally blocked - just shows site as dangerous and allows me to proceed if I want to live dangerously. So something has been tagged as problematic by McAfee SiteAdvisor, and not untagged.

I'll report back if/when that goes away - but wondered about the URL that must go directly to the server, or one of them, assuming that's what an ISP in the URL means.

Or maybe McAfee is still on the lam. :)

My McAfee SiteAdvisor has been reporting TUG as a dangerous site now for weeks. Long before Google ever said a thing. This however is different from the recent Google warning that people have been seeing. Right now SiteAdvisor is showing a red colored icon on TUG, usually it is green. I added TUG to the trusted sites list to avoid the warning page when trying to visit.
 
Here is the site report that I can view with McAfee SiteAdvisor.
 
Here is the site report that I can view with McAfee SiteAdvisor.

Thanks. When I click on your link, this is what I see:
mcafee212912.png

.. which says we're clear of any problems. Perhaps this has been updated since you posted it. Do you still see problems listed?
 
For the first time today besides the regular warning I also got this from my antivirus. Hope it helps.

URL: http://xifehisome.changeip.name/xoh1m6zx...
Process: C:\Program Files (x86)\Mozilla Firefox\f...
Infection: URL:Mal
I appreciate the effort, but, actually, no it doesn't help. The URL you've posted appears to be an invalid URL. As a result, when I click on the link it doesn't go anywhere. While changeip.name is a valid server name, it has no xifehisome.changeip.name registered there.
 
Thanks. When I click on your link, this is what I see:
mcafee212912.png

.. which says we're clear of any problems. Perhaps this has been updated since you posted it. Do you still see problems listed?

I still see a red SiteAdvisor icon on my browser toolbar, but when I go to the site profile, I see the same thing you do. If I go to other sites such as Yahoo or Google, I see a green SiteAdvisor icon instead of the red.

ETA: If I remove TUGBBS from my list of trusted sites, I still get a warning splash page when I try to visit TUG. I will try to post an image.
 
Project1_zpsc3f420f0.jpg


Notice the green Site Advisor icon (M) in the upper right of the screen. When I am on TUG, that is always red.
 
I still see a red SiteAdvisor icon on my browser toolbar, but when I go to the site profile, I see the same thing you do. If I go to other sites such as Yahoo or Google, I see a green SiteAdvisor icon instead of the red.

ETA: If I remove TUGBBS from my list of trusted sites, I still get a warning splash page when I try to visit TUG. I will try to post an image.

Try clearing your browser cache -- the warning may be coming from a cached copy already on your machine. Might also help to exit your browser, then reload it and try to come to tugbbs.com.
 
My antivirus quarantined something called care2PetitionHelper yesterday a.m. on start-up; not sure how to share that or if it would be helpful.

What WOULD be of great help would be reporting any error reported by your actual antivirus software installed on your computer which gives the details of the malware it has intercepted/blocked. If you run into something like this, a report of the full text of that notice would be much appreciated.

And, meanwhile, be darned sure you have a good antivirus program installed, that it is configured to check every file you receive, and that it is kept completely up to date.
 
Try clearing your browser cache -- the warning may be coming from a cached copy already on your machine. Might also help to exit your browser, then reload it and try to come to tugbbs.com.

Have done all that. When I go back to TUGBBS, I get the warning. Not sure why since the Site Report indicates all is well. As soon as I opt to "Visit Anyway" it adds TUGBBS to the trusted sites list and I no longer get the warning.
 
Have done all that. When I go back to TUGBBS, I get the warning. Not sure why since the Site Report indicates all is well. As soon as I opt to "Visit Anyway" it adds TUGBBS to the trusted sites list and I no longer get the warning.
I have a feeling they may only update their problem site list periodically, as a batch job, such that it may take a while after the analysis shows a site to be clean for it to drop off the list. Don't really know, but that seems to fit the facts.
 
Warning -- what follows has a high probability of making your eyes glaze over ....

I appreciate the effort, but, actually, no it doesn't help. The URL you've posted appears to be an invalid URL. As a result, when I click on the link it doesn't go anywhere. While changeip.name is a valid server name, it has no xifehisome.changeip.name registered there.

More on this --
Changeip.name is a server where you can take out a free subdomain name that will be redirected to a different domain of your choice. So in the original malware warning from Htoo0, his antivirus detected malware in a link to xifehisome.changeip.name, which actually redirected to someplace else -- wherever the bad guys that took out the xifehisome subdomain had it go to. By the time I saw his message, the xifehisome.changeip.name subdomain had already been taken down and thus was invalid.

From what I've been reading on these exploits, they continually shift the link addresses around, making it very difficult to track them down.
 
There's a discussion about e-mails being sent with rogue links at the google forums at https://productforums.google.com/forum/#!msg/gmail/HM2Ujgu9OD4/4KeUUlmeNqsJ

The title of the discussion is: "Is this a virus or fishing attempt?"

In my case, after going through the warning about TUG being a dangerous site, a set of e-mails was sent to all my contacts containing links to

http://"some changing web site URL"/components/com_ag_google_analytics2/google.html

The latter part seemed to stay constant. That might be related to the issue seen here where the base address only exists for a short time. I don't know enough about Google to know if the last part of the URL has any significance in the Google world of analytics.

No record of the e-mails sent remains on my computer or my Google mail account. I only found out after a few of the addresses bounced, and then some friends mentioned getting something suspicious from me. As far as I can tell, nothing has happened again after I recovered my Google account following their instructions. I had also cleared all my history, caches, and cookies.

The two Macs that could have done something like this were asleep, but on. It happened around 1:30 am when I myself was asleep. I suppose one of my iPads or iPhone could have also done something, since the browsers are set up to access my Google mail.

Was anything specific found and cleaned up by the TUG administrators? Have they done anything beyond contacting Google and McAfee to get off their blacklist? I would like to know if there was some virus that has been fixed, and if so, what it was, so I can try to chase the issue down on my end. If I got infected, I want to make sure I find a way to disinfect my machine.
 
Here is the Norton warning I received a few minutes ago. A similar one came up on December 24. The IP address shown in the report is within a range of addresses I have blocked on the site I run.

tug1-norton.jpg
 
According to our host security people, Google, every "scanner" we can find... the site is clean.

We have been scouring the server since this was reported... and can find nothing.
 
I had been getting the Google warning every time I went to this site, but the problem disappeared within the past couple days.
 
An intrusion attempt by cicero.changeip.name was blocked
A check at changeip.name shows that the cicero.changeip.name subdomain name is available, meaning the bad guys have already abandoned this intermediate forwarding address and moved on to something else.

[Edited to add:] Some of the descriptions I've read on this exploit say it only injects the code for people who come to the site via a search engine link, and not for people who are logged into the site. (I'm talking about the actual injection of the harmful code which results in a warning of something being blocked by the antivirus program on your computer, NOT the generic warnings that the site has been reported). Do you recall how you came to TUGBBS when you received that warning?
 
I always visit from bookmarks in my browser linked to the Starwood and Hawaii forums.
 
A check at changeip.name shows that the cicero.changeip.name subdomain name is available, meaning the bad guys have already abandoned this intermediate forwarding address and moved on to something else.

[Edited to add:] Some of the descriptions I've read on this exploit say it only injects the code for people who come to the site via a search engine link, and not for people who are logged into the site. (I'm talking about the actual injection of the harmful code which results in a warning of something being blocked by the antivirus program on your computer, NOT the generic warnings that the site has been reported). Do you recall how you came to TUGBBS when you received that warning?

I have the "New Posts" bookmarked, and that is always how I come to the site.

I'm on the road now and accessing the site via my laptop instead of my desktop since Friday. I have not gotten any warnings using my laptop.
 
After logging on to site got following blocked virus warning:

222.186.57.166 Port 137

I have McAfee!!
That gives us the IP (in China, surprise, surprise) from which the malware was being downloaded, but unfortunately it doesn't give any indication of what on OUR site is causing the download in the first place.
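
Added example (not part of any post in this thread): the posts above describe an injection reported to fire only for visitors arriving from a search-engine link and not for logged-in members, loading from short-lived changeip.name subdomains. A site owner can look for that by saving the same page as served under each condition and comparing which third-party hosts it loads from; the HTML, the host forum.example and the variant labels below are constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Dynamic-DNS suffixes worth highlighting; changeip.name is the one named in this thread.
DYNDNS_SUFFIXES = ("changeip.name",)

# src attribute of tags that load remote content into the page
_REMOTE_SRC = re.compile(
    r"""<(?:script|iframe|frame|embed)\b[^>]*?\bsrc\s*=\s*["']?([^"'\s>]+)""",
    re.IGNORECASE,
)

def remote_hosts(html, own_host):
    """Return third-party hosts that script/iframe-style tags in html load from."""
    hosts = set()
    for url in _REMOTE_SRC.findall(html):
        host = (urlparse(url).hostname or "").lower()  # None for relative URLs
        if host and host != own_host and not host.endswith("." + own_host):
            hosts.add(host)
    return hosts

def cloaking_report(variants, own_host, baseline):
    """List (variant, host, is_dyndns) for hosts absent from the baseline fetch."""
    known = remote_hosts(variants[baseline], own_host)
    findings = []
    for label, html in variants.items():
        if label == baseline:
            continue
        for host in sorted(remote_hosts(html, own_host) - known):
            dyn = any(host == s or host.endswith("." + s) for s in DYNDNS_SUFFIXES)
            findings.append((label, host, dyn))
    return findings

# Constructed sample responses for the same page (not captured from any real site).
PAGE = '<html><head><script src="/js/forum.js"></script>' \
       '<script src="https://cdn.example.net/lib.js"></script></head><body>%s</body></html>'
SAMPLES = {
    "logged_in_bookmark": PAGE % "<p>New posts</p>",
    "anonymous_search_referrer": PAGE % (
        "<p>New posts</p>"
        '<iframe src="http://constructed-sample.changeip.name/x" width="1" height="1"></iframe>'
    ),
}

if __name__ == "__main__":
    for label, host, dyn in cloaking_report(SAMPLES, "forum.example", "logged_in_bookmark"):
        print(f"{label}: extra remote host {host}" + (" (dynamic-DNS suffix)" if dyn else ""))
```

A host that shows up only in the anonymous, search-referred copy of a page points at server-side code that branches on the Referer header or the session cookie, which narrows where on the server to look.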
 