Deceptive site!

[highway man]

Computer Virus

This is a real Arse-Hole of a Virus, Someone is very Jealous of the "Site, a Member,
a Ute that is up to Shit, or just dont like the "Moderators Eye Colour", and just wishes to shit on our Forum and cause damage to our enjoyment!

There was a time I could have it cleared in 12 hours, and one bottle of Whisky,
but after "Three Stokes" I am as "useless as "Tits on a bull" and would offer no advice, other then a "complete Reboot" and a Email sent to all Members giving
a Date to Rejoin the Forum after all this was done!

Experience: about five years ago when a "Live Steam Railway Forum" had a
very similar annoyance hit us and then, I could jump in and help with the required
Programing to get us back on track, but now, That is about all I can remember to
advise anyone to do!

The fact that none of us has had any residue attacks, suggests to me this may
well be a bit of scare mongering, as I implied in the beginning of my post, and also the "Lines of Virus" could be found on the front page, Please send me a copy of that alone and let me have a go, I'm not much use for much else!

Ask my Wife! LoL

 

[Old.Tony]

I can't get hold of the front page yet. Once I have access to the site, I'll be digging immediately in the place where I suspect the problem exists and should resolve it (it's to do with Apache redirects).

 

[highway man]

Forum Condition

This is a real Arse-Hole of a Virus, Someone is very Jealous of the "Site, a Member,
a Ute that is up to Shit, or just dont like the "Moderators Eye Colour", and just wishes to shit on our Forum and...

 

[happy john]

Laugh it off, I note 200 visitors on average every day.
Up to you Dylan, the areas Tony has to work in are your responsibilities.

 

[Old.Tony]

I've been in contact with Dylan and now have the "keys to the castle" - well, at least the front door and inner courtyard. I have scanned the entire contents of the site. The only place that my scanner found any viruses was in attachments sent to bogus email accounts on the server - and Google wouldn't touch them in a lookup, so there's no problem there (but I have deleted them all anyway).

What's left are links. Someone makes a post on this site and includes a link (perhaps in a sig) and Google checks the link, finds it goes to a bad place (which might be a good place that's been compromised) and downrates OUR site. I'm working on this now.

When I'm finished, Dylan will request a re-check of our site so that it can be up-rated again. It's an exhaustive task and means I have to (re-)read a ton of posts, so it might take me a few days to do (because I've got some real life stuff that happens to get in the way too).

Anyway, I'm making progress!

 

[terryc]

Fixed

No red page or warning today 22/10/17, so it must be "fixed".
after last visit, I found the pagethere you can say "Nahh, itys okay mate" and filled it in. No idea if it helped.
I still get the "inmsecure stuff" but that is related to not using HTTPS.

 

[ericcs]

still the red page for me!

 

[Old.Tony]

Still working on it. Since the forum's been going for a long time, there are lots of places things could have been hidden. These are drying up, I've changed some of the primary configuration to prevent that in the future and added a few little hidden features to assist with detection. Hopefully I'll deal with the problems before Google even figures them out.

Google will have to re-scan the site. I have no idea how long before they return the site to normal status.

 

[MANNING]

Still working on it..

 

[tony d22]

I'm getting the same.
Took me ages just to get the page back up.

 

[doug696]

:i just got on here without the deceptive site warning coming up, i'm guessing a huge thankyou to at least Tony, and probably a few others
cheers doug

 

[Old.Tony]

I don't think it's over. I've gone through all the configuration, I've scanned all of the files, deleted a heap of garbage, added a bunch of recommended patches, changed some of the options and can't do much more than that for now - we're now waiting for Google to "review" the site.

 

[tony d22]

I just got the page again, it is still there.

 

[doug696]

yeah i've got it back

 

[Kd0603]

Im the lucky one i get a different message , mine says
AVG ANTIVIRUS HAS THIS SITE AS A MALWARE SITE
I cant work out how to post a pic from my tablet ,soon as i do i will put one up
Stupid thing is my trend micro security isnt picking up any malware

 

[Old.Tony]

There isn't any malware on the site itself.

Google had listed a couple of threads as potentially malicious and I went into those threads and edited every post with a URL in it and destroyed the URL. I also found a number of emails sent to the admin of the site (and not available to a web browser anyway) which had attachments that were suspicious. I deleted these after checking that they weren't real (none were kept).

I guess I could also jump on the database and do a search through signatures for any url, then slowly examine the urls to see if there are any misleading ones. Sometimes we get users creating accounts with spammy signatures, and I nab those and delete the accounts (or ban them) so they don't affect the forum.

I might go do that database search now.

 

[Kd0603]

Thanks to my 12 yr old i can now do it i forgot where to find the pagec....Anyway heres what i get......

 

[Kd0603]

Thanx Tony its my free internet security thats picking it up ,just did a full system scan using trend micro and it picked up nothing.....so its just like a politician ,pretending to be something its not

 

[Old.Tony]

AVG might be getting malware source lists from Google too. Who knows what information is shared behind the scenes. I only know that it's Google down-rating the site and putting the warning up.

I've started the search for "bad" signatures. I've found 1132 primary ones - I'm going to start banning/deleting/editing accounts now.

If anyone has a URL in their signature, I will examine it - and if it looks suspicous I'll edit/remove it. If the signature is entirely bogus (designed to draw the person to some deceptive site) then that account is about to be toasted.

Most of the real members here won't have a problem, but some of our Russian members (yeah the guys with links to "Da Latest Softwareski") will find my boot in their ass in a few minutes' time.

 

[Old.Tony]

Update: I've been working on the accounts for the last 3 hours and edited/deleted quite a few. I've found a few old accounts that had posted seemingly sensible stuff but had bad links in their signatures. These accounts (and the posts) are now gone.

I will continue working on this later. I have some things to attend to at home, but will be back on the case in a few hours.