Author Topic: Malicious URL warning on GH page (Read 3897 times)

noisyturtle · « **on:** Thu, 10 October 2013, 15:06:39 »

URL: http: SLASH SLASH st4.divshare.com/launch.php?f
URL:Mal

every time I go to this page: http://geekhack.org/index.php?topic=6874.1560

mkawa · « **Reply #1 on:** Thu, 10 October 2013, 16:25:55 »

not seeing the url in macos chrome. what platform/browser are you using? (if someone managed to embed javascript, it could be possible that only some platforms and browsers are affected).

NOTE: you are not supposed to be able to embed interpretable javascript into posts. it would indicate a huge vulnerability, so yes, i'm treating this as an extremely big deal.

Tym · « **Reply #2 on:** Thu, 10 October 2013, 16:29:09 »

Not getting anything my end in Firefox.

esoomenona · « **Reply #3 on:** Thu, 10 October 2013, 16:29:48 »

http://geekhack.org/index.php?action=profile;u=30046

This guys signature picture is the source. I don't get any notice though.

mkawa · « **Reply #4 on:** Thu, 10 October 2013, 16:52:41 »

i have cleared the offending signature. (god i keep losing posts..). it may have been a drive-by attack on XP and early vista era machines via their jpg2000 parser. it's far from a zero day, and if you're running one of those platforms you've already been infected by something else anyway.

noisyturtle · « **Reply #5 on:** Thu, 10 October 2013, 19:33:16 »

Quote from: mkawa on Thu, 10 October 2013, 16:25:55

not seeing the url in macos chrome. what platform/browser are you using? (if someone managed to embed javascript, it could be possible that only some platforms and browsers are affected).

NOTE: you are not supposed to be able to embed interpretable javascript into posts. it would indicate a huge vulnerability, so yes, i'm treating this as an extremely big deal.

It's a warning via Avast in Aurora

Rayne · « **Reply #6 on:** Thu, 10 October 2013, 19:43:09 »

i got the same thing as OP, using Avast! and chrome

Photoelectric · « **Reply #7 on:** Thu, 10 October 2013, 19:44:02 »

Unrelated, but I'll take this opportunity to note that being redirected through viglink is annoying as hell. It's fast on a desktop, but significantly delays following links on wireless. I wish GH didn't use viglink =/

mkawa · « **Reply #8 on:** Thu, 10 October 2013, 20:27:27 »

Unfortunately, viglink pays a small portion of the bills here, and we would have to replace that revenue for the forum if we lost it.

Anyway, the signature in question was just a malformed URL, and not anything serious to worry about. The user in question copied and pasted the divshare url a bit wrong, and pasted the php query instead of the actual jpg. the 'mal' warning was that the url was wildly malformed, and that the data returned was garbage, not that it was confirmed malware (ie, a file that matched a malware signature). The user has put the proper url in his or her signature and is now showing dat alps pride again.

Morwrath · « **Reply #9 on:** Thu, 10 October 2013, 20:34:02 »

I asked IRC about it some time ago, no one answered though :/ Atleast it wasn't any serious problems.

mkawa · « **Reply #10 on:** Thu, 10 October 2013, 20:46:42 »

please report any post or thread that triggers your malware scanner (unless it's ridiculously obvious that it's a false positive). i'm quite happy to look into these things to at least a first order.

Morwrath · « **Reply #11 on:** Sun, 13 October 2013, 11:36:49 »

This happened to me right now aswell. Not sure what thread it was on since I just opened a lot of threads that had received new replys :S

mkawa · « **Reply #12 on:** Sun, 13 October 2013, 13:13:45 »

dante ironically posted an innocuous link that was red flagged by google for other reasons (the image hosting site doesn't have strong enough anti-malware measures apparently). i confirmed it was a false positive and rehosted the image on our server, so it has been cleared.

the ironic thing is the dante posted it and then reported the google warning to me without knowing that he accidentally caused it. lol! nbd dude. anyways, all cleared up now.

if you're still getting a red flag from google, please post the url here.

microsoft windows · « **Reply #13 on:** Mon, 14 October 2013, 14:53:10 »

I tried clicking that URL link but the site won't load in Internet Explorer 6.

Yet another excellent display of IE6's seamless security integration!

Belfong · « **Reply #14 on:** Sun, 25 May 2014, 03:34:09 »

Hi,

Today I see a consistent Malware detection page by Chrome every time I visit the "Post Your Clack" page. Other threads are ok.

Here's the screenshot.

madhias · « **Reply #15 on:** Sun, 25 May 2014, 03:57:06 »

For me the same, when browsing to the 'Post your clacks!' thread - cdn.memegenerator.net seems to be the problem?

Alessandro · « **Reply #16 on:** Sun, 25 May 2014, 04:00:30 »

Yep, just got it too, it's on the very first page.

rowdy · « **Reply #17 on:** Sun, 25 May 2014, 04:55:03 »

I've been using Chrome on Mac on and off all day and not seen this.

rowdy · « **Reply #18 on:** Sun, 25 May 2014, 05:15:37 »

Ok, I got this now, on the first page of the Post your Clacks thread.

phoenix1234 · « **Reply #19 on:** Sun, 25 May 2014, 05:24:19 »

Confirmed, I saw the warning too.
There are several cdn dot memegenerator dot net links in the page and they seem to be the reason. We also should not quote it to avoid Google block this page again.

infiniti · « **Reply #20 on:** Sun, 25 May 2014, 06:07:35 »

Thanks for the heads-up.

I broke the image tags and image link on purpose as a band-aid solution.

rowdy · « **Reply #21 on:** Sun, 25 May 2014, 15:18:41 »

Quote from: infiniti on Sun, 25 May 2014, 06:07:35

Thanks for the heads-up.

I broke the image tags and image link on purpose as a band-aid solution.

Thanks! Clack page loads fine for me now

News:

Author Topic: Malicious URL warning on GH page (Read 3897 times)