# Google Warning for IAP



## jeff (Jun 24, 2012)

Google is reporting that our site is infected with a virus. I have looked into this issue from every possible angle and the site appears to be clean to me. Our host admins agree. 

Here is the Google warning detail page. Note that although it says that "the site is listed as suspicious and may harm your computer", it also says ZERO pages resulted in malicious code downloads.

I'm continuing to look into this. I need to leave the site up so that Google can rescan it. That may take a couple days. Grrrr.


----------



## pensbydesign (Jun 24, 2012)

had this warning had a had time getting my computer to open this site


----------



## OKLAHOMAN (Jun 24, 2012)

Early this morning I tried to log on and got this warning on my lap top and ignored it. By passed and logged on anyway. Don't know if this caused it or not but my lap-top crashed. I tried to reboot the laptop to a previous day and it won't let me. My PC seems fine and my lap top in the shop seems fine.


----------



## Gregf (Jun 24, 2012)

My antivirus, AVG, is also reporting a threat. Black Hole Exploit Kit.
Just on the home page.


----------



## tbroye (Jun 24, 2012)

I have no problem using IE9, but when using Google it asked me to log on and also shows lthe warning if I go through the Google search.  Looks like someone is playing games.


----------



## GoatRider (Jun 24, 2012)

I'm getting the error too, on google chrome on a Mac.


----------



## Texatdurango (Jun 24, 2012)

My experience.........

IE 8 - no problem, logs right in, obvious since I'm writing this.

Safari - Says it's a threat and blocks it

Firefox - throws up a big red warning box saying it's an ATTACK PAGE


----------



## Carl Fisher (Jun 24, 2012)

I get the big red screen from Chrome when I visit now too.  I wasn't a few weeks back when everyone else reported the problem.

Seems that the IP address your server is on has been flagged as a source for malicious content.  Might want to talk to the ISP and see if they would be willing to allocate you a new IP address.  It's likely not IAP specifically, but if you are on a shared IP somehow it got flagged into the blacklist databases.


----------



## penmaker1967 (Jun 24, 2012)

i have had no trouble getting into the site except for when it said it was down due to virus problems. that was this afternoon i got in this morning with no problems and just got back on it now.


----------



## jeff (Jun 24, 2012)

Problem solved. Details later.


----------



## ed4copies (Jun 24, 2012)

I have had no warnings, but I never use the front page.  Come in through the side door??


----------



## nativewooder (Jun 24, 2012)

When I read the Google notice this morning and they could not state that there was anything wrong, it made me think that Google is practicing their ""Bullying" tactics.


----------



## OKLAHOMAN (Jun 24, 2012)

As I stated eairlir I had my lap top crash but was able to delete a program that was down loaded this morning called something like "platinium protection", now alls well


----------



## Displaced Canadian (Jun 24, 2012)

Because the site was down this morning I had to go out to the shop and work on pens. :biggrin:


----------



## Seer (Jun 24, 2012)

I got the same thing as Roy took me a little while to fix it but all is good now


----------



## PTsideshow (Jun 24, 2012)

No warnings no nothing out of the ordinary. I am using win7 64 bit firefox with Avast and microsuc security software nothing.
:clown:


----------



## Akula (Jun 24, 2012)

This is what I was getting.


----------



## tbroye (Jun 24, 2012)

After my earlier post I went church, took wife to brunch.  Came home watched the Race from down road, cleaned up the back yard and changed water in an Aquarium and now I am here.  Day wasn't a complete waste.  It could have been if the car didn't start and the Cable went out.


----------



## Longfellow (Jun 24, 2012)

I got a warning on Firefox. I am on IE now.


----------



## jeff (Jun 24, 2012)

There should be no warning from Google or any virus/malware scanners. If you are getting any kind of warning at all, please let me know.


----------



## leehljp (Jun 24, 2012)

Jeff,

In "some" cases, it is not Google or this site, it is the parameters of some browers settings themselves that set off something in Google that then returns the same page you displayed on the 1st page of this thread.

That dialog from Google started appearing on some sites for me a couple of years ago. These sites were ones that were trusted to the 'nth' degree for me. Through some checking with very tech savvy (read VERY HIGH security) folks, I was told to go to preferences and see if I had a button clicked "On" that said "Warn when visiting a fraudulent web site." I had. This immediately caused some sites that are not fraudulent in the least to trigger my browser to do a search on Google for possible fraudulent sites to which Google would send an automatic message (the one you posted) as a response. 

Basically it was like some medical tests that send back "false positives".

I don't want to say that this was the whole problem with this but that warning system in people's browsers ("Warn when visiting a fraudulent web site.") does trigger false positives with Google on some sites but not others.


----------



## Joe Burns (Jun 24, 2012)

Im using FireFox and Norton's Internet Security and have had no issues with the site.

Joe


----------



## RSidetrack (Jun 25, 2012)

There are a great many reasons why this occurs to perfectly fine sites.  To start off with - I was happy to see the site was back up and running.  Earlier in the day I was a bit disappointed as the site was taken down and I was looking forward to see some great new creations.

Anyway - as a software engineer with a primary focus in web application development - there are a great many reasons why this occurs.  We have had to deal with this with the company I work for, and it is quite frustrating.

First and foremost - a lot of browsers and virus softwares look at reliable sources for any potentially unsafe sites.  This is why some browsers and virus software set off red flags.  If google marks a page as potentially unsafe, they are considered a "reliable" source.

Now - I noticed that the "issue" was not presented in this thread yet, so I cannot expand on what actually happened here, but the top 5 reasons why this occurs:  (please note, this is for people who have their own sites and can be helpful.  The fantastic administrators have already resolved the issue here :good

1.  Code spoofing (Someone interjected network code when perhaps a google crawler was reading data setting off an alarm)  There is no way to avoid this unless a site went entirely through SSL.

2.  Someone posts, has a link to, or provides some form of content that is related to another page which has been flagged as well.  An example, my photos I host on my own web server.  If my website got flagged as a result of code interjection, it is possible that this site would get flagged too, just because of an image.

3.  An uploaded file has a threat within it.  (Unlikely for this site as they are mostly images, but on other sites it can be a big issue)

4.  Code interjection - Someone managed to interject code within the site.  This is easily doable on sites that run on a database back-end and don't have safeties in place.  Someone can type into say - a thread post box, and include code that would put something within the database, that when displayed on an html browser would cause issues.  This is typically javascript.  I will not attempt to demonstrate.

5.  Third party software - This is a big one, though rare now as most people host things on their own servers now.  Visitor counters, plugins, etc. that run on third party servers are an issue.  If those servers get infected it can infect your own page, or be linked back and red flag your page.  It is best to never run third party software that is on another server.


Now - the great part - there is a such thing as "too secure" and "too safe".  I believe IAP was a victim of this.  Google reported, as in the first thread post, that nothing whatsoever was found, yet it was flagged.  IMO - flagging a site with 0 reported issues is not exactly in the best interest of the community.  Then with virus scanners and browsers looking at sources such as google for malware sites and then reporting it to users would concern them.  If my site that was responsible for my business which was dependent on sales - business would hurt... bad.  I know that someone else in this community suffered from this.  The worst part is Google just says it will take a couple days before it is rescanned and goes away - a couple days could mean big bucks.  

Now that I am done educating and venting - stay safe, don't be fooled and turn great pens!


----------



## MesquiteMan (Jun 25, 2012)

There was something injected into the front page of IAP.  I run NOD32 antivirus and do NOT get false positives, ever.  NOD32 shut closed the session when I tried to go to the front page with the following warning:

6/24/2012 3:07:27 PM    HTTP filter    file    IAP Home    JS/Iframe.EF trojan    connection terminated - quarantined    CURTISDESKTOP\Curtis    Threat was detected upon access to web by the application: C:\Program Files (x86)\Mozilla Firefox\firefox.exe.


----------



## Xander (Jun 25, 2012)

I run AVG (which I pay $60 a year for, not the free edition) and I have never had a warning on this site. I always use IE. However, I don't come in through the Home page, I have the forum on my Favorites list and come straight in. Also, I am always logged in and never have to enter user name / password.

Thanks to the great people (Curtis) at IAP for keeping this site save for us all.


----------



## rherrell (Jun 25, 2012)

I tried getting on yesterday and all h#@$ broke loose, SOMETHING was wrong.


----------



## jeff (Jun 25, 2012)

Here's the issue: Our Content Management System, vBAdvanced (the code that formats the front page by pulling stuff from the database) had a vulnerability in the file that shows member birthdays. That vulnerability was exploited and the code for an iFrame trojan (as Curtis described) was injected. This is a well-known trojan and any malware scanner with even reasonably current signatures caught it. This occurred around 8:15 yesterday morning.

As of 5:30 last night, the issue has been repaired and the site is now squeaky clean.

The reason only some of you saw a virus scanner alert was that the birthdays box is only shown on the front page. If you come in through the forum home page or somewhere else, you never saw the warning because those pages were clean. This is what made it so hard to find. It was not immediately clear why only some people saw it. Because it was clear something was going on, I shut the site down around 10am and it did not come back up until about 5:30pm. 

The way this exploit was conducted was very difficult to diagnose. The hackers left no clear trail of their work, and even with hours of sifting through the thousands of server files it takes to run the site, we could find no evidence of tampering. At one point we were somewhat convinced that one of our servers was somehow infected at the operating system level, even though scans said otherwise. So, I contacted a friend of mine who is pretty highly connected in the network security world for the banking industry, and he put me in touch with someone who had the advanced Linux and vBulletin skills necessary to solve the problem. 

After several intense hours, the problem was uncovered and fixed. 

The silver lining here is that we now have an extremely competent and vigilant security professional at our disposal, and he's provided me with a list of actions that will help us thwart this sort of attack in the future, and I'm going to implement every recommendation. No server on the Internet is completely safe from attack, but we have and will continue to beef up the locks on our doors. 

This is one of the unfortunate realities of life on the Internet. There are evil people doing evil things either because they are paid to do so by other evil people or just for their own perverse satisfaction of annoying good people. I'm listening to NPR as I write this and there's a story about an attack on LinkedIn. No site is totally safe, even those with armies of security people working around the clock. 

I apologize for the inconvenience of having the site down all day. I think that was the longest outage we've had for an issue like this, but it was necessary.

Remember, your defense against Internet malware of all types is to run a reputable protection package on every machine you use, and keep its signature database up to date. 

Thanks again for your patience and support.


----------



## RSidetrack (Jun 25, 2012)

Wow - an actual virus that got injected.  I actually have not run into that - but have heard about it.  I am glad you got things cleared up and found a great resource to use for any further issues or questions regarding security.


----------



## GoodTurns (Jun 25, 2012)

I keep getting a different message... pretty sure it is accurate....


----------



## Grampy122 (Jun 25, 2012)

*Same thing*

This is the same thing that has been going on since the beginning of the month. I can now turn on the AVG tool bar without getting a message. It would happen if I went into the home page and select a thread to open in a tab and then select that tab, I would get the virus message.


----------



## asyler (Jun 25, 2012)

just wanted to leave a great big THANK YOU for all your work in keeping a great site up and running,,


----------



## jeff (Jun 25, 2012)

GoodTurns said:


> I keep getting a different message... pretty sure it is accurate....



Let's be perfectly clear that Jon is being humorous. :biggrin:


----------



## OKLAHOMAN (Jun 25, 2012)

Jon, humorous....no not straight laced Jon


Jeff said:


> GoodTurns said:
> 
> 
> > I keep getting a different message... pretty sure it is accurate....
> ...


----------



## Jim Burr (Jun 25, 2012)

I think someone is just P***ed that this is a cool site...others pale in comparison.:biggrin:


----------



## asyler (Jun 25, 2012)

but, if my wife saw Jon's warning ,, she would agree!!!


----------



## Haynie (Jun 25, 2012)

GoodTurns said:


> I keep getting a different message... pretty sure it is accurate....



So If you clicked "Continue, I understand the risks"  Would it contact your wife with the grand total of all your orders?


----------

