# Firefox says EN World is an attack site?



## RangerWickett

So now every time I try to click a page on EN World, I get a red warning from Firefox that www.enworld.org/forum is a reported attack site. When I click for more information, it posts this:



> Safe Browsing
> Diagnostic page for www.enworld.org/forum
> 
> What is the current listing status for www.enworld.org/forum?
> 
> This site is not currently listed as suspicious.
> 
> What happened when Google visited this site?
> 
> Of the 19 pages we tested on the site over the past 90 days, 2 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2011-01-20, and the last time suspicious content was found on this site was on 2010-12-30.
> 
> Malicious software includes 4 trojan(s).
> 
> Malicious software is hosted on 1 domain(s), including cuorcuyg.co.cc/.
> 
> 1 domain(s) appear to be functioning as intermediaries for distributing malware to visitors of this site, including rldzzlfl.co.cc/.
> 
> This site was hosted on 1 network(s) including AS30221 (T3COM).
> 
> Has this site acted as an intermediary resulting in further distribution of malware?
> 
> Over the past 90 days, www.enworld.org/forum did not appear to function as an intermediary for the infection of any sites.
> 
> Has this site hosted malware?
> 
> No, this site has not hosted malicious software over the past 90 days.
> 
> Next steps:
> 
> * Return to the previous page.
> * If you are the owner of this web site, you can request a review of your site using Google Webmaster Tools. More information about the review process is available in Google's Webmaster Help Center.




Anyone know what's up?


----------



## Nikosandros

I don't know what's up, but I'm having the same problem.


----------



## RangerWickett

The problem literally just started in the past 15 minutes. I could access the site fine as of 8:09 Eastern Standard Time.

I don't have a problem when using IE. 

It seems to be tied to this site: StopBadware - Welcome to StopBadware. I'm guessing the Firefox Google toolbar is tied to that.

According to Wikipedia, Stop Badware is a legit company. It might be that there's actually a trojan that got slipped through EN World via one of the ad scripts or something. I don't know enough about how it all works.


----------



## scruffygrognard

I'm getting the same error and have to repeatedly click "ignore this warning" to navigate the site.


----------



## Walking Dad

Same here. Makes it impossible to post anything. I'm currently using Explorer.


----------



## Nikosandros

Walking Dad said:


> Same here. Makes it impossible to post anything. I'm currently using Explorer.



You can disable the notifications in Tools -> Options -> Security -> Block reported attack sites, but this is a general setting, it applies to all sites.


----------



## Holy Bovine

Yup - happening to me as well!  Also using Firefox latest build.


----------



## Darkness

Holy Bovine said:


> Yup - happening to me as well!  Also using Firefox latest build.



I'm in the same boat.


----------



## eamon

Took a little longer, but now both Chrome and Firefox are showing a security warning for enworld.org. It's not unreasonable to assume something's been hacked...


----------



## UnknownAtThisTime

IE just plugs along....

Maybe Firefox has been reading the WotC hate threads and is just calling a spade a spade?


----------



## Dungeoneer

I'm also experiencing this.  Anyone know if there's a whitelist of sites in Firefox I can add ENWorld to?

In other news, I had to post this from IE because the Firefox warnings were making it impossible to post from that browser.  This problem may be more widespread but impacting people's ability to report it.


----------



## eamon

I get a slightly longer list of malware domains than RangerWickett. Unfortunately, it's rather difficult for a third party to determine what's wrong; you can't use the Google Webmaster Tools for a third-party site.

Google Safe Browsing diagnostic page for enworld.org says:


> Of the 33 pages we tested on the site over the past 90 days, 18 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2011-01-21, and the last time suspicious content was found on this site was on 2011-01-21.
> 
> Malicious software includes 6 trojan(s). Successful infection resulted in an average of 1 new process(es) on the target machine.
> 
> Malicious software is hosted on 3 domain(s), including rldzzlfl.co.cc/, cuorcuyg.co.cc/, epvkobxb.co.cc/.
> 
> 1 domain(s) appear to be functioning as intermediaries for distributing malware to visitors of this site, including rldzzlfl.co.cc/.
> 
> This site was hosted on 1 network(s) including AS30221 (T3COM).




Good luck!


----------



## wedgeski

It's probable Google does a bit more than just act on user reports. Most likely something unpleasant has actually slipped onto the site, perhaps via a banner ad.


----------



## Piratecat

I've flagged this for @Morrus and @darjr, our excellent technical admin. They'll sort it out. In the mean time, it appears that the warning is in error, but I'm sure it's technically possible; make sure your malware software is up to date (good advice anyways). I'll be swapping to Explorer until we sort this out.


----------



## Walking Dad

Dungeoneer said:


> I'm also experiencing this. Anyone know if there's a whitelist of sites in Firefox I can add ENWorld to?
> 
> In other news, I had to post this from IE because the Firefox warnings were making it impossible to post from that browser. This problem may be more widespread but impacting people's ability to report it.




After my last post, IE also popped up a warning, but no longer.

Online Link Scan - Virus, Trojan, Adware and Malware Scanner, says:




> --------- LINK SCAN SUMMARY ---------
> URL scanned: http://www.enworld.org
> PhisTank say's: Service not available.
> AVG say's: Service not available.
> SiteTruth say's: This site is safe.
> Google Safe Browsing say's: This site is safe.
> Threat Name: *No Threat FOUND*
> Threat Definitions: 878016
> Engine Version: 0.96.5
> Host IP: *68.68.204.20*
> Link Status: *Clean*
> File Size: 78.56 KB
> Time Finished: 6.07 secs
> Overall result: This site is secure.


----------



## NewJeffCT

I got the same message from Firefox.  On IE now.


----------



## Dungeoneer

The madness is spreading!

(although IE is still warning free for me)


----------



## jonesy

I'm on Opera 11 and it says "This site has not been reported as harmful or fraudulent."

So nothing to report on the Netcraft/PhisTank/TRUSTe front.

But I do see a Google safebrowsing alert if I try to search for this site through them.


----------



## Stumblewyk

Glad to see I'm not the only one reporting this.  I thought my Chrome install had gone all kablooey.

Hope you can get this corrected ASAP.  I can't even remember the last time I used IE for anything other than confirming my CSS was cross-browser compliant. I'd hate to have to use it *just* for ENWorld.


----------



## Velmont

Same here with Firefox. Nothing with IE for the moment.


----------



## drothgery

Got warnings in the latest FF/Win. In the IE9 Beta (absolutely no toolbars installed), it looks fine.


----------



## darjr

Thank you guys for the extra data and heads up.


----------



## Morrus

I'll also email Ed Healy, just on the offchance it's an ad that's doing it.


----------



## masshysteria

Looks like ENWorld.org got on the StopBadware list. It's now propagating through all the systems that use StopBadware.

Firefox and Google partner with StopBadware, so that's probably why Firefox and Chrome are showing the error. Not sure if IE uses the service, so it might work in the mean time, without having to create any loophole.

A review will need to be requested to get the site off the blacklist. Details are here: StopBadware - Request a Review


----------



## Scotley

I'm unable to get on to the site from Firefox as well, but IE works fine. Both fully up to date. I'm running various anti-spyware and anti-virus tools to see if I've actually picked up anything from the site.


----------



## Morrus

masshysteria said:


> Looks like ENWorld.org got on the StopBadware list. It's now propagating through all the systems that use StopBadware.
> 
> Firefox and Google partner with StopBadware, so that's probably why Firefox and Chrome are showing the error. Not sure if IE uses the service, so it might work in the mean time, without having to create any loophole.
> 
> A review will need to be requested to get the site off the blacklist. Details are here: StopBadware - Request a Review




I'm getting zero results for this domain when searching that list.  How can you tell it's that list which is causing it?


----------



## StreamOfTheSky

IE's working fine for me.  People always want to trash teh IE, and yet, here we are.   

I love IE, it's the best.


----------



## jonesy

Morrus said:


> I'm getting zero results for this domain when searching that list.  How can you tell it's that list which is causing it?



I'm not getting anything either, but:

"Note that if a site was recently identified as badware, it might take up to a few hours to appear in our Clearinghouse. Please check back a bit later."

http://www.stopbadware.org/home/reportsearch


----------



## Scott DeWar

StreamOfTheSky said:


> IE's working fine for me.  People always want to trash teh IE, and yet, here we are.
> 
> I love IE, it's the best.




You know, that may indicate that the security settings may not be as good as Firefox and Chrome.


----------



## AdmundfortGeographer

Safari has been also reporting the message. Safari uses a Google service for identifying bad websites.

"Don't Be Evil."


----------



## Dungeoneer

Eric Anondson said:


> Safari has been also reporting the message. Safari uses a Google service for identifying bad websites.
> 
> "Don't Be Evil."



I think you're onto something.  Morrus, try casting 'detect evil' on the site.


----------



## Morrus

It's interesting that both CM and ENW are having the same issue - but are on different servers.  

Is it possible for someone to maliciously report such a thing?


----------



## AdmundfortGeographer

Getting your site off Google's Blacklist.

Serpguard gives some more links to Google's tools here.


----------



## Sorrowdusk

Yeeeep I noticed it too and went huh? Everything was fine the other day, and when I looked things up I was surprised.

Thing is-how did you get on the black list in the first place?


----------



## Dungeoneer

Morrus said:


> It's interesting that both CM and ENW are having the same issue - but are on different servers.
> 
> Is it possible for someone to maliciously report such a thing?



Do they get their ads from the same place?  That would still be my prime suspect.

In this case the Google report seems to indicate that Google's bots actually found something or got infected with something on a trawl through the site.  I don't know the details of their system but I imagine that's hard to fake.


----------



## jonesy

Morrus said:


> It's interesting that both CM and ENW are having the same issue...



They are? If I search for ENW on Google I see the warnings, but nothing when I do the same for CM.


----------



## Bacris

I had this happen on a site I manage.

Use the Google Webmaster Tools that StopBadware lists.  When you go through the process of activating through the GWT, it should show you where the problem cropped up.  On my site, one time, it was that the host had been hacked and code injected into all the index files.  Another time, it was a .js file that had code injected into it.

However, it's also possible, as mentioned, that it is ads causing the problem.  See what the GWT specifies, that should help clear it up.  Then once you've found the source and cleaned it, request a new review - takes about 24-48 hours.


----------
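
The clean-up step Bacris describes above (finding code injected into index files or a .js file) can be supported by listing every external host the site's own files load content from. This is an added example, not part of the original thread: the allowlist, the sample files and the `.example` hosts are constructed, and the three `.co.cc` names are the ones given in the Safe Browsing diagnostic quoted earlier.

```python
"""Added example: flag external hosts that a site's HTML/JS files load from."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts the site is expected to load from (assumed values for this example).
ALLOWED_HOSTS = {"www.enworld.org", "ads.partner.example"}
# Domains named in the Safe Browsing diagnostic quoted in the thread.
REPORTED_DOMAINS = {"rldzzlfl.co.cc", "cuorcuyg.co.cc", "epvkobxb.co.cc"}
# Tags whose URL attribute makes the browser fetch content automatically.
LOADING_TAGS = {"script": "src", "iframe": "src", "embed": "src", "object": "data"}
URL_IN_TEXT = re.compile(r"""(?:https?:)?//[^\s"'<>\\)]+""", re.IGNORECASE)
ABSOLUTE = re.compile(r"(?:https?:)?//", re.IGNORECASE)

class _LoaderCollector(HTMLParser):
    """Collects URLs from loading tags and from inline <script> bodies."""
    def __init__(self):
        super().__init__()
        self.urls = []
        self._in_script = False
    def handle_starttag(self, tag, attrs):
        attr = LOADING_TAGS.get(tag)
        value = dict(attrs).get(attr) if attr else None
        if value:
            self.urls.append(value)
        if tag == "script":
            self._in_script = True
    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False
    def handle_data(self, data):
        if self._in_script:
            self.urls.extend(URL_IN_TEXT.findall(data))

def _host(url):
    if not ABSOLUTE.match(url):
        return ""  # relative URL: same origin, nothing to flag
    try:
        return (urlparse(url).hostname or "").lower()
    except ValueError:
        return ""

def classify(host):
    if any(host == d or host.endswith("." + d) for d in REPORTED_DOMAINS):
        return "reported"
    return "allowed" if host in ALLOWED_HOSTS else "unexpected"

def scan(name, text):
    """Return sorted (file, host, verdict) tuples for hosts not on the allowlist."""
    if name.endswith(".js"):
        urls = URL_IN_TEXT.findall(text)  # may also match //comments; review by hand
    else:
        collector = _LoaderCollector()
        collector.feed(text)
        collector.close()
        urls = collector.urls
    findings = set()
    for url in urls:
        host = _host(url)
        if host and classify(host) != "allowed":
            findings.add((name, host, classify(host)))
    return sorted(findings)

def scan_all(files):
    return [f for name in sorted(files) for f in scan(name, files[name])]

# Constructed sample files: an index page and a script, each with one injected loader.
SAMPLE_FILES = {
    "index.html": """<html><body>
<script src="/clientscript/global.js"></script>
<script src="http://ads.partner.example/show.js"></script>
<iframe src="http://rldzzlfl.co.cc/" width="1" height="1"></iframe>
</body></html>""",
    "clientscript/global.js": """function init() {}
document.write('<iframe src="//cdn.unknown.example/a"></iframe>');""",
}

if __name__ == "__main__":
    for finding in scan_all(SAMPLE_FILES):
        print(*finding, sep="\t")
```

An "unexpected" host is not proof of compromise; it is a file to open and compare against a known-good copy before requesting the review.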



## jonesy

Enworld is now showing on StopBadware:

StopBadware - enworld.org

The Google report links to the Google Safe Browsing diagnostic, which now appears to have higher values for malicious software downloads than before (61 as opposed to the 18 it showed before):

Google Safe Browsing diagnostic page for enworld.org


----------



## Pseudonym

I got the warning on Chrome, but I'd just installed the latest Tor build so was wondering if it was on my end. Sorry that it's happening, but good to know it isn't just me.


----------



## mach1.9pants

trechriron said:

> A couple days ago, without my ad blocker enabled, an advert at ENWorld hijacked my work computer big time. That virus scanner thing. It was hell.
> 
> Ad Blocker for firefox is your friend!  Also, Spybot Immunize.




That is a quote from an RPGNet thread about this... best you look into the banner ads guys!


----------



## Kafen

Opera works - Although, Opera uses its own malware list, maybe. 

I know the browser does not download many types of malware because of coding which may be why there is no danger from some types of scripts.


----------



## Relique du Madde

@Morrus
I think I know what's up... If it's not a co-opt ad, then there's a chance it's the TAPATALK Injector exploit.  This explains why both CMS and ENWorld is giving off the warnings.


----------



## Morrus

Relique du Madde said:


> @Morrus
> I think I know what's up... If it's not a co-opt ad, then there's a chance it's the TAPATALK Injector exploit. This explains why both CMS and ENWorld is giving off the warnings.




Is there a new exploit?  There are none that I'm aware of in the current update of Tapatalk.  Various updates fixed various potential exploits.


----------



## Ysgarran

Piratecat said:


> I've flagged this for @Morrus and @darjr, our excellent technical admin. They'll sort it out. In the mean time, it appears that the warning is in error, but I'm sure it's technically possible; make sure your malware software is up to date (good advice anyways). I'll be swapping to Explorer until we sort this out.




Make sure all of your browser plug-ins are up to date.   Not keeping Adobe flash up to date is a good way to get burned by a virus.  

I'm paranoid and fired up a windows virtual machine before ignoring the google virus warning.


----------



## Mithreinmaethor

*ENWorld showing up as attack page*

Here is a link to the reasons it is showing up ..... LINK


----------



## Silverblade The Ench

wow 
wondered why all of a sudden I was having problems googling to a page, here :/


----------



## Xeterog

so, why did it start showing up today?


----------



## Dannyalcatraz

No warning on my iTouch which uses Safari...but Safari DID give a warning on a MacBook Pro.


----------



## Scott DeWar

Thought: I have heard of a virus that is being injected in many places.

1) allows the hacker to gain a back door kinda thing and gives complete access to the infected machine.

2) it is 'contagious' and spreads from one machine to the next.

3) pure speculation, but an Indonesian Islamic organization is being blamed for this attack, as they have taken responsibility for some other hacks from last week.


----------



## Scott DeWar

see also this thread:

http://www.enworld.org/forum/meta/300035-firefox-says-en-world-attack-site.html


----------



## jbear

I also just received this message. Should we be worried?


----------



## Uber Dungeon

*Browser issues*

I have no idea where this would go.
Just today my browsers on both my computers have been saying that this site contains malware and is unsafe... of course I ignore it, but I was wondering what gives all of a sudden? Does it have to do with the recent changes?


----------



## shadzar

There is a thread in another forum about it and the notice about it was above the forums. It is being looked into, but google reported something like 76 of 80 visits resulted in malware in the last 90 days.


----------



## Piratecat

I've done multiple malware scans and have found nothing on my own machine. You should obviously do the same! We've found a plugin that looks weird and have neutralized it, but I don't yet know if we were infected and/or spreading malware. Either way we should be okay now with that code removed, but definitely err on the side of making sure you're protected against infections.

As soon as we know more, we'll holler.


----------



## Scott DeWar

You might want to post a link to this reply of yours in the top banner, and make it the color of like hunter orange as there has been another thread on this same issue started.


----------



## KarinsDad

Just a thought. This might not be something that just started happening today. For the first time, I got 4 trojans on my work system in the last week and as a general rule, the only non-intranet related sites that I go to at work are hotmail and enworld. The internal sites should be fairly clean due to our InfoSec group, so the most likely culprit would be enworld (I assume that hotmail would have more extensive protection than enworld).


----------



## vagabundo

Bingo, showing up in stop badware

StopBadware - enworld.org

Maybe the recent spate of anti-WotC ill feeling and badness has coalesced into something malevolent, something that's lurking in the forum and now tries to spread itself via your browser.


----------



## DracoSuave

It isn't the browsers detecting bad doing it, basically any browser that gets reports from google (Firefox, Chrome obv) are simply relaying that report.

The report itself says that it's specific sites being linked, but that enworld itself is not transmitting the malicious code.

Yeah, it's probably an ad that's infected.


----------



## Relique du Madde

DracoSuave said:


> Yeah, it's probably an ad that's infected.




Considering the number of Chinese MMORPGs I've seen advertised in the last week I'm betting one of them is viral.


----------



## Dungeoneer

Hey, I'm not seeing the warnings this morning.  This is good!


----------



## darjr

Google cleared us some time this morning.


----------



## Aldern Foxglove

It's not cleared for me on Firefox, I just tried reapplying the block in tools and got EnWorld coming up as an attack site still.


----------



## Dungeoneer

I'm using firefox too.  You probably just need to flush your cache and close and reopen your browser.


----------



## renau1g

yeah I'm using FF as well and it's all good. Well done @darjr


----------



## Cyronax

Scott DeWar said:


> Thought: I have heard of a virus that is being injected in many places.
> 
> 3) pure speculation, but an Indonesian Islamic organization is being blamed for this attack, as they have taken responsibility for some other hacks from last week.




Do you know if they were pro-4e or PF? We need to establish intent here.


----------



## Dungeoneer

darjr said:


> Google cleared us some time this morning.



So what was the issue?


----------



## Umbran

Duplicate threads merged.


----------



## jaerdaph

It's good to be back (in Firefox)! 

Using IE9 makes me feel like I'm having unprotected sex with strangers...


----------



## (Psi)SeveredHead

It wasn't fine an hour ago, but is now.

By the way, it was really hard to get good info on this problem while it lasted. I found there's an ENWorld livejournal, but it hasn't been updated since 2009.

If EnWorld gets "hacked" again, where can we go for info?


----------



## Morrus

(Psi)SeveredHead said:


> By the way, it was really hard to get good info on this problem while it lasted. I found there's an ENWorld livejournal, but it hasn't been updated since 2009.




I don't know what that is, but it's nothing to do with us.  I wasn't even aware of it until you mentioned it.



> If EnWorld gets "hacked" again, where can we go for info?




My twitter feed is a good place, as is Circvs Maximvs.

There wasn't really much info to give out, though, other than "We're working on it". We didn't know any more than you did until we managed to find the problem and fix it.


----------



## Scott DeWar

Wahoo! the blind fold is off of the security guard!!


----------



## Knightfall

I'm glad the issue has been resolved. I needed my EN World fix.


----------



## blargney the second

(Psi)SeveredHead said:


> By the way, it was really hard to get good info on this problem while it lasted. I found there's an ENWorld livejournal, but it hasn't been updated since 2009.
> 
> If EnWorld gets "hacked" again, where can we go for info?



For what it's worth, I'd love to have an official rally point in times of trouble.  During previous problems, that Livejournal has actually been helpful finding out what's going on.  This time around, there wasn't anything so I had to dig a little deeper.

I found something that _almost_ worked: *twitter feeds with the #enworld tag*.  There were folks asking questions, but no particular responses.  If that loop were completed, it would be a fantastic fallback spot.  Updates as simple as "we're working on it" are actually valuable information.
-blarg


----------



## carborundum

Thanks for getting it sorted out so quickly folks. Glad to be back and browsing


----------



## Morrus

blargney the second said:


> For what it's worth, I'd love to have an official rally point in times of trouble.  During previous problems, that Livejournal has actually been helpful finding out what's going on.  This time around, there wasn't anything so I had to dig a little deeper.
> 
> I found something that _almost_ worked: *twitter feeds with the #enworld tag*.  There were folks asking questions, but no particular responses.  If that loop were completed, it would be a fantastic fallback spot.  Updates as simple as "we're working on it" are actually valuable information.
> -blarg




As I said, my twitter feed is official and said exactly that. The Livejournal thing is nothing to do with me.

If folks want to ask me a question on twitter, I'm sure they know to put @Morrus in it if they want me to see it.


----------



## jaerdaph

darjr said:


> Thank you guys for the extra data and heads up.




I just wanted to thank you once again for everything you do to keep EN World up and running!


----------



## blargney the second

Morrus said:


> If folks want to ask me a question on twitter, I'm sure they know to put @Morrus in it if they want me to see it.



For what it's worth I didn't know, so I couldn't ask.  More importantly, Google doesn't know that either.  When I asked it about the malware problem, it pointed me at #enworld, which was _very nearly_ a useful solution.  If that tag were put to use, anybody could find it using existing search engines.


----------



## Morrus

blargney the second said:


> For what it's worth I didn't know, so I couldn't ask.  More importantly, Google doesn't know that either.  When I asked it about the malware problem, it pointed me at #enworld, which was _very nearly_ a useful solution.  If that tag were put to use, anybody could find it using existing search engines.




I'd never even heard of an #enworld tag, just like I'd never heard about the Livejournal page.


----------



## TheAuldGrump

Morrus said:


> I don't know what that is, but it's nothing to do with us.  I wasn't even aware of it until you mentioned it.



It appears to be a journal that someone started on one of the occasions that EN World was down. So it is _about_ you, but not _by_ you.

The Auld Grump


----------



## Relique du Madde

Morrus said:


> I'd never even heard of an #enworld tag, just like I'd never heard about the Livejournal page.




Oh god...  EN World has become sentient and is acting on its own accord!! /Panic.


----------



## Scott DeWar

@Deus Ex Machina? Wasn't there an enworldie by that name at one time? Maybe before the big crash?


----------



## Sorrowdusk

Relique du Madde said:


> Considering the number of Chinese MMORPGs I've seen advertised in the last week I'm betting one of them is viral.





World of LordCraft, Kingory, Evony, Civony, Caesary, Hickory, D***kory....


----------



## weem

Sorrowdusk said:


> Kingory,Evony,Civony,Caesary, Lord of Worldcraft, D***kory....




I was using #enworld on Twitter for a while, but have used #enw instead recently.


----------



## Cyronax

Relique du Madde said:


> Oh god...  EN World has become sentient and is acting on its own accord!! /Panic.




/panic.

Does anyone have the flashdrive with the Sword of a Thousand Truths? We need a deterrent against future attacks.


----------



## eamon

darjr said:


> Google cleared us some time this morning.



Out of curiosity - do you have any idea what happened?  Was it an ad, a hack, or a false positive?

Congrats on the fast fix: I didn't expect things to move so quickly.

_*Edit*_: never mind, found http://www.enworld.org/forum/news/300065-hacking-malware-warnings.html


----------



## wingsandsword

Morrus said:


> As I said, my twitter feed is official and said exactly that. The Livejournal thing is nothing to do with me.
> 
> If folks want to ask me a question on twitter, I'm sure they know to put @Morrus in it if they want me to see it.



I remember using that LJ community years ago during some ENWorld downtime, trying to figure out why it was down.  I don't know who started it, but a lot of ENWorld regulars have posted there.

To be honest, I'd forgotten about it because I haven't used LJ regularly in about a year, Facebook pretty much overtook it in terms of keeping up with people and things.


----------



## Piratecat

weem said:


> I was using #enworld on Twitter for a while, but have used #enw instead recently.



I tend to use #enworld, but is there a move to switch to #enw? Fewer characters = more shining pearls of wisdom shoved uncomfortably into a tweet.


----------



## darjr

You should tweet that.


----------



## Dannyalcatraz

BTW, thank you all y'all who sussed out and fixed the problemo.


----------



## Scott DeWar

I think that was Dar jr. (Mr. Tech man!)


----------



## Scott DeWar

Darjr, how many xp do you give per rep? 6 or 8?


----------

