Google just said LQ was an "attack site".
 

I just clicked on my bookmark to get into LQ and a big google warning come up telling me LQ was an attack site. I've seen this a couple of times with various small forums and each of them went offline for about a week. Just thought I'd let you know.

i got red warning too, as i used direct link i think it comes from firefox.

Yep just had the same claiming there is malware..

Looking at our Google Webmaster Tools account, this is definitely a mistake and LQ is not currently serving malware. I'm looking into it further now. Thanks for the heads up.

--jeremy

I had this warning on another site, I think someone broke the internet. :)

I got this too.
Strange though, reading the diagnostic page it says:
"Of the 616 pages we tested on the site over the past 90 days, 0 page(s) resulted in malicious software..
Over the past 90 days, www.linuxquestions.org/questions did not appear to function as an intermediary for the infection of any sites.
this site has not hosted malicious software over the past 90 days."

I'm seeing this as well..

and people wonder why internet users will ignore warnings...bogus 'warnings' like this are a lot of the reason why.

This is just one of the dangers of having a global super corporation with it's tracking "features" built into three of the four major web browsers and enabled by default.

I think it's a Google problem as many sites I vist regualrly gave me this warning this morning.

Google and Firefox both issue this warning, but no issues with Bing.

Don't know whether this will help. Got this from trying to access the homepage just now from a non-logged in firefox session.
I also saw a "Additional plugins required" notification pop up, which is unusual because I didn't think LQ generally allows flash ads (though I may be mistaken)

Thanks jeremy for looking into this. Even i got the same warning.

It's google for crying out loud.
They've never made a mistake.
</sarcasm>

but then again, pewp happens.

It seams that openx.org, d1.rumbaypelo.com, and/or aboelaraby.com are culprits. So not the LQ directly but third-party links.

I got Safe Browsing page (on Serbian :( ) with following:

Google translation:

"Tip provided by Google
Safe Browsing
Diagnostic page for www.linuxquestions.org

What is the current status on the list for www.linuxquestions.org?

Site is listed as suspicious - visiting this web site may harm your computer.

In the last 90 days, part of this site was listed for suspicious activity 2 time (s).

What happened when Google visited this site?

Of the total number of pages we tested on the site over the past 90 days (925), the malicious software being downloaded and installed without user consent on the following number of pages: 42 Google last visited this site 2013-02-04, and suspicious content was the last time we found him on 2013-02-03.

The number of domains in which malicious software is hosted 2, including the openx.org /, d1.rumbaypelo.com /.

The number of domains, which appear to function as intermediaries for distributing malware to visitors of this site is 1, including the openx.org /.

The number of networks on which this site is hosted 2, which include AS36351 (SoftLayer), AS15169 (Google Internet Backbone).

Has this site acted as an intermediary resulting in further distribution of malware?

It seems that www.linuxquestions.org the last 90 days function as an intermediary for the infection sites (1), including the aboelaraby.com /.

Has this site hosted malware?

No, this site has not hosted malicious software over the past 90 days.

How did this happen?

In some cases, third parties can add malicious code to legitimate sites, which leads us to show the warning message.

Next Steps:

Return to the previous page.
If you are the owner of this website, you can request a review of your site using Google Webmaster Tools. More information about the review process can be found in the center of the Google Webmaster Help.

Updated 5 with

© Google - Google Home"

Original text:

"Савет доставља Google
Безбедно прегледање
Страница за дијагнозу за www.linuxquestions.org

Који је актуелни статус на листи за www.linuxquestions.org?

Сајт је наведен као сумњив – посета овом веб сајту може нанети штету вашем рачунару.

У протеклих 90 дана, део овог сајта је наведен због сумњиве активности 2 пут(а).

Шта се десило када је Google посетио овај сајт?

Од укупног броја страница које смо тестирали на сајту у протеклих 90 дана (925), злонамеран софтвер је преузет и инсталиран без пристанка корисника на следећем броју страница: 42. Google је последњи пут посетио овај сајт 2013-02-04, а сумњив садржај смо последњи пут пронашли на њему 2013-02-03.

Број домена на којима се хостује злонамеран софтвер је 2, међу којима су и openx.org/, d1.rumbaypelo.com/.

Број домена за које се чини да функционишу као посредници за дистрибуцију малвера посетиоцима овог сајта је 1, међу којима су и openx.org/.

Број мрежа на којима је овај сајт хостован је 2, међу којима су и AS36351 (SOFTLAYER), AS15169 (Google Internet Backbone).

Да ли се овај сајт понашао као посредник што је довело до даље дистрибуције малвера?

Изгледа да је www.linuxquestions.org у протеклих 90 дана функционисао као посредник за инфицирање сајтова (1), међу којима су и aboelaraby.com/.

Да ли је овај сајт хостовао малвер?

Не, овај сајт није хостовао злонамеран софтвер у протеклих 90 дана.

Како је до овога дошло?

У неким случајевима, треће стране могу да додају злонамеран кôд на легитимне сајтове, што нас наводи да прикажемо поруку упозорења.

Следећи кораци:

Вратите се на претходну страницу.
Уколико сте власник овог веб сајта, можете да затражите преглед сајта уз помоћ Google алатки за вебмастере. Више информација о процесу прегледања можете да пронађете у Google центру за помоћ за вебмастере.

Ажурирано пре 5 с

© Google - Google почетна"

And that indeed is the problem. It's not the first time ad networks served malware or PUA but openx.{org,net} reputation is especially bad.

*Just for fun this is a diff of checking Google itself:
As you can see it considers itself "not suspicious" even though it listed itself as suspect for about 30 out of 90 past days ;-p

I was about to say that I guessed it was a link somewhere. Usually these warnings are because there's a post somewhere that's managed an XSS attack or something though I suspect here it may even just be somebody posting malicious links.

By the above I mean that I don't see this as a false positive and won't until I see it confirmed. Whilst I'm not entirely comfortable that Firefox using Google's listings isn't invading my privacy somehow, and I certainly don't trust or like Google much I don't think warning like this are a bad thing. I've seen enough legitimate sites host malicious code and/or links to prefer that "the man in the street" is warned of these things.

Does someone who maintains these forums know about this yet?

Yes:

http://www.acurazine.com/forums/images/smilies/doh.gif my bad. i guess i missed that post. thanks

I see I am not alone.... saw it earlier but it cleared up. Now it's doing it again.

As an update: I can confirm that LQ was not serving malware and that this was the result of one of our ad providers (OpenX). We've stopped using them to serve ads while they clear this up and have notified Google of this.

--jeremy

Still warnings with Firefox, but none with Midori.

Does anyone know what OS the malware was targeted at?

Thank You
Bob W

As mentioned, LQ was at no time serving malware.

--jeremy

http://www.google.com/safebrowsing/d...-492384/&hl=en

For information regarding the error.

That why I use Opera. It never gave me false alarms.

It's not a "false alarm" though. It was a legitimate warning that this site was serving pages from a compromised site.
In fact, were it not for the warning, it could be argued that nobody would have noticed until compromised adverts were hosted, making it much worse.
(Opera is a good browser though, I have to say)

I'd consider it a false alarm in that LQ never served malware via the site in question, as we do not use the OpenX marketplace or allow any unknown third parties to serve ads at LQ. For them to block every site that uses an ad network because of a small number of rogue ads somewhere in the network seems extreme, especially considering how long it's taking to get LQ unlisted.

--jeremy

Sorry I hadn't realised it was a third-party of a third-party. Perhaps, then, google ought to spend more of their billions being a little more careful.
I wasn't suggesting that LQ were in any way responsible for malware, by the way, just that using adverts from someone who has been compromised at least lets you look at hosting their adverts again. It may cost you a lot of time and effort but if this isn't the first time they've been a problem at least it gives you a heads-up that they're perhaps not that great.

The IT people in my company today "blocked LQ" since FortiGuard reported it as a malware site. :(
I guess I'll have to talk to them now!

Post 20 shows a new smilie BTW! ;-)

Suggestion for a suggestion
 

If LQ is clean, but a third-party hired by a third-party is not, why does Firefox say LQ is patient zero?

Shouldn't it be some sort of "yellow warning" indicating that a third-party site is doing something unusual?

Outsourcing might be always good from a business perspective, but definitely not from a technical one. And to mitigate its bad side effects, shouldn't we suggest a patch for a Firefox "yellow warning" instead of a red one telling me basically LQ is some sort of cholera x variola x ebola?

It doesn't:

and

--jeremy

Far as I can tell the Google warning was helpful. Of course they could do better to help Jeremy but as far as protecting the users I think the false positive was worth it. The internet is too full of XSS and other attacks to be blasé about this. A site which LQ uses to serve adverts was compromised.
New users to the internet ought to be told that these warnings are real as a fire alarm. Personally I'm sick of SPAM and other rubbish because not enough sites are reported and people don't take these things seriously enough.

The part that's extra frustrating in this case is that openx.org is already de-listed and we're not. I can see blocking an LQ pageview that has openx.org-related code on it, but IMHO we should not have been listed separately (we certainly shouldn't still be listed) and removing all openx.org related code should be enough for us to immediately not be impacted.

--jeremy

I knew that LQ is safe and I continue to enter the site. I figure it was an error on google or something. Anyway, I ran clamav on my home directory and the /tmp folder. I had zero infested files in both directories.

That is bad.
I also think the warning ought to mention that "this site has been known to link to a site which causes problems".
Good idea, poorly executed I think. Sadly.
Thanks for the hard work Jeremy.

Anyway of helping LinuxQuestions knock these down quicker?

I saw it this morning when I had just finished a new install of Debian Testing with a full blown Gnome DE. I was working on the bloat and needed to tweak the desktop. I did a google search and it popped up in the search results showing LQ as a possible bad site.

FWIW I trust LQ more than google, so I knew it had to be a ad somewhere.

I guess the best thing is to post when this is seen, but I was thinking about as a "third party viewer" if there was anything we as members of LQ could do to help.

Just my :twocents:

Unfortunately, no. It's just a waiting game now as "A review for this site is still being processed".

--jeremy

Greetings,

Well, for those that have encountered this with Chrome/Chromium, here's what I did to deal with it:

1. First, I checked across Google's search engine for what exact hosts the links for openx.org, rumbaypelo.com & aboelaraby.com showed up on LQ using:
   
   Code:

   ---

   site:linuxquestions.org <questionable domain>

   ---

   and got hits for d1.openx.org, d1.rumbaypelo.com and community.ca.dc.openx.org. Unfortunately, I didn't get any hostname hits for aboelaraby.com. (But, that might be expected from what was stated above about it being a 3rd party link off the openx.org link.)
2. Then, I added d1.openx.org, d1.rumbaypelo.com and aboelaraby.com, with an alias for community.ca.dc.openx.org into my /etc/hosts file as follows:
   
   Code:

   ---

   127.0.0.1      d1.rumbaypelo.com
127.0.0.1      d1.openx.org    community.ca.dc.openx.org
127.0.0.1      aboelaraby.com

   ---

3. Then I went back to LQ.org via Chromium, clicked on the little "Advanced" link next to the "Go Back" button.
4. That link expands to two links when you click on it; "Details about problems on this website" and "Proceed at your own risk".
5. Clicked on "Proceed at your own risk" and here I am, posting this for others to use.

And as far as:
Maybe this will shed a little light on that:
So, since openx.org is using Googlemail as (at least) one of their mail servers, that's probably why they got de-listed so quickly. :-/ Not sure that it's right, but it does seem to be what it is (at least according to SBCGlobal's DNS).

HTH.

I didn't think so (although I briefly thought I had a malware site pretending to be LQ), and I assume most people didn't. But if LQ were infected with malware, wouldn't exclusive Linux users (not Linux/Windows dual-boot users) have less to worry about than Windows users?

No more warnings here. Is LQ off the list now, or I just broke my browsers? :)

@ newbiesforever

http://en.wikipedia.org/wiki/Linux_malware

This appears to be mostly squared away...

Just checked from a Google search in Chromium and got straight here, however there was an additional link below the Search result, like this:
So, a little more to go, but direct access is restored.

HTH.

I'm still showing that "A review for this site is still being processed. Please check back later." BUT, I can confirm that a default Chrome/FF install is no longer blocking the site.

--jeremy

...and http://safebrowsing.clients.google.c...xquestions.org has been updated to indicate:

Thanks for the patience, this has certainly been a frustrating experience.

--jeremy

Thank you. I've never had it straight in my mind whether virus or malware infections in Linux are nonexistent or extremely rare. This still says what I read when I researched Linux malware a few years ago--that the viruses rarely or never existr outside laboratories (it hedges a bit).

You're welcome newbiesforever,

Even though viruses and malware is rare in linux, I ran clamav on my home directory and tmp folder just to be sure because files can be hidden in image files. So far, no infected files found :)

FYI: On a search I did a few minutes ago I'm seeing the same message that generated the original post in this thread.

Prior to today I've not seen that for LQ ever.

It is clear now on my PCs without any changes to FF/Iceweasel-Chomium-Opera.
Jeremy you don't have to thank us these things happen, instead it is us that should thank you for providing LQ for us to use.