homepage Welcome to WebmasterWorld Guest from 54.197.111.87
register, free tools, login, search, pro membership, help, library, announcements, recent posts, open posts,
Become a Pro Member

Visit PubCon.com
Home / Forums Index / Google / Google AdSense
Forum Library, Charter, Moderators: incrediBILL & jatar k & martinibuster

Google AdSense Forum

    
Virus on ads
chicagotech




msg:4147831
 9:39 pm on Jun 6, 2010 (gmt 0)

I publish AdSense, Microsoft pubCenter and ValueClick ads on my web site. I get more and more visitors complain about virus on my website. I have a feeling heh virus coems from one of ads. How can I know where it comes from? How can I prevent it. Please help.

 

Lame_Wolf




msg:4147843
 10:02 pm on Jun 6, 2010 (gmt 0)

How can I prevent it.

remove the adverts. ;)

andrewshim




msg:4147862
 11:05 pm on Jun 6, 2010 (gmt 0)

Ask you webhost to do a complete scan of your website.

HuskyPup




msg:4147867
 11:21 pm on Jun 6, 2010 (gmt 0)

Check your source code in your browser to see if something is there that should not be. Usually it is only inserted in the index page...no guarantee of this though!

incrediBILL




msg:4147896
 12:29 am on Jun 7, 2010 (gmt 0)

I went to your site and it appears one of your many advertisers is hosting some hacked content.

Saw the following happen:
a) one time it wanted me to download a "plug-in" to view ad content (yeah, right)
b) another time it wanted to open a "pop-up" window that contained iframe injector code
c) last time it redirected me to a site, away from yours, that was wired to keep me there

Looked at the source code, it wasn't infected.

I would get rid of a couple of advertisers.

chicagotech




msg:4147904
 12:51 am on Jun 7, 2010 (gmt 0)

Hi icrediBILL,

Thank you for the reply. Could you please give me more details which advertisers may cause those problems. Can I assume those image ads may have virus?

wyweb




msg:4147916
 1:10 am on Jun 7, 2010 (gmt 0)

give me more details which advertisers may cause those problems

Click on the ads. When your AV starts screaming at you it'll be a pretty good clue.

j/k - sort of anyway...

incrediBILL




msg:4147918
 1:16 am on Jun 7, 2010 (gmt 0)

Could you please give me more details which advertisers may cause those problems.


Not sure as it was a 3rd party ad server that was associated such as "ad.example.com" but it didn't come from Google, that much I'm sure about.

I simply reloaded one of the pages multiple times until something hit the browser, it wasn't happening every time and it was different each time.

The hackers appear to be using a cookie to keep track of what hit the page.

Click on the ads.


No need, it was attempting to open itself.

Dave_B




msg:4148111
 12:45 pm on Jun 7, 2010 (gmt 0)

If you are using an older verion of openx to serve your various networks this could very well be the cause.

chicagotech




msg:4148120
 1:02 pm on Jun 7, 2010 (gmt 0)

One more information. My Web site also uses Google search. Sometimes when I use google search, it also redirect to a website.

Lame_Wolf




msg:4148144
 2:21 pm on Jun 7, 2010 (gmt 0)

chicagotech, have you scanned your PC for any viri etc ?

engine




msg:4148152
 2:42 pm on Jun 7, 2010 (gmt 0)

Lame_Wolf, exactly my thinking, too. It could, of course, be a combination of both local and online. Start by checking your own computer.

incrediBILL




msg:4148210
 4:16 pm on Jun 7, 2010 (gmt 0)

Guys, I got things popping up from third party networks.

It wasn't his local or I wouldn't have seen it, it wasn't OpenX as he isn't using that.

If I have more time later I'll see if I can't diagnose it but it wasn't Google, that's the only thing I'm sure of.

chicagotech




msg:4148222
 4:40 pm on Jun 7, 2010 (gmt 0)

Yes, I have scanned my computer many times. I have Symantec Endpoint with definition June 6 (I just checked it).

vrtlw




msg:4148225
 4:43 pm on Jun 7, 2010 (gmt 0)

The bright ad network appears to be blocked on my connection, hence I am not seeing any popups or redirects on/from the (assumed) web site.

incrediBILL




msg:4148279
 6:09 pm on Jun 7, 2010 (gmt 0)

Load up FireFox and NoScript and then look at the number of scripts running on your site.

You'll find your page(s) load no more than 12 scripts of which I'd rule out doubleclick, googlesyndication, google-analytics and probably msn.

That leaves 8 other ad networks, some 3rd party networks change each time the page loads, and any one of those could be the source.

What's going on is nested ad networks and somewhere along the way it would appear that one of the ad networks is loading ads from an infected 3rd party ad server.

However, today I didn't see anything suspect, maybe I didn't view enough pages to find it, maybe it was already caught?

Hard to say.

However I've seen this garbage before and it's why you should avoid the lower tier ad networks that allow 3rd party ad serving.

IanCP




msg:4148575
 3:13 am on Jun 8, 2010 (gmt 0)

Interestingly, yesterday after reading this thread, more out of curiosity than anything I was Googling "Saveloy Recipes".

On the second page in Google Search I hit on a site and for the first time ever, my AV program went "ballistic".

I don't believe it was the site itself, just some advertiser.

Google gave no warning.

FWIW

[EDIT] I don't suggest for one second it was an AdSense ad. Sorry if I inadvertently caused any confusion.

incrediBILL




msg:4148580
 3:37 am on Jun 8, 2010 (gmt 0)

Google gave no warning.


That's because Google typically only warns you of directly infected sites.

Infected ad networks are a real beast to catch because the ad network rotates the ads so you may never see where it came from a second time.

If I didn't earn off advertising I'd say this problem is almost a good enough reason to run AdBlock and NoScript to everyone.

chicagotech




msg:4148586
 3:58 am on Jun 8, 2010 (gmt 0)

Today when I opened this page I got a popup. But when I visited it second time, the popup doesn't show up. I may just keep AdSense and Microsoft pubCenter so that we can focus on it.

[edited by: incrediBILL at 4:07 am (utc) on Jun 8, 2010]
[edit reason] removed URL, no specifics please [/edit]

maximillianos




msg:4149549
 11:54 am on Jun 9, 2010 (gmt 0)

We had this same problem recently. Narrowed it down to TribalFusion. When i contacted them they confirmed one of their ad server IPs was accidently flagged by AVG. They told me it was fixed with an update and to tell my visitors to update their AVG to fix the problem. Yeah right, like I'm going to try and tell a million visitors "hey if you avg please update it so you can use our site".

I told them why not just get a new IP for the ad server in question. They never responded. I removed their ad network about 3 months ago and relpaced it with Google image ads.

Funny thing is, G image ads out performed the old ad network. So we should have tested an replaced the ad network a long time ago.

pageoneresults




msg:4149629
 1:27 pm on Jun 9, 2010 (gmt 0)

I've been seeing this now for quite a few months, ever since I purchased MalwareBytes. I've been sending folks (that I know) messages when I run across Malicious IP Warnings. They tell me they're not worried about it. Problem is, MB won't let me visit the site unless I turn it off - and I'm not doing that. I'd say that 1 out of 25 sites I visit these days on a regular basis has a Malicious IP Warning and it's nice to see a confirmation on where these may be coming from.

Thank you MB!

WesleyC




msg:4149820
 5:25 pm on Jun 9, 2010 (gmt 0)

The problem with malicious IP detection is that many sites are on shared hosting these days--what happens if your host allots you an IP that is (unknown to you) also shared by a site that's been hacked? Your site is now also flagged with a malicious IP warning.

john_k




msg:4149841
 5:58 pm on Jun 9, 2010 (gmt 0)

One other bit to consider is that ads using flash will make your users vulnerable to the Adobe vulnerability discussed in this thread:

Adobe Alerts Of Flash Player and Adobe Reader Vulnerability [webmasterworld.com]


If an advertiser is hacked (or less than honerable), then the door is open to get at the visitors of any website displaying their ads.

incrediBILL




msg:4149894
 7:09 pm on Jun 9, 2010 (gmt 0)

what happens if your host allots you an IP that is (unknown to you) also shared by a site that's been hacked?


That's the least of your worries on shared hosting, being hacked is the worst ;)

webastronaut




msg:4149952
 8:21 pm on Jun 9, 2010 (gmt 0)

Malwarebytes Corporation has no phone no address on the site and probably outsources don't use them. Maybe they will fix but new problems will come...

Drag_Racer




msg:4150242
 6:44 am on Jun 10, 2010 (gmt 0)

I started seeing virus impregnated ads back in November and quickly built a quite large list of networks to block in my hosts file.

Malwarebytes Corporation has no phone no address on the site and probably outsources don't use them.

Please investigate before you post. I spent some time working on virus cleaning of PCs and Malwarebytes was by far the best program out there.

Sometimes when I use google search, it also redirect to a website.

Check your hosts file. Your website may have infected you. A good program for checking your hosts file is HostsXpert. You should only have 1 entry in the file which is '127.0.0.1 localhost' unless you have made additions. An IP not 127.0.0.1 will redirect the domain listed to that ip.

webastronaut




msg:4150778
 8:55 pm on Jun 10, 2010 (gmt 0)

wow now the site Malwarebytes Corporation say's, "We are currently looking to open a centralized office location in the San Jose, California area" nice address and what more research do I need to do?
HostsXpert? Where is there address? Funkytoad

gpilling




msg:4151502
 11:40 pm on Jun 11, 2010 (gmt 0)

Malwarebytes has fixed a few pcs for me lately.

bcc1234




msg:4151552
 3:55 am on Jun 12, 2010 (gmt 0)

but it wasn't Google, that's the only thing I'm sure of.


I wouldn't be so sure. It might not be AdSense, but third party networks ads are served from other domains. So you would see something like ad.somedomain.com, not googlesyndication or doubleclick. The ad block frame entirely redirects to a third party domain.

I'm having the same problem:

[webmasterworld.com...]

And I don't show anything other than Adsense (with image ads) and in-house (hardcoded) ads.

Global Options:
 top home search open messages active posts  
 

Home / Forums Index / Google / Google AdSense
rss feed

All trademarks and copyrights held by respective owners. Member comments are owned by the poster.
Home ¦ Free Tools ¦ Terms of Service ¦ Privacy Policy ¦ Report Problem ¦ About ¦ Library ¦ Newsletter
WebmasterWorld is a Developer Shed Community owned by Jim Boykin.
© Webmaster World 1996-2014 all rights reserved