Forum Moderators: incrediBILL & martinibuster

Virus on ads

   
9:39 pm on Jun 6, 2010 (gmt 0)

5+ Year Member



I publish AdSense, Microsoft pubCenter and ValueClick ads on my web site. More and more visitors complain about a virus on my website. I have a feeling the virus comes from one of the ads. How can I know where it comes from? How can I prevent it? Please help.
10:02 pm on Jun 6, 2010 (gmt 0)

WebmasterWorld Senior Member lame_wolf is a WebmasterWorld Top Contributor of All Time 5+ Year Member Top Contributors Of The Month



How can I prevent it.

remove the adverts. ;)
11:05 pm on Jun 6, 2010 (gmt 0)

WebmasterWorld Senior Member 5+ Year Member



Ask your webhost to do a complete scan of your website.
11:21 pm on Jun 6, 2010 (gmt 0)



Check your source code in your browser to see if something is there that should not be. Usually it is only inserted in the index page...no guarantee of this though!
12:29 am on Jun 7, 2010 (gmt 0)

WebmasterWorld Administrator incredibill is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month



I went to your site and it appears one of your many advertisers is hosting some hacked content.

Saw the following happen:
a) one time it wanted me to download a "plug-in" to view ad content (yeah, right)
b) another time it wanted to open a "pop-up" window that contained iframe injector code
c) last time it redirected me to a site, away from yours, that was wired to keep me there

Looked at the source code, it wasn't infected.

I would get rid of a couple of advertisers.
12:51 am on Jun 7, 2010 (gmt 0)

5+ Year Member



Hi incrediBILL,

Thank you for the reply. Could you please give me more details which advertisers may cause those problems. Can I assume those image ads may have virus?
1:10 am on Jun 7, 2010 (gmt 0)



give me more details which advertisers may cause those problems

Click on the ads. When your AV starts screaming at you it'll be a pretty good clue.

j/k - sort of anyway...
1:16 am on Jun 7, 2010 (gmt 0)

WebmasterWorld Administrator incredibill is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month



Could you please give me more details which advertisers may cause those problems.


Not sure as it was a 3rd party ad server that was associated such as "ad.example.com" but it didn't come from Google, that much I'm sure about.

I simply reloaded one of the pages multiple times until something hit the browser, it wasn't happening every time and it was different each time.

The hackers appear to be using a cookie to keep track of what hit the page.

Click on the ads.


No need, it was attempting to open itself.
12:45 pm on Jun 7, 2010 (gmt 0)

10+ Year Member



If you are using an older version of OpenX to serve your various networks this could very well be the cause.
1:02 pm on Jun 7, 2010 (gmt 0)

5+ Year Member



One more piece of information. My web site also uses Google search. Sometimes when I use Google search, it also redirects to a website.
2:21 pm on Jun 7, 2010 (gmt 0)

WebmasterWorld Senior Member lame_wolf is a WebmasterWorld Top Contributor of All Time 5+ Year Member Top Contributors Of The Month



chicagotech, have you scanned your PC for any viri etc ?
2:42 pm on Jun 7, 2010 (gmt 0)

WebmasterWorld Administrator engine is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month Best Post Of The Month



Lame_Wolf, exactly my thinking, too. It could, of course, be a combination of both local and online. Start by checking your own computer.
4:16 pm on Jun 7, 2010 (gmt 0)

WebmasterWorld Administrator incredibill is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month



Guys, I got things popping up from third party networks.

It wasn't his local or I wouldn't have seen it, it wasn't OpenX as he isn't using that.

If I have more time later I'll see if I can't diagnose it but it wasn't Google, that's the only thing I'm sure of.
4:40 pm on Jun 7, 2010 (gmt 0)

5+ Year Member



Yes, I have scanned my computer many times. I have Symantec Endpoint with definition June 6 (I just checked it).
4:43 pm on Jun 7, 2010 (gmt 0)

10+ Year Member



The bright ad network appears to be blocked on my connection, hence I am not seeing any popups or redirects on/from the (assumed) web site.
6:09 pm on Jun 7, 2010 (gmt 0)

WebmasterWorld Administrator incredibill is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month



Load up Firefox and NoScript and then look at the number of scripts running on your site.

You'll find your page(s) load no more than 12 scripts of which I'd rule out doubleclick, googlesyndication, google-analytics and probably msn.

That leaves 8 other ad networks, some 3rd party networks change each time the page loads, and any one of those could be the source.

What's going on is nested ad networks and somewhere along the way it would appear that one of the ad networks is loading ads from an infected 3rd party ad server.

However, today I didn't see anything suspect, maybe I didn't view enough pages to find it, maybe it was already caught?

Hard to say.

However I've seen this garbage before and it's why you should avoid the lower tier ad networks that allow 3rd party ad serving.
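An added example, not part of any post in this thread: one way to repeat the check described above offline. It lists the third-party hosts that script, iframe, embed and object tags load from in several saved copies of the same page, and separates hosts present on every load from hosts that rotate. The page URL and all host names are constructed; save each copy from the browser after the page has rendered, because nested ad networks add their tags at run time.

```python
from collections import Counter
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Tags that can pull in or run remote content, and the attribute holding the URL.
LOADERS = {"script": "src", "iframe": "src", "embed": "src", "object": "data"}


class LoaderHosts(HTMLParser):
    """Collect the hosts that script/iframe/embed/object tags load from."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.hosts = set()

    def handle_starttag(self, tag, attrs):
        attr = LOADERS.get(tag)
        url = dict(attrs).get(attr) if attr else None
        if url:
            # urljoin resolves relative and protocol-relative (//host/x.js) URLs
            host = urlparse(urljoin(self.page_url, url)).hostname
            if host:
                self.hosts.add(host.lower())


def third_party_hosts(html, page_url):
    """Hosts other than the page's own host (or its subdomains)."""
    first_party = urlparse(page_url).hostname
    parser = LoaderHosts(page_url)
    parser.feed(html)
    return {h for h in parser.hosts
            if h != first_party and not h.endswith("." + first_party)}


def compare_loads(snapshots, page_url):
    """Split third-party hosts into (seen on every load, seen only sometimes)."""
    seen = Counter()
    for html in snapshots:
        seen.update(third_party_hosts(html, page_url))
    stable = {h for h, n in seen.items() if n == len(snapshots)}
    return stable, set(seen) - stable


# Constructed sample: three saved copies of one page, not data from the thread.
PAGE = "http://www.publisher.example/index.html"
LOADS = [
    '<script src="/js/site.js"></script><script src="//ads.net-a.example/show.js"></script>',
    '<script src="//ads.net-a.example/show.js"></script><iframe src="http://ad.rotating.example/f"></iframe>',
    '<script src="//ads.net-a.example/show.js"></script><embed src="http://cdn.other.example/b.swf">',
]
STABLE, ROTATING = compare_loads(LOADS, PAGE)
```

Hosts in the rotating set are the ones to match against the time a visitor reported a pop-up or redirect.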
3:13 am on Jun 8, 2010 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Interestingly, yesterday after reading this thread, more out of curiosity than anything I was Googling "Saveloy Recipes".

On the second page in Google Search I hit on a site and for the first time ever, my AV program went "ballistic".

I don't believe it was the site itself, just some advertiser.

Google gave no warning.

FWIW

[EDIT] I don't suggest for one second it was an AdSense ad. Sorry if I inadvertently caused any confusion.
3:37 am on Jun 8, 2010 (gmt 0)

WebmasterWorld Administrator incredibill is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month



Google gave no warning.


That's because Google typically only warns you of directly infected sites.

Infected ad networks are a real beast to catch because the ad network rotates the ads so you may never see where it came from a second time.

If I didn't earn off advertising I'd say this problem is almost a good enough reason to run AdBlock and NoScript to everyone.
3:58 am on Jun 8, 2010 (gmt 0)

5+ Year Member



Today when I opened this page I got a popup. But when I visited it a second time, the popup didn't show up. I may just keep AdSense and Microsoft pubCenter so that we can focus on it.

[edited by: incrediBILL at 4:07 am (utc) on Jun 8, 2010]
[edit reason] removed URL, no specifics please [/edit]

11:54 am on Jun 9, 2010 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



We had this same problem recently. Narrowed it down to TribalFusion. When I contacted them they confirmed one of their ad server IPs was accidentally flagged by AVG. They told me it was fixed with an update and to tell my visitors to update their AVG to fix the problem. Yeah right, like I'm going to try and tell a million visitors "hey if you use AVG please update it so you can use our site".

I told them why not just get a new IP for the ad server in question. They never responded. I removed their ad network about 3 months ago and replaced it with Google image ads.

Funny thing is, G image ads outperformed the old ad network. So we should have tested and replaced the ad network a long time ago.
1:27 pm on Jun 9, 2010 (gmt 0)

WebmasterWorld Senior Member pageoneresults is a WebmasterWorld Top Contributor of All Time 10+ Year Member



I've been seeing this now for quite a few months, ever since I purchased MalwareBytes. I've been sending folks (that I know) messages when I run across Malicious IP Warnings. They tell me they're not worried about it. Problem is, MB won't let me visit the site unless I turn it off - and I'm not doing that. I'd say that 1 out of 25 sites I visit these days on a regular basis has a Malicious IP Warning and it's nice to see a confirmation on where these may be coming from.

Thank you MB!
5:25 pm on Jun 9, 2010 (gmt 0)

5+ Year Member



The problem with malicious IP detection is that many sites are on shared hosting these days--what happens if your host allots you an IP that is (unknown to you) also shared by a site that's been hacked? Your site is now also flagged with a malicious IP warning.
5:58 pm on Jun 9, 2010 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



One other bit to consider is that ads using flash will make your users vulnerable to the Adobe vulnerability discussed in this thread:

Adobe Alerts Of Flash Player and Adobe Reader Vulnerability [webmasterworld.com]


If an advertiser is hacked (or less than honorable), then the door is open to get at the visitors of any website displaying their ads.
7:09 pm on Jun 9, 2010 (gmt 0)

WebmasterWorld Administrator incredibill is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month



what happens if your host allots you an IP that is (unknown to you) also shared by a site that's been hacked?


That's the least of your worries on shared hosting, being hacked is the worst ;)
8:21 pm on Jun 9, 2010 (gmt 0)

5+ Year Member



Malwarebytes Corporation has no phone, no address on the site and probably outsources; don't use them. Maybe they will fix but new problems will come...
6:44 am on Jun 10, 2010 (gmt 0)

5+ Year Member



I started seeing virus impregnated ads back in November and quickly built a quite large list of networks to block in my hosts file.

Malwarebytes Corporation has no phone, no address on the site and probably outsources; don't use them.

Please investigate before you post. I spent some time working on virus cleaning of PCs and Malwarebytes was by far the best program out there.

Sometimes when I use Google search, it also redirects to a website.

Check your hosts file. Your website may have infected you. A good program for checking your hosts file is HostsXpert. You should only have 1 entry in the file which is '127.0.0.1 localhost' unless you have made additions. An IP not 127.0.0.1 will redirect the domain listed to that IP.
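An added example, not part of the post above: the hosts-file check it describes, written as a small audit function. It goes beyond the single-entry case by also accepting `::1` and `0.0.0.0` as local addresses, so deliberate ad-network blocks like the ones the poster mentions are not reported; the sample file and every host name in it are constructed.

```python
import ipaddress


def audit_hosts(text):
    """Return (redirects, malformed) for the contents of a hosts file.

    redirects: (line_no, ip, hostname) where the IP is neither loopback nor
               unspecified, i.e. the name really is sent to another machine.
    malformed: (line_no, raw_line) for lines that do not parse.
    """
    redirects, malformed = [], []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        entry = raw.split("#", 1)[0].strip()  # drop comments
        if not entry:
            continue
        fields = entry.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            malformed.append((line_no, raw))
            continue
        if len(fields) < 2:  # an address with no hostname after it
            malformed.append((line_no, raw))
            continue
        # 127.x.x.x, ::1 and 0.0.0.0 keep traffic on this machine: the
        # localhost entry and manual ad-network blocks look like this.
        if ip.is_loopback or ip.is_unspecified:
            continue
        for name in fields[1:]:
            redirects.append((line_no, str(ip), name.lower()))
    return redirects, malformed


# Constructed sample hosts file; 203.0.113.7 is a documentation address.
SAMPLE = """\
# constructed sample hosts file
127.0.0.1   localhost
::1         localhost
127.0.0.1   ads.blocked-network.example   # manual ad block
0.0.0.0     tracker.example
203.0.113.7 www.search.example search.example
not-an-ip   something.example
"""
REDIRECTS, MALFORMED = audit_hosts(SAMPLE)
```

Any entry in the redirects list that you did not add yourself is worth investigating.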
8:55 pm on Jun 10, 2010 (gmt 0)

5+ Year Member



Wow, now the Malwarebytes Corporation site says, "We are currently looking to open a centralized office location in the San Jose, California area". Nice address, and what more research do I need to do?
HostsXpert? Where is their address? Funkytoad
11:40 pm on Jun 11, 2010 (gmt 0)

10+ Year Member



Malwarebytes has fixed a few PCs for me lately.
3:55 am on Jun 12, 2010 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



but it wasn't Google, that's the only thing I'm sure of.


I wouldn't be so sure. It might not be AdSense, but third party network ads are served from other domains. So you would see something like ad.somedomain.com, not googlesyndication or doubleclick. The ad block frame entirely redirects to a third party domain.

I'm having the same problem:

[webmasterworld.com...]

And I don't show anything other than AdSense (with image ads) and in-house (hardcoded) ads.