Social Print Experiment?

gordo

Well-known member
I went to visit the Social Print website today - they don't seem to be doing very well - and got the following Google warning:
"Safe Browsing
Diagnostic page for socialprintexperiment.com
What is the current listing status for socialprintexperiment.com?
Site is listed as suspicious - visiting this web site may harm your computer."

"What happened when Google visited this site?
Of the 2 pages we tested on the site over the past 90 days, 2 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2010-09-14, and the last time suspicious content was found on this site was on 2010-09-14."

This is not sounding good. There doesn't seem to be a way of contacting those folks without going to their website. Anyone know what's going on?

thx, gordon p
 
They may have been hacked, XSS is still a major issue for web sites run by the inexperienced. I seem to remember they had a method for leaving comments, which makes them a prime XSS hack candidate if they haven't coded to prevent this.

If someone on the forum knows them, they should let them know about this asap.

XSS hacks can be really nasty, so don't go to this site until it's fixed.
 
It appears to be a WordPress exploit using an invisible frame whose site goes back to Russia. If you've got a content filter on your network then you can block crazymasya )dot( com , inlovebot )dot( com , truevds.com or better yet 94.127.69.168 entirely.

It's odd that Chrome and Firefox report the site as containing malware but IE8 does not.
 
It's odd that Chrome and Firefox report the site as containing malware but IE8 does not.

Maybe because IE8 is a Microsoft product? :) (sorry, couldn't resist)

Maybe someone in the San Diego area could let them know. I tried going through their Facebook, LinkedIn, and Twitter pages to let them know...but there was no possibility of sending them a message through any of those means. A lesson perhaps? If you use social media you should make sure that people have a way to contact you.

best, gordon p
 
Thanks for the heads up!

I've been out sick for two days, and now spending time with Rackspace to clear this hacker out of here. This would be the second time this year we've had issues with our entire server being hit (19 sites).

Should be up soon, pending Google's approval that it's cleared up.

Thanks,
Andrew
Social Print Experiment
[email protected]
 
FYI, several legit sites have had the same experience worldwide since Tuesday. Google has changed some criteria by which their "analytics" consider a page/site to be a security issue.

More information on the subject is starting to pop up today on numerous sites... so I guess a solution will soon be identified.

Hope this helps,

Ray Duval
Ultimate Technographics

P.S. Since the famous Google/YouTube attack last July, Google has increased parameters in which sites using/displaying certain links to YouTube videos (from their Website) might be flagged to contain potentially harmful elements. The Google Webmaster tools provide more details on this.
 
@ray - That's all true. But there is still the invisible iframe that goes back to a Russian controlled server known to infect computers. Not sure how much WordPress magic might need to be worked to clean that up or if it's the server itself.

TraceRoute to 94.127.69.168 [crazymasya.com]
Hop (ms) (ms) (ms) IP Address Host name
1 50 74 88 72.249.0.65 -
2 69 65 47 206.123.64.81 -
3 95 69 60 4.69.145.115 ae-72-70.ebr2.dallas1.level3.net
4 24 57 47 4.69.137.122 ae-3-3.ebr2.newyork1.level3.net
5 65 71 54 4.69.137.122 ae-3-3.ebr2.newyork1.level3.net
6 96 109 54 4.69.134.65 ae-61-61.ebr1.newyork1.level3.net
7 99 187 157 4.69.137.65 ae-41-41.ebr2.london1.level3.net
8 136 144 Timed out 4.69.139.105 ae-2-52.edge3.london1.level3.net
9 254 228 269 212.113.15.178 unknown.level3.net
10 220 248 275 217.106.0.106 spb-dsr0-ae0-0.rt-comm.ru
11 259 186 182 195.161.158.22 -
12 261 220 260 85.235.198.42 85.235.198.42.ptspb.ru
13 203 201 214 85.235.198.42 85.235.198.42.ptspb.ru
14 219 257 243 94.127.64.201 -
15 243 229 283 94.127.65.33 -
16 212 229 235 94.127.69.168 s094127069168.m.truevds.ru
Trace complete

For any website you visit with IE8, if you go under the View menu you can choose "Webpage Privacy Policy" and you can see all the connections on that site. You can tell that printplanet.com has a lot of connections hosted by Amazon's CloudFront service. Which makes me wonder if slicehost.com (where printplanet.com appears to be hosted) is actually using Amazon's servers.

What does it all mean? There are a lot of connections that websites make that we don't always recognize as having happened. And most of the connections on socialprintexperiment.com seem harmless. Except for the one causing all the problems. But... It is possible to block the one bad address and still surf the site depending on how you are set up. It may or may not be safe, you'll have to decide for yourself, to do it that way though. After I blocked the .ru IP address the page works fine and I can't find any hint of malware on my computer. But I am finding blocked data on my content filter.

Content filters/proxy servers/firewalls aren't just for enterprises or paranoid bosses. They're good business for any business (or home).
 