
Malware warning on almost all links including contact form
February 3, 2013 8:30 PM

Just an FYI, anything I click link-wise, although NOT the new-post button, returns this warning in Chrome.

I intended to submit this via the contact form, but I'm wondering if there's not a SQL injection going on or something, and it's too late for me to investigate it.
posted by TomMelee to Bugs at 8:30 PM (62 comments total)

Or, well, anything I click on metafilter...not like...everything on the web.
posted by TomMelee at 8:30 PM on February 3, 2013


I'm not seeing that in Chrome at all - it's probably a good time for you to scan your own system while we see if anyone else is getting this.
posted by restless_nomad (staff) at 8:32 PM on February 3, 2013


Not seeing it here, running Chrome 21.0.1180.90.
posted by Kadin2048 at 8:33 PM on February 3, 2013


Running Chrome 25.0.1364.58 beta-m and I am not seeing anything.
posted by KokuRyu at 8:44 PM on February 3, 2013


Here are some reports from other folks with the same error on other mainstream sites.
posted by Drinky Die at 8:45 PM on February 3, 2013


I'm getting it too on Chrome 24.0.1312.57 on MacOS 10.6.8 when I go to the search results page.

The domain it complains about is www.qcksrv.com.
posted by ShooBoo at 8:48 PM on February 3, 2013


And a report from a user being redirected to qcksrv.com when trying to use their bank site.
posted by Drinky Die at 8:49 PM on February 3, 2013


No, no SQL injection happening. Everything is checking out ok on this end.

You might try disabling your browser add-ons and then enabling them one by one. It could be a problem with an extension, or yeah, potentially some malware on your system somewhere injecting that into the page.
posted by pb (staff) at 8:49 PM on February 3, 2013


I'm not seeing it on Chrome 24.0.1312.52 on Win7 either.
posted by Blue Jello Elf at 10:09 PM on February 3, 2013


We received an email from someone else seeing it on Mefi, but this is happening all over at different sites, for some people. Someone on the Google Chrome forum is vewy upset they can't get to breitbart news, fer example:

So I recently got a malware site warning that requires me to jump through several hoops in order to see a site I KNOW for a fact is safe. I understand that you are a bunch of ballwashing leftist morons, why do you think my Google+ account goes unused? I can see how Breitbart News( www.breitbart.com )makes you uncomfortable, but guess what? This ISN'T China, or The Soviet Union, or North Korea and your lame attempt at censorship has not gone un-noticed...

I'm on Chrome, fwiw, but not getting this, either.
posted by taz (staff) at 10:13 PM on February 3, 2013 [17 favorites]


A malware report from Google doesn't show any problems.
posted by Pronoiac at 10:14 PM on February 3, 2013


Breitbart Dude needs to use a nice capitalist browser like IE and dump commie-leftist Chrome. I guess the ballwashing feature is pretty hard to give up though.
posted by Drinky Die at 10:15 PM on February 3, 2013 [9 favorites]


Oh: copying and pasting links into a new tab might work, when clicking on the link doesn't. Or vice versa.
posted by Pronoiac at 10:16 PM on February 3, 2013


Breitbart gives me malware warnings in both Chrome (24.0.1312.57 m) and Firefox, but no warnings on any MeFi related sites.
posted by Confess, Fletch at 10:31 PM on February 3, 2013


Not sure about your technical skill level, so initial steps towards diagnosis: try another browser first. If you have the same problem with FF or Safari or IE, you've got an OS-level malware thing going on. If it's only Chrome, then the malware is Chrome-only.

Grab a copy of Spybot or the equivalent. That may be enough to identify and possibly fix the problem.
posted by stavrosthewonderchicken at 10:41 PM on February 3, 2013


I've run Spybot and nothing has shown up on my computer (where it is happening on various sites). Given that this is showing up all over the place (it even showed up going into this thread) either somebody's got a hell of a day-0 exploit going, or something has been incorrectly blacklisted on Chrome.
posted by solarion at 10:50 PM on February 3, 2013


Also on Chrome; also no issues.
posted by LionIndex at 10:55 PM on February 3, 2013


We received an email from someone else seeing it on Mefi

*Raises hand* Yea, that was me. I got the normal thorough/helpful/damn near instantaneous mod response to my email blast, thanks for that as always. Best five bucks I've ever spent.

Yea, I'm open to helping y'all troubleshoot if there's interest but I figure it's Google and/or Chrome (the former being the company, the latter being my browser/install/instance/machine) in the wrong here.

FWIW, I run the following security related Chrome extensions when I'm not using Firefox, which I'm slowly transitioning away from: WOT, Adblock Plus (sorry mathowie), and FlashBlock. The innocuous ones are Decreased Productivity and Send to Instapaper.
posted by RolandOfEld at 11:13 PM on February 3, 2013


fwiw, the domain is hosting an OpenX ad server, and the one Google result I can find in this domain has an OpenX server path.

OpenX is a popular malware target because you get as many sites as OpenX is serving ads to for the price of one compromise; and OpenX is free to download and use, so there are plenty of neglected, unpatched installations out there.

Having endured an OpenX compromise a few years ago, I can attest to just how much havoc this can wreak with any sites that had any link to the infected domain, even if they didn't serve any malware. And Google's been sort of hairtrigger lately, see what happened to all of iSocket's customers a few weeks ago.

It wouldn't be a huge surprise if this domain was blacklisted after being compromised, and that the problem is a bit further up the chain with Chrome (or rather, Google's anti-malware backend) incorrectly identifying which sites are truly associated with this domain.
posted by mph at 11:20 PM on February 3, 2013 [1 favorite]


Probably the Chinese messing with you again.
posted by unliteral at 3:38 AM on February 4, 2013


Noticed this yesterday on the +1's computer (Windows, Chrome) but assumed it had something to do with the wireless we were using at a B&B at the time.
posted by sciencegeek at 3:46 AM on February 4, 2013


Not getting it on MeFi in Chromium, but am getting it on all sorts of other sites that are reputable and have always been fine. Seems like an issue with Google's blacklisting more than anything else.
posted by Dysk at 4:23 AM on February 4, 2013


I just got it on the latimes.com site while using Chrome 24.0.1312.57 m and I could open the site just fine in IE. (sigh)

I'm really curious to know what's going on with the blacklist.
posted by kimberussell at 4:40 AM on February 4, 2013


So I recently got a malware site warning that requires me to jump through several hoops in order to see a site I KNOW for a fact is safe. I understand that you are a bunch of ballwashing leftist morons, why do you think my Google+ account goes unused? I can see how Breitbart News( www.breitbart.com )makes you uncomfortable, but guess what? This ISN'T China, or The Soviet Union, or North Korea and your lame attempt at censorship has not gone un-noticed...


Oh God this is amazing I can't breathe.

(New FOSS project - a web browser containing only lines of code written by members of the Tea Party. The constant crashes and malware infestations may slow their mobilization, but the benefits in freedom from gummint surveillance and ideological impurity surely justify a little pain.

Don't retreat - restart!)
posted by running order squabble fest at 4:52 AM on February 4, 2013 [3 favorites]


I had this on a completely innocuous site the other day -- Safari and Google both blacklisted Mackie's website, but Google also reported it had been malware free for 90 days.
posted by unSane at 5:11 AM on February 4, 2013


guys just click through to that qcksrv site it's fine nothing to worry about everything is so much clearer now join us join us join us join us join us join us join us join us join us join us join us join us join us join us join us jo
posted by EndsOfInvention at 5:16 AM on February 4, 2013 [5 favorites]


I've been getting a few chrome malware alerts this morning around the otherwise-safeish internet. Chrome complains about content from cmi.netseer.com inside of a few pages I've been to, including the infamous weather.com
posted by Phredward at 6:08 AM on February 4, 2013


MetaFilter: a bunch of ballwashing leftist morons
posted by Rock Steady at 6:08 AM on February 4, 2013


only lines of code written by members of the Tea Party

OMG, TeaSource! Eeeeeeeeeee (inhale) eeeeeeeeeeee!!!

...OK, OK, OK, I'm alright. I'm OK.

Right. Now then, how do we get this thing started? GitHub is obviously communist, so that's not going to work, and hell if my server is going to host it, but c'mon, this is so obviously brilliant it's going to kill me.

Partway through, we roll out a new feature that lets members flag code sections for impurity, followed by the feature that lets members flag other members for impurity, followed by a feature that requires a vote before anything can be committed but only those with sufficient purity scores can vote.

(giggles like a child)
posted by aramaic at 6:08 AM on February 4, 2013 [2 favorites]


Oh man, I had some little fragment of a dream this morning where there was a malware error on like a CSI computer but I knew it was a weird problem so I was like "no, it's bullshit, just keep doing [whatever, probably building a GUI in Visual Basic to track the killer's IP address]".

I think that's the dream that my cat vomiting on the bedroom floor woke me up from.
posted by cortex (staff) at 7:15 AM on February 4, 2013 [2 favorites]


Breitbart Guy: "bunch of ballwashing leftist morons"

So, he prefers his balls to remain unwashed?





Ewwwwwwwwwww.
posted by notsnot at 7:24 AM on February 4, 2013 [2 favorites]


Possibly ball-washing is part of the international Communist conspiracy to sap and impurify all our precious bodily fluids.
posted by running order squabble fest at 7:48 AM on February 4, 2013


EndsOfInvention: "guys just click through to that qcksrv site it's fine nothing to worry about everything is so much clearer now join us"

"what should we do once we browse to qcksrc dot com?"

"just click around with your anti-virus disabled"
posted by boo_radley at 8:08 AM on February 4, 2013


Breitbart Dude needs to use a nice capitalist browser like IE and dump commie-leftist Chrome. I guess the ballwashing feature is pretty hard to give up though.

Breitbart Dude actually needs the extensions if you catch my drift.
posted by BrotherCaine at 8:12 AM on February 4, 2013


And now I just had a malware warning on the Discover magazine site. I'm guessing Chrome is on a hair trigger today.
posted by BrotherCaine at 8:13 AM on February 4, 2013


Breitbart Dude needs to use a nice capitalist browser like IE and dump commie-leftist Chrome. Xanax.

FTFY
posted by Kid Charlemagne at 8:18 AM on February 4, 2013 [1 favorite]


So, he prefers his balls to remain unwashed?

How else can you get out fromunder?
posted by srboisvert at 8:32 AM on February 4, 2013


Thanks. I am (among other things) a PC technician, it's not me. :)

Glad all is well.
posted by TomMelee at 8:35 AM on February 4, 2013


This appears to be a Chrome thing not a Metafilter thing.
posted by 2bucksplus at 8:41 AM on February 4, 2013


Malware warning citing Netseer blocks Google Chrome users from media websites
SAN JOSE -- Malware warnings were halting Internet users from visiting popular sites across the Internet on Monday morning, including the Mercury News, after a Silicon Valley advertising company had its website hacked. The company said Monday that according to Twitter users, sites such as The New York Times, The Huffington Post, Los Angeles Times, Washington Post and many others were being blocked by Google's (GOOG) Chrome browser with warnings about possible malware emanating from Netseer.

"Content from cm.netseer.com, a known malware distributor, has been inserted into this web page. Visiting this page now is very likely to infect your computer with malware," a Chrome message said Monday morning when a user attempted to visit www.mercurynews.com.
So it looks like one of the big ad networks got tricked into deploying some malware. Might have been doubleclick.
posted by jenkinsEar at 9:39 AM on February 4, 2013 [2 favorites]


Ballwashing? Is this... a thing people (gibbering right wingers) say as some kind of insult, or is it just one man's frothing neologism?

Also, Chrome in OSX here not seeing any unusual warnings at all.
posted by cmoj at 10:13 AM on February 4, 2013


Good find jenkinsEar. I figured it was either some sort of DNS attack or someone else's vulnerability. Thanks.
posted by TomMelee at 10:23 AM on February 4, 2013


So just to confirm, it wasn't a false positive on the part of Chrome, it was a legitimate flag but was inconsistent as the malware payload wasn't on Metafilter's site or pages, but on a 3rd-party CDS or ad server and only appeared to some users?

Or was Metafilter's CDS / ad content never an issue and Chrome just flagged the domain?
posted by Kadin2048 at 10:35 AM on February 4, 2013


This security vulnerability has been listed in the Common Vulnerabilities and Exposures list as the Netseer/Google Chrome Leftist Ballwashing Attack.
posted by It's Raining Florence Henderson at 10:38 AM on February 4, 2013 [3 favorites]


Or was Metafilter's CDS / ad content never an issue and Chrome just flagged the domain?

That's a great question for Google. I'm not sure we have enough information to answer that question.

According to some reports, people got the malware warning on visiting the contact form. The contact form pages have no ads on them at any time.
posted by pb (staff) at 10:42 AM on February 4, 2013
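
An added example, not part of the thread or of any site's own code: one way to tell the two cases discussed here apart is to compare the HTML the server sent (for instance a view-source copy) with the DOM the browser actually rendered, and see which flagged hosts appear only on the client. The `FLAGGED` set stands in for the browser's blocklist and the sample pages are constructed; both are assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Element -> attribute that makes the browser fetch a resource.
FETCH_ATTRS = {"script": "src", "iframe": "src", "img": "src",
               "embed": "src", "object": "data", "link": "href"}

# Stand-in for the browser's blocklist (assumption): domains named in the thread.
FLAGGED = {"qcksrv.com", "netseer.com"}


class HostCollector(HTMLParser):
    """Collect the hostnames a page would load resources from."""

    def __init__(self):
        super().__init__()
        self.hosts = set()

    def handle_starttag(self, tag, attrs):
        wanted = FETCH_ATTRS.get(tag)
        for name, value in attrs:
            if name == wanted and value:
                host = urlparse(value).hostname  # None for same-site relative URLs
                if host:
                    self.hosts.add(host.lower())


def resource_hosts(html):
    collector = HostCollector()
    collector.feed(html)
    collector.close()
    return collector.hosts


def is_flagged(host, flagged=FLAGGED):
    # A blocklisted domain covers its subdomains (cm.netseer.com -> netseer.com).
    return any(host == d or host.endswith("." + d) for d in flagged)


def diagnose(served_html, rendered_html, flagged=FLAGGED):
    """Split flagged hosts into those the site sent and those added on the client."""
    served = resource_hosts(served_html)
    injected = resource_hosts(rendered_html) - served
    return {
        "sent_by_site": sorted(h for h in served if is_flagged(h, flagged)),
        "injected_locally": sorted(h for h in injected if is_flagged(h, flagged)),
    }


# Constructed sample pages, not real markup from any site.
CONTACT_SERVED = '<html><script src="/js/site.js"></script><form></form></html>'
CONTACT_RENDERED = CONTACT_SERVED.replace(
    "</html>", '<script src="//www.qcksrv.com/a.js"></script></html>')
NEWS_SERVED = '<html><script src="http://cm.netseer.com/tag.js"></script></html>'

if __name__ == "__main__":
    print(diagnose(CONTACT_SERVED, CONTACT_RENDERED))  # extension/malware case
    print(diagnose(NEWS_SERVED, NEWS_SERVED))           # third-party ad tag case
```

A flagged host under `injected_locally` on a page that serves no third-party content points at an extension or local malware; one under `sent_by_site` points at an ad or CDN tag the site itself includes.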


I just love how a bug report thread has turned into ball washing and Tea Party hijinks. You are my people.
posted by arcticseal at 10:44 AM on February 4, 2013 [1 favorite]


I didn't understand what they meant by ballwashing either. Here's Urban Dictionary's take:
giving someone excessive flattery. Recently popularized by the Petros and Money show on Fox Sports Radio.

John Madden has been ball-washing Brett Favre for years.
posted by benito.strauss at 10:54 AM on February 4, 2013 [1 favorite]


According to the netseer report, the ad network 'infected' was netseer. They claim their corporate site was hacked and infected but not any of their ad serving servers. Google's virus scanners detected the malware on their corporate site and blacklisted the entire domain. Again, the company's claim is that their ad servers were not affected so the warning can theoretically be ignored.

It seems OP's original report cites a different domain. Googling seems to indicate a lot of people are finding it associated with various browser extensions. Those experiencing the issue might start disabling extensions one by one and seeing if that resolves the problem.

I just want to note that ballwashing does not seem to be an effective remedy.
posted by rocketpup at 11:00 AM on February 4, 2013


Clean balls are a mitigation, not a workaround.
posted by It's Raining Florence Henderson at 11:05 AM on February 4, 2013


So including my balls in my daily washing routine is what makes me a pinko commie. Why didn't I realize that before?

It's so obvious now!
posted by double block and bleed at 11:32 AM on February 4, 2013 [1 favorite]


It depends on what you're doing with that pinkie...
posted by aramaic at 11:44 AM on February 4, 2013 [1 favorite]


I downloaded some Flash-disably thing recently and my malware stuff quarantined it. I got rid of it with AppCleaner without even bothering to install it. I'm wondering if it is FlashBlock plus the netseer factor that makes it all go waheenie shaped on Metafilter for some folks?

I'm running MacOS 10.6.8 and Chrome 24.0.1312, and I have no issues at all on Mefi, FWIW.
posted by misha at 11:58 AM on February 4, 2013


I didn't understand what they meant by ballwashing either.

Routine right-wing gay-baiting.

As of now, the NetSeer malware warning has been fixed, the company reports. It remains unclear if there is a connection to the qcksrv.com issue, but affected users here may want to check in about that.
posted by dhartung at 12:06 PM on February 4, 2013


I got that message at work this morning trying to access the obituary sites.
posted by St. Alia of the Bunnies at 1:47 PM on February 4, 2013


Every time you guys say "ballwashing" I just picture that fixture on the golf course, where you insert your balls and pump and pump and I guess what I'm saying is I think that would hurt a lot because those brushes looked rough.
posted by maryr at 3:55 PM on February 4, 2013 [2 favorites]


Think more like Jesus in The Big Lebowski.
posted by stebulus at 5:49 PM on February 4, 2013


I think that would hurt a lot because those brushes looked rough
It does and they are. Um, so I've heard.
posted by dg at 7:33 PM on February 4, 2013 [2 favorites]


I'm running Chrome 547.5.6 with full temporal-filters turned on, and I'm seeing things you wouldn't believe!
posted by blue_beetle at 8:08 AM on February 5, 2013 [2 favorites]


Liveblogs on fire off the shoulder of The Onion?
posted by cortex (staff) at 9:51 AM on February 5, 2013 [3 favorites]


Livestream and Twitter in the Starbucks near the house of sir Gates.
posted by It's Raining Florence Henderson at 10:23 AM on February 5, 2013 [1 favorite]


> I just love how a bug report thread has turned into ball washing and Tea Party hijinks. You are my people.

Plus something to link fondly back to next time there's a "Metafilter is full of leftist meanies" "No it isn't, it's all in your mind" roundy-round.
posted by jfuller at 1:00 PM on February 5, 2013


All those Geocities will be lost in time... like tweets in rain... Time to flame out.
posted by EndsOfInvention at 8:53 AM on February 6, 2013 [4 favorites]

