JackYan
Level 8
Message 1 of 20

Red in the add-on bar, but green on the SiteAdvisor page

Hi everyone:

The above sums it up. McAfee SiteAdvisor shows our site (lucire.com) to be a “red” one in the Add-on bar in Firefox, but when I click through, it reports that we are clean (https://www.siteadvisor.com/sites/http://lucire.com). Every link to our site in search results, Facebook, etc. also has a red X next to it.

Background: hackers did get in to our ad server on April 6. We fixed this immediately. Hence, the ad server (ads.jyanet.com) is reported as a green site (rightly). We never had any malware, though for a few hours on the 6th the hack tried to link our site to one that hosted malware. I should note that the hackers used what appeared to be Google Adsense code.

Why McAfee is showing lucire.com as red, I do not know. StopBadware.org and Sucuri all show us to be clean, and Google eventually put things right last week, too.

Regards,

Jack

19 Replies
JackYan
Level 8
Message 2 of 20

Re: Red in the add-on bar, but green on the SiteAdvisor page

Note the bottom of the window:
Red link at McAfee.png

And now note the SiteAdvisor page:

McAfee says Lucire is clean.png

Reliable Contributor Hayton
Reliable Contributor
Message 3 of 20

Re: Red in the add-on bar, but green on the SiteAdvisor page

Probably there's a delay in setting or re-setting the site rating across the multiple servers SiteAdvisor uses. I'll investigate a bit later.

Reliable Contributor exbrit
Reliable Contributor
Message 4 of 20

Re: Red in the add-on bar, but green on the SiteAdvisor page

I've just spotted a red icon on a site that hasn't even been assessed yet, so I think maybe the servers are acting up.

JackYan
Level 8
Message 5 of 20

Re: Red in the add-on bar, but green on the SiteAdvisor page

Hayton and Peter, thank you both. Hope it can get sorted soon (the red is still there). Interestingly, McAfee gave us green until Thursday or Friday, even though we were clean by then. It was only last Saturday (the 6th) that we had the hack.

Reliable Contributor Hayton
Reliable Contributor
Message 6 of 20

Re: Red in the add-on bar, but green on the SiteAdvisor page

I see SiteAdvisor gives your site a Green rating, and all the links to it that SiteAdvisor knows about are also Green.

TrustedSource also shows the site and its links are Green.

When I visited the site there was a black banner at the top of the webpage notifying that some external (third-party) content had been blocked. Sure enough, on the right-hand side about half-way down there was a shaded box with a do-not-enter symbol.

The Alt text for this box reads as follows (I have highlighted the important parts of the message)

URL http://ads.creafi-online-media.com/st?ad_type=iframe&ad_size=300x250&section=1951182 is blocked

iframes are inherently suspect from a security point of view because they permit malware to be inserted dynamically into a web page. I doubt that the iframe itself is the reason for the block, though. NoScript in Firefox blocks this iframe and also another one some way above it (along with an extensive list of third-party content). I haven't found any reason for creafi-online-media to be singled out for blocking by SiteAdvisor, so it must be that the content of the iframe was analysed and decided to be suspect, and so was blocked.

That is not the only place I see this problem on the site, but in all cases it appears to be content from creafi-online-media that is being blocked. It's difficult to see exactly what the blocked content is, because I have AdBlock and DoNotTrackMe running, and my security settings are restrictive. I can see 8 or 9 advertising companies on various webpages which are blocked from tracking me on your site. On some pages the blocked content is invisible - it is not allowed to display at all.

Nevertheless it seems likely that the blocked iframe is attempting to deliver a Flash advertisement, and SiteAdvisor believes the content of this iframe to be unsafe. Until you can get that Flash advertisement declared safe (and find out where exactly it comes from), perhaps you should just temporarily remove the link from your webpages.

You might also want to correct something on your site that is causing a couple of security warnings when Sucuri scans it -

http://sitecheck.sucuri.net/scanner/?scan=lucire.com
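
An added example, not part of the original post: one way for a site owner to inventory the active third-party content (iframes, scripts, plugins) a page pulls in, which is the kind of content the post above identifies as being blocked. The sample page is constructed; only the creafi iframe URL comes from the thread, and treating jyanet.com as first-party (the poster's own ad server) and the host cdn.example.net are assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tags that pull active content into the page.
ACTIVE_TAGS = {"iframe", "script", "embed", "object"}

class ThirdPartyAudit(HTMLParser):
    """Collect active content served from hosts outside the first-party domains."""

    def __init__(self, page_url, first_party):
        super().__init__()
        self.page_url = page_url
        self.first_party = tuple(d.lower() for d in first_party)
        self.findings = []  # (tag, host, absolute_url)

    def _is_first_party(self, host):
        # Exact match or a subdomain; "evil-lucire.com" must not match "lucire.com".
        return any(host == d or host.endswith("." + d) for d in self.first_party)

    def handle_starttag(self, tag, attrs):
        if tag not in ACTIVE_TAGS:
            return
        src = dict(attrs).get("data" if tag == "object" else "src")
        if not src:
            return
        # Resolve relative and protocol-relative (//host/...) references.
        url = urljoin(self.page_url, src.strip())
        host = (urlsplit(url).hostname or "").lower()
        if host and not self._is_first_party(host):
            self.findings.append((tag, host, url))

def audit(html, page_url, first_party):
    parser = ThirdPartyAudit(page_url, first_party)
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample page; only the creafi iframe URL is taken from the thread.
SAMPLE = """
<script src="/js/site.js"></script>
<iframe src="http://ads.jyanet.com/banner?zone=1"></iframe>
<iframe src="http://ads.creafi-online-media.com/st?ad_type=iframe&amp;ad_size=300x250&amp;section=1951182"></iframe>
<script src="//cdn.example.net/widget.js"></script>
"""

if __name__ == "__main__":
    for tag, host, url in audit(SAMPLE, "http://lucire.com/", ["lucire.com", "jyanet.com"]):
        print(f"{tag:7} {host:30} {url}")
```

This only sees markup present in the HTML it is given; frames or scripts injected at runtime by an ad tag need a browser-side check to enumerate.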

JackYan
Level 8
Message 7 of 20

Re: Red in the add-on bar, but green on the SiteAdvisor page

Hi Hayton: thank you. That’s a really good clue—in the past, we’ve noticed SiteAdvisor block the odd Doubleclick one, but not Creafi. They all display for me but it’s likely it’s a geo-targeted ad that has been deemed dodgy. I can mention it to the guys there and see if we can get that sorted, or remove them as you say.

Do you think that would cause the red warning in my browser though? I’m still seeing it in my browser but if I click through, everything is green.

Those two pages that Sucuri deems unsafe do not exist (I have just checked), so I am not sure what it’s referring to. I’ll have our web dev check through them.

Reliable Contributor Hayton
Reliable Contributor
Message 8 of 20

Re: Red in the add-on bar, but green on the SiteAdvisor page

On a Google search for your site some of the results were flagged Red, while most are Green.

I called up half a dozen of the Red pages and looked to see what was being blocked. In all cases the Red rating is caused by that one advertisement from creafi-online-media. If you take that out, I would expect your site to show Green in all Google searches.

SiteAdvisor and TrustedSource give your site a Green rating on their site pages because what's being flagged is dynamic content - and also external content - and the block is being done as the page is scanned during download. I assume that the Red flags in Google searches are the result of feedback to Google from SiteAdvisor when the content is first flagged.

If you override a SiteAdvisor blocking page and decide to go to a webpage that SiteAdvisor is warning you about, SiteAdvisor will add that webpage to a whitelist, so you won't get blocked again. The SiteAdvisor icon in the browser will still show Red (or Yellow) though.

***

fwiw -

As an experiment I called up one of the Red-flagged pages in Chrome (without SiteAdvisor) and disabled a number of blocking filters in order to get this advertisement to display. It didn't look like a Flash advertisement, just an image (with Creafi's name and some other text overlaid).

I then right-clicked on it to inspect its make-up and see what was so special about it.

Google Chrome crashed immediately.

I think that says something, but I'm not sure what.

Aw Snap - Lucire page.JPG

Message was edited by: Hayton on 15/04/13 02:27:26 IST
JackYan
Level 8
Message 9 of 20

Re: Red in the add-on bar, but green on the SiteAdvisor page

Wow. Hayton, this is going above and beyond. Thank you—this is fantastic. I’ll remove as many of the Creafi ads as I can, so that’ll be step one. I haven’t got in touch with the Creafi guys yet but I’m going to refer them to this page. In the meantime, I’ll do as you advised for the pages I’m seeing as red-flagged here.

Reliable Contributor Hayton
Reliable Contributor
Message 10 of 20

Re: Red in the add-on bar, but green on the SiteAdvisor page

I submitted the URL of this advertisement to JSUNPACK for analysis. The result returned was "Benign". That doesn't prove there's nothing suspect about this advertisement, but it does at least provide some more information. JSUNPACK have another report on one of their advertisements, if you care to look for it.

See http://jsunpack.jeek.org/?report=96077e398ffb2404889db8fc2e0b47e1e5ffc9e9

See also

http://support.clean-mx.de/clean-mx/viruses.php?sort=firstseen%20desc&domain=ads.creafi-online-media...

I find references to Creafi-online-media in quite a number of malware incident reports (ThreatExpert reports, discussions on Ubuntu forums and many other places). They always seem to be tangentially involved rather than prime culprits, but their name occurs rather too often. Perhaps their server security isn't as good as it should be.

Message was edited by: Hayton on 15/04/13 04:07:54 IST