X
Tap here to go to the mobile version of the site.
Your Firefox is out of date and may contain a security risk! Upgrade Firefox

Support Forum

Delisted from Google's blacklist, but still has "Reported Attack Page" in Firefox 18.0.1

Posted

A site of mine was delisted from Google's blacklist, but still has "Reported Attack Page" even though I have updated to Firefox 18.0.1. (Refer bug 820283 - https://bugzilla.mozilla.org/show_bug.cgi?id=820283)

Chosen solution

This looks like an issue with the referrer.
It doesn't happen if the referrer is disabled, so it looks that your server is still infected and redirects if it detects a Google referrer.

Forcing the referrer to Google and force a reload already causes the redirect. http://www.google.com.my/url?sa=t&rct=j&q=%22minda%20jaya%20language%20center%22&source=web&cd=1&cad=rja&ved=0CC0QFjAA&url=http%3A%2F%2Fmj.edu.my

You will have to contact the hosting company to look into this.


http://mj.edu.my/

GET / HTTP/1.1
Host: mj.edu.my
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:18.0) Gecko/20100101 Firefox/18.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://www.google.com.my/url?sa=t&rct=j&q=%22minda%20jaya%20language%20center%22&source=web&cd=1&cad=rja&ved=0CC0QFjAA&url=http%3A%2F%2Fmj.edu.my%2F&ei=zYkHUcn7BO-k0AXS1oCwBg&usg=AFQjCNFk9gMFEWhR1Sb6huleXTJlop0lOw
Cookie: fff58b804557285b9ce67d60b784a3d9=fee645cf421d30ecdacd55bb0798e922; s5_qc=6346dc723395e1ee8ef57f4883be4cb4a4xn
Connection: keep-alive

HTTP/1.1 302 Moved Temporarily
Server: Apache
X-Powered-By: PHP/5.2.17
P3p: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Location: http://0001.2waky.com
Content-Length: 0
Keep-Alive: timeout=3, max=10
Connection: Keep-Alive
Content-Type: text/html

http://mj.edu.my/

GET / HTTP/1.1
Host: mj.edu.my
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:18.0) Gecko/20100101 Firefox/18.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: fff58b804557285b9ce67d60b784a3d9=fee645cf421d30ecdacd55bb0798e922; s5_qc=6346dc723395e1ee8ef57f4883be4cb4a4xn
Connection: keep-alive

HTTP/1.1 200 OK
Server: Apache
X-Powered-By: PHP/5.2.17
P3p: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Cache-Control: post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: s5_qc=3416a75f4cea9109507cacd8e2f2aefca4xn
Last-Modified: Tue, 29 Jan 2013 08:37:43 GMT
Keep-Alive: timeout=3, max=10
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html; charset=utf-8
Read this answer in context 0

Additional System Details

Installed Plug-ins

  • Next Generation Java Plug-in 10.11.2 for Mozilla browsers
  • Shockwave Flash 11.5 r502
  • Pando Web Plugin
  • RealPlayer(tm) LiveConnect-Enabled Plug-In
  • RealPlayer Download Plugin
  • Adobe PDF Plug-In For Firefox and Netscape 11.0.01
  • GEPlugin
  • RealNetworks(tm) RealDownloader Chrome Background Extension Plug-In
  • RealNetworks(tm) RealDownloader PepperFlashVideoShim Plug-In
  • RealNetworks(tm) RealDownloader HTML5VideoShim Plug-In
  • RealDownloader Plugin
  • Google Update
  • The QuickTime Plugin allows you to view a wide variety of multimedia content in Web pages. For more information, visit the QuickTime Web site.
  • Google Talk Plugin Video Accelerator version:0.1.44.23
  • Version 3.10.2.10212
  • 5.1.10411.0
  • Unity Player 3.5.0f6
  • DivX Plus Web Player version 2.2.0.52
  • DivX VOD Helper Plug-in
  • mCash Plugin 1.0
  • Office Plugin for Netscape Navigator

Application

  • User Agent: Mozilla/5.0 (Windows NT 6.1; rv:18.0) Gecko/20100101 Firefox/18.0

More Information

Question owner

The site is http://mj.edu.my, if it's important. What can I do about it?

Thanks all in advance.

cor-el
  • Top 10 Contributor
  • Moderator
10738 solutions 96600 answers

Works fine here with Firefox 18.0.1

Try to set the Integer pref urlclassifier.max-complete-age to 0 on the about:config page.

Modified by cor-el

Question owner

Hi cor-el, many thanks for your reply. Still prevalent after trying at my side... let me elaborate more, this does not happen if I directly load the site. It only happens if the site is searched from Google (google.com.my) with keywords "Minda Jaya Language Center".

As mj.edu.my is listed at the top of search, once clicking it redirects to the attack site. Doesn't happen in Chrome and IE, and the site is confirmed safe to browse by Google Diagnostics. Hmmmm.....

cor-el
  • Top 10 Contributor
  • Moderator
10738 solutions 96600 answers

Chosen Solution

This looks like an issue with the referrer.
It doesn't happen if the referrer is disabled, so it looks that your server is still infected and redirects if it detects a Google referrer.

Forcing the referrer to Google and force a reload already causes the redirect. http://www.google.com.my/url?sa=t&rct=j&q=%22minda%20jaya%20language%20center%22&source=web&cd=1&cad=rja&ved=0CC0QFjAA&url=http%3A%2F%2Fmj.edu.my

You will have to contact the hosting company to look into this.


http://mj.edu.my/

GET / HTTP/1.1
Host: mj.edu.my
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:18.0) Gecko/20100101 Firefox/18.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://www.google.com.my/url?sa=t&rct=j&q=%22minda%20jaya%20language%20center%22&source=web&cd=1&cad=rja&ved=0CC0QFjAA&url=http%3A%2F%2Fmj.edu.my%2F&ei=zYkHUcn7BO-k0AXS1oCwBg&usg=AFQjCNFk9gMFEWhR1Sb6huleXTJlop0lOw
Cookie: fff58b804557285b9ce67d60b784a3d9=fee645cf421d30ecdacd55bb0798e922; s5_qc=6346dc723395e1ee8ef57f4883be4cb4a4xn
Connection: keep-alive

HTTP/1.1 302 Moved Temporarily
Server: Apache
X-Powered-By: PHP/5.2.17
P3p: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Location: http://0001.2waky.com
Content-Length: 0
Keep-Alive: timeout=3, max=10
Connection: Keep-Alive
Content-Type: text/html

http://mj.edu.my/

GET / HTTP/1.1
Host: mj.edu.my
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:18.0) Gecko/20100101 Firefox/18.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: fff58b804557285b9ce67d60b784a3d9=fee645cf421d30ecdacd55bb0798e922; s5_qc=6346dc723395e1ee8ef57f4883be4cb4a4xn
Connection: keep-alive

HTTP/1.1 200 OK
Server: Apache
X-Powered-By: PHP/5.2.17
P3p: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Cache-Control: post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: s5_qc=3416a75f4cea9109507cacd8e2f2aefca4xn
Last-Modified: Tue, 29 Jan 2013 08:37:43 GMT
Keep-Alive: timeout=3, max=10
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html; charset=utf-8

Question owner

Many thanks for the information, I will provide updates once I get any response from the hosting team.

cor-el
  • Top 10 Contributor
  • Moderator
10738 solutions 96600 answers

You're welcome.

Question owner

Update: I have managed to find a few more files that were still infected, which has codes that redirects to the attack site if it's a search engine referrer (thanks cor-el). Now the problem no longer exists. Thanks!

cor-el
  • Top 10 Contributor
  • Moderator
10738 solutions 96600 answers

You're welcome