
Liberal In Texas

(15,745 posts)
Sat Dec 21, 2024, 07:46 PM Dec 2024

Malwarebytes does not like some of the posts I click on!

Website blocked due to compromised
Most recently: https://www.democraticunderground.com/100219841342

Any idea why this is happening?
Malwarebytes does not like some of the posts I click on! (Original Post) Liberal In Texas Dec 2024 OP
I posted that OP and there are a number of replies. There's a Ron Filipkowski tweet in my OP and highplainsdem Dec 2024 #1
That doesn't tell me why I'm getting this alert from Malwarebytes. Liberal In Texas Dec 2024 #3
Do you remember if the other times were my threads? Here are a few more to check: highplainsdem Dec 2024 #5
Nothing comes up on those. Liberal In Texas Dec 2024 #8
I get this message also and it is always in a thread where sheshe2 brer cat Dec 2024 #7
And Sheshe2 replied on that most recent post. Liberal In Texas Dec 2024 #9
I'm pretty confident that is right. We are both on MIRT this term, brer cat Dec 2024 #10
And it has nearly 600 views, over a dozen replies and more than 20 recs from other DUers. highplainsdem Dec 2024 #2
Starting to wonder if some web security companies just want to limit our access to certain types of information. Attilatheblond Dec 2024 #4
In this case, it is something much more benign. eggplant Dec 2024 #29
I get that frequently. There is always a post by sheshe2 brer cat Dec 2024 #6
The folks replying in this thread have made a decent guess, but I'm not sure it's correct EarlG Dec 2024 #11
Thank you for looking into this. Liberal In Texas Dec 2024 #12
Is it the exact same message? EarlG Dec 2024 #13
MalwareBytes won't let me copy and paste...so it took me awhile... Liberal In Texas Dec 2024 #14
I'm somewhat baffled EarlG Dec 2024 #15
I was on the one in the OP. Liberal In Texas Dec 2024 #19
Gloriafeldt.com is same domain as the pic from sheshe2's sig line sl8 Dec 2024 #16
I just got it again when I came back to THIS post. Liberal In Texas Dec 2024 #17
I think that's the answer then EarlG Dec 2024 #22
You are correct, this is what I get with gloriafeldt.com... Liberal In Texas Dec 2024 #25
I'll delete the sig pic from my post. sl8 Dec 2024 #24
I stopped seeing it on this post. Liberal In Texas Dec 2024 #26
OK, I tried opening the sig pic in a new tab... Liberal In Texas Dec 2024 #18
Interesting. sl8 Dec 2024 #21
Are you sure that ip is only associated with a VPN? sl8 Dec 2024 #20
Yeah I think you're right EarlG Dec 2024 #23
Thanks folks for all the input on this. Liberal In Texas Dec 2024 #27
Some further research eggplant Dec 2024 #28

highplainsdem

(58,751 posts)
1. I posted that OP and there are a number of replies. There's a Ron Filipkowski tweet in my OP and
Sat Dec 21, 2024, 07:53 PM
Dec 2024

a YouTube video from Sky News Australia in one of the replies, but no other links.

Liberal In Texas

(15,745 posts)
3. That doesn't tell me why I'm getting this alert from Malwarebytes.
Sat Dec 21, 2024, 08:00 PM
Dec 2024

This isn't the only time it's happened. I was just wondering if the admin knew of why it might be.

Liberal In Texas

(15,745 posts)
8. Nothing comes up on those.
Sat Dec 21, 2024, 10:29 PM
Dec 2024

I don't remember the others I've seen. I was pretty much ignoring it as it was only now and then and didn't seem to be doing any damage, but this time I thought I probably should ask someone who knows how the nuts and bolts of the site work.
I suspect it might not be your OP but one of the replies.

brer cat

(27,178 posts)
7. I get this message also and it is always in a thread where sheshe2
Sat Dec 21, 2024, 09:21 PM
Dec 2024

has posted. I think the gif in her sig line is the problem.

brer cat

(27,178 posts)
10. I'm pretty confident that is right. We are both on MIRT this term,
Sat Dec 21, 2024, 11:08 PM
Dec 2024

and that is where it started happening. It was easy for me to look for the common posts since there are way fewer people on MIRT than on the whole forum.

Attilatheblond

(7,559 posts)
4. Starting to wonder if some web security companies just want to limit our access to certain types of information.
Sat Dec 21, 2024, 08:01 PM
Dec 2024

I get an occasional 'warning' from Microsoft that a site could be dangerous. When I go via a more secured browser I have, the site is fine.

Thinking corporate censorship of our internet use might be a thing now.

eggplant

(4,114 posts)
29. In this case, it is something much more benign.
Tue Dec 24, 2024, 11:29 PM
Dec 2024

The web server hosting one of the images in sheshe2's signature is on a blacklist because some *unrelated* website on the same server has nastiness on it.

Malwarebytes checks these blacklists and stops you before you can connect to that server. Different antimalware tools may use different blacklists, so the server won't be blocked.

brer cat

(27,178 posts)
6. I get that frequently. There is always a post by sheshe2
Sat Dec 21, 2024, 09:16 PM
Dec 2024

in the thread. I am assuming that the gif in her sig line is the issue.

EarlG

(23,217 posts)
11. The folks replying in this thread have made a decent guess, but I'm not sure it's correct
Sun Dec 22, 2024, 12:23 PM
Dec 2024

When you're browsing DU, the information that you're viewing is not all hosted on DU. When members link to media that is hosted on other sites -- for example, YouTube videos, tweets, and images --- that media is not lifted from the host site and then re-hosted on DU's servers. It remains on the host site, and DU's software simply displays it as is.

Therefore, when you're browsing DU, each page is really a mix of content from different sources. The vast majority of that content is hosted on DU's servers (eg. the entire page layout, user-written text, etc.), but some of it isn't (eg. images that are linked to from elsewhere).

Generally speaking, viewing mixed content is considered "safe" (although that probably depends on your view of network security), and modern browsers will alert the user if the browser thinks that any content which it is about to load is "dangerous."

A lot of the time -- and especially on DU, because we only allow a few types of outside content to be linked to -- this happens because the page contains an image with an http:// prefix instead of an https:// prefix. The former (http) is the original standard protocol for Internet data transfer, whereas the latter (https) is a more modern, secure version which encrypts the data that is exchanged between a website and a browser.

These days, the vast, vast majority of websites use the https protocol, but some still use the old version, and it is also possible to retrieve an image from an https site by using the http prefix. I have seen situations where people's browsers throw errors because they load a DU page which contains an http image prefix.

Since you suspected sheshe2's post as being the possible culprit, I checked those and the images in her sigline all use the https protocol. I did find one image on the page that does not -- the image in lindysalsagal's sig line has an http prefix. But I'm not sure that's the issue in this particular case.

This may be the answer:

The error message in your OP is an "outbound" error, and the website that it is blocking is located at 104.207.254.75. That is NOT a DU IP address. Instead it belongs to "Liquid Web L.L.C" which provides VPN services.

Are you using a VPN? If so, that is probably the issue. When you use a VPN, you connect to your target server (in this case, DU) by connecting to another server first, which then connects to the target server. This obscures your personal IP address from the target server, because the target server can only record the IP address of the VPN server, not your personal IP address. People do this legitimately, for privacy reasons.

In this case, it appears that MalwareBytes thinks that the VPN server -- the one you are connecting to before you connect to DU -- is compromised.

If you are using a VPN, my advice would be to either try disabling it and visiting DU to see if the error persists, or force your VPN program to connect to a different server by changing the location.

If you are not using a VPN, we will have to continue the conversation...

Liberal In Texas

(15,745 posts)
12. Thank you for looking into this.
Sun Dec 22, 2024, 01:38 PM
Dec 2024

The only VPN I'm using is the built-in "Microsoft Edge Secure Network." I went into Edge settings and turned it off. Unfortunately, the MalwareBytes message still comes up even after refreshing the post.

EarlG

(23,217 posts)
13. Is it the exact same message?
Sun Dec 22, 2024, 01:59 PM
Dec 2024

Just curious to know if the IP address changed or if it reported a different error.

EarlG

(23,217 posts)
15. I'm somewhat baffled
Sun Dec 22, 2024, 03:17 PM
Dec 2024

It's the same IP address -- the Liquid Web L.L.C VPN server. Except this time there's a domain attached to it.

Do you happen to know which thread you were on when you got this particular error?

sl8

(16,927 posts)
16. Gloriafeldt.com is same domain as the pic from sheshe2's sig line
Sun Dec 22, 2024, 03:40 PM
Dec 2024

Do you get the same message if you open the pic directly?

===
On edit: deleted sig pic.
===

You may want to try opening it in a new tab.

That domain name is on at least one blacklist. That doesn't necessarily mean it's a "bad" site.

Liberal In Texas

(15,745 posts)
17. I just got it again when I came back to THIS post.
Sun Dec 22, 2024, 05:15 PM
Dec 2024

gloriafeldt.com
104.207.254.75
That pic in your post 16 looks like a broken icon.
I don't get it when I'm replying to the post just now...until I post and go back to the full OP and replies.

EarlG

(23,217 posts)
22. I think that's the answer then
Sun Dec 22, 2024, 06:11 PM
Dec 2024

Malwarebytes doesn't like gloriafeldt.com for some reason and is blocking your connection to that domain. That would explain why you're seeing the message, and also why you're not seeing the image in the post (it's being blocked). It explains why Malwarebytes throws an error on every DU page which contains that image.

You should be able to add an exception somewhere in Malwarebytes to tell it to load content from gloriafeldt.com (assuming you're comfortable doing that -- I don't see anything unusual about the Gloria Feldt website, it could be Malwarebytes generating a false positive).

Just out of curiosity, have you tried going directly to gloriafeldt.com? (My guess is that Malwarebytes won't let you.)

sl8

(16,927 posts)
24. I'll delete the sig pic from my post.
Sun Dec 22, 2024, 06:17 PM
Dec 2024

I'll bet you'll stop seeing the alerts for this thread (you may need to refresh)

Liberal In Texas

(15,745 posts)
18. OK, I tried opening the sig pic in a new tab...
Sun Dec 22, 2024, 05:24 PM
Dec 2024

and I don't get the Malwarebytes alert.
But I just got it composing this reply.

sl8

(16,927 posts)
21. Interesting.
Sun Dec 22, 2024, 06:08 PM
Dec 2024

Caveat - I used to be somewhat well versed in this sort of thing, but I'm pretty rusty now. Take my input with a grain of salt.

Also, please see my reply to EarlG.

For what it's worth, most of the public blacklists I checked don't list gloriafeldt.com. One that did said the reason was due to it being a source of spam, not malware or such. I also think that, even if that ip was correctly identified as a source of spam, it may not have originated from gloriafeldt.com.

I hesitate to tell anyone not to worry about a possible security concern, but, personally, this wouldn't concern me. Again, "grain of salt".

The safest thing would be to ask Malwarebytes about it.

sl8

(16,927 posts)
20. Are you sure that ip is only associated with a VPN?
Sun Dec 22, 2024, 05:53 PM
Dec 2024

I'm also seeing that the ip is part of a block of 8192, which, as you said, belongs to Liquid Web, which is a website hosting company.

The DNS HINFO record shows that ip associated with "cloudhost-180693.us-midwest-1.nxcli.net" (per CentralOps.net).

The sig picture is on host gloriafeldt.com. I wonder if that host is actually a virtual server provided by Liquid Web and is using a shared ip? If that's the case, gloriafeldt.com might not even be the cause for the ip being blacklisted.

EarlG

(23,217 posts)
23. Yeah I think you're right
Sun Dec 22, 2024, 06:13 PM
Dec 2024

The first error message (the one in the OP) didn't specify gloriafeldt.com, but the second one did, so if the image in sheshe2's sig line is hosted on that domain, I'm 99% sure that's what must be causing it.

eggplant

(4,114 posts)
28. Some further research
Tue Dec 24, 2024, 06:47 PM
Dec 2024

After further research, the (shared) IP address associated with the site is flagged on https://www.abuseipdb.com/check/104.207.254.75

I would assume that some evil site is sharing the hosted IP and thus the cause. Which means either adding it to malwarebytes' allow list or putting up with the warnings. I'm choosing to put up with the warnings rather than expose the risk, but it's your choice.
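
The mechanism described in replies 11, 28 and 29 (a page mixing first-party content with embeds from other hosts, and a reputation block that hits a shared hosting IP rather than the site itself), as an added example that is not part of the thread or of DU's software. All hostnames, IP addresses and the blocklist entry are constructed, and the resolver table stands in for DNS so the audit runs offline:

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample data (not from the thread): a forum page with embedded
# images, a hostname -> IP table standing in for DNS, and an IP blocklist.
PAGE_HOST = "forum.example"
PAGE_HTML = """
<div class="post"><img src="https://forum.example/smilies/hi.gif">
<img src="https://sigs.example.org/banner.gif"></div>
<div class="post"><img src="http://pics.example.net/cat.jpg">
<a href="https://other.example.com/">links are not fetched on page load</a></div>
"""
RESOLVED = {
    "forum.example": "192.0.2.10",
    "sigs.example.org": "198.51.100.7",   # shared-hosting IP
    "spam.example.com": "198.51.100.7",   # unrelated tenant on the same IP
    "pics.example.net": "203.0.113.5",
}
BLOCKLIST = {"198.51.100.7": "spam source"}  # IP -> listed reason

class EmbedCollector(HTMLParser):
    """Collect URLs a browser fetches automatically while rendering."""
    FETCHED = {"img": "src", "script": "src", "iframe": "src"}

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        attr = self.FETCHED.get(tag)
        if attr:
            self.urls += [v for k, v in attrs if k == attr and v]

def audit(html, page_host, resolved, blocklist):
    """Return (host, ip, issues) for every third-party embed on the page."""
    collector = EmbedCollector()
    collector.feed(html)
    findings = []
    for url in collector.urls:
        parts = urlparse(url)
        host = parts.hostname
        if host == page_host:
            continue  # first-party content, served by the forum itself
        ip, issues = resolved.get(host), []
        if parts.scheme == "http":
            issues.append("plain http embed on an https page")
        if ip in blocklist:  # the block is on the IP, so list who shares it
            shared = sorted(h for h, a in resolved.items() if a == ip and h != host)
            issues.append(f"IP {ip} listed ({blocklist[ip]}); shared with {shared}")
        findings.append((host, ip, issues))
    return findings
```

The signature-image host is reported only because of the address it shares with another tenant, which is why the alert follows every page that embeds the image while the forum's own server is never flagged.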
