Not long ago, I was browsing this domain, htxp://tieba.baidu.com/, which is the Baidu forum.
When I was on htxp://tieba.baidu.com/p/3658693347, this warning, not from avast, popped up:
Warning: Malicious javascript detected on this domain.
There is an "OK" button to click in the popup.
What does this mean?
Is Baidu being hacked? Or is this message fake?
This warning arises from the ads Baidu puts on the site (not sure which specific one, as there are about 3 - 5 ads on one page).
It is related to a redirection to the following two sites
This only pops up when you go to a site that has Baidu ads AND you are not in mainland China.
Confirmed by the Chinese: htxp://zhidao.baidu.com/question/1575638718749399340.html (I do not suggest going to the Baidu website now)
I didn’t screenshot the popup. It just happens randomly on htxp://tieba.baidu.com/
Edit: Additional information: The following JS, htxp://hm.baidu.com/h.js, has been hijacked by something to launch a DDoS attack on github.com
Oops… clicked the quote button instead of the edit button
You certainly stumbled upon something there, this here is revealing info: http://insight-labs.org/?p=1682
The SSL connection is not hijacked - the HTTP connection was. Info credits: ← BadIRET exploit
After 113 hours of being under constant DDoS attack, GitHub's defenses are holding. The attacks were aimed to make certain content unavailable. Probably so-called “scrubbers” from various scrubbing centers in London, Hong Kong, San Jose, California, Ashburn, Virginia, Frankfurt, Germany and Tokyo, Japan could alleviate these attacks to normalize traffic again with dedicated bandwidth.
I remember in the last incarnation of the avast forum, when looking at the bottom of the index.php page you could see members logged in, Guests and Spiders.
Well if my memory serves me well, baidu used to feature heavily in the numbers of search engine spiders. When the likes of Google, Yahoo, Microsoft used to have one or two spiders, baidu had in the region of 90.
I don’t know if there are settings to prevent spiders or if they just aren’t reported.
Regrettably, most spiders that cause trouble here feature their robots.txt specs only in Chinese, Japanese, Russian, or Korean.
Also I assume Baidu spider and Great Firewall authorities work hand in foot. ;D
See: http://bgp.he.net/AS55967#_prefixes (for Baidu IP-ranges).
It is best to block all baidu scripts until this massive DDoS threat can be resolved. Use an extension such as NoScript or NotScripts.
Donovan
I have installed NoScript to disable all Baidu scripts as well as to see which sites are running the Baidu statistic script. I observe an interesting trend though: most of the sites that use “cnzz statistic script” have changed to use “baidu statistic script”. 7k7k games (http://www.7k7k.com/) is one example, where I got the malicious script run before getting NoScript.
Sadly, I can’t find any tool similar to NoScript for IE. Using IE, it does that again in the Baidu forum in the thread “p/3668178421” (well, you know the domain, as I gave it out at the very beginning). I don’t know why it doesn’t happen on every Baidu page, and going to the same site again doesn’t run the malicious script.
Did a scan in urlquery for htxp://tieba.baidu.com/p/3668178421/ but the scan has been locked up for about 30 minutes already. Very sure that it is because of the JS script.
Any suggestions for a tool that I can use for blocking Baidu scripts in IE?
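An added example, not part of the original thread: one way to check a saved copy of a page for script loads from Baidu hosts such as the hm.baidu.com/h.js script named above, without opening the page in a browser. The function names, the watched-domain list and the sample page are assumptions made for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

WATCHED = ("baidu.com",)  # assumption: domains to flag, taken from the thread
# Quoted absolute or protocol-relative URLs inside inline script text.
URL_IN_JS = re.compile(r"""["']((?:https?:)?//[^"'\s]+)["']""")

def host_matches(url):
    """True if the URL's host is a watched domain or a subdomain of one."""
    host = (urlsplit(url, scheme="http").hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in WATCHED)

class ScriptFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.in_inline = False
        self.hits = []  # (kind, url) pairs in document order

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            self.in_inline = not src
            if src and host_matches(src):
                self.hits.append(("src", src))

    def handle_endtag(self, tag):
        if tag == "script":
            self.in_inline = False

    def handle_data(self, data):
        # A src-only scan misses loaders that build the <script> tag at runtime.
        if self.in_inline:
            urls = URL_IN_JS.findall(data)
            self.hits += [("inline", u) for u in urls if host_matches(u)]

def find_watched_scripts(html):
    finder = ScriptFinder()
    finder.feed(html)
    finder.close()
    return finder.hits

# Constructed sample page (not captured from any real site).
SAMPLE = """<script src="/static/app.js"></script>
<script src="http://hm.baidu.com/h.js"></script>
<script>var s = document.createElement("script");
s.src = "//hm.baidu.com/h.js"; document.head.appendChild(s);</script>
<script src="https://notbaidu.example/x.js"></script>"""

if __name__ == "__main__":
    print(find_watched_scripts(SAMPLE))
```

The subdomain check compares whole host labels, so a look-alike host such as notbaidu.example is not flagged.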