Jump to content

Malware warning

NoBanStan

By NoBanStan
in Feedback and Support

Recommended Posts

NoBanStan Prolific Contributor

NoBanStan

Posted
Posted

More of an FYI than anything. Maybe a compromised vendor advert or someones link/avatar.

 

Browsed the following thread

 

http://www.tngunowners.com/forums/topic/60700-in-house-workbench-finally-done/page-2

 

Google chrome gave me the following alert:

 

 

 
Warning: Something's Not Right Here!
www.tngunowners.com contains content from www.errnum.com, a site known to distribute malware. Your computer might catch a virus if you visit this site.
Google has found malicious software may be installed onto your computer if you proceed. If you've visited this site in the past or you trust this site, it's possible that it has just recently been compromised by a hacker. You should not proceed, and perhaps try again tomorrow or go somewhere else.
We have already notified www.errnum.com that we found malware on the site. For more about the problems found on www.errnum.com, visit the Google Safe Browsing diagnostic page.
Go back
If you understand that visiting this site may harm your computer, proceed anyway.
Help improve detection of malware by sending additional data to Google about si

 

 

Link to comment
  • Replies 12
  • Created
  • Last Reply

Top Posters In This Topic

Popular Days

Top Posters In This Topic

Popular Days

Popular Posts

MacGyver
MacGyver

Man, that's a pain to deal with!  Makes you want to find the people responsible and take them out to the woodshed doesn't it?

Guest Lester Weevils

Guest Lester Weevils

Posted
Posted (edited)

That is my site that got hacked with a redirect. About 10 days ago I wiped all the hacked html and php and only left the picture folder and a couple of private data folders. The whole site is just 404 non-responsive at the moment, locked down tight, except it will serve my pictures. Shouldn't be any risk.

 

Very annoying. Had been planning to replace the html with simpler stuff anyway. The site only had one script, but maybe that is how the intruder got in. Ain't gonna use any scripts from now on, just plain old ugly html. Its just a place to park files and ain't got time to make it fancy.

 

I've just been daily watching the ftp and access logs to monitor for any more intrusion attempts. Only had a couple since I cleaned it up, and they failed.

Edited by Lester Weevils
Link to comment
  • Admin Team
MacGyver Postus Maximus

MacGyver

Posted
  • Admin Team
Posted

I just don't understand the fasination some people have with screwing with the internet sites.

 

You'd think they were politicians.

 

It really doesn't have anything to do with screwing with sites for the heck of it anymore - at least very rarely.

 

It has all to do with organized criminal groups serving unsuspecting visitors to a site keystroke loggers and the like that can later be used to commit identity theft/steal from you and/or make your computer their unwitting zombie to be used in spam, DDOS attacks and other stuff like that.

 

The days of the Kevin Mitnick "let's see if I can get in for the heck of it" types are unfortunately long gone.

Link to comment
Guest Lester Weevils

Guest Lester Weevils

Posted
Posted

Man, that's a pain to deal with!  Makes you want to find the people responsible and take them out to the woodshed doesn't it?

 

Nuclear weapons would not be overkill. :)

 

The little site is hosted on one of the big webhosting companies and they presumably have their virtual servers locked down pretty good. There are levels of the system innards I can't access as "owner" of the site. For instance if I wanted to install a "non-supported" package such as the apache subversion code sync utility, I'd be SOL unless I could beg or pay the company to configure the package for me. But I don't want the responsibility of knowing enough to keep a server safe and in operation, and the site is inexpensive with liberal data allotments. They have a lot of "common" packages, content management, forum software, blog software, that can be nearly "1 click" installed, but I don't use any of those packages at the moment.

 

Just saying, if my site was hacked at levels that I don't even have permissions to access, then there is not much I can do about it. That is PROBABLY unlikely though.

 

Maybe the password was guessed, but it wasn't especially guessable. Maybe the password was stolen but can't think of a route for the theft. After discovering the hack I changed the password to a long string of random chars.

 

Am ignorant of anything except the bare basics of web hosting but from the reading I've done, the remaining avenues of attack I have been able to think of (because the site was so stupid-simple and sparse)-- Either an sql injection or access via the sole little javascript that was on the site. A year or two ago had installed joomla to play with, but didn't like it and deleted the entire package. No databases left on the site, but maybe the sql engine could still have been accessed and overcome in some fashion. The one little javascript was just a "contact me" feature, allowing anonymous people to type in a message and get it forwarded to my email. It was a few lines of code offered for use by the webhosting company that I pasted into a form page.

 

I have a static IP at home, so I can easily ID all of my accesses in the logs. Watching the takeover "in retrospect" on the ftp logs, they replaced the .htaccess file, added a default.php that wasn't there previously, then downloaded all my html files, added one redirect line to each file and re-uploaded. The IP of all these changes was "constantly changing" in the ftp log, using IP's from all over the world, so whoever did the hack either has a big stable of slave machines, or has some other method of spoofing IP addresses.

Link to comment
Raoul Postus Maximus

Raoul

Posted
Posted

That is my site that got hacked with a redirect. About 10 days ago I wiped all the hacked html and php and only left the picture folder and a couple of private data folders. The whole site is just 404 non-responsive at the moment, locked down tight, except it will serve my pictures. Shouldn't be any risk.

 

Very annoying. Had been planning to replace the html with simpler stuff anyway. The site only had one script, but maybe that is how the intruder got in. Ain't gonna use any scripts from now on, just plain old ugly html. Its just a place to park files and ain't got time to make it fancy.

 

I've just been daily watching the ftp and access logs to monitor for any more intrusion attempts. Only had a couple since I cleaned it up, and they failed.

 

Been there. Makes you go cross-eyed after a while.

Link to comment
Guest Lester Weevils

Guest Lester Weevils

Posted
Posted

What is the site for? Do your users pass any information to it? File uploads maybe?

 

Hi Stan

 

The main practical use of the site is for my personal offsite storage of programming files, and occasional transfer to co-workers by sending them direct download links to the files. "Because it is there" it is also used to hold pictures I might embed in forum messages, lots less annoying than fooling with a third-party picture hosting service. I am the only user with write access to the site, and the only user that the site "knows about" for that matter.

 

When I first got the site years ago, intended to eventually post assorted articles and some code snippets, but never had time to fool with it. Became one of those "websites that time forgot". The only public html was read-only access for some songs I recorded long ago to give away because they don't have (and never had) any commercial potential. There are lots of music hosting services but it is the same deal as picture hosting sites. Easier to park the music someplace that belongs to me rather than fool with some third-party. And of course the package has an email so as long as I keep the site alive, I don't have to rely on gmail or whatever ISP I use for the home connection, for an email address.

 

The only anonymous user entry possible was a "contact me" webform containing a few lines of javascript. Maybe that was exploitable to gain entry but that page is gone now. There are no databases but maybe the sql or php engine was hackable somehow. I've locked that up as much possible and might see if the web company can disable them entirely on my virtual server.

 

It took awhile to get around to putting up a couple of html files after cleaning the site, so I could submit it to google. They won't check a site that doesn't have a homepage. I don't mind ugly and have decided to put up nothing but bare-bones html 1.0 from now on.

 

Well, for one thing, "gui web creation toolkits" come and go. One might create some pages with one of the many gui packages or content management systems, and then a couple of years later the toolkits are no longer supported or have developed security issues. Those web development tools litter a page with so much "difficult for a human to read" crap code that it isn't real feasible to meaningfully text-edit an old page if the creation toolkit is no longer extant. That's one reason I never added much content to the site in prior years. Too much hassle wading thru all that machine-generated crap automatically inserted to make the page format pretty.

 

So I just put up the song lists again in raw html, and might get around to adding some other content in raw html one of these days.

 

My wife just had a malware warning pop up a few minutes ago. She is using her Kindle fire.

 

Dolomite

 

Hi Dolomite

 

If the warning is from one of my pictures embedded in a thread, it is annoying but spurious, because the site has been clean for 10 days and anyway the pictures are not infected.

 

Sorry for the annoyance but the warnings should go away today or tomorrow, for most part. I submitted the site for review to google yesterday and they sent the following reply-- "Status of the latest badware review for this site: A review for this site has finished. The site was found clean. The badware warnings from web search are being removed. Please note that it can take some time for this change to propagate."

 

So it isn't flagged by google any more but it might take awhile for every browser on the planet to find out about it. The main browsers likely to have warned about downloading a picture from the flagged site, would be chrome and firefox.

Link to comment

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
Go to topic listing

TGO HELPFUL LINKS

Outside of TGO...

TRADING POST NOTICE

Before engaging in any transaction of goods or services on TGO, all parties involved must know and follow the local, state and Federal laws regarding those transactions.

TGO makes no claims, guarantees or assurances regarding any such transactions.

THE FINE PRINT

Tennessee Gun Owners (TNGunOwners.com) is the premier Community and Discussion Forum for gun owners, firearm enthusiasts, sportsmen and Second Amendment proponents in the state of Tennessee and surrounding region.

TNGunOwners.com (TGO) is a presentation of Enthusiast Productions. The TGO state flag logo and the TGO tri-hole "icon" logo are trademarks of Tennessee Gun Owners. The TGO logos and all content presented on this site may not be reproduced in any form without express written permission. The opinions expressed on TGO are those of their authors and do not necessarily reflect those of the site's owners or staff.

TNGunOwners.com (TGO) is not a lobbying organization and has no affiliation with any lobbying organizations.  Beware of scammers using the Tennessee Gun Owners name, purporting to be Pro-2A lobbying organizations!

×
×
  • Create New...

Important Information

By using this site, you agree to the following.
Terms of Use | Privacy Policy | Guidelines
 
We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.