
[RESOLVED] NoScript finds malicious script on my website

Posted: Sat Mar 17, 2012 3:12 am
by CrlyWrly
Apologies if this is not the right place to post this query but any help unraveling this would be most appreciated.

I am pretty sure there must be something nasty on my own website because a few days ago NoScript showed a warning and asked if I wanted to allow a domain ending in .ru (the specific domain has changed at least twice I think and is now showing as "way-one.ru" http://www.whois.net/whois/way-one.ru )
  • This was using SeaMonkey.
  • I got the same results with NoScript on FireFox.
Same result with both browsers loading the index file from my computer. Same results loading all the other pages on my site too.

I was just about to move the website to a different server when this happened and when I tried to access the ftp and the "site manager" on the original server, to check the .htaccess file, my password was not recognised. So it looks pretty likely that something nasty has got in.

I could give myself a good slap because at this point I only checked the .htaccess file on my computer, none of the other files. As the .htaccess file was OK, I assumed that the others were all OK too. (Probably wrong there!)

I have moved the site to the new server by uploading the files from my computer and the new server admin people checked that the .htaccess file was OK.

Now, although NoScript still flags the probably malicious script on the index page, the other pages all seem to be fine (for now, at least).

I am a bit out of my depth with this and was reading around about how to find out where the problem might be and how to solve it.

I came across a recommendation to scan the site with Sucuri Sitecheck, did it, and no problems were found: http://sitecheck.sucuri.net/results/www.salt-mine.net

This made me wonder if the problem was something to do with my browser so I accessed the site with:
  • Google Chrome with "NoScript-type" addons: nothing detected
  • Safari with "Noscript-type" addon: nothing detected
  • Camino: nothing detected
There obviously is something wrong with the site, probably with the index page, which has got all sorts of stuff on it, some of which I should probably junk. Or is it that Firefox and SeaMonkey have been affected by a script and the other browsers have not? (Yet!)

Also, although I cannot see anything to do with this site or script on the index page and NoScript does not flag anything, I watched the status bar as the page was loading and saw a mention of this site flash by: http://whos.amung.us/

I need to get the site down in case there is something nasty there but would very much appreciate any advice as I am getting more confused the more I try to understand what might be going on!

(Using Mac Leopard OSX 10.5.8)

Best wishes,
Liz

ps. There is nothing at all wrong with the link to the Orwell.ru site - it is legit - very good and helpful person with useful website accessibility tools and advice on his site.

pps. Good grief! This might be the problem! There are only two "sign up" forms on the page - one for a Yahoo email list and one to submit comments - using Jotform. I removed that from a "test" version of the index file on my computer and NoScript stopped flagging the problem - so I searched for any known issues with . . . weird, the second instance of that word is even triggering the spam filter on the forum so I will try spelling it like this: J-o-t-f-o-r-m

Re: NoScript finds script I think is malicious on my website

Posted: Sat Mar 17, 2012 6:51 am
by Tom T.
CrlyWrly wrote:
> This made me wonder if the problem was something to do with my browser so I accessed the site with:
>   • Google Chrome with "NoScript-type" addons: nothing detected
>   • Safari with "Noscript-type" addon: nothing detected
>   • Camino: nothing detected
> There obviously is something wrong with the site, probably with the index page, which has got all sorts of stuff on it, some of which I should probably junk. Or is it that Firefox and SeaMonkey have been affected by a script and the other browsers have not? (Yet!)

None of those other "Noscript-type" add-ons come anywhere close to NoScript's detection and blocking capabilities.

(Which gives their users a false sense of security, which is worse than none at all.)

Clearly, only NS detected the threat and protected Fx and SM users. Users of the other browsers, well...

It would really make it easier for us to see what is wrong with your web site if we could visit it. ;)

If for some reason the URL needs to be kept private, please PM it to me, in strictest confidence.

Re: NoScript finds script I think is malicious on my website

Posted: Sat Mar 17, 2012 12:54 pm
by CrlyWrly
Hi Tom,

Many thanks for your reply.

It's not secret - there was a reference to it in my first post, but not that obvious as it was part of the sitecheck url:
http://sitecheck.sucuri.net/results/www.salt-mine.net

So the site is here: www.salt-mine.net

Some content is not directly linked and I need to fix some links that have broken with the move from the old server, where the main site was sltnorth.org.uk and salt-mine.net was the alias (now it is the other way around).

If you can find anything that would help me to get rid of this thing I would be most grateful.

I have removed the jotform css and html from the index page already but there is still a NoScript warning - though this has now changed to insuranceit.ru !

http://www.whois.net/whois/insuranceit.ru

Best wishes,

Liz

Re: NoScript finds script I think is malicious on my website

Posted: Sat Mar 17, 2012 1:19 pm
by therube
> has got all sorts of stuff on it
> which I should probably junk

That's what I thought when I looked at the page.
All kinds of junk.

I too see insuranceit.ru.
But it only showed up after allowing "all sort of stuff" on your site.
It did not show when I allowed salt-mine.net alone.

After I allowed salt-mine, I then Temporary Allow All & that picked up whatever was seen at that time (the +'d items below), & with that done, it was then that your .ru (& others) showed up (the -'s below). So it would appear that your .ru is coming in by way of one of those "probably junk" sites.

Code:

-scribd.com
+google.co.uk
-google-analytics.com
+tweetgrid.com
+xmarks.com
-foxmarks.com
+scribdassets.com
+paper.li
-insuranceit.ru
+printfriendly.com
+publitweet.com
-twitter.com
+salt-mine.net
Just because something is from .ru does not necessarily mean there is anything "wrong" or "bad" about it. No more so than any other domain.

Re: NoScript finds script I think is malicious on my website

Posted: Sat Mar 17, 2012 1:36 pm
by CrlyWrly
@TheRube - Thank you - that's great! :-)

Thank you too for the critique - I already agree with you, so no offence taken :-)

I suspect, from that, that this one might be the culprit: http://paper.li/salt_mine

or possibly one of the Tweetgrid widgets as I think they sometimes include adverts?

Phew! What a relief!!!

Many thanks again,

Best wishes,

Liz
ps. Where did you get that list of codes from?

Re: NoScript finds script I think is malicious on my website

Posted: Sat Mar 17, 2012 11:47 pm
by Tom T.
CrlyWrly wrote:
> ps. Where did you get that list of codes from?

See changelog, and find 2.2.9. (cough) (cough)

It's also in the FAQ: "What Is A Trusted Site?", although a bit buried in a wall of text, as the addition was rather recent.

Re: NoScript finds script I think is malicious on my website

Posted: Thu Mar 22, 2012 12:21 pm
by CrlyWrly
Thanks Tom :-) (cough!)

Unfortunately it looks as if there is something nasty on my site - got a Google malware warning ;-(
http://www.google.com/interstitial?url= ... th.org.uk/

This is after I moved it to a new server - oh dear!

Hmmm! Don't think this should be right at the top of the code in the header - very suspicious:
<script src="http://beta.publitweet.com/track.php?fe ... "></script>
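One way to get the kind of per-page list of external script sources that NoScript shows, as an added example that is not from the thread: a short Python scanner run over a page's HTML. The sample HTML is constructed to resemble the index page described above (the `fe=` value and the first-party host set are placeholders, not values from the site), and anything outside the first-party set, like the publitweet tracker at the top of the header, stands out before any browser runs it.

```python
"""Added example (not from the thread): list the external script and iframe
sources a page pulls in, the way NoScript's per-site list does, so an
unexpected inclusion such as a tracking script in <head> can be spotted."""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample resembling the index page described in the thread:
# first-party content plus an injected tracking script at the top of <head>.
# The fe= value is a placeholder, not the real one from the page.
SAMPLE_HTML = """<html><head>
<script src="http://beta.publitweet.com/track.php?fe=PLACEHOLDER"></script>
<link rel="stylesheet" href="/style.css">
<script src="/js/menu.js"></script>
<script src="https://www.google-analytics.com/ga.js"></script>
<script>var inline = 1;</script>
</head><body>
<iframe src="http://paper.li/salt_mine"></iframe>
<img src="http://whos.amung.us/widget/example.png">
</body></html>"""

# Hosts the site owner knows they serve content from (assumed first party).
FIRST_PARTY = {"salt-mine.net", "www.salt-mine.net"}


class ScriptSourceParser(HTMLParser):
    """Collect the src attribute of every <script> and <iframe> tag."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "iframe"):
            src = dict(attrs).get("src")
            if src:
                self.sources.append((tag, src))


def external_hosts(html, first_party=FIRST_PARTY):
    """Return sorted (tag, host, url) triples for script/iframe sources that
    load from a host outside first_party. Relative URLs have no host and
    therefore count as first party."""
    parser = ScriptSourceParser()
    parser.feed(html)
    found = []
    for tag, src in parser.sources:
        host = urlsplit(src).hostname
        if host and host.lower() not in first_party:
            found.append((tag, host.lower(), src))
    return sorted(found)


if __name__ == "__main__":
    for tag, host, src in external_hosts(SAMPLE_HTML):
        print(f"{tag:7} {host:28} {src}")
```

Run against the real files (e.g. every .html under the site directory), the same function gives a list to compare with the domains therube's NoScript list shows.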

Re: NoScript finds script I think is malicious on my website

Posted: Fri Mar 23, 2012 5:38 am
by Tom T.
CrlyWrly wrote:
> Thanks Tom :-) (cough!)

You're welcome, and my throat is now better -- hope yours clears up soon. :lol:

> Unfortunately it looks as if there is something nasty on my site - got a Google malware warning ;-(
> http://www.google.com/interstitial?url= ... th.org.uk/

There is a known issue with phpBB forum software: that long URLs get truncated; hence mangled, even though they preview successfully - *once*. Even previewing a second time may trigger this. But if you preview once, then click "submit", what happened to your link above ... happens.

There's a topic on it, but no need to read. Just wrap all URLs (except perhaps very short ones) in tags, or code tags.
Please re-post the above URL using one of those methods?

> Hmmm! Don't think this should be right at the top of the code in the header - very suspicious:
> <script src="http://beta.publitweet.com/track.php?fe ... "></script>

I should think not.

I visited http// beta dot publ etc.
The Simplest Way to Publish Twitter on your Website

Make your Twitter Content available for non-Twitter users.
Publish your curated tweets in a comprehensive way for your readership.
Clicked "FAQ". (Inserted asterisks to foil text-based search engines from counting these listings in their popularity rankings.)

Message bar:

Code:

This webpage has asked to redirect to http://hand-po***ise.ru/way.cream.php.

Wow, our Russian friends again! Dos vedanya, Comrades! ...

(With all due respect to therube, who is quite knowledgeable, certain countries do host or send a statistically-significantly higher proportion of spam, malware, etc. Russian Federation, Ukraine, and China among them. Of course there are plenty of legitimate sites in those countries, but showing up on an English-language web site makes one wonder ... )

This forum used to be plagued with Russian spam. I suggested to Giorgio that he simply ban the Cyrillic alphabet. Done. Cyrillic (Russian/Ukrainian-language) spam gone.

Clicked "The document has moved here".
(Trained security professional with ultra-locked-down machine in a laboratory deep beneath a building disguised as an ICBM nuclear missile silo. DO NOT TRY THIS AT HOME!)

Got a JavaScript link to

Code:

http://centeruti****litywreck.info/dfa1c45eb8c092e7/7/
Clicked that. (I like to live on the edge.) Got a ton of JS links, and the tab heading now reads "Windows Antivirus 2012", which I don't have.

A search quickly identified Win AV 2012 as a trojan-type virus. :o

Now, please excuse me while I spray my machine with pesticides, antibiotics, retrovirals, immunoglobulins, etc. :)

Re: NoScript finds script I think is malicious on my website

Posted: Fri Mar 23, 2012 4:35 pm
by therube
> very suspicious:

An understatement.

> redirect to http://hand-po***ise.ru/

Exactly.

> This is after I moved it to a new server - oh dear!

Either they are just infested servers, so time to find a new host, or the source is starting with you, your computer?

As a start, scan with... oh, you're on a Mac?

Re: NoScript finds script I think is malicious on my website

Posted: Fri Mar 23, 2012 9:31 pm
by GµårÐïåñ
Are you, by any chance, PARKING your website? If so, that is the reason you see that: most if not all of the parking pages have some kind of ads and, since they have much less regulation, they might serve something nasty. If that is not the case and you have a legitimate content site, then if you are using any third-party CMS or online editor, they might be inserting it in the code; I suggest you hand-modify your code and upload via FTP instead to avoid that. That's what I can think of off the top of my head for how you got it in there, short of accusing you of putting it there yourself :P

Re: NoScript finds script I think is malicious on my website

Posted: Thu Mar 29, 2012 12:05 am
by CrlyWrly
GOSH! Tom T - you are very brave - that was just like something out of James Bond!! :-)

Sorry about the broken link in the previous post, it is all sorted now but the warnings were (screenshots - couldn't work out how to get the actual images to do the [img][/img] thing):

http://www.flickr.com/photos/53828336@N ... /lightbox/
and
http://www.flickr.com/photos/53828336@N ... /lightbox/

@GµårÐïåñ: There is no "parked page" although I guess the domain flagged in the screenshots is "parked" to the extent that it is just an alias.

The problem - the redirect to the nasty .ru site - was on my other domain - salt-mine.net - for which sltnorth is an "alias".

@therube: It was something nasty that had got onto my computer, rather than the servers at the nice, new hosting place. And the problem was, as Tom found - due to publitweet. I only got rid of the problem on salt-mine.net on the server by deleting every file on my computer that turned up if I searched for "publitweet". (Until I did that, every time I cleaned up the files on the server the nasty redirect kept reappearing on the server even though I did not re-upload the files - I think!).

I use CLAM antivirus and it did find something for the first time ever and quarantined it so I suppose that might be the thing that got in. I guess because I had allowed Publitweet in NoScript? Is that what would have let it in?

Once the site was all clear, I could not get the Google warning removed from the alias sltnorth - the only way, theoretically, that I could get it reviewed was by putting something (can't remember what now) as an extra field in the DNS record to prove I owned the domain. It didn't work and someone on the Google webmaster forum suggested that I contact http://www.stopbadware.org - they were wonderful and got the warning removed really quickly. Three cheers for those guys as well as you all here! :-)

I feel like I should put an advert for NoScript and stopbadware on my site now. I have helped a few people set up their browsers (frightening thought, isn't it, but I have the widest geek-streak of all my mates!) and I always put NoScript on for them but it worried me that people without that protection might have visited my site and got redirected to the nasty .ru site.

I know that .ru sites are not all bad as years ago a really nice Russian bloke called Dag on http://forums.htmlhelp.com/ helped me to do the css for my site - some nice tips and tools on his site http://orwell.ru/test/ - the main site is all about George Orwell. However, I also knew that unexpected requests for permissions for .ru sites were unlikely to be good news ;-/

I hope this is all sorted out now.

I will be replacing that horrid landing page on http://www.salt-mine.net - I was getting lazy with the hand-coding and using Kompozer from time to time and now I have capitulated entirely and have started setting up a Wordpress site instead (needed to grab all my content from Posterous anyway).

Have spent ages looking for an accessible theme that works and is not too tricky to set up - this one is not perfect (I need to modify it to have links underlined automatically plus stop all the full-size images appearing on the home page) but it is better - not linked to the landing page as I am still messing about with it and when it is right will probably set it as the landing page http://www.salt-mine.net/blog/

Thank you all for your help, advice and funny-bone accounts of adventures into the dark side of cyber-space :-)

Best wishes,

Liz

Re: NoScript finds script I think is malicious on my website

Posted: Thu Mar 29, 2012 6:03 am
by Tom T.
CrlyWrly wrote:
> GOSH! Tom T - you are very brave - that was just like something out of James Bond!! :-)

Rats! My covert-ops, secret-agent cover-identity is blown! :o

> Sorry about the broken link in the previous post, it is all sorted now but the warnings were (screenshots - couldn't work out how to get the actual images to do the [img][/img] thing):

I couldn't, either. Seems each image-hosting site has its own protocol, but most have the photo type (extension) in the link: .png, .gif, .jpg, etc. Yours didn't, but we got there. So please excuse me for not investigating that. :)

> @therube: It was something nasty that had got onto my computer, rather than the servers at the nice, new hosting place. And the problem was, as Tom found - due to publitweet. I only got rid of the problem on salt-mine.net on the server by deleting every file on my computer that turned up if I searched for "publitweet". (Until I did that, every time I cleaned up the files on the server the nasty redirect kept reappearing on the server even though I did not re-upload the files - I think!).
>
> I use CLAM antivirus and it did find something for the first time ever and quarantined it so I suppose that might be the thing that got in. I guess because I had allowed Publitweet in NoScript? Is that what would have let it in?

I didn't get an AV alarm after allowing Publitweet, but clicking the FAQ gave a *different* redirect this time, to

Code:

http://pas***tro.ru/example/status.php

Which, if clicked, etc. eventually ends up with dozens of JS links running "optimizer-scanner" or some such garbage.

I imagine that at some time, one of these malicious sublinks of Publitweet was allowed somewhere. I wonder whether it's deliberate by Publitweet, or the site has been compromised? (See XSS FAQ for more about that, if interested.) It seems there is never an *actual* FAQ at their FAQ link. If you're curious, e-mail them, ask what happened to the FAQ?

... btw, if you email this suspect site, use "plain-text" email, not "rich text" or "text and graphics", which contains additional markup code that can be ... misused. If they answer in rich text, convert before replying, or before opening, depending on your particular email capabilities.

Also, IIUC, Clam runs only on demand -- email scanning, scheduled scans, etc. Probably should add a full-time, real-time AV that constantly monitors. IOW, as said above, I did that investigation, fairly confident that any attempt to load malware would sound alarms. (The rest of that confidence comes from the ICBM missile-silo lockdowns on this machine. ;) )

Some popular makers of real-time AV products that are free for home use include (alphabetically) Avast, AVG, and Avira.

> I feel like I should put an advert for NoScript and stopbadware on my site now.

By all means, feel free! A link to NoScript home page, and/or to
Firefox Add-ons download site, https://addons.mozilla.org/en-US/firefo ... /noscript/.

Also, feel free to post a review of NS at the review portion of that page. :)

> I have helped a few people set up their browsers (frightening thought, isn't it, but I have the widest geek-streak of all my mates!)

I was going to say that before seeing the end of the sentence. Clearly, waaay above the average, non-tech home user... and now, even more aware. ;)

> and I always put NoScript on for them but it worried me that people without that protection might have visited my site and got redirected to the nasty .ru site.

Possibly, but I had to do a good bit of clicking on strange links to get there. Most would probably either be frightened away or just give up -- fortunately.

> I know that .ru sites are not all bad...

I once bought a sw product that had US offices, but HQ in Russia. Very fine product. (No plugs, sorry!)

> George Orwell.

... who is unfortunately being proven to be prophetic, although with the downfall of the USSR, it's taking a little longer than the 36 years he predicted (1948 > "1984".) (O/T)

> However, I also knew that unexpected requests for permissions for .ru sites were unlikely to be good news ;-/

True enough, although unexpected requests for permissions to any site unrelated to the parent (home) site, or unknown to the user or the general public, are always worth looking at closely. Have you checked out RequestPolicy add-on?

When your final version is up and running, post back and let us check it out!

> Thank you all for your help, advice and funny-bone accounts of adventures into the dark side of cyber-space :-)
>
> Best wishes,
>
> Liz

You're very welcome.

I do enjoy the detective-aspect of this, but alas, it isn't funny for those who get to the dark side without massive shields of armor.

Cheers,
-Tom