OT: Weird search engine problem - fake goods hijacking

Johann Klammer <klammerj@NOSPAM.a1.net> writes:

On 05/31/2018 09:24 AM, John Devereux wrote:

https://duckduckgo.com/?q=cromorecastles&t=canonical&ia=web



Ah, a ubuntu user!

for visiting scam websites for sure :)


--

John Devereux
 
On Wednesday, May 30, 2018 at 9:45:55 PM UTC-6, Tom Del Rosso wrote:
Martin Brown wrote:
I have encountered a weird search engine problem with Google, Bing and
Yahoo all affected to some extent. Some search result URLs have been
corrupted and hijacked to fake designer goods stores and I can't see
how it has been done. I have tried from different platforms and it
seems that the problem is with the indexing and content at the search
engine.
To see what I mean with a concrete example take a look at the top two
hits for the following search terms on Google:

Hermes fake cromorecastle

On my system this forces two mangled websites to the top of the list.
Their genuine URLs are below however Google doesn't link to them any
more nor does it show the true content of their web pages. Any wizards
able to explain what is going on and how to get things put right?

http://www.cromorecastles.co.uk/
and
http://www.shockcordstore.co.uk/

What's the problem?

Your third word isn't found so it's ignored.

You search for 'Hermes fake' and you get 'Hermes replica' because it
uses synonyms.

What's unexpected about that?

You misunderstand the problem. The search result shows the real site on the link. If you hover the link, your browser shows the correct site. When you click the link, however, you get sent to the scam site. If you type the correct site into the address bar this does not happen, proving the corruption is on the search engine.
 
You misunderstand the problem. The search result shows the real site on the link. If you hover the link, your browser shows the correct site. When you click the link, however, you get sent to the scam site. If you type the correct site into the address bar this does not happen, proving the corruption is on the search engine.

so this is a great concern..

everyone knows not to click links in emails because they may be spoofs

when I want to go to paypal for example and be sure it is not a spoof,
I would use google, type paypal and click the search result.

I guess what this means is that this is no longer a secure method to assure you are not at a spoof.

this means i must type https:paypal.com into the browser window to be sure?

mark
 
On Thursday, May 31, 2018 at 1:16:02 PM UTC-4, gnuarm.del...@gmail.com wrote:
On Thursday, May 31, 2018 at 12:27:09 PM UTC-4, mako...@yahoo.com wrote:

You misunderstand the problem. The search result shows the real site on the link. If you hover the link, your browser shows the correct site. When you click the link, however, you get sent to the scam site. If you type the correct site into the address bar this does not happen, proving the corruption is on the search engine.


so this is a great concern..

everyone knows not to click links in emails because they may be spoofs

when I want to go to paypal for example and be sure it is not a spoof,
I would use google, type paypal and click the search result.

I guess what this means is that this is no longer a secure method to assure you are not at a spoof.

this means i must type https:paypal.com into the browser window to be sure?

mark

I'm not sure this is anyone "grabbing" your link rather than a means of generating revenue by selling your search list placement. I have seen this plenty of times though and it bugs me. I have not seen any sign it is being used to cause problems.

Rick C.

I guess I posted too soon. Looks like Martin figured it out.

Rick C.
 
On Thursday, May 31, 2018 at 12:27:09 PM UTC-4, mako...@yahoo.com wrote:
You misunderstand the problem. The search result shows the real site on the link. If you hover the link, your browser shows the correct site. When you click the link, however, you get sent to the scam site. If you type the correct site into the address bar this does not happen, proving the corruption is on the search engine.


so this is a great concern..

everyone knows not to click links in emails because they may be spoofs

when I want to go to paypal for example and be sure it is not a spoof,
I would use google, type paypal and click the search result.

I guess what this means is that this is no longer a secure method to assure you are not at a spoof.

this means i must type https:paypal.com into the browser window to be sure?

mark

I'm not sure this is anyone "grabbing" your link rather than a means of generating revenue by selling your search list placement. I have seen this plenty of times though and it bugs me. I have not seen any sign it is being used to cause problems.

Rick C.
 
On 31/05/2018 17:27, makolber@yahoo.com wrote:
You misunderstand the problem. The search result shows the real site on the link. If you hover the link, your browser shows the correct site. When you click the link, however, you get sent to the scam site. If you type the correct site into the address bar this does not happen, proving the corruption is on the search engine.


so this is a great concern..

It is a moderate concern. Thanks to help from an internet wizard I now
have chapter and verse on the compromised sites. The vulnerability is in
a script language PHP version 5.x with x<6 and a frightening number of
sites and hosting services are still running that old legacy code by
default. Worth checking what version you have on your platform.

Sticking this in a file called version.php ought to do the trick

<?php
// prints the version of the interpreter the host actually runs for this site
echo 'PHP Version :' . phpversion();
?>

PHP is currently at version 7. And 5.2 means immediate danger.

The method used was an injection attack that rewrote the .htaccess file
and added a bogus index.php file to the root directory.

Once this is done the index.php gets first bite at the cherry and tells
spiders to go one way and users to go another if the referrer is one of
the major search engines. The nasty code is surprisingly short.

I found that by opening site in a new window you could see the true URL
momentarily before the script rewrote it with fake goods emporium #1.
everyone knows not to click links in emails because they may be spoofs

when I want to go to paypal for example and be sure it is not a spoof,
I would use google, type paypal and click the search result.

I guess what this means is that this is no longer a secure method to assure you are not at a spoof.

this means i must type https:paypal.com into the browser window to be sure?

It certainly means you cannot entirely take results from search engines
at face value. It also means that occasionally you should search for
your own site and click through the resulting links to see that you do
in fact land on your site and not on some dodgy hijack location.

If you do find a site with questionable behaviour this site seems to dig
the dirt and at least warns of malware for some of the dodgy ones (it
has given me false negatives though so not foolproof):

https://sitecheck.sucuri.net/results/

eg.

https://sitecheck.sucuri.net/results/www.bestevidence.org.uk

--
Regards,
Martin Brown
 
On 31/05/2018 18:18, gnuarm.deletethisbit@gmail.com wrote:
On Thursday, May 31, 2018 at 1:16:02 PM UTC-4,
gnuarm.del...@gmail.com wrote:
On Thursday, May 31, 2018 at 12:27:09 PM UTC-4, mako...@yahoo.com
wrote:

this means i must type https:paypal.com into the browser window
to be sure?

You could copy and paste it from a trusted local text file I suppose.

You can't trust search engine results to take you where they claim at
the moment although things will improve when more sites upgrade their
security. Bigger sites should be OK since they have support people
making sure things are properly secure against the latest hacks.

One problem is that consumer website services have allowed everyone and
their dog to have a website but not provided basic security for them!

I'm not sure this is anyone "grabbing" your link rather than a
means of generating revenue by selling your search list placement.
I have seen this plenty of times though and it bugs me. I have not
seen any sign it is being used to cause problems.

Rick C.

I guess I posted too soon. Looks like Martin figured it out.

A guy called Mark figured it out this morning; I merely acted on his
advice and have relayed what he told me.

--
Regards,
Martin Brown
 
On 05/31/18 12:27, makolber@yahoo.com wrote:
You misunderstand the problem. The search result shows the real site on the link. If you hover the link, your browser shows the correct site. When you click the link, however, you get sent to the scam site. If you type the correct site into the address bar this does not happen, proving the corruption is on the search engine.


so this is a great concern..

everyone knows not to click links in emails because they may be spoofs

when I want to go to paypal for example and be sure it is not a spoof,
I would use google, type paypal and click the search result.

I guess what this means is that this is no longer a secure method to assure you are not at a spoof.

this means i must type https:paypal.com into the browser window to be sure?

mark

You don't do that already?

Cheers

Phil Hobbs

--
Dr Philip C D Hobbs
Principal Consultant
ElectroOptical Innovations LLC / Hobbs ElectroOptics
Optics, Electro-optics, Photonics, Analog Electronics
Briarcliff Manor NY 10510

http://electrooptical.net
http://hobbs-eo.com
 
On 31.05.2018 09:24, John Devereux wrote:
It seems to depend on how it is accessed at the moment.

If you visit it via the google search results I get a scam site. Typing
the address directly into the browser bar I get a normal site.

Confirmed, same results here (accessing from Germany, Vodafone network).
 
On 2018-05-31, pcdhobbs@gmail.com <pcdhobbs@gmail.com> wrote:
What's the problem?

Your third word isn't found so it's ignored.

"Cromore castles" is a company that rents bouncy castles for kids' parties, and the main page of their Web site currently resolves to a Chinese outfit selling fake handbags.

Well, no, it depends how you arrive on their home page.
If I come from the google handbag search you end up in China.
If I go straight to their page, or from a search for bouncy castles
I get their home page.

coming from the handbag search I get a HTTP redirect instead of
their home page. I haven't figured how they are doing it.

--
 
On 2018-05-31, Martin Brown <'''newspam'''@nezumi.demon.co.uk> wrote:
On 31/05/2018 17:27, makolber@yahoo.com wrote:


You misunderstand the problem. The search result shows the real site on the link. If you hover the link, your browser shows the correct site. When you click the link, however, you get sent to the scam site. If you type the correct site into the address bar this does not happen, proving the corruption is on the search engine.


so this is a great concern..

It is a moderate concern. Thanks to help from an internet wizard I now
have chapter and verse on the compromised sites. The vulnerability is in
a script language PHP version 5.x with x<6 and a frightening number of
sites and hosting services are still running that old legacy code by
default. Worth checking what version you have on your platform.

or you can just look at the HTTP headers to see the PHP version.

The method used was an injection attack that rewrote the .htaccess file
and added a bogus index.php file to the root directory.

Script bug or PHP bug? Does it have a CVE number? I avoid having WWW
pages writeable by the WWW server process.

--
 
On 01/06/2018 07:34, Jasen Betts wrote:
On 2018-05-31, pcdhobbs@gmail.com <pcdhobbs@gmail.com> wrote:
What's the problem?

Your third word isn't found so it's ignored.

"Cromore castles" is a company that rents bouncy castles for kids' parties, and the main page of their Web site currently resolves to a Chinese outfit selling fake handbags.


Well, no, it depends how you arrive on their home page.
If I come from the google handbag search you end up in China.
If I go straight to ther page, or from a search for bouncy castles
I get their home page.

coming from the handbag search I get a HTTP redirect instead of
their home page. I haven't figured how they are doing it.

I have, although it helps to have access to a site that is affected.
There is malware on the site that intercepts references to the site and
looks to see if the referrer was a major search engine and if so it
rewrites the URL with a temporary redirect. If you open the google link
into a new window you get just enough delay time to see the genuine URL
being trashed by the script running on the webhosting platform.

The Cromore Castles site is curious because it does not show as having
detectable malware using online diagnostics whereas the others do.

If you appear to get the site when you input:

root_URL/index.php

Or get a script timeout then there is a good chance that the site has
been compromised. There is clearly a javascript equivalent that is
harder to detect since one infected site which came out clear was using
javascript only. PHP 5.2 appears to be the common factor for the others.


--
Regards,
Martin Brown
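Added example, not code from the thread or from any of the affected sites: a small Python script that reproduces the mechanism Martin describes in this post and the earlier one (crawlers get fake-goods content so the search listing grows a spurious title, visitors who click through from a search engine get a temporary redirect, direct visitors get the real page) on a local mock server, and a probe that detects it the same way his "telnet pretending to be Google" check did, by fetching the same URL with different Referer and User-Agent headers and comparing the answers. It also reads the X-Powered-By header, which is where Jasen's "look at the HTTP headers for the PHP version" comes from. The mock server, the PHP/5.2.17 header value, the fake-handbags.example target and the page titles are constructed; no real site is contacted.

```python
import http.server
import threading
import urllib.error
import urllib.request
from urllib.parse import urlparse

SEARCH_ENGINES = ("google.", "bing.", "yahoo.", "duckduckgo.")
CRAWLERS = ("googlebot", "bingbot", "slurp", "duckduckbot")
# Constructed stand-ins; the real sites in the thread are not contacted.
SPAM_TARGET = "http://fake-handbags.example/"
REAL_PAGE = b"<html><title>Cromore Castles - bouncy castle hire</title></html>"
SPAM_PAGE = b"<html><title>Hermes replica handbags cheap</title></html>"
FAKE_PHP_BANNER = "PHP/5.2.17"  # assumed version string for the mock


class CloakingHandler(http.server.BaseHTTPRequestHandler):
    """Mock of the planted index.php: crawlers get spam content (so the
    search listing shows a fake-goods title), humans who click through from
    a search engine get a temporary redirect, everyone else gets the real page."""

    def do_GET(self):
        ua = self.headers.get("User-Agent", "").lower()
        referer_host = urlparse(self.headers.get("Referer", "")).netloc.lower()
        if any(bot in ua for bot in CRAWLERS):
            self._page(SPAM_PAGE)
        elif any(se in referer_host for se in SEARCH_ENGINES):
            self.send_response(302)
            self.send_header("Location", SPAM_TARGET)
            self.send_header("X-Powered-By", FAKE_PHP_BANNER)
            self.end_headers()
        else:
            self._page(REAL_PAGE)

    def _page(self, body):
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("X-Powered-By", FAKE_PHP_BANNER)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # silence per-request logging
        pass


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Make urllib hand the 3xx response back instead of following it."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def fetch(url, headers):
    """Return (status, headers, body) without following redirects or proxies."""
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}), NoRedirect)
    try:
        with opener.open(urllib.request.Request(url, headers=headers), timeout=5) as r:
            return r.status, r.headers, r.read()
    except urllib.error.HTTPError as e:  # raised for the 3xx we refused to follow
        return e.code, e.headers, e.read()


def probe(url):
    """Fetch url as a plain visitor, as a click-through from Google and as
    Googlebot, and report the differences that indicate cloaking."""
    browser = "Mozilla/5.0 (X11; Linux x86_64) Gecko/20100101 Firefox/60.0"
    bot = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
    direct = fetch(url, {"User-Agent": browser})
    via_google = fetch(url, {"User-Agent": browser, "Referer": "https://www.google.com/"})
    as_bot = fetch(url, {"User-Agent": bot})
    return {
        "php_version": direct[1].get("X-Powered-By"),  # absent when expose_php is off
        "redirects_search_clicks": direct[0] == 200
        and via_google[0] in (301, 302, 303, 307, 308),
        "redirect_target": via_google[1].get("Location"),
        "cloaks_for_crawlers": direct[2] != as_bot[2],
    }


def start_mock_server():
    """Serve the mock on a random loopback port; returns (server, base_url)."""
    srv = http.server.HTTPServer(("127.0.0.1", 0), CloakingHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, "http://127.0.0.1:%d/" % srv.server_address[1]


if __name__ == "__main__":
    srv, base = start_mock_server()
    try:
        for key, value in probe(base).items():
            print(f"{key}: {value}")
    finally:
        srv.shutdown()
        srv.server_close()
```

To check a real site, call probe() with its URL instead of the mock's. Two caveats: X-Powered-By is only sent when the host leaves expose_php on, so its absence proves nothing about the PHP version; and a planted script may key on more than the referrer (cookie, IP range, a second visit), so a clean result from one combination of headers does not clear the site.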
 
On 01/06/2018 07:41, Jasen Betts wrote:
On 2018-05-31, Martin Brown <'''newspam'''@nezumi.demon.co.uk> wrote:
On 31/05/2018 17:27, makolber@yahoo.com wrote:


It is a moderate concern. Thanks to help from an internet wizard I now
have chapter and verse on the compromised sites. The vulnerability is in
a script language PHP version 5.x with x<6 and a frightening number of
sites and hosting services are still running that old legacy code by
default. Worth checking what version you have on your platform.

or you can just look at the HTTP headers to see the PHP version.

The method used was an injection attack that rewrote the .htaccess file
and added a bogus index.php file to the root directory.

Script bug or PHP bug? does it have a CVE number? I avoid having WWW
pages writeable by the WWW server process.

A vulnerability in PHP 5.2 where it is apparently easily exploited. I
don't know any more than I have posted beyond that 5.6 might be OK.

My tame internet wizard told me what sort of thing to look for after
Telneting to the site pretending to be Google and he was spot on.

The hosting company was annoyingly unhelpful and just tried to sell me
extra services to fix a problem caused by them still running PHP 5.2. I
have forced an upgrade to PHP 7 now. Their attitude was your website you
sort it out. Which I can do[*]. But how many bouncy castle rental
companies or painters and decorators will have the necessary skills?

<cynic>
They seem to see letting websites get infected with malware as a
business opportunity to sell services to the hapless site owners.
</cynic>

[*] Admittedly by calling in a favour with an old friend. My first level
internet wizard was similarly baffled by the search engine symptoms but
is mainly a transport protocol guy so not all that web hijack savvy.

I'm open to suggestions for ways to hobble any future PHP injection
attacks since I don't actually use PHP on the site I maintain at all.
I am no Unix wizard so the .htaccess file isn't very complex.

--
Regards,
Martin Brown
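Added example, not part of the thread, for the question Martin ends on (how to hobble future PHP injection on a site that uses no PHP). It is a Python script to run on the hosting platform itself: it scans a web root for the indicators described in this thread (a .htaccess that keys on HTTP_REFERER and search-engine names, a planted index.php that redirects on the referrer or runs obfuscated code, files the web server process could write) and appends a block to .htaccess that refuses every PHP request, then makes that file read-only. The planted sample files, the fake-handbags.example hostname and the finding strings are constructed; the Apache directives assume Apache 2.4 with AllowOverride permitting authorization directives in .htaccess, which a shared host may not allow.

```python
import re
import stat
import tempfile
from pathlib import Path

# Indicators of the infection described in the thread: a .htaccess that
# treats search-engine referrers specially, and a planted index.php that
# reads HTTP_REFERER and issues a Location redirect (often obfuscated).
HTACCESS_REFERER = re.compile(r"RewriteCond\s+%\{HTTP_REFERER\}.*?(google|bing|yahoo)", re.I)
PHP_REFERER = re.compile(r"HTTP_REFERER", re.I)
PHP_REDIRECT = re.compile(r"header\s*\(\s*['\"]Location:", re.I)
PHP_OBFUSCATED = re.compile(r"\b(eval|base64_decode|gzinflate|str_rot13)\s*\(", re.I)

# Hardening for a site that serves no PHP at all. Assumed: Apache 2.4 and a
# host whose AllowOverride lets .htaccess carry authorization directives.
NO_PHP_DIRECTIVES = """\
# Site serves no PHP: refuse to serve or execute any PHP file.
<FilesMatch "\\.(php|phtml|php[0-9]|phar)$">
    Require all denied
</FilesMatch>
"""


def scan_webroot(root, site_uses_php=False):
    """Return a list of human-readable findings for the web root at `root`."""
    root = Path(root)
    findings = []
    htaccess = root / ".htaccess"
    if htaccess.exists():
        text = htaccess.read_text(errors="replace")
        if HTACCESS_REFERER.search(text):
            findings.append(".htaccess treats search-engine referrers specially")
        if not site_uses_php and "Require all denied" not in text:
            findings.append(".htaccess does not block PHP on a site that uses none")
    for php in sorted(root.glob("*.php")):  # top level only, as in the thread
        if not site_uses_php:
            findings.append(f"unexpected PHP file in web root: {php.name}")
        body = php.read_text(errors="replace")
        if PHP_REFERER.search(body) and (PHP_REDIRECT.search(body) or PHP_OBFUSCATED.search(body)):
            findings.append(f"{php.name} redirects or runs obfuscated code based on HTTP_REFERER")
    for path in [htaccess, *root.glob("*.php")]:
        if path.exists() and path.stat().st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append(f"{path.name} is group- or world-writable")
    return findings


def harden_no_php_site(root):
    """Append the deny-PHP block to .htaccess if it is missing and make the
    file read-only. Returns True if the file content was changed."""
    htaccess = Path(root) / ".htaccess"
    current = htaccess.read_text(errors="replace") if htaccess.exists() else ""
    changed = False
    if "Require all denied" not in current:
        htaccess.write_text(current.rstrip("\n") + "\n" + NO_PHP_DIRECTIVES)
        changed = True
    # Read-only for everyone; the web server process must not be able to
    # rewrite it. Ownership by a different user than the server is stronger.
    htaccess.chmod(stat.S_IRUSR | stat.S_IRGRP | stat.S_IROTH)
    return changed


def plant_demo_infection(root):
    """Constructed sample of the described infection, so the scanner has input."""
    root = Path(root)
    (root / ".htaccess").write_text(
        "RewriteEngine On\n"
        "RewriteCond %{HTTP_REFERER} (google|bing|yahoo)\\. [NC]\n"
        "RewriteRule ^$ /index.php [L]\n"
    )
    (root / "index.php").write_text(
        "<?php\n"
        "$r = isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '';\n"
        "if (preg_match('/google|bing|yahoo/i', $r)) {\n"
        "  header('Location: http://fake-handbags.example/'); exit;\n"
        "}\n"
    )
    (root / "index.html").write_text("<html><title>Cromore Castles</title></html>\n")


def run_demo():
    """Plant the sample, scan, harden, rescan; returns (before, after) findings."""
    with tempfile.TemporaryDirectory() as demo:
        plant_demo_infection(demo)
        before = scan_webroot(demo)
        harden_no_php_site(demo)
        after = scan_webroot(demo)
    return before, after


if __name__ == "__main__":
    before, after = run_demo()
    print("before hardening:", *before, sep="\n  ")
    print("after hardening:", *after, sep="\n  ")
```

The Require block makes Apache answer 403 for any .php request before a handler runs, whichever PHP setup the host uses; if the host does not allow those directives in .htaccess the site will answer 500 instead, so check it after applying. Hardening only adds the block: the planted index.php and the rewrite rules are still there and the second scan still reports them, and cleaning them out (and checking every other directory, not just the root) is a separate step. Mode bits are also only a speed bump if the server runs as the same user that owns the docroot, since that process can chmod the file back; Jasen's point about not letting the server process write to the pages is the real fix.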
 
Martin Brown wrote:
Some people have no understanding of the internet but comment anyway.

Yeah right, I don't know how DNS works.

You don't seem to understand the difference between a question and a
comment.

So what if I didn't know they sell jungle gyms or whatever they're
called. You didn't *say* they don't sell handbags.

FU
 
On 05/31/2018 11:57 AM, Steve Wilson wrote:
Here's another. 10.04, April, 2010.

Works great. No need to update.

Where else can you find an operating system that works so well and has no
risk of destruction due to updates?
[OT]
canonical is not the problem.
It's just that I don't like firefox telling it to the search engine.
Anyone know how to turn that off?
 
On 31/05/18 19:57, Steve Wilson wrote:
Johann Klammer <klammerj@NOSPAM.a1.net> wrote:

On 05/31/2018 09:24 AM, John Devereux wrote:

https://duckduckgo.com/?q=cromorecastles&t=canonical&ia=web

Ah, a ubuntu user!

Here's another. 10.04, April, 2010.

Works great. No need to update.

Where else can you find an operating system that works so well and has no
risk of destruction due to updates?

Use VirtualBox and arrange to restart from a snapshot every
time, and you can do that with any OS... even Windoze.
Host-only networking means it's unlikely to get corrupted
anyhow. User documents get saved on the host machine, of
course.

I just moved my machines from VMWare Fusion to VirtualBox,
with the images stored on an external SSD drive, so I can
run them on any computer with USB and VirtualBox. No noticeable
slow-down, and it only takes ten seconds to plug and wake.

Clifford Heath.
 
On Wednesday, May 30, 2018 at 11:30:30 AM UTC-4, John Larkin wrote:
On Wed, 30 May 2018 15:19:16 +0100, Martin Brown
wrote:

I have encountered a weird search engine problem with Google, Bing and
Yahoo all affected to some extent. Some search result URLs have been
corrupted and hijacked to fake designer goods stores and I can't see how
it has been done. I have tried from different platforms and it seems
that the problem is with the indexing and content at the search engine.

To see what I mean with a concrete example take a look at the top two
hits for the following search terms on Google:

Hermes fake cromorecastle

On my system this forces two mangled websites to the top of the list.
Their genuine URLs are below however Google doesn't link to them any
more nor does it show the true content of their web pages. Any wizards
able to explain what is going on and how to get things put right?

http://www.cromorecastles.co.uk/
and
http://www.shockcordstore.co.uk/

It looks like a contagion with an increasing number of sites gaining
spurious fake designer brand title additions even if the URL for the
moment remains unmolested. I first saw the problem on Bing this morning
but careful investigation shows that it is much more widespread.

The unqualified bare URL is typically the one that is hijacked but I
have seen spurious titles appear in deep links too.

I don't think it is my router or ISP's DNS gone haywire. I have ruled
out PC malware as I see exactly the same problem from Android via
another route.

I have now got independent confirmation that the searches done through
an entirely separate route give the same results.



Thanks for any enlightenment.

I wonder is there is a DNS that won't serve up
spam/malware/garbage/porn IP addresses.

How about a server that keeps a list of bad sites, so a browser can
check them before opening?

Why don't big ISPs sniff packets and refuse to carry malware?

Really, we are in the barbaric dark ages of computing.



--

John Larkin Highland Technology, Inc

lunatic fringe electronics

"Why don't big ISPs sniff packets and refuse to carry malware?"

Because we live in a country that is supposed to protect privacy and allow free speech and protect its citizens against non-warrantless searches. If you allow them to "sniff the packet stream" then they know what is going through their connections.

This in turn could make it incredibly easy for Joe Shmoe who doesn't care about working for his cable company or is working unscrupulously for them to easily retrieve info like passwords, website data, end point IP addresses (essentially where you live), encrypted channels that he could then decrypt for credit card info, etc. etc.

We've already done half their work by all signing up for a centralized info store like Facebook, lets not give the last little bit of power we have which is keeping the government out of our open internet away too.

It is more difficult to protect in this day and age but, as an IT person yourself, I'm sure you would agree that there are also a multitude of ways to protect, prevent and surveil your own website to the point of not having DDOS attacks or defacing. The older internet had none of these things, it was a free for all..

Just saying - we should fight for a free and open internet run as open source as possible to make it as robust and updated as possible. We are slowly losing this fight to arguments such as yours saying "but it would make it so much easier!" It would, but it would also make it less out of our hands and more into power we can't control and don't know or understand.

Just my 2 cents. Not trying to blow this up into an argument. If you don't agree with what I said I do invite discourse, I understand it's technology so I could be out of the loop and not getting what you're saying. I hope you have a nice Sunday, peace.
 
On Sunday, November 10, 2019 at 10:49:18 AM UTC-5, kle...@gmail.com wrote:
On Wednesday, May 30, 2018 at 11:30:30 AM UTC-4, John Larkin wrote:
On Wed, 30 May 2018 15:19:16 +0100, Martin Brown
wrote:

I have encountered a weird search engine problem with Google, Bing and
Yahoo all affected to some extent. Some search result URLs have been
corrupted and hijacked to fake designer goods stores and I can't see how
it has been done. I have tried from different platforms and it seems
that the problem is with the indexing and content at the search engine.

To see what I mean with a concrete example take a look at the top two
hits for the following search terms on Google:

Hermes fake cromorecastle

On my system this forces two mangled websites to the top of the list.
Their genuine URLs are below however Google doesn't link to them any
more nor does it show the true content of their web pages. Any wizards
able to explain what is going on and how to get things put right?

http://www.cromorecastles.co.uk/
and
http://www.shockcordstore.co.uk/

It looks like a contagion with an increasing number of sites gaining
spurious fake designer brand title additions even if the URL for the
moment remains unmolested. I first saw the problem on Bing this morning
but careful investigation shows that it is much more widespread.

The unqualified bare URL is typically the one that is hijacked but I
have seen spurious titles appear in deep links too.

I don't think it is my router or ISP's DNS gone haywire. I have ruled
out PC malware as I see exactly the same problem from Android via
another route.

I have now got independent confirmation that the searches done through
an entirely separate route give the same results.



Thanks for any enlightenment.

I wonder is there is a DNS that won't serve up
spam/malware/garbage/porn IP addresses.

How about a server that keeps a list of bad sites, so a browser can
check them before opening?

Why don't big ISPs sniff packets and refuse to carry malware?

Really, we are in the barbaric dark ages of computing.



--

John Larkin Highland Technology, Inc

lunatic fringe electronics


"Why don't big ISPs sniff packets and refuse to carry malware?"

Because we live in a country that is supposed to protect privacy and allow free speech and protect it's citizens against non-warrantless searches. If you allow them to "sniff the packet stream" then they know what is going through their connections.

This in turn could make it incredibly easy for Joe Shmoe who doesn't care about working for his cable company or is working unscrupulously for them to easily retrieve info like passwords, website data, end point IP addresses (essentially where you live), encrypted channels that he could then decrypt for credit card info, etc. etc.

I'm pretty sure it's not that easy to decrypt encrypted channels. So your point of security is not valid. There are plenty of other traffic that could be monitored, but even that is pretty unimportant to most people or they wouldn't give away the rights for web sites to track their data, etc.

A hazard I'm more concerned about is false positives. JL is the sort of person who sees the world in simplistic ways. He thinks in black and white, good and evil. It's not so easy to tell who the good guys are.

I use a programming tool that is often reported as a virus when installed. If JL's idea is implemented and the typical tools were used to report viruses, this tool could never be downloaded. It is open source and the developers have tried many things to figure out what changed that it started to be reported as a false positive, but no luck. The AVS developers usually don't want to cooperate as they consider everyone to be a virus writer and interested in how the AVS tools work.

No, a universal, one size fits all, Internet traffic virus blocker is not a good thing.

--

Rick C.

- Get 1,000 miles of free Supercharging
- Tesla referral code - https://ts.la/richard11209
 
