The Gooner Ramble: Match Report

Join gzagee and guests in the weekly Gooner Ramble podcast.

Re: The Gooner Ramble: Match Report

Postby Tony_Adams » Sun Jan 05, 2014 10:33 am

Ellimist wrote:Posting that here will also classify this site as unsafe.


Any ideas what the problem could be?
Image
User avatar
Tony_Adams
SE13
SE13
 
Posts: 34835
Joined: Fri Mar 13, 2009 7:03 pm

Re: The Gooner Ramble: Match Report

Postby Ellimist » Sun Jan 05, 2014 10:47 am

Those Viagra selling sites spam their links everywhere. The links produced this way aren't legitimate, and this is considered by some to be "black-hat" SEO. The anti-virus should ideally block access to the site that engage in such practices, but it's erroneously blocking access to the sites which are spammed. I think that text with those links were posted as a comment on one of the Gooner Ramble blog posts, which probably has been removed by now. But the anti-virus still throws up warnings.

Which is the reason why those links should not be posted here. Some myopic anti-virus may just decide that this site is dangerous.


On closer inspection, that site really is infected. The infection is appending this at the end of the html closing tag.

Code: Select all
<div id='hideMeya'> Just log in such as their interest the peace of urgent pay day loans <a href="http://wpaydayloanscom.com" title="urgent pay day loans">urgent pay day loans</a> around a recipe for extra cost prohibitive. Often there would be on quick confirmation of identification http://wcialiscom.com/ <a href="http://wcialiscom.com" title="http://wcialiscom.com/">http://wcialiscom.com/</a> and instant approval rate that means. Social security disability checks of lender a repayment on http://viagra-9online.com/ <a href="http://viagra-9online.com" title="http://viagra-9online.com/">http://viagra-9online.com/</a> these unforeseen expenditures and loan allows. Remember that proof of run into buy cheap viagra <a href="http://wviagracom.com" title="buy cheap viagra">buy cheap viagra</a> these qualifications for funds. Bad credit because our representatives if http://cialis-4online.com/ <a href="http://cialis-4online.com" title="http://cialis-4online.com/">http://cialis-4online.com/</a> unable to almost instantly. Perhaps the good news to military members or won viagra lawsuits in may of 2010 <a href="http://viagra-9online.com" title="won viagra lawsuits in may of 2010">won viagra lawsuits in may of 2010</a> getting payday cash than a. Life is expensive interest charge greater interest or http://wviagracom.com/ <a href="http://wviagracom.com" title="http://wviagracom.com/">http://wviagracom.com/</a> available online borrowing from minors or. These establishments can help reduce the thousands of everyday cialis <a href="http://cialis-4online.com" title="cialis">cialis</a> people choose the website for any person. Unfortunately borrowing for each paycheck to use a checking levitra <a href="http://levitra-3online.com" title="levitra">levitra</a> the availability of you feeling down? Borrowing money for borrows with absolutely no complications that all cialis <a href="http://wcialiscom.com" title="cialis">cialis</a> information regarding your friends so that time.  </div><script type='text/javascript'>if(document.getElementById('hideMeya') != null){document.getElementById('hideMeya').style.visibility = 'hidden';document.getElementById('hideMeya').style.display = 'none';}</script>        


Whoever is managing that site (probably golfinguy) needs to take care of it ASAP.
Bitcoin - 1Lu7GztP9YyJdt9Zt3hEaXjcAkgQZNuVLC
User avatar
Ellimist
Charlie George
Charlie George
 
Posts: 582
Joined: Sat Oct 16, 2010 3:15 pm

Re: The Gooner Ramble: Match Report

Postby Tony_Adams » Sun Jan 05, 2014 11:20 am

Cheers, I'll avoid it until he does!!!
Image
User avatar
Tony_Adams
SE13
SE13
 
Posts: 34835
Joined: Fri Mar 13, 2009 7:03 pm

Re: The Gooner Ramble: Match Report

Postby Ellimist » Sun Jan 05, 2014 11:24 am

The infection does nothing else apart from spamming a bunch of invisible links. It's probably safe to visit.
Bitcoin - 1Lu7GztP9YyJdt9Zt3hEaXjcAkgQZNuVLC
User avatar
Ellimist
Charlie George
Charlie George
 
Posts: 582
Joined: Sat Oct 16, 2010 3:15 pm

Re: The Gooner Ramble: Match Report

Postby Tony_Adams » Sun Jan 05, 2014 11:24 am

Cheers
Image
User avatar
Tony_Adams
SE13
SE13
 
Posts: 34835
Joined: Fri Mar 13, 2009 7:03 pm

Re: The Gooner Ramble: Match Report

Postby Zedie » Sun Jan 05, 2014 11:29 am

Ellimist wrote:That site is infected.

Whoever is managing that site (probably golfinguy) needs to take care of it ASAP.


Thanks for the heads up, I will refrain from posting any direct links until sorted!

Cant catch a break!
Image
User avatar
Zedie
SE13
SE13
 
Posts: 33041
Joined: Mon Oct 25, 2010 12:09 pm
Location: in the man cave

Re: The Gooner Ramble: Match Report

Postby golfinguy » Sun Jan 05, 2014 4:30 pm

Ellimist wrote:Those Viagra selling sites spam their links everywhere. The links produced this way aren't legitimate, and this is considered by some to be "black-hat" SEO. The anti-virus should ideally block access to the site that engage in such practices, but it's erroneously blocking access to the sites which are spammed. I think that text with those links were posted as a comment on one of the Gooner Ramble blog posts, which probably has been removed by now. But the anti-virus still throws up warnings.

Which is the reason why those links should not be posted here. Some myopic anti-virus may just decide that this site is dangerous.


On closer inspection, that site really is infected. The infection is appending this at the end of the html closing tag.

Code: Select all
<div id='hideMeya'> Just log in such as their interest the peace of urgent pay day loans <a href="http://wpaydayloanscom.com" title="urgent pay day loans">urgent pay day loans</a> around a recipe for extra cost prohibitive. Often there would be on quick confirmation of identification http://wcialiscom.com/ <a href="http://wcialiscom.com" title="http://wcialiscom.com/">http://wcialiscom.com/</a> and instant approval rate that means. Social security disability checks of lender a repayment on http://viagra-9online.com/ <a href="http://viagra-9online.com" title="http://viagra-9online.com/">http://viagra-9online.com/</a> these unforeseen expenditures and loan allows. Remember that proof of run into buy cheap viagra <a href="http://wviagracom.com" title="buy cheap viagra">buy cheap viagra</a> these qualifications for funds. Bad credit because our representatives if http://cialis-4online.com/ <a href="http://cialis-4online.com" title="http://cialis-4online.com/">http://cialis-4online.com/</a> unable to almost instantly. Perhaps the good news to military members or won viagra lawsuits in may of 2010 <a href="http://viagra-9online.com" title="won viagra lawsuits in may of 2010">won viagra lawsuits in may of 2010</a> getting payday cash than a. Life is expensive interest charge greater interest or http://wviagracom.com/ <a href="http://wviagracom.com" title="http://wviagracom.com/">http://wviagracom.com/</a> available online borrowing from minors or. These establishments can help reduce the thousands of everyday cialis <a href="http://cialis-4online.com" title="cialis">cialis</a> people choose the website for any person. Unfortunately borrowing for each paycheck to use a checking levitra <a href="http://levitra-3online.com" title="levitra">levitra</a> the availability of you feeling down? Borrowing money for borrows with absolutely no complications that all cialis <a href="http://wcialiscom.com" title="cialis">cialis</a> information regarding your friends so that time.  </div><script type='text/javascript'>if(document.getElementById('hideMeya') != null){document.getElementById('hideMeya').style.visibility = 'hidden';document.getElementById('hideMeya').style.display = 'none';}</script>         


Whoever is managing that site (probably golfinguy) needs to take care of it ASAP.



I can't find that tag anywhere. We've had a few spam comments but the ones I just looked at (in the trash bin) don't look like this either, and they always get taken down quickly and automatically by akismet.

Avast doesn't have issues with it. The only adds on there are via google and I can't imagine they would let something like that happen, and thousands of sites would have it if that were the case.

Not sure what else to do. If other people are really still seeing something please let me know.
__________________________________________________________
I've gone to find myself. If I get back before I return, keep me here.
User avatar
golfinguy
Tony Adams
Tony Adams
 
Posts: 2056
Joined: Fri Jan 09, 2009 7:07 pm
Location: The Wrong Fairway

Re: The Gooner Ramble: Match Report

Postby Ellimist » Sun Jan 05, 2014 5:07 pm

I'm not sure you understand the severity of it or the meaning of 'infection'. This is not run-of-the-mill comment spam. The Wordpress files have been modified to output that invisible link spam code on the index page of the blog (and probably elsewhere too). View the HTML source of the index page to see it. It's at the end of the source code, after the closing html tag. Either it is in /wp-content/themes/noteworthy/index.php, or it's added via a hook.

Your web space has been compromised. Purge everything and start anew, change all your passwords {including FTP, SSH, etc) and do a security audit to see how they could have got in.

golfinguy wrote:Not sure what else to do. If other people are really still seeing something please let me know.

If you really want to see it, you will have to disable Javascript on your browser to see it. The whole thing is encapsulated in a div with id 'hideMeya', and it's CSS is set to "display: none" with Javascript.
You do not have the required permissions to view the files attached to this post.
Bitcoin - 1Lu7GztP9YyJdt9Zt3hEaXjcAkgQZNuVLC
User avatar
Ellimist
Charlie George
Charlie George
 
Posts: 582
Joined: Sat Oct 16, 2010 3:15 pm

Re: The Gooner Ramble: Match Report

Postby golfinguy » Sun Jan 05, 2014 9:00 pm

I didn't lack the understanding - just found nothing at the time. That included viewing source, searching the html and php files for the offending text, and checking via two browsers (firefox and chrome). Since I found nothing wrong and others told me it was fine, I didn't go looking for hooks.

But I just checked again with IE and now see it.

...Looks like it may have been a plug-in as I removed all we were not using and it seems to be gone now.

Can someone else look again? I'm checking with three browsers now and do not see it, but no longer trust what I'm seeing.
__________________________________________________________
I've gone to find myself. If I get back before I return, keep me here.
User avatar
golfinguy
Tony Adams
Tony Adams
 
Posts: 2056
Joined: Fri Jan 09, 2009 7:07 pm
Location: The Wrong Fairway

Re: The Gooner Ramble: Match Report

Postby Tony_Adams » Sun Jan 05, 2014 9:20 pm

Working fine for me now!
Image
User avatar
Tony_Adams
SE13
SE13
 
Posts: 34835
Joined: Fri Mar 13, 2009 7:03 pm

Re: The Gooner Ramble: Match Report

Postby Zedie » Sun Jan 05, 2014 10:02 pm

McGuyver would be proud.

Well done ellimist & golfinguy!
Image
User avatar
Zedie
SE13
SE13
 
Posts: 33041
Joined: Mon Oct 25, 2010 12:09 pm
Location: in the man cave

Re: The Gooner Ramble: Match Report

Postby Tony_Adams » Sun Jan 05, 2014 10:06 pm

Yeah, well done lads, its been annoying me for nearly a fortnight!!!
Image
User avatar
Tony_Adams
SE13
SE13
 
Posts: 34835
Joined: Fri Mar 13, 2009 7:03 pm

Previous

Return to The Gooner Ramble

Who is online

Users browsing this forum: No registered users and 1 guest