Some shady script in Phoronix opening shady ad in new tab

  • #1

    While on the home page, I wanted to read the article about SystemD 215 and at about 7:45 AM, some script opened a new tab in Google Chrome, which leads to "Warning! Do not enter if you are under 18 years old!" (that warning is all in the title bar). I'm unsure if that website that popped up in a new tab came from this:
    Code:
    http://www.adcash.com/script/pop_packcpm.php?k=53b693d4323fe1432407.2307047&h=88c71ad26a6a4efe110f6b01121816e81db32496&id=0&ban=1432407&r=250305&ref=h&data=&subid=&iid=11447498031404474324668587592&new=1&dx=%3D%3DwD
    I am VERY SUSPICIOUS and I would be happy to sign up for a premium just to be rid of it, but I don't mind legitimate advertisers as long as they do not cause any problems like this, such as malware infections and executing shady scripts that would impede Internet surfing. Plus, I don't have that kind of disposable income right now, but at least I will get a job after a four-week training period.

  • #2
    Originally posted by GraysonPeddie View Post
    ...I am VERY SUSPICIOUS and I would be happy to sign up for a premium just to be rid of it, but I don't mind legitimate advertisers as long as they do not cause any problems like this, such as malware infections and executing shady scripts that would impede Internet surfing. Plus, I don't have that kind of disposable income right now, but at least I will get a job after a four-week training period.
    Kind of the opposite of how I view it. If Phoronix is indeed willingly allowing such advertisements to those who don't pay up, I'll just fire up a free adblocker. Shouldn't have to pay to avoid malicious sites...

    But in any case, I'm sure it's just a mistake, and hopefully will be dealt with.



    • #3
      It happened again!



      thefreecamsecret dot com is a porn site.

      I think this adcash.com stuff started to occur beginning July 2nd, which is last week. As far as I know, this only happened while browsing Phoronix website.

      Honestly, I don't feel safe without AdBlock and no I don't have any viruses in my Ubuntu machine. I love being at Phoronix website and I would be happy to pay for the premium whenever I get a job.



      • #4
        Okay. The good news is Phoronix is not the problem, but something must be happening on my end, so I think this thread belongs in Off-Topic Discussion. I was browsing DSLReports.com with AdBlock enabled for their site and it looks like something must be triggered on my end and not a problem with DSLReports.com or Phoronix.com.

        Now to track down the problem that is happening in Linux and Google Chrome...

        I have enabled AdBlock Plus for Phoronix, but for such a problem that I have described above, I have disabled AdBlock Plus in Google Chrome for Phoronix's website.
        Last edited by GraysonPeddie; 07-08-2014, 09:05 PM.



        • #5
          Does this problem occur on Windows and has it triggered a virus warning for Windows users? Perhaps Michael should check to see where the problematic banner is coming from if it comes in intermittently and if there is a problem he should notify that particular ad service. Lately a lot of ad servers have been compromised according to some reports floating around.



          • #6
            Linux only for me, so no Windows on my computer. Not even a dual-boot.

            I've done a search for adcash.com chrome linux but during Internet surfing, it's not really a popup ad per se, but some script in adcash.com opens up tab(s) waiting for me to click in a tab to see what's in there, but it turned out to be malicious websites.

            If ad servers have become compromised, I'm going to start enforcing adblocking as a safety net.



            • #7
              This is confirmed malicious, usually involves malicious browser extensions

              http://malwaretips.com/blogs/adcash-com-virus-removal/ shows that a number of "free" software programs available for Windows are using malicious browser extensions to open adcash.com windows that normally appear as popups. Their exact words are "If you are seeing pop-up ads from Adcash.com whenever you are opening a new tab within Internet Explorer, Firefox and Google Chrome, then your computer is infected with an adware or a potentially unwanted program." Not what I expect to see researching a story from a Linux forum!

              Similar stories appear on a number of other Windows security sites.

              Apparently in Linux builds of Firefox these ads appear as new tabs. Presumably any executables would be limited to javascript programs, etc. if they run on platforms other than Windows. The adserver itself is not supposed to be the source of the extra tabs/popups, but rather malicious extensions serve them. Check ALL your extensions, remove any that you did not know you had. Hell, what's to stop someone from making a fake adblocker or Youtube downloader that includes something like this or even a keylogger? Never install extensions from untrusted sources, and never let a web page install one you did not expect.

              If this is showing up, EVER, with a default install of Firefox with no extensions on a live disk or other known clean operating system, there is another problem. I haven't heard stories of Phoronix using pop-up or new tab ads. Popups in general were supposed to be obsolete nearly a decade ago due to near-universal blocking of popup ads by browser default installs. If Phoronix is using the adcash site directly, this can create false alarms as the ad site is widely used by scam artists and criminals. How are people supposed to verify that a website sent them the ads and not malicious software on their own machine?

              After an incident like this, I'd shitcan my entire .mozilla directory, reopen the browser while offline, reset all preferences, etc. for any non-security critical computer. For a plain websurfer or public computer with no sensitive information on it, never used for banking, with credit cards, or with sensitive encryption passphrases this would be enough. It's a good thing we don't surf as root on Linux as this means removing the old .mozilla directory is usually enough to clean Firefox. If you are really worried throw out your .local, .config, and .cache directories and reconfigure your desktop. Something running from Firefox can't write to anything outside /home/$USER or /tmp without a privilege escalation attack, unlike someone on Windows logged in as administrator. On a default older Windows install machine, every time you go online it's just like running "sudo firefox," thus the infestation of Windows attackware.

              On the other hand, something like this on one of my machines that handles encrypted material would make me shit a brick. I would consider the mysterious appearance of something associated with malicious browser extensions on one of those to be a very serious security incident, enough to force me to roll back my OS to a snapshot predating the problem, maybe even re-key every disk I have.

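The "check ALL your extensions" step above, as an added example that is not part of the original post: a POSIX shell function that inventories a Chrome profile straight from the on-disk extension manifests, so the list does not depend on what the browser's own extensions page chooses to show, and flags any extension whose manifest asks to run on every site, since that is the permission a tab-spawning adware extension needs. The Linux profile path ~/.config/google-chrome/Default and the ALL_URLS label are this example's assumptions, not something the thread states.

```shell
#!/bin/sh
# Inventory the Chrome extensions installed in a profile by reading the
# manifests on disk.
#
# Assumed Chrome-on-Linux layout:
#   ~/.config/google-chrome/Default/Extensions/<id>/<version>/manifest.json

# list_chrome_extensions PROFILE_DIR
# Prints one line per extension version found:
#   <id> <version> <name> [ALL_URLS]
# ALL_URLS marks manifests that request to run on every site
# ("<all_urls>" or "*://*/*"), the capability adware needs to inject
# into arbitrary pages.
list_chrome_extensions() {
    profile="$1"
    ext_root="$profile/Extensions"
    [ -d "$ext_root" ] || { echo "no Extensions dir under $profile" >&2; return 1; }
    for manifest in "$ext_root"/*/*/manifest.json; do
        [ -f "$manifest" ] || continue
        verdir=$(dirname "$manifest")
        id=$(basename "$(dirname "$verdir")")
        version=$(basename "$verdir")
        # First "name" value in the manifest. Names of the form
        # __MSG_xxx__ are locale placeholders and are printed as-is.
        name=$(sed -n 's/.*"name"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' "$manifest" | head -n 1)
        flag=""
        if grep -q -e '<all_urls>' -e '\*://\*/\*' "$manifest"; then
            flag=" ALL_URLS"
        fi
        printf '%s %s %s%s\n' "$id" "$version" "${name:-?}" "$flag"
    done
}

# Usage on a real profile (assumed default location):
#   list_chrome_extensions "$HOME/.config/google-chrome/Default"
```

Compare the printed ids against what the browser's extensions page lists; an id that exists on disk but is not shown in the browser is the first thing to look at. A name printed as __MSG_..._ is a localized placeholder, which is normal for Google's own extensions.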


              • #8
                Okay. I primarily use Google Chrome at home and I'm not using public computers at all. I will have to backup my google-chrome directory even though none of the extensions cause a problem. It is annoying, but oh well.

                Michael, I would like to apologize for the false alarm that I have caused. I'm unsure if this adcash.com popup affects anyone browsing Phoronix but I've started to realize it is just me that turns out to be the problem.



                • #9
                  Hello,
                  Some time ago (in Feb 2011) I got a message that someone logged in to my Facebook account from Opera on WinXP, though I hadn't used Opera in ages.
                  I was using exclusively Linux at that time. I thought that was likely a cracker because there are virtually no viruses on Linux so it had to be by hand.



                  • #10
                    Do you have any ideas on what could have caused the breach?
                    I had only the SQLite Manager installed and it looked legitimate (likely I installed it after the breach).
                    There was no other suspicious activity, no EXE and ELF files on my disk were modified.



                    • #11
                      Browser extensions are cross-platform

                      Originally posted by Mat2 View Post
                      Do you have any ideas on what could have caused the breach?
                      I had only the SQLite Manager installed and it looked legitimate (likely I installed it after the breach).
                      There was no other suspicious activity, no EXE and ELF files on my disk were modified.
                      That's the thing: a browser extension that does not use native operating system executables at all and simply runs in the browser should be as OS-agnostic as a Flash game. If I had a machine stolen and didn't know what OS the thieves had installed but could push a program to it by a known IP address, that's exactly how I would do it. A browser extension that keylogs passphrases entered into websites, for instance, is a monetizable cross-platform attack that could target not only your online accounts but your bank accounts too if you ever bank online! Also, for that malicious login don't forget plain old phishing, man in the middle attacks on wifi access points, even with WPS if a weak passphrase is used, all the usual stuff.



                      • #12
                        My computer has not been stolen and hasn't been used by anyone except me. These are the extensions that I currently use in Google Chrome:
                        • "Top Stories" Section Remover
                        • Adblock for Youtube™
                        • Adblock Plus
                        • Better History
                        • Chromebleed
                        • chromeIPass
                        • Flashcontrol
                        • Google Apps Script
                        • Google Docs
                        • Google Drawings
                        • Google Voice (by Google)
                        • Google+ Notifications
                        • High Contrast
                        • Image Properties Context Menu
                        • KnowURL: Expand tiny short links
                        • NetBeans Connector
                        • NotScripts (like NoScript for Firefox but in Google Chrome)
                        • Password Peek
                        • Personal Blocklist (by Google)
                        • Plus Minus (For showing/hiding anyone/group in the main stream, but does not work with new Google+ and still worked on by developer)
                        • Radium (EPUB reader for Chrome)
                        • Responsive Web Design Tester (for testing to see if a website will fit well with a mobile device)
                        • Scientific Calculator
                        • Secure Shell
                        • Take me to my Youtube™ Subscriptions (Automatically redirects you to Uploads only of your subscriptions.)
                        • User-Agent Switcher for Chrome

                        And that's about it. I don't think any of the extensions would trigger adcash.com to open up a malicious site, so I'm out of ideas now. Well, at least I did not see any tabs showing up with porn/malicious site today while surfing the Internet.



                        • #13
                          Is anyone else seeing Adcash while using Phoronix?

                          Originally posted by GraysonPeddie View Post
                          My computer has not been stolen and hasn't been used by anyone except me. These are the extensions that I currently use in Google Chrome:
                          ...
                          And that's about it. I don't think any of the extensions would trigger adcash.com to open up a malicious site, so I'm out of ideas now. Well, at least I did not see any tabs showing up with porn/malicious site today while surfing the Internet.
                          If this shows up surfing Phoronix from a live disk, the problem is at Phoronix or at an adserver used by Phoronix. If so, a lot of users should see it, at least in a single geographic area using the same browser.

                          If only one user sees this and it does not reappear when using a live disk, but DOES reappear on the main OS, then the problem is on that computer. If the problem does not reappear at all, diagnosis after the fact is quite beyond me.

                          I cannot evaluate the listed extensions as I do not have Chrome installed due to distrust of Google. It's a lot of extensions overall, you might do a Startpage search checking each extension one at a time to see if any malicious updates have been reported. There have been several cases in Firefox where an originally safe extension was subsequently monetized by the addition of adware to it, waiting for users to update to the malicious versions. Also, is it possible in Chrome for the author of a malicious extension to hide it from being listed?

                          If you don't want to use adblocking extensions or want to whitelist sites for other adservers, you might want to 127.0.0.1 out adcash.com in your /etc/hosts file to prevent ever connecting to them again.

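The /etc/hosts suggestion above, written out as an added example that is not from the original post: an idempotent shell function that pins each listed hostname to 127.0.0.1, plus a check that only accepts an active, uncommented line so a commented-out entry is not mistaken for a block. It assumes a hosts file in the usual format; the hostnames passed in are the poster's adcash.com and its www. variant, since /etc/hosts matches exact names only and has no wildcards.

```shell
#!/bin/sh
# Pin ad-server hostnames to 127.0.0.1 in a hosts file, idempotently, so
# the script can be re-run after every new sighting without piling up
# duplicate lines. /etc/hosts matches exact hostnames only, so every
# variant the page might load (bare domain, www.) must be listed.

# host_blocked HOSTS_FILE HOSTNAME
# True when an active (uncommented) line maps the exact hostname to a
# loopback or null address. A "#"-commented line does not count.
host_blocked() {
    awk -v h="$2" '
        /^[[:space:]]*#/ { next }
        ($1 == "127.0.0.1" || $1 == "0.0.0.0" || $1 == "::1") {
            for (i = 2; i <= NF; i++) if ($i == h) found = 1
        }
        END { exit (found ? 0 : 1) }
    ' "$1"
}

# block_hosts HOSTS_FILE HOSTNAME...
# Appends "127.0.0.1 <hostname>" for each hostname not already blocked
# and prints how many lines were added.
block_hosts() {
    hosts_file="$1"; shift
    added=0
    for host in "$@"; do
        if host_blocked "$hosts_file" "$host"; then
            continue
        fi
        printf '127.0.0.1\t%s\n' "$host" >> "$hosts_file"
        added=$((added + 1))
    done
    echo "$added"
}

# Usage on the live system (writing /etc/hosts needs root):
#   block_hosts /etc/hosts adcash.com www.adcash.com
#   getent hosts adcash.com    # should now print 127.0.0.1
```

After editing the real /etc/hosts, confirm with getent hosts rather than by eye: it goes through the same resolver path the browser uses, so it shows whether the override actually takes effect.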


                          • #14
                            Yeah, I'm going to 127.0.0.1 them out. Thanks.



                            • #15
                              Originally posted by Luke View Post
                              There have been several cases in Firefox where an originally safe extension was subsequently monetized by the addition of adware to it, waiting for users to update to the malicious versions.
                              The problem of extension monetization was in Chrome, not in Firefox (it was some kind of an RSS reader AFAIR).
