Page 1 of 2 12 LastLast
Results 1 to 10 of 16

Thread: Some shady script in Phoronix opening shady ad in new tab

  1. #1
    Join Date
    Jan 2014
    Location
    Tallahassee, FL 32304
    Posts
    89

    Default Some shady script in Phoronix opening shady ad in new tab

    While in a home page, I wanted to read the article about SystemD 215 and while about 7:45 AM, some script opened a new tab in Google Chrome, which leads to Warning! Do not enter if you under 18 years old! (that warning is all in a title bar. I'm unsure if that website popped up in a new tab came from this:
    Code:
    http://www.adcash.com/script/pop_packcpm.php?k=53b693d4323fe1432407.2307047&h=88c71ad26a6a4efe110f6b01121816e81db32496&id=0&ban=1432407&r=250305&ref=h&data=&subid=&iid=11447498031404474324668587592&new=1&dx=%3D%3DwD
    I am VERY SUSPICIOUS and I would be happy to sign up for a premium just to be rid of, but I don't mind legitimate advertisers as long as it does not cause any problems like this such as malware infections and executing shady scripts that would impede Internet surfing. Plus, I don't have the kind of disposable income right now but at least I will get a job after a four-week training period.

  2. #2
    Join Date
    Sep 2013
    Posts
    150

    Default

    Quote Originally Posted by GraysonPeddie View Post
    ...I am VERY SUSPICIOUS and I would be happy to sign up for a premium just to be rid of, but I don't mind legitimate advertisers as long as it does not cause any problems like this such as malware infections and executing shady scripts that would impede Internet surfing. Plus, I don't have the kind of disposable income right now but at least I will get a job after a four-week training period.
    Kind of the opposite of how I view it. If Phoronix is indeed willingly allowing such advertisements to those who don't pay up, I'll just fire up a free adblocker. Shouldn't have to pay to avoid malicious sites...

    But in any case, I'm sure it's just a mistake, and hopefully will be dealt with.

  3. #3
    Join Date
    Jan 2014
    Location
    Tallahassee, FL 32304
    Posts
    89

    Default

    It happened again!



    thefreecamsecret dot com is a porn site.

    I think this adcash.com stuff started to occur beginning July 2nd, which is last week. As far as I know, this only happened while browsing Phoronix website.

    Honestly, I don't feel safe without AdBlock and no I don't have any viruses in my Ubuntu machine. I love being at Phoronix website and I would be happy to pay for the premium whenever I get a job.

  4. #4
    Join Date
    Jan 2014
    Location
    Tallahassee, FL 32304
    Posts
    89

    Default

    Okay. The good news is Phoronix is not the problem, but something must be happening in my end, so I think this thread goes to Off-Topic Discussion. I was browsing DSLReports.com with AdBlock enabled for their site and it looks like something must be triggered in my end and not the problem with DSLReports.com and Phoronix.com.

    Now to track down the problem that is happening in Linux and Google Chrome...

    I have enabled AdBlock Plus for Phoronix, but for such a problem that I have described above, I have disabled AdBlock Plus in Google Chrome for Phoronix's website.
    Last edited by GraysonPeddie; 07-08-2014 at 09:05 PM.

  5. #5
    Join Date
    Sep 2007
    Location
    Connecticut,USA
    Posts
    953

    Default

    Does this problem occur on Windows and has it triggered a virus warning for Windows users? Perhaps Michael should check to see where the problematic banner is coming from if it comes in intermittently and if there is a problem he should notify that particular ad service. Lately a lot of ad servers have been compromised according to some reports floating around.

  6. #6
    Join Date
    Jan 2014
    Location
    Tallahassee, FL 32304
    Posts
    89

    Default

    Linux only for me, so no Windows in my computer. Not even a dual-boot.

    I've done a search for adcash.com chrome linux but during Internet surfing, it's not really a popup ad per se, but some script in adcash.com opens up tab(s) waiting for me to click in a tab to see what's in there, but it turned out to be malicious websites.

    If ad servers have became compromised, I'm going to start enforcing adblocking as a safety net.

  7. #7
    Join Date
    May 2013
    Posts
    480

    Default This is confirmed malicious, usually involves malicious browser extensions

    http://malwaretips.com/blogs/adcash-com-virus-removal/ shows that a number of "free" software programs available for Windows are using malicious browser extensions to open adcash.com windows that normally appear as popups. Their exact words are "If you are seeing pop-up ads from Adcash.com whenever you are opening a new tab within Internet Explorer, Firefox and Google Chrome, then your computer is infected with an adware or a potentially unwanted program." Not what I expect to see researching a story from a Linux forum!

    Similar stories appear on a number of other Windows security sites.

    Apparently in Linux builds of Firefox these ads appear as new tabs. Presumably any executables would be limited to javascript programs , etc if they run on platforms other than Windows, The adserver itself is not supposed to be source of the extra tabs/popups, but rather malicious extensions serve them. Check ALL your extensions, remove any that you did not know you had. Hell, what's to stop someone from making a fake adblocker or Youtube downloader that includes something like this or even a keylogger? Never install extensions from untrusted sources, and never let a web page install one you did not expect.

    If this is showing up-EVER-with a default install of Firefox with no extensions on a live disk or other known clean operating system, there is another problem. I haven't heard stories of Phoronix using pop-up or new tab ads. Popups in general were supposed to be obsolete nearly a decade ago due to near-universal blocking of popup ads by browser default installs. If Phoronix is using the adcash site directly, this can create false alarms as the ad site is widely used by scam artists and criminals. How are people supposed to verify that a website sent them the ads and not malicious software in their own machine?

    After an incident like this, I'd shitcan my entire .mozilla directory, reopen the browser while offline, reset all preferences, etc for any non-security critical computer. For a plain websurfer or public computer with no sensitive information on it, never used for banking, with credit cards, or with sensitive encyption passphrases this would be enough. It's a good thing we don't surf root on Linux as this means removing the old .mozilla directory is usually enough to clean Firefox. If you are really worried throw out your .local, .config, and .cache directories and reconfigure your desktop. Something running from Firefox can't write to anything outside /home/$USER or /tmp without a privilige escalation attack, unlike someone on Windows logged in as administrator. On a default older Windows install machine, every time you go online it's just like running "sudo firefox," thus the infestation of Windows attackware.

    On the other hand, something like this on one of my machines that handles encrypted material would make me shit a brick. I would consider the mysterious appearance of something associated with malicious browser extensions on one of those to be a very serious security incident, enough to force me to roll back my OS to a snapshot predating the problem, maybe even re-key every disk I have.

  8. #8
    Join Date
    Jan 2014
    Location
    Tallahassee, FL 32304
    Posts
    89

    Default

    Okay. I primarily use Google Chrome at home and I'm not using public computers at all. I will have to backup my google-chrome directory even though none of the extensions cause a problem. It is annoying, but oh well.

    Michael, I would like to apologize for the false alarm that I have caused. I'm unsure if this adcash.com popup affects anyone browsing Phoronix but I've started to realize it is just me that turns out to be the problem..

  9. #9
    Join Date
    Nov 2010
    Posts
    54

    Default

    Hello,
    Some time ago (in Feb 2011) I got a message that someone logged in to my Facebook account from Opera on WinXP, though I didn't use Opera since ages.
    I was using exclusively Linux these times. I thought that was likely a cracker because there are virtually no viruses on Linux so it had to be by hand.

  10. #10
    Join Date
    Nov 2010
    Posts
    54

    Default

    Do You have any ideas on what could have caused the breach?
    I had only the SQLite Manager installed and it looked legitimate (likely I have installed it after the breach).
    There was no other suspicious activity, no EXE and ELF files on my disk were modified.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •