Yes, Vanessa - I got the problem for the first time around the same time as your posting - message with reference to Antivirus 2009. Have no idea which link it came from as I had just been directed to the Rootsweb page "We're Sorry. The Page etc etc" and it appeared over that page.
Must be some fiddling going on at Rootsweb - wouldn't be the first time.
Michael
-
12-10-2008, 2:20 AM #61
-
12-10-2008, 2:23 AM #62 MarkJ (Guest)
I don't think anyone has suggested that FamilySearch knows/may know what has happened.
I can have a pretty good guess, based on my dealings with Rootsweb about this issue and using the info I have picked up from RootsChat today.
As you say, Hugh's site was a great help when it came to locating specific batch numbers for parishes of interest and like everyone else, I hope it comes back online as soon as possible. However, it does need to be clear of any issues - there is no point placing the old page with the malware in it back online.
Mark
-
12-10-2008, 10:47 AM #63 MarkJ (Guest)
Sadly, Hugh doesn't seem to have any idea about the problem itself.
There is a problem on the page which has been mentioned in this thread (the one which ends in his name, not the one with /IGI_Batch_Numbers or whatever it is at the end).
The problem is a piece of javascript which is placed in the bottom far-right corner of Hugh's site code. I am sure Hugh's original code does not contain this piece of code - it has been inserted into the page on the Rootsweb server by a third party (i.e. a "hacker" or some other means).
There is no "false positive" discovery by AV programs involved - it isn't a virus as such, rather it is code to make the viewer's browser open a malicious website and download whatever piece of malware is on that site at the time. Lately, it has been a piece of junk called "Antivirus 2009". Should someone be unfortunate enough to end up redirected to the malware site and end up downloading (without their knowledge) trojans or other bad stuff, then their AV program may well kick up a stink! But, otherwise, the only indication most users would see is if their browser uses some form of protection against redirections - e.g. IE7 or Firefox with NoScript for example. That is what several B-G members have reported - that the browser warns that there is a problem, rather than any virus.
Because Hugh seems to have not updated his email contact address, all my attempts to contact him have failed. It appears that the attempts of the Rootsweb/Ancestry tech people to contact him also failed for the same reason. Because I - and presumably others - have reported the site to Rootsweb, giving all the technical details etc - they seem to have pulled the site after they received no response from Hugh (due to the old email address).
The problem is that Hugh has not fully understood the problem - partly I suspect due to the fact that some of the reports in RootsChat etc are - to say the least - rather misleading, not intentionally, but because the people mentioning the issue do not understand exactly what the problem itself is. Reporting that there is a "virus" etc is incorrect (although it is what many folks would do - because it is a malware issue). It is a redirection to a malware website - which DOES contain malicious stuff which varies from time to time.
I have also seen Hugh commenting about the Google-Analytics.com stuff - stating (quite correctly) that it is not harmful. However, he is being caught by the deliberate naming of the malware redirection (googleanalitics.net) which does, at first glance seem to be the same place - but it isn't! The use of "i" rather than "y", no hyphen and .net rather than .com are easily missed by the casual viewer. That is deliberate on the part of the miscreants who did this to the site.
Should Hugh wish to see the piece of code I am more than happy to show him both it and my discussions with the Rootsweb tech team.
Exactly HOW they managed to insert this code I am not 100% sure. RootsChat, if they have the time, logs and ability, could possibly spot an intrusion, but it depends how long this has been going on.
I guess a brute force password guessing job, but I could be wrong. But if it was, then the taking down of the site, cleaning the junk and setting a new password will sort it.
Mark
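Mark's point about the look-alike name (googleanalitics.net against the genuine google-analytics.com) is the kind of thing a script catches more reliably than a glance at the page source. The following is an added example, not code from this thread, from Hugh's site or from Rootsweb: it pulls every host a page loads script from and compares each against the real analytics domain. It assumes the hit counter Hugh mentions is the standard Google Analytics loader; the sample page, including the second script block that stands in for an injected loader, is constructed for the example and is not the code that was on the site.

```python
"""Flag look-alike hosts in a page's script references.

Added example, not code from the thread, from Hugh's site or from
Rootsweb: it mechanises the check described in the post above, comparing
every host a page loads script from against the genuine
google-analytics.com so that a near-miss such as googleanalitics.net is
reported instead of skimmed past. SAMPLE_PAGE is constructed for the
example; its inline script is a stand-in, not the real injected snippet.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Exact hosts the page owner legitimately uses for the hit counter
# (assumption: the standard Google Analytics loader).
TRUSTED_HOSTS = {"google-analytics.com", "www.google-analytics.com",
                 "ssl.google-analytics.com"}
TRUSTED_STEM = "googleanalytics"   # "google-analytics" with punctuation removed
MAX_DISTANCE = 2                   # edits from the stem that still count as an imitation


def edit_distance(a, b):
    """Levenshtein distance, the usual dynamic-programming version."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def stem(host):
    """Name without TLD, lower-cased, punctuation removed, leading 'www' dropped.

    'www.google-analytics.com' -> 'googleanalytics'; 'googleanalitics.net' -> 'googleanalitics'.
    """
    labels = host.lower().split(".")
    if labels and labels[0] == "www":
        labels = labels[1:]
    return re.sub(r"[^a-z0-9]", "", "".join(labels[:-1]))


def classify_host(host):
    """'trusted', 'lookalike of google-analytics.com' or 'untrusted'."""
    host = host.lower()
    if host in TRUSTED_HOSTS:
        return "trusted"
    s = stem(host)
    # Substring check catches 'google-analytics.com.evil.net' style names,
    # edit distance catches one-letter swaps like 'analitics'.
    if TRUSTED_STEM in s or edit_distance(s, TRUSTED_STEM) <= MAX_DISTANCE:
        return "lookalike of google-analytics.com"
    return "untrusted"


class ScriptRefs(HTMLParser):
    """Collect every host referenced from <script src>, <iframe src> or a URL in inline script."""

    def __init__(self):
        super().__init__()
        self.refs = []           # (host, where)
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in ("script", "iframe") and a.get("src"):
            self.refs.append((urlsplit(a["src"]).hostname or "", "<%s src>" % tag))
        if tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # Inline script bodies arrive here; pull out any absolute URL they mention.
        if self._in_script:
            for url in re.findall(r"https?://[^\s'\"<>]+", data):
                self.refs.append((urlsplit(url).hostname or "", "inline script"))


def scan_page(html):
    """Return [(host, where, verdict)] for every script/iframe reference in the page."""
    p = ScriptRefs()
    p.feed(html)
    p.close()
    return [(h, w, classify_host(h)) for h, w in p.refs if h]


def lookalike_hosts(html):
    """Just the hosts that imitate the trusted analytics domain."""
    return sorted({h for h, _, v in scan_page(html) if v.startswith("lookalike")})


# Constructed sample page: a legitimate counter plus a stand-in injected loader.
SAMPLE_PAGE = """<html><head><title>IGI Batch Numbers</title>
<script src="http://www.google-analytics.com/urchin.js" type="text/javascript"></script>
</head><body>
<h1>Batch numbers</h1>
<script type="text/javascript">
  // constructed stand-in for an injected loader, not the real snippet from the site
  var s = document.createElement("script");
  s.src = "http://googleanalitics.net/ga.js";
  document.body.appendChild(s);
</script>
</body></html>
"""

if __name__ == "__main__":
    for host, where, verdict in scan_page(SAMPLE_PAGE):
        print("%-28s %-14s %s" % (host, where, verdict))
```

The scan only sees what one fetch of the page returned. If, as Hugh suggests later in the thread, the script were arriving through content the server swaps in dynamically, a single copy of the page could come back clean, so fetch it several times before concluding anything.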
-
12-10-2008, 11:42 AM #64 Neil
www.claycross.org.uk
-
12-10-2008, 1:41 PM #65 MarkJ (Guest)
Hopefully, via a long and tortuous route, my contact details could be heading to Hugh.
Mark
-
12-10-2008, 1:47 PM #66 Hugh Wallis (Guest)
Thanks Mark - I never received any e-mails from you so was not aware of your detailed analysis. Perhaps they didn't get through my challenge response spam filter? Someone pointed me to this thread so I can jump in and comment here.
Unfortunately I cannot look for myself now since rootsweb have turned off access to the site and have not yet responded to my e-mails to their support desk (but it is a holiday weekend in the US so maybe Tuesday will bring forth some response)
Any links I put on my pages were to googleanalytics.com purely for hit counter purposes. I never put anything there for the .net address you refer to. So by the sound of it someone has hacked into my account by getting through rootsweb's security. They should be able to check their logs to determine when and if that happened. Unfortunately there was not AFAIK any means for me to change my password and the one provided by rootsweb was short enough that a brute force attack could eventually bring success, although why rootsweb would not have detection software to catch brute force attacks I don't know. Maybe there was some other technique used - there are all kinds of methods available to steal passwords especially if they are stored in databases unencrypted - who knows what vulnerabilities there are in rootsweb's back end?
It is also perfectly feasible that the bad code was actually inserted into the advertising that rootsweb adds to the page, which might explain why it only cropped up occasionally since that is changed dynamically by the rootsweb servers. Again, I am only speculating here since, like everyone else, I cannot now access the site.
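Hugh asks why a hosting provider would not catch a brute-force attack. The rule that does so is short, and the following is an added example of it, not code from this thread and not anything Rootsweb ran. It assumes a login log with one line per attempt carrying a UTC timestamp, source IP, username and OK/FAIL result; that format, the username and every line in SAMPLE_LOG are constructed for the example (the addresses are documentation ranges).

```python
"""Spot password guessing in a login log, and a success that follows it.

Added example, not code from the thread and not anything Rootsweb ran: it
is the minimal detection rule for the brute-force scenario discussed in
the post above. The log format (one line per login attempt: UTC timestamp,
source IP, username, OK/FAIL) and every line in SAMPLE_LOG are constructed
for the example; the IPs are documentation ranges.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+) login ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


def parse_line(line):
    """One log line -> dict with a datetime 'ts', or None if it is not a login record."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev


def detect(lines, threshold=10, window=timedelta(minutes=5)):
    """Return alerts for any (ip, user) with >= threshold failures inside the window.

    Two kinds: 'burst' when the threshold is first crossed, and
    'success_after_burst' when a login succeeds while such a run is still
    inside the window, which is the sign that the guessing worked.
    """
    recent = defaultdict(deque)   # (ip, user) -> timestamps of failures still in the window
    alerted = set()               # keys already reported, so a burst is reported once
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        key = (ev["ip"], ev["user"])
        q = recent[key]
        while q and ev["ts"] - q[0] > window:   # expire failures older than the window
            q.popleft()
        if ev["result"] == "FAIL":
            q.append(ev["ts"])
            if len(q) >= threshold and key not in alerted:
                alerted.add(key)
                alerts.append({"kind": "burst", "ip": ev["ip"], "user": ev["user"],
                               "failures": len(q), "at": ev["ts"]})
        else:
            if len(q) >= threshold:
                alerts.append({"kind": "success_after_burst", "ip": ev["ip"],
                               "user": ev["user"], "failures": len(q), "at": ev["ts"]})
            q.clear()             # a success ends the run either way
            alerted.discard(key)
    return alerts


def _constructed_log():
    """Constructed sample: one stale failure, a 12-guess burst then a success, and a lone typo elsewhere."""
    lines = ["2008-10-05T01:00:00Z login ip=203.0.113.9 user=hughwallis result=FAIL"]
    base = datetime(2008, 10, 5, 2, 13, 7)
    for k in range(12):
        t = base + timedelta(seconds=15 * k)
        lines.append(f"{t:%Y-%m-%dT%H:%M:%SZ} login ip=203.0.113.9 user=hughwallis result=FAIL")
    lines.append("2008-10-05T02:16:01Z login ip=203.0.113.9 user=hughwallis result=OK")
    lines.append("2008-10-05T09:40:12Z login ip=198.51.100.4 user=hughwallis result=FAIL")
    lines.append("2008-10-05T09:40:40Z login ip=198.51.100.4 user=hughwallis result=OK")
    return lines


SAMPLE_LOG = _constructed_log()

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

Keyed on (IP, user) this misses a guesser who spreads attempts across many addresses; keying on the user alone catches that at the cost of locking out the legitimate owner, which is why the second alert kind matters more than the first: a success at the tail of a burst is what should trigger a password reset and a look at what that session uploaded.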
-
12-10-2008, 2:06 PM #67 MarkJ (Guest)
Hi Hugh - many thanks for your input. I think you are quite correct - the similarly named "googleanalitics.net" code was added most likely by a brute force password hack. The malicious code was actually on the page source code - inserted by some ne'er do well via some sort of hack - presumably by getting the password I would think.
I have dropped you an email with a little more detail - although if you have struggled through the several pages in this thread, you probably already have the details.
Thanks again for giving us a little detail on the problem. We all hope I am sure that the Batch Numbers are soon up and running - it is a great resource for genealogists.
Cheers,
Mark
-
12-10-2008, 2:48 PM #68 twist69 (Guest)
I lost it just three days ago, does not seem to be anywhere now.
-
12-10-2008, 2:56 PM #69 v.wells (Guest)
Now I know where the "Antivirus 2009" emails come from. I just delete them and mark them as spam. I know what virus software I run. I will look for the code. Thanks MarkJ. I am now better informed.
/freepages.genealogy.rootsweb.ancestry.com/~hughwallis/IGIBatchNumbers.htm DOES NOT WORK AVOID
Does anyone have the CORRECT url to use?
Last edited by v.wells; 12-10-2008 at 3:07 PM. Reason: adding comments
-
12-10-2008, 3:14 PM #70 MarkJ (Guest)
Hi Vanessa,
That page - if Rootsweb hadn't pulled it - would be absolutely fine.
The problem page is very similar - basically, if you took the "IGIBatchNumbers.htm" off the end and hit enter, you would be seeing the problem page.
At the moment, ALL of Hugh's pages are not available - Rootsweb have temporarily pulled them from what I can gather. Hopefully, all will be sorted soon - Hugh has backups of the site I expect and those should be fine. It would seem the redirection script had been added by some miscreant who somehow managed to sneak it onto Hugh's page - probably by getting the password by naughty means...
Mark
Powered by vBulletin® Version 4.2.5
Copyright © 2024 vBulletin Solutions Inc. All rights reserved.