Page 7 of 9 (results 61 to 70 of 87)
  1. #61
    michaelpipe (Famous for offering help & advice; Join Date: Feb 2006; Location: Adelaide, South Australia; Posts: 1,687)

    Quote Originally Posted by v.wells:
    Now it's popping up again! I am at the point that I believe this to be an unreliable site and I don't know how to rectify the problem with it.
    Yes, Vanessa - I got the problem for the first time around the same time as your posting - message with reference to Antivirus 2009. Have no idea which link it came from as I had just been directed to the Rootsweb page "We're Sorry. The Page etc etc" and it appeared over that page.

    Must be some fiddling going on at Rootsweb - wouldn't be the first time

    Michael

  2. #62
    MarkJ (Guest)

    Quote Originally Posted by Bill Buchanan:

    No, FamilySearch does not know what has happened to Hugh Wallis' site! I am sure they want to know, as it is referenced in the knowledge base. I hope his useful resource will become available again soon.
    I don't think anyone has suggested that FamilySearch knows/may know what has happened.
    I can have a pretty good guess, based on my dealings with Rootsweb about this issue and using the info I have picked up from RootsChat today.

    As you say, Hugh's site was a great help when it came to locating specific batch numbers for parishes of interest and like everyone else, I hope it comes back online as soon as possible. However, it does need to be clear of any issues - there is no point placing the old page with the malware in it back online.

    Mark

  3. #63
    MarkJ (Guest)

    Sadly, Hugh doesn't seem to have any idea about the problem itself.

    There is a problem on the page which has been mentioned in this thread (the one which ends in his name, not the one with /IGI_Batch_Numbers or whatever it is at the end).
    The problem is a piece of javascript which is placed in the bottom far right corner of Hugh's site code. I am sure Hugh's original code does not contain this piece of code - it has been inserted into the page on the Rootsweb server by a third party (i.e. a "hacker" or some other means).

    There is no "false positive" discovery by AV programs involved - it isn't a virus as such, rather it is a code to make the viewer's browser open a malicious website and download whatever piece of malware is on that site at the time. Lately, it has been a piece of junk called "antivirus 2009". Should someone be unfortunate enough to end up redirected to the malware site and end up downloading (without their knowledge) trojans or other bad stuff, then their AV program may well kick up a stink! But, otherwise, the only indication most users would see is if their browser uses some form of protection against redirections - e.g. IE7 or Firefox with NoScript for example. That is what several B-G members have reported - that the browser warns that there is a problem, rather than any virus.

    Because Hugh seems to have not updated his email contact address, all my attempts to contact him have failed. It appears that the attempts of the Rootsweb/Ancestry tech people to contact him also failed for the same reason. Because I - and presumably others - have reported the site to Rootsweb, giving all the technical details etc - they seem to have pulled the site after they received no response from Hugh (due to the old email address).

    The problem is that Hugh has not fully understood the problem - partly I suspect due to the fact that some of the reports in RootsChat etc are - to say the least - rather misleading, not intentionally, but because the people mentioning the issue do not understand exactly what the problem itself is. Reporting that there is a "virus" etc is incorrect (although it is what many folks would do - because it is a malware issue). It is a redirection to a malware website - which DOES contain malicious stuff which varies from time to time.
    I have also seen Hugh commenting about the Google-Analytics.com stuff - stating (quite correctly) that it is not harmful. However, he is being caught by the deliberate naming of the malware redirection (googleanalitics.net) which does, at first glance seem to be the same place - but it isn't! The use of "i" rather than "y", no hyphen and .net rather than .com are easily missed by the casual viewer. That is deliberate on the part of the miscreants who did this to the site.

    Should Hugh wish to see the piece of code I am more than happy to show him both it and my discussions with the Rootsweb tech team.

    Exactly HOW they managed to insert this code I am not 100% sure. RootsChat, if they have the time, logs and ability, could possibly spot an intrusion, but it depends how long this has been going on.
    I guess a brute force password guessing job, but I could be wrong. But if it was, then the taking down of the site, cleaning the junk and setting a new password will sort it.

    Mark
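    Mark's description above (an injected script tag whose host, googleanalitics.net, is a near-miss of google-analytics.com) suggests a simple defensive check a site owner can run over their own page source: collect every external script reference and flag hosts that almost spell a brand they legitimately use. This is an added example in Python, not code from the thread or from Rootsweb; the allowlist, the sample page and the two-edit threshold are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed allowlist: hosts this site legitimately loads scripts from.
LEGIT_HOSTS = {"google-analytics.com", "www.google-analytics.com"}
BRAND = "googleanalytics"  # the label a lookalike host imitates (hyphen removed)

class ScriptSrcCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.srcs = []  # src attribute of every <script> tag, in page order

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            self.srcs.extend(v for k, v in attrs if k.lower() == "src" and v)

def levenshtein(a, b):
    """Edit distance; a small value means a near-miss spelling of the brand."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_host(host):
    host = host.lower()
    if not host:
        return "local"  # relative src: a script on the site itself
    if host in LEGIT_HOSTS:
        return "allowed"
    labels = host.split(".")
    if labels[0] == "www":
        labels = labels[1:]
    # Drop the TLD and hyphens so "googleanalitics.net" is measured against BRAND:
    # the missing hyphen and .net suffix vanish, leaving only the i-for-y swap.
    name = "".join(labels[:-1]).replace("-", "")
    return "lookalike" if levenshtein(name, BRAND) <= 2 else "unknown"

def scan_page(html):
    parser = ScriptSrcCollector()
    parser.feed(html)
    return [(src, classify_host(urlparse(src).hostname or "")) for src in parser.srcs]

# Constructed sample page: a legitimate hit counter plus an injected tag at the end.
SAMPLE_PAGE = """<html><body><h1>IGI Batch Numbers</h1>
<script src="http://www.google-analytics.com/urchin.js"></script>
<p>parish tables ...</p>
<script src="http://googleanalitics.net/hit.js"></script>
</body></html>"""
```

    Running scan_page(SAMPLE_PAGE) labels the first script "allowed" and the injected one "lookalike"; an "unknown" verdict is worth a look too, since the script could just as well point at a host that imitates nothing.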

  4. #64

    Quote Originally Posted by Bo Peep:
    I have just seen the following on the Cornish List;

    Hugh Wallis has replied on the Roots Chat site.

    "It appears some people have reported getting virus warnings from the site but, unless it is in the stuff ancestry adds, there is no virus there, and certainly not one inserted by me. I suspect ancestry have taken it offline. I also suspect that the anti-virus software that is giving these warnings is over zealous and has applied a heuristic detection algorithm to produce the warnings - and those algorithms are well known for producing occasional "false positives". Most reputable anti-virus software like AVG and Norton report the site as clean (or did until it was taken down by ancestry).

    Unfortunately I have no control over it since ancestry do not even provide a means for me to change the password that is necessary to update the site. If some evil hacker has obtained that password somehow I can do nothing about it.

    Actually I have not even accessed nor updated the site myself for many months.

    Having no time to investigate further I shall be leaving it in the hands of ancestry - but they have not had the courtesy even to contact me so I don't know to what extent they intend to address the issue

    Thanks

    Hugh"
    Bo, please could you contact Hugh 'off list' and advise him of this thread and Rootsweb response to MarkJ. It would be a shame if this site goes under.
    Cheers

  5. #65
    MarkJ (Guest)

    Hopefully, via a long and tortuous route, my contact details could be heading to Hugh.

    Mark

  6. #66
    Hugh Wallis (Guest)

    Quote Originally Posted by MarkJ:

    Not sure if anyone has contacted the Hugh Wallis site about this or not - but I shall fire off an email as soon as I finish this post.


    Edit: I have sent an email to the site about this javascript injection - I will let you all know once I get a response.
    In the meantime, please, please don't pop over to "have a look" unless you are familiar with this type of malware and are using sensible precautions to avoid becoming a victim.
    Thanks Mark - I never received any e-mails from you so was not aware of your detailed analysis. Perhaps they didn't get through my challenge response spam filter? Someone pointed me to this thread so I can jump in and comment here.

    Unfortunately I cannot look for myself now since rootsweb have turned off access to the site and have not yet responded to my e-mails to their support desk (but it is a holiday weekend in the US so maybe Tuesday will bring forth some response).

    Any links I put on my pages were to googleanalytics.com purely for hit counter purposes. I never put anything there for the .net address you refer to. So by the sound of it someone has hacked into my account by getting through rootsweb's security. They should be able to check their logs to determine when and if that happened. Unfortunately there was not AFAIK any means for me to change my password and the one provided by rootsweb was short enough that a brute force attack could eventually bring success, although why rootsweb would not have detection software to catch brute force attacks I don't know. Maybe there was some other technique used - there are all kinds of methods available to steal passwords especially if they are stored in databases unencrypted - who knows what vulnerabilities there are in rootsweb's back end?

    It is also perfectly feasible that the bad code was actually inserted into the advertising that rootsweb adds to the page, which might explain why it only cropped up occasionally since that is changed dynamically by the rootsweb servers. Again, I am only speculating here since, like everyone else, I cannot now access the site.

  7. #67
    MarkJ (Guest)

    Hi Hugh - many thanks for your input. I think you are quite correct - the similarly named "googleanalitics.net" code was added most likely by a brute force password hack. The malicious code was actually on the page source code - inserted by some ne'er do well via some sort of hack - presumably by getting the password I would think.

    I have dropped you an email with a little more detail - although if you have struggled through the several pages in this thread, you probably already have the details.

    Thanks again for giving us a little detail on the problem. We all hope I am sure that the Batch Numbers are soon up and running - it is a great resource for genealogists.

    Cheers,
    Mark

  8. #68
    twist69 (Guest)

    I lost it just three days ago, does not seem to be anywhere now.

  9. #69
    v.wells (Guest)

    Now I know where the "Antivirus 2009" emails come from. I just delete them and mark them as spam. I know what virus software I run. I will look for the code. Thanks MarkJ. I am now better informed.

    /freepages.genealogy.rootsweb.ancestry.com/~hughwallis/IGIBatchNumbers.htm DOES NOT WORK AVOID

    Does anyone have the CORRECT url to use?
    Last edited by v.wells; 12-10-2008 at 3:07 PM. Reason: adding comments

  10. #70
    MarkJ (Guest)

    Hi Vanessa,
    That page - if Rootsweb hadn't pulled it - would be absolutely fine.
    The problem page is very similar - basically, if you took the "IGIBatchNumbers.htm" off the end and hit enter, you would be seeing the problem page.

    At the moment, ALL of Hugh's pages are not available - Rootsweb have temporarily pulled them from what I can gather. Hopefully, all will be sorted soon - Hugh has backups of the site I expect and those should be fine. It would seem the redirection script had been added by some miscreant who somehow managed to sneak it onto Hugh's page - probably by getting the password by naughty means...

    Mark
