What has happened to Hugh Wallis' website ?



ET in the USA
28-08-2008, 5:28 PM
Has anyone else had this problem ?


I was a frequent user of Hugh Wallis's Genealogical website freepages.genealogy.rootsweb.com/~hughwallis/ (http://www.freepages.genealogy.rootsweb.com/~hughwallis/). I used it to find parish register transcriptions - instead of using Familysearch.org.

Recently, I have been getting error messages & dire warnings about viruses & mayhem & the site doesn't open. |jedi|

Does anyone have any further information ? Has Hugh been overrun with gremlins ? I miss this site !

Elaine

pipsqueak
28-08-2008, 5:35 PM
It seems to be working for me :)

Jan1954
28-08-2008, 5:37 PM
It seems to be working for me :)

And me. :confused:

Marie C..
28-08-2008, 5:43 PM
Works for me too.
M

ET in the USA
28-08-2008, 5:45 PM
This has been happening sporadically for a while. One time it works, the next I get these really scary doom & gloom error messages [to paraphrase - you have been infected & it is sucking your brains out. Possible security violation...]

I'm almost afraid to try it any more.

v.wells
28-08-2008, 5:48 PM
This has been happening sporadically for a while. One time it works, the next I get these really scary doom & gloom error messages [to paraphrase - you have been infected & it is sucking your brains out. Possible security violation...]

I'm almost afraid to try it any more.

|laugh1||laugh1|

I get error messages too, but haven't been there for a while!

Astoria
28-08-2008, 5:48 PM
Can you remember what you were looking at when these messages occurred,
I am willing to go in there I have silver bullets and a stake.

busyglen
28-08-2008, 5:51 PM
I used it yesterday, and I also have just gone and had another look (I keep it in my favourite list so easy to click on the URL) and everything is fine. I haven't had any `strange' messages either.

Glenys

ET in the USA
28-08-2008, 5:51 PM
I just went into favorites & clicked on the website that I typed below - to open in a new window & it goes into freak mode.
Elaine

v.wells
28-08-2008, 5:54 PM
Seems fine to me. Error on page didn't pop up this time either!

ET in the USA
28-08-2008, 5:54 PM
I just tried again & it was fine. I just wondered if anyone knew if he had been fighting off invaders or something. Too weird because it wasn't just today. As I said, it has been happening for a month or more, but not every time.
Elaine

busyglen
28-08-2008, 5:58 PM
Hi Elaine, I sent you a PM, but checking again, you are using the same approach as me, so don't really know what is happening. Hope it soon sorts itself out for you.

Glenys

v.wells
28-08-2008, 6:01 PM
ET - You should delete the link, refresh the page and re-enter it (find the cookie first and also delete that)

busyglen
28-08-2008, 6:02 PM
ET - You should delete the link, refresh the page and re-enter it (find the cookie first and also delete that)

Good thinking! :)

Glenys

ET in the USA
28-08-2008, 6:05 PM
Thanks all. Yes I got the PM's & we are all using the same link. Mine had ancestry in the URL too, I guess it reset itself when it changed. Anyway, I just won't panic when I get those messages, I'll close the tab & try again. I don't like it when a website message tells me it is going to eat me for lunch |5cups| makes me nervous !

Elaine

Mary Anne
28-08-2008, 6:25 PM
When I first signed in to Hugh's site, using the URL in your post, I did get a warning from my Norton Security that a high-risk intrusion had been blocked from a known *attack* computer. My IE also indicated that something was trying to download an executable image file, and when I googled the text of that message, I came to this site, which describes a *fake* Microsoft add-on that wants to hijack your IE: http://msmvps.com/blogs/hostsnews/archive/2007/09/13/can-you-spot-the-fake.aspx

Tried the Hugh Wallis site by several other methods (googled it, used my Favourites, etc) and there were no problems with the site, approaching it from that way.

It's like the spam/virus stuff - always there are folks out there *phishing* and they want to hijack your computer...beware, therefore, say I!! (sigh - sad we have to always mistrust...). Keep your security software running and up-to-date!

jane.harrison.9
28-08-2008, 6:39 PM
Been using it all week. Not had any problems.
Jane.

MarkJ
29-08-2008, 12:48 AM
I haven't noticed anything out of the ordinary before, but after spotting this post, I went and checked.

There IS a problem with Hugh's page. If you allow scripts to run by default (which most browsers do), you will find yourself connecting to a quite dodgy sounding page.

As most people will know, the search engine outfit, Google, often run something called google-analytics (google-analytics.com) - which is a fairly standard way for websites to see who has been looking at the page and allows the webmaster to analyse stuff such as the browser used etc. All very basic and not really an issue.

However, as well as the perfectly OK google-analytics, there is also a somewhat iffy script for "googleanalitics.net" - which is NOT Google related and is in fact a very dodgy site, hosted in Hong Kong currently which has - in the past (and perhaps now or in the future) hosted trojan malware.

Just because you "don't have any problems" does not mean that your browser is not downloading a trojan in the background. You are safe as long as you have some means of preventing malicious scripts from running - assuming there is currently malicious content on the googleanalitics.net site. But if your browser happily executes javascript and the dodgy site is carrying a malicious payload - you will be infected.

Not sure if anyone has contacted the Hugh Wallis site about this or not - but I shall fire off an email as soon as I finish this post.

I will state this once again in case anyone is missing the message -

If you access the Hugh Wallis site at the moment, there is a chance that you may be infected with malware. Unless you *know* that your browser does not execute javascript without any further input from you - then do not go there for now.

Mark

Edit: I have sent an email to the site about this javascript injection - I will let you all know once I get a response.
In the meantime, please, please don't pop over to "have a look" unless you are familiar with this type of malware and are using sensible precautions to avoid becoming a victim.

Not often I come across such a blatant js problem as this - for us "techies" it is quite exciting! But for "normal" users - it is not something you want to be playing with.

ET in the USA
29-08-2008, 1:24 AM
Glad I sounded the alarm & it wasn't an over reaction.

Mary Anne has quoted the actual warning message pretty closely. I didn't want to go back in & look again to write it down, so paraphrased " you have been infected & it is sucking your brains out. Possible security violation..." :D

Mark -
How do we know "...your browser is not downloading a trojan in the background. You are safe as long as you have some means of preventing malicious scripts from running - assuming there is currently malicious content on the googleanalitics.net site. But if your browser happily executes javascript and the dodgy site is carrying a malicious payload - you will be infected." ??

I have Vista & AVG Free Edition Version 8.0.138 updated Aug 26 08.
Is there somewhere/some file I should look or just trust that getting the warning means that my browser wasn't going along willingly & so all is OK ?

Elaine

oxon57
29-08-2008, 1:40 AM
please don't pop over to "have a look" unless you are familiar with this type of malware and are using sensible precautions to avoid becoming a victim.
Obviously not half as familiar enough as you, Mark, but interested, and confident enough to risk sticking my nose in running Firefox with the very useful "NoScript" extension.
I see what you mean - if I click my little NoScript icon, I can, if I wish, allow both the legitimate "google-analytics.com" script and the potentially dangerous "googleanalitics.net" script. In fact, from previous use, the site runs perfectly well without even allowing the legitimate Google script, so I've never bothered with it and have that blocked too, never mind the other one, which I'd automatically be suspicious of because they can't spell analytics!

As you evidently understand these things properly, though, could you enlighten me on one point?
When I look at the code for the page, the nasty one does not show up. Would I be correct in thinking that it's in the encoded chunk of javascript at the very end, starting:
<!--ab00ecd93a86f0b704ac95cfdda98bf0-><script language=javascript>snexv="%";rfpbn="@3cs@63ript@20@6can@67 ...

?

MarkJ
29-08-2008, 1:51 AM
Ok, let me go into a very quick explanation ;)

First of all, if you use the site via -
freepages.genealogy.rootsweb.ancestry.com/~hughwallis/
(DO NOT CLICK!!!)
you will find there is a malicious javascript there.

If you access via -
http://freepages.genealogy.rootsweb.ancestry.com/~hughwallis/IGIBatchNumbers.htm
the javascript is not in that part.

I can't help with Microsoft Internet Explorer - I don't (and wouldn't use it).
If you are getting a warning - which you obviously are ET, then that would suggest you have some form of protection via your browser. I believe the latest IE does have built in protection against redirections.
If you are using Firefox, then you are not guaranteed to be safe. Malicious scripts can run on any browser unless it has either some form of protection built in (as the latest browsers do) or you have javascript turned off by default. As I use Firefox and so many sites insist on javascript (sorry js fans - it really isn't safe, whatever you claim!), I run an add on called No Script, which allows me to see and allow or deny any scripts - including javascript.

The members who have mentioned seeing a warning about possible redirection/malicious activity were quite safe as long as they didn't over-ride that warning and carry on.
Those who didn't see a warning *may* have accessed the site via the "safe" link (the one which I placed above and is the one Googling the site should give you). If someone went to the first (dodgy) link and didn't see a warning, then chances are that they would have collected a malware problem if one was on the "googleanalitics.net" site at the time. From my research into this site, it seems that malware comes and goes - presumably depending on who pays to host their nasties on that site.

AVG is an anti virus program which - like any other AV program - *may* pick up trojans. Not all trojans are detected by AV programs (because technically they are not viruses), but most are. At the moment, I am not sure what types of malware were/are regulars on the "googleanalitics.net" site, so I can't state categorically that your AV program will or will not pick them up. But I would be fairly confident that - as long as you heeded the warning - you are fine :)

I wouldn't lie awake worrying - *if* you were infected with something, it would be fairly obvious in most cases. If you notice your PC running really slowly for example, or it seems to be constantly flashing the sending light on your modem or router, then you perhaps need to run a scan. Otherwise, just continue to practice "safe browsing" :)

Mark

MarkJ
29-08-2008, 2:02 AM
Obviously not half as familiar enough as you, Mark, but interested, and confident enough to risk sticking my nose in running Firefox with the very useful "NoScript" extension.
I see what you mean - if I click my little NoScript icon, I can, if I wish, allow both the legitimate "google-analytics.com" script and the potentially dangerous "googleanalitics.net" script. In fact, from previous use, the site runs perfectly well without even allowing the legitimate Google script, so I've never bothered with it and have that blocked too, never mind the other one, which I'd automatically be suspicious of because they can't spell analytics!

As you evidently understand these things properly, though, could you enlighten me on one point?
When I look at the code for the page, the nasty one does not show up. Would I be correct in thinking that it's in the encoded chunk of javascript at the very end, starting:
<!--ab00ecd93a86f0b704ac95cfdda98bf0-><script language=javascript>snexv="%";rfpbn="@3cs@63ript@20@6can@67 ...

?

I am certainly not a javascript expert ;) In fact, I know very little about it to be honest - my wife is the one who is the coder in our house :)

But yes, the piece of code, right at the very bottom and right over on the right of the "page source" seems to be the relevant piece of code.

Like you, I use No Script (and Linux for added security) - hence how I picked up the rather illiterate googleanalitics ;)

I am more of a spam/scam person myself when it comes to security issues. Those are my main interests. I hope Neil Wilson picks up on this thread - he is more of a security minded chap than myself - and can probably decipher the code more quickly than I can. It wouldn't be hard to do I guess looking at it, but it is 3am and I don't fancy it myself ;)

Mark

oxon57
29-08-2008, 2:24 AM
Thanks, Mark, that gives me an idea of what I might be looking for elsewhere if one of my even less techie friends runs into trouble one day - little things like that are always useful to know.

And I'm not going to attempt it at this time of night either - I have a week off work at the moment, so I'm up late, but it's well past my normal bedtime, I think the little grey cells would protest strongly.

A friend once described javascript to me as "the spawn of the Devil" - I take it you wouldn't disagree! Oddly enough, he was Mark too - but solidly based in Weston-super-Mare, not Cornwall.

MarkJ
29-08-2008, 2:33 AM
I had a swift look, but it seems to define a few variables and then, later, converts all the odd bits of code back to hex - but I haven't looked that hard to be honest!

I suspect it does nothing more than use that js to redirect to the malicious site which we have noted via our No Script :)

I have argued against Javascript for years - despite being told by many people how useful it is.... Mind you, I have a huge list of Satanic Spawn which I would ban for one reason or another - including Flash and other "multimedia" garbage ;)
Javascript stands out on its own as far as risk is concerned in my view though. But I am sure that it has many really great uses ....

Mark (we all think alike ;) )
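
The check that NoScript made visible in this thread, as an added example that is not part of any member's post or of the Hugh Wallis page: it lists the script hosts in a page's source, statically decodes string literals in which "%" has been swapped for a stand-in symbol (the shape of the "@3cs@63ript" fragment quoted above) without running anything, and flags hosts that are near-misses of a trusted one. The sample page, its variable names and the placeholder.js path are constructed; the trusted-host list and the two-label domain rule are assumptions.

```javascript
"use strict";

// Hosts this site is meant to load scripts from (an assumption for the example).
const TRUSTED_HOSTS = ["google-analytics.com"];

// Constructed sample page. The inline script mimics the shape of the fragment
// quoted in the thread; names, comment marker and path are made up, and the
// part of the script that would act on the string is left out.
const SAMPLE_PAGE = [
  "<html><body><h1>Batch numbers</h1>",
  '<script src="http://www.google-analytics.com/ga.js"></script>',
  '<!--0000--><script language=javascript>a="%";b="@3Cscript@20src@3D@22http' +
    "@3A@2F@2Fgoogleanalitics.net@2Fplaceholder.js@22@3E@3C@2Fscript@3E" +
    '";/* remainder omitted */</script>',
  "</body></html>",
].join("\n");

// Dynamic-programming edit distance between two strings.
function levenshtein(a, b) {
  let prev = Array.from({ length: b.length + 1 }, (_, i) => i);
  for (let i = 1; i <= a.length; i++) {
    const cur = [i];
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      cur[j] = Math.min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost);
    }
    prev = cur;
  }
  return prev[b.length];
}

// Naive registrable domain: the last two labels (no public-suffix list).
function baseDomain(host) {
  return host.toLowerCase().split(".").slice(-2).join(".");
}

// Name part of the domain with TLD and hyphens removed, e.g. "googleanalytics".
function brandLabel(host) {
  return baseDomain(host).split(".")[0].replace(/-/g, "");
}

// "trusted" for an allow-listed domain, "lookalike" for a near-miss, else "unknown".
function classifyHost(host, trusted = TRUSTED_HOSTS) {
  if (trusted.includes(baseDomain(host))) return "trusted";
  const near = trusted.some(
    (t) => levenshtein(brandLabel(host), brandLabel(t)) <= 2
  );
  return near ? "lookalike" : "unknown";
}

// Hosts of external <script src=...> tags found in a chunk of markup.
function scriptHosts(markup) {
  const hosts = [];
  const re = /<script\b[^>]*\bsrc\s*=\s*["']?([^"'\s>]+)/gi;
  for (const m of markup.matchAll(re)) {
    const host = m[1].match(/^(?:https?:)?\/\/([^\/:?#]+)/i);
    if (host) hosts.push(host[1].toLowerCase());
  }
  return hosts;
}

// Decode string literals in which "%" was replaced by another symbol.
// Purely static: the literal is rewritten and percent-decoded, never evaluated.
function decodeHiddenStrings(source) {
  const out = [];
  for (const m of source.matchAll(/"([^"\\]*)"|'([^'\\]*)'/g)) {
    const lit = m[1] ?? m[2];
    // Count each symbol that is followed by two hex digits.
    const counts = {};
    for (const h of lit.matchAll(/([^A-Za-z0-9\s])[0-9a-fA-F]{2}/g)) {
      counts[h[1]] = (counts[h[1]] || 0) + 1;
    }
    for (const [sym, n] of Object.entries(counts)) {
      if (n < 4) continue; // too few to look like an encoded run
      try {
        out.push(decodeURIComponent(lit.split(sym).join("%")));
      } catch {
        // not valid percent-encoding with this symbol; ignore
      }
    }
  }
  return out;
}

// Every script host on the page, visible or hidden in an encoded inline script.
function auditPage(html) {
  const findings = [];
  for (const host of scriptHosts(html)) {
    findings.push({ host, hidden: false, verdict: classifyHost(host) });
  }
  for (const m of html.matchAll(/<script\b[^>]*>([\s\S]*?)<\/script>/gi)) {
    for (const decoded of decodeHiddenStrings(m[1])) {
      for (const host of scriptHosts(decoded)) {
        findings.push({ host, hidden: true, verdict: classifyHost(host) });
      }
    }
  }
  return findings;
}

console.log(auditPage(SAMPLE_PAGE));
```

A "hidden" finding with a "lookalike" verdict is the combination described in the posts above: a host that never appears in plain text in the page source but sits one letter away from a trusted name.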

Mary Anne
29-08-2008, 3:37 AM
As I said, keep your security software up-to-date...I use Norton (and put up with its chugging, from time to time...) for that very reason! then you don't have to understand the *satanic* programming and whether it is pseudo/occasional beneficial Java/Flash/or whatnot, all you need to know is that it has detected an issue!

MarkJ
06-09-2008, 11:28 PM
Update:
I have not heard from Hugh, so I have this evening sent a mail directly to the Rootsweb "Help" desk. Not exactly easy to actually find the correct place to notify them of an issue!

Will post if I get a reply. Meantime, the specified page is still infected - so the same rules apply!

Mark

oxon57
27-09-2008, 11:14 PM
Hmmm... no change - perhaps they don't understand English?
After all, good old Rootsweb is run by you-know-who these days, isn't it? Mention a virus and they probably reach for a tissue to wipe the screen, mention a trojan and they probably go looking for the census of Greece.

MarkJ
27-09-2008, 11:46 PM
I have had several discussions with one of the support guys at Rootsweb about this issue over the last three weeks.
At first, they claimed there was nothing there, then that their "in house" protection systems were perhaps preventing them from seeing the problem at their end. They asked for various bits of info - last I heard from them they requested the actual javascript code - which I sent them (sanitised, but with instructions as to what I had done and how to enable it again if they really really must!). They then asked how the malicious script ended up on the page! How am I supposed to know how some "haXor" managed that?? I gave them a few suggestions as to how it could be done but since then, I have heard nothing at all. Maybe they think I am the evil haXor or something now! They did say that they had also asked Hugh to look at the problem - but I have also tried that approach and not had any response to my emails as yet.

To be honest, they seem to have no idea about security problems - I am sure they can probably explain how to set up a webpage or something, but how to respond to this issue seems beyond their comprehension.

I would still steer well clear of the "dodgy" access URL to the site. The one which comes up on Google (with BatchNumbers.htm or something at the end) is fine.

Unless I hear more from the Rootsweb guys (or Hugh), I am leaving it at that. My report seems to have been pretty much ignored - despite me explaining the exact issue, sending them the dodgy code when requested to do so etc etc.
Some folks just don't want to know - or simply cannot understand! I have come across similar things in the past and have learned that no matter how hard you try, some folks just don't listen.

As long as B-G members (and the general public) have been made aware of, and avoid the malware URL, then I am happy :)

Mark

ET in the USA
06-10-2008, 3:23 AM
Thanks for your efforts Mark. I shall be sure to enter via the correct door, if I dare enter at all ! For now, I'm searching via Familysearch.org & slogging through all the submitted #$%@. :D

Elaine

Waitabit
06-10-2008, 8:25 AM
Vanessa, very profound your signature,

Elaine, why not try deleting your shortcut, & retyping the URL.

oxon57
06-10-2008, 3:44 PM
I'm searching via Familysearch.org & slogging through all the submitted #$%@.

...and, yes, that's very often exactly what they are.
Not always though, and, as it is Hugh Wallis's site that we use to check the batch numbers for the extracted entry, this is vaguely relevant to this thread so I will post here something I received yesterday in an e-mail from a friend in London.

Before we go any further, let's finish off Frederick's grandfather, Thomas Wright Archer. Not content with having already served a twenty-three year sentence, he remarried on 15 April 1807, hence the reference to "my new Wife Alice" in his will. She's Alice Sams, baptized Hertford 2 September 1761, daughter of John and Elizabeth, and I had a little surprise with this marriage. The marriage settlement is at HALS, dated 6 April 1807, and they are both of Hertford, but the marriage didn't show up in the Allen index, so I figured that they'd probably married in London. The Vicar General's licence index indicates that a licence was issued on 13 April 1807, and two LDS *submitted* entries claim that the marriage was at St Giles, Cripplegate, which agrees with my thinking that it's probably London, but St Giles, Cripplegate, is supposedly covered then, in batch M025771, and there's no *extracted* entry. So, there I am, thinking that some halfwit has probably mixed up their churches and it will most likely turn up at St Giles in the Fields, but on checking the St Giles, Cripplegate, register, it *is* there, plain as day! He's of Hertford, she's allegedly "of this parish", but the date is as given in those submitted entries, 15 April 1807, it's not a badly faded page, not difficult to read, even has the surnames in large letters in the margin, yet somehow the LDS have contrived to miss it in the extracted batch.

So if you have a "submitted" entry, and no "extracted" entry, with Hugh Wallis's site suggesting that if the submitted information was indeed correct, there would be an extracted entry for it, it seems this is not always the case!

Peter Goodey
06-10-2008, 4:08 PM
So if you have a "submitted" entry, and no "extracted" entry, with Hugh Wallis's site suggesting that if the submitted information was indeed correct, there would be an extracted entry for it, it seems this is not always the case!

This highlights yet another problem when trying to use the IGI for proper genealogy. There have been discussions about this matter elsewhere.

If a Mormon submits an entry connected with their religious practices and the data exactly matches an extracted entry, the extracted entry is deleted. This is another example of how the IGI progressively becomes less and less useful as a genealogical tool.

ET in the USA
06-10-2008, 4:22 PM
If a Mormon submits an entry connected with their religious practices and the data exactly matches an extracted entry, the extracted entry is deleted. This is another example of how the IGI progressively becomes less and less useful as a genealogical tool.

|banghead| |banghead| |5cups| |banghead| |banghead|

oxon57
06-10-2008, 4:26 PM
Oh dear. That is, to put it politely, "a bit naughty", making it less easy to distinguish history from bunk. I wasn't aware of that myself and, obviously, neither was he, so I shall pass the message on - thank you, Peter.

v.wells
06-10-2008, 6:01 PM
|banghead| |banghead| |5cups| |banghead| |banghead|

A bit of a misguide then to use it as a "potentially factual" guide :confused:

idredge
10-10-2008, 8:31 AM
Hi I can't get Hugh Wallis now all I get is Rootsweb telling me that they can't find the web address, why when I've always used the same has it suddenly changed. Tried looking for it but still unable to find a Hugh Wallis site. It may not be 100% but at least it gave some idea where to look

Irene

suedent
10-10-2008, 10:10 AM
Hi I can't get Hugh Wallis now all I get is Rootsweb telling me that they can't find the web address, why when I've always used the same has it suddenly changed. Tried looking for it but still unable to find a Hugh Wallis site. It may not be 100% but at least it gave some idea where to look

Irene

I've just tried & got the same:-(
It was fine yesterday evening as I used it a couple of times then.

Marie C..
10-10-2008, 11:09 AM
Same for me too. It wouldn't let me access it last night or today.
M

oxon57
10-10-2008, 11:45 AM
It looks as though the Big A, unable to understand plain English and incapable of cleaning up a page which, given access to it, even I could manage after Mark's confirmation of where the trouble lies, have decided that the solution is to remove it.
I expect I will have a call from one rather upset nephew later - he's off to a distant record office first thing tomorrow, and I know he was intending to go through the batches for the county today, to mark those parishes which appear to be covered as low priority in his search.

suedent
10-10-2008, 11:47 AM
I've resorted to doing a google search for "Hugh Wallis" IGI & the name of the County I need. Then I'm clicking on the cached pages. At least that way I can get to see the numbers & then I just copy & paste them into the IGI.

oxon57
10-10-2008, 12:43 PM
Now, there's a good idea if ever there was.
I suspect that not a lot of work will be done here this afternoon (but it's Friday, we aren't supposed to work after lunch on a Friday, are we?) and, armed with a CD which I will save things on to take home, I will be able to astound my nephew this evening by telling him that if he cares to jump in the car and pop over from Hitchin, I can give him the information he needs.
(I won't tell him how to find it himself, of course - I have to maintain the illusion of superior knowledge and intelligence, uncle Jeff knows all the answers!)

suedent
10-10-2008, 1:14 PM
(I won't tell him how to find it himself, of course - I have to maintain the illusion of superior knowledge and intelligence, uncle Jeff knows all the answers!)


Now that's just evil, but I like it!!

ET in the USA
10-10-2008, 2:38 PM
Rats. I only brought it up here to cure it, not kill it !|computer|

Maybe the Boogie Men who attacked it finally messed it up good & proper - or someone important complained, since they didn't seem to care much when "we" did. I had gotten used to using the new URL & coming in through the batch No. page.

MarkJ
11-10-2008, 11:27 AM
A rather drastic reaction from Rootsweb :(
Following my email dialogue with one of their tech people - where I explained the issue, pointed out why they failed to see the problem from behind their corporate firewall, explained what the javascript was doing and even sent them a (sanitised) copy of the malicious script - they seemed to simply give up. I have had nothing from them for a couple of weeks at least now about this issue and today, when I log onto B-G, I discover that the Hugh Wallis pages have been pulled!

Hopefully, they have removed the site temporarily until they clean the javascript - but who can tell! It would seem a little OTT to me - personally, I think they could have either removed the malware themselves or just removed that single page.
Perhaps they tried to contact Hugh (as I have done several times) but had no reply and thus pulled the pages, pending his response?

I am disappointed that the end result is not what we all expected - I feel Rootsweb have not handled this well at all.

Apologies to all who were using the site - including myself - although I feel that RW did not fully comprehend the problem and this is likely to be a knee jerk reaction.

Mark :(

oxon57
11-10-2008, 11:42 AM
Mark, two things, which I will put in separate messages, because you may wish to use your moderating powers to delete the second one...


Perhaps they tried to contact Hugh (as I have done several times) but had no reply
I suspect that, somewhere along the line, Hugh has failed to update his contact details. I say this because there is a post from him on "another forum" in which he says that Ancestry have not contacted him, so he's still around but evidently did not get their message and, as you've had no reply, didn't get yours either.

oxon57
11-10-2008, 11:47 AM
Now, I don't know if this might offend patriotic "My country right or wrong" citizens of the USA, so you might want to delete it - I think all our American members have a sense of humour, but one never knows.

To lighten the gloom, before setting off on his long drive this morning at the crack of dawn, my nephew sent me an e-mail with his version of what happened at the Big A headquarters...


"Boss, that Limey who keeps bleating about the Wallis site has sent another e-mail, wants to know when we're going to take some action."
"OK, OK, he's not going to go away, is he, guess we'd better do something - anyone got any ideas?"
"Well, he said something about security - maybe we should call the CIA."
"Do it."



"Hello, George Bush Intelligence Center."
"Aw - sorry, bud, I was trying to call the Farm at Langley."
"Listen, pal, this is the Farm at Langley - some jerk politico with a sick sense of humor renamed us, OK? And before you ask, no, there's no "W" in it, even the politicos wouldn't connect the word intelligence with you know who, it's his father we're named after, got it? Now - whaddaya want?"
"Well, we got this genealogy website run by a guy called Hugh Wallis, and it looks like it could be a cover for some terrorist outfit, thought you ought to know - we don't know what to do about it."
"Does it have the Stars and Stripes on?"
"No, according to the contact details we have, the guy's in Canada, but he's not answering."
"OK, probably had his cover blown and gone underground, let me Google this... Hugh Wallis plus Canada plus Genealogy... hmmm... something here on some site called Rootsweb - a message board of some kind, copy of a note signed Hugh Wallis, Ontario, Canada - that the guy?"
"I guess so."
"OK, it's years old, nothing recent - he's definitely gone into hiding. Talks about adding a list of North American numbers though - I don't like the sound of that, what's he up to? Now, let's think about this... Wallis... Wallis... where have I heard that name before? Ah - got it. William Wallis, King of Scotland..."
"Wasn't he W-a-l-l-a-c-e, different spelling?"
"Same thing - they spell everything different over there. Now - I'm seeing a trail here. You say your contact mentioned a virus, yeah? That's, like, chemical warfare, right? Well, get this. This William Wallis went to France. And who tried to stall us when we wanted to wipe out the goddam Eye-rackies? That's right - the French. And Canada is full of Scots, and full of French, and this Hugh Wallis site is some kinda family history thing - bet your life he's a descendant of William Wallis in cahoots with the French Canadians, and we all know they're in the pay of that guy Al Keeder, don't we? That's why we couldn't find the chemical weapons when we got in there - they've hidden them in this website!"
"Wow! This sounds kinda major trouble!"
"Too right it's trouble, buddy. You say it's on a server at your place? Right - quarantine the server, don't touch anything, and don't let anyone in or out of the building until my guys get there - we'll have it sorted in no time, a couple of anti-tank missiles in the right place and that server's toast."

MarkJ
11-10-2008, 12:01 PM
Made me laugh :D

Mark

MarkJ
11-10-2008, 12:10 PM
Mark, two things, which I will put in separate messages, because you may wish to use your moderating powers to delete the second one...


I suspect that, somewhere along the line, Hugh has failed to update his contact details. I say this because there is a post from him on "another forum" in which he says that Ancestry have not contacted him, so he's still around but evidently did not get their message and, as you've had no reply, didn't get yours either.

I was trying to contact Hugh via his OPC email address - which is also the one he had on the Batch Numbers website. So, as you say, it is probably the case that he hasn't updated the contact details - which in turn means he didn't get my emails nor any sent about the issue from the Big A/Rootsweb.
In the message on "another forum", does Hugh indicate that he may know about the problem or is it a post about something else entirely?

If we can get Hugh and Rootsweb together, hopefully they will sort out the problem and get the Batch Numbers back online.

Mark

Marie C..
11-10-2008, 12:29 PM
Hugh knows there is a problem and he says he cannot get through to Ancestry re. some password problem. There may be more to all this than meets the eye.
All I know is it was an excellent source of parish records for me and for all who used it and please someone get it back in service ASAP. Marie

MarkJ
11-10-2008, 12:41 PM
The only people who can fix the problem are Hugh and Ancestry/Rootsweb I suspect.
If Hugh had trouble getting in, then possibly the miscreant who placed the malicious javascript on the site had managed to discover (probably via a brute force automated attack) Hugh's password - then the "hacker" could change the password to prevent Hugh from accessing the site and removing their "modifications".
If that is the case, Hugh may have to go through hoops to prove he is the legitimate site owner I suspect - my dealings with Rootsweb indicated that they have very slow turning wheels!

Mark

oxon57
11-10-2008, 1:38 PM
I'm reluctant to even mention the "other" forum, as someone else who gave a link in an earlier message had that link deleted, but...

1) Somebody posted a response from Rootsweb support, which confirmed that they had tried to get hold of Hugh and failed.
2) Hugh is surprised that they have an old e-mail address for him but has now contacted them himself, so hopefully it will get resolved in time.

...and if you bear in mind that people "chat" a lot on forums, I'm sure you'll be able to work out where we are talking about, read the thread if you want to, and maybe even sign up to post something, as although some action does at last seem in the wind and he may get the message when he and RW get talking, from my reading of it, I don't think he actually realises that it was hacked.

MarkJ
11-10-2008, 1:52 PM
With you ;)

I will hop over and see what the thread says. I recall seeing the mention of someone contacting Rootsweb a while ago - but they didn't seem to quite follow the message from the Rootsweb team about inserting reply between the lines if I have the right one.

I doubt Hugh was aware of the problem himself, unless he followed the stuff which was in the "other forum" thread you mention (and a couple of other similar posts on the same and other sites). Even if he had looked at the source code for his page, unless he actually viewed the single infected page, then scrolled right down and to the right, he wouldn't see it.

Ah well - off to see what I can discover :)

Mark

oxon57
11-10-2008, 1:53 PM
And, for the benefit of other members here, having read the thread elsewhere again (there have been rather a lot of messages since I last looked!), although the "potentially" malicious javascript which Mark discovered seemed to be dormant, not actually doing anything, there are a number of posts there from people saying that on visiting Hugh's site, they got some message saying that they could update their antivirus with "Antivirus 2009".

"Antivirus 2009" is, of course, malware, and I hope nobody on here fell for the scam and clicked on this supposed update, but if you did, you need to get rid of it, pronto, and get your PC disinfected - "Antivirus 2009" is exactly the opposite of what it claims to be.

MarkJ
11-10-2008, 2:05 PM
Hmm... seems Hugh is aware of the issue now. Thanks for the nod oxon57.

As someone mentioned this particular thread on B-G on the Rootschat (to make it clear to others) forum, hopefully Hugh may pop over to see what we are saying.

Hugh - if you wish to see the information about the malicious script and my dealings with the Rootsweb team, please let me know.
Easiest way is to either sign up to B-G and then send me a PM or I am sure that if you use the "Contact the Administrator" linky, Pam will pass on your email to me (if you do it that way, please mention my username and that it is about the Batch Numbers problem).

(Hope that will be OK Pam!)

Anyways, Hugh is apparently in discussion with the Rootsweb folks as we speak :)

It doesn't seem to me that he is quite clear as to the problem itself. On the RootsChat forum, he is stating that the Google Analytics is just a counter thingy (which indeed it is), but he doesn't seem to have noticed the carefully hidden (and confusingly similarly named) googleanalitics.net malware link is on the specific page.

Typically, all the discussion is in the RootsChat forum - and I am not a member there. Hopefully Hugh will note the B-G link in the thread there and pop here to see what we are saying.

Mark

Edit: Just spotted the mention of the malware oxon57 :) Yes, it does seem that several people have been infected by this junk as a result of the redirection caused by the javascript hidden at the bottom of the infected page.

Bill Buchanan
11-10-2008, 3:49 PM
|banghead|

I believe your posting said that LDS member-submissions to the IGI cause extracted records with the same information to be deleted. This is not true. Each record is independent, which is why we get so many duplicate submissions. If a record has been lost it is for some other reason.

v.wells
11-10-2008, 4:26 PM
Seems fine to me. Error on page didn't pop up this time either!

Now it's popping up again! I am at the point that I believe this to be an unreliable site and I don't know how to rectify the problem with it:confused:

ET in the USA
11-10-2008, 5:43 PM
I believe your posting said that LDS member-submissions to the IGI cause extracted records with the same information to be deleted. This is not true. Each record is independent, which is why we get so many duplicate submissions. If a record has been lost it is for some other reason.

Peter said the quote above. My reply was |banghead|

Elaine :D

Peter Goodey
11-10-2008, 5:50 PM
Peter said the quote above.


I did say that...but in a completely different thread.

I don't want to veer off at a tangent but if someone wants to prove me wrong, they just have to produce an example.

MarkJ
11-10-2008, 7:32 PM
Now it's popping up again! I am at the point that I believe this to be an unreliable site and I don't know how to rectify the problem with it:confused:

What is Vanessa? Hugh's site? At the moment, it is down as far as I am aware - pulled presumably by Rootsweb after they failed to contact Hugh.

The malware problem will hopefully be sorted once the site comes back - although I have not been informed or asked anything by Rootsweb/Ancestry for a couple of weeks. I am more than happy to help them if they want it, but until then, I am just waiting for the (cleaned) site to be back up and running. The Batch Numbers stuff was really helpful to most of us I believe and it is a great shame that it is down currently. Hopefully all will be back up soon :)

Mark

Bill Buchanan
12-10-2008, 1:31 AM
Help with the IGI is available for free from the knowledge base at http://productsupport.familysearch.org/supportroot/eng/frameset_products.asp

or by email: support AT familysearch DOT org

or toll-free telephone numbers in most parts of the world
e.g. in North America 866-406-1830, in UK 00-800-1830-1830
https://help.familysearch.org/kb/phonelists/en.htm


No, FamilySearch does not know what has happened to Hugh Wallis' site! I am sure they want to know, as it is referenced in the knowledge base. I hope his useful resource will become available again soon.

michaelpipe
12-10-2008, 2:20 AM
Now it's popping up again! I am at the point that I believe this to be an unreliable site and I don't know how to rectify the problem with it:confused:

Yes, Vanessa - I got the problem for the first time around the same time as your posting - message with reference to Antivirus 2009. Have no idea which link it came from as I had just been directed to the Rootsweb page "We're Sorry. The Page etc etc" and it appeared over that page.

Must be some fiddling going on at Rootsweb - wouldn't be the first time:confused::confused:

Michael

MarkJ
12-10-2008, 2:23 AM
No, FamilySearch does not know what has happened to Hugh Wallis' site! I am sure they want to know, as it is referenced in the knowledge base. I hope his useful resource will become available again soon.

I don't think anyone has suggested that FamilySearch knows/may know what has happened.
I can have a pretty good guess, based on my dealings with Rootsweb about this issue and using the info I have picked up from RootsChat today.

As you say, Hugh's site was a great help when it came to locating specific batch numbers for parishes of interest and like everyone else, I hope it comes back online as soon as possible. However, it does need to be clear of any issues - there is no point placing the old page with the malware in it back online.

Mark

MarkJ
12-10-2008, 10:47 AM
Sadly, Hugh doesn't seem to have any idea about the problem itself.

There is a problem on the page which has been mentioned in this thread (the one which ends in his name, not the one with /IGI_Batch_Numbers or whatever it is at the end).
The problem is a piece of javascript which is placed in the bottom far right corner of Hugh's site code. I am sure Hugh's original code does not contain this piece of code - it has been inserted into the page on the Rootsweb server by a third party (i.e a "hacker" or some other means).

There is no "false positive" discovery by AV programs involved - it isn't a virus as such, rather it is a code to make the viewer's browser open a malicious website and download whatever piece of malware is on that site at the time. Lately, it has been a piece of junk called "antivirus 2009" . Should someone be unfortunate enough to end up redirected to the malware site and end up downloading (without their knowledge) trojans or other bad stuff, then their AV program may well kick up a stink! But, otherwise, the only indication most users would see is if their browser uses some form of protection against redirections - e.g IE7 or Firefox with NoScript for example. That is what several B-G members have reported - that the browser warns that there is a problem, rather than any virus.

Because Hugh seems to have not updated his email contact address, all my attempts to contact him have failed. It appears that the attempts of the Rootsweb/Ancestry tech people to contact him also failed for the same reason. Because I - and presumably others - have reported the site to Rootsweb, giving all the technical details etc - they seem to have pulled the site after they received no response from Hugh (due to the old email address).

The problem is that Hugh has not fully understood the problem - partly I suspect due to the fact that some of the reports in RootsChat etc are - to say the least - rather misleading, not intentionally, but because the people mentioning the issue do not understand exactly what the problem itself is. Reporting that there is a "virus" etc is incorrect (although it is what many folks would do - because it is a malware issue). It is a redirection to a malware website - which DOES contain malicious stuff which varies from time to time.
I have also seen Hugh commenting about the Google-Analytics.com stuff - stating (quite correctly) that it is not harmful. However, he is being caught by the deliberate naming of the malware redirection (googleanalitics.net) which does, at first glance seem to be the same place - but it isn't! The use of "i" rather than "y", no hyphen and .net rather than .com are easily missed by the casual viewer. That is deliberate on the part of the miscreants who did this to the site.

Should Hugh wish to see the piece of code I am more than happy to show him both it and my discussions with the Rootsweb tech team :)

Exactly HOW they managed to insert this code I am not 100% sure. RootsChat, if they have the time, logs and ability, could possibly spot an intrusion, but it depends how long this has been going on.
I guess a brute force password guessing job, but I could be wrong. But if it was, then the taking down of the site, cleaning the junk and setting a new password will sort it.

Mark
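The lookalike-host check described in the post above, as an added example that is not part of the original thread or the site's own code: it lists every external host a page's scripts name and flags any that closely resembles an allowlisted one, with line and column so code tucked far down and to the right is still found. The allowlist, the 0.8 similarity threshold and the sample page are assumptions made for this example.

```python
import re
from difflib import SequenceMatcher
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the only third-party script host the site owner knowingly uses.
ALLOWED_HOSTS = {"www.google-analytics.com", "google-analytics.com"}
# Host names mentioned inside inline script text (http://host, https://host, //host).
URL_IN_JS = re.compile(r"(?:https?:)?//([A-Za-z0-9.-]+\.[A-Za-z]{2,})")

# Constructed sample page: one legitimate counter script, then a lookalike
# pushed 400 columns to the right on a later line. The file name is a placeholder.
SAMPLE_PAGE = (
    "<html><body>\n"
    '<script src="http://www.google-analytics.com/ga.js"></script>\n'
    "<p>Batch numbers</p>\n"
    + " " * 400
    + '<script src="http://googleanalitics.net/PLACEHOLDER.js"></script>\n'
    "</body></html>\n"
)


def skeleton(host):
    """Reduce a host to its second-level label with hyphens removed."""
    labels = host.lower().rstrip(".").split(".")
    name = labels[-2] if len(labels) >= 2 else labels[0]
    return name.replace("-", "")


def classify(host):
    """Return 'allowed', 'lookalike' or 'unknown' for a script host."""
    host = host.lower()
    if host in ALLOWED_HOSTS:
        return "allowed"
    for good in ALLOWED_HOSTS:
        if SequenceMatcher(None, skeleton(host), skeleton(good)).ratio() >= 0.8:
            return "lookalike"
    return "unknown"


class ScriptHostFinder(HTMLParser):
    """Collect (line, column, host) for each external host named by scripts."""

    def __init__(self):
        super().__init__()
        self.in_script = False
        self.hits = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.in_script = True
        if tag in ("script", "iframe"):
            host = urlparse(dict(attrs).get("src") or "").hostname
            if host:  # relative URLs have no host and are the page's own files
                self.hits.append((*self.getpos(), host))

    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False

    def handle_data(self, data):
        if self.in_script:
            for host in URL_IN_JS.findall(data):
                self.hits.append((*self.getpos(), host))


def audit(html):
    """Return (line, column, host, verdict) for every host not on the allowlist."""
    finder = ScriptHostFinder()
    finder.feed(html)
    finder.close()
    return [(line, col, host, classify(host))
            for line, col, host in finder.hits if classify(host) != "allowed"]


if __name__ == "__main__":
    for finding in audit(SAMPLE_PAGE):
        print(finding)
```

An "unknown" verdict is still worth a look by the page owner: it means a script host that nobody put on the allowlist.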

Neil Wilson
12-10-2008, 11:42 AM
I have just seen the following on the Cornish List;

Hugh Wallis has replied on the Roots Chat site.

"It appears some people have reported getting virus warnings from the site but, unless it is in the stuff ancestry adds, there is no virus there, and certainly not one inserted by me. I suspect ancestry have taken it offline. I also suspect that the anti-virus software that is giving these warnings is over zealous and has applied a heuristic detection algorithm to produce the warnings - and those algorithms are well known for producing occasional "false positives". Most reputable anti-virus software like AVG and Norton report the site as clean (or did until it was taken down by ancestry)

Unfortunately I have no control over it since ancestry do not even provide a means for me to change the password that is necessary to update the site. If some evil hacker has obtained that password somehow I can do nothing about it.

Actually I have not even accessed nor updated the site myself for many months.

Having no time to investigate further I shall be leaving it in the hands of ancestry - but they have not had the courtesy even to contact me so I don't know to what extent they intend to address the issue

Thanks

Hugh"

Bo, please could you contact Hugh 'off list' and advise him of this thread and Rootsweb response to MarkJ. It would be a shame if this site goes under.
Cheers

MarkJ
12-10-2008, 1:41 PM
Hopefully, via a long and tortuous route, my contact details could be heading to Hugh ;)

Mark

Hugh Wallis
12-10-2008, 1:47 PM
Not sure if anyone has contacted the Hugh Wallis site about this or not - but I shall fire off an email as soon as I finish this post.


Edit: I have sent an email to the site about this javascript injection - I will let you all know once I get a response.
In the meantime, please, please don't pop over to "have a look" unless you are familiar with this type of malware and are using sensible precautions to avoid becoming a victim.


Thanks Mark - I never received any e-mails from you so was not aware of your detailed analysis. Perhaps they didn't get through my challenge response spam filter? Some one pointed me to this thread so I can jump in and comment here.

Unfortunately I cannot look for myself now since rootsweb have turned off access to the site and have not yet responded to my e-mails to their support desk (but it is a holiday weekend in the US so maybe Tuesday will bring forth some response)

Any links I put on my pages were to googleanalytics.com purely for hit counter purposes. I never put anything there for the .net address you refer to. So by the sound of it someone has hacked into my account by getting through rootsweb's security. They should be able to check their logs to determine when and if that happened. Unfortunately there was not AFAIK any means for me to change my password and the one provided by rootsweb was short enough that a brute force attack could eventually bring success, although why rootsweb would not have detection software to catch brute force attacks I don't know. Maybe there was some other technique used - there are all kinds of methods available to steal passwords especially if they are stored in databases unencrypted - who knows what vulnerabilities there are in rootsweb's back end?

It is also perfectly feasible that the bad code was actually inserted into the advertising that rootsweb adds to the page, which might explain why it only cropped up occasionally since that is changed dynamically by the rootsweb servers. Again, I am only speculating here since, like everyone else, I cannot now access the site.

MarkJ
12-10-2008, 2:06 PM
Hi Hugh - many thanks for your input. I think you are quite correct - the similarly named "googleanalitics.net" code was added most likely by a brute force password hack. The malicious code was actually on the page source code - inserted by some ne'er do well via some sort of hack - presumably by getting the password I would think.

I have dropped you an email with a little more detail - although if you have struggled through the several pages in this thread, you probably already have the details :)

Thanks again for giving us a little detail on the problem. We all hope I am sure that the Batch Numbers are soon up and running - it is a great resource for genealogists.

Cheers,
Mark

twist69
12-10-2008, 2:48 PM
I lost it just three days ago, does not seem to be anywhere now.

v.wells
12-10-2008, 2:56 PM
Now I know where the "Antivirus 2009" emails come from. I just delete them and mark them as spam. I know what virus software I run. I will look for the code. Thanks MarkJ. I am now better informed:)

/freepages.genealogy.rootsweb.ancestry.com/~hughwallis/IGIBatchNumbers.htm DOES NOT WORK AVOID

Does anyone have the CORRECT url to use?

MarkJ
12-10-2008, 3:14 PM
Hi Vanessa,
That page - if Rootsweb hadn't pulled it - would be absolutely fine.
The problem page is very similar - basically, if you took the "IGIBatchNumbers.htm" off the end and hit enter, you would be seeing the problem page.

At the moment, ALL of Hugh's pages are not available - Rootsweb have temporarily pulled them from what I can gather. Hopefully, all will be sorted soon - Hugh has backups of the site I expect and those should be fine. It would seem the redirection script had been added by some miscreant who somehow managed to sneak it onto Hugh's page - probably by getting the password by naughty means...

Mark

v.wells
12-10-2008, 3:26 PM
Both don't work and it brings up the Rootsweb/ancestry page. I had 2 bookmarks 1 with "IGIBatch...." and the other without. I have deleted both bookmarks now as they are useless. I shall wait and wait and..... for Hugh's backup plan:D

Neil Wilson
12-10-2008, 3:40 PM
You could use the Archive Wayback (http://web.archive.org/web/*/http://freepages.genealogy.rootsweb.com/~hughwallis/) site (hyperlink as Hugh's site selected) and choose from about 2006. That should be safe to use.

ET in the USA
12-10-2008, 4:26 PM
The good news in all this mess is that if Hugh has read the thread, he knows how much we all appreciate his efforts & how much we used the site & miss being without it.

Thanks Hugh. |hug|

v.wells
12-10-2008, 6:14 PM
You could use the Archive Wayback (http://web.archive.org/web/*/http://freepages.genealogy.rootsweb.com/~hughwallis/) site (hyperlink as Hugh's site selected) and choose from about 2006. That should be safe to use.

Thanks Neil. Will try it.:)

ET - We are all crazy|laugh1|That's why we do what we do researching our ancestry:D
|banghead|Unite us.

christanel
12-10-2008, 9:53 PM
You could use the Archive Wayback (http://web.archive.org/web/*/http://freepages.genealogy.rootsweb.com/~hughwallis/) site (hyperlink as Hugh's site selected) and choose from about 2006. That should be safe to use.
Thanks for this Neil, it works. I wasn't having any trouble at all until they pulled the site completely.
Christina

MarkJ
13-10-2008, 9:11 PM
Just an update to say that it appears that Rootsweb have placed the Hugh Wallis site back online.

I have looked and the malicious script is still on the page I mentioned before - so the warning still applies.

Using the site via the IGIBatchNumbers.htm link is perfectly fine. If you use the link I have mentioned before several times - which contains the malicious script - you WILL run a high risk of problems.

Mark

Hugh Wallis
14-10-2008, 1:10 AM
Just an update to say that it appears that Rootsweb have placed the Hugh Wallis site back online.

I have looked and the malicious script is still on the page I mentioned before - so the warning still applies.

Using the site via the IGIBatchNumbers.htm link is perfectly fine. If you use the link I have mentioned before several times - which contains the malicious script - you WILL run a high risk of problems.

Mark

Just got home - got the notice from rootsweb that they have put it back on line. Checked the page and it did have the offending code - I HAVE NOW REMOVED IT AND YOU SHOULD BE OK. Do, however, watch out in case this hacker gets back in again. The page appears to have been changed on July 9th 2008 but, since I do not keep a copy of my password on my computer the intrusion could not have emanated from me.

Thanks for everyone's support

Cheers

Hugh

MarkJ
14-10-2008, 2:05 AM
Great news Hugh - I was just popping onto B-G to let the members know that you have sorted the problem and spotted your reply here.

I am sure I speak for all when I say a huge "thank you" for your efforts in sorting the problem and for your excellent Batch Numbers resource!

Thanks again,
Mark

lcombe
14-10-2008, 6:37 AM
I keep it in my Bookmarks - same as Favorites:
http://freepages.genealogy.rootsweb.ancestry.com/~hughwallis/IGIBatchNumbers.htm
Maybe a different browser would not have so much trouble. I have Firefox. I also have an Apple Mac computer so it is fairly virus proof.
Best of luck
Linda

Pam Downes
14-10-2008, 6:48 AM
Hi Hugh,
Thank you for the update - with the good news. :)
I can only repeat Mark's words, and assure you that people from literally all over the world echo them too.


I am sure I speak for all when I say a huge "thank you" for your efforts in sorting the problem and for your excellent Batch Numbers resource!
Pam

MarkJ
14-10-2008, 9:02 AM
I keep it in my Bookmarks - same as Favorites:
http://freepages.genealogy.rootsweb.ancestry.com/~hughwallis/IGIBatchNumbers.htm (http://freepages.genealogy.rootsweb.ancestry.com/%7Ehughwallis/IGIBatchNumbers.htm)
Maybe a different browser would not have so much trouble. I have Firefox. I also have an Apple Mac computer so it is fairly virus proof.
Best of luck
Linda

Hi Linda,
The problem is sorted now, but regardless of browser, when the problem existed, going to a specific page (not the one you mention) would have attempted to redirect you sneakily to a less pleasant site.
Just to clarify - there was no virus, it was a javascript redirection to another site which contained malware of varying sorts which changed from time to time. Windows, Mac, Linux etc - it wouldn't matter which OS you were using as the redirection was at browser level. If your browser had some sort of warning against redirection (e.g Internet Explorer 7, Firefox with NoScript), then you would spot the attempt. Without any warning tools, the browser would head off to the malware site. Once there, it would attempt to download stuff. The OS then comes into play - as you say, Macs and Linux are not susceptible to Windows viruses and trojans, however most people run Windows, hence the warning at the time of the problem.

I personally run Linux, various browsers (including Firefox 3 with all sorts of add-on security tools) and have a small interest in this kind of thing.

But Hugh has responded quickly to the problem - as soon as he was aware of the issue he began dealing with it and all is now running properly again.

Mark

Pam Downes
14-10-2008, 2:23 PM
I am ashamed to say that I forgot some of my manners this morning. |oopsredfa
I thanked Hugh for his wonderful site.
Then I forgot to say another huge 'thank you' to Mark for all his detective work in finding the problem in Hugh's site. Work which I'm sure proved invaluable in getting things up and running again so quickly.
Mark - thank you. |bowdown|
Pam

MarkJ
14-10-2008, 4:09 PM
I didn't do much Pam - hopefully my contribution helped to get the site cleaned and back up again for us all to use safely.

But your thanks are gratefully received :)

Mark

Ladkyis
14-10-2008, 6:50 PM
Mark from where you are sitting it might not seem like much but from where we are sitting and staring in awe it is one heck of a lot.
We are ever so ever so grateful that you took the time, and that you didn't give up on it at the first obstacle.

Thank you from me and everyone else who thinks the same way as me.

ET in the USA
14-10-2008, 7:07 PM
|bowdown|And especially from me who started the whole thing back in August


Elaine

Hugh Wallis
14-10-2008, 7:54 PM
Mark from where you are sitting it might not seem like much but from where we are sitting and staring in awe it is one heck of a lot.
We are ever so ever so grateful that you took the time, and that you didn't give up on it at the first obstacle.

Thank you from me and everyone else who thinks the same way as me.


Hear hear - big thanks to Mark who tracked down the details of the issue

FWIW you might like to know that Rootsweb have now changed my password and the clean web page is still in place so I hope that it will not get re-edited by whoever hacked in there in the first place

MarkJ
14-10-2008, 8:01 PM
Nice to hear that Hugh! Such a valuable resource and was missed for the day or two it was offline by all.

Many thanks to everyone for their kind comments - they are very much appreciated.

I am sure Hugh is aware of how much everyone in the genealogy community appreciates his site - without it, searching the IGI can be quite a chore! So it is great news to have it back again - and thanks for building it in the first place Hugh :)

Mark