  1. #21
    MarkJ
    Guest

    Ok, let me go into a very quick explanation

    First of all, if you use the site via -
    freepages.genealogy.rootsweb.ancestry.com/~hughwallis/
    (DO NOT CLICK!!!)
    you will find there is a malicious javascript there.

    If you access via -
    https://freepages.genealogy.rootsweb....tchNumbers.htm
    the javascript is not in that part.

    I can't help with Microsoft Internet Explorer - I don't (and wouldn't) use it.
    If you are getting a warning - which you obviously are, ET - then that would suggest you have some form of protection via your browser. I believe the latest IE does have built in protection against redirections.
    If you are using Firefox, then you are not guaranteed to be safe. Malicious scripts can run on any browser unless it has either some form of protection built in (as the latest browsers do) or you have javascript turned off by default. As I use Firefox and so many sites insist on javascript (sorry js fans - it really isn't safe, whatever you claim!), I run an add on called No Script, which allows me to see and allow or deny any scripts - including javascript.

    The members who have mentioned seeing a warning about possible redirection/malicious activity were quite safe as long as they didn't over-ride that warning and carry on.
    Those who didn't see a warning *may* have accessed the site via the "safe" link (the one which I placed above and is the one Googling the site should give you). If someone went to the first (dodgy) link and didn't see a warning, then chances are that they would have collected a malware problem if one was on the "googleanalitics.net" site at the time. From my research into this site, it seems that malware comes and goes - presumably depending on who pays to host their nasties on that site.

    AVG is an anti virus program which - like any other AV program - *may* pick up trojans. Not all trojans are detected by AV programs (because technically they are not viruses), but most are. At the moment, I am not sure what types of malware were/are regulars on the "googleanalitics.net" site, so I can't state categorically that your AV program will or will not pick them up. But I would be fairly confident that - as long as you heeded the warning - you are fine.

    I wouldn't lie awake worrying - *if* you were infected with something, it would be fairly obvious in most cases. If you notice your PC running really slowly for example, or it seems to be constantly flashing the sending light on your modem or router, then you perhaps need to run a scan. Otherwise, just continue to practice "safe browsing".

    Mark
    Last edited by MarkJ; 29-08-2008 at 9:26 AM. Reason: removed the clicky link to the iffy site - just in case

  2. #22
    MarkJ
    Guest

    Originally posted by oxon57:
    Obviously not half as familiar enough as you, Mark, but interested, and confident enough to risk sticking my nose in running Firefox with the very useful "NoScript" extension.
    I see what you mean - if I click my little NoScript icon, I can, if I wish, allow both the legitimate "google-analytics.com" script and the potentially dangerous "googleanalitics.net" script. In fact, from previous use, the site runs perfectly well without even allowing the legitimate Google script, so I've never bothered with it and have that blocked too, never mind the other one, which I'd automatically be suspicious of because they can't spell analytics!

    As you evidently understand these things properly, though, could you enlighten me on one point?
    When I look at the code for the page, the nasty one does not show up. Would I be correct in thinking that it's in the encoded chunk of javascript at the very end, starting:
    <!--ab00ecd93a86f0b704ac95cfdda98bf0-><script language=javascript>snexv="%";rfpbn="@3cs@63ript@2 0@6can@67 ...

    ?
    I am certainly not a javascript expert. In fact, I know very little about it to be honest - my wife is the one who is the coder in our house.

    But yes, the piece of code, right at the very bottom and right over on the right of the "page source" seems to be the relevant piece of code.

    Like you, I use No Script (and Linux for added security) - hence how I picked up the rather illiterate googleanalitics.

    I am more of a spam/scam person myself when it comes to security issues. Those are my main interests. I hope Neil Wilson picks up on this thread - he is more of a security minded chap than myself - and can probably decipher the code more quickly than I can. It wouldn't be hard to do I guess looking at it, but it is 3am and I don't fancy it myself.

    Mark

  3. #23
    oxon57
    Guest

    Thanks, Mark, that gives me an idea of what I might be looking for elsewhere if one of my even less techie friends runs into trouble one day - little things like that are always useful to know.

    And I'm not going to attempt it at this time of night either - I have a week off work at the moment, so I'm up late, but it's well past my normal bedtime, I think the little grey cells would protest strongly.

    A friend once described javascript to me as "the spawn of the Devil" - I take it you wouldn't disagree! Oddly enough, he was Mark too - but solidly based in Weston-super-Mare, not Cornwall.

  4. #24
    MarkJ
    Guest

    I had a swift look, but it seems to define a few variables and then, later, converts all the odd bits of code back to hex - but I haven't looked that hard to be honest!

    I suspect it does nothing more than use that js to redirect to the malicious site which we have noted via our No Script.

    I have argued against Javascript for years - despite being told by many people how useful it is.... Mind you, I have a huge list of Satanic Spawn which I would ban for one reason or another - including Flash and other "multimedia" garbage.
    Javascript stands out on its own as far as risk is concerned in my view though. But I am sure that it has many really great uses ....

    Mark (we all think alike)
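
The obfuscation discussed in posts #22 and #24 (string variables in which a stand-in character replaces "%", converted back to hex escapes at run time) can be unpacked as plain data without ever running the script. This is an added example, not code from the thread or from the infected page: the SAMPLE string, its variable names and the /x.js path are constructed, and treating the marker as a stand-in for "%" is an assumption based on the fragment quoted in #22. It goes a little beyond the thread by also flagging any decoded host that is a near-miss of a trusted name.

```javascript
// Static analysis only: script text is handled as data and never executed.
// SAMPLE is constructed for this example (hypothetical variable names and path).
const SAMPLE = 'a="%";b="@3Cscript src@3D@22http@3A@2F@2Fgoogleanalitics.net@2Fx.js@22@3E@3C@2Fscript@3E";';

// Collect every name="value" string assignment found in the script text.
function stringAssignments(src) {
  const out = {};
  for (const m of src.matchAll(/(\w+)\s*=\s*"([^"]*)"/g)) out[m[1]] = m[2];
  return out;
}

// Assume the symbol most often followed by two hex digits stands in for "%", then decode.
function decodeSubstituted(value) {
  const counts = {};
  for (const m of value.matchAll(/([^A-Za-z0-9\s])(?=[0-9A-Fa-f]{2})/g))
    counts[m[1]] = (counts[m[1]] || 0) + 1;
  const marker = Object.keys(counts).sort((x, y) => counts[y] - counts[x])[0];
  if (!marker || counts[marker] < 3) return value; // nothing that looks encoded
  const esc = marker.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
  return value.replace(new RegExp(esc + '([0-9A-Fa-f]{2})', 'g'),
    (_, hex) => String.fromCharCode(parseInt(hex, 16)));
}

// Host names referenced by http(s) URLs in the decoded text.
const hostsIn = text =>
  [...text.matchAll(/https?:\/\/([A-Za-z0-9.-]+)/g)].map(m => m[1].toLowerCase());

// Levenshtein distance, used to spot names that are a letter or two off a trusted one.
function editDistance(s, t) {
  let prev = Array.from({ length: t.length + 1 }, (_, j) => j);
  for (let i = 1; i <= s.length; i++) {
    const cur = [i];
    for (let j = 1; j <= t.length; j++)
      cur[j] = Math.min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (s[i - 1] === t[j - 1] ? 0 : 1));
    prev = cur;
  }
  return prev[t.length];
}

// Compare second-level labels with punctuation removed, so hyphen tricks do not hide a match.
const label = h => h.split('.').slice(-2)[0].replace(/[^a-z0-9]/g, '');
function isLookalike(host, trusted) {
  return host !== trusted && !host.endsWith('.' + trusted) &&
    editDistance(label(host), label(trusted)) <= 2;
}

function analyse(src, trusted) {
  const decoded = Object.values(stringAssignments(src)).map(decodeSubstituted).join('\n');
  return hostsIn(decoded).filter(h => isLookalike(h, trusted));
}
```

Calling `analyse(SAMPLE, 'google-analytics.com')` returns the misspelt host the thread noticed through NoScript.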

  5. #25
    Mary Anne
    Guest

    As I said, keep your security software up-to-date... I use Norton (and put up with its chugging, from time to time...) for that very reason! Then you don't have to understand the *satanic* programming and whether it is pseudo/occasional beneficial Java/Flash/or whatnot, all you need to know is that it has detected an issue!

  6. #26
    MarkJ
    Guest

    Update:
    I have not heard from Hugh, so I have this evening sent a mail directly to the Rootsweb "Help" desk. Not exactly easy to actually find the correct place to notify them of an issue!

    Will post if I get a reply. Meantime, the specified page is still infected - so the same rules apply!

    Mark

  7. #27
    oxon57
    Guest

    Hmmm... no change - perhaps they don't understand English?
    After all, good old Rootsweb is run by you-know-who these days, isn't it? Mention a virus and they probably reach for a tissue to wipe the screen, mention a trojan and they probably go looking for the census of Greece.

  8. #28
    MarkJ
    Guest

    I have had several discussions with one of the support guys at Rootsweb about this issue over the last three weeks.
    At first, they claimed there was nothing there, then that their "in house" protection systems were perhaps preventing them from seeing the problem at their end. They asked for various bits of info - last I heard from them they requested the actual javascript code - which I sent them (sanitised, but with instructions as to what I had done and how to enable it again if they really really must!). They then asked how the malicious script ended up on the page! How am I supposed to know how some "haXor" managed that?? I gave them a few suggestions as to how it could be done but since then, I have heard nothing at all. Maybe they think I am the evil haXor or something now! They did say that they had also asked Hugh to look at the problem - but I have also tried that approach and not had any response to my emails as yet.

    To be honest, they seem to have no idea about security problems - I am sure they can probably explain how to set up a webpage or something, but how to respond to this issue seems beyond their comprehension.

    I would still steer well clear of the "dodgy" access URL to the site. The one which comes up on Google (with BatchNumbers.htm or something at the end) is fine.

    Unless I hear more from the Rootsweb guys (or Hugh), I am leaving it at that. My report seems to have been pretty much ignored - despite me explaining the exact issue, sending them the dodgy code when requested to do so etc etc.
    Some folks just don't want to know - or simply cannot understand! I have come across similar things in the past and have learned that no matter how hard you try, some folks just don't listen.

    As long as B-G members (and the general public) have been made aware of, and avoid, the malware URL, then I am happy.

    Mark

  9. #29
    ET in the USA
    Guest

    Thanks for your efforts Mark. I shall be sure to enter via the correct door, if I dare enter at all! For now, I'm searching via Familysearch.org & slogging through all the submitted #$%@.

    Elaine

  10. #30
    Name well known on Brit-Gen
    Join Date: Feb 2008
    Location: South Australia
    Posts: 4,594

    Vanessa, very profound your signature,

    Elaine, why not try deleting your shortcut, & retyping the URL.
    Last edited by Waitabit; 06-10-2008 at 8:26 AM. Reason: A large red, = typos
    Happy Families
    Wendy
    Count your Blessings, they'll all add up in the end.
