As I mentioned last Friday, this site was compromised. A friend (thank you so much Peter!) jumped in and we tried to unravel the mess. And when I say “we” I mean, “Peter did most of the heavy lifting and my job consisted mostly of remembering things.” Since I know some of you will be curious about it, I thought I’d share the results.
In looking at the problem, we had several goals and questions:
- Is the machine actually infected? If so, with what?
- Remove the infection.
- Figure out how the infection occurred.
- Secure the machine to prevent future infections.
Let’s look at the results:
Is the machine actually infected? If so, with what?
Yes, it was infected with Flash ‘EITest’, which seeks to spread by infecting reputable sites. (According to that website, it’s also infected sites like The Department of Statistics at Carnegie Mellon University.)
It presents a flash file to visitors and exploits some weakness in Flash + Internet Explorer + Windows 7 to get some sort of malware onto the user’s machine.
I must say that infections are getting more socially clever. Sure, a lot of them had technological cleverness to spare. A hacker would find and exploit any number of obscure weaknesses, and write sophisticated code to accomplish amazing wonders on the victim’s machine. But they were always so brute-force and idiotic when it came to the human element. Infections were brazen, aggressive, and obvious. You could often see right away that you were infected. Yes, a few people were oblivious enough that they didn’t realize all those porn popups from CNN.com meant their computer was hacked, but those people are not the norm. The malicious programs would attack early, attack often, and would make themselves very obvious. It’s like a guy in a ski mask walking down the street in broad daylight and attempting to mug every single person they pass, even if it’s a kid, a hobo, or a policeman. That crime spree isn’t going to last long.
This particular devil was a little smarter. It wouldn’t present itself unless you were running Windows 7 and using Internet Explorer, since you needed both of those to be vulnerable. It kept a record of visitors, and would never attack the same person (IP address) twice. After all, after the first attack you’re either infected or immune, so why bother attacking again?
This made the thing tough to track down.
Remove the infection.
The infection was focused on two main files. The first was templater.php, which resided in the root of the blog directory. Templater.php isn’t a normal part of WordPress, but that directory is full of PHP files. There were two clues that this file didn’t belong: 1) All proper WordPress files begin with “wp-”, so it should have been named “wp-templater.php”. 2) The file was frigging huge. The typical WordPress source file is a few hundred bytes. This thing was 38 kilobytes. The text of the file was mostly gibberish like this:
<?php $ttbfckdqfa = '5c%x78256<pd%x5c%x7825w6Z6... (continues for a hundred pages) .../epreg_replaceefqvzwsatb'; $nbwiiqbipb = explode(chr((155-111)),'5322,50,8008,29,6622,67,4334,20,9933,52,3670,59,6882,... (another page of crap) ...,5987,20,6371,46'); $ibhulntvxz=substr($fnfnheabvb<( sizeof($grsaktoxtd)/2);$fnfnheabvb++) { $szifljfgnf .= substr($zxtzeeqjap, $grsaktoxtd[($fnfnheabvb*2)], $grsaktoxtd[($fnfnheabvb*2)+1]); } return $szifljfgnf; };} $jwwectgvwb="\x20\... (You get the idea.)
We figured it’s probably binary data, encoded into a string, and then un-packed when needed. The sad thing is that that isn’t even the most unreadable PHP file I’ve ever seen, and this one was obfuscated on purpose.
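The clues in that snippet (a string literal that runs for pages, `explode(chr((155-111)))` instead of a plain `','`, hex-escaped names that are later called as functions) are exactly the markers a defender can scan for. The following is an added example, not code from the post or from WordPress: a small heuristic scanner that flags PHP source carrying several of these obfuscation markers at once. The two sample files embedded in it are constructed stand-ins (the "suspicious" one only mimics the shape of the quoted gibberish, it is not the real templater.php), and the 20 KB size threshold and the "two or more hits" rule are assumptions to tune for your own install.

```python
import os
import re
import sys

# Regexes for obfuscation markers commonly seen in dropped PHP files.
# Each one alone can appear in legitimate code; several together rarely do.
INDICATORS = {
    "eval_call": re.compile(r"\beval\s*\("),
    "base64_decode": re.compile(r"\bbase64_decode\s*\("),
    "dynamic_decoder": re.compile(r"\b(gzinflate|gzuncompress|str_rot13|create_function)\s*\("),
    # chr() of an arithmetic expression, e.g. chr((155-111)) == ','
    "chr_arithmetic": re.compile(r"\bchr\s*\(\s*\(?\s*\d+\s*[-+*/]\s*\d+"),
    # splitting a payload on a separator that is itself hidden behind chr()
    "explode_on_chr": re.compile(r"\bexplode\s*\(\s*chr\s*\("),
    # four or more consecutive \xNN escapes: a function name spelled in hex
    "hex_escape_run": re.compile(r"(\\x[0-9a-fA-F]{2}){4,}"),
    # a single quoted string literal of 500+ characters (the encoded payload)
    "long_string_literal": re.compile(r"'[^']{500,}'|\"[^\"]{500,}\""),
}

# Constructed sample mimicking the shape of the quoted dropper (not the real file).
SUSPICIOUS_SAMPLE = (
    "<?php $ttbfckdqfa = '" + "5c%x78256<pd%x5c%x7825w6Z6" * 40 + "';\n"
    "$nbwiiqbipb = explode(chr((155-111)),'5322,50,8008,29,6622,67');\n"
    "$jwwectgvwb = \"\\x20\\x65\\x76\\x61\\x6c\";\n"
    "eval($jwwectgvwb($ttbfckdqfa));\n"
)

# Constructed sample shaped like an ordinary WordPress front controller.
BENIGN_SAMPLE = (
    "<?php\n"
    "/**\n * Front to the application (constructed benign sample).\n */\n"
    "define( 'WP_USE_THEMES', true );\n"
    "require __DIR__ . '/wp-blog-header.php';\n"
)


def scan_php_source(text, size_threshold=20_000):
    """Return the sorted list of indicator names that fire on this source text."""
    hits = []
    if len(text) > size_threshold:      # the post's 38 KB file would trip this
        hits.append("oversized")
    for name, pattern in INDICATORS.items():
        if pattern.search(text):
            hits.append(name)
    return sorted(hits)


def is_suspicious(text, size_threshold=20_000, min_hits=2):
    """Two or more independent markers is the (assumed) threshold for review."""
    return len(scan_php_source(text, size_threshold)) >= min_hits


def scan_file(path):
    # latin-1 never fails to decode, so binary junk inside a .php file is tolerated
    with open(path, "rb") as fh:
        return scan_php_source(fh.read().decode("latin-1"))


def scan_directory(root):
    """Walk a tree and report every .php file that looks obfuscated."""
    findings = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            if name.lower().endswith(".php"):
                path = os.path.join(dirpath, name)
                hits = scan_file(path)
                if len(hits) >= 2:
                    findings[os.path.relpath(path, root)] = hits
    return findings


if __name__ == "__main__":
    if len(sys.argv) > 1:
        for rel, hits in sorted(scan_directory(sys.argv[1]).items()):
            print(f"{rel}: {', '.join(hits)}")
    else:
        print("suspicious sample:", scan_php_source(SUSPICIOUS_SAMPLE))
        print("benign sample:    ", scan_php_source(BENIGN_SAMPLE))
```

Run it as `python scanner.py /path/to/wordpress` to list files worth a closer look; anything it flags should be compared against a pristine copy of the same WordPress version rather than judged on the heuristics alone, since minified or legitimately packed plugin code can trip one or two of the markers.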
The other troublesome file was “error_log”, which looked like an error log and contained stuff you would expect to find in an error log, but is not part of WordPress proper.
Both of these files had promiscuous file permissions set and were owned by “nobody” instead of being properly owned by my hosting account, as would be normal for files on my website. They were both created on August 4, which suggests that this is when the infection took place. (At the time, I was busy dealing with this.) No other WordPress files (or any files) were created on or around that date.
We checked for other files created after August 4th. Nothing had been touched outside of the WordPress folder.
It seemed pretty easy to remove these offending files, but in the end this “surgical strike” approach seemed too risky. What if this thing had inserted bits of itself into other parts of WordPress? WordPress is huge. It has hundreds of files spread out over dozens of nested directories. Properly inspecting them all would be impossible.
So we did a complete re-install of WordPress. This is why some site features vanished. Those were plugins that need to be re-installed. Over the next couple of days I’ll restore comment editing and “check here if you’re not a spammer”.
Figure out how the infection occurred.
My FTP site was using a password that’s as old as this blog. However, I don’t think that was the attack vector. If the FTP had been used, the attacker would have been able to hide things much better. (The infected files would have been owned by me.)
Several file permissions were far too permissive, and I think that was the opening that let the attacker in. The WordPress folder was set so that anyone on the machine could write to that directory. So if stupidcrap.com and shamusyoung.com are hosted on the same machine, and if stupidcrap.com got hacked, the hacker would also be able to put files in my WordPress directory.
This vulnerability has probably been around for AGES. Back in the early days of this site, I was pretty careless. I didn’t know the danger, I didn’t quite get how permissions worked, I didn’t envision this blog as something that needed to be built to last, and I didn’t care what happened to it. If Linux file permissions gave me trouble, I just added permissions until it stopped. I figure I was probably working on one of the early plugins or the theme that now drives the site and wanted to do something fancy. I changed permissions while I was working, and then neglected to change them back when I was done.
So it was probably my fault. The other possibility – that the machine itself was compromised – is technically possible but far less likely. I’m willing to bet this was a mistake I made ages ago.
Secure the machine to prevent future infections.
We cleansed the filesystem of all files not owned by me. (Those two were the only troublemakers.) Directory permissions were locked down again. Passwords were changed.
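The three checks described in the post (files owned by someone other than the hosting account, directories anyone on the machine can write to, and anything created or modified on or after the infection date) are worth scripting so they can be re-run after every plugin update. What follows is an added example, not the post's own procedure or anything from WordPress: a Python audit over a directory tree, plus a lock-down step that resets directories to 0755 and files to 0644. The demo tree it builds in a temp directory is constructed (the file names mirror the ones in the post, the contents do not), and since an unprivileged process cannot change file ownership, the "foreign owner" check is exercised against the current user's own uid and comes back empty in the demo.

```python
import os
import stat
import tempfile
from datetime import datetime, timezone

# The post's infection date, used as the "anything newer than this" cutoff.
SINCE_EPOCH = datetime(2014, 8, 4, tzinfo=timezone.utc).timestamp()


def audit_tree(root, expected_uid, since_epoch):
    """Walk `root` and return the paths that fail each of the three checks."""
    report = {
        "foreign_owner": [],        # owned by someone other than expected_uid
        "world_writable_dirs": [],  # mode has the o+w bit: anyone can drop files here
        "world_writable_files": [],
        "modified_since": [],       # regular files with mtime on/after the cutoff
    }
    for dirpath, _dirnames, filenames in os.walk(root):
        entries = [(dirpath, True)] + [(os.path.join(dirpath, f), False) for f in filenames]
        for path, is_dir in entries:
            st = os.lstat(path)     # lstat: do not follow symlinks out of the tree
            rel = os.path.relpath(path, root)
            if st.st_uid != expected_uid:
                report["foreign_owner"].append(rel)
            if st.st_mode & stat.S_IWOTH:
                key = "world_writable_dirs" if is_dir else "world_writable_files"
                report[key].append(rel)
            if not is_dir and st.st_mtime >= since_epoch:
                report["modified_since"].append(rel)
    for key in report:
        report[key].sort()
    return report


def lock_down(root, dir_mode=0o755, file_mode=0o644):
    """Reset every directory/file under root to the given modes; return what changed."""
    changed = []
    for dirpath, _dirnames, filenames in os.walk(root):
        targets = [(dirpath, dir_mode)] + [(os.path.join(dirpath, f), file_mode) for f in filenames]
        for path, mode in targets:
            if stat.S_IMODE(os.lstat(path).st_mode) != mode:
                os.chmod(path, mode)
                changed.append(os.path.relpath(path, root))
    return sorted(changed)


def build_demo_tree():
    """Construct a small fake blog directory reproducing the misconfiguration."""
    base = tempfile.mkdtemp(prefix="wp-audit-demo-")
    root = os.path.join(base, "blog")
    os.mkdir(root)
    os.mkdir(os.path.join(root, "wp-content"))
    old = SINCE_EPOCH - 30 * 86400       # legitimate files predate the infection
    planted = SINCE_EPOCH + 3600         # dropped files appear on the infection day
    for rel, mode, mtime in [
        ("wp-config.php", 0o644, old),
        ("wp-content/index.php", 0o644, old),
        ("templater.php", 0o666, planted),   # constructed stand-in, not the real dropper
        ("error_log", 0o666, planted),
    ]:
        path = os.path.join(root, rel)
        with open(path, "w") as fh:
            fh.write("<?php // constructed demo file\n")
        os.chmod(path, mode)
        os.utime(path, (mtime, mtime))
    os.chmod(root, 0o777)                 # the world-writable blog directory from the post
    os.chmod(os.path.join(root, "wp-content"), 0o755)
    return root


if __name__ == "__main__":
    demo = build_demo_tree()
    print("before:", audit_tree(demo, os.getuid(), SINCE_EPOCH))
    print("changed:", lock_down(demo))
    print("after: ", audit_tree(demo, os.getuid(), SINCE_EPOCH))
```

On a real install you would call `audit_tree("/path/to/wordpress", os.getuid(), cutoff)` and review the lists before running `lock_down`; note that `lock_down` deliberately makes the whole tree read-only for the web server, so a directory that legitimately needs writes (uploads, a dedicated log directory) has to be re-opened afterwards, and only that directory.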
Wrapping up.
Remember that you’re only at risk if you’re on Windows 7 and using unpatched Internet Explorer 11 with Flash enabled. I imagine if you’re using Internet Explorer then it’s because you have to and not because you want to. Do make sure to keep it up to date. Attacks like this can come from anywhere, so sticking to “safe” sites isn’t enough.
Hopefully you didn’t catch anything on account of me. Everything should be solid now. Thanks for your patience.
“I must say that infections are getting more socially clever.”
I was talking about this a few months back, asking why malware is so stupid. So I guess it’s better (worse?) now. That’s uhhhh…. that’s sure a thing.
The most clever thing I’d ever had to deal with before this was viruses that give antivirus type warning messages and make your life miserable if you fall for them. They got more and more persistent too. Tactics changed as they proceeded. Eventually whenever our users got one of these, you just had to wipe and reinstall the computer. Those attacks relied on attacking bulks of users with the knowledge that at least a few would be gullible.
My mom got one a couple years ago that was pretending to be an antivirus, and it actually looked quite a lot like the built-in antivirus on her machine. She would have fallen for it, too, but she couldn’t find the credit card to “renew” her subscription and called me in for help.
First time dealing with a virus, and I stared at it for like 5 minutes before concluding, no, that may look the same, but that is not the name of the antivirus you use. Googled it. Eight hours later, I finally declared it clean, and she hasn’t had a problem since. Though I doubt she would notice if she did.
I’ve never met one of those that Combofix wouldn’t clean.
Combofix was a godsend. Also kind of a pain because you always have to download a new copy and run it over (but that’s what makes it awesome as well) and we have a huge complex.
Actually there were one or two variations that so overwhelmed the machine with notifications about viruses that you couldn’t get Combofix on the machine to fix anything.
Got especially funny when they started reporting that things like “taskmgr.exe” and “regedit” were viruses.
A few of these hooked into the registry so that it ran itself every time you tried to run any exe.
I had one of those. Any diagnostics/fixing tools I tried to run were interrupted by the malware.
After trying to remove it using a boot disk, it kept coming back – I guess it had embedded itself somewhere ‘unfindable’. Luckily I have many backups, so I just went back until I found a clean one.
Then my PC power supply died and took the motherboard with it…
It’s a little like “there’s no such thing as a perfect crime.”
Well, that seems optimistic. But we *do* know that we’ve never *caught* anybody in the middle of committing a perfect crime, only crimes that were perfect until we stumbled onto them mid-way :-)
If there are very clever viruses, we probably haven’t caught most of them.
One can always get lucky and stumble upon a perfect crime. It’s not likely, but it could happen.
Plus, there’s a whole spectrum of competence between crap and perfect that should be seen if perfect viruses do exist. So most likely very intelligent viruses are not a thing, or if they are there’s very few (as in less than 10) of them.
I’m reminded here of Stuxnet, which was really designed to be good at this. It had one purpose, and while it spread it was designed to be dormant on everything but the specifically targeted machines for specifically targeted purposes (specifically, destroying Siemens manufactured centrifuges in Iran). Had it not been for a very minor bug, it could have really been the perfect virus.
But somehow (I can’t dig up the details), for some reason when a machine in Belarus got infected, the virus did not hide quietly, but started actively attacking the machine and reproducing itself, which is how it got caught.
The perfect crime is really hard…
Apparently it had an error in the replication controls. It didn’t actually attack anything except the targets, but if a worm spreads to too many computers eventually someone will notice that it’s not supposed to be there.
Many attacks purposefully look stupid because the perpetrator wants to rule out attacking people who are paying attention. That goes doubly for scams and such but also for viruses.
Many worms will not try to infect something if they see that the odds are against it, since that would tell people that there was an attack, that it failed, and allow them to reconstruct where it came from. The 0.1% of least attention are still enough to run a nice virus epidemic, and are much safer places for a virus to be than, say, the lab of some antivirus company.
If you add good social engineering to a well-designed virus, the possibilities are terrible…
This is like the email scams. They’re not written in poor English with transparently evil motives because the scammers are stupid, they’re deliberately intended to only target legitimate targets–that is, people who are dumb, gullible, or technology-illiterate enough to actually fall for the scam. That way, they don’t have to waste their time trying to convince people to send them money… they focus on the people who are already more likely to send them money.
Which, oddly enough, has led to a small group of people who “cooperate” with the scammers specifically to draw out their time and effort without actually handing over any money. I forget the term they used for it.
Wouldn’t recommend actually doing that, though. It’s a little risky.
Sounds like you’re talking about “scam baiting”, a.k.a. 419 baiting (derived from the criminal code in Nigeria for email scams).
I’d also guess that some of the stupid malware exists mainly as camouflage for the more clever stuff.
If the stupid attacks disappeared, everyone would look more closely at things trying to spot any attacks (we all know there will be attacks). But as long as there is some obvious attacks that are easily defeated by whatever protection most people have, it’s tempting to just believe your protection is working fine and leave it at that.
And to think it was Microsoft Security Essentials that actually picked it up.
What a strange little virus that is. I don’t know much about internet security, but is it likely it got those files there through a brute-forcing bot program, or that a person ‘hacked’ in to add the files?
Anyways, glad to see you got it figured out, certainly wasn’t what I was expecting when reading the first post on the topic, I thought it was going to just be some IE11 weirdness.
I imagine that most people who don’t use Microsoft Security Essentials also wouldn’t use Internet Explorer so their computer would never be offered the file and therefore their security program wouldn’t be able to spot it.
It was almost certainly added by some form of automated attack. Doing it manually wouldn’t really be worth the time. It might have been added by blindly bombarding possible targets, or it might download something that uploads the attack to sites the user visits.
Infections were brazen, aggressive, and obvious.
You make them sound like Fabio on the cover of a bodice-ripper. Mind you, that might help sales of “Removing Computer Viruses for Dummies,” I think.
Depending on your host’s particular flavor of Linux and how it’s configured, Apache is most likely running as user “nobody.” The purpose of “nobody” is that it doesn’t own any files and can’t log in, so if the HTTP server process gets compromised and controlled by an attacker, they still have limited access to the system, making it harder to, say, add their own PHP scripts. That is, unless you’ve allowed global write permissions on your directories, allowing “nobody” to write files. If “nobody” owns a file anywhere on a system, something went wrong either in configuration or as the result of an attack.
Yep. This would be my guess. They used a file insertion attack to get apache to add those files to your base directory. It may not have even been an attack on your site and was just an attack on anyone else that was hosted then threw the files on any unprotected directory. You should ping your hosting site and let them know so they can check anyone else hosted on the box. Most likely do a search for files owned by nobody. Fixing your root directory and all code directories to disallow any writes will stop that. If you want to allow creating error logs and such, make a directory just for that and throw everything there.
You know, I only use IE11 at work for testing purposes but it’s actually a lot better than previous versions. Their dev tools are decent; they even have one feature I wish Chrome’s had: the computed styles section will tell you which rule is applying, a little faster than hunting down the rule in the regular styles section.
True the rules shouldn’t normally be messy enough for that to be a problem but I work in Sharepoint.
does it still take three seconds to open a new empty tab?
I do like the coloured tab groups, though. I do not like the fact that it will tell you by default that the Mozilla website was a dangerous place, and none of their downloads can be trusted. Not having their ssl certificate in store is not a nice thing to do and deserves punishment.
I didn’t know they did that. And I don’t know about their new tab behavior, I’m always launching new tabs with links via “Open in New Tab”
At least this version lets you drag and drop tabs, split, remerge. I remember not so long ago when I had a version of IE that had tabs but not the flexibility that other tabbed browsers had. We had to use IE8 at work for a while and before that IE6 for stupidly long. I’m convinced some people in my office would still be using IE6 if Microsoft hadn’t finally pulled the plug on XP.
While I agree that IE has been getting steadily better (IE9 being the first “usable” IE in awhile; and incremental improvements from there in 10 and 11); Chrome *does* have the computed styles feature, and it does tell you what rule is applying.
It does tell you but you have to hunt through all the rules that could apply to the selected element. Not that hard most of the time but sometimes I wish I could just flip over to Computed Styles and have it only show the rule that is applying that style attribute to that element.
I still end up using Chrome DevTools though because its overall better, more responsive, even has useful suggestions on how to improve code. I was really impressed when it offered to compress my images for me.
Maybe I missed something. I taught myself DevTools mostly by fiddling. Basically how I taught myself all the skills I currently use. Good and bad in that.
The “computed styles” thing is in a separate tab, and you can expand the particular style you’re looking for and see all the rules affecting it (with the one actually being applied at the top).
Alternatively, you can type the style you’re looking for in the “Find in Styles” box at the bottom, and will collapse any of the rules that don’t define that particular style.
I agree. I use IE11 almost exclusively, mostly because I have no personal problems with IE and I’ve never seen the particular draw of Firefox or Chrome. However, before IE9 came out I almost switched over to Firefox because it was obviously superior in every way. Then IE9 came out and brought IE up to snuff in terms of tabs and ease of browsing, so I stuck with it. Since then I’ve mostly gotten frustrated when I have to use Chrome or Firefox because I don’t know them as well. (Also I hate how Chrome is constantly doing things in the background, even when I’ve closed the browser. When I close something I want it closed, I’m done with it, stop running processes without my permission! Also Google Update is dang clingy, I can’t get it to stop running without my say so.)
For anyone who doesn’t know, you can make Chrome behave and shut down properly with a setting:
Settings -> Show Advanced Settings
Scroll to the System heading, it’s near the bottom.
Uncheck “Continue Running Background Apps…”
Thanks for the tip.
I do think Internet Explorer is now a fully usable piece of software, but I’d still never use it.
The problem is the majority of users (particularly vulnerable users) will always use IE.
So it’s always most efficient to try and find exploits in Internet Explorer. Firefox and Chrome have the same standard of security updates but they’re marginally smaller targets because of their audience sizes.
I am massively excited because we’re switching to IE11 at work. I work on our web dev team (both internal apps and our website), so I’ve acquired Chrome for my actual browsing needs (wait, I mean testing! Totally for testing purposes only. And nothing else.), but the vast majority of people in the company still use IE8. It’ll be nice to finally not have to make stuff work in IE8 anymore.
“I only use IE11 at work for testing purposes but its actually a lot better than previous versions.”
Yeah, but that’s like saying “This piece of shit is less smelly than other pieces of shit”.
Ok, that’s not fair, IE has not been a piece of shit for quite some time now. But the thing is that it is still way behind other browsers. They are in 2014, while IE is only now entering 2010.
You know, I always get a lot of flak from my buddies for still using IE almost exclusively, but none of them have been able to give me a solid reason why Firefox or Chrome is superior. They just say that they’re better and everyone knows it. So really, I’d like to know: how is IE 11 four years behind?
HTML5 support would be the most obvious answer. IE11 lags behind even older versions of other browsers when it comes to this.
Then there is the refusal of Microsoft to allow their browser to work on anything other than Windows. And yet, despite this, it’s still amongst the most vulnerable of browsers.
Now, granted, its speed has improved substantially since the previous versions, even surpassing others. So it is doing something right.
IE’s developer tools are more than decent; it’s the one thing which it actually does better than the competition in my opinion.
If there's a proper way to handle this in PHP, I've never found it.
I think this is an inherent limitation of OS file permissions. On Linux, the usual way to handle this is:
– Allow “work” files to be created in “/var/….”. For example, “/var/log/{application name}” for logs. The application should work even if these are deleted.
– Config files in “/etc”. These should be rarely changed.
– Binary files and other executables in “/opt” or “/usr” (may be others too, depending on system and type of application). These are only changed when installing/updating the application.
So you can give the application write access to “/var/{application name}…”, and be *reasonably* safe that the files there can be deleted without problem.
Aye. His “aside” block says “way to handle this in PHP” but the file/directory permission thing isn’t part of PHP, but rather part of how *n*x handles permissions (short of full ACLs, though, is there a better permission system?)
Side note: that isn’t a dis on Shamus. I don’t think he is stupid for confusing the two. It’s just more of that ‘experience matters’ thing from the posting on game languages. Of course, all Linux programmers know that’s how Linux permissions work, and isn’t specific to PHP, but Shamus is here trying to play with Word Press code, which is a major library/content management system written in PHP (which means some percent of the problems Shamus thinks are PHP issues are issues with the WP library and not part of the language it’s written in), which goes through Apache (apparently on a server he doesn’t even have full access to?) which is probably not one of his skill sets, either (and he probably thinks PHP has some issues which are really to do with the particulars of his Apache set up, which he can’t modify? and probably doesn’t even have permission to read?), and it all runs on Linux (and he’s spent the last 25-30 years learning Windows programming). And I didn’t even mention the database, which is probably not something he can directly play with, either, and whose table layout is very … WordPressy – those cats have their own style which makes sense to them, but WP is a nightmare to me. As experienced as I am with Linux, Apache, MySQL, and PHP – I’ve never touched WordPress and I would be nearly as unhelpful as that doorknob over there when it comes to working on Shamus’ problems.
Ultimately, Linux can be as baffling to Windows programmers as vice-versa.
I would make all kinds of newbie mistakes trying to write a Windows thingy. Worse if I wanted to do graphics. He could probably go through a similar list of libraries built on libraries dependent on libraries that go into his every little Windows app, like I did to get from Word Press to Linux. Shamus can toss off a ‘window open start rendering something basic in 3d’ in half an hour, and it would take me years of learning stuff just to get to the part of the program where I’m doing the stuff I want to do – and I’d blame half my problems in Windows when they’re really part of the XfooX graphics engine or something.
About the only better way to do this that I can think of would be to create the particular file beforehand and make it writable, then hope that the php code is not specifying O_CREAT|O_EXCL on the open() call when it filters down to the system call level. And that the php code doesn’t just unlink the file at random itself.
But yes, write access to the directory means you can create and delete any filename. (Well, unless it’s sticky. Then you can create anything but only delete stuff that you own. That doesn’t help here.)
Even ACLs don’t help if what you’re trying to do is only allow creating one specific filename… you’d need some other kind of security policy for that. (grsecurity used to have something, maybe ten years ago. Don’t remember what it was called though. I bet selinux has something but I’m not about to try to figure out how to use it, nor suggest turning it on on this host…)
“unless the directory is sticky” – I thought that just made any new file chgrp itself to the group of the directory. If you’re in the group, you can still do whatever you want (on my platform I use directory-sticky to prevent myself from making a file my coworker can’t edit. All the dev dirs are sticky, group ‘dev’ and we’re both in it)
There’s dragons here, because very few things about “sticky” and setuid/setgid (which was the original flavor of “sticky”) are the same or even close to the same across *NIX operating systems. The “make the ownership match that of the directory” is the behavior of the setgid on directories on *most* (but not all) *NIX systems. That’s not the same thing as “sticky”, even though it’s (usually) represented with an “s” (or “S”) in the “eXecute” columns of the permissions display. Real “sticky” in the implementation talked about, where ownership of files in the directory must be correct, shows up as “t” (or “T”) on the last position of the permissions display. And the case changes to upper when eXecute is not in place, because we’ve already overloaded the display… It’s a fscking mess and has been a fscking mess for literally 40 years…
As a matter of trivia, the site favicon hasn’t been appearing in the latest version of Safari for months. Suddenly, it’s working again.
Oh so it is!
Hurrah!
Shamus, don’t you have some kind of version control software in place to keep track of the site? Git, Mercurial, SVN or the like?
With any of those you’d be able to tell immediately if any changes happened, discard unwanted changes, etc. Make an account in github or bitbucket and you’d even have off-site backup and an additional line of defense. Reinstalling the site (except for the data, which needs to be backed up separately) would then just involve wiping the current install and cloning it again.
I was going to make the same proposal.
You can then even put the changed files in a new branch, reset to a known clean state (if you work of a local repository) and then analyse what has changed. Which with mercurial or git is easy by just creating a diff between the clean and the dirty state.
If you can work out how the changes have been made, you fix it and commit that new safe state into the clean branch.
Also: You can use this
https://github.com/wpscanteam/wpscan
Scroll a bit down to get the readme. Your WordPress installation can have several weak points you’re not aware of. This tool might help you find them. Let it run against your installation and work through the output.
If you want to keep safe you should check your own site on a regular basis since the vulnerability database will get updates.
You should also check the database, sometimes they enter additional users with admin privileges. Your most likely attack vector, btw, is just any one of the wordpress vulnerabilities that have been going around recently.
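The version-control suggestion in the comments above amounts to keeping a trusted baseline of every file and diffing the live tree against it. For a host where you cannot install git, the same check can be done with a hash manifest; the following is an added example, not something from the post, from the commenters or from WordPress. It records a SHA-256 per file, then reports what was added, removed or modified since the baseline was taken. The demo tree is constructed in a temp directory, and `wp-content/uploads` is used as the (assumed) example of a directory you would exclude because it is expected to change.

```python
import hashlib
import os
import tempfile


def build_manifest(root, exclude=("wp-content/uploads",)):
    """Map each regular file (relative path) under root to its SHA-256 hex digest."""
    manifest = {}
    for dirpath, dirnames, filenames in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root)
        # prune excluded subtrees in place so os.walk never descends into them
        dirnames[:] = [
            d for d in dirnames
            if os.path.normpath(os.path.join(rel_dir, d)) not in exclude
        ]
        for name in filenames:
            path = os.path.join(dirpath, name)
            if os.path.islink(path):
                continue            # a symlink's target is outside our trust boundary
            digest = hashlib.sha256()
            with open(path, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    digest.update(chunk)
            manifest[os.path.normpath(os.path.join(rel_dir, name))] = digest.hexdigest()
    return manifest


def diff_manifest(baseline, current):
    """Compare two manifests and return the three kinds of change, sorted."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in set(baseline) & set(current)
                           if baseline[p] != current[p]),
    }


def _write(root, rel, text):
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as fh:
        fh.write(text)


def demo():
    """Constructed scenario: take a baseline, then plant/alter/delete files."""
    root = tempfile.mkdtemp(prefix="wp-manifest-demo-")
    _write(root, "index.php", "<?php // constructed front controller\n")
    _write(root, "wp-config.php", "<?php // constructed config\n")
    _write(root, "wp-content/themes/mine/style.css", "/* theme */\n")
    _write(root, "wp-content/uploads/photo.txt", "binary stand-in\n")
    baseline = build_manifest(root)

    # What an intrusion (or a careless edit) leaves behind:
    _write(root, "templater.php", "<?php // constructed dropped file\n")   # added
    _write(root, "index.php", "<?php // constructed, now with an extra line\n")  # modified
    os.remove(os.path.join(root, "wp-content/themes/mine/style.css"))     # removed
    _write(root, "wp-content/uploads/new.txt", "ignored: excluded path\n")

    return diff_manifest(baseline, build_manifest(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

Keep the baseline manifest somewhere the web server cannot write (off the host is best), regenerate it right after every deliberate update, and treat any unexpected entry in `added` or `modified` the way the post treated templater.php: as something to restore from a clean copy, not to patch in place.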
“The sad thing is that that isn't even the most unreadable PHP file I've ever seen, and this one was obfuscated on purpose.”
You always bring a smile to my face with your programming anecdotes, Shamus! Whenever I get discouraged with my chosen career, you always reminds me just how hard the job is, and how satisfying it is to keep going and get over the metaphorical walls.
Glad you got it sorted Shamus. This sort of problem solving can be fun, but not when it’s because a live site was compromised.
Good job getting this stuff cleared up!
Good thing they were only apparently able to deposit files belonging to the web user on your install. Had they root access, then the line about “We checked for other files created after August 4th. Nothing had been touched outside of the WordPress folder.” would be meaningless.
Your decision to dust off and nuke from orbit (the only way to be sure) was smart, though – because it would be “socially clever” to make a hack that leaves obvious traces that it is an incompetent hack easily removed, while subtly backdating files with more insidious issues elsewhere.
There are some amazingly clever and sly programs out there. Best one I came across infected a combination of a vulnerable switch and any machine attached to it. All traffic went via a single machine, and the DNS was changed. Most traffic was sent back out to the normal DNS server upstream, but any banking was sent via eastern Europe to some well crafted fake sites. Because of the DNS change, the sites seemed to have all of the correct security. We only found it because that particular switch started sending too much traffic through one port (and before anyone actually lost anything thank goodness).
I can’t help but think that the effort people put into this could earn them more in an honest living. This is not “easy” money.
I’m glad you dug this one out.
Ah, DNS. My networking class has taught me that most internet protocols are comically insecure, and DNS is no exception. Basically, the request goes out and then the system accepts the next incoming message that matches the request. Now, there is an identification field that needs to match. It is sixteen bits long. It’s entirely possible to send messages with every possible value for that field in less time than it takes for the real response to arrive. Particularly if you triggered the query in the first place.
And, of course, very few of the protocols are secure if the attacker controls the connection.
Heads up, you’ve got a few new broken pages, like http://www.shamusyoung.com/twentysidedtale/?page_id=16458
Yikes. O.o But thanks for that very comprehensive explanation, Shamus. I think I’m quite safe. On my home computer, I run Windows 7 and Chrome, while the only other computer I sometimes browse your site on is at work, which runs Windows 8 (possibly the only time I’m grateful to be using that awful OS) and Chrome, but for a long period of time I did use IE on it as well. I THINK it was prior to August that I made the switch to Chrome on my work PC, but in either case, my work machine should be safe too.
Apologies for bringing this late to the party, but it APPEARS that Shamus’ issue is the same one described here:
http://arstechnica.com/security/2014/12/some-100000-or-more-wordpress-sites-infected-by-mysterious-malware/
I’m basing that on the description of the symptoms being similar and the reference to templater.php in both places.
If nothing else, seems like you’re in good company.
sounds like this which was being built in 2004. https://www.youtube.com/watch?v=k2mdUcOXW6I#t=1423
Thanks MrGuy, that link is infected. DO NOT CLICK ON IT… and have a nice day :) (Avast blocked it trying to install something when I clicked on it… :/)
The thing I find more surprising is that the stupidcrap.com domain is not being used.