{"id":25340,"date":"2014-12-12T03:08:49","date_gmt":"2014-12-12T08:08:49","guid":{"rendered":"http:\/\/www.shamusyoung.com\/twentysidedtale\/?p=25340"},"modified":"2014-12-12T21:20:36","modified_gmt":"2014-12-13T02:20:36","slug":"haq","status":"publish","type":"post","link":"https:\/\/www.shamusyoung.com\/twentysidedtale\/?p=25340","title":{"rendered":"Haq?"},"content":{"rendered":"<p><strong>EDIT: Should be fixed now. I&#8217;ll have another post following up on this once I&#8217;m sure it&#8217;s gone. Let me know if you see anything fishy that isn&#8217;t an actual fish. <\/strong><\/p>\n<p>So for a couple of months now I&#8217;ve been getting these really strange reports from a small group of people<span class='snote' title='1'>Less than five-ish?<\/span> that my site had been &#8220;hacked&#8221;. Here is one:<\/p>\n<blockquote><p>Microsoft Security Essentials blocked content on this website<\/p>\n<p>qwe.systemsviensows.asia<br \/>\nHosted by: http:\/\/www.shamusyoung.com<\/p>\n<p>Microsoft Security Essentials blocked this site because it might contain threats to your PC or your privacy.<\/p><\/blockquote>\n<p>And one more:<\/p>\n<blockquote><p>Got another one. &#8220;qwe.arteriosclerosisobliteranas.net&#8221;<\/p>\n<p>Also: I dropped my laptop and killed my hard drive a few days ago. I just got a new one installed and just now got the OS and everything updated and running. So it&#39;s not a virus or malware on my end that&#39;s doing it, this is a totally new hard drive and your website was just about one of the first ones I went to (after gmail and facebook, and I don&#39;t think I&#39;m getting malware from them.)<\/p><\/blockquote>\n<p>It&#8217;s very tempting to say, &#8220;With so few reports, this can&#8217;t be a problem on my end.&#8221; But I want to be thorough. Furthermore, maybe scammers have gotten smarter and have invented malware that goes dormant in some cases instead of relentlessly attacking. 
&#8220;But it seems to work fine for me!&#8221; is perhaps the greatest shield a virus can have. It&#8217;s effectively a real-world implementation of the <a href=\"http:\/\/en.wikipedia.org\/wiki\/Somebody_Else%27s_Problem#Fiction\" title=\"Somebody Else's Problem\">SEP invisibility field<\/a>. <\/p>\n<p>Some facts: <!--more--><\/p>\n<ol>\n<li>I have no idea what the attack looks like. We only have Microsoft Security Essentials to go by here. Again, Microsoft isn&#8217;t exactly your go-to company for security, but for the sake of this exercise we&#8217;re going to assume MSE is correct.<\/li>\n<li>All reports involve a similar text, but with a different external URL. Always in the form of <tt>qwe.[randomwords].net<\/tt>.\n<li>I use Chrome, and I viewed the site normally logged in as admin, anonymously (using the incognito feature) and using IE 11. Using all three, I&#8217;ve searched the resulting page source and have never found any URLs of the offending form, or anything else suspicious. However, this doesn&#8217;t mean the site is safe, because&#8230;\n<li>This site runs on WordPress, which runs on PHP. If bad code was installed on my site somehow, then PHP could be showing it in some cases and not others. This might sound far-fetched, but&#8230;\n<li>My wife used to keep a blog. She tapered off after a while and forgot about it. It languished for a year or more, neglected. Then she noticed this goofy-ass link right in the middle of <a href=\"http:\/\/www.shamusyoung.com\/\" title=\"It looked like this, basically.\">get free pills online bullshiturl.com<\/a> a sentence, just like this one. Either her webhost got hacked, or her super-old, unpatched, neglected WordPress install got hacked. In either case, her theme had been corrupted to insert these bogus links &#8220;sometimes&#8221;.\n<p>However, she was using a super-common built-in theme, which made her an easy target. 
Even if someone did gain access to my server, they would need to craft an attack specific to my site, because my theme is custom-built and is pretty unorthodox. I&#8217;m not saying it&#8217;s impossible, but this isn&#8217;t the kind of easy generalized target that hackers would go for. Heck, if you can hack my theme and hide the hack from me, then you&#8217;re wasting your time with this malware bullshit. Just get some contract work untangling horrific PHP catastrophes. The pay and the job security are better, and nobody will throw you in prison for it. <\/p>\n<p>Again, this suggests we&#8217;re not dealing with a real threat. Except&#8230;<\/p>\n<li>I&#8217;ve typed bits of this into Google, and come up completely empty. That&#8217;s unheard of. If you search for &#8220;Why did my peanut butter and jelly sandwich catch fire&#8221; you&#8217;ll probably find links to a 2010 forum thread where a bunch of people had the same problem. But these searches come up with nothing. This is probably the most interesting piece of evidence so far, and has me leaning towards thinking that the problem is real. After all, if MSE was throwing false-flags, you can bet we&#8217;d be up to our eyebrows in analysis, apologists, suggestions to &#8220;LOL GET LINUX&#8221;, and godawful workarounds.\n<\/ol>\n<p>I am so stumped at this point that I have no choice but to crowdsource this. Have you gotten warnings from MSE? Can you share a screenshot? When did the problem first appear? Do you run a website, and have you gotten these kinds of reports? <\/p>\n","protected":false},"excerpt":{"rendered":"<p>EDIT: Should be fixed now. I&#8217;ll have another post following up on this once I&#8217;m sure it&#8217;s gone. Let me know if you see anything fishy that isn&#8217;t an actual fish. So for a couple of months now I&#8217;ve been getting these really strange reports from a small group of peopleLess than five-ish? 
that my [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[111],"tags":[],"class_list":["post-25340","post","type-post","status-publish","format-standard","hentry","category-notices"],"_links":{"self":[{"href":"https:\/\/www.shamusyoung.com\/twentysidedtale\/index.php?rest_route=\/wp\/v2\/posts\/25340","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.shamusyoung.com\/twentysidedtale\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.shamusyoung.com\/twentysidedtale\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.shamusyoung.com\/twentysidedtale\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.shamusyoung.com\/twentysidedtale\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=25340"}],"version-history":[{"count":0,"href":"https:\/\/www.shamusyoung.com\/twentysidedtale\/index.php?rest_route=\/wp\/v2\/posts\/25340\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.shamusyoung.com\/twentysidedtale\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=25340"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.shamusyoung.com\/twentysidedtale\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=25340"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.shamusyoung.com\/twentysidedtale\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=25340"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}