Horrible redirect advertisement


Agent Orange

Horrible redirect advertisement

Post by Agent Orange » 2017-01-25, 20:02

When I visited http://linux.palemoon.org/download/installer/ with my adblocker disabled, I was presented with this:
[Image]
Additionally, an alert was displayed stating:
****Dont Restart Your Computer ****
The Following information was found on this error:


Code:
00xO4C08


Discription
An unsupported or invalid partition type was detected.

The Infections detected, indicate some recent downloads on the computer which in turn has created problems on the computer.Call technical support +1 888-748-8676 and share this code B2957E to the Agent to Fix This.



…absolutely horrifying and unacceptable. This ad partner should be dropped immediately.

The JavaScript which inserts this has been obfuscated: (code fetched via curl for transparency purposes)

Code:

$ curl -sLv https://linux.palemoon.org/download/installer/ | grep -C1 s\'\+\'cript
*   Trying 104.20.61.158...
* Connected to linux.palemoon.org (104.20.61.158) port 443 (#0)
* found 173 certificates in /etc/ssl/certs/ca-certificates.crt
* found 704 certificates in /etc/ssl/certs
* ALPN, offering http/1.1
* SSL connection using TLS1.2 / ECDHE_RSA_AES_128_GCM_SHA256
* 	 server certificate verification OK
* 	 server certificate status verification SKIPPED
* 	 common name: *.palemoon.org (matched)
* 	 server certificate expiration date OK
* 	 server certificate activation date OK
* 	 certificate public key: RSA
* 	 certificate version: #3
* 	 subject: OU=Domain Control Validated,OU=PositiveSSL Wildcard,CN=*.palemoon.org
* 	 start date: Mon, 07 Nov 2016 00:00:00 GMT
* 	 expire date: Tue, 07 Nov 2017 23:59:59 GMT
* 	 issuer: C=GB,ST=Greater Manchester,L=Salford,O=COMODO CA Limited,CN=COMODO RSA Domain Validation Secure Server CA
* 	 compression: NULL
* ALPN, server accepted to use http/1.1
> GET /download/installer/ HTTP/1.1
> Host: linux.palemoon.org
> User-Agent: curl/7.47.0
> Accept: */*
> 
< HTTP/1.1 200 OK
< Date: Wed, 25 Jan 2017 20:03:52 GMT
< Content-Type: text/html; charset=utf-8
< Transfer-Encoding: chunked
< Connection: keep-alive
< Set-Cookie: __cfduid=d02632c04707637d28e58975cf20c752f1485374631; expires=Thu, 25-Jan-18 20:03:51 GMT; path=/; domain=.palemoon.org; HttpOnly
< X-Powered-By: PHP/5.6.30
< Set-Cookie: CMSSESSID1d7a7734=qaqbdprraccf0qqo6o0qskg142; path=/
< Expires: Mon, 26 Jul 1997 05:00:00 GMT
< Last-Modified: Wed, 25 Jan 2017 20:03:52 GMT
< Cache-Control: no-store, no-cache, must-revalidate
< Cache-Control: post-check=0, pre-check=0
< Pragma: no-cache
< Server: cloudflare-nginx
< CF-RAY: 326e54b9ed18380a-ATL
< 
{ [732 bytes data]
* Connection #0 to host linux.palemoon.org left intact
<script type="text/javascript"><!--
document.write('<s'+'cript type="text/javascript" src="//adgiant.io/show.php?z=26&pl=2417&j=1&code='+new Date().getTime()+'"></s'+'cript>'); 
// --></script>
$

and, to further add to the "spook factor", the page's CSS attempts to hide the cursor. :shifty:

The only add-ons I have are Encrypted Web, Greasemonkey, and Adblock Latitude.
The only plugins I have are IcedTea's Java and Google's Flash, both of which are not enabled by default.
Last edited by Agent Orange on 2017-01-25, 20:20, edited 1 time in total.
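
The obfuscation in the snippet above is the word "script" split across two string literals inside document.write(). As an added example that is not part of the original post, this Node.js check joins the literals back together and reports which host each written script tag loads from; foldConcat, findWrittenScripts and the DYNAMIC marker are names made up for this illustration.

```javascript
// Added example (not from the thread): static audit of document.write() calls.
// SAMPLE_HTML is the snippet quoted in the post; PAGE_HOST is the serving host.
const SAMPLE_HTML = `<script type="text/javascript"><!--
document.write('<s'+'cript type="text/javascript" src="//adgiant.io/show.php?z=26&pl=2417&j=1&code='+new Date().getTime()+'"></s'+'cript>');
// --></script>`;
const PAGE_HOST = 'linux.palemoon.org';

// Join the string literals of a concatenation; any non-literal operand
// (such as new Date().getTime()) becomes the marker DYNAMIC.
function foldConcat(expr) {
  const literal = /'((?:[^'\\]|\\.)*)'|"((?:[^"\\]|\\.)*)"/g;
  let out = '', last = 0, m;
  while ((m = literal.exec(expr)) !== null) {
    if (expr.slice(last, m.index).replace(/[\s+]/g, '')) out += 'DYNAMIC';
    out += m[1] !== undefined ? m[1] : m[2];
    last = literal.lastIndex;
  }
  if (expr.slice(last).replace(/[\s+]/g, '')) out += 'DYNAMIC';
  return out;
}

// Heuristic: the argument is taken up to the first ");", so a literal that
// itself contains ");" would be cut short.
function findWrittenScripts(html, pageHost) {
  const call = /document\.write(?:ln)?\s*\(([\s\S]*?)\)\s*;/g;
  const tag = /<script\b[^>]*\bsrc\s*=\s*["']?([^"'\s>]+)/gi;
  const findings = [];
  let c, t;
  while ((c = call.exec(html)) !== null) {
    const written = foldConcat(c[1]);
    while ((t = tag.exec(written)) !== null) {
      const host = new URL(t[1], `https://${pageHost}/`).hostname;
      findings.push({
        src: t[1],
        host,
        thirdParty: host !== pageHost,
        // true when "<script" only appears after the literals are joined
        splitTag: !/<script/i.test(c[1]),
      });
    }
  }
  return findings;
}

console.log(findWrittenScripts(SAMPLE_HTML, PAGE_HOST));
```

The check only shows which host a page hands script access to, not what that host serves on any given request.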

half-moon

Re: Horrible redirect advertisement

Post by half-moon » 2017-01-25, 20:06

Agent Orange wrote:…absolutely horrifying and unacceptable. This ad partner should be dropped immediately.
Agreed. Funny though how those malware sites can't recognize a linux system. :lol:

hobbledehoy899

Re: Horrible redirect advertisement

Post by hobbledehoy899 » 2017-01-27, 19:45

This same bullshit happened to me when getting the latest unstable build last week!

Fedor2

Re: Horrible redirect advertisement

Post by Fedor2 » 2017-01-27, 20:54

Hey, how did you get this? How about some independent site checker, because I think windefender is untrustworthy; there is no error without it. However, aside from palemoon.org, it is something with cloudflare.com, which I block and treat as untrustworthy too.

One important note I forgot to point out: I always have JavaScript disabled; when I enabled it for testing, I saw an adgion.io connection attempt. Then I checked it on www.virustotal.com and no virus was found.

Agent Orange

Re: Horrible redirect advertisement

Post by Agent Orange » 2017-01-27, 23:52

Fedor2 wrote: Hey, how did you get this?
I got it just by loading that webpage.
It's not a virus, but if you click anywhere it will try to get you to download one.
It looks like it does not appear to everyone; there is only a small random chance of getting it.
Fedor2 wrote: How about some independent site checker, because I think windefender is untrustworthy; there is no error without it. However, aside from palemoon.org, it is something with cloudflare.com, which I block and treat as untrustworthy too.

One important note I forgot to point out: I always have JavaScript disabled; when I enabled it for testing, I saw an adgion.io connection attempt. Then I checked it on http://www.virustotal.com and no virus was found.
Yes, you'll only get a virus if you actually got the ad redirect, DOWNLOADED, and then RAN the virus. They can't "just hijack your computer".

There is no need for an independent site checker, since we can discuss this issue with Moonchild right here in this very thread. It was a horrible mistake, but not something malicious.

Moonchild
Pale Moon guru

Re: Horrible redirect advertisement

Post by Moonchild » 2017-01-28, 04:41

That kind of ad is strictly forbidden by the ad network I use on that domain (AdGiant). I'll shoot them a message.
They may just be a broker for other ad networks but I won't allow this kind of BS.
"Sometimes, the best way to get what you want is to be a good person." -- Louis Rossmann
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb
"Linux makes everything difficult." -- Lyceus Anubite

Moonchild

Re: Horrible redirect advertisement

Post by Moonchild » 2017-01-28, 05:36

For the time being, I swapped them out for Google Adsense to keep visitors safe.
