advertisement acts like virus, how to fix and prevent security bug? Topic is solved
Moderator: trava90
Forum rules
This board is for technical/general usage questions and troubleshooting for the Pale Moon browser only.
Technical issues and questions not related to the Pale Moon browser should be posted in other boards!
Please keep off-topic and general discussion out of this board, thank you!
advertisement acts like virus, how to fix and prevent security bug?
A page's usual javascript advertisement opened a new tab, but this time what it loaded acted like a virus. What is the correct way to undo it, and how to prevent this from happening?
Since I took screenshots, I have Detail:
The new tab first shows a url of hxxp://secure.calch.gdn/performance/bdv_rd.dbm?enparms2=
followed by a lot of comma delimited numbers that goes off the right side.
The popup says:
Authentication Required
A username and password are being requested by hxxp://138.197.4.141. The site says: "Internet Security Alert: Your Computer Might be Infected by Harmful VirusesnCall Windows Technical Support: (Toll Free) (866) 564-0233 (Toll Free)"
/end popup message.
If I press Cancel, it proceeds to load a page. If I press X to close the app, it ignores me. The only way to stop it was to kill it from a terminal.
Next it opens a page that plays an audio file that thankfully isn't with an indian accent like I get on the telephone, but the sales pitch is familiar. I think the fraudsters are expanding their reach... but back to the facts:
The page it loads is url: hxxp://138.197.4.141/as/?c59aedd2db77fa0ftfn1d59aedd2db783e=(866) 564-0233
including that parenthesis and space not auto-included in the A href tag. and again the popup with the Authentication Required title.
My concern is next the popup, is it a safety stop by the browser, or since cancel PROCEEDED to this second page, is it actually being generated by the page, and is a fraudulent deception?
After killing the browser, and restarting it, the 2nd page auto-reloads, but I don't want this!! It again has the popup, and does not allow me to click anywhere else.
I need to find the command line way to start in safe mode, since the help provided so far by google search requires a setting while the browser is open, which is not an option in this case.
Is this a security hole? Please investigate and advise.
edit: I found the -safe-mode option, so I answered that question myself.
Version is:
Debian 8 Linux, palemoon package 27.4.2~repack-1
Last edited by Moonchild on 2017-09-05, 21:14, edited 1 time in total.
Reason: Links killed to prevent fanatic clickers from hitting the trap -- http -> hxxp
-
- Pale Moon guru
- Posts: 35647
- Joined: 2011-08-28, 17:27
- Location: Motala, SE
Re: advertisement acts like virus, how to fix and prevent security bug?
Unfortunately evil trap sites like this abuse normal browser actions (in this case looping a basic http auth request). This is generated by the server you are directed to. Pressing cancel would normally return an "authentication failed" page, but the people who set up this site clearly abuse custom error pages to have you be redirected right back to the page you were on, repeating the process.
You can safely force-close the browser to get out of this mess.
If you close the browser forcefully, it will generally restart one time with the same windows and tabs automatically and will reload everything (unfortunately including the page that trapped you). If you force close it a second time when this happens, it will give you a session restore window where you can uncheck the "windows alert" tab so it will not be restored.
What you should do is contact the abuse department for 138.197.4.141 and inform them of this issue and that it is being abused to try and phish for people's credentials with fake scare tactics.
According to whois, this is abuse@digitalocean.com (a commonly abused virtual server provider). Provide them with the exact information you've given in this thread.
"Sometimes, the best way to get what you want is to be a good person." -- Louis Rossmann
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb
"Linux makes everything difficult." -- Lyceus Anubite
Re: advertisement acts like virus, how to fix and prevent security bug?
If you're quick enough, you can close the tab with CTRL+W right after dismissing the authentication request by clicking on Cancel.
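The looping 401 that Moonchild describes (a Basic-auth challenge whose custom error page sends the browser straight back to itself) can be recognised mechanically from the response alone. The script below is an added example, not code from the Pale Moon project or from anyone in this thread: it takes the page URL plus the status, headers and body of a response and flags the combination of a WWW-Authenticate challenge with a self-redirect (Refresh or Location header, meta refresh, or a script assignment to location). The function names, the TEST-NET address 192.0.2.10, the realm text and both sample responses are constructed.

```python
"""Heuristic detector for the HTTP Basic-auth "trap" described in the thread.

Added example, not code from the Pale Moon project or this forum.  A normal
401 just says "authentication failed"; the trap pairs the 401 challenge with
a custom error page that reloads itself, so cancelling the prompt brings the
prompt straight back.  All sample data below is constructed.
"""
import re
from urllib.parse import urlsplit

# Ways a custom error page can send the browser back to itself.
META_REFRESH = re.compile(
    r'<meta[^>]+http-equiv\s*=\s*["\']?refresh["\']?[^>]*'
    r'content\s*=\s*["\']?\s*\d+\s*;\s*url\s*=\s*([^"\'>\s]+)',
    re.IGNORECASE,
)
JS_REDIRECT = re.compile(
    r'(?:location\.href\s*=|location\.replace\s*\(|location\s*=)\s*["\']([^"\']+)["\']',
    re.IGNORECASE,
)


def redirect_targets(headers, body):
    """Collect every redirect/reload target found in the headers or HTML body."""
    targets = []
    refresh = headers.get("refresh", "")          # e.g. "0; url=/as/?id=..."
    m = re.search(r"url\s*=\s*(\S+)", refresh, re.IGNORECASE)
    if m:
        targets.append(m.group(1))
    if headers.get("location"):
        targets.append(headers["location"])
    targets += META_REFRESH.findall(body)
    targets += JS_REDIRECT.findall(body)
    return targets


def points_back(page_url, target):
    """True if the target keeps the browser on the same host as the page."""
    t = urlsplit(target)
    if t.scheme and t.netloc:                     # absolute URL: compare hosts
        return t.hostname == urlsplit(page_url).hostname
    return True                                   # relative URL never leaves the host


def is_auth_trap(page_url, status, headers, body):
    """401 + WWW-Authenticate + an error page that redirects back to itself."""
    headers = {k.lower(): v for k, v in headers.items()}
    if status != 401 or "www-authenticate" not in headers:
        return False
    return any(points_back(page_url, t) for t in redirect_targets(headers, body))


# --- constructed samples (192.0.2.0/24 is a documentation range, not a real host) ---
PAGE_URL = "http://192.0.2.10/as/?id=example"

TRAP_HEADERS = {
    "WWW-Authenticate": 'Basic realm="Internet Security Alert (constructed realm text)"',
    "Content-Type": "text/html",
}
TRAP_BODY = """<html><head>
<meta http-equiv="refresh" content="0; url=/as/?id=example">
</head><body>Authentication failed.</body></html>"""

BENIGN_HEADERS = {"WWW-Authenticate": 'Basic realm="Staff area"', "Content-Type": "text/html"}
BENIGN_BODY = "<html><body><h1>401 Unauthorized</h1><p>Authentication failed.</p></body></html>"

if __name__ == "__main__":
    print("trap sample   :", is_auth_trap(PAGE_URL, 401, TRAP_HEADERS, TRAP_BODY))      # True
    print("benign sample :", is_auth_trap(PAGE_URL, 401, BENIGN_HEADERS, BENIGN_BODY))  # False
```

The check is a heuristic: a legitimate 401 page that links back to the same host with a delayed refresh would also trip it, so it is a triage signal for proxy or crawler logs rather than a verdict. Note that a relative redirect target is always treated as pointing back, since it cannot leave the trap host.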
Re: advertisement acts like virus, how to fix and prevent security bug?
So it seems modifying history is part of HTML5, and calling history.pushState(0,0,uglyLongString) (and extending uglyLongString every loop for a hundred million times) is not a security flaw, I guess I'll drop it as a non issue.
Last idea then, there should be some means of killing a tab that has that authentication window up, just to make this a non-issue for the future.
-
- Fanatic
- Posts: 134
- Joined: 2014-09-09, 12:15
- Location: Tennessee
Re: advertisement acts like virus, how to fix and prevent security bug?
May want to watch what you download. I found the following which may help.
http://www.deletevirus.net/secure-calch ... us-remove/
In case your web browser is permanently getting redirected to the secure.calch.gdn domain, then it is quite likely that you have an adware application installed on your computer.
-
- Project Contributor
- Posts: 903
- Joined: 2015-08-01, 18:33
Re: advertisement acts like virus, how to fix and prevent security bug?
josephd wrote:
May want to watch what you download. I found the following which may help.
http://www.deletevirus.net/secure-calch ... us-remove/
In case your web browser is permanently getting redirected to the secure.calch.gdn domain, then it is quite likely that you have an adware application installed on your computer.

That's not impossible in Linux, but much, much more rare than in a certain other OS.
-
- Lunatic
- Posts: 400
- Joined: 2015-06-22, 19:48
- Location: USA (North Springfield, Vermont)
Re: advertisement acts like virus, how to fix and prevent security bug?
Looks like typical malvertising.
Or you clicked on a fake download button... Whoever came up with those download buttons, deserves to be executed!!
Re: advertisement acts like virus, how to fix and prevent security bug?
I have downloaded hosts.zip from this site: http://winhelp2002.mvps.org/hosts.htm
Right-click and choose Open archive. Select the file HOSTS and readme.txt, and Extract. (the other stuff is windoze)
Copy the top lines from your old /etc/hosts, and add them to HOSTS, it is vital that the first uncommented line contains: 127.0.0.1 localhost (mine reads 127.0.0.1 localhost puppypc)
Rename /etc/hosts to /etc/old-hosts. (tiny file, leave it there, bothers nobody)
Right-click HOSTS and save-as /etc/hosts.
You have now blocked almost 15000 addresses from unloading their stuff in your browser.
Not perfect, but it feels good!
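doffen's merge procedure above can be scripted so that the local entries, and in particular the required 127.0.0.1 localhost line, can never be lost. The script below is an added example, not doffen's code and not anything from the winhelp2002 site: parse_hosts() and merge_hosts() are hypothetical names, both sample hosts texts are constructed, and it normalises every blocked name to 0.0.0.0 so the browser gets an immediate connection failure rather than contacting a local web server. It also accepts a plain list of hostnames you collected yourself, for a small personal list instead of a generic one.

```python
"""Merge a blocklist-style hosts file into /etc/hosts the way the post describes.

Added example; not code from the forum post or from the winhelp2002 project.
It keeps every entry of the existing /etc/hosts first, guarantees that the
first uncommented line maps 127.0.0.1 to localhost, then appends the blocklist
entries with duplicates and locally defined names dropped.  The two inputs
below are constructed samples, not real downloads.
"""
import shutil
import sys


def parse_hosts(text):
    """Yield (ip, [hostnames]) for each uncommented, non-empty hosts line."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # strip trailing comments
        if not line:
            continue
        ip, *names = line.split()
        if names:
            yield ip, names


def merge_hosts(local_text, blocklist_text, extra_hosts=(), sink="0.0.0.0"):
    """Return (merged hosts text, number of blocked names)."""
    local = list(parse_hosts(local_text))
    # The first uncommented line must resolve localhost; add it if missing.
    if not local or local[0][0] != "127.0.0.1" or "localhost" not in local[0][1]:
        local.insert(0, ("127.0.0.1", ["localhost"]))
    local_names = {n.lower() for _, names in local for n in names}

    blocked, seen = [], set()
    entries = list(parse_hosts(blocklist_text)) + [(sink, [h]) for h in extra_hosts]
    for _ip, names in entries:
        for name in names:
            key = name.lower()
            if key in seen or key in local_names:   # no duplicates, never shadow local names
                continue
            seen.add(key)
            blocked.append(f"{sink} {key}")

    out = ["# local entries, kept from the original /etc/hosts"]
    out += [f"{ip} {' '.join(names)}" for ip, names in local]
    out += ["", f"# {len(blocked)} blocked names"] + blocked
    return "\n".join(out) + "\n", len(blocked)


# --- constructed samples ---
LOCAL_HOSTS = """\
127.0.0.1 localhost puppypc
::1 localhost ip6-localhost
192.168.1.20 nas.lan
"""
BLOCKLIST = """\
# constructed blocklist sample in the winhelp2002 layout
0.0.0.0 localhost
0.0.0.0 ads.example
0.0.0.0 tracker.example   # trailing comment
0.0.0.0 ads.example
0.0.0.0 nas.lan
"""

if __name__ == "__main__":
    # usage: python merge_hosts.py /etc/hosts hosts.txt   (as root; old file kept as /etc/hosts.orig)
    local_path, blocklist_path = sys.argv[1], sys.argv[2]
    with open(local_path) as f, open(blocklist_path, errors="replace") as g:
        text, n = merge_hosts(f.read(), g.read())
    shutil.copy(local_path, local_path + ".orig")
    with open(local_path, "w") as f:
        f.write(text)
    print(f"wrote {local_path}: {n} blocked names")
```

Two details worth noticing: a blocklist line for a name you define locally (nas.lan in the sample) is skipped rather than overriding your own entry, and the old file is copied aside before the new one is written, which is the same safety net as the rename step in the post.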
Re: advertisement acts like virus, how to fix and prevent security bug?
doffen wrote:
I have downloaded hosts.zip from this site: http://winhelp2002.mvps.org/hosts.htm
Right-click and choose Open archive. Select the file HOSTS and readme.txt, and Extract. (the other stuff is windoze)
Copy the top lines from your old /etc/hosts, and add them to HOSTS, it is vital that the first uncommented line contains: 127.0.0.1 localhost (mine reads 127.0.0.1 localhost puppypc)
Rename /etc/hosts to /etc/old-hosts. (tiny file, leave it there, bothers nobody)
Right-click HOSTS and save-as /etc/hosts.
You have now blocked almost 15000 addresses from unloading their stuff in your browser.
Not perfect, but it feels good!

You know you can do the same thing with Ublock too right?
-
- Board Warrior
- Posts: 1277
- Joined: 2017-06-06, 07:38
Re: advertisement acts like virus, how to fix and prevent security bug?
Yes, that's a good solution for a single browser. But blocking domains with the /etc/hosts trick affects applications system-wide.
-
- Pale Moon guru
- Posts: 35647
- Joined: 2011-08-28, 17:27
- Location: Motala, SE
Re: advertisement acts like virus, how to fix and prevent security bug?
An important side note is that using an excessively large hosts file WILL slow down all your network traffic. It's not designed to be used as a blocklist, and looking through the hosts file domain list every time a DNS lookup is made makes the DNS lookup client in Windows very slow when thousands of entries are present.
"Sometimes, the best way to get what you want is to be a good person." -- Louis Rossmann
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb
"Linux makes everything difficult." -- Lyceus Anubite
-
- Forum staff
- Posts: 1885
- Joined: 2011-09-08, 11:27
Re: advertisement acts like virus, how to fix and prevent security bug?
Moonchild wrote:
An important side note is that using an excessively large hosts file WILL slow down all your network traffic. It's not designed to be used as a blocklist, and looking through the hosts file domain list every time a DNS lookup is made makes the DNS lookup client in Windows very slow when thousands of entries are present.

That can be ameliorated by disabling the DNS Client Service (or if your network requires the use of the DNS Client Service, by using one of the workarounds listed from about halfway down):
I use HostsMan to control both the hosts + lists updating and the DNS Client, trying to split the load with the browser; hosts blocking against mostly malicious sites and servers and protecting Windows and software connections, with uBlockO (updated by uBlock Origin Updater) mostly dealing with the advertising and browser annoyances - though there is a huge amount of overlap dependent on which lists are in use.
Re: advertisement acts like virus, how to fix and prevent security bug?
I feel a bit stupid here: I forgot to tell you that I use the Windoze hosts list in /etc/hosts in my Puppylinux Lucid 5.2.8.7, and I have not noticed any slowdown. I have modified my about:config a lot, so I may have prevented a slow down by eliminating some functions. I don't use bookmarks or history, and I delete all cookies and everything that can be deleted, on closing PaleMoon. I usually close PaleMoon between topics. And, no, I am not paranoid!
And Thehandyman1957, thank you for the uBlock tip!
(well: This add-on is not compatible with your version of Firefox.)
Just joking, I see they have a PaleMoon recommendation.
The size of my /etc/hosts file is now 488K, and I see that hpHosts file is BIG: hosts.zip (5.08MB) Why? That is a serious increase in size!
doffen
Last edited by doffen on 2017-09-27, 04:32, edited 1 time in total.
-
- Board Warrior
- Posts: 1322
- Joined: 2014-02-02, 22:15
- Location: Chicagoland
Re: advertisement acts like virus, how to fix and prevent security bug?
doffen wrote:
And Thehandyman1957, thank you for the uBlock tip!
(well: This add-on is not compatible with your version of Firefox.)

You can download/install the firefox.xpi version of uBlock Origin from here ...
https://github.com/gorhill/uBlock/releases/tag/1.14.10
... and then also install this extension to keep uBlock Origin up to date:
https://addons.palemoon.org/addon/ublock0-updater/
Nichi nichi kore ko jitsu = Every day is a good day.
Re: advertisement acts like virus, how to fix and prevent security bug?
I'll think about it!
BTW, I added some line to my previous post while you made your post.
Oh, and the hpHosts file is 26MB unpacked, with some 766000 entries. I think I'll stay with my 488K file! Last week, the file had only 4 entries, now there are 15000...
doffen
-
- Astronaut
- Posts: 652
- Joined: 2015-07-30, 20:29
- Location: Vaughan, ON, Canada
Re: advertisement acts like virus, how to fix and prevent security bug?
The problem with the universal hosts files is that they attempt to cover every ad site that everybody has ever hit anywhere on the planet. Hence the huge numbers. I have a different strategy. I go after just the ad sites that I actually get, like so...
There was one Wordpress site I often visit that would, at times, grind the Pale Moon to a halt. "top" would show from 135% to 150% cpu load; OUCH! Slashdot was another painful site. With less than 200 sites blocked, I can get away with having 4 or 5 websites open SIMULTANEOUSLY IN SEPARATE INSTANCES OF PALE MOON and the computer and Pale Moon are responsive. The ad sites that you run across will be different than the ad sites that I run across, so our lists will differ.
- Shut down Pale Moon and any other network-connecting program
- Wait several minutes for the TCP connections to age out
- Open up Pale Moon at a web forum that I often visit
- Open a new tab in the same window
- Go to about:networking in the new tab
There's a right way
There's a wrong way
And then there's my way
-
- Forum staff
- Posts: 1885
- Joined: 2011-09-08, 11:27
Re: advertisement acts like virus, how to fix and prevent security bug?
You don't have to use generic hosts files, you can select specific block lists to suit your needs and usage; maybe malware, exploit and hijack sites in your hosts file to protect all your connections, with ad/tracking, misleading marketing and PUPs in your adblocking lists inside your browser(s).
See also the list options available in uBlockO, which can also be used in a hosts file or other blocking file/add-on.
http://hosts-file.net/?s=Download
Note: If you are using programs such as HostsMan, APK, uMatrix, AdBlock Plus, uBlock Origin, please consider switching from the hosts.txt file, to the individual classification files. These are both smaller, and more importantly, updated far more frequently (daily as opposed to monthly for hosts.txt). You can find the list of classification files on the hpHosts downloads page under "Individual Classifications".
-
- Astronaut
- Posts: 652
- Joined: 2015-07-30, 20:29
- Location: Vaughan, ON, Canada
Re: advertisement acts like virus, how to fix and prevent security bug?
Here's an idea I've been kicking around for filtering. Rather than filtering by host name, howsabout filtering by IP address range? I assume that sites like doubleclick deliberately fiddle around with adserver names, e.g. a.doubleclick.net, b.doubleclick.net, c.doubleclick.net, abc.doubleclick.net, etc. etc. And they probably randomly rotate and rename their adservers via an automated script. This is deliberately done to get past hostfile-based blocking.
I was thinking of setting up IP-address-range blocklists. No amount of screwing around with subdomain names, or even the main domain name, will get past that. Also, you'll only need one range/CIDR entry to cover what is now umpteen adserver names. Given the scarcity of IPV4 addresses, jumping around to different address ranges is more difficult. I had originally envisioned this as a set of iptables rules, i.e. linux-specific. But on second thought, Windows users could benefit too. Is there a way to import a list of IPV4 ranges, or CIDRs, into the Windows firewall?
There's a right way
There's a wrong way
And then there's my way
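Walter Dnes' range idea can be tried with nothing more than Python's standard ipaddress module. The script below is an added example, not anything from this thread: collapse(), summarize_span(), iptables_rules() and netsh_rule() are hypothetical names, the addresses are constructed from the RFC 5737 documentation ranges, and the Windows side of the question is answered with the netsh advfirewall rule syntax, whose remoteip parameter accepts a comma-separated list of subnets. One caveat before using it: ad servers often share address space with CDNs and cloud hosting, so a single range rule can take unrelated sites down with it; keep the list short and check what else resolves into a range before adding it.

```python
"""Collapse observed ad-server addresses into CIDR ranges and emit firewall rules.

Added example, not code from this thread.  It assumes the addresses were
gathered by the poster's own method (e.g. about:networking) and that blocking
is done on the local machine; the sample addresses are constructed from the
RFC 5737 documentation ranges.
"""
import ipaddress


def collapse(addresses):
    """Smallest list of networks covering every address or CIDR given (v4 and v6 kept apart)."""
    nets = [ipaddress.ip_network(a, strict=False) for a in addresses]
    out = []
    for version in (4, 6):
        same = [n for n in nets if n.version == version]
        out += [str(n) for n in ipaddress.collapse_addresses(same)]
    return out


def summarize_span(first, last):
    """CIDR blocks for an inclusive range, as printed in a whois NetRange line."""
    return [str(n) for n in ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last))]


def iptables_rules(networks, chain="OUTPUT"):
    """One rule per network.  REJECT rather than DROP so the browser fails fast
    instead of hanging until the TCP connect times out."""
    rules = []
    for n in networks:
        tool = "ip6tables" if ":" in n else "iptables"
        rules.append(f"{tool} -A {chain} -d {n} -j REJECT")
    return rules


def netsh_rule(networks, name="adserver-block"):
    """Windows counterpart: one outbound block rule whose remoteip is the
    comma-separated list of ranges (netsh advfirewall syntax)."""
    return (f'netsh advfirewall firewall add rule name="{name}" dir=out '
            f"action=block remoteip={','.join(networks)}")


# Constructed sample: addresses seen for a few hypothetical ad hosts plus two ranges from whois.
SAMPLE_ADDRESSES = [
    "203.0.113.4", "203.0.113.5", "203.0.113.6", "203.0.113.7",   # four adjacent hosts
    "203.0.113.0/25",                                            # whois range covering them
    "198.51.100.77", "198.51.100.0/24",
]

if __name__ == "__main__":
    for rule in iptables_rules(collapse(SAMPLE_ADDRESSES)):
        print(rule)
    print(netsh_rule(collapse(SAMPLE_ADDRESSES)))
```

Four adjacent hosts collapse to a single /30, and an address already inside a whois range disappears into that range, so the rule count stays small even as the observed list grows. Printing the commands rather than executing them lets you review the ranges first, which is where the shared-hosting caveat above gets checked.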
-
- Board Warrior
- Posts: 1277
- Joined: 2017-06-06, 07:38
Re: advertisement acts like virus, how to fix and prevent security bug?
Walter Dnes wrote:
Rather than filtering by host name, howsabout filtering by IP address range? I assume that sites like doubleclick deliberately fiddle around with adserver names, e.g. a.doubleclick.net, b.doubleclick.net, c.doubleclick.net, abc.doubleclick.net, etc. etc. And they probably randomly rotate and rename their adservers via an automated script. This is deliberately done to get past hostfile-based blocking.

Instead of that, it would be better to quickly disable hostnames based on wildcard matching using dnsmasq. But then you may argue that it requires running an extra process?