Strange Problem - DNS Cache Poisoning?
6
I'm a developer by trade, but not that well versed in information security. I've encountered a strange problem at home:
About three times now in the past year, when I open some website, I'm thrown to some garbage domain which tries to phish me into doing some kind of security audit or whatever. The first time it happened, I thought I had some malware on my system. I'm normally very cautious, so I pretty much burned my drives and got a fresh everything going. Then it happened again a few months later, and now again, after moving to a different apartment and on my GF's laptop.
I'm suspecting DNS tampering of some sort, but there's no way to verify. Opening the same domain again just gives me the right page.
Between then and now I moved apartments, changed ISP, changed router to Google Mesh, and changed the DNS on it to 8.8.8.8. So... now even DNS poisoning doesn't make much sense.
And the websites that do open are very similar in spirit. I suspect that the problem is persistent.
AV software doesn't report any issues.
Any ideas? And what should I do to prevent this?
EDIT:
In response to questions:
It happened on three different websites. I honestly don't recall which; I think it's entirely possible that it wasn't any of the big ones.
Visiting the same site again just opens the normal site.
The last time it happened was yesterday (my GF visited some blog; I will update again if she remembers which site it was originally), and this is the garbage result I was referring to:
http://play6052.try-it-now3.club/?utm_medium=oxxGrJ1EO8rl%2flkgHhDHtdaJe%2b6y3ml38Z%2b1ZX9QaLo%3d&t=main6_mcas2
I am in Estonia.
The browsers and machines are completely different. Even the router and ISPs have changed between issues.
EDIT 2
The offending original was:
http://www.byronkatie.com/2018/07/how-to-be-safe-in-the-abyss-the-work-of-byron-katie/
dns dns-spoofing
edited Aug 24 at 13:58
asked Aug 23 at 14:01
Gleno
13
Based on your description this might also be malvertising: attackers claim to deliver ads and pay for these, but instead of the ads they deliver selected users malware, scareware or try phishing. There does not need to be any infection on your system or in your network for this, no DNS spoofing involved, etc. Of course, it might also be that the site you visit was hacked, which often also is not that obvious when only selected users get attacked from the site. Antivirus software has a hard time catching up with these kinds of stealthier attacks.
– Steffen Ullrich
Aug 23 at 14:12
Seems like there is not quite enough info in your question to give a good answer. Can you be more specific about exactly what website (rather than just "some website") and what domain (rather than just "some garbage domain")? Also, what ISPs were you using and what country are you in?
– hft
Aug 23 at 15:12
"when I open some website": this is an indication that the said website is hosting some script that loads the same stuff.
– mootmoot
Aug 23 at 15:54
Try using incognito/private browsing with a web proxy routing traffic from a different country and visit the same site to find out.
– Krishna Pandey
Aug 23 at 16:34
Please describe to the group what browser you are experiencing this issue with and what, if any, extensions you are using within that browser.
– SecurityDoctor
Aug 23 at 18:47
2 Answers
9
accepted
I agree with Steffen: this sounds like malvertising as the most likely cause, with a less likely option being compromise of the visited site with embedded redirects.
Running ad-blockers and script-blockers is effective against most malvertising, but can negatively affect your browsing experience.
Sometimes malvertising is targeted at only certain browsers. I used to have a site I visited regularly that suffered from frequent malvertising on the mobile version. Switching from Chrome to Opera solved that problem entirely. Ads still loaded (I wanted to support the site) but not the malicious redirects.
answered Aug 23 at 14:35
Matt G
4
Yup, browser user agent and GeoIP make a difference. Some malvertisements only pop up when using a mobile device user agent.
– mootmoot
Aug 23 at 16:02
That's very interesting. I've never heard of malvertising before this. I would have imagined that this was more common, and I would be made aware of this issue by now. As you say, mayhaps, this malvertising is careful and manifests rarely and for my region in a particular way.
– Gleno
Aug 24 at 10:40
There is an entire ecosystem with targeting algorithms and automated bidding going on in the background when you are served an advert online. Attackers are able to compromise this process (either by hacking or simply paying) to effectively run their scripts on otherwise legitimate sites. Some ad networks are much worse than others as they are low margin operations that do little or no checking of their ads, or even tacitly take the money from malicious sources.
– Matt G
Aug 25 at 16:00
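The comments above point out that the redirect may only fire for certain user agents or regions. The following Python script is an added example, not code from the thread: it fetches a URL with several User-Agent strings (constructed), records every HTTP redirect hop, and reports when the chain lands on a different registrable domain than it started on; the sample chain reuses the two URLs from the question joined by an assumed ad-network hop.

```python
"""Re-fetch a page under different User-Agents and record where its redirects end up.
Added example (not from the thread); the ad-network hop below is assumed, not observed."""
import urllib.request
from urllib.parse import urlsplit

# Constructed User-Agent strings (assumption: a typical desktop and a typical mobile browser).
USER_AGENTS = {
    "desktop-chrome": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
                      "(KHTML, like Gecko) Chrome/68.0.3440.106 Safari/537.36",
    "mobile-chrome": "Mozilla/5.0 (Linux; Android 8.0; Pixel 2) AppleWebKit/537.36 "
                     "(KHTML, like Gecko) Chrome/68.0.3440.91 Mobile Safari/537.36",
}


def registrable_domain(host):
    """Last two DNS labels of host ("play6052.try-it-now3.club" -> "try-it-now3.club").
    Approximation: a real tool would consult the public suffix list for co.uk-style suffixes."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


class RecordingRedirects(urllib.request.HTTPRedirectHandler):
    """Follows redirects exactly like the default handler but remembers every hop."""

    def __init__(self):
        self.hops = []

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        self.hops.append((code, newurl))
        return super().redirect_request(req, fp, code, msg, headers, newurl)


def fetch_chain(url, user_agent, timeout=15):
    """GET url with the given User-Agent; return the list of URLs visited, start first, final last."""
    recorder = RecordingRedirects()
    opener = urllib.request.build_opener(recorder)  # replaces the default redirect handler
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    with opener.open(req, timeout=timeout) as resp:
        final_url = resp.geturl()
    chain = [url] + [hop_url for _code, hop_url in recorder.hops]
    if chain[-1] != final_url:
        chain.append(final_url)
    return chain


def analyze_chain(chain):
    """Summarise a redirect chain: did it end outside the registrable domain it started on?"""
    origin = registrable_domain(urlsplit(chain[0]).hostname or "")
    landing = registrable_domain(urlsplit(chain[-1]).hostname or "")
    foreign = [u for u in chain[1:] if registrable_domain(urlsplit(u).hostname or "") != origin]
    return {"origin": origin, "landing": landing, "hops": len(chain) - 1,
            "left_origin": landing != origin, "foreign_hops": foreign}


# Constructed chain: the two URLs from the question joined by an assumed ad-network hop.
SUSPECT_CHAIN = [
    "http://www.byronkatie.com/2018/07/how-to-be-safe-in-the-abyss-the-work-of-byron-katie/",
    "http://ads.example/click?id=1",  # assumed intermediate hop, not from the question
    "http://play6052.try-it-now3.club/?utm_medium=oxxGrJ1EO8rl%2flkgHhDHtdaJe%2b6y3ml38Z%2b1ZX9QaLo%3d&t=main6_mcas2",
]
# Constructed benign chain: a plain http -> https upgrade stays on the same domain.
BENIGN_CHAIN = ["http://www.byronkatie.com/", "https://www.byronkatie.com/"]

if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else SUSPECT_CHAIN[0]
    for label, ua in USER_AGENTS.items():
        try:
            print(label, analyze_chain(fetch_chain(target, ua)))
        except Exception as exc:  # DNS/HTTP failures are reported so the other UAs still run
            print(label, "error:", exc)
```

Only HTTP-level redirects are captured; a redirect fired by JavaScript inside an ad iframe will not appear in the chain, so a clean result does not clear the site.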
1
There's some malware out there that infects websites, but the code is triggered only randomly, a fraction of the time.
The site can thus appear completely normal to most, and even to yourself after a reload, but will still show the bad stuff once in a while. It may either display directly on the site or provoke a redirect.
If you have control of the website you went to, check all PHP code for infection. It is usually quite obvious (a big bunch of base64 at the start of many of the files), sometimes a bit more difficult to find (it may be a single PHP file that is indirectly included in other pages).
If you don't have control of the website, you may try to alert the site owner, but unless you can pinpoint it quite precisely it may be difficult to get a good response.
Those sites usually end up blocked by malware detectors, including Google, Safari, Chrome, etc., but it may take a while as the scanner needs to stumble on the infected version of the page.
answered Aug 23 at 16:34, edited Aug 24 at 0:20
– jcaron
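A defender-side check for the "big bunch of base64 at the start of many of the files" pattern this answer describes, as an added example that is not part of the original post: it walks a web root, flags PHP files that carry an eval of a decoded payload, a long decodable base64 literal, or a dynamically built include, and reports the line number. The sample file contents are constructed here, and the pattern list is an assumption of this example, not an exhaustive signature set.

```python
import base64
import re
import sys
from pathlib import Path

# Injected PHP usually decodes an obfuscated payload and hands it to eval().
SUSPICIOUS_CALLS = re.compile(
    r"\b(eval|assert|create_function)\s*\(\s*"
    r"(base64_decode|gzinflate|gzuncompress|str_rot13|strrev)\s*\(",
    re.IGNORECASE,
)
# A long run of base64 alphabet characters inside one string literal.
LONG_BASE64 = re.compile(r"['\"]([A-Za-z0-9+/]{200,}={0,2})['\"]")
# include/require whose target is built at run time or points at /tmp.
DYNAMIC_INCLUDE = re.compile(
    r"\b(include|require)(_once)?\s*\(?\s*(\$|base64_decode|str_rot13|'/tmp|\"/tmp)",
    re.IGNORECASE,
)

def scan_php_source(text, head_bytes=4096):
    """Return a list of (indicator, line_no) findings for one PHP source text."""
    findings = []
    line_of = lambda pos: text.count("\n", 0, pos) + 1
    for m in SUSPICIOUS_CALLS.finditer(text):
        findings.append(("eval-of-decoded-payload", line_of(m.start())))
    for m in LONG_BASE64.finditer(text):
        try:  # only count runs that really are base64, not long hex or hashes
            base64.b64decode(m.group(1), validate=True)
        except ValueError:
            continue
        where = "file-head" if m.start() < head_bytes else "file-body"
        findings.append((f"long-base64-{where}", line_of(m.start())))
    for m in DYNAMIC_INCLUDE.finditer(text):
        findings.append(("dynamic-include", line_of(m.start())))
    return findings

def scan_tree(root):
    """Map each .php path under root to its findings; clean files are omitted."""
    report = {}
    for path in Path(root).rglob("*.php"):
        hits = scan_php_source(path.read_text(errors="replace"))
        if hits:
            report[str(path)] = hits
    return report

# Constructed samples (hypothetical, not from any real site).
INFECTED_SAMPLE = ("<?php eval(base64_decode('" + base64.b64encode(b"x" * 300).decode()
                   + "')); ?>\n<?php echo 'hello'; ?>\n")
CLEAN_SAMPLE = "<?php\nrequire_once 'wp-load.php';\necho 'hello';\n"

if __name__ == "__main__":
    for path, hits in scan_tree(sys.argv[1] if len(sys.argv) > 1 else ".").items():
        print(path, hits)
```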
I will try and figure out what the original site was, and try and get in touch with the owner to see if there's a possible infection. I think it was a personal blog, so you are likely on to something. However I'm not entirely convinced, because this has happened on three occasions and the MO is exactly the same. The target sites feel the same, and either there's a rampant infection or there's some kind of issue on my end.
– Gleno
Aug 24 at 10:44
That kind of malware spreads via automated tools that scan for vulnerable hosts and automatically infect all the files they can. There are probably millions of sites infected like that, and it’s quite often the same perpetrators, using those hosts for the currently most valuable attacks. Some use them to send spam, others to mine cryptocurrency, others to install malware on users’ computers, etc., but you will only see those that have a visible effect for visitors, and those doing that are usually not very original. Cut and paste is the favorite tool of the script kiddie.
– jcaron
Aug 24 at 15:21
Based on your description this might also be malvertising: attackers claim to deliver ads and pay for these, but instead of the ads they deliver selected users malware or scareware, or try phishing. There does not need to be any infection on your system or in your network for this, no DNS spoofing involved, etc. Of course, it might also be that the site you visit was hacked, which often also is not that obvious when only selected users get attacked from the site. Antivirus has a hard time catching up with these kinds of more stealthy attacks.
– Steffen Ullrich
Aug 23 at 14:12
Seems like there is not quite enough info in your question to give a good answer. Can you be more specific about exactly what website (rather than just "some website") and what domain (rather than just "some garbage domain")? Also, what ISPs were you using and what country are you in?
– hft
Aug 23 at 15:12
"when I open some website": this is an indication that the said website is hosting some script that loads the same stuff.
– mootmoot
Aug 23 at 15:54
Try using incognito/private browsing with a web proxy routing traffic from a different country and visit the same site to find out.
– Krishna Pandey
Aug 23 at 16:34
Please describe to the group what browser you are experiencing this issue with and what, if any, extensions you are using within that browser.
– SecurityDoctor
Aug 23 at 18:47