Strange Problem - DNS Cache Poisoning?

Score 6
I'm a developer by trade, but not that well versed in information security. I've encountered a strange problem at home:



About three times now in the past year, when I open some website, I'm thrown to some garbage domain which tries to phish me into doing some kind of security audit or whatever. The first time it happened I thought I had some malware on my system. I'm normally very cautious, so I pretty much burned my drives and got a fresh everything going. Then it happened again a few months later, and now again, after moving to a different apartment and on my GF's laptop.



I'm suspecting DNS tampering of some sort, but there's no way to verify. Opening the same domain again just gives me the right page.



  • Between then and now I moved apartments, changed ISP, changed router to Google Mesh, and changed the DNS on it to 8.8.8.8. So... now even DNS poisoning doesn't make much sense.


  • And the websites that do open are very similar in spirit. I suspect that the problem is persistent.


  • AV software doesn't report any issues.


Any ideas? And what should I do to prevent this?



EDIT:



In response to questions:



  • It happened to three different websites. I honestly don't recall which, I think it's entirely possible that it wasn't any of the big ones.


  • Visiting the same site again just opens the normal site.


  • The last time it happened was yesterday (my GF visited some blog; I will update again if she remembers which site it was originally), and this is the garbage result I was referring to: http://play6052.try-it-now3.club/?utm_medium=oxxGrJ1EO8rl%2flkgHhDHtdaJe%2b6y3ml38Z%2b1ZX9QaLo%3d&t=main6_mcas2


  • I am in Estonia


  • The browsers and machines are completely different. Even the router and ISPs have changed between issues.


EDIT 2



The offending original was:
http://www.byronkatie.com/2018/07/how-to-be-safe-in-the-abyss-the-work-of-byron-katie/










Tags: dns, dns-spoofing






edited Aug 24 at 13:58

























asked Aug 23 at 14:01 by Gleno (1336)







  • [13] Based on your description this might also be malvertising: attackers claim to deliver ads and pay for these, but instead of the ads they deliver selected users malware or scareware, or try phishing. There does not need to be any infection on your system or in your network for this, no DNS spoofing involved, etc. Of course, it might also be that the site you visit was hacked, which often is also not that obvious when only selected users get attacked from the site. Antivirus has a hard time catching up to these kinds of more stealthy attacks.
    – Steffen Ullrich
    Aug 23 at 14:12











  • Seems like there is not quite enough info in your question to give a good answer. Can you be more specific about exactly what website (rather than just "some website") and what domain (rather than just "some garbage domain")? Also, what ISPs were you using and what country are you in?
    – hft
    Aug 23 at 15:12










  • "when I open some website": this is an indication that the said website is hosting some script that loads the same stuff.
    – mootmoot
    Aug 23 at 15:54










  • Try using incognito/private browsing with a web proxy routing traffic from a different country and visit the same site to find out.
    – Krishna Pandey
    Aug 23 at 16:34










  • Please describe to the group what browser you are experiencing this issue with and what, if any, extensions you are using within that browser.
    – SecurityDoctor
    Aug 23 at 18:47












2 Answers
Score 9 (accepted)
I agree with Steffen, this sounds like malvertising as the most likely cause, with a less likely option being compromise of the visited site with embedded redirects.



Running ad-blockers and script-blockers is effective against most malvertising, but can negatively affect your browsing experience.



Sometimes malvertising is targeted at only certain browsers. I used to have a site I visited regularly that suffered from frequent malvertising on the mobile version. Switching from Chrome to Opera solved that problem entirely. Ads still loaded (I wanted to support the site) but not the malicious redirects.






answered Aug 23 at 14:35 by Matt G (1444)







  • [4] Yep, browser user-agent and geoip make a difference. Some malvertisements only pop up when using a mobile device user agent.
    – mootmoot
    Aug 23 at 16:02










  • That's very interesting. I've never heard of malvertising before this. I would have imagined that this was more common, and I would be made aware of this issue by now. As you say, mayhaps, this malvertising is careful and manifests rarely and for my region in a particular way.
    – Gleno
    Aug 24 at 10:40










  • There is an entire ecosystem with targeting algorithms and automated bidding going on in the background when you are served an advert online. Attackers are able to compromise this process (either by hacking or simply paying) to effectively run their scripts on otherwise legitimate sites. Some ad networks are much worse than others as they are low margin operations that do little or no checking of their ads, or even tacitly take the money from malicious sources.
    – Matt G
    Aug 25 at 16:00
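Matt G's answer and the comments say the trigger can be conditional on browser and region. The script below is an added example (my code, not from the answer) of a first-pass probe: it fetches one URL under several User-Agents, each in a fresh cookie-less session, records any HTTP redirect chain, and lists the third-party hosts the returned HTML loads scripts and iframes from. The User-Agent strings are constructed for illustration, and the "same site" rule (same host, or a subdomain of it, after stripping www.) is a deliberate simplification.

```python
"""Conditional-redirect probe: fetch a page under several User-Agents, each
in a fresh cookie-less session, record the HTTP redirect chain, and list the
third-party hosts the HTML pulls scripts/iframes from.

Added example, not code from the answer.  The User-Agent strings are
constructed; the 'same site' rule is a deliberate simplification.
"""
import re
import urllib.error
import urllib.request
from urllib.parse import urlsplit

# Constructed UA set covering the desktop / Android / iOS split that targeted
# campaigns key on.  Refresh these strings when you run it.
USER_AGENTS = {
    "desktop-chrome": ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
                       "(KHTML, like Gecko) Chrome/68.0.3440.106 Safari/537.36"),
    "android-chrome": ("Mozilla/5.0 (Linux; Android 8.0; Pixel 2) AppleWebKit/537.36 "
                       "(KHTML, like Gecko) Chrome/68.0.3440.91 Mobile Safari/537.36"),
    "ios-safari": ("Mozilla/5.0 (iPhone; CPU iPhone OS 11_4 like Mac OS X) AppleWebKit/605.1.15 "
                   "(KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1"),
}

# src= of <script> and <iframe>; the lookbehind keeps data-src and the like out
_SRC_RE = re.compile(r"<(?:script|iframe)\b[^>]*?(?<![\w-])src\s*=\s*[\"']([^\"']+)", re.I)


def site_of(url: str) -> str:
    """Hostname of `url`, lower-cased, with a leading 'www.' stripped."""
    host = (urlsplit(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def _same_site(base: str, host: str) -> bool:
    return host == base or host.endswith("." + base)


def leaves_site(origin: str, chain: list) -> bool:
    """True if any hop in `chain` (URLs, the first being the request itself)
    lands on a host outside the origin's site."""
    base = site_of(origin)
    return any(not _same_site(base, site_of(hop)) for hop in chain)


def external_sources(html: str, origin: str) -> set:
    """Hosts of <script>/<iframe> sources that are not part of origin's site."""
    base = site_of(origin)
    hosts = set()
    for src in _SRC_RE.findall(html):
        if src.startswith("//"):
            src = "https:" + src          # protocol-relative URL
        host = site_of(src)
        if host and not _same_site(base, host):
            hosts.add(host)
    return hosts


class _ChainRecorder(urllib.request.HTTPRedirectHandler):
    """Redirect handler that remembers every Location it follows."""
    def __init__(self):
        self.chain = []

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        self.chain.append(newurl)
        return super().redirect_request(req, fp, code, msg, headers, newurl)


def probe(url: str, user_agent: str, timeout: float = 15.0) -> dict:
    """Fetch `url` once with a brand-new opener: no cookies, no shared state."""
    recorder = _ChainRecorder()
    opener = urllib.request.build_opener(recorder)
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    try:
        with opener.open(req, timeout=timeout) as resp:
            status, final, body = resp.status, resp.geturl(), resp.read()
    except urllib.error.HTTPError as err:
        status, final, body = err.code, err.geturl(), err.read()
    chain = [url] + recorder.chain
    html = body.decode("utf-8", errors="replace")
    return {"status": status, "final": final, "chain": chain,
            "off_site": leaves_site(url, chain),
            "third_parties": external_sources(html, url)}


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "http://www.byronkatie.com/"
    for label, ua in USER_AGENTS.items():
        r = probe(target, ua)
        flag = "OFF-SITE" if r["off_site"] else "ok"
        print("%-15s %-8s %s -> %s" % (label, flag, r["status"], r["final"]))
        for host in sorted(r["third_parties"]):
            print("                third-party: %s" % host)
```

Run it from the affected network and again through a proxy or VPN in another country, as suggested in the comments, and diff the output. One caveat matters here: urllib only follows HTTP 3xx redirects, and ad-driven redirects are usually set from JavaScript after the creative loads, so this catches a server-side redirect injected into the site for your UA or region but not one an ad network serves; for that you need a real browser (headless is fine) with the same UA and location, and repeated visits, since the comments note only selected users are targeted. The third-party host list is still useful: it shows which ad networks and script hosts the page hands control to, which is what you compare between a clean visit and a bad one.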












Score 1
There's some malware out there that infects websites, but the code is triggered only randomly a fraction of the time.



The site can thus appear completely normal to most, and even yourself after a reload, but will still show the bad stuff once in a while. It may either display directly on the site, or provoke a redirect.



If you have control of the website you went to, check all PHP code for infection. It is usually quite obvious (a big bunch of base64 at the start of many of the files), sometimes a bit more difficult to find (it may be a single PHP file that is indirectly included in other pages).



If you don't have control of the website, you may try to alert the site owner, but unless you can pinpoint it quite precisely it may be difficult to get a good response.



Those sites usually end up blocked by malware detectors, including Google, Safari, Chrome, etc. but it may take a while as the scanner needs to stumble on the infected version of the page.
edited Aug 24 at 0:20
answered Aug 23 at 16:34
jcaron

  • I will try and figure out what the original site was, and try and get in touch with the owner to see if there's a possible infection. I think it was a personal blog, so you are likely on to something. However I'm not entirely convinced, because this has happened on three occasions and the MO is exactly the same. The target sites feel the same, and either there's a rampant infection or there's some kind of issue on my end.
    – Gleno
    Aug 24 at 10:44

  • That kind of malware spreads via automated tools that scan for vulnerable hosts and automatically infect all the files they can. There are probably millions of sites infected like that, and it’s quite often the same perpetrators, using those hosts for the currently most valuable attacks. Some use them to send spam, others to mine cryptocurrency, others to install malware on users’ computers, etc., but you will only see those that have a visible effect for visitors, and those doing that are usually not very original. Cut and paste is the favorite tool of the script kiddie.
    – jcaron
    Aug 24 at 15:21
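The check jcaron describes (a big base64 blob near the top of PHP files, and a single infected file pulled in indirectly through include/require) as an added Python example. This is not code from the answer; the regexes are assumed heuristics, and the two PHP samples are constructed for the demo.

```python
import re
from pathlib import Path

# Heuristics for the pattern described in the answer: a long base64 run near the top of
# a PHP file, a decoder/eval wrapping it, and include/require lines to trace indirect loads.
BASE64_RUN = re.compile(r"[A-Za-z0-9+/]{64,}={0,2}")
DECODE_EVAL = re.compile(r"\b(?:eval|base64_decode|gzinflate|str_rot13|assert)\s*\(", re.I)
INCLUDE = re.compile(r"\b(?:include|require)(?:_once)?\s*\(?\s*['\"]([^'\"]+)['\"]", re.I)
HEAD_BYTES = 2048  # only the start of each file is checked for the blob heuristic

# Constructed samples for the demo (not taken from any real site): injected header vs. clean page.
INJECTED_SAMPLE = '<?php eval(base64_decode("' + "QUJD" * 40 + '")); ?>\n<?php echo "hi"; ?>'
CLEAN_SAMPLE = '<?php require_once("header.php"); echo "hi"; ?>'

def scan_php_source(text: str) -> dict:
    """Findings for one PHP source: blob at start, decoder/eval near the top, include targets."""
    head = text[:HEAD_BYTES]
    blob = BASE64_RUN.search(head)
    return {
        "base64_blob_at_start": blob is not None,
        "blob_length": len(blob.group(0)) if blob else 0,
        "decode_or_eval": DECODE_EVAL.search(head) is not None,
        "includes": INCLUDE.findall(text),
    }

def scan_tree(root: Path) -> dict:
    """Scan every .php file below root; returns {relative path: findings}."""
    return {str(p.relative_to(root)): scan_php_source(p.read_text(errors="replace"))
            for p in sorted(root.rglob("*.php"))}

def suspicious(results: dict) -> list:
    """Files with both a long base64 run and a decoder/eval near the top (review by hand: packed code can trip this too)."""
    return [p for p, r in results.items() if r["base64_blob_at_start"] and r["decode_or_eval"]]

def included_by(results: dict, name: str) -> list:
    """Files that include/require `name` (matched by basename), to follow an indirectly included file."""
    return [p for p, r in results.items()
            if any(Path(i).name == Path(name).name for i in r["includes"])]

if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "index.php").write_text(CLEAN_SAMPLE)
        (root / "header.php").write_text(INJECTED_SAMPLE)
        res = scan_tree(root)
        print("suspicious:", suspicious(res))                             # ['header.php']
        print("header.php included by:", included_by(res, "header.php"))  # ['index.php']
```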