Strange Problem - DNS Cache Poisoning?
Clash Royale CLAN TAG#URR8PPP
.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty margin-bottom:0;
up vote
6
down vote
favorite
I'm a developer by trade, but not that well versed in information security. I've encountered a strange problem at home:
About three times now in the past year, when I open some website - I'm thrown to some garbage domain which tries to phish me to do some kind of security audit or whatever. First time it happened - I thought I had some malware on my system. I'm normally very cautious. So I pretty much burned my drives and got a fresh everything going. Then it happened again, a few months by, and now again - after moving to a different apartment and on my GFs laptop.
I'm suspecting DNS tampering of some sort, but there's no way to verify. Opening the same domain again, just gives me the right page.
Between now and then I moved apartments, moved ISP, changed router to Google Mesh, changed DNS to 8.8.8.8 on it. So... now even DNS poisoning doesn't make much sense.
And the websites that do open, are very similar in spirit. I suspect that the problem is persistent.
AV software doesn't report any issues.
Any ideas? And what should I do to prevent this?
EDIT:
In response to questions:
It happened to three different websites. I honestly don't recall which, I think it's entirely possible that it wasn't any of the big ones.
Visiting the same site again just opens the normal site.
Last time it happened yesterday (my GF visited some blog. I will update again if she remembers which site it was originally), and this is the garbage result I was referring to:
http://play6052.try-it-now3.club/?utm_medium=oxxGrJ1EO8rl%2flkgHhDHtdaJe%2b6y3ml38Z%2b1ZX9QaLo%3d&t=main6_mcas2
I am in Estonia
The browsers and machines are completely different. Even the router and ISPs have changed between issues.
EDIT 2
The offending original was:
http://www.byronkatie.com/2018/07/how-to-be-safe-in-the-abyss-the-work-of-byron-katie/
dns dns-spoofing
 |Â
show 1 more comment
up vote
6
down vote
favorite
I'm a developer by trade, but not that well versed in information security. I've encountered a strange problem at home:
About three times now in the past year, when I open some website - I'm thrown to some garbage domain which tries to phish me to do some kind of security audit or whatever. First time it happened - I thought I had some malware on my system. I'm normally very cautious. So I pretty much burned my drives and got a fresh everything going. Then it happened again, a few months by, and now again - after moving to a different apartment and on my GFs laptop.
I'm suspecting DNS tampering of some sort, but there's no way to verify. Opening the same domain again, just gives me the right page.
Between now and then I moved apartments, moved ISP, changed router to Google Mesh, changed DNS to 8.8.8.8 on it. So... now even DNS poisoning doesn't make much sense.
And the websites that do open, are very similar in spirit. I suspect that the problem is persistent.
AV software doesn't report any issues.
Any ideas? And what should I do to prevent this?
EDIT:
In response to questions:
It happened to three different websites. I honestly don't recall which, I think it's entirely possible that it wasn't any of the big ones.
Visiting the same site again just opens the normal site.
Last time it happened yesterday (my GF visited some blog. I will update again if she remembers which site it was originally), and this is the garbage result I was referring to:
http://play6052.try-it-now3.club/?utm_medium=oxxGrJ1EO8rl%2flkgHhDHtdaJe%2b6y3ml38Z%2b1ZX9QaLo%3d&t=main6_mcas2
I am in Estonia
The browsers and machines are completely different. Even the router and ISPs have changed between issues.
EDIT 2
The offending original was:
http://www.byronkatie.com/2018/07/how-to-be-safe-in-the-abyss-the-work-of-byron-katie/
dns dns-spoofing
13
Based on your description this might also be malvertising: attackers claim to delivers ads and pay for these but instead of the ads they deliver selected users malware, scareware or try phishing. There does not need to any infection on your system or in your network for this, no DNS spoofing involved etc. Of course, it might also be that the site you visit was hacked, which often also is not that obvious when only selected users get attacked from the site. Antivirus have a hard time to catch up to these kind of more stealth attacks.
â Steffen Ullrich
Aug 23 at 14:12
Seems like there is not quite enough info in your question to give a good answer. Can you be more specific about exactly what website (rather then just "some website") and what domain (rather than just "some garbage domain")? Also, what ISPs were you using and what country are you in?
â hft
Aug 23 at 15:12
when I open some website
: this is an indication that the say website is hosting some script that load the same stuff.
â mootmoot
Aug 23 at 15:54
try using incognito/private browsing with a web proxy routing traffic from different country and visit same site to find out.
â Krishna Pandey
Aug 23 at 16:34
Please describe to the group what browser you are experiencing this issue with and what if any extensions you are using within that browser?
â SecurityDoctor
Aug 23 at 18:47
 |Â
show 1 more comment
up vote
6
down vote
favorite
up vote
6
down vote
favorite
I'm a developer by trade, but not that well versed in information security. I've encountered a strange problem at home:
About three times now in the past year, when I open some website - I'm thrown to some garbage domain which tries to phish me to do some kind of security audit or whatever. First time it happened - I thought I had some malware on my system. I'm normally very cautious. So I pretty much burned my drives and got a fresh everything going. Then it happened again, a few months by, and now again - after moving to a different apartment and on my GFs laptop.
I'm suspecting DNS tampering of some sort, but there's no way to verify. Opening the same domain again, just gives me the right page.
Between now and then I moved apartments, moved ISP, changed router to Google Mesh, changed DNS to 8.8.8.8 on it. So... now even DNS poisoning doesn't make much sense.
And the websites that do open, are very similar in spirit. I suspect that the problem is persistent.
AV software doesn't report any issues.
Any ideas? And what should I do to prevent this?
EDIT:
In response to questions:
It happened to three different websites. I honestly don't recall which, I think it's entirely possible that it wasn't any of the big ones.
Visiting the same site again just opens the normal site.
Last time it happened yesterday (my GF visited some blog. I will update again if she remembers which site it was originally), and this is the garbage result I was referring to:
http://play6052.try-it-now3.club/?utm_medium=oxxGrJ1EO8rl%2flkgHhDHtdaJe%2b6y3ml38Z%2b1ZX9QaLo%3d&t=main6_mcas2
I am in Estonia
The browsers and machines are completely different. Even the router and ISPs have changed between issues.
EDIT 2
The offending original was:
http://www.byronkatie.com/2018/07/how-to-be-safe-in-the-abyss-the-work-of-byron-katie/
dns dns-spoofing
I'm a developer by trade, but not that well versed in information security. I've encountered a strange problem at home:
About three times now in the past year, when I open some website - I'm thrown to some garbage domain which tries to phish me to do some kind of security audit or whatever. First time it happened - I thought I had some malware on my system. I'm normally very cautious. So I pretty much burned my drives and got a fresh everything going. Then it happened again, a few months by, and now again - after moving to a different apartment and on my GFs laptop.
I'm suspecting DNS tampering of some sort, but there's no way to verify. Opening the same domain again, just gives me the right page.
Between now and then I moved apartments, moved ISP, changed router to Google Mesh, changed DNS to 8.8.8.8 on it. So... now even DNS poisoning doesn't make much sense.
And the websites that do open, are very similar in spirit. I suspect that the problem is persistent.
AV software doesn't report any issues.
Any ideas? And what should I do to prevent this?
EDIT:
In response to questions:
It happened to three different websites. I honestly don't recall which, I think it's entirely possible that it wasn't any of the big ones.
Visiting the same site again just opens the normal site.
Last time it happened yesterday (my GF visited some blog. I will update again if she remembers which site it was originally), and this is the garbage result I was referring to:
http://play6052.try-it-now3.club/?utm_medium=oxxGrJ1EO8rl%2flkgHhDHtdaJe%2b6y3ml38Z%2b1ZX9QaLo%3d&t=main6_mcas2
I am in Estonia
The browsers and machines are completely different. Even the router and ISPs have changed between issues.
EDIT 2
The offending original was:
http://www.byronkatie.com/2018/07/how-to-be-safe-in-the-abyss-the-work-of-byron-katie/
dns dns-spoofing
dns dns-spoofing
edited Aug 24 at 13:58
asked Aug 23 at 14:01
Gleno
1336
1336
13
Based on your description this might also be malvertising: attackers claim to delivers ads and pay for these but instead of the ads they deliver selected users malware, scareware or try phishing. There does not need to any infection on your system or in your network for this, no DNS spoofing involved etc. Of course, it might also be that the site you visit was hacked, which often also is not that obvious when only selected users get attacked from the site. Antivirus have a hard time to catch up to these kind of more stealth attacks.
â Steffen Ullrich
Aug 23 at 14:12
Seems like there is not quite enough info in your question to give a good answer. Can you be more specific about exactly what website (rather then just "some website") and what domain (rather than just "some garbage domain")? Also, what ISPs were you using and what country are you in?
â hft
Aug 23 at 15:12
when I open some website
: this is an indication that the say website is hosting some script that load the same stuff.
â mootmoot
Aug 23 at 15:54
try using incognito/private browsing with a web proxy routing traffic from different country and visit same site to find out.
â Krishna Pandey
Aug 23 at 16:34
Please describe to the group what browser you are experiencing this issue with and what if any extensions you are using within that browser?
â SecurityDoctor
Aug 23 at 18:47
 |Â
show 1 more comment
13
Based on your description this might also be malvertising: attackers claim to delivers ads and pay for these but instead of the ads they deliver selected users malware, scareware or try phishing. There does not need to any infection on your system or in your network for this, no DNS spoofing involved etc. Of course, it might also be that the site you visit was hacked, which often also is not that obvious when only selected users get attacked from the site. Antivirus have a hard time to catch up to these kind of more stealth attacks.
â Steffen Ullrich
Aug 23 at 14:12
Seems like there is not quite enough info in your question to give a good answer. Can you be more specific about exactly what website (rather then just "some website") and what domain (rather than just "some garbage domain")? Also, what ISPs were you using and what country are you in?
â hft
Aug 23 at 15:12
when I open some website
: this is an indication that the say website is hosting some script that load the same stuff.
â mootmoot
Aug 23 at 15:54
try using incognito/private browsing with a web proxy routing traffic from different country and visit same site to find out.
â Krishna Pandey
Aug 23 at 16:34
Please describe to the group what browser you are experiencing this issue with and what if any extensions you are using within that browser?
â SecurityDoctor
Aug 23 at 18:47
13
13
Based on your description this might also be malvertising: attackers claim to delivers ads and pay for these but instead of the ads they deliver selected users malware, scareware or try phishing. There does not need to any infection on your system or in your network for this, no DNS spoofing involved etc. Of course, it might also be that the site you visit was hacked, which often also is not that obvious when only selected users get attacked from the site. Antivirus have a hard time to catch up to these kind of more stealth attacks.
â Steffen Ullrich
Aug 23 at 14:12
Based on your description this might also be malvertising: attackers claim to delivers ads and pay for these but instead of the ads they deliver selected users malware, scareware or try phishing. There does not need to any infection on your system or in your network for this, no DNS spoofing involved etc. Of course, it might also be that the site you visit was hacked, which often also is not that obvious when only selected users get attacked from the site. Antivirus have a hard time to catch up to these kind of more stealth attacks.
â Steffen Ullrich
Aug 23 at 14:12
Seems like there is not quite enough info in your question to give a good answer. Can you be more specific about exactly what website (rather then just "some website") and what domain (rather than just "some garbage domain")? Also, what ISPs were you using and what country are you in?
â hft
Aug 23 at 15:12
Seems like there is not quite enough info in your question to give a good answer. Can you be more specific about exactly what website (rather then just "some website") and what domain (rather than just "some garbage domain")? Also, what ISPs were you using and what country are you in?
â hft
Aug 23 at 15:12
when I open some website
: this is an indication that the say website is hosting some script that load the same stuff.â mootmoot
Aug 23 at 15:54
when I open some website
: this is an indication that the say website is hosting some script that load the same stuff.â mootmoot
Aug 23 at 15:54
try using incognito/private browsing with a web proxy routing traffic from different country and visit same site to find out.
â Krishna Pandey
Aug 23 at 16:34
try using incognito/private browsing with a web proxy routing traffic from different country and visit same site to find out.
â Krishna Pandey
Aug 23 at 16:34
Please describe to the group what browser you are experiencing this issue with and what if any extensions you are using within that browser?
â SecurityDoctor
Aug 23 at 18:47
Please describe to the group what browser you are experiencing this issue with and what if any extensions you are using within that browser?
â SecurityDoctor
Aug 23 at 18:47
 |Â
show 1 more comment
2 Answers
2
active
oldest
votes
up vote
9
down vote
accepted
I agree with Steffen, this sounds like malvertising as the most likely cause, with a less likely option being compromise of the visited site with embedded redirects.
Running ad-blockers and script-blockers is effective against most malvertising, but can negatively affect your browsing experience.
Sometimes malvertising is targeted at only certain browsers. I used to have a site I visited regularly that suffered from frequent malvertising on the mobile version. Switching from Chrome to Opera solved that problem entirely. Ads still loaded (I wanted to support the site) but not the malicious redirects.
4
Yupe, browser user-agent, geoip make a different. Some malvertisement only pop up when using mobile device user agent.
â mootmoot
Aug 23 at 16:02
That's very interesting. I've never heard of malvertising before this. I would have imagined that this was more common, and I would be made aware of this issue by now. As you say, mayhaps, this malvertising is careful and manifests rarely and for my region in a particular way.
â Gleno
Aug 24 at 10:40
There is an entire ecosystem with targeting algorithms and automated bidding going on in the background when you are served an advert online. Attackers are able to compromise this process (either by hacking or simply paying) to effectively run their scripts on otherwise legitimate sites. Some ad networks are much worse than others as they are low margin operations that do little or no checking of their ads, or even tacitly take the money from malicious sources.
â Matt G
Aug 25 at 16:00
add a comment |Â
up vote
1
down vote
There's some malware out there that infects websites, but the code is triggered only randomly a fraction of the time.
The site can thus appear completely normal to most, and even yourself after a reload, but will still show the bad stuff once in a while. It may either display directly on the site, or provoke a redirect.
If you have control of the website you went to, check all php code for infection. It is usually quite obvious (a big bunch of base64 at the start of many of the files), sometimes a bit more difficult to find (it may be a single php file that is indirectly included in other pages).
If you don't have control of the website, you may try to alert the site owner, but unless you can pinpoint it quite precisely it may be difficult to get a good response.
Those sites usually end up blocked by malware detectors, including Google, Safari, Chrome, etc. but it may take a while as the scanner needs to stumble on the infected version of the page.
I will try and figure out what the original site was, and try and get in touch with the owner to see if there's a possible infection. I think it was a personal blog, so you are likely on to something. However I'm not entirely convinced, because this has happened on three occasions and the MO is exactly the same. The target sites feel the same, and either there's a rampant infection or there's some kind of issue on my end.
â Gleno
Aug 24 at 10:44
That kind of malware spreads via automated tools that scan for vulnerable hosts and automatically infect all the files they can. There are probably millions of sites infected like that, and itâÂÂs quite often the same perpetrators, using those hosts for the currently most valuable attacks. Some use them to send spam, others to mine cryptocurrency, others to install malware on userâÂÂs computers, etc, but you will only see those that have a visible effect for visitors, and those doing that are usually not very original. Cut and paste is the favorite tool of the script kiddie.
â jcaron
Aug 24 at 15:21
add a comment |Â
2 Answers
2
active
oldest
votes
2 Answers
2
active
oldest
votes
active
oldest
votes
active
oldest
votes
up vote
9
down vote
accepted
I agree with Steffen, this sounds like malvertising as the most likely cause, with a less likely option being compromise of the visited site with embedded redirects.
Running ad-blockers and script-blockers is effective against most malvertising, but can negatively affect your browsing experience.
Sometimes malvertising is targeted at only certain browsers. I used to have a site I visited regularly that suffered from frequent malvertising on the mobile version. Switching from Chrome to Opera solved that problem entirely. Ads still loaded (I wanted to support the site) but not the malicious redirects.
4
Yupe, browser user-agent, geoip make a different. Some malvertisement only pop up when using mobile device user agent.
â mootmoot
Aug 23 at 16:02
That's very interesting. I've never heard of malvertising before this. I would have imagined that this was more common, and I would be made aware of this issue by now. As you say, mayhaps, this malvertising is careful and manifests rarely and for my region in a particular way.
â Gleno
Aug 24 at 10:40
There is an entire ecosystem with targeting algorithms and automated bidding going on in the background when you are served an advert online. Attackers are able to compromise this process (either by hacking or simply paying) to effectively run their scripts on otherwise legitimate sites. Some ad networks are much worse than others as they are low margin operations that do little or no checking of their ads, or even tacitly take the money from malicious sources.
â Matt G
Aug 25 at 16:00
add a comment |Â
up vote
9
down vote
accepted
I agree with Steffen, this sounds like malvertising as the most likely cause, with a less likely option being compromise of the visited site with embedded redirects.
Running ad-blockers and script-blockers is effective against most malvertising, but can negatively affect your browsing experience.
Sometimes malvertising is targeted at only certain browsers. I used to have a site I visited regularly that suffered from frequent malvertising on the mobile version. Switching from Chrome to Opera solved that problem entirely. Ads still loaded (I wanted to support the site) but not the malicious redirects.
4
Yupe, browser user-agent, geoip make a different. Some malvertisement only pop up when using mobile device user agent.
â mootmoot
Aug 23 at 16:02
That's very interesting. I've never heard of malvertising before this. I would have imagined that this was more common, and I would be made aware of this issue by now. As you say, mayhaps, this malvertising is careful and manifests rarely and for my region in a particular way.
â Gleno
Aug 24 at 10:40
There is an entire ecosystem with targeting algorithms and automated bidding going on in the background when you are served an advert online. Attackers are able to compromise this process (either by hacking or simply paying) to effectively run their scripts on otherwise legitimate sites. Some ad networks are much worse than others as they are low margin operations that do little or no checking of their ads, or even tacitly take the money from malicious sources.
â Matt G
Aug 25 at 16:00
add a comment |Â
up vote
9
down vote
accepted
up vote
9
down vote
accepted
I agree with Steffen, this sounds like malvertising as the most likely cause, with a less likely option being compromise of the visited site with embedded redirects.
Running ad-blockers and script-blockers is effective against most malvertising, but can negatively affect your browsing experience.
Sometimes malvertising is targeted at only certain browsers. I used to have a site I visited regularly that suffered from frequent malvertising on the mobile version. Switching from Chrome to Opera solved that problem entirely. Ads still loaded (I wanted to support the site) but not the malicious redirects.
I agree with Steffen, this sounds like malvertising as the most likely cause, with a less likely option being compromise of the visited site with embedded redirects.
Running ad-blockers and script-blockers is effective against most malvertising, but can negatively affect your browsing experience.
Sometimes malvertising is targeted at only certain browsers. I used to have a site I visited regularly that suffered from frequent malvertising on the mobile version. Switching from Chrome to Opera solved that problem entirely. Ads still loaded (I wanted to support the site) but not the malicious redirects.
answered Aug 23 at 14:35
Matt G
1444
1444
4
Yupe, browser user-agent, geoip make a different. Some malvertisement only pop up when using mobile device user agent.
â mootmoot
Aug 23 at 16:02
That's very interesting. I've never heard of malvertising before this. I would have imagined that this was more common, and I would be made aware of this issue by now. As you say, mayhaps, this malvertising is careful and manifests rarely and for my region in a particular way.
â Gleno
Aug 24 at 10:40
There is an entire ecosystem with targeting algorithms and automated bidding going on in the background when you are served an advert online. Attackers are able to compromise this process (either by hacking or simply paying) to effectively run their scripts on otherwise legitimate sites. Some ad networks are much worse than others as they are low margin operations that do little or no checking of their ads, or even tacitly take the money from malicious sources.
â Matt G
Aug 25 at 16:00
add a comment |Â
4
Yupe, browser user-agent, geoip make a different. Some malvertisement only pop up when using mobile device user agent.
â mootmoot
Aug 23 at 16:02
That's very interesting. I've never heard of malvertising before this. I would have imagined that this was more common, and I would be made aware of this issue by now. As you say, mayhaps, this malvertising is careful and manifests rarely and for my region in a particular way.
â Gleno
Aug 24 at 10:40
There is an entire ecosystem with targeting algorithms and automated bidding going on in the background when you are served an advert online. Attackers are able to compromise this process (either by hacking or simply paying) to effectively run their scripts on otherwise legitimate sites. Some ad networks are much worse than others as they are low margin operations that do little or no checking of their ads, or even tacitly take the money from malicious sources.
â Matt G
Aug 25 at 16:00
4
4
Yupe, browser user-agent, geoip make a different. Some malvertisement only pop up when using mobile device user agent.
â mootmoot
Aug 23 at 16:02
Yupe, browser user-agent, geoip make a different. Some malvertisement only pop up when using mobile device user agent.
â mootmoot
Aug 23 at 16:02
That's very interesting. I've never heard of malvertising before this. I would have imagined that this was more common, and I would be made aware of this issue by now. As you say, mayhaps, this malvertising is careful and manifests rarely and for my region in a particular way.
â Gleno
Aug 24 at 10:40
That's very interesting. I've never heard of malvertising before this. I would have imagined that this was more common, and I would be made aware of this issue by now. As you say, mayhaps, this malvertising is careful and manifests rarely and for my region in a particular way.
â Gleno
Aug 24 at 10:40
There is an entire ecosystem with targeting algorithms and automated bidding going on in the background when you are served an advert online. Attackers are able to compromise this process (either by hacking or simply paying) to effectively run their scripts on otherwise legitimate sites. Some ad networks are much worse than others as they are low margin operations that do little or no checking of their ads, or even tacitly take the money from malicious sources.
â Matt G
Aug 25 at 16:00
There is an entire ecosystem with targeting algorithms and automated bidding going on in the background when you are served an advert online. Attackers are able to compromise this process (either by hacking or simply paying) to effectively run their scripts on otherwise legitimate sites. Some ad networks are much worse than others as they are low margin operations that do little or no checking of their ads, or even tacitly take the money from malicious sources.
â Matt G
Aug 25 at 16:00
add a comment |Â
up vote
1
down vote
There's some malware out there that infects websites, but the code is triggered only randomly a fraction of the time.
The site can thus appear completely normal to most, and even yourself after a reload, but will still show the bad stuff once in a while. It may either display directly on the site, or provoke a redirect.
If you have control of the website you went to, check all php code for infection. It is usually quite obvious (a big bunch of base64 at the start of many of the files), sometimes a bit more difficult to find (it may be a single php file that is indirectly included in other pages).
If you don't have control of the website, you may try to alert the site owner, but unless you can pinpoint it quite precisely it may be difficult to get a good response.
Those sites usually end up blocked by malware detectors, including Google, Safari, Chrome, etc. but it may take a while as the scanner needs to stumble on the infected version of the page.
I will try and figure out what the original site was, and try and get in touch with the owner to see if there's a possible infection. I think it was a personal blog, so you are likely on to something. However I'm not entirely convinced, because this has happened on three occasions and the MO is exactly the same. The target sites feel the same, and either there's a rampant infection or there's some kind of issue on my end.
â Gleno
Aug 24 at 10:44
That kind of malware spreads via automated tools that scan for vulnerable hosts and automatically infect all the files they can. There are probably millions of sites infected like that, and itâÂÂs quite often the same perpetrators, using those hosts for the currently most valuable attacks. Some use them to send spam, others to mine cryptocurrency, others to install malware on userâÂÂs computers, etc, but you will only see those that have a visible effect for visitors, and those doing that are usually not very original. Cut and paste is the favorite tool of the script kiddie.
â jcaron
Aug 24 at 15:21
add a comment |Â
up vote
1
down vote
There's some malware out there that infects websites, but the code is triggered only randomly a fraction of the time.
The site can thus appear completely normal to most, and even yourself after a reload, but will still show the bad stuff once in a while. It may either display directly on the site, or provoke a redirect.
If you have control of the website you went to, check all php code for infection. It is usually quite obvious (a big bunch of base64 at the start of many of the files), sometimes a bit more difficult to find (it may be a single php file that is indirectly included in other pages).
If you don't have control of the website, you may try to alert the site owner, but unless you can pinpoint it quite precisely it may be difficult to get a good response.
Those sites usually end up blocked by malware detectors, including Google, Safari, Chrome, etc. but it may take a while as the scanner needs to stumble on the infected version of the page.
I will try and figure out what the original site was, and try and get in touch with the owner to see if there's a possible infection. I think it was a personal blog, so you are likely on to something. However I'm not entirely convinced, because this has happened on three occasions and the MO is exactly the same. The target sites feel the same, and either there's a rampant infection or there's some kind of issue on my end.
â Gleno
Aug 24 at 10:44
That kind of malware spreads via automated tools that scan for vulnerable hosts and automatically infect all the files they can. There are probably millions of sites infected like that, and itâÂÂs quite often the same perpetrators, using those hosts for the currently most valuable attacks. Some use them to send spam, others to mine cryptocurrency, others to install malware on userâÂÂs computers, etc, but you will only see those that have a visible effect for visitors, and those doing that are usually not very original. Cut and paste is the favorite tool of the script kiddie.
â jcaron
Aug 24 at 15:21
add a comment |Â
up vote
1
down vote
up vote
1
down vote
There's some malware out there that infects websites, but the code is triggered only randomly a fraction of the time.
The site can thus appear completely normal to most, and even yourself after a reload, but will still show the bad stuff once in a while. It may either display directly on the site, or provoke a redirect.
If you have control of the website you went to, check all php code for infection. It is usually quite obvious (a big bunch of base64 at the start of many of the files), sometimes a bit more difficult to find (it may be a single php file that is indirectly included in other pages).
If you don't have control of the website, you may try to alert the site owner, but unless you can pinpoint it quite precisely it may be difficult to get a good response.
Those sites usually end up blocked by malware detectors, including Google, Safari, Chrome, etc. but it may take a while as the scanner needs to stumble on the infected version of the page.
There's some malware out there that infects websites, but the code is triggered only randomly a fraction of the time.
The site can thus appear completely normal to most, and even yourself after a reload, but will still show the bad stuff once in a while. It may either display directly on the site, or provoke a redirect.
If you have control of the website you went to, check all php code for infection. It is usually quite obvious (a big bunch of base64 at the start of many of the files), sometimes a bit more difficult to find (it may be a single php file that is indirectly included in other pages).
If you don't have control of the website, you may try to alert the site owner, but unless you can pinpoint it quite precisely it may be difficult to get a good response.
Those sites usually end up blocked by malware detectors, including Google, Safari, Chrome, etc. but it may take a while as the scanner needs to stumble on the infected version of the page.
edited Aug 24 at 0:20
answered Aug 23 at 16:34
jcaron
44029
44029
I will try and figure out what the original site was, and try and get in touch with the owner to see if there's a possible infection. I think it was a personal blog, so you are likely on to something. However I'm not entirely convinced, because this has happened on three occasions and the MO is exactly the same. The target sites feel the same, and either there's a rampant infection or there's some kind of issue on my end.
â Gleno
Aug 24 at 10:44
That kind of malware spreads via automated tools that scan for vulnerable hosts and automatically infect all the files they can. There are probably millions of sites infected like that, and itâÂÂs quite often the same perpetrators, using those hosts for the currently most valuable attacks. Some use them to send spam, others to mine cryptocurrency, others to install malware on userâÂÂs computers, etc, but you will only see those that have a visible effect for visitors, and those doing that are usually not very original. Cut and paste is the favorite tool of the script kiddie.
â jcaron
Aug 24 at 15:21
add a comment |Â
I will try and figure out what the original site was, and try and get in touch with the owner to see if there's a possible infection. I think it was a personal blog, so you are likely on to something. However I'm not entirely convinced, because this has happened on three occasions and the MO is exactly the same. The target sites feel the same, and either there's a rampant infection or there's some kind of issue on my end.
â Gleno
Aug 24 at 10:44
That kind of malware spreads via automated tools that scan for vulnerable hosts and automatically infect all the files they can. There are probably millions of sites infected like that, and itâÂÂs quite often the same perpetrators, using those hosts for the currently most valuable attacks. Some use them to send spam, others to mine cryptocurrency, others to install malware on userâÂÂs computers, etc, but you will only see those that have a visible effect for visitors, and those doing that are usually not very original. Cut and paste is the favorite tool of the script kiddie.
â jcaron
Aug 24 at 15:21
I will try and figure out what the original site was, and try and get in touch with the owner to see if there's a possible infection. I think it was a personal blog, so you are likely on to something. However I'm not entirely convinced, because this has happened on three occasions and the MO is exactly the same. The target sites feel the same, and either there's a rampant infection or there's some kind of issue on my end.
â Gleno
Aug 24 at 10:44
I will try and figure out what the original site was, and try and get in touch with the owner to see if there's a possible infection. I think it was a personal blog, so you are likely on to something. However I'm not entirely convinced, because this has happened on three occasions and the MO is exactly the same. The target sites feel the same, and either there's a rampant infection or there's some kind of issue on my end.
â Gleno
Aug 24 at 10:44
That kind of malware spreads via automated tools that scan for vulnerable hosts and automatically infect all the files they can. There are probably millions of sites infected like that, and itâÂÂs quite often the same perpetrators, using those hosts for the currently most valuable attacks. Some use them to send spam, others to mine cryptocurrency, others to install malware on userâÂÂs computers, etc, but you will only see those that have a visible effect for visitors, and those doing that are usually not very original. Cut and paste is the favorite tool of the script kiddie.
â jcaron
Aug 24 at 15:21
That kind of malware spreads via automated tools that scan for vulnerable hosts and automatically infect all the files they can. There are probably millions of sites infected like that, and itâÂÂs quite often the same perpetrators, using those hosts for the currently most valuable attacks. Some use them to send spam, others to mine cryptocurrency, others to install malware on userâÂÂs computers, etc, but you will only see those that have a visible effect for visitors, and those doing that are usually not very original. Cut and paste is the favorite tool of the script kiddie.
â jcaron
Aug 24 at 15:21
add a comment |Â
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f192182%2fstrange-problem-dns-cache-poisoning%23new-answer', 'question_page');
);
Post as a guest
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
13
Based on your description this might also be malvertising: attackers claim to delivers ads and pay for these but instead of the ads they deliver selected users malware, scareware or try phishing. There does not need to any infection on your system or in your network for this, no DNS spoofing involved etc. Of course, it might also be that the site you visit was hacked, which often also is not that obvious when only selected users get attacked from the site. Antivirus have a hard time to catch up to these kind of more stealth attacks.
â Steffen Ullrich
Aug 23 at 14:12
Seems like there is not quite enough info in your question to give a good answer. Can you be more specific about exactly what website (rather then just "some website") and what domain (rather than just "some garbage domain")? Also, what ISPs were you using and what country are you in?
â hft
Aug 23 at 15:12
when I open some website
: this is an indication that the say website is hosting some script that load the same stuff.â mootmoot
Aug 23 at 15:54
try using incognito/private browsing with a web proxy routing traffic from different country and visit same site to find out.
â Krishna Pandey
Aug 23 at 16:34
Please describe to the group what browser you are experiencing this issue with and what if any extensions you are using within that browser?
â SecurityDoctor
Aug 23 at 18:47