
Advice needed on possible virus

As a regular on the comps board some of us are having a problem with a possible virus attack, if anyone has the time could they glance over the thread below and give us some advice/opinions - thank you :)

https://forums.moneysavingexpert.com/discussion/comment/47373449#Comment_47373449
Thank you for this site Martin
The time for change has come
Good luck for the future

Comments

  • GunJack
    GunJack Posts: 11,947 Forumite
    havin a scan now :)
    ......Gettin' There, Wherever There is......

    I have a dodgy "i" key, so ignore spelling errors due to "i" issues, ...I blame Apple :D
  • GunJack
    GunJack Posts: 11,947 Forumite
    it seems like the most likely cause is the way the page has been programmed and the way it interacts with cookies, not necessarily anything malicious. By the look of it, you've taken sensible precautions so should be ok :)
  • RussJK
    RussJK Posts: 2,359 Forumite
    edited 3 October 2011 at 12:34AM
    There is something about how the page is made that makes it hard to run through scanners e.g. virustotal.com, wepawet, etc but overall I doubt there's anything malicious about it.

    URLVoid (which checks multiple 'site reputation' sources) lists the site as clean, but that's not direct evidence.

    VScan (a website virus scanner) had trouble actually scanning the page, same as VirusTotal.com which is much the same.

    Wepawet (a website and Javascript analyser) was able to run the third time I tried it, and found no exploits: http://wepawet.iseclab.org/view.php?hash=b73d28f2b0334c43cd29b6be1d02aeb9&t=1317601704&type=js

    Looking at the HTML code itself, there aren't any obvious cross-site request forgeries using HTML methods. I'd be looking for something like:
    From: http://www.cgisecurity.com/csrf-faq.html
    it could also be <script src="http:// or <img src="http://

    OTOH if there was a CSRF using a Javascript method, then I wouldn't be able to spot them as it's beyond me - but Wepawet didn't find any problems with the Javascript.

    I put it through a sandbox analyser (Malbox) and no malicious files were downloaded or dodgy sites accessed. No obvious targets for a CSRF in the domains accessed, although I didn't go as far as handchecking every IP address.

    These are the domains and IP addresses accessed, looks like just the usual affiliates, social media, and adservers:

    So in conclusion: I can't find any problems with the site, and neither can any of the website analysis tools. I'd suggest anyone getting the CSRF warning to find the help forum associated with their antivirus program and ask why they get the warning.
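
The manual check described in the post above (reading the HTML for off-site `<img src=` / `<script src=` requests) can be run over a saved copy of a page. This is an added example, not part of the original thread; the sample page and all host names in it are constructed placeholders.

```python
from collections import defaultdict
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tags whose URL attribute the browser fetches on load, with no click needed.
AUTO_FETCH = {"img": "src", "script": "src", "iframe": "src", "link": "href"}


class CrossOriginAudit(HTMLParser):
    """Static HTML only: requests built by JavaScript need a dynamic analyser."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.page_host = urlsplit(page_url).hostname
        self.findings = defaultdict(list)  # host -> [(tag, url, note)]

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            url = attrs.get("action")
            is_post = (attrs.get("method") or "get").lower() == "post"
            note = "cross-site POST form" if is_post else "cross-site GET form"
        else:  # tags outside AUTO_FETCH yield url=None and are skipped below
            url, note = attrs.get(AUTO_FETCH.get(tag, "")), "auto-fetched"
        if not url:
            return
        full = urljoin(self.page_url, url)
        parts = urlsplit(full)
        if parts.scheme not in ("http", "https") or parts.hostname == self.page_host:
            return  # same-site or non-HTTP (data:, javascript:) is out of scope here
        if parts.query and tag != "form":
            note = "auto-fetched with parameters"  # read these by hand
        self.findings[parts.hostname].append((tag, full, note))


def audit(html, page_url):
    parser = CrossOriginAudit(page_url)
    parser.feed(html)
    return dict(parser.findings)


# Constructed sample page; all hosts are placeholders, not from the thread.
SAMPLE = """<html><body>
<img src="/logo.png">
<script src="http://stats.example.net/t.js"></script>
<img src="http://shop.example.org/basket?add=42" width="0" height="0">
<form action="http://shop.example.org/account/email" method="POST"></form>
</body></html>"""

if __name__ == "__main__":
    for host, hits in audit(SAMPLE, "http://competitions.example.com/enter").items():
        print(host, hits)
```

A clean result here says nothing about requests assembled at run time by script, which is the gap the post leaves to Wepawet and the sandbox run.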
  • glowgirl_2
    glowgirl_2 Posts: 4,591 Forumite
    Thanks for the replies everyone especially RussJK:T for the huge effort, I'll post this thread on the comps board for everyone.
This discussion has been closed.