Advice needed on possible virus
glowgirl_2
Posts: 4,591 Forumite
in Techie Stuff
As a regular on the comps board some of us are having a problem with a possible virus attack, if anyone has the time could they glance over the thread below and give us some advice/opinions - thank you :)
https://forums.moneysavingexpert.com/discussion/comment/47373449#Comment_47373449
Thank you for this site Martin
The time for change has come
Good luck for the future
0
Comments
-
havin a scan now
......Gettin' There, Wherever There is......
I have a dodgy "i" key, so ignore spelling errors due to "i" issues, ...I blame Apple
0 -
It seems like the most likely cause is the way the page has been programmed and the way it interacts with cookies, not necessarily anything malicious. By the look of it, you've taken sensible precautions so should be ok
......Gettin' There, Wherever There is......
I have a dodgy "i" key, so ignore spelling errors due to "i" issues, ...I blame Apple
0 -
There is something about how the page is made that makes it hard to run through scanners e.g. virustotal.com, wepawet, etc but overall I doubt there's anything malicious about it.
URLVoid (which checks multiple 'site reputation' sources) lists the site as clean, but that's not direct evidence.
VScan (a website virus scanner) had trouble actually scanning the page, same as VirusTotal.com which is much the same.
Wepawet (a website and Javascript analyser) was able to run the third time I tried it, and found no exploits: http://wepawet.iseclab.org/view.php?hash=b73d28f2b0334c43cd29b6be1d02aeb9&t=1317601704&type=js
Looking at the HTML code itself, there aren't any obvious cross-site request forgeries using HTML methods. I'd be looking for something like:
From: http://www.cgisecurity.com/csrf-faq.html
it could also be <script src="http:// or <img src="http://
OTOH if there was a CSRF using a Javascript method, then I wouldn't be able to spot them as it's beyond me - but Wepawet didn't find any problems with the Javascript.
I put it through a sandbox analyser (Malbox) and no malicious files were downloaded or dodgy sites accessed. No obvious targets for a CSRF in the domains accessed, although I didn't go as far as handchecking every IP address.
These are the domains and IP addresses accessed, looks like just the usual affiliates, social media, and adservers.
So in conclusion: I can't find any problems with the site, and neither can any of the website analysis tools. I'd suggest anyone getting the CSRF warning to find the help forum associated with their antivirus program and ask why they get the warning.
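The manual HTML check described in the post above can be partly automated. The following is an added example, not part of the original posts or of any tool named in the thread: it lists the elements on a page that make the browser send a request to another host and singles out those carrying query parameters for a human to read. The function names, the sample page and the example.* hosts are constructed for illustration, and like the manual check it only sees static HTML, not requests issued by JavaScript.

```python
from html.parser import HTMLParser
from urllib.parse import parse_qs, urljoin, urlparse

# Tags whose URL attribute the browser fetches (or submits a form to).
URL_ATTRS = {"img": "src", "script": "src", "iframe": "src",
             "link": "href", "form": "action"}

class CrossSiteRequestFinder(HTMLParser):
    """Collect elements on a page that send requests to other hosts."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.page_host = urlparse(page_url).hostname
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attr = URL_ATTRS.get(tag)
        value = dict(attrs).get(attr) if attr else None
        if not value:
            return
        url = urlparse(urljoin(self.page_url, value))  # resolve relative URLs
        if url.scheme not in ("http", "https") or url.hostname == self.page_host:
            return  # same-site or non-HTTP reference: not a cross-site request
        # Parameters on an automatically loaded resource may carry an action
        # rather than just name a file, so record them for review.
        params = sorted(parse_qs(url.query, keep_blank_values=True))
        self.findings.append({"tag": tag, "host": url.hostname, "path": url.path,
                              "params": params, "line": self.getpos()[0]})

def find_cross_site_requests(html, page_url):
    finder = CrossSiteRequestFinder(page_url)
    finder.feed(html)
    finder.close()
    return finder.findings

def needs_manual_review(findings):
    """Off-site requests that carry parameters, for a human to read."""
    return [f for f in findings if f["params"]]

# Constructed sample page (not the page discussed in the thread).
SAMPLE = """<html><body>
<img src="/static/logo.png">
<script src="http://stats.example.net/counter.js"></script>
<img src="http://shop.example.org/basket?action=add&amp;item=42" width="1" height="1">
<form action="http://shop.example.org/settings" method="post"></form>
</body></html>"""

if __name__ == "__main__":
    for f in needs_manual_review(find_cross_site_requests(SAMPLE, "http://www.example.com/comp")):
        print(f)
```

An empty review list does not clear a page, since script-generated requests are out of scope here; it only narrows what has to be read by hand.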
Thanks for the replies everyone especially RussJK :T for the huge effort, I'll post this thread on the comps board for everyone.
This discussion has been closed.
