
Something is wrong after I press post on ATS


posted on Nov, 10 2014 @ 09:46 AM
Twice now over the past few days my browser has been taken to a site trying to download a virus to my machine by pretending to be an update for my Flash player, after I pressed the post/edit button when replying to a thread.

I just mentioned it in the thread I was posting to the first time, but it has happened again just a few seconds ago.

Being a security freak, today I am using a VPN that gives me a French IP address, and my browser got sent to
hxxp://www.yuntaishan9.com/flash/fr/index.html?sid=618&dv1=ad611-fr&kw1=ad611-fr-ln&uuid=026e485d-d0c6-4514-5bd5-8739afe7e4ba

Sorry, I was not running a proxy server at the time, else I could have worked out from the HTTP request where this was coming from, but I would suspect the adverts on ATS are being sub-let and are most likely responsible.

Please don't give me the usual fob-off about my machine being infected or the VPN doing something strange, and let's deal with the problem please, Bill.

I don't know how the IFrame scripts are getting .top from the DOM of the page without leaving a trace, but keep an eye on who the frames are being sub-let to, which is not easy when often the space for the advert is assigned to a winning bidder, so it could be anyone out of hundreds.

Has anyone else seen this today?



posted on Nov, 10 2014 @ 09:56 AM
I had some luck since I did not close the virus page down, so I started my local proxy server to capture the request and pressed refresh to get the page details as shown below. The guilty party is "http://fra1.ib.adnxs.com" and you can see that it is connected to ATS because it's been added to the end of a very long URL.

Mods, please delete the details below and send them to Bill.

GET /flash/fr/index.html?sid=618&dv1=ad611-fr&kw1=ad611-fr-ln&uuid=026e485d-d0c6-4514-5bd5-8739afe7e4ba HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Referer: fra1.ib.adnxs.com... kBJA4BNIAlDzguAJWMfeF2AAaMsPcAB4spUDgAEBigEDVVNEkgUG8NyYAdgFoAFaqAEAsAEAuAECwAEFyAEA0AEA2AEA4AEA6gGmAmh0dHA6Ly9mcmExLmliLmFkbnhzLmNvbS9jbGljaz9RQUVLVU lBQ2xEOFFnUWhFSUFLUlAwb01BaXVIRnY4X0VJRUlSQ0FDa1Q5QUFRcFFnQUtVUDdZOW0wWEJCQmtOQXZXQVk3VnpNeHcwMkdCVUFBQUFBSGtETkFESEJBQUFWd01BQUFJQUFBQXRNVDhCVVhZSEFB QUFBUUJWVTBRQVZWTkVBTmdDV2dBM2tRQUEwZG9EQVFVQUFRQQE0GEFlUnJselEFC7guL2NuZD0lMjFUUWZoUkFqOXROc0NFSzNpX0FrWTBld2RJQUEuL3JlZmVycmVyPQH5aCUzQSUyRiUyRnd3dy 5hYm92ZXRvcHNlY3JldDkE0GVuYz3wAQCKAld1ZignYScsIDM5Njk4OSwgMTQxNTYzMjk0OCk7dWYoJ2MnLCA1Njg0MjY3Rh0ALHInLCAyMDQ0NzYwMzYeAPCKkgKdASFBU2p2M3dpci1Ob0NFUE9D NEFrWUFDREgzaGN3QkRnQVFBQkk0Qk5RejhiakFWZ0FZTUlCYUFCd0JIamtBb0FCQklnQjVBS1FBUUdZQVFHZ0FSS29BUU93QVFDNUFiZ2VoZXRSdUo0X3dRRzRIb1hyVWJpZVA4a0Jjb3dHeFV3S0 EwRFpBUSVJaEFBUEFfNEFFQTlRSE56TXc5mgIdITZnYS1RUTagAAx4OTRYIVUs2ALuCOACl8oN6gIdIVcIOi8vVlEBdIADAIgDAZADAJgDAKADAaoDALADALgDAMADAMgDAA..&dlo=1&referrer= http%3A%2F%2Fwww.abovetopsecret.com
Accept-Language: en-GB
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; WOW64; Trident/6.0)
Accept-Encoding: gzip, deflate
Connection: Keep-Alive
If-Modified-Since: Thu, 30 Oct 2014 11:42:51 GMT
Host: www.yuntaishan9.com
Pragma: no-cache
Cookie: __cfduid=d2731cd8325ac91c08e7db094174816751415632949663; AWSELB=8DDF1FEF0856FA42F0DA1C5BF7FA7515B4C2EA40D657F7D4CC3E2394EFE1D6704BB54CA0882DE26397296B0C434D2C0FF176A76453A8147072FFB2F088DA4B9BCD722E2F6C; __clk_993d22a3ad55d8fda8b5d277240f07e1=1



posted on Nov, 10 2014 @ 11:10 AM
I have a problem with something wrong after I post something too. Usually I need to edit it to correct something I screwed up on.

Oh sorry, I guess my grammar problems are different than what you are experiencing.
edit on 10-11-2014 by rickymouse because: (no reason given)




posted on Nov, 10 2014 @ 02:53 PM
a reply to: VirusGuard

It's a virus. Info on how to remove it is below and online elsewhere.

Remove Fra1.ib.adnxs.com pop-up ads (Virus Removal Guide)
malwaretips.com/blogs/fra1-ib-adnxs-com-removal/



posted on Nov, 10 2014 @ 03:24 PM
a reply to: mysterioustranger
Yes, I am sure if you were fooled into running the setup.exe they want you to download then you would have a virus alright, but Bill needs to deal with how people are being directed to download the virus in the first place, and the details I posted should give him all the information he needs.

I think the link you gave is for people who have already got the virus, to help them remove it, so it seems like it must be a very common one. I will see if I can get someone to take the site down to stop them, so thanks for the help.

Many of these types of viruses won't damage your machine too much but are used to fake-click adverts so that the ad servers get some revenue from the poor old customer, and ATS certainly would not want to be associated with any of that.
edit on 10-11-2014 by VirusGuard because: (no reason given)



posted on Nov, 10 2014 @ 03:41 PM
HAHA VirusGuard gets a virus surfing ATS. That's rich!
hehehe



posted on Nov, 10 2014 @ 04:45 PM
a reply to: Rosinitiate
No, I just got the redirect to the download page, but even if I had clicked it the .exe would have been blocked by my router and proxy server if it was running.

What I do when I catch them is switch the safeguards off, download the .exe and then use a program to search the .exe file for any URLs, which you always find, and then I go after these servers, hence doing everyone a service.

Using Whois I also contact whoever hosts the sites in the chain, plus the DNS servers that host the domain, and get them closed down too.

This one seems to go back to "AppNexus", who have been asked to contact me because it is not always their fault, unless I happen to find URLs in the .exe that also link back to them.

If you are feeling brave then download the Setup.exe yourself (WHATEVER YOU DO DON'T CLICK RUN), save the file, rename it to "Setup.exe.txt", open it in Notepad and do a search for "HTTP://".

I will bet you that you will see who is behind this virus, or just about any other if you ever find one.

What happens when you see an advert is that the ad is displayed in an iframe, but the advert does not come from the owner of the frame; it is sub-let out to the highest bidder, who pays the highest bid to produce an advert for your IP address, and all this electronic bidding happens behind the scenes in a split second.

The ad servers just happen to sub-let to bad tenants now and then, and this is why it's often not their fault, and you should understand this if you ever try to track them down.
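
The "rename it to .txt and search for HTTP://" step in the post above amounts to a strings search over the downloaded file. As an added example (not from this thread and not from any tool mentioned in it), the Python below does the same scan offline without ever executing the file, and goes one step further than a Notepad search by also catching URLs stored as UTF-16LE, the wide-character form common in Windows binaries and invisible to a plain-text search. The sample bytes and the example.invalid hosts are constructed for the demonstration; point scan_file at a real saved download to get the hosts worth reporting to the hoster or blocking at the router.

```python
import re
from urllib.parse import urlsplit

# Constructed sample: junk bytes with one ASCII URL and one UTF-16LE URL embedded,
# standing in for a saved installer. Not a real file from the thread.
SAMPLE_BLOB = (
    b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"
    + b"http://update.example.invalid/flash/setup.exe\x00\x01\x02"
    + "https://click.example.invalid/c?id=1".encode("utf-16-le")
    + b"\x00\x00\xde\xad\xbe\xef"
)

URL_CHARS = rb"[A-Za-z0-9\-._~:/?#\[\]@!$&'()*+,;=%]"
# Plain 8-bit URL, the form a Notepad search for "HTTP://" finds.
ASCII_URL = re.compile(rb"https?://" + URL_CHARS + rb"+", re.IGNORECASE)
# The same URL in UTF-16LE: every character is followed by a NUL byte, so a
# text search for "http://" never matches it.
WIDE_URL = re.compile(
    rb"h\x00t\x00t\x00p\x00(?:s\x00)?:\x00/\x00/\x00(?:" + URL_CHARS + rb"\x00)+",
    re.IGNORECASE,
)


def extract_urls(blob: bytes) -> list[str]:
    """Return every URL-looking string in blob (ASCII or UTF-16LE), de-duplicated and sorted."""
    found = {m.group().decode("ascii", "replace") for m in ASCII_URL.finditer(blob)}
    found |= {m.group().decode("utf-16-le", "replace") for m in WIDE_URL.finditer(blob)}
    return sorted(found)


def hosts(urls) -> list[str]:
    """Hostnames referenced by the URLs: the servers to report to a hoster or block at the router."""
    return sorted({urlsplit(u).hostname for u in urls if urlsplit(u).hostname})


def scan_file(path: str) -> list[str]:
    """Read a saved download as raw bytes, never executing it, and list the URLs inside."""
    with open(path, "rb") as fh:
        return extract_urls(fh.read())


if __name__ == "__main__":
    urls = extract_urls(SAMPLE_BLOB)
    print("\n".join(urls))
    print("hosts:", hosts(urls))
```

The two-label hostnames are left as they are, so a chain of sub-domains (like the fra1.ib.adnxs.com seen in this thread) shows up in full and can be traced upward with Whois.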



posted on Nov, 10 2014 @ 04:52 PM
I also have the same issue; it redirects to something saying I need to install Flash?

What is it, ATS?



posted on Nov, 10 2014 @ 05:16 PM
a reply to: Walsh
It's not Flash, that's for sure!

I just contacted Adobe to enlist their help in getting the site taken down, as they have more bite than me.



posted on Nov, 10 2014 @ 05:59 PM
We're not running any ads from AppNexus at the time… which would be the source of the problem.

This is most likely another case of ad-injection from an ISP.



posted on Nov, 10 2014 @ 08:01 PM
a reply to: VirusGuard

Just a point here:

Think of all the hundreds of thousands of members and others reading and contributing to ATS...and all the different makes, models, types of devices they use, download and upload with. And consider all the settings...all different, browsers, firewalls, security and privacy settings, anti-malware and virus programs, software, applications....you name it!

I can see why there would be some issues for some people...sometimes on some devices, servers, settings and locations! It's inevitable, though I believe much of it is unintentional...just a side-effect of all the stuff we use and agree to. Even if we weren't aware that we did!

Good luck to us all......



posted on Nov, 10 2014 @ 11:04 PM
a reply to: mysterioustranger

Exceptionally well put.



posted on Nov, 11 2014 @ 04:45 AM
a reply to: SkepticOverlord
You are right, ISPs can inject into any web page, but not in this case, because I was using a VPN from CyberGhost so the ISP can only see encrypted data, and unless the other guy here was also using CyberGhost then I just cannot see it.



posted on Nov, 11 2014 @ 05:11 AM

originally posted by: mysterioustranger
a reply to: VirusGuard
Think of all the hundreds of thousands of members and others reading and contributing to ATS...and all the different makes, models, types of devices they use, download and upload with. And consider all the settings...all different, browsers, firewalls, security and privacy settings, anti-malware and virus programs, software, applications....you name it!


That's not half of it; we also have ISPs hijacking DNS lookups and plugins, so it's amazing that people like me manage to get anything working, but we do, and we can even see who the virus is calling, and in this case it is sf.symcb.com.

Sometimes we even install the virus in a sandbox and then see what adverts it is clicking, so we can contact the customer to let them know they are being ripped off by the ad servers with fake clicks from a virus.

We have quite a community working hard, not that many people would know.



posted on Nov, 11 2014 @ 07:08 PM
a reply to: Springer

Thanks very much sir! MS



posted on Nov, 11 2014 @ 09:47 PM
a reply to: SkepticOverlord
Anyone that does a quick Google to see if fra1.ib.adnxs.com is putting viruses on people's machines will see that they are.

fra1-ib-adnxs-com

fra1.ib.adnxs.com is a subdomain of adnxs.com, and unless my machine has little goblins inside it then this site is using adnxs.com, and here is the proof.

GET /mapuid?member=1471&user=8392647897195647 HTTP/1.1
Accept: image/png, image/svg+xml, image/*;q=0.8, */*;q=0.5
Referer: www.abovetopsecret.com...
Accept-Language: en-GB
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; WOW64; Trident/6.0)
Accept-Encoding: gzip, deflate
Host: ib.adnxs.com
Connection: Keep-Alive

I think other members here can also see that this ad server is being used, so I don't think you can keep it quiet.

Now before you answer that, look at my name! Does it not tell you something?

If you would like to PM then please do.
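
Both request captures in this thread (the fake Flash page request earlier and the mapuid request above) are read the same way: Host is where the browser ended up, Referer is who sent it there, and an ad-click redirector often carries the originating page in a referrer= query parameter. As an added example (not the poster's code and not an ATS tool), the Python below parses such raw captures, rebuilds the page -> ad server -> landing host chain, and lists the third-party sites involved, which is the same count the later "trackers" posts in this thread arrive at by hand. The captures are abridged reconstructions of the two quoted in the thread, with the long opaque Referer blob of the first one cut down to its referrer= parameter; the lure-word and uuid checks are heuristics chosen for the demonstration, not signatures.

```python
from urllib.parse import urlsplit, parse_qs

# The page the user was viewing (the first party); everything else is third party.
FIRST_PARTY = "www.abovetopsecret.com"

# Constructed, abridged captures modelled on the two requests quoted in this thread.
# Hosts and paths are as posted; the first request's long opaque Referer blob is
# reduced to the one parameter that matters here (referrer=...).
CAPTURES = [
    (
        "GET /flash/fr/index.html?sid=618&dv1=ad611-fr&kw1=ad611-fr-ln"
        "&uuid=026e485d-d0c6-4514-5bd5-8739afe7e4ba HTTP/1.1\r\n"
        "Accept: text/html, application/xhtml+xml, */*\r\n"
        "Referer: http://fra1.ib.adnxs.com/click?dlo=1"
        "&referrer=http%3A%2F%2Fwww.abovetopsecret.com\r\n"
        "Host: www.yuntaishan9.com\r\n"
        "Connection: Keep-Alive\r\n"
        "\r\n"
    ),
    (
        "GET /mapuid?member=1471&user=8392647897195647 HTTP/1.1\r\n"
        "Accept: image/png, image/svg+xml, image/*;q=0.8, */*;q=0.5\r\n"
        "Referer: http://www.abovetopsecret.com/\r\n"
        "Host: ib.adnxs.com\r\n"
        "Connection: Keep-Alive\r\n"
        "\r\n"
    ),
]

# Path fragments typical of fake "update" lures; a heuristic for triage, not a signature.
LURE_WORDS = ("flash", "java", "update", "setup")


def parse_request(raw: str) -> dict:
    """Split a raw HTTP/1.1 request into method, path, query dict and lower-cased headers."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    parts = urlsplit(target)
    return {"method": method, "path": parts.path,
            "query": parse_qs(parts.query), "headers": headers}


def site_of(host: str) -> str:
    """Collapse a hostname to its last two labels (adequate for .com-style names)."""
    return ".".join(host.lower().split(".")[-2:])


def analyse(raw: str, first_party: str = FIRST_PARTY) -> dict:
    """Rebuild the referral chain for one request and flag what looks like a lure."""
    req = parse_request(raw)
    host = req["headers"].get("host", "")
    referer = urlsplit(req["headers"].get("referer", ""))
    chain = []
    # Ad-click redirectors often carry the originating page in a referrer= parameter.
    embedded = parse_qs(referer.query).get("referrer")
    if embedded:
        origin = urlsplit(embedded[0]).hostname
        if origin:
            chain.append(origin)
    if referer.hostname and referer.hostname not in chain:
        chain.append(referer.hostname)
    chain.append(host)
    third_party = site_of(host) != site_of(first_party)
    flags = []
    if third_party and any(w in req["path"].lower() for w in LURE_WORDS):
        flags.append("third-party path looks like an update lure")
    if "uuid" in req["query"]:
        flags.append("per-visitor id in query")
    return {"chain": chain, "third_party": third_party, "flags": flags}


def third_party_sites(captures, first_party: str = FIRST_PARTY) -> list[str]:
    """Every site other than the first party that appears anywhere in the request chains."""
    sites = set()
    for raw in captures:
        for h in analyse(raw, first_party)["chain"]:
            if site_of(h) != site_of(first_party):
                sites.add(site_of(h))
    return sorted(sites)


if __name__ == "__main__":
    for raw in CAPTURES:
        r = analyse(raw)
        kind = "third party" if r["third_party"] else "first party"
        print(" -> ".join(r["chain"]), "|", kind, r["flags"])
    print("third-party sites seen:", third_party_sites(CAPTURES))
```

Feeding a proxy log's worth of requests into third_party_sites gives the list the "150 trackers" post describes; the analyse output for each request shows which of those sites actually sat in front of a lure page rather than merely serving an image or a cookie sync like the mapuid call.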



posted on Nov, 15 2014 @ 12:18 PM

originally posted by: VirusGuard
... fra1.ib.adnxs.com is a sub domain of adnxs.com and unless my machine has little goblins inside it then this site is using adnxs.com and here is the proof ...

It's easier to understand as a diagram: here's one I prepared earlier ...


www.abovetopsecret.com...

It looks more like adware than a virus, which is being delivered via the fake Java* and fake Flash updates.

[ * see my avatar ]

UPDATE: here's a graph from a few minutes ago ...

A new record: over one hundred third-party sites (including adnxs) connected to ATS within 5 minutes.
edit on 15-11-2014 by engvbany because: (no reason given)



posted on Nov, 17 2014 @ 06:58 AM
a reply to: engvbany


A new record: over one hundred third-party sites (including adnxs) connected to ATS within 5 minutes.

Yes I can confirm that the numbers are about that high.

I would bet money that the fake Flash virus clicks pay-per-click adverts, and the customer on the end of it will be getting the bill.

Adobe was contacted and it looks like they have done nothing about it, so this makes me feel very unsafe having Flash on my machine.



posted on Nov, 17 2014 @ 12:13 PM

originally posted by: VirusGuard
... Adobe was contacted and it looks like they have done nothing about it so this makes me feel very unsafe having Flash on my machine.

Even if you removed Adobe Flash from your machine, if you encountered the same web page again you would still see the same fake "Flash update" scam designed to get you to download some malware. [Ditto for the fake Java update (see my avatar).]



posted on Nov, 18 2014 @ 05:52 AM
The trackers on ATS currently number 150; I've posted a list of them on pastebin.com/gGr4QEFx as it's too big to post here.

see ...

edit on 18-11-2014 by engvbany because: (no reason given)



