It's the same here.
We have an odd situation here that I wonder if you could try and replicate...
Several times over the past week users have called me to look at a virus alert that they have got on their computer...
...thing is it is not a real virus alert, just a web page that looks like a windows screen with a fake virus scan running that then offers a download of an anti-virus package.
I have been investigating and have found the following...
If I search Google for "free subtraction worksheets" or other education related terms I get a page of results that work ok.
If I then tick the radio control for "pages from the uk" and search again I get results as usual but some of them have links in the form http://xxxxxxxxx.yy.zz/fyprwa/bfz.ph...ion+worksheets where the domain appears to be genuine but the link takes me to the fake virus scanner.
I am trying to determine whether this is a google issue or an infection at our end...can anybody else replicate my problem?
It's the same here.
Yep same as here.
Last edited by SYSMAN_MK; 20th January 2010 at 02:44 PM.
Very, very interesting. It does look like a Google issue. I wonder if it's related to the attacks on Google recently?
Does anyone know how to read (rather than execute) the "bfz.php" or similar file that is provided in the Google links? Looks like Google is just indexing loads of compromised web-sites, rather than being at fault itself?
Running Firefox with NoScript just seems to pull up a page of junk (text and further links), so maybe it is some script kicked of by PHP that gives the virus scanner message (and i don't want to risk running it, hence wondering what the source of the PHP code is)?
Edit - if you're bored enough to nslookup a few of the sites in those results it seems to confirm what I said above, very small IP range, probably a few compromised servers on a webhost somewhere...
Final edit - definitely a host issue. If you wget the pages with and without a google.co.uk referrer you will get the normal text without google referrer and a 302 redirect to the malware site if used. This came up ages ago, can't find the thread I posted in about the compromised site - I know it was one with school related bits on...Code:Default Server: google-public-dns-a.google.com Address: 18.104.22.168 > activebrokers.co.uk Server: google-public-dns-a.google.com Address: 22.214.171.124 Non-authoritative answer: Name: activebrokers.co.uk Address: 126.96.36.199 > clmi.co.uk Server: google-public-dns-a.google.com Address: 188.8.131.52 Non-authoritative answer: Name: clmi.co.uk Address: 184.108.40.206 > theilliteratekniferack.com Server: google-public-dns-a.google.com Address: 220.127.116.11 Non-authoritative answer: Name: theilliteratekniferack.com Address: 18.104.22.168 > jim-gray.co.uk Server: google-public-dns-a.google.com Address: 22.214.171.124 Non-authoritative answer: Name: jim-gray.co.uk Address: 126.96.36.199 > hackersunited.co.uk Server: google-public-dns-a.google.com Address: 188.8.131.52 Non-authoritative answer: Name: hackersunited.co.uk Address: 184.108.40.206 > formbyurc.co.uk Server: google-public-dns-a.google.com Address: 220.127.116.11 Non-authoritative answer: Name: formbyurc.co.uk Address: 18.104.22.168
Last edited by OutToLunch; 20th January 2010 at 03:47 PM.
I have reported this to Heart Internet, who appear to be hosting the compromised web-sites!
I agree from the nslookups it is a host issue. I particularly like this domain name:
Just seems very random! I wonder what kind of website it really is?theilliteratekniferack.com
I get this warning from Google Chrome when I click on the link.
Warning: Visiting this site may harm your computer!
The website at sweetlemongrass.com appears to host malware - software that can hurt your computer or otherwise operate without your consent. Just visiting a site that hosts malware can infect your computer.
For detailed information about the problems with this site, visit the Google Safe Browsing diagnostic page for ------------.com."
it's compromised sites, not hosts or search engines. Rather than inject a virus stright into the code a hacker has made it so you only get it if you go through search engines.
After all what webmaster google's his own site?
Last edited by mossj; 20th January 2010 at 09:42 PM.
There are currently 1 users browsing this thread. (0 members and 1 guests)