Hey,
I was logging onto Ausfish tonight like normal, when in Firefox where it shows loading items, I noticed it was loading a link from "PornHub". I remembered an incident a month or so back where Chrome reported this site to be infected. I looked into this more and this post is a result of what I found as I thought I thought it required the members here to know(Just a note for Steve, I mean no dis-respect here at all, please don't hide this post).
I loaded up my debugger in Firefox and reloaded Ausfish, I can now see link by link what is loaded. I found the PornHub link and read the javascript code it loaded. Turns out an ad service that this forum uses is handing out bad links, i.e pornhub. Once this bad link is loaded it then runs code to install a tracking cookie on your PC using flash code. I've read the code and found out this is an evercookie. This cookie will TRACK your browsing history and send it back to a third part server. Once it is installed on your PC it installs itself to a variety of locations so it's hard for you to actually remove. This is a nasty cookie that invades your privacy.
What can you do?
- Delete all stored information in your browser
- Install adblock-plus
- Run a spyware program over your PC
Steve, this post is in total respect to yourself. You did not know that this would occur again. Can I please ask though that you disable all ad service's from this site until you know 100% it is fixed.
As this cookie sends data home all the time it WILL slow your computer down during data sends. I have verified this information by watching it do so, bringing my computer to a crawl.
Information about the cookie:
- http://samy.pl/evercookie/
- https://en.wikipedia.org/wiki/Evercookie
Screenshot:
For the technical mined here is the code so you don't need to download it. http://pastebin.com/AWybfnAE
Last edited by JulianDeMarchi; 22-06-2015 at 08:39 PM. Reason: Update
Thanks for the info, will check everything again just to be sure it is still clear.
Ads are served by Google
What thread/URL were you viewing?
Just checked Google webmaster scans and Google states that the site has been clear since 18th May
The cookie is being set by Cloudflare, this helps increase the speed of the site as it does not have to load all the javascripts everytime a page is opened.
It is not a malicious file.
Last edited by Ausfish; 27-07-2015 at 12:32 PM.
Regards
Steve Brown
https://www.google.com/safebrowsing/...ausfish.com.au
Safe Browsing
Diagnostic page for ausfish.com.au
What is the current listing status for ausfish.com.au?
This site is not currently listed as suspicious.What happened when Google visited this site?
Of the 12106 pages we tested on the site over the past 90 days, 20 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2015-06-21, and the last time suspicious content was found on this site was on 2015-05-18.Malicious software includes 13 exploit(s), 6 trojan(s). Successful infection resulted in an average of 1 new process(es) on the target machine.Has this site acted as an intermediary resulting in further distribution of malware?
Malicious software is hosted on 16 domain(s), including powerporn.pw/, danburykawasaki.com/, realty411.co/.
1 domain(s) appear to be functioning as intermediaries for distributing malware to visitors of this site, including powerporn.pw/.
This site was hosted on 6 network(s) including AS22611 (IMH-WEST), AS13335 (CLOUDFLARENET), AS15169 (GOOGLE).
Over the past 90 days, ausfish.com.au did not appear to function as an intermediary for the infection of any sites.Has this site hosted malware?
Yes, this site has hosted malicious software over the past 90 days. It infected 0 domain(s), including .
Regards
Steve Brown
Originally Posted by JulianDeMarchi
Hey,
I was logging onto Ausfish tonight like normal, when in Firefox where it shows loading items, I noticed it was loading a link from "PornHub". I remembered an incident a month or so back where Chrome reported this site to be infected. I looked into this more and this post is a result of what I found as I thought I thought it required the members here to know(Just a note for Steve, I mean no dis-respect here at all, please don't hide this post).
I loaded up my debugger in Firefox and reloaded Ausfish, I can now see link by link what is loaded. I found the PornHub link and read the javascript code it loaded. Turns out an ad service that this forum uses is handing out bad links, i.e pornhub. Once this bad link is loaded it then runs code to install a tracking cookie on your PC using flash code. I've read the code and found out this is an evercookie. This cookie will TRACK your browsing history and send it back to a third part server. Once it is installed on your PC it installs itself to a variety of locations so it's hard for you to actually remove. This is a nasty cookie that invades your privacy.
What can you do?
- Delete all stored information in your browser
- Install adblock-plus
- Run a spyware program over your PC
Steve, this post is in total respect to yourself. You did not know that this would occur again. Can I please ask though that you disable all ad service's from this site until you know 100% it is fixed.
As this cookie sends data home all the time it WILL slow your computer down during data sends. I have verified this information by watching it do so, bringing my computer to a crawl.
Information about the cookie:
- http://samy.pl/evercookie/
- https://en.wikipedia.org/wiki/Evercookie
Screenshot:
For the technical mined here is the code so you don't need to download it. http://pastebin.com/AWybfnAE
When was this screen shot taken?
Was it taken today or was it from last time this happened in May?
It seems as if it was taken in May as it shows the real IP address of the site (173.247.253.191), instead of the Cloudeflare IP address (104.28.10.124) if it was taken today.
Traceroute - http://network-tools.com/default.asp...ausfish.com.au
2 0 0 0 206.123.64.46 -
3 1 1 1 173.219.246.92 173-219-246-92-link.sta.suddenlink.net
4 390 272 248 173.219.225.54 173-219-225-54-link.sta.suddenlink.net
5 1 1 1 206.223.118.145 xe-0-0-3.edge01.dfw01.as13335.net
6 1 1 0 104.28.10.124 -
Last edited by Ausfish; 23-06-2015 at 03:14 AM.
Regards
Steve Brown
Screenshot was taken last night.
luvtrack.net is the site that is serving the evercookie mate and it is coming from a few different urls loaded from luvtrack.net.
Please please please turn off the ads. I can clean up my computer easy after getting it, but folks here can't and now you know, you're letting folks get this cookie by not turning them off. It really does send your browsing history back to a third party and it does slow your computer down.
Some help for Windows users to remove cookie.
http://www.thewindowsclub.com/delete...er-nevercookie
juliand@bozo:~$ dig ausfish.com.au +short
104.28.10.124
104.28.11.124
juliand@bozo:~$ dig www.ausfish.com.au +short
173.247.253.191
Your DNS is wrong...
Have done a scan of the site and also contacted Google, but can not find anything.
What Thread were you viewing?
Was the cookie present on your computer from a month or longer?
Only ads we have on the site are from Google. Google says their ads are clean.
http://network-tools.com/default.asp...ausfish.com.au
2 0 0 0 206.123.64.46 -
3 1 1 1 173.219.246.92 173-219-246-92-link.sta.suddenlink.net
4 259 208 190 173.219.230.155 173-219-230-155-link.sta.suddenlink.net
5 7 2 1 206.223.118.145 xe-0-0-3.edge01.dfw01.as13335.net
6 1 0 0 104.28.11.124 -
Last edited by Ausfish; 23-06-2015 at 11:04 AM.
Regards
Steve Brown
Why are you posting traceroutes? This not the right info you need man.
The cookie got loaded on the main site. I'm now on my work computer so I'm not going to play again. Google probally don't pick up the cookie as malware. I don't know how their processes for identifying works, so I'm not going to comment more on them except they are wrong here.
What you need to do to find it is this:
Download firebug for firefox. Load ausfish, enable firebug. Click the "net" tab, enable it. Then reload the ausfish site. You'll now see every link the site is trying to load. You're then looking for a page which has "servlet" in the URL, as my research this morn showed me it's loaded from random sites, but via the site luvtrack.net. I have verified it is STILL being served.
My question to you know is though. Why have you not disabled ads yet? You're now responsible for the viewers of this forum getting the cookie and having their browser history sent to third parties and SLOWING DOWN THIER COMPUTERS. I find this offensive considering the help I'm giving you.
I will not asssit anymore until you turn of ads. Please Steve turn of the ads.
Thanks for your help on this. We have contacted Google and they assure the ads are not the cause. I have a couple of systems guys doing some scans and checks on the system
The ads have been turned off for you.
Regards
Steve Brown
Thank you so much. Use the information I posted to track it down. I have submitted the offending url to google to de-index and de-register from the ad service, however I'm not sure how they respond to these requests. I can confirm that the ad is no longer being served.
Good stuff Julian.
It's good to have our own private systems engineer on board for occasions like this.
The last thing I need is an infected work computer.
So far looks like the systems egineers and google were correct, nothing to do with the ads. Appears at this stage to be a cache issue at Cloudflare and maybe browsers. Have cleared the cache on cloudflare and appears to have fix the problem. Still investigating though, so will post as we find out more info.
Regards
Steve Brown
Looks like a cloudflare issue, waiting to hear back from them.
Cookie they were setting. Still working on it.
Regards
Steve Brown
Posting Permissions
Reply With Quote
