[BBC-Micro] Potential malware warning - very OT but...

Rick Murray rick at rs432.net
Mon Jun 22 23:22:05 BST 2009

Hello everybody,

This is extremely off-topic, but as Beeb stuff is hosted on my site, I'd 
be failing in my duty as a conscientious person if I didn't say 
anything. For reasons that will become clear, I couldn't exactly add 
this message to my website.

If you use a PC to access heyrick.co.uk, you may have already 
encountered the bright red "panic! panic! pee in your pant(ie)s now!" 
warning about malware on my site.

I, personally, have a rather lackadaisical attitude to who is accessing 
my site. I want your name and email address if you are buying something, 
or want support... but beyond that, I don't really care. I don't use 
cookies, it's nice to know what people are looking at, but since I've 
spent *EIGHT* years offline (can't believe Paul Vigay is no longer! 
sob!), I am not at all obsessed with how many hits I get. If I get a 
million, cool. If I get none, whatever...

So the idea of malware is like a TOTAL anathema. I might work a 35 hour 
week on minimum wage, but somehow it's rather more satisfying than 
ripping off bank accounts.

My friend in London (hi! he reads this list) sent me the report:
What is the current listing status for www.heyrick.co.uk?

Site is listed as suspicious - visiting this web site may harm your 
Part of this site was listed for suspicious activity 2 time(s) over the 
past 90 days.

What happened when Google visited this site?

Of the 139 pages we tested over the past 90 days, 73 page(s) resulted in 
malicious software being downloaded and installed without user consent. 
The last time Google visited this site was on 2009-06-21, and the last 
time suspicious content was found on this site was on 2009-06-21.
Malicious software is hosted on 1 domain(s), including

1 domain(s) appear to be functioning as intermediaries for distributing 
malware to visitors of this site, including m-analytics.net/.

This site was hosted on 1 network(s) including AS39451 (MELBOURNE).

Has this site acted as an intermediary resulting in further distribution 
of malware?

Over the past 90 days, www.heyrick.co.uk did not appear to function as 
an intermediary for the infection of any sites.

Has this site hosted malware?

No, this site has not hosted malicious software over the past 90 days.

How did this happen?

In some cases, third parties can add malicious code to legitimate sites, 
which would cause us to show the warning message.

[snip "next steps" stuff]

My site is actually hosted on www2.squirrelinternet.co.uk; I'm sure some 
tool or other will tell you where that is located. I *think* Manchester. 
Sure as hell isn't Melbourne!

Oh, and while you are scratching your head, perhaps you can ponder why 
my site is reported as 73 of 139 pages caused malicious software to be 
installed (wonder how they tested that?!?), yet a coupla paragraphs 
later it says my site hasn't hosted malicious software. Eh!?!?

My friend then looked at this Melbourne server:
Safe Browsing Diagnostic page for AS39451 (MELBOURNE).

What happened when Google visited sites hosted on this network?

Of the 2223 site(s) we tested on this network over the past 90 days, 99 
site(s), including, for example, flixman.com/, heyrick.co.uk/, 
medelhawaii.com/, served content that resulted in malicious software 
being downloaded and installed without user consent.

The last time Google tested a site on this network was on 2009-06-22, 
and the last time suspicious content was found was on 2009-06-21.

Has this network hosted sites acting as intermediaries for further 
malware distribution?

Over the past 90 days, we found 4 site(s) on this network, including, 
for example, buyonlineticket.com/, reallifemarketing.org/, 
visaworld.us/, that appeared to function as intermediaries for the 
infection of 4 other site(s) including, for example, devimultiplex.com/, 
skinfoways.com/, toolshed.co.uk/.

Has this network hosted sites that have distributed malware?

Yes, this network has hosted sites that have distributed malicious 
software in the past 90 days. We found 3 site(s), including, for 
example, visaworld.us/, digitalbroadcasters.co.uk/, 
buyonlineticket.com/, that infected 5 other site(s), including, for 
example, tnydeli.co.uk/, mcpatiala.com/, devimultiplex.com/.

[next steps stuff omitted]

If "visaworld.us", "buyonlineticket.com", and 
"digitalbroadcasters.co.uk" are real sites and not viable hoaxes (like 
various misspellings of Google and Microsoft...), then this is a bigger 
problem than just my site. Furthermore, it's little comfort to be lumped 
in with the likes of visaworld, but it's certainly odd. Oh, and don't do 
the Google maths, I'm finding this stuff doesn't seem to be adding up!

Still have no idea what Melbourne has to do with anything.

I have a trusted friend (a different one, yes, I have more than one 
friend and they're real people too! <giggle>) who I've given carte 
blanche to do whatever is necessary to sort this. I hope it is some 
nasty DNS spoof or some giant cache site that's gone badly astray, or 
maybe Google itself?
However if anything has managed to compromise heyrick (amid the sftp and 
ssh!), then it'll be ripped out - even if that means rm'ing the whole 
damn site. Well, no, there appear to be 66 good pages!

On the plus side, I've just signed a contract for 8Mbit ADSL which I 
think ought to arrive in a week or two. FINALLY! Then I can spend all my 
spare time looking at really stupid stuff on YouTube :-) instead of 
doing anything remotely useful. At least I'll be able to answer mails 
with a better turnaround than ~ two weeks!

ANYWAY, thanks for reading, and if you plan to access my site on a PC 
(amid all those scary warnings), make sure you are running 
anti-everything and lock your system up tighter than a Victorian corset.
Or use a RISC OS machine and go "nerr-nerr!". :-)

Best wishes,

a confused and somewhat irked Rick...

Rick Murray, irregular internet access at local library.
BBC B: ANFS, 2 x 5.25" floppies, EPROM prog, Acorn TTX
E01S FileStore, A3000/A5000/RiscPC/various PCs/blahblah...
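An added example that is not part of Rick's post: the quoted Safe Browsing report says third parties can add code to legitimate pages and names m-analytics.net as the intermediary, so a site owner's first check is to list every external script or iframe source on each page and flag hosts that are not on their own allowlist. The sample HTML, the allowlist and the function names are constructed assumptions; only the m-analytics.net domain comes from the report.

```python
"""Flag third-party script/iframe sources on a page that are not on an allowlist.

Added example, not from the mailing-list post. The HTML below is constructed
to mimic a page with one injected script tag; m-analytics.net is the domain
the quoted Safe Browsing report named as an intermediary.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: a normal page plus one injected external script.
SAMPLE_HTML = """<html><head><title>Beeb stuff</title>
<script src="/js/menu.js"></script>
<script src="http://m-analytics.net/stat.js"></script>
</head><body><p>Welcome.</p>
<iframe src="https://www.youtube.com/embed/example"></iframe>
</body></html>"""


class ExternalRefParser(HTMLParser):
    """Collects the src attribute of every <script> and <iframe> tag."""

    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "iframe"):
            for name, value in attrs:
                if name == "src" and value:
                    self.refs.append(value)


def external_hosts(html):
    """Hostnames of all external script/iframe sources, in page order.

    Relative URLs such as /js/menu.js have no hostname and are skipped;
    protocol-relative URLs (//host/path) do resolve to a hostname.
    """
    parser = ExternalRefParser()
    parser.feed(html)
    hosts = []
    for ref in parser.refs:
        host = urlparse(ref).hostname  # None for relative URLs
        if host:
            hosts.append(host.lower())
    return hosts


def unexpected_hosts(html, allowlist):
    """Hosts the page loads that are not on the owner's allowlist (sorted, unique)."""
    allowed = {h.lower() for h in allowlist}
    return sorted({h for h in external_hosts(html) if h not in allowed})


if __name__ == "__main__":
    # Assumed allowlist: the site itself and the embeds the owner knowingly uses.
    for host in unexpected_hosts(SAMPLE_HTML, ["www.heyrick.co.uk", "www.youtube.com"]):
        print("unexpected third-party source:", host)
```

Run over every HTML file in the site tree, anything printed is a candidate for an injected tag that should be compared against the owner's own copy of the page.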
