hmmm malware?

[darkoshi]

This is the 2nd time in about as many days that when clicking a link, I've gotten a page like this, which is not the link I clicked:


[Firefox Logo - making it look like it's a Mozilla survey, but it isn't]
2019 Annual Visitor Survey undefined
Browser Opinion survey
April 21, 2019
Congratulations!

You’ve been personally selected to take part in our 2019 Annual Visitor Survey! Tell us what you think of Firefox and to say “Thank You” you’ll receive a chance to get an Apple iPhone Xs!
Question 1 of 4:
How often do you use Firefox ?

When I go back and click the link again, the expected page opens.

Today it happened upon clicking a link in the Google search results. Yesterday, I don't remember which page I had clicked the link from.

It seems to be malware:
https://duckduckgo.com/?q=firefox+%222019+Annual+Visitor+Survey%22&ia=web

(But none of the links in those search results look particularly trustworthy to me.)

An MBAM scan didn't find anything.
Currently doing an scan with my antivirus software.
... it didn't detect anything either.

This has been happening in Waterfox. I wonder if one of my add-ons got hacked. Hopefully not Waterfox itself.

Or maybe the sites that the links I clicked go to were hacked, to occasionally redirect the visitor to this bogus survey site. Both times, the domain of the survey URLs were different:
http://prize8384.bestlifehere24.life/...
http://competition8713.bumblbee82.life/...

Comments

[marahmarie]

Results in both DDG and Google are uniformly garbage for that search, so questions:

--Are you clicking links in search results that bring you to the fake survey?
--Is it a redirect to a website or do you see a popup window in the browser (I'm mostly seeing the latter screencapped in search results I check)?

I'm just curious when/where one might run into this so I can try to avoid it. My use of Waterfox is limited to sorting/storing/reading bookmarks and doing CSS stuff on DW but that said, I have Waterfox "customized" a bit: after I installed it maybe over a year ago, I went into about:config and ripped out anything that can update the browser or my add-ons, because I didn't want my (mostly ancient) add-ons breaking with auto-updates.

Whatever I did worked, so I need to watch things - maybe a bit more carefully than most.

[darkoshi]

It's not a popup; seems to be a redirect though based on my browser history I'm not certain.

I checked my browser history using Nirsoft's BrowsingHistoryView tool, as Firefox's history list filters out duplicate entries, making it harder to see what exact order you did things in.

Yesterday on 4/21:
I did this search in DuckDuckGo:
https://duckduckgo.com/?q=android+screen+goes+black+during+call

Then, I clicked one of the top search results (right-click, to open in new tab):
http://www.smartmobilephonesolutions.com/content/cell-phone-shows-a-black-screen-during-or-after-a-phone-call

My history first shows the above URL having been opened, and next is the URL to the bogus survey, with "Visited From" equal to the above URL. So I suspect now that the above site is infected, and that it redirected me. The new tab that opened for me only showed the survey. I closed that tab, and re-clicked the link in the search results to get the correct page to display. It displayed then, but with some error message, so I closed it.

The day before on 4/20:
I did this search:
https://duckduckgo.com/?q=mayor+steven+benjamin+mailing+list

I had clicked this link in the search results: https://stevebenjamin.com/

My history first shows the above URL having been opened, and 1 second later is the URL to the bogus survey, with "Visited From" equal to the above URL. So again, I suspect the above site is infected. [ But I guess it might still instead be a problem in my browser or an add-on of mine? ]
Upon closing the tab, and re-clicking the link in the search results, the correct page displayed, without any error.

I'm running the latest Waterfox, 56.2.9. With 11 add-ons. Since this has only happened twice so far, and isn't recreatable by opening the same sites again, I can't test if disabling the add-ons would fix the problem.

From what I read, the end of the survey prompts you to buy some things, so that seems to be its main purpose. I don't think it does anything else nefarious to the machine (whether it's on my end or the server end). But I can't be sure.

[marahmarie]

Thanks for the rundown. Just tried both links in Firefox (as the kitchen laptop I'm on doesn't have Waterfox); the first link brought up the error message sans survey, while the second went to the web page, sans survey. I'll try both again in Waterfox (and check its version number then) once I'm back on my personal laptop, probably later on tonight.

I would've suggested disabling add-ons to test things out, too, but if it's not happening now then there's probably no point. Short of that, I might also try googling the names of said add-ons to see if anyone else has complained of adware or other malware being attached to them, but if the issue doesn't come up again then there's probably no need.

(Sometimes, it occurs to me, I can find strange things by checking about:config - so for this one I might type "redirect" or "popup" or similar into the about:config search box to see what comes up. I've found some odd/surprising stuff just by looking through it.)

[darkoshi]

I'm mainly listing all this for my own reference if it happens again, or for anyone else who may search on the same problem. I'm still researching it.

I checked my about:config, as well as running tasks in Task Manager, and my Windows folders for any files with recent dates. Haven't found anything suspicious yet.

I ran this scanner; it didn't detect any rootkits:
https://support.kaspersky.com/viruses/utility#TDSSKiller

I ran AdwCleaner; it didn't find anything.

[marahmarie]

Smart Solutions has a problem; every page comes up as an error page using DDG's "search website" link. Checking archive.org, the last scrape was done on April 5th and the site was still loading pages correctly: https://web.archive.org/web/20190405164812/http://www.smartmobilephonesolutions.com/content

So, it was maybe possibly hacked. Google's cache brings up a mixture of 404 pages (on their own servers, not on the website's) and archived pages but with older page dates, so without looking through their cache and archive.org's copy some more it's hard to say.

I have a feeling the mayor's personal website might have had an issue as well, as the page you visited is no longer showing up in results; instead, DDG points us to https://columbiasc.net/mayor/about. Neither Google nor DDG has removed his site from results, nor does either flag either possibly messed-with website in question as "possibly hacked", so I don't know.

Neither redirected me or gave me any popup to the survey while checking in Waterfox tonight (version 56.2.0, released Jan. 2018). Clicked the "check for updates" button while I was in there and see it's offering to upgrade to 56.2.9, so I must've missed something in about:config, because if I'd done the ripping out of things right that button wouldn't even work. Oh, well.

[darkoshi]

It hasn't happened for me on any other pages so far. But now, opening the stevebenjamin site again, I got it again. (and several other variations of it, when clicking the back button - it loads a different page each time.)

The http://www.smartmobilephonesolutions.com/ site is now giving an error which lists a user id and password (Access denied for user 'bond007_james'@'localhost' (using password: YES)
Whether that has anything to do with it being hacked or not, I can't say... maybe someone hacked that id & weak password, so the webmaster disabled its access? Either way, it's still bad coding to have the id & password displayed to anyone opening the page.

[marahmarie]

Huh. The survey's not loading for me on either site in either Firefox or Waterfox so I'm really torn if it's a) the websites in question got hacked (but it's kinda strange you'd run 2 for 2 on that) or 2) if it's say, possibly one of your add-ons. I don't know which add-ons you use so can't say off-hand nor search for any known problems in Google (I'm really curious now, though).

[marahmarie]

On smartmobilephonesolutions.com I'm getting this error message, now: "PDOException: SQLSTATE[HY000] [1045] Access denied for user 'bond007_james'@'localhost' (using password: YES) in lock_may_be_available() (line 167 of /home/bond007/public_html/includes/lock.inc)."

Which I was not getting just minutes before I wrote my earlier replies tonight to you.

ETA: The lock.inc thing looks like: "Wow, websites can get ransomwared?" maybe at first glance but is actually a known thing in Drupal, perhaps to prevent race conditions: https://api.drupal.org/api/drupal/includes%21lock.inc/function/lock_may_be_available/7.x

Database meltdown perhaps (or hack)? Sort of interesting. Googled the heck out of the bond007 and bond007_james portion but all I get is that Paul Manafort used something similar as his password and some Pinterests and a MySpace. IP lookup's not illuminating but does indicate malware gets hosted there (blacklisted): https://dnslytics.com/ip/104.28.29.148

And here's the top result for "'@'localhost' (using password: YES)": https://stackoverflow.com/questions/20353402/access-denied-for-user-testlocalhost-using-password-yes-except-root-user

[darkoshi]

Ahh.. reading that stackoverflow page, maybe what that "using password: YES" message means is that "yes, a password was used", rather than "the password used was 'YES'".

[marahmarie]

Yeah...my best guess (I could be wrong, as I spent as few minutes with MySQL as I could get away with back when I had my own website) is that the server is seeing everyone as using a password, but everyone is presenting as that user because something's adrift in the coding of the name/pass thing. So most likely misconfigured server, methinks, either because someone unauthorized is in there who doesn't know what they're doing, or else someone just doesn't know what they're doing.

Either way Google results are pretty voluminous so the error does seem common enough.