darkoshi: (Default)
This is the 2nd time in about as many days that when clicking a link, I've gotten a page like this, which is not the link I clicked:


[Firefox Logo - making it look like it's a Mozilla survey, but it isn't]
2019 Annual Visitor Survey undefined
Browser Opinion survey
April 21, 2019
Congratulations!

You’ve been personally selected to take part in our 2019 Annual Visitor Survey! Tell us what you think of Firefox and to say “Thank You” you’ll receive a chance to get an Apple iPhone Xs!
Question 1 of 4:
How often do you use Firefox ?


When I go back and click the link again, the expected page opens.

Today it happened upon clicking a link in the Google search results. Yesterday, I don't remember which page I had clicked the link from.

It seems to be malware:
https://duckduckgo.com/?q=firefox+%222019+Annual+Visitor+Survey%22&ia=web

(But none of the links in those search results look particularly trustworthy to me.)

An MBAM scan didn't find anything.
Currently doing an scan with my antivirus software.
... it didn't detect anything either.

This has been happening in Waterfox. I wonder if one of my add-ons got hacked. Hopefully not Waterfox itself.

Or maybe the sites that the links I clicked go to were hacked, to occasionally redirect the visitor to this bogus survey site. Both times, the domain of the survey URLs were different:
http://prize8384.bestlifehere24.life/...
http://competition8713.bumblbee82.life/...

Date: 2019-04-22 07:04 am (UTC)From: [personal profile] marahmarie
marahmarie: (M In M Forever) (Default)
Results in both DDG and Google are uniformly garbage for that search, so questions:

--Are you clicking links in search results that bring you to the fake survey?
--Is it a redirect to a website or do you see a popup window in the browser (I'm mostly seeing the latter screencapped in search results I check)?

I'm just curious when/where one might run into this so I can try to avoid it. My use of Waterfox is limited to sorting/storing/reading bookmarks and doing CSS stuff on DW but that said, I have Waterfox "customized" a bit: after I installed it maybe over a year ago, I went into about:config and ripped out anything that can update the browser or my add-ons, because I didn't want my (mostly ancient) add-ons breaking with auto-updates.

Whatever I did worked, so I need to watch things - maybe a bit more carefully than most.

Date: 2019-04-22 09:09 pm (UTC)From: [personal profile] marahmarie
marahmarie: (M In M Forever) (Default)
Thanks for the rundown. Just tried both links in Firefox (as the kitchen laptop I'm on doesn't have Waterfox); the first link brought up the error message sans survey, while the second went to the web page, sans survey. I'll try both again in Waterfox (and check its version number then) once I'm back on my personal laptop, probably later on tonight.

I would've suggested disabling add-ons to test things out, too, but if it's not happening now then there's probably no point. Short of that, I might also try googling the names of said add-ons to see if anyone else has complained of adware or other malware being attached to them, but if the issue doesn't come up again then there's probably no need.

(Sometimes, it occurs to me, I can find strange things by checking about:config - so for this one I might type "redirect" or "popup" or similar into the about:config search box to see what comes up. I've found some odd/surprising stuff just by looking through it.)
Edited (typo) Date: 2019-04-22 09:10 pm (UTC)

Date: 2019-04-26 02:37 am (UTC)From: [personal profile] marahmarie
marahmarie: (M In M Forever) (Default)
Smart Solutions has a problem; every page comes up as an error page using DDG's "search website" link. Checking archive.org, the last scrape was done on April 5th and the site was still loading pages correctly: https://web.archive.org/web/20190405164812/http://www.smartmobilephonesolutions.com/content

So, it was maybe possibly hacked. Google's cache brings up a mixture of 404 pages (on their own servers, not on the website's) and archived pages but with older page dates, so without looking through their cache and archive.org's copy some more it's hard to say.

I have a feeling the mayor's personal website might have had an issue as well, as the page you visited is no longer showing up in results; instead, DDG points us to https://columbiasc.net/mayor/about. Neither Google nor DDG has removed his site from results, nor does either flag either possibly messed-with website in question as "possibly hacked", so I don't know.

Neither redirected me or gave me any popup to the survey while checking in Waterfox tonight (version 56.2.0, released Jan. 2018). Clicked the "check for updates" button while I was in there and see it's offering to upgrade to 56.2.9, so I must've missed something in about:config, because if I'd done the ripping out of things right that button wouldn't even work. Oh, well.
Edited (added WF release info link for my version; typo) Date: 2019-04-26 02:50 am (UTC)

Date: 2019-04-26 04:46 am (UTC)From: [personal profile] marahmarie
marahmarie: (M In M Forever) (Default)
Huh. The survey's not loading for me on either site in either Firefox or Waterfox so I'm really torn if it's a) the websites in question got hacked (but it's kinda strange you'd run 2 for 2 on that) or 2) if it's say, possibly one of your add-ons. I don't know which add-ons you use so can't say off-hand nor search for any known problems in Google (I'm really curious now, though).
Edited Date: 2019-04-26 04:47 am (UTC)

Date: 2019-04-26 04:49 am (UTC)From: [personal profile] marahmarie
marahmarie: (M In M Forever) (Default)
On smartmobilephonesolutions.com I'm getting this error message, now: "PDOException: SQLSTATE[HY000] [1045] Access denied for user 'bond007_james'@'localhost' (using password: YES) in lock_may_be_available() (line 167 of /home/bond007/public_html/includes/lock.inc)."

Which I was not getting just minutes before I wrote my earlier replies tonight to you.

ETA: The lock.inc thing looks like: "Wow, websites can get ransomwared?" maybe at first glance but is actually a known thing in Drupal, perhaps to prevent race conditions: https://api.drupal.org/api/drupal/includes%21lock.inc/function/lock_may_be_available/7.x

Database meltdown perhaps (or hack)? Sort of interesting. Googled the heck out of the bond007 and bond007_james portion but all I get is that Paul Manafort used something similar as his password and some Pinterests and a MySpace. IP lookup's not illuminating but does indicate malware gets hosted there (blacklisted): https://dnslytics.com/ip/104.28.29.148

And here's the top result for "'@'localhost' (using password: YES)": https://stackoverflow.com/questions/20353402/access-denied-for-user-testlocalhost-using-password-yes-except-root-user
Edited (more info; again) Date: 2019-04-26 05:02 am (UTC)

Date: 2019-04-26 05:23 am (UTC)From: [personal profile] marahmarie
marahmarie: (M In M Forever) (Default)
Yeah...my best guess (I could be wrong, as I spent as few minutes with MySQL as I could get away with back when I had my own website) is that the server is seeing everyone as using a password, but everyone is presenting as that user because something's adrift in the coding of the name/pass thing. So most likely misconfigured server, methinks, either because someone unauthorized is in there who doesn't know what they're doing, or else someone just doesn't know what they're doing.

Either way Google results are pretty voluminous so the error does seem common enough.

May 2025

S M T W T F S
    123
45678910
11121314151617
1819 202122 2324
25262728 293031

Most Popular Tags

Page Summary

Style Credit

Expand Cut Tags

No cut tags
Page generated Sunday, June 1st, 2025 10:10 pm
Powered by Dreamwidth Studios