hmmm malware?

[darkoshi]

This is the 2nd time in about as many days that when clicking a link, I've gotten a page like this, which is not the link I clicked:


[Firefox Logo - making it look like it's a Mozilla survey, but it isn't]
2019 Annual Visitor Survey undefined
Browser Opinion survey
April 21, 2019
Congratulations!

You’ve been personally selected to take part in our 2019 Annual Visitor Survey! Tell us what you think of Firefox and to say “Thank You” you’ll receive a chance to get an Apple iPhone Xs!
Question 1 of 4:
How often do you use Firefox ?

When I go back and click the link again, the expected page opens.

Today it happened upon clicking a link in the Google search results. Yesterday, I don't remember which page I had clicked the link from.

It seems to be malware:
https://duckduckgo.com/?q=firefox+%222019+Annual+Visitor+Survey%22&ia=web

(But none of the links in those search results look particularly trustworthy to me.)

An MBAM scan didn't find anything.
Currently doing an scan with my antivirus software.
... it didn't detect anything either.

This has been happening in Waterfox. I wonder if one of my add-ons got hacked. Hopefully not Waterfox itself.

Or maybe the sites that the links I clicked go to were hacked, to occasionally redirect the visitor to this bogus survey site. Both times, the domain of the survey URLs were different:
http://prize8384.bestlifehere24.life/...
http://competition8713.bumblbee82.life/...

Comments

[marahmarie]

Smart Solutions has a problem; every page comes up as an error page using DDG's "search website" link. Checking archive.org, the last scrape was done on April 5th and the site was still loading pages correctly: https://web.archive.org/web/20190405164812/http://www.smartmobilephonesolutions.com/content

So, it was maybe possibly hacked. Google's cache brings up a mixture of 404 pages (on their own servers, not on the website's) and archived pages but with older page dates, so without looking through their cache and archive.org's copy some more it's hard to say.

I have a feeling the mayor's personal website might have had an issue as well, as the page you visited is no longer showing up in results; instead, DDG points us to https://columbiasc.net/mayor/about. Neither Google nor DDG has removed his site from results, nor does either flag either possibly messed-with website in question as "possibly hacked", so I don't know.

Neither redirected me or gave me any popup to the survey while checking in Waterfox tonight (version 56.2.0, released Jan. 2018). Clicked the "check for updates" button while I was in there and see it's offering to upgrade to 56.2.9, so I must've missed something in about:config, because if I'd done the ripping out of things right that button wouldn't even work. Oh, well.

[darkoshi]

It hasn't happened for me on any other pages so far. But now, opening the stevebenjamin site again, I got it again. (and several other variations of it, when clicking the back button - it loads a different page each time.)

The http://www.smartmobilephonesolutions.com/ site is now giving an error which lists a user id and password (Access denied for user 'bond007_james'@'localhost' (using password: YES)
Whether that has anything to do with it being hacked or not, I can't say... maybe someone hacked that id & weak password, so the webmaster disabled its access? Either way, it's still bad coding to have the id & password displayed to anyone opening the page.

[marahmarie]

Huh. The survey's not loading for me on either site in either Firefox or Waterfox so I'm really torn if it's a) the websites in question got hacked (but it's kinda strange you'd run 2 for 2 on that) or 2) if it's say, possibly one of your add-ons. I don't know which add-ons you use so can't say off-hand nor search for any known problems in Google (I'm really curious now, though).

[marahmarie]

On smartmobilephonesolutions.com I'm getting this error message, now: "PDOException: SQLSTATE[HY000] [1045] Access denied for user 'bond007_james'@'localhost' (using password: YES) in lock_may_be_available() (line 167 of /home/bond007/public_html/includes/lock.inc)."

Which I was not getting just minutes before I wrote my earlier replies tonight to you.

ETA: The lock.inc thing looks like: "Wow, websites can get ransomwared?" maybe at first glance but is actually a known thing in Drupal, perhaps to prevent race conditions: https://api.drupal.org/api/drupal/includes%21lock.inc/function/lock_may_be_available/7.x

Database meltdown perhaps (or hack)? Sort of interesting. Googled the heck out of the bond007 and bond007_james portion but all I get is that Paul Manafort used something similar as his password and some Pinterests and a MySpace. IP lookup's not illuminating but does indicate malware gets hosted there (blacklisted): https://dnslytics.com/ip/104.28.29.148

And here's the top result for "'@'localhost' (using password: YES)": https://stackoverflow.com/questions/20353402/access-denied-for-user-testlocalhost-using-password-yes-except-root-user

[darkoshi]

Ahh.. reading that stackoverflow page, maybe what that "using password: YES" message means is that "yes, a password was used", rather than "the password used was 'YES'".

[marahmarie]

Yeah...my best guess (I could be wrong, as I spent as few minutes with MySQL as I could get away with back when I had my own website) is that the server is seeing everyone as using a password, but everyone is presenting as that user because something's adrift in the coding of the name/pass thing. So most likely misconfigured server, methinks, either because someone unauthorized is in there who doesn't know what they're doing, or else someone just doesn't know what they're doing.

Either way Google results are pretty voluminous so the error does seem common enough.