TSRA site compromised


pbwalker
Senior Member
Posts: 3032
Joined: Thu May 01, 2008 10:12 am
Location: Northern Colorado

Re: TSRA site compromised

Post by pbwalker »

Charles L. Cotton wrote:
bentcursor wrote:Thanks for the suggestion - typing https://www.tsra.com/ takes you to the site.
I forgot it was on a secure server. I bet the SSL has expired.

Chas.
Cert looks good

Image

I'm happy to help out the TSRA team with any tech questions...I've spent the past 8 years in the Hosting industry, so I've seen the good, the bad, and the ugly. :lol:
*NRA Endowment Member* | Veteran
Vote Adam Kraut for the NRA Board of Directors - http://www.adamkraut.com/
pbwalker
Senior Member
Posts: 3032
Joined: Thu May 01, 2008 10:12 am
Location: Northern Colorado

Re: TSRA site compromised

Post by pbwalker »

Charles L. Cotton wrote:Icdsoft has data centers in Boston, Hong Kong and somewhere in Germany. Unless TSRA changed hosts, they are using Icdsoft.

Chas.
Actually, IDCSoft doesn't have any data centers, but they use facilities provided by Savvis, iAdvantage, and Equinix. As a shared hosting provider, they get to piggy back off of the infrastructure provided by these DC providers without incurring the capex of building one out themselves. A LOT of providers do this and it's quite common. IDCSoft makes their $$ off of squeezing as many customers as they possibly can on to one server. It's a compromise though as you are in a "multi-tenant" environment (fancy word for shared) and if an offending IP is compromised, it can trickle down.

All that being said, if I go to https://64.14.78.167, I am hit with the "trusted certificate" dialog box before I get the "sorry, you can't go here by IP" page. So it looks like the HTTP and HTTPS sites run off of the same IP. SSL sites need a dedicated IP (can't be shared) so TAM's information previously mentioned seems to be more in line than the possibility of a shared IP being compromised.

/nerd
*NRA Endowment Member* | Veteran
Vote Adam Kraut for the NRA Board of Directors - http://www.adamkraut.com/
G.A. Heath
Senior Member
Posts: 2987
Joined: Sat Mar 31, 2007 9:39 pm
Location: Western Texas

Re: TSRA site compromised

Post by G.A. Heath »

If you look at the left side of the screen shot in the OP you will note the links pointing to non-TSRA "products". Either the host/website is compromised or google and bing are conspiring to insert data into the web results.
How do you explain a dog named Sauer without first telling the story of a Puppy named Sig?
R.I.P. Sig, 08/21/2019 - 11/18/2019
JJVP
Senior Member
Posts: 2093
Joined: Mon Feb 23, 2009 4:34 pm
Location: League City, TX

Re: TSRA site compromised

Post by JJVP »

I searched in both Bing and Yahoo. In both the title relates to Viagra, although when you actually click on it, you end up on the TSRA web site.

The title that shows is "Viagra XXXXXXX, Viagra Introduced In + Purchase Online". The XXXXXXX is a word that will get me kicked out of the forum.
2nd Amendment. America's Original Homeland Security.
Alcohol, Tobacco , Firearms. Who's Bringing the Chips?
No Guns. No Freedom. Know Guns. Know Freedom.
The Annoyed Man
Senior Member
Posts: 26885
Joined: Wed Jan 16, 2008 12:59 pm
Location: North Richland Hills, Texas

Re: TSRA site compromised

Post by The Annoyed Man »

pbwalker wrote:
Charles L. Cotton wrote:
bentcursor wrote:Thanks for the suggestion - typing https://www.tsra.com/ takes you to the site.
I forgot it was on a secure server. I bet the SSL has expired.

Chas.
Cert looks good

Image

I'm happy to help out the TSRA team with any tech questions...I've spent the past 8 years in the Hosting industry, so I've seen the good, the bad, and the ugly. :lol:
Their SSL expired a little while back, and they called me asking what to do. I said "renew it."

"Oh."

The SSL cert is current.
“Hard times create strong men. Strong men create good times. Good times create weak men. And, weak men create hard times.”

― G. Michael Hopf, "Those Who Remain"

#TINVOWOOT
TxSheepdog
Member
Posts: 185
Joined: Fri Aug 27, 2010 7:12 pm
Location: San Antonio

Re: TSRA site compromised

Post by TxSheepdog »

The Annoyed Man wrote:
pbwalker wrote:
Charles L. Cotton wrote:
bentcursor wrote:Thanks for the suggestion - typing https://www.tsra.com/ takes you to the site.
I forgot it was on a secure server. I bet the SSL has expired.

Chas.
Cert looks good

Image

I'm happy to help out the TSRA team with any tech questions...I've spent the past 8 years in the Hosting industry, so I've seen the good, the bad, and the ugly. :lol:
Their SSL expired a little while back, and they called me asking what to do. I said "renew it."

"Oh."

The SSL cert is current.
:lol:
"If there must be trouble, let it be in my day, that my child may have peace."- Thomas Paine

"And those who were seen dancing were thought to be insane by those who could not hear the music." - Friedrich Nietzsche
92f-fan
Senior Member
Posts: 533
Joined: Mon Nov 02, 2009 4:08 pm
Location: Carrollton

Re: TSRA site compromised

Post by 92f-fan »

Charles L. Cotton wrote:I don't have anything to do with the TSRA site, but here is a link to Google's warning. http://support.google.com/websearch/bin ... CHwQpwgwAA

I've never seen such a warning before. It's interesting that Google makes such a claim without giving the facts to justify scaring people away from a site. I wonder if it has anything to do with it being a gun-related site?

Chas.
Looking at the search results it looks like somehow a BUNCH of spam pages were inserted in Joomla at one time and they are in the Google index.
The cache view shows what Google indexed off those pages

As TAM mentioned if they are running out of date Joomla they likely got compromised. IMO has nothing to do with anti-gun sentiment. Has nothing to do with the web server it's on. It's simply failure to keep the software up to date.

See screenshot for cache of what google found
"This is Google's cache of https://www.tsra.com/index.php?option=c ... Itemid=105. It is a snapshot of the page as it appeared on Jun 29, 2012 04:04:35 GMT. The current page could have changed in the meantime."

http://webcache.googleusercontent.com/s ... =firefox-a

Looks like the header was compromised somehow - or the spam content was inserted ABOVE the real page content

Joomla admin could look for article 109 item 105 and see if that is still a problem

unfortunate that they are changing to an expensive host simply because the admins didn't keep the free software updated
The Annoyed Man
Senior Member
Posts: 26885
Joined: Wed Jan 16, 2008 12:59 pm
Location: North Richland Hills, Texas

Re: TSRA site compromised

Post by The Annoyed Man »

92f-fan wrote:
Charles L. Cotton wrote:I don't have anything to do with the TSRA site, but here is a link to Google's warning. http://support.google.com/websearch/bin ... CHwQpwgwAA

I've never seen such a warning before. It's interesting that Google makes such a claim without giving the facts to justify scaring people away from a site. I wonder if it has anything to do with it being a gun-related site?

Chas.
Looking at the search results it looks like somehow a BUNCH of spam pages were inserted in Joomla at one time and they are in the Google index.
The cache view shows what Google indexed off those pages

As TAM mentioned if they are running out of date Joomla they likely got compromised. IMO has nothing to do with anti-gun sentiment. Has nothing to do with the web server it's on. It's simply failure to keep the software up to date.

See screenshot for cache of what google found
"This is Google's cache of https://www.tsra.com/index.php?option=c ... Itemid=105. It is a snapshot of the page as it appeared on Jun 29, 2012 04:04:35 GMT. The current page could have changed in the meantime."

http://webcache.googleusercontent.com/s ... =firefox-a

Looks like the header was compromised somehow - or the spam content was inserted ABOVE the real page content

Joomla admin could look for article 109 item 105 and see if that is still a problem

unfortunate that they are changing to an expensive host simply because the admins didn't keep the free software updated
I have Joomla administrator access and I just took a look, and there are no such article ID numbers, either in the Article Manager, or in the Article Trash. One of the link references is to a product ID number in the Virtuemart Cart, but when I checked for any product by such a number, there was no such product ID in the system. Since all of the data accessible from the administrator panel is current and none of what is accessible from the panel contains any meta data to match what is showing on Google, I can only conclude a couple of things. One possibility is that someone used (I'm not sure how) a script to inject some SQL into the database, which is in turn being called to by a malware file that was deposited on the server somehow. Another possibility is that one of the existing Joomla script files got corrupted with malware somehow, and it injected some data into one of the mySQL tables.

Also, I'm looking right now at the PHP in the template index file, and there is nothing there above the document header that would cause this.

I will try to phone TSRA on Monday and see if they can give me access to their hosting account, which will allow me to do some diagnostic work.
Last edited by The Annoyed Man on Sat Jul 07, 2012 1:29 pm, edited 1 time in total.
“Hard times create strong men. Strong men create good times. Good times create weak men. And, weak men create hard times.”

― G. Michael Hopf, "Those Who Remain"

#TINVOWOOT
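
A defender-side check for the symptoms described in the two posts above (spam in the indexed title, markup sitting above the real page, links to off-site "products"), added here as an example and not written by anyone in this thread or taken from Joomla. The keyword list, function names, host names and both sample pages are constructed assumptions; it compares a saved copy of what the search engine indexed against the live page.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed keyword list for pharmacy spam; extend it for your own site.
SPAM = re.compile(r"\b(viagra|cialis|levitra|pharmacy)\b", re.I)

class _Extract(HTMLParser):  # collects <title> text and link targets
    def __init__(self):
        super().__init__()
        self.in_title, self.title, self.links = False, "", []
    def handle_starttag(self, tag, attrs):
        if tag == "title":
            self.in_title = True
        elif tag == "a":
            self.links.append(dict(attrs).get("href") or "")
    def handle_endtag(self, tag):
        self.in_title = self.in_title and tag != "title"
    def handle_data(self, data):
        if self.in_title:
            self.title += data

def scan_snapshot(html, own_host):
    """Return the set of findings for one saved copy of a page."""
    findings = set()
    # Markup ahead of the doctype/<html> tag sits above the real page content.
    start = re.search(r"<!doctype|<html", html, re.I)
    if start and html[:start.start()].strip():
        findings.add("content-before-document-start")
    page = _Extract()
    page.feed(html)
    if SPAM.search(page.title):
        findings.add("spam-term-in-title")
    # Relative links have an empty netloc and count as the site's own.
    if any(SPAM.search(h) and urlparse(h).netloc not in ("", own_host) for h in page.links):
        findings.add("offsite-spam-link")
    return findings

def only_in_cache(cached_html, live_html, own_host):
    """Findings present in the indexed copy but gone from the live page."""
    return sorted(scan_snapshot(cached_html, own_host) - scan_snapshot(live_html, own_host))

# Constructed samples: a cached copy with injected spam, and the live page.
CACHED = ('<a href="http://pills.example.net/viagra">deal</a>\n<!DOCTYPE html><html>'
          '<head><title>Viagra Purchase Online</title></head><body>News</body></html>')
LIVE = ('<!DOCTYPE html><html><head><title>Member news</title></head>'
        '<body><a href="/join">Join</a></body></html>')

if __name__ == "__main__":
    print(only_in_cache(CACHED, LIVE, "www.example.org"))
```

Findings that appear only in the cached copy mean the search index is stale or the page is served differently to crawlers; findings in both copies mean the injected content is still live.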
92f-fan
Senior Member
Posts: 533
Joined: Mon Nov 02, 2009 4:08 pm
Location: Carrollton

Re: TSRA site compromised

Post by 92f-fan »

since all the google links now work and don't show any spam

the issue may have been corrected

I'll bet that the next time Google Bots index the pages the warnings will be gone

I'm disappointed that folks here think that Google due to the perceived anti gun stance somehow fabricated all this.... :confused5

The warnings are there to protect the tech innocent .... Not to promote some political stance....

Edit - one open question is does the TSRA store any member info on that server ? Was it compromised also ?
74novaman
Senior Member
Posts: 3798
Joined: Wed Feb 18, 2009 7:36 am
Location: CenTex

Re: TSRA site compromised

Post by 74novaman »

92f-fan wrote:
I'm disappointed that folks here think that Google due to the perceived anti gun stance somehow fabricated all this.... :confused5
Not exactly a perceived anti gun stance as much as a documented anti gun stance:

http://www.thefirearmblog.com/blog/2012 ... s-results/
TANSTAAFL
92f-fan
Senior Member
Posts: 533
Joined: Mon Nov 02, 2009 4:08 pm
Location: Carrollton

Re: TSRA site compromised

Post by 92f-fan »

74novaman wrote:
92f-fan wrote:
I'm disappointed that folks here think that Google due to the perceived anti gun stance somehow fabricated all this.... :confused5
Not exactly a perceived anti gun stance as much as a documented anti gun stance:

http://www.thefirearmblog.com/blog/2012 ... s-results/
So business decides it doesn't want to promote the sale of weapons.
Google Shopping should be compatible with Google's brand decisions. Google Shopping must be compatible with company brand decisions. Our company has a strong culture and values, and we've chosen not to allow ads that promote products and services that are incompatible with these values. In addition, like all companies, Google sometimes makes decisions based on technical limitations, resource constraints, or requirements from our business partners. Our policies reflect these realities.
It's likely because that category of products have caused them more problems than others. And they don't want the liability.

Does that mean that they also poison search results for weapon related sites as was suggested here ? I don't think so. It would be much easier for Google to simply drop weapons related search results from their index.
The Annoyed Man
Senior Member
Posts: 26885
Joined: Wed Jan 16, 2008 12:59 pm
Location: North Richland Hills, Texas

Re: TSRA site compromised

Post by The Annoyed Man »

92f-fan wrote:I'm disappointed that folks here think that Google due to the perceived anti gun stance somehow fabricated all this.... :confused5

The warnings are there to protect the tech innocent .... Not to promote some political stance....

Edit - one open question is does the TSRA store any member info on that server ? Was it compromised also ?
There is member information stored in Paypal, but as far as I know there is none on the server, other than a username/password record.

BTW, I agree that this cannot possibly be a deliberate effort by Google to poison the site. They may not allow promoting the sales of guns in their searches, but they cannot allow criminal acts, and whoever did this committed a cyber crime. They are a major corporation, and the liability to them for doing something like this deliberately would be so big as to make it punitively expensive.
“Hard times create strong men. Strong men create good times. Good times create weak men. And, weak men create hard times.”

― G. Michael Hopf, "Those Who Remain"

#TINVOWOOT
DocV
Senior Member
Posts: 1127
Joined: Fri Nov 25, 2011 4:29 pm

Re: TSRA site compromised

Post by DocV »

A Joomla 1.6-1.7-2.5 privilege escalation vulnerability was announced in mid-March. The site seems clean now.
These attacks are typical of the rogue pharmacy criminals.
The Annoyed Man
Senior Member
Posts: 26885
Joined: Wed Jan 16, 2008 12:59 pm
Location: North Richland Hills, Texas

Re: TSRA site compromised

Post by The Annoyed Man »

DocV wrote:A Joomla 1.6-1.7-2.5 privilege escalation vulnerability was announced in mid-March. The site seems clean now.
These attacks are typical of the rogue pharmacy criminals.
Yes, but versions 2.5.5+ deal with that vulnerability, and the TSRA site is a 1.5.20 site.
“Hard times create strong men. Strong men create good times. Good times create weak men. And, weak men create hard times.”

― G. Michael Hopf, "Those Who Remain"

#TINVOWOOT
tommyg
Senior Member
Posts: 875
Joined: Sun Aug 07, 2011 9:59 am
Location: Dale, TX

Re: TSRA site compromised

Post by tommyg »

I have been hearing stories about google attempting to block out pro gun websites. This looks like one of their attempts
use another search engine for now
N.R.A. benefactor Member :tiphat: Please Support the N.R.A. :patriot: