Page 2 of 3

Re: TSRA site compromised

Posted: Fri Jul 06, 2012 1:15 pm
by pbwalker
Charles L. Cotton wrote:
bentcursor wrote:Thanks for the suggestion - typing https://www.tsra.com/ takes you to the site.
I forgot it was on a secure server. I bet the SSL has expired.

Chas.
Cert looks good

Image

I'm happy to help out the TSRA team with any tech questions...I've spent the past 8 years in the Hosting industry, so I've seen the good, the bad, and the ugly. :lol:

Re: TSRA site compromised

Posted: Fri Jul 06, 2012 1:28 pm
by pbwalker
Charles L. Cotton wrote:Icdsoft has data centers in Boston, Hong Kong and somewhere in Germany. Unless TSRA changed hosts, they are using Icdsoft.

Chas.
Actually, IDCSoft doesn't have any data centers, but they use facilities provided by Savvis, iAdvantage, and Equinix. As a shared hosting provider, they get to piggyback off of the infrastructure provided by these DC providers without incurring the capex of building one out themselves. A LOT of providers do this and it's quite common. IDCSoft makes their $$ off of squeezing as many customers as they possibly can onto one server. It's a compromise though, as you are in a "multi-tenant" environment (fancy word for shared) and if an offending IP is compromised, it can trickle down.

All that being said, if I go to https://64.14.78.167, I am hit with the "trusted certificate" dialog box before I get the "sorry, you can't go here by IP" page. So it looks like the HTTP and HTTPS sites run off of the same IP. SSL sites need a dedicated IP (can't be shared), so TAM's information previously mentioned seems to be more in line than the possibility of a shared IP being compromised.

/nerd

Re: TSRA site compromised

Posted: Fri Jul 06, 2012 1:39 pm
by G.A. Heath
If you look at the left side of the screenshot in the OP you will note the links pointing to non-TSRA "products". Either the host/website is compromised or Google and Bing are conspiring to insert data into the web results.

Re: TSRA site compromised

Posted: Fri Jul 06, 2012 9:10 pm
by JJVP
I searched in both Bing and Yahoo. In both, the title relates to Viagra, although when you actually click on it, you end up on the TSRA web site.

The title that shows is "Viagra XXXXXXX, Viagra Introduced In + Purchase Online". The XXXXXXX is a word that will get me kicked out of the forum.

Re: TSRA site compromised

Posted: Fri Jul 06, 2012 10:25 pm
by The Annoyed Man
pbwalker wrote:
Charles L. Cotton wrote:
bentcursor wrote:Thanks for the suggestion - typing https://www.tsra.com/ takes you to the site.
I forgot it was on a secure server. I bet the SSL has expired.

Chas.
Cert looks good

Image

I'm happy to help out the TSRA team with any tech questions...I've spent the past 8 years in the Hosting industry, so I've seen the good, the bad, and the ugly. :lol:
Their SSL expired a little while back, and they called me asking what to do. I said "renew it."

"Oh."

The SSL cert is current.

Re: TSRA site compromised

Posted: Sat Jul 07, 2012 7:10 am
by TxSheepdog
The Annoyed Man wrote:
pbwalker wrote:
Charles L. Cotton wrote:
bentcursor wrote:Thanks for the suggestion - typing https://www.tsra.com/ takes you to the site.
I forgot it was on a secure server. I bet the SSL has expired.

Chas.
Cert looks good

Image

I'm happy to help out the TSRA team with any tech questions...I've spent the past 8 years in the Hosting industry, so I've seen the good, the bad, and the ugly. :lol:
Their SSL expired a little while back, and they called me asking what to do. I said "renew it."

"Oh."

The SSL cert is current.
:lol:

Re: TSRA site compromised

Posted: Sat Jul 07, 2012 12:46 pm
by 92f-fan
Charles L. Cotton wrote:I don't have anything to do with the TSRA site, but here is a link to Google's warning. http://support.google.com/websearch/bin ... CHwQpwgwAA

I've never seen such a warning before. It's interesting that Google makes such a claim without giving the facts to justify scaring people away from a site. I wonder if it has anything to do with it being a gun-related site?

Chas.
Looking at the search results, it looks like somehow a BUNCH of spam pages were inserted in Joomla at one time and they are in the Google index.
The cache view shows what Google indexed off those pages.

As TAM mentioned, if they are running out-of-date Joomla they likely got compromised. IMO it has nothing to do with anti-gun sentiment. It has nothing to do with the web server it's on. It's simply failure to keep the software up to date.

See screenshot for cache of what Google found:
"This is Google's cache of https://www.tsra.com/index.php?option=c ... Itemid=105. It is a snapshot of the page as it appeared on Jun 29, 2012 04:04:35 GMT. The current page could have changed in the meantime."

http://webcache.googleusercontent.com/s ... =firefox-a

Looks like the header was compromised somehow - or the spam content was inserted ABOVE the real page content.

Joomla admin could look for article 109 item 105 and see if that is still a problem.

Unfortunate that they are changing to an expensive host simply because the admins didn't keep the free software updated.

Re: TSRA site compromised

Posted: Sat Jul 07, 2012 1:24 pm
by The Annoyed Man
92f-fan wrote:
Charles L. Cotton wrote:I don't have anything to do with the TSRA site, but here is a link to Google's warning. http://support.google.com/websearch/bin ... CHwQpwgwAA

I've never seen such a warning before. It's interesting that Google makes such a claim without giving the facts to justify scaring people away from a site. I wonder if it has anything to do with it being a gun-related site?

Chas.
Looking at the search results, it looks like somehow a BUNCH of spam pages were inserted in Joomla at one time and they are in the Google index.
The cache view shows what Google indexed off those pages.

As TAM mentioned, if they are running out-of-date Joomla they likely got compromised. IMO it has nothing to do with anti-gun sentiment. It has nothing to do with the web server it's on. It's simply failure to keep the software up to date.

See screenshot for cache of what Google found:
"This is Google's cache of https://www.tsra.com/index.php?option=c ... Itemid=105. It is a snapshot of the page as it appeared on Jun 29, 2012 04:04:35 GMT. The current page could have changed in the meantime."

http://webcache.googleusercontent.com/s ... =firefox-a

Looks like the header was compromised somehow - or the spam content was inserted ABOVE the real page content.

Joomla admin could look for article 109 item 105 and see if that is still a problem.

Unfortunate that they are changing to an expensive host simply because the admins didn't keep the free software updated.
I have Joomla administrator access and I just took a look, and there are no such article ID numbers, either in the Article Manager or in the Article Trash. One of the link references is to a product ID number in the VirtueMart cart, but when I checked for any product by such a number, there was no such product ID in the system. Since all of the data accessible from the administrator panel is current and none of what is accessible from the panel contains any metadata to match what is showing on Google, I can only conclude a couple of things. One possibility is that someone used (I'm not sure how) a script to inject some SQL into the database, which is in turn being called by a malware file that was deposited on the server somehow. Another possibility is that one of the existing Joomla script files got corrupted with malware somehow, and it injected some data into one of the MySQL tables.

Also, I'm looking right now at the PHP in the template index file, and there is nothing there above the document header that would cause this.

I will try to phone TSRA on Monday and see if they can give me access to their hosting account, which will allow me to do some diagnostic work.
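
The two posts above describe the classic symptom of this kind of CMS compromise: the Google cache shows spam above the real page content and a pharma title, while the admin panel and the template file look clean, because the injected content is only served to search crawlers (cloaking). The following Python script is an added example for this thread, not code from TSRA, Joomla or any poster; it shows how a site admin can check for that condition offline by comparing the HTML a page serves to a normal browser with the HTML it serves to a crawler user agent. The two HTML documents, the spam term list and the `<div id="content">` marker for "where the real page starts" are all constructed assumptions; on a real site you would fetch both views yourself and set the marker to your template's content container.

```python
"""Detect search-engine cloaking / injected SEO spam in a CMS page.

Added example, not code from the thread or from Joomla. Both HTML samples
below are constructed. A real check would fetch the same URL twice, once
with a browser User-Agent and once with a crawler User-Agent, and pass the
two bodies to compare_views().
"""
from html.parser import HTMLParser

# Terms typical of the "pharma hack" spam discussed in the thread (constructed list).
SPAM_TERMS = ("viagra", "cialis", "pharmacy", "purchase online")


class _PageText(HTMLParser):
    """Collects the <title> and the text nodes of a page, in document order."""

    def __init__(self):
        super().__init__()
        self.title = ""
        self.body = []
        self._in_title = False

    def handle_starttag(self, tag, attrs):
        if tag == "title":
            self._in_title = True

    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False

    def handle_data(self, data):
        if self._in_title:
            self.title += data
        elif data.strip():
            self.body.append(data.strip())


def extract(html):
    """Return (title, body_text) for an HTML document. Hidden text (CSS
    offscreen/display:none tricks) is still collected, which is the point:
    it is what the crawler indexes even though a visitor never sees it."""
    p = _PageText()
    p.feed(html)
    p.close()
    return p.title.strip(), " ".join(p.body)


def spam_hits(text):
    """Spam terms present in text, case-insensitive, sorted for stable output."""
    low = text.lower()
    return sorted(t for t in SPAM_TERMS if t in low)


def text_before_marker(html, marker):
    """Text that precedes the first occurrence of marker (the real content
    container). Injected spam typically sits here, above the real page."""
    idx = html.find(marker)
    if idx < 0:
        return None
    return extract(html[:idx])[1]


def compare_views(browser_html, crawler_html, content_marker='<div id="content">'):
    """Compare the page served to a browser with the page served to a crawler
    and report title differences and spam injected above the real content."""
    b_title, b_text = extract(browser_html)
    c_title, _ = extract(crawler_html)
    pre = text_before_marker(crawler_html, content_marker) or ""
    report = {
        "browser_title": b_title,
        "crawler_title": c_title,
        "title_differs": b_title != c_title,
        "spam_in_crawler_title": spam_hits(c_title),
        "spam_before_content": spam_hits(pre),
        "spam_in_browser_view": spam_hits(b_text),
    }
    # Cloaked: the crawler gets a different title, or spam above the content
    # that a regular visitor never sees.
    report["cloaked"] = report["title_differs"] or (
        bool(report["spam_before_content"]) and not report["spam_in_browser_view"]
    )
    return report


# Constructed sample: what a regular visitor receives ...
BROWSER_HTML = """<html><head><title>Example Association - Home</title></head>
<body><div id="header"><a href="/">Home</a></div>
<div id="content"><h1>Welcome</h1><p>Join today to support our members.</p></div>
</body></html>"""

# ... and what the same URL returns to a crawler user agent (constructed).
CRAWLER_HTML = """<html><head><title>Viagra Purchase Online - Cheap Pharmacy</title></head>
<body><div style="position:absolute;left:-9999px">Buy viagra and cialis at our pharmacy</div>
<div id="header"><a href="/">Home</a></div>
<div id="content"><h1>Welcome</h1><p>Join today to support our members.</p></div>
</body></html>"""

if __name__ == "__main__":
    for key, value in compare_views(BROWSER_HTML, CRAWLER_HTML).items():
        print(f"{key}: {value}")
```

Run against a live site, a `cloaked: True` result with a clean admin panel points at the web root rather than the articles table: a modified template or core PHP file that branches on the User-Agent or referrer, or a database trigger or row the panel does not display. Comparing the server's files against a pristine copy of the same Joomla release, and checking the content served to a crawler again after cleanup, is how you confirm the fix rather than waiting for the next Google re-index.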

Re: TSRA site compromised

Posted: Sat Jul 07, 2012 1:29 pm
by 92f-fan
Since all the Google links now work and don't show any spam,

the issue may have been corrected.

I'll bet that the next time Google bots index the pages the warnings will be gone.

I'm disappointed that folks here think that Google, due to the perceived anti-gun stance, somehow fabricated all this.... :confused5

The warnings are there to protect the tech innocent .... Not to promote some political stance....

Edit - one open question is: does the TSRA store any member info on that server? Was it compromised also?

Re: TSRA site compromised

Posted: Sat Jul 07, 2012 2:46 pm
by 74novaman
92f-fan wrote:
I'm disappointed that folks here think that Google, due to the perceived anti-gun stance, somehow fabricated all this.... :confused5
Not exactly a perceived anti gun stance as much as a documented anti gun stance:

http://www.thefirearmblog.com/blog/2012 ... s-results/

Re: TSRA site compromised

Posted: Sat Jul 07, 2012 3:30 pm
by 92f-fan
74novaman wrote:
92f-fan wrote:
I'm disappointed that folks here think that Google, due to the perceived anti-gun stance, somehow fabricated all this.... :confused5
Not exactly a perceived anti gun stance as much as a documented anti gun stance:

http://www.thefirearmblog.com/blog/2012 ... s-results/
So a business decides it doesn't want to promote the sale of weapons.
Google Shopping should be compatible with Google's brand decisions. Google Shopping must be compatible with company brand decisions. Our company has a strong culture and values, and we've chosen not to allow ads that promote products and services that are incompatible with these values. In addition, like all companies, Google sometimes makes decisions based on technical limitations, resource constraints, or requirements from our business partners. Our policies reflect these realities.
It's likely because that category of products has caused them more problems than others. And they don't want the liability.

Does that mean that they also poison search results for weapon-related sites, as was suggested here? I don't think so. It would be much easier for Google to simply drop weapons-related search results from their index.

Re: TSRA site compromised

Posted: Sat Jul 07, 2012 6:33 pm
by The Annoyed Man
92f-fan wrote:I'm disappointed that folks here think that Google, due to the perceived anti-gun stance, somehow fabricated all this.... :confused5

The warnings are there to protect the tech innocent .... Not to promote some political stance....

Edit - one open question is: does the TSRA store any member info on that server? Was it compromised also?
There is member information stored in Paypal, but as far as I know there is none on the server, other than a username/password record.

BTW, I agree that this cannot possibly be a deliberate effort by Google to poison the site. They may not allow promoting the sales of guns in their searches, but they cannot allow criminal acts, and whoever did this committed a cyber crime. They are a major corporation, and the liability to them for doing something like this deliberately would be so big as to make it punitively expensive.

Re: TSRA site compromised

Posted: Sat Jul 07, 2012 7:23 pm
by DocV
A Joomla 1.6-1.7-2.5 privilege escalation vulnerability was announced in mid-March. The site seems clean now.
These attacks are typical of the rogue pharmacy criminals.

Re: TSRA site compromised

Posted: Sat Jul 07, 2012 9:37 pm
by The Annoyed Man
DocV wrote:A Joomla 1.6-1.7-2.5 privilege escalation vulnerability was announced in mid-March. The site seems clean now.
These attacks are typical of the rogue pharmacy criminals.
Yes, but versions 2.5.5+ deal with that vulnerability, and the TSRA site is a 1.5.20 site.

Re: TSRA site compromised

Posted: Sun Jul 08, 2012 3:50 am
by tommyg
I have been hearing stories about Google attempting to block out pro-gun websites. This looks like one of their attempts.
Use another search engine for now.