Virus


Repent

Ultra Member
ECF Veteran
Verified Member
Oct 18, 2010
1,104
229
Central Oregon
Hello Family;

Just got back from work so I thought I'd post what I know. Last night Baldr sent me a PM answering my question about his experience on the GG site. We PM'd back and forth but I won't go into the contents of those PMs. Best to let that alone.

I found the issue last night shortly after starting my investigation. I then spent the next hour or so, until about 12:30 AM PST, doing some cross browser and cross platform tests and additional testing using different methodology and software (eggs not in same basket) to confirm my original suspicions.

I also de-compiled the website so I could look at the raw code that makes a website a website. I found the offending line items of Java code that were causing the redirect actions some users reported. I won't bother posting the offending code here because code is cryptic to say the least and it wouldn't make sense to anyone anyway. I will tell you that the redirects were pointing to the Russian Federation and I was able to pinpoint the location on a world map.

I am surmising that the offending code was injected into the website due to exploitation of certain WordPress Webserver file vulnerabilities that (have become) known by the "Black Hat" community. "Black Hats" are the bad guys and "White Hats" are the good guys. For the security of other WordPress Webservers out there I will not mention the affected files. Google will have my response typed here indexed within 5 minutes.

After concluding my investigation I emailed all my detailed findings to Imeo as per my protocol and of course I mentioned it to no one. No reason to start a stampede. I reasoned that Imeo would forward my findings to Chase, his Web designer, and the issue would be resolved. It was.

I felt it was up to Imeo's timing what and when to say anything concerning this issue and of course, as I expected, Imeo was open and honest from the get-go about the site as you have read in the previous posts.

I have just now re-conducted my testing of ggecig . com and it is verified as clean. As an aside, after learning what I did last night I went ahead and tested COV because Imeo had mentioned that Bruce also uses this platform and I know a lot of us shop there. The COV site was clean.

That's basically it in a nutshell. Hopefully I didn't bore anyone with the particulars.


PS;

OK now I'll bore you.......Do you guys remember the "Nimda" virus from about 10 years ago? "Nimda" is "Admin" spelled backwards. That was supposed to be a "Ha-Ha" from the Black Hat Community to the White Hat Community. As a test (back then), and just to tinker, I built up a computer and placed it on the outside of my firewall so that it was accessible to the public just like MSN, Yahoo, etc. I left it there and didn't do anything on it or to it. Within 12 minutes it was infected with the Nimda virus.

People who do this type of thing will typically take known virus code, change it around to suit "their purposes" and then release it into the wild (internet). Problem is, most of the time, because the person doesn't really know what they are doing and didn't fully test their code, the virus code is broken in such a way that the full, intended payload is not realized. Sure, damage can be caused, but a lot of times the damage caused is not the intended outcome of the virus writer. We can see this here in our situation. Not everyone reported the same anomalies; each was different in some way. Different OS, different browser, etc.

A "good" virus coder, if there is such a thing, will spend the time it takes to test their virus against commonly used Operating Systems and Web Browsers so that their intentions are carried out without the virus or them being discovered. Back at that time I had an isolated virus lab setup and I did take the time to develop and test my code. Of course I never released my code to the wild. You catch a crook by thinking like a crook.

The intention is always to make money. That will be the bottom line in all such cases. Also realize it is not a human actively hacking a website. Typically it is what is called a "Web Spider" that crawls the internet rattling doors (open ports) looking for vulnerabilities. When a vulnerability is found, it is reported back to the hacker and then the hands-on work begins.......

Now do you see why I said last night that I didn't want to type out all the ways this can possibly happen?
 

Caddyman

Unregistered Supplier
ECF Veteran
Jun 22, 2010
1,117
94
Delaware USA
chaseweb.biz
Yes, thank you for your time and effort, Repent. COV and GG are not the same CMS and I don't host COV either. I did build COV, as well as many well-known sites. The only problems I have seen recently are WordPress installs on my servers. It all happened one night and I spent days cleaning up and securing the sites. I checked the others; GG seemed OK, but I was wrong.

All the sites have been secured very well now, exploits patched, etc. Please, whoever you are, always report any unusual activity on any website to that site's webmaster. It makes our job much easier.

Good example: I built and own a large web forum for Delawareans. Many months ago I noticed a decline in traffic and activity and wrote it off as a lull; forums go through that, no biggie. I always went to the site via a bookmark, of course, and never noticed any issues. Then a month or so ago I was checking my SERP (search engine ranking pages) in Google, clicked a link to my site from Google, and was redirected to a crazy survey site. I had NO IDEA this had been happening for MONTHS for ALL of my Google traffic. That was a big deal! Lots of lost activity. So I fixed it and re-secured everything, and it seems the site is bouncing back.

Moral of the story: 99% of the time, the owner or operator of a website has no idea at all that the site has been compromised and has a virus, trojan, etc.
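A defender-side check for the two behaviours described in the thread so far (Repent's cross-browser, cross-platform comparison of the site, and Caddyman's redirect that only fired for visitors arriving from a Google result): this is added example code, not from the thread or from either site. It fetches the same page under different request headers, diffs the scripts each variant receives, and flags inline scripts that use redirect APIs; the sample HTML, the fake_server stand-in and the indicator pattern are constructed assumptions, and you would swap in a real HTTP fetch to run it against a site you operate.

```python
import re

# Constructed sample (made up for this example): the page a bookmark visitor gets,
# and the same page with a referrer-gated redirect appended, as in the thread.
CLEAN_HTML = ('<html><head><title>Shop</title>'
              '<script src="/wp-includes/js/jquery.js"></script></head>'
              '<body><h1>Welcome</h1></body></html>')
INJECTED_HTML = CLEAN_HTML.replace(
    '</body>', '<script>if(document.referrer.indexOf("google")!=-1)'
    '{window.location="http://redirect.example.invalid/";}</script></body>')

SCRIPT_RE = re.compile(r'<script\b([^>]*)>(.*?)</script>', re.I | re.S)
SRC_RE = re.compile(r'\bsrc\s*=\s*["\']([^"\']+)', re.I)
# APIs injected redirectors rely on; a normal theme rarely needs them inline.
REDIRECT_INDICATORS = re.compile(
    r'window\.location|document\.referrer|location\.replace\(', re.I)

def extract_scripts(html):
    """Return 'src:URL' for external scripts and 'inline:BODY' for inline ones
    (a regex pass is enough for a diff; use a real parser for odd markup)."""
    out = []
    for attrs, body in SCRIPT_RE.findall(html):
        m = SRC_RE.search(attrs)
        out.append('src:' + m.group(1) if m else 'inline:' + body.strip())
    return out

def fake_server(headers):
    """Hypothetical stand-in for an HTTP fetch: injects only for Google referrers."""
    return INJECTED_HTML if 'google' in headers.get('Referer', '') else CLEAN_HTML

def audit(fetch, variants):
    """Fetch once per header set; report scripts only some variants receive
    and inline scripts that call redirect APIs."""
    seen = {name: set(extract_scripts(fetch(h))) for name, h in variants.items()}
    common = set.intersection(*seen.values())
    findings = []
    for name, scripts in seen.items():
        findings += [(name, 'differs', s) for s in sorted(scripts - common)]
        findings += [(name, 'redirect-indicator', s) for s in sorted(scripts)
                     if s.startswith('inline:') and REDIRECT_INDICATORS.search(s)]
    return findings

VARIANTS = {  # bookmark visit vs. arrival from a Google search result
    'bookmark': {'User-Agent': 'Mozilla/5.0'},
    'from-google': {'User-Agent': 'Mozilla/5.0', 'Referer': 'https://www.google.com/'},
}

if __name__ == '__main__':
    for finding in audit(fake_server, VARIANTS):
        print(*finding)
```

Adding more variants (other User-Agent strings, a mobile client, no referrer at all) is how you reproduce the "different OS, different browser" spread of symptoms reported in the thread.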
 

Repent

Ultra Member
ECF Veteran
Verified Member
Oct 18, 2010
1,104
229
Central Oregon
That's the longest P.S. ever!

Thanks for taking the time to help Imeo, Caddy and the rest of the GG community, Repent! We appreciate the time and effort you have spent, and your expertise.

LOL, you're right Rick. Kept telling myself to keep it brief..... you'll glaze their eyes over....... no one knows what you're talking about anyway....... :)

Thanks for the kind words Rick.
 

imeothanasis

Unregistered Supplier
ECF Veteran
Feb 13, 2009
47,882
34,510
Athens, Hellas
gg-goldengreek.com
Repent was very helpful to me via PMs and he bothered to talk to Bal too. He wanted to help him understand. Thank you very much, Repent, for this; it was a very nice move of you :):)

Chase, I am very glad that the problem is solved. You did an excellent and very quick job as always and I want to really thank you for this :):)
 

lordmage

Ultra Member
ECF Veteran
Verified Member
Dec 15, 2008
2,986
105
Dundalk,Maryland, USA
I did, but don't ask me to do what you did... too much code makes the eye run away... I used to code in my day, but with CSS and all those updates since HTML4 I decided it best to step back and watch.

P.S. In short, your efforts were understood by at least one person and truly appreciated, knowing the items you had to use and the code you had to debug to find said code.
 

dspin

Vaping Master
ECF Veteran
Verified Member
Sep 2, 2010
7,513
8,328
USA
Thanks for all your time and effort, Repent. It's greatly appreciated; now YOU can be #1 for VV. Anything for a great fam. member. Now we can await Baldr's reply.
 
I think that malware warning is a manifestation of the universe's disgust that there is not more of Imeo's products around the globe! I've been wanting to join the GG family for a while now; the only thing holding me back is not knowing what kind of juice feeder to put on it... been looking at the Alpha RES, the UFS, the iAtty, Stainless liquinators... so it seems that I'm leaning towards a tank solution.
 

Major

Supplier Associate
ECF Veteran
Mar 22, 2011
1,956
1,888
Panama City, Florida
www.ggecig.com
Make that two. ;) But also like yourself, unless it's a favor for a friend or helping someone with a very limited budget to work with, I no longer fight with it. I don't have the patience nor the eyes I once had "back in the day".

And a very nice lay-speak explanation, Repent. Not to mention the tracking down of the injection. As stated above, I no longer have the eyes nor the patience to stay current enough to be of any real value on the security front.
 

imeothanasis

Unregistered Supplier
ECF Veteran
Feb 13, 2009
47,882
34,510
Athens, Hellas
gg-goldengreek.com
:lol:, maybe I agree, Rev! I will have something soon, no worries :)
 