Author Topic: Changing URLs  (Read 2409 times)


REDACTED

  • Guest
Changing URLs
« on: August 28, 2017, 03:36:28 AM »
Hello,
For the last couple days I've had something happening that is a new one on me:
When I go to my personal site, http://sprdave.us , there are added letters after the URL...
In other words, when I click on the link on my desktop ( http://sprdave.us ) what ends up
in the Browser bar is the address to a directory that doesn't exist...   This only happens when I click on a link...

http://sprdave.us/OfNmZ/

The added letters are different every time.  I have no directory with that designation.....
I'm not sure what I did to start this.... 

Any thoughts..??
Thanx,
SD

Offline Eddy

Re: Changing URLs
« Reply #1 on: August 28, 2017, 06:37:32 AM »

REDACTED

  • Guest
Re: Changing URLs
« Reply #2 on: August 28, 2017, 09:50:45 AM »
Hello & Thanx for the reply...
I downloaded and ran the Malware program and it didn't find anything...
The problem still persists...
I'm still at a loss...

-SD

Offline Eddy

Re: Changing URLs
« Reply #3 on: August 28, 2017, 09:54:18 AM »
Provide the log files as explained.

REDACTED

  • Guest
Re: Changing URLs
« Reply #4 on: August 28, 2017, 10:19:56 AM »
It doesn't say much other than 'No malicious items detected'....
-SD

Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 8/28/17
Scan Time: 12:54 AM
Log File: b171bdd8-8bbd-11e7-a8d5-90b11c727e40.json
Administrator: Yes

-Software Information-
Version: 3.2.2.2018
Components Version: 1.0.188
Update Package Version: 1.0.2671
License: Trial

-System Information-
OS: Windows 10 (Build 15063.540)
CPU: x64
File System: NTFS
User: CELL-SAT-77\Home

-Scan Summary-
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 403288
Threats Detected: 0
(No malicious items detected)
Threats Quarantined: 0
(No malicious items detected)
Time Elapsed: 0 min, 24 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Detect
PUM: Detect

-Scan Details-
Process: 0
(No malicious items detected)

Module: 0
(No malicious items detected)

Registry Key: 0
(No malicious items detected)

Registry Value: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Data Stream: 0
(No malicious items detected)

Folder: 0
(No malicious items detected)

File: 0
(No malicious items detected)

Physical Sector: 0
(No malicious items detected)


(end)

Offline Eddy

Re: Changing URLs
« Reply #5 on: August 28, 2017, 10:22:12 AM »
The instructions say to ATTACH the logs, not to copy/paste them.

Offline Pondus

Re: Changing URLs
« Reply #6 on: August 28, 2017, 10:52:43 AM »
If you scan hxxp://sprdave.us with https://zulu.zscaler.com/

Then click on detailed results, it will show hxxp://sprdave.us/OfNmZ/ as one of the links found on the website




REDACTED

  • Guest
Re: Changing URLs
« Reply #7 on: August 28, 2017, 11:36:32 AM »
Pondus, Thanx for the reply...
Well, that's different... I looked thru the page code and I don't see the link anywhere..
The domain name is forwarded..  The domain forwarding puts the index page in
a frame... I'm gonna get ahold of GoDaddy and see if it's happening
on their end....
I can't help but wonder: How can that link show up in a scan and not be in the html anywhere..??
Thanx again,
-SD

Offline polonus

Re: Changing URLs
« Reply #8 on: August 28, 2017, 12:06:20 PM »
Hi sprdave,

Seems your issues are host-related...
From the point of the website being checked, there are MX problems.  Mailserver response failed.
Quote
Connection Check   Failed   Can't connect to the following mail servers:
smtp.secureserver.net
mailstore1.secureserver.net
Found mail servers without 'AAAA' record
smtp.secureserver.net: ?
mailstore1.secureserver.net: ?
Status codes OK Status codes
These should normally all be the same.

Google Chrome returned code 302 to /OfNmZ/
GoogleBot returned code 302 to /OfNmZ/

Excessive header warning, your Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
X-AspNet-Version: 4.0.30319  speaks too loud, which means excessive info proliferation problem.

F-Grade with recommended change: https://observatory.mozilla.org/analyze.html?host=sprdave.us

The problems result from abuse being performed from that secureserver IP address, so the problems created on the Scottsdale racks with host = -ip-184-168-221-25.ip.secureserver.net (serving up an unrecognized linux-gnu service nConnection / r/nPr/ HTTP 1.1.
x20no-cache cache-control. But they probably are working on it as the address is temporarily unavailable...http://toolbar.netcraft.com/site_report?url=http://ip-184-168-221-25.ip.secureserver.net - risk rate 8 red out of 10!!!!

see: https://ransomwaretracker.abuse.ch/ip/184.168.221.25/  (various Locky ransomware distribution domains on that same IP),
so I propose you'd take that up with GoDaddy...and there is more abuse from that address like spamvertizing:
https://www.abuseipdb.com/check/184.168.221.25
Active spamming there galore: https://otx.alienvault.com/indicator/ip/184.168.221.25/
and it could well be that you could be another victim of such hacked abuse.... :o >:(
well it is a risk you run when sharing your IP with naughty neighbors.

Have a good day and stay safe and secure,

polonus (volunteer website security analyst and website error-hunter)
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!
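
An added illustration, not part of any post in this thread: the 302 to /OfNmZ/ reported above is carried in the server's `Location` response header, which is why the path shows up in a scan but never in the page's HTML. The sketch below audits a raw HTTP response for that redirect and for the version-revealing headers quoted in the reply; the sample response is constructed, and the function name and the "generated path" regex are assumptions made for this example.

```python
import re

# Constructed sample response (not captured from the site). The 302 target and
# the Server / X-Powered-By / X-AspNet-Version values are those quoted above.
SAMPLE_RESPONSE = (
    "HTTP/1.1 302 Found\r\n"
    "Location: /OfNmZ/\r\n"
    "Server: Microsoft-IIS/7.5\r\n"
    "X-Powered-By: ASP.NET\r\n"
    "X-AspNet-Version: 4.0.30319\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

# Headers that advertise the server stack and version to every client.
DISCLOSURE_HEADERS = ("server", "x-powered-by", "x-aspnet-version")

# Heuristic (assumption): one short all-letters path segment looks generated.
GENERATED_PATH = re.compile(r"^/[A-Za-z]{4,8}/?$")


def audit_response(raw):
    """Return (status, location, findings) for one raw HTTP response."""
    head = raw.split("\r\n\r\n", 1)[0]          # drop the body, keep headers
    status_line, _, header_block = head.partition("\r\n")
    status = int(status_line.split(" ", 2)[1])

    headers = {}
    for line in header_block.split("\r\n"):
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()

    findings = []
    location = headers.get("location")
    if 300 <= status < 400 and location:
        # The redirect lives in the response headers, not in the HTML body.
        findings.append(f"server-side redirect {status} -> {location}")
        if GENERATED_PATH.match(location):
            findings.append("redirect target looks like a generated path token")
    for name in DISCLOSURE_HEADERS:
        if name in headers:
            findings.append(f"stack disclosure: {name}: {headers[name]}")
    return status, location, findings


if __name__ == "__main__":
    for finding in audit_response(SAMPLE_RESPONSE)[2]:
        print(finding)
```
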

Offline polonus

Re: Changing URLs
« Reply #9 on: August 28, 2017, 12:26:13 PM »
Hi Dave,

Update - I see the address now has been changed to sprdave.16mb.com
Did you change the hosting to Hostinger International Limited, IP address 31.220.104.103 ?
with the old referrer now resolving to 0.0.0
This IP 31.220.104.103 comes blocked with adblockers because of this list: https://raw.githubusercontent.com/StevenBlack/hosts/master/alternates/fakenews-social/hosts http://sysctl.org/cameleon/hosts

Hope you are aware of this, seems to me you're mitigating or your address is out of your hands.

polonus (volunteer website security analyst and website error-hunter)



« Last Edit: August 28, 2017, 12:28:29 PM by polonus »

Offline polonus

Re: Changing URLs
« Reply #10 on: August 28, 2017, 03:07:12 PM »
Joomla issues: Version does not appear to be latest 3.7.3 - update now.
Google does not like: Google safe browse check - latest = ok.

WARNING
Google finds the site to be potentially dangerous
OK -> http://www.statcounter.com/counter/counter.js
-> http://toolbar.netcraft.com/site_report?url=http://sprdave.16mb.com  (7 red out of 10).
now A status 97,8 %

Whois record name servers don't match the data provided by NS servers

Name Servers from DNS   Name Servers from Whois
ns1.16mb.com
ns1.16mb.com
ns2.16mb.com
ns3.16mb.com
ns4.16mb.com

Consider also: https://urlscan.io/result/e5a0a7dd-617d-4991-97f9-ca0af6d5f90e#summary

WOT  web rep status still unsatisfactory..

polonus

REDACTED

  • Guest
Re: Changing URLs
« Reply #11 on: August 29, 2017, 10:48:59 PM »
Wow.!!  That's what I get for using a free host...
My domain names are at GoDaddy and pointed to the servers at 16mg.com....
I'll be getting rid of the free host...
Thanx for all the help..  I appreciate it...
SD

Offline polonus

Re: Changing URLs
« Reply #12 on: August 29, 2017, 11:16:16 PM »
Hi sprdave,

We thank you for coming here, so we could explain what's happening
from our experience and understanding of these matters.

Not only you learn, we learn and others learn as well and gain expertise.

That is what education and learning should be all about.

Loads of success with whatever your online enterprises may be.

Stay safe and secure, both online and offline,
that is the wish of

P.S. Your website, -http://sprdave.us/ is now being blocked by a chrome extension for me.
You are now on a GoDaddy ransomware launching IP: https://ransomwaretracker.abuse.ch/ip/50.63.202.16/
https://www.abuseipdb.com/check/50.63.202.16

Seems GoDaddy Free indeed is going "rogue" sort of... at least condoning loads of ip-abuse  :o
-> https://asafaweb.com/Scan?Url=ip-50-63-202-16.ip.secureserver.net

See what others experience at 16mb.com as in April this "victim": https://aw-snap.info/file-viewer/?protocol=not-secure&tgt=redingue.16mb.com%2Fwp-signup.php%3Fnew%3Dredingue.16mb.com&ref_sel=GSP2&ua_sel=ff&fs=1
Quote
Note: It looks like your site has returned a 403 Forbidden. In some cases the firewall or a bad bot utility will block the use of this tool as a "fake Googlebot", the primary reason for this is the tool is a "fake Googlebot". With a 403 response you should use the Fetch as Goolgebot utility in Webmaster Tools to verify your site is returning a 403.
ERR_TOO_MANY_REDIRECTS

polonus
« Last Edit: August 30, 2017, 12:04:00 AM by polonus »

Offline Eddy

Re: Changing URLs
« Reply #13 on: August 30, 2017, 01:31:42 AM »
Keep in mind that free almost always comes at a price  ;)