Everyone is back at work and starting to use computers on our smallest network which has Internet access through a rather old Linksys router. Two systems were left on and screen-locked over the extra long weekend. There does not appear to have been any Internet access interruption in our absence.
A Firefox browser on one system was left pointing to a commonly used web site: https://www.yahoo.com/.%C2%A0 This Yahoo web page was not displayed when the user unlocked the screen and brought up the browser from the task bar.
Instead, a site located at the link https://gaibacoupontec.com was displayed with a message indicating that there was an urgent Firefox update required. There was a button to download and to install the update. I killed the Firefox browser rather than getting rid of it with the X in the upper right hand corner.
This event has the aroma of an unwanted cyber intrusion, which is why I killed the browser. I have also copied and stored the full URL displayed in the browser, but have only included the first part "https://gaibacoupontec.com" here so as not to tempt anyone to risk access.
Is it possible that a new Firefox flaw has been detected and is being exploited for malicious purposes?
Instead, a site located at the link https://gaibacoupontec.com was displayed with a message indicating that there was an urgent Firefox update required.
Have you checked the user's Firefox profile for any unusual extensions? That would be my first suspicion.
Maybe is was an ad redirect. I get this a lot on my phone where people are putting malicious js in ads that redirects me to advertisements for rock hard erections whilst I'm reading articles. Its very noisome!
On 4 January 2017 at 22:33, Chris Olson chris_e_olson@yahoo.com wrote:
Everyone is back at work and starting to use computers on our smallest network which has Internet access through a rather old Linksys router. Two systems were left on and screen-locked over the extra long weekend. There does not appear to have been any Internet access interruption in our absence.
A Firefox browser on one system was left pointing to a commonly used web site: https://www.yahoo.com/. This Yahoo web page was not displayed when the user unlocked the screen and brought up the browser from the task bar.
Instead, a site located at the link https://gaibacoupontec.com was displayed with a message indicating that there was an urgent Firefox update required. There was a button to download and to install the update. I killed the Firefox browser rather than getting rid of it with the X in the upper right hand corner.
This event has the aroma of an unwanted cyber intrusion, which is why I killed the browser. I have also copied and stored the full URL displayed in the browser, but have only included the first part "https://gaibacoupontec.com" here so as not to tempt anyone to risk access.
Is it possible that a new Firefox flaw has been detected and is being exploited for malicious purposes?
CentOS mailing list CentOS@centos.org https://lists.centos.org/mailman/listinfo/centos
On Wed, 2017-01-04 at 21:33 +0000, Chris Olson wrote:
...... A Firefox browser on one system ..... Instead, a site located at the link https://gaibacoupontec.com was displayed with a message indicating that there was an urgent Firefox update required.
Firefox, like other web browsers, usually displays text in HTML mode. Seeing a "link" for https://gaibacoupontec.com does not guarantee the hidden 'A HREF' code is actually for that site.
Is it possible that a new Firefox flaw has been detected and is being exploited for malicious purposes?
Yes. Alertness and improving security are continuous tasks.
SQL injection attempts, made by suffixing usually very long strings of SQL coding to valid parameters such as domain.com/info.php?aaaa=12345, has been popular with the Russians for at least the last few years. The only method of preventing it compromising a site is to test the acceptable maximum length of the parameter (in this example '12345') and if exceeded block the IP address in iptables.
Cyber attacks are gradually replacing armed conflicts.
On 1/5/2017 2:23 PM, Always Learning wrote:
SQL injection attempts, made by suffixing usually very long strings of SQL coding to valid parameters such as domain.com/info.php?aaaa=12345, has been popular with the Russians for at least the last few years.
SQL Injection is a server side issue, not a browser issue.
The only method of preventing it compromising a site is to test the acceptable maximum length of the parameter (in this example '12345') and if exceeded block the IP address in iptables.
no, the proper method of preventing it is not checking the length of the parameter, rather, its ensuring you don't construct SQL queries out of arbitrary URL input without proper parameter substitution techniques such as passing parameters by value rather than string substitution, or using the appropriate string escaping techniques for your database API..
On Thu, Jan 05, 2017 at 10:23:18PM +0000, Always Learning wrote:
[...] The only method of preventing it compromising a site is to test the acceptable maximum length of the parameter (in this example '12345') and if exceeded block the IP address in iptables.
I'm honestly interested in what you mean by this.
-
Always Learning -
Andrew Holway -
Chris Olson -
David Nelson -
John R Pierce -
Jonathan Billings