Everyone is back at work and starting to use computers on our smallest network which has Internet access through a rather old Linksys router. Two systems were left on and screen-locked over the extra long weekend. There does not appear to have been any Internet access interruption in our absence.

A Firefox browser on one system was left pointing to a commonly used web site: https://www.yahoo.com/. This Yahoo web page was not displayed when the user unlocked the screen and brought up the browser from the task bar.

Instead, a site located at the link https://gaibacoupontec.com was displayed with a message indicating that there was an urgent Firefox update required. There was a button to download and to install the update. I killed the Firefox browser rather than getting rid of it with the X in the upper right hand corner.

This event has the aroma of an unwanted cyber intrusion, which is why I killed the browser. I have also copied and stored the full URL displayed in the browser, but have only included the first part "https://gaibacoupontec.com" here so as not to tempt anyone to risk access.

Is it possible that a new Firefox flaw has been detected and is being exploited for malicious purposes?
> Instead, a site located at the link https://gaibacoupontec.com
> was displayed with a message indicating that there was an urgent
> Firefox update required.

Have you checked the user's Firefox profile for any unusual extensions? That would be my first suspicion.
Maybe it was an ad redirect. I get this a lot on my phone where people are putting malicious js in ads that redirects me to advertisements for rock hard erections whilst I'm reading articles. It's very noisome!

On 4 January 2017 at 22:33, Chris Olson <chris_e_olson at yahoo.com> wrote:
> Everyone is back at work and starting to use computers on our
> smallest network which has Internet access through a rather old
> Linksys router. Two systems were left on and screen-locked over
> the extra long weekend. There does not appear to have been any
> Internet access interruption in our absence.
>
> A Firefox browser on one system was left pointing to a commonly
> used web site: https://www.yahoo.com/. This Yahoo web page was
> not displayed when the user unlocked the screen and brought up
> the browser from the task bar.
>
> Instead, a site located at the link https://gaibacoupontec.com
> was displayed with a message indicating that there was an urgent
> Firefox update required. There was a button to download and to
> install the update. I killed the Firefox browser rather than
> getting rid of it with the X in the upper right hand corner.
>
> This event has the aroma of an unwanted cyber intrusion, which
> is why I killed the browser. I have also copied and stored the
> full URL displayed in the browser, but have only included the
> first part "https://gaibacoupontec.com" here so as not to tempt
> anyone to risk access.
>
> Is it possible that a new Firefox flaw has been detected and is
> being exploited for malicious purposes?
On Wed, 2017-01-04 at 21:33 +0000, Chris Olson wrote:
> ...... A Firefox browser on one system .....
> Instead, a site located at the link https://gaibacoupontec.com
> was displayed with a message indicating that there was an urgent
> Firefox update required.

Firefox, like other web browsers, usually displays text in HTML mode. Seeing a "link" for https://gaibacoupontec.com does not guarantee the hidden 'A HREF' code is actually for that site.

> Is it possible that a new Firefox flaw has been detected and is
> being exploited for malicious purposes?

Yes. Alertness and improving security are continuous tasks.

SQL injection attempts, made by suffixing usually very long strings of SQL coding to valid parameters such as domain.com/info.php?aaaa=12345, has been popular with the Russians for at least the last few years. The only method of preventing it compromising a site is to test the acceptable maximum length of the parameter (in this example '12345') and if exceeded block the IP address in iptables.

Cyber attacks are gradually replacing armed conflicts.

--
Regards,

Paul.
England, EU.

England's place is in the European Union.
On 1/5/2017 2:23 PM, Always Learning wrote:
> SQL injection attempts, made by suffixing usually very long strings of
> SQL coding to valid parameters such as domain.com/info.php?aaaa=12345,
> has been popular with the Russians for at least the last few years.

SQL Injection is a server side issue, not a browser issue.

> The only method of preventing it compromising a site is to test the
> acceptable maximum length of the parameter (in this example '12345') and
> if exceeded block the IP address in iptables.

No, the proper method of preventing it is not checking the length of the parameter, rather, it's ensuring you don't construct SQL queries out of arbitrary URL input without proper parameter substitution techniques such as passing parameters by value rather than string substitution, or using the appropriate string escaping techniques for your database API.

--
john r pierce, recycling bits in santa cruz
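The distinction drawn in the reply above, as an added example that is not part of the original thread: a short constructed value passes a length check yet still rewrites a concatenated query, while the same value passed as a bound parameter matches nothing. Python's sqlite3 stands in for the PHP page; the table, MAX_LEN and the function names are assumptions made for illustration.

```python
import sqlite3

MAX_LEN = 12  # hypothetical length cap of the kind proposed earlier in the thread


def make_db():
    """In-memory table standing in for whatever info.php reads (constructed data)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE info (id INTEGER, owner TEXT, body TEXT)")
    db.executemany(
        "INSERT INTO info VALUES (?, ?, ?)",
        [(12345, "alice", "public note"),
         (12346, "bob", "private note"),
         (12347, "carol", "private note")],
    )
    return db


def lookup_concat(db, aaaa):
    """'Before': length check only, then the value is pasted into the SQL text."""
    if len(aaaa) > MAX_LEN:
        raise ValueError("parameter too long")
    # The database parses whatever is in aaaa as part of the statement.
    return db.execute("SELECT id, owner FROM info WHERE id = " + aaaa).fetchall()


def lookup_bound(db, aaaa):
    """'After': the value is passed by value as a bound parameter."""
    # The statement text is fixed; aaaa is only ever compared as data.
    return db.execute("SELECT id, owner FROM info WHERE id = ?", (aaaa,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    crafted = "1 OR 1=1"  # constructed input, 8 characters, under the cap
    print("concat, normal :", lookup_concat(db, "12345"))
    print("concat, crafted:", lookup_concat(db, crafted))  # every row comes back
    print("bound,  normal :", lookup_bound(db, "12345"))
    print("bound,  crafted:", lookup_bound(db, crafted))   # no row matches
```
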
On Thu, Jan 05, 2017 at 10:23:18PM +0000, Always Learning wrote:
> [...] The
> only method of preventing it compromising a site is to test the
> acceptable maximum length of the parameter (in this example '12345') and
> if exceeded block the IP address in iptables.

I'm honestly interested in what you mean by this.

--
Jonathan Billings <billings at negate.org>