paypal down!

Kevin Day toasty at dragondata.com
Wed Nov 16 05:15:39 UTC 2005



On Nov 15, 2005, at 10:22 PM, Hannigan, Martin wrote:
>
> No chance. Do you have the attributions wrong here? Even your own  
> website
> says that 404's are 70% burp-factor - which I would tend to agree with
> for the most part. Not enough httpd spurned, reloads, bad pages, etc.
>
> http://www.404lab.com/404/yikes.asp
>
> And oddly enough, no mention of the possibility of malware. Time to
> update. :-)
>

Sorry, I guess I wasn't quite clear. No, I'm not suggesting that you  
specifically have a trojan on your system (I know from your reputation  
that's not happening :) ), or that I believed that malware was  
definitively the cause for the original poster's problem either.

The point I was trying to make was that malware does cause these exact  
problems, and those attempting to support end users reporting these  
problems need to keep trojans and other spyware in mind when  
researching "{big_important_site} is down!!!" complaints, when it  
appears to be up from everywhere else you look.

One really strange example happened about 6 months ago. One of our  
"adult oriented" customers started getting emails from people saying  
that their adult site was showing up to lots of users when they tried  
visiting a certain list of sites (PayPal, eBay, Google, CNN, Hotmail,  
etc). These users could still access small sites fine, but when they  
entered any of the larger sites in their browser, they got a rather  
graphic page from a porn site instead. We took down the page that the  
viewers were being redirected to and put up a "Seeing this message  
instead of the site you expected? Email us for help" notice. After talking  
to a few dozen people who wrote in, we finally figured it out. It  
turns out that the common thing between all the people sending  
complaints about this was that they were infected with an MSIE  
"Browser Helper Object" that was redirecting traffic to any of these  
sites to an HTTP proxy in Russia. This proxy was taking any request  
and redirecting it to my client's URL. I'm guessing they were  
sniffing for private info or inserting pops in the HTML or something,  
and decided they were done. Why they didn't just kill the proxy  
server instead of showing unsuspecting users "adult materials" isn't  
really clear, unless it was meant to be some juvenile "fun".

I'd be curious to see if anyone on the ISP side of things has made a  
list of recent/common IP addresses and hostnames that malware  
attempts to connect to or resolve, and looked for accesses in name  
server logs and netflow records to get an idea of what percentage of  
end-users end up hitting them. I'm willing to bet it's disturbingly  
high.


-- Kevin

(And I can't take credit for 404lab, not my site at all) :)
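The check Kevin suggests near the end of his message (take a list of hostnames that malware is known to resolve, run it against name server logs, and see what fraction of end-user clients hit them) can be sketched in a few lines. The script below is an added illustration and is not part of the original post or anyone's production tooling; the BIND-style query log lines and the "malware" hostnames (all under the reserved `.invalid` TLD) are constructed for the example, and the `summarize` / `is_suspect` names are mine. Subdomains of a listed host are counted as hits, since redirector infrastructure of the kind described in the post often uses several names under one domain.

```python
"""Correlate DNS query-log lines against a list of malware hostnames and
estimate what fraction of resolver clients queried one of them.

Added example for the idea in the post above; the log text and the
hostname list below are constructed for illustration, not real data.
"""
import re
from collections import defaultdict

# Constructed BIND-style query log excerpt (not real traffic).
SAMPLE_LOG = """\
16-Nov-2005 05:01:02.123 client 10.0.0.5#53211: query: www.paypal.com IN A + (192.0.2.1)
16-Nov-2005 05:01:03.456 client 10.0.0.5#53212: query: proxy-update.example.invalid IN A + (192.0.2.1)
16-Nov-2005 05:01:04.789 client 10.0.0.9#41000: query: www.ebay.com IN A + (192.0.2.1)
16-Nov-2005 05:01:05.000 client 10.0.0.12#41001: query: bho-config.example.invalid IN A + (192.0.2.1)
16-Nov-2005 05:01:06.000 client 10.0.0.12#41002: query: cdn.bho-config.example.invalid IN A + (192.0.2.1)
16-Nov-2005 05:01:07.000 client 10.0.0.20#41003: query: www.google.com IN A + (192.0.2.1)
malformed line that should be skipped
"""

# Constructed, hypothetical list of names malware is known to resolve.
MALWARE_HOSTS = {
    "proxy-update.example.invalid",
    "bho-config.example.invalid",
}

# Matches the client address and query name in a BIND query-log line.
LOG_RE = re.compile(
    r"client (?P<client>\d{1,3}(?:\.\d{1,3}){3})#\d+: query: (?P<qname>\S+) IN "
)


def parse_queries(text):
    """Yield (client_ip, qname) pairs; lines that do not match the log format are skipped."""
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m:
            yield m.group("client"), m.group("qname").rstrip(".").lower()


def is_suspect(qname, bad_hosts):
    """True if qname is a listed host or a subdomain of one."""
    labels = qname.split(".")
    return any(".".join(labels[i:]) in bad_hosts for i in range(len(labels)))


def summarize(text, bad_hosts=MALWARE_HOSTS):
    """Return (total_clients, hit_clients, percent, hits).

    hits maps each client that queried a listed name to the set of names it asked for.
    """
    clients = set()
    hits = defaultdict(set)
    for client, qname in parse_queries(text):
        clients.add(client)
        if is_suspect(qname, bad_hosts):
            hits[client].add(qname)
    total = len(clients)
    hit_clients = len(hits)
    percent = 100.0 * hit_clients / total if total else 0.0
    return total, hit_clients, percent, dict(hits)


if __name__ == "__main__":
    total, hit_clients, percent, hits = summarize(SAMPLE_LOG)
    print(f"{hit_clients} of {total} clients ({percent:.1f}%) resolved a listed malware hostname")
    for client, names in sorted(hits.items()):
        print(f"  {client}: {', '.join(sorted(names))}")
```

On the constructed sample, 2 of the 4 distinct clients (50%) resolved a listed name. The same per-client counting applies to netflow records keyed on destination address instead of query name; the useful number for the question in the post is the share of distinct end-user addresses, not the raw query count, since one infected machine can generate thousands of lookups.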
