View Full Version : Tracking Cookie Alert
JulianDeMarchi
22-06-2015, 08:29 PM
Hey,
I was logging onto Ausfish tonight like normal, when in Firefox where it shows loading items, I noticed it was loading a link from "PornHub". I remembered an incident a month or so back where Chrome reported this site to be infected. I looked into this more and this post is a result of what I found, as I thought it required the members here to know (Just a note for Steve, I mean no disrespect here at all, please don't hide this post).
I loaded up my debugger in Firefox and reloaded Ausfish, I can now see link by link what is loaded. I found the PornHub link and read the JavaScript code it loaded. Turns out an ad service that this forum uses is handing out bad links, i.e. PornHub. Once this bad link is loaded it then runs code to install a tracking cookie on your PC using Flash code. I've read the code and found out this is an evercookie. This cookie will TRACK your browsing history and send it back to a third-party server. Once it is installed on your PC it installs itself to a variety of locations so it's hard for you to actually remove. This is a nasty cookie that invades your privacy.
What can you do?
- Delete all stored information in your browser
- Install adblock-plus
- Run a spyware program over your PC
Steve, this post is in total respect to yourself. You did not know that this would occur again. Can I please ask though that you disable all ad services from this site until you know 100% it is fixed.
As this cookie sends data home all the time it WILL slow your computer down during data sends. I have verified this information by watching it do so, bringing my computer to a crawl.
Information about the cookie:
- http://samy.pl/evercookie/
- https://en.wikipedia.org/wiki/Evercookie
Screenshot:
http://www.ausfish.com.au/vforum/attachment.php?attachmentid=109627&stc=1
For the technically minded, here is the code so you don't need to download it. http://pastebin.com/AWybfnAE
Ausfish
23-06-2015, 01:23 AM
Thanks for the info, will check everything again just to be sure it is still clear.
Ads are served by Google
What thread/URL were you viewing?
Just checked Google webmaster scans and Google states that the site has been clear since 18th May
The cookie is being set by Cloudflare, this helps increase the speed of the site as it does not have to load all the javascripts every time a page is opened.
It is not a malicious file.
Ausfish
23-06-2015, 02:00 AM
https://www.google.com/safebrowsing/diagnostic?site=ausfish.com.au
Safe Browsing
Diagnostic page for ausfish.com.au
What is the current listing status for ausfish.com.au?
This site is not currently listed as suspicious.
What happened when Google visited this site?
Of the 12106 pages we tested on the site over the past 90 days, 20 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2015-06-21, and the last time suspicious content was found on this site was on 2015-05-18.
Malicious software includes 13 exploit(s), 6 trojan(s). Successful infection resulted in an average of 1 new process(es) on the target machine.
Malicious software is hosted on 16 domain(s), including powerporn.pw/ (https://www.google.com/safebrowsing/diagnostic?site=powerporn.pw/), danburykawasaki.com/ (https://www.google.com/safebrowsing/diagnostic?site=danburykawasaki.com/), realty411.co/ (https://www.google.com/safebrowsing/diagnostic?site=realty411.co/).
1 domain(s) appear to be functioning as intermediaries for distributing malware to visitors of this site, including powerporn.pw/ (https://www.google.com/safebrowsing/diagnostic?site=powerporn.pw/).
This site was hosted on 6 network(s) including AS22611 (IMH-WEST) (https://www.google.com/safebrowsing/diagnostic?site=AS:22611), AS13335 (CLOUDFLARENET) (https://www.google.com/safebrowsing/diagnostic?site=AS:13335), AS15169 (GOOGLE) (https://www.google.com/safebrowsing/diagnostic?site=AS:15169).
Has this site acted as an intermediary resulting in further distribution of malware?
Over the past 90 days, ausfish.com.au did not appear to function as an intermediary for the infection of any sites.
Has this site hosted malware?
Yes, this site has hosted malicious software over the past 90 days. It infected 0 domain(s), including .
Ausfish
23-06-2015, 03:10 AM
When was this screen shot taken?
Was it taken today or was it from last time this happened in May?
It seems as if it was taken in May as it shows the real IP address of the site (173.247.253.191), instead of the Cloudflare IP address (104.28.10.124) if it was taken today.
Traceroute - http://network-tools.com/default.asp?prog=trace&host=ausfish.com.au
2  0  0  0  206.123.64.46  -
3  1  1  1  173.219.246.92  173-219-246-92-link.sta.suddenlink.net
4  390  272  248  173.219.225.54  173-219-225-54-link.sta.suddenlink.net
5  1  1  1  206.223.118.145  xe-0-0-3.edge01.dfw01.as13335.net
6  1  1  0  104.28.10.124  -
JulianDeMarchi
23-06-2015, 06:18 AM
Screenshot was taken last night.
JulianDeMarchi
23-06-2015, 06:34 AM
luvtrack.net is the site that is serving the evercookie mate and it is coming from a few different urls loaded from luvtrack.net.
Please please please turn off the ads. I can clean up my computer easy after getting it, but folks here can't and now you know, you're letting folks get this cookie by not turning them off. It really does send your browsing history back to a third party and it does slow your computer down.
JulianDeMarchi
23-06-2015, 08:39 AM
Some help for Windows users to remove cookie.
http://www.thewindowsclub.com/delete-evercookie-cookie-bleachbit-anonymizer-nevercookie
JulianDeMarchi
23-06-2015, 10:31 AM
juliand@bozo:~$ dig ausfish.com.au +short
104.28.10.124
104.28.11.124
juliand@bozo:~$ dig www.ausfish.com.au +short
173.247.253.191
Your DNS is wrong...
Ausfish
23-06-2015, 11:02 AM
Have done a scan of the site and also contacted Google, but can not find anything.
What Thread were you viewing?
Was the cookie present on your computer from a month or longer?
Only ads we have on the site are from Google. Google says their ads are clean.
http://network-tools.com/default.asp?prog=trace&host=www.ausfish.com.au
2  0  0  0  206.123.64.46  -
3  1  1  1  173.219.246.92  173-219-246-92-link.sta.suddenlink.net
4  259  208  190  173.219.230.155  173-219-230-155-link.sta.suddenlink.net
5  7  2  1  206.223.118.145  xe-0-0-3.edge01.dfw01.as13335.net
6  1  0  0  104.28.11.124  -
JulianDeMarchi
23-06-2015, 11:12 AM
Why are you posting traceroutes? This is not the right info you need man.
The cookie got loaded on the main site. I'm now on my work computer so I'm not going to play again. Google probably don't pick up the cookie as malware. I don't know how their processes for identifying works, so I'm not going to comment more on them except they are wrong here.
What you need to do to find it is this:
Download Firebug for Firefox. Load Ausfish, enable Firebug. Click the "net" tab, enable it. Then reload the Ausfish site. You'll now see every link the site is trying to load. You're then looking for a page which has "servlet" in the URL, as my research this morn showed me it's loaded from random sites, but via the site luvtrack.net. I have verified it is STILL being served.
My question to you now is though. Why have you not disabled ads yet? You're now responsible for the viewers of this forum getting the cookie and having their browser history sent to third parties and SLOWING DOWN THEIR COMPUTERS. I find this offensive considering the help I'm giving you.
I will not assist anymore until you turn off ads. Please Steve turn off the ads.
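Added example, not part of the thread or written by any poster: the network-panel check described in the post above can be repeated offline on a HAR export of the page load, flagging third-party requests that match the two indicators the post names (the luvtrack.net host and "servlet" in the URL) and walking each one's Referer chain back to the request that introduced it. The `*.example` hosts, the paths and the sample capture are constructed placeholders; only `stat.luvtrack.net/click.js` appears in the thread.

```python
from urllib.parse import urlsplit

# Indicators named in the thread: the luvtrack.net host and "servlet" in the URL.
WATCH_HOSTS = ("luvtrack.net",)
WATCH_SUBSTRINGS = ("servlet",)

def host_of(url):
    return (urlsplit(url).hostname or "").lower()

def on_site(host, site):
    """True when host is the site itself or one of its subdomains."""
    return host == site or host.endswith("." + site)

def referer(request):
    """Value of the Referer request header in a HAR request object, or ''."""
    for h in request.get("headers", []):
        if h.get("name", "").lower() == "referer":
            return h.get("value", "")
    return ""

def triage(har, site):
    """Return flagged third-party requests, each with its Referer chain (page first)."""
    entries = har["log"]["entries"]
    parent = {}
    for e in entries:
        parent.setdefault(e["request"]["url"], referer(e["request"]))
    findings = []
    for e in entries:
        url = e["request"]["url"]
        host = host_of(url)
        if on_site(host, site):
            continue  # first-party request, not of interest here
        if not (any(on_site(host, w) for w in WATCH_HOSTS)
                or any(s in url.lower() for s in WATCH_SUBSTRINGS)):
            continue
        chain, seen, cur = [url], {url}, parent.get(url, "")
        while cur and cur not in seen:  # guard against referrer loops
            chain.append(cur)
            seen.add(cur)
            cur = parent.get(cur, "")
        findings.append({"url": url, "chain": chain[::-1]})
    return findings

def entry(url, ref=None):
    """Build a minimal HAR entry for the constructed sample below."""
    headers = [{"name": "Referer", "value": ref}] if ref else []
    return {"request": {"method": "GET", "url": url, "headers": headers}}

# Constructed sample capture. Only stat.luvtrack.net/click.js comes from the
# thread; the *.example hosts and all paths are placeholders.
PAGE = "http://www.ausfish.com.au/vforum/"
AD_FRAME = "http://adnetwork.example/frame.html"
CLICK_JS = "http://stat.luvtrack.net/click.js"
SERVLET = "http://tracker.example/servlet/sync"
SAMPLE_HAR = {"log": {"entries": [
    entry(PAGE),
    entry("http://www.ausfish.com.au/vforum/style.css", PAGE),
    entry(AD_FRAME, PAGE),
    entry(CLICK_JS, AD_FRAME),
    entry(SERVLET, CLICK_JS),
]}}

if __name__ == "__main__":
    for f in triage(SAMPLE_HAR, "ausfish.com.au"):
        print(f["url"])
        for depth, hop in enumerate(f["chain"]):
            print("  " * (depth + 1) + hop)
```

With a real capture, pass the parsed JSON of the exported `.har` file as `har`; the second hop of each chain is the third-party resource the forum page itself loaded, which is the party to report or block.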
Ausfish
23-06-2015, 12:05 PM
Thanks for your help on this. We have contacted Google and they assure the ads are not the cause. I have a couple of systems guys doing some scans and checks on the system
The ads have been turned off for you.
JulianDeMarchi
23-06-2015, 12:10 PM
Thank you so much. Use the information I posted to track it down. I have submitted the offending url to google to de-index and de-register from the ad service, however I'm not sure how they respond to these requests. I can confirm that the ad is no longer being served.
Aussie123
23-06-2015, 12:32 PM
Good stuff Julian.
It's good to have our own private systems engineer on board for occasions like this.
The last thing I need is an infected work computer.
Ausfish
23-06-2015, 03:31 PM
So far looks like the systems engineers and Google were correct, nothing to do with the ads. Appears at this stage to be a cache issue at Cloudflare and maybe browsers. Have cleared the cache on Cloudflare and appears to have fixed the problem. Still investigating though, so will post as we find out more info.
Ausfish
23-06-2015, 06:35 PM
Looks like a cloudflare issue, waiting to hear back from them.
Cookie they were setting. Still working on it.
JulianDeMarchi
23-06-2015, 07:17 PM
Definitely not a Cloudflare issue. While going through Cloudflare with Google ads off, there was no cookie from the offending site. Then this arvo when you were testing the ads, it came back. I'm 100% certain it's a Google ad that's serving it. Also - the evercookie won't get flagged by Google for malicious site detection. However I can't find any information to back this statement up. It might be worth asking Google what their policy on evercookies is?
To help you a bit more. This is the exact URL that luvtrack.net is loading, http://stat.luvtrack.net/click.js. Please only open the link if you have JS disabled. Basically that is the malicious part of the ad that is being served. It loads the other code that installs the tracking cookie. My information, which is all here to read, 100% points to Google ad services as the culprit.
rayken1938
23-06-2015, 07:35 PM
I am a computer dumbo ( Not much better at fishing either) and have adblock enabled and run avast do I have anything to worry about?
Cheers
Ray
JulianDeMarchi
23-06-2015, 07:50 PM
Nothing to worry about, you are doing everything correct Ray.
Moejoes
23-06-2015, 08:00 PM
Hi Julian,
I'm running the full scan with Bleachbit ( Everything ticked )
Hope it doesn't delete everything :o
Moejoes
23-06-2015, 08:01 PM
Only 248mins to go :-?
JulianDeMarchi
23-06-2015, 08:03 PM
That's a while. I don't use Windows, so didn't test the tool (but even Microsoft recommends it), was only a help for people. Aussie123 ran it today and initial reports are good.
Moejoes
23-06-2015, 08:13 PM
Thanks,
Will let you know how I go.
My pc has been slow for a little while now, so hopefully a fix.
bannana
23-06-2015, 08:30 PM
Julian,
I was on pornhub today ... Do I have anything to worry about... Actually I'm on it most days.. More than Ausfish..lol
Aussie123
23-06-2015, 08:41 PM
I ran BleachBit today and my pc is running better than it ever has.
Be careful though if you select Free Disc Space.
That consumed my entire hard drive and the pc stopped as I had no disc space left.
I cancelled the scan and luckily things returned to normal.
I then ran it without that option ticked and also no ticks in the password boxes and then ran the scan and it worked a treat.
It seems to be a very thorough program and cleans parts of your hard drive that other programs don't go near.
DAVE_S
23-06-2015, 08:51 PM
Have you learnt anything? You know you can ask, it's the least we can do seeing you helped with catching reds and trout.
Ausfish
24-06-2015, 03:09 AM
Does not appear to be Google at fault. Have been dealing with them for many years and am sure they are not the problem.
Also consider that if a company the size of Google was delivering this type of cookie, do you think you would be the only person in the world to know about it?
Ausfish
24-06-2015, 03:11 AM
You are fine. Just don't listen to every expert on the Internet. No need to block Google ads. No need to block most ads actually. It is the ads that keep sites online. Like this one for the past few years.
gunna
24-06-2015, 08:47 AM
So how do we know if we have a problem on our PCs? Do we have to just run Bleachbit or is there something we can do first to confirm if it is required?
JulianDeMarchi
24-06-2015, 09:03 AM
In FF go to preferences, privacy, then click remove individual cookies. In the list presented you can search cookies, look for milf.pornhub and gay.*. If anything like that is present, then you need to clean.
JulianDeMarchi
24-06-2015, 09:04 AM
That was a very cheap shot at me mate after all the help I've given... Your fine technical skills are on display here, so I suggest you don't comment on subjects you don't have a handle on.
gunna
24-06-2015, 09:10 AM
Excellent advice right there. Thanks Julian. I - and I expect many others - will do that right now.
Ausfish
24-06-2015, 10:41 AM
Not a shot at you. Do not know why you would think that. Just a general comment as people will click on all sorts of things and download all sorts of software and install it without realising what can happen.
Just look at the click bait on this page :-) http://www.thewindowsclub.com/delete-evercookie-cookie-bleachbit-anonymizer-nevercookie
The link to Bleachbit is not as clear as the other links, then that link goes to the Windows club, then down the bottom of that page after the click bait is a text link Click here (http://bleachbit.sourceforge.net/) to download BleachBit. And then you get to the Bleachbit page
Seems like good software for people to use. But just because a couple of pages with ads and click bait says to use it does not mean it is the answer to everything :-) As with all software you download and install, read the fine print, do not just click on OK. Lots of free software installs malware on your computer. Even free apps like flashlights install stuff you don't want on your phone and spy on you. So be careful
Direct link to Bleachbit - http://bleachbit.sourceforge.net/
Ausfish
24-06-2015, 10:43 AM
How to manage cookies in Firefox - https://support.mozilla.org/en-US/kb/enable-and-disable-cookies-website-preferences
How to remove cookies in Chrome - https://www.google.com/search?q=how+to+remove+cookies+on+chrome&ie=utf-8&oe=utf-8
How to remove cookies in Firefox - https://www.google.com/search?q=how+to+remove+cookies+on+chrome&ie=utf-8&oe=utf-8#q=how+to+remove+cookies+firefox
Ausfish
24-06-2015, 11:12 AM
Waiting for more info from Cloudflare, so far they have acknowledged the issue and are working on it.
JulianDeMarchi
24-06-2015, 12:03 PM
The drama for me is I don't use Windows. I haven't in 10 years. But I couldn't post up a warning with no fix and I bet nearly 80% of people on here use Windows, so I found the most information I could for fixing Windows. However the problem you describe is rife for Windows issues. You just have to sort through it all to get the info you need. On Linux it's easy. Delete your FF profile from ~/.mozilla and you're done.
I do applaud you for working through to get the issue fixed up.
Crunchy
24-06-2015, 05:29 PM
.................................................. ....
JulianDeMarchi
24-06-2015, 05:33 PM
https://kb.iu.edu/d/ajfi hope that helps.
Moejoes
24-06-2015, 06:53 PM
Ok, ran Bleachbit ( Windows ) overnight with everything ticked.
Froze at zero percent but everything seems to be running ok.
Done a search milf.pornhub and gay.*. and nothing came up........so looks like I don't have the Clap or Pox :P
Thanks Julian
Ausfish
24-06-2015, 07:32 PM
Glad to hear your tests came back with the all clear :-)