Possible BlueMoon page hijack?

Centurions

My Avast antivirus may be giving a false positive but in the last couple of days it's blocked random occasional pages (although the page itself shows up) with the message:

http://54.148.81.109/getdata.xgi? (plus lots of code) is blocked as a possibly harmful url site.

According to whatismyip this belongs to:

IP Address: 54.148.81.109
City: Boardman
State/Region: Oregon
Country Code US
Postal Code: 97818
ISP: Amazon
Latitude: 45.7788
Longitude: -119.529

This is on PC/Chrome platform and I've recently run a battery of programs as part of my normal monthly clean up with absolutely nothing coming up, and this has only occurred on BM.

Can whoever manages the website confirm whether this is a false positive or not?
 
blue b4 the moon said:
My Avast was playing up before Christmas as well, seemed to be on various adverts.

I couldn't be arsed looking into it. It's been fine for the last week or so. Is your Avast up to date?
Yeah, it's set to auto update. I'm thinking it's just a false positive set off by one of the adverts but just wondered if any of the mods has any knowledge.



Perhaps I should rephrase that last part ;)
 
Can you post the code? Looks like a false positive but better to be safe either way
 
02.01.2015 12:28:06 Network Shield: blocked access to malicious site http ://54.148.81.109/e/getdata.xgi?dt=br&pkey=rfkm88wbvzn36&reppipe=,&edr=off&repequal=_&ru=http%3A%2F%2Fp.acxiom-online.com%2Fpixel%2Fpel%3Fpid%3D1001%26id%3D%3Cna_da%3E%26t%3D1004%26uid%3D%3Cna_id%3E%26dpid%3D3011%26ord%3D1000%26fwd%3Dhttp%253A%252F%252Fbcp.crwdcntrl.net%252F5%252Fc%253D1205%252Fseg%253D%2523DATTRIBUTES%2523 ([54.148.81.109]:80) [ C:\Program Files (x86)\Google\Chrome\Application\chrome.exe ( 5608 ) ]


After a bit more research it seems to be due to acxiom-online.com which is some uber tracking/data broker company:

http://www.itworld.com/article/2710...-one-of-the-world-s-largest-data-brokers.html

Why it's only happening on BlueMoon I don't know. It may be linked to one of the adverts? I'll delete my cookies and see how I go on.
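The log line above is worth decoding rather than just looking up the IP: the blocked URL carries a second URL in its `ru=` parameter, and that one carries a third in `fwd=`, each percent-encoded one more time than the last. The following is an added example written for this thread, not code from Avast or from any poster. It takes the pasted log entry (including the "http ://" the forum inserted to defuse the link), splits it into timestamp, URL, server and process, and then peels the nested URLs apart offline to list the hosts the browser would have visited. The parameter names treated as redirect carriers and all function names are assumptions for illustration; no network request is made.

```python
"""Decode the redirect chain inside an Avast "Network Shield" log line.

Added example for this thread, not code from Avast or from any poster. LOG_LINE
is the entry pasted above (with the forum's "http ://" defusing). REDIRECT_KEYS
and the function names are assumptions; nothing here touches the network.
"""
import re
from urllib.parse import parse_qsl, urlsplit

LOG_LINE = (
    "02.01.2015 12:28:06 Network Shield: blocked access to malicious site "
    "http ://54.148.81.109/e/getdata.xgi?dt=br&pkey=rfkm88wbvzn36&reppipe=,"
    "&edr=off&repequal=_&ru=http%3A%2F%2Fp.acxiom-online.com%2Fpixel%2Fpel"
    "%3Fpid%3D1001%26id%3D%3Cna_da%3E%26t%3D1004%26uid%3D%3Cna_id%3E%26dpid"
    "%3D3011%26ord%3D1000%26fwd%3Dhttp%253A%252F%252Fbcp.crwdcntrl.net%252F5"
    "%252Fc%253D1205%252Fseg%253D%2523DATTRIBUTES%2523 ([54.148.81.109]:80) "
    "[ C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe ( 5608 ) ]"
)

LOG_RE = re.compile(
    r"^(?P<ts>\S+ \S+) Network Shield: blocked access to malicious site "
    r"(?P<url>\S+) \(\[(?P<ip>[^\]]+)\]:(?P<port>\d+)\) "
    r"\[ (?P<process>.+?) \( (?P<pid>\d+) \) \]$"
)

# Query keys that commonly carry the next URL in a redirect/pixel chain.
# "ru" and "fwd" are the two present in the log; the others are assumed.
REDIRECT_KEYS = ("ru", "fwd", "url", "redirect", "redir", "dest", "u", "r")


def parse_log_line(line):
    """Split one Network Shield entry into timestamp, URL, server and process."""
    line = line.strip().replace("http ://", "http://")  # undo forum defusing
    m = LOG_RE.match(line)
    if not m:
        raise ValueError("not a Network Shield block entry: %r" % line[:60])
    return m.groupdict()


def next_hop(params):
    """Return the first parameter value that is itself an absolute URL."""
    for key in REDIRECT_KEYS:
        value = params.get(key, "")
        if value.startswith(("http://", "https://", "//")):
            return value
    return None


def redirect_chain(url, max_hops=10):
    """Peel nested percent-encoded URLs out of each other, one hop per layer.

    parse_qsl decodes one level of %-encoding, so a value that was encoded
    twice (fwd inside ru) comes out as a plain URL on the second hop.
    """
    hops = []
    while url and len(hops) < max_hops:
        parts = urlsplit(url)
        params = dict(parse_qsl(parts.query, keep_blank_values=True))
        hops.append({"host": parts.hostname, "path": parts.path, "params": params})
        url = next_hop(params)
    return hops


def summarize(line):
    """Process, PID and the ordered list of hosts the blocked URL would visit."""
    rec = parse_log_line(line)
    hops = redirect_chain(rec["url"])
    return {"process": rec["process"], "pid": int(rec["pid"]),
            "hosts": [h["host"] for h in hops], "hops": hops}


if __name__ == "__main__":
    s = summarize(LOG_LINE)
    print(s["process"], s["pid"])
    for i, h in enumerate(s["hops"], 1):
        print("hop %d: %s%s" % (i, h["host"], h["path"]))
```

Run against the pasted line it reports three hops: the Amazon-hosted redirector that Avast actually blocked, then p.acxiom-online.com's pixel endpoint, then bcp.crwdcntrl.net. The `<na_da>` and `<na_id>` placeholders in the second hop are unfilled template fields, which is consistent with a tracking pixel being loaded before the ad script had populated them.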
 
In the Avast log I had lots of lines similar to the following:

02.12.2014 12:17:22 Network Shield: blocked access to malicious site http://scontent-b.cdninstagram.com/hphotos-xfp1/t51.2885-15/10809919_532394063561711_1697281727_s.jpg ([31.13.90.183]:80) [ C:\Program Files (x86)\Mozilla Firefox\firefox.exe ( 4184 ) ]

I thought I'd check before mentioning this just in case ;) but they're actually small jpegs of City players and I don't even have Firefox installed.
 
ColinLee said:
In the Avast log I had lots of lines similar to the following:

02.12.2014 12:17:22 Network Shield: blocked access to malicious site http://scontent-b.cdninstagram.com/hphotos-xfp1/t51.2885-15/10809919_532394063561711_1697281727_s.jpg ([31.13.90.183]:80) [ C:\Program Files (x86)\Mozilla Firefox\firefox.exe ( 4184 ) ]

I thought I'd check before mentioning this just in case ;) but they're actually small jpegs of City players and I don't even have Firefox installed.

cdninstagram seems to be the Content Delivery Network for Instagram, a normal photosharing site. I'd be highly surprised if that is the cause of an infection.

http ://54.148.81.109/e/getdata.xgi?dt=br&pkey=rfkm88wbvzn36&reppipe=,&edr=off&repequal=_&ru=http%3A%2F%2Fp.acxiom-online.com%2Fpixel%2Fpel%3Fpid%3D1001%26id%3D%3Cna_da%3E%26t%3D1004%26uid%3D%3Cna_id%3E%26dpid%3D3011%26ord%3D1000%26fwd%3Dhttp%253A%252F%252Fbcp.crwdcntrl.net%252F5%252Fc%253D1205%252Fseg%253D%2523DATTRIBUTES%2523 ([54.148.81.109]:80) [ C:\Program Files (x86)\Google\Chrome\Application\chrome.exe ( 5608 ) ]

This is a tracking cookie redirect. It must be coming from one of the ads, which ad do you see when this pops up?
 
I posted the other day that my connection was dropping out only on this site. I had Avast installed... I replaced it with AVG yesterday and guess what? No more issues.
 
Damocles said:
ColinLee said:
In the Avast log I had lots of lines similar to the following:

02.12.2014 12:17:22 Network Shield: blocked access to malicious site http://scontent-b.cdninstagram.com/hphotos-xfp1/t51.2885-15/10809919_532394063561711_1697281727_s.jpg ([31.13.90.183]:80) [ C:\Program Files (x86)\Mozilla Firefox\firefox.exe ( 4184 ) ]

I thought I'd check before mentioning this just in case ;) but they're actually small jpegs of City players and I don't even have Firefox installed.

cdninstagram seems to be the Content Delivery Network for Instagram, a normal photosharing site. I'd be highly surprised if that is the cause of an infection.

http ://54.148.81.109/e/getdata.xgi?dt=br&pkey=rfkm88wbvzn36&reppipe=,&edr=off&repequal=_&ru=http%3A%2F%2Fp.acxiom-online.com%2Fpixel%2Fpel%3Fpid%3D1001%26id%3D%3Cna_da%3E%26t%3D1004%26uid%3D%3Cna_id%3E%26dpid%3D3011%26ord%3D1000%26fwd%3Dhttp%253A%252F%252Fbcp.crwdcntrl.net%252F5%252Fc%253D1205%252Fseg%253D%2523DATTRIBUTES%2523 ([54.148.81.109]:80) [ C:\Program Files (x86)\Google\Chrome\Application\chrome.exe ( 5608 ) ]

This is a tracking cookie redirect. It must be coming from one of the ads, which ad do you see when this pops up?
I'm not sure an ad even showed up to be honest, it was infrequent anyway. I've deleted cookies so it may be it won't come back anyway.
I've no idea what the issue is with the small jpegs since I was unaware of a problem until I checked the log. I'm not even sure they're from Blue Moon.
 
FantasyIreland said:
I posted the other day that my connection was dropping out only on this site. I had Avast installed... I replaced it with AVG yesterday and guess what? No more issues.
I changed from AVG to Avast because AVG was giving me problems at the time :(
 
The best way not to get a virus is by safe browsing techniques rather than having some bulletproof anti-virus.

I use the inbuilt Microsoft one and do a weekly scan with Malwarebytes and find it sufficient.
 
I'm getting pop up ads almost every time I click a blue moon page and for some reason the site is now as slow as a week in the jail for me. Also cannot see a word I have typed using my iPhone.
 
Damocles said:
The best way not to get a virus is by safe browsing techniques rather than having some bulletproof anti-virus.

I use the inbuilt Microsoft one and do a weekly scan with Malwarebytes and find it sufficient.
True, although it wasn't a virus in my case. Since I've deleted my cookies it's not popped up again, or perhaps Avast got updated and stopped identifying it as a redirect.

Do Microsoft themselves state that MSE is purely a starting point for an Anti-virus program and more or less recommend upgrading to a 3rd party App?
 
ColinLee said:
Damocles said:
The best way not to get a virus is by safe browsing techniques rather than having some bulletproof anti-virus.

I use the inbuilt Microsoft one and do a weekly scan with Malwarebytes and find it sufficient.
True, although it wasn't a virus in my case. Since I've deleted my cookies it's not popped up again, or perhaps Avast got updated and stopped identifying it as a redirect.

Do Microsoft themselves state that MSE is purely a starting point for an Anti-virus program and more or less recommend upgrading to a 3rd party App?

They do but it's worth knowing WHY they say that.

MSE isn't an inferior anti-virus, it's just that MS sends all of its virus definitions database to the other anti-virus companies for free. The purpose of this is to help others detect viruses better but the corollary to this is that an updated MSE will have less of a detection database than anyone else.

Importantly there are several ways which viruses are caught. The first is by a definition detection - this is where a company has seen this virus before or something similar and stored a log of the virus in a database that comes bundled with their software. Antivirus software will scan a file and then see if it matches any program in their database and if it does then it flags it as a virus and if it doesn't then it leaves it alone. This database of big viruses is what MSE is sharing with other companies.

Another way of detecting them is by heuristics detection. This is a bit like a definition detection but instead of logging the details of a file known to be a virus, it logs the behaviour of the virus file and stores them. This is also held in a database like format and MSE will share this with others.

The last way is via a more behavioural model which scans your computer almost constantly and when it sees a file doing something that looks like it could be a virus (rather than detecting it before it has run) it stops it and asks you whether you authorised a program to do it. Various companies have various ways of going about this and I'm happy enough that the engineers at Microsoft are extremely good at this, often branded as real time detection.

In conjunction with safe browsing habits and using common sense when using the internet, MSE does a good enough job for me. If you don't trust yourself or feel your knowledge might not be sufficient to be aware of all dangers then I'd recommend staying with Avast or switching over to AVG which both have excellent detection ratios and are currently the two industry leaders.
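The three detection approaches described in the post above (definition, heuristic, behavioural) are easiest to compare side by side. The following is an added example written for this thread; it is not code from MSE, Avast, AVG or any other product, and the definitions, rules, samples and runtime events in it are constructed for illustration. It shows why the layers are complementary rather than interchangeable: a one-byte change to a known file defeats the definition match, the heuristic rules still flag the variant because its static traits are unchanged, and a sample with no static indicators at all is only caught by what it does at run time.

```python
"""Definition, heuristic and behavioural detection as a toy layered engine.

Added example for this thread; not code from MSE, Avast, AVG or any other
product. Definitions, rules, samples and runtime events are all constructed.
"""
import hashlib
import math
from collections import Counter

# ---- Layer 1: definition (signature) detection ---------------------------
# A "definition" here is the SHA-256 of a file seen before. Real products use
# richer signatures, but the property shown (exact match only) is the same.
DEFINITIONS = set()

def add_definition(sample):
    DEFINITIONS.add(hashlib.sha256(sample).hexdigest())

def signature_match(sample):
    return hashlib.sha256(sample).hexdigest() in DEFINITIONS

# ---- Layer 2: heuristic detection ----------------------------------------
# Static traits a malware family tends to carry, each worth points.
INJECTION_APIS = (b"VirtualAllocEx", b"WriteProcessMemory", b"CreateRemoteThread")
PERSISTENCE_KEY = b"CurrentVersion\\Run"
HEURISTIC_THRESHOLD = 2

def shannon_entropy(data):
    """Bits per byte; close to 8.0 means compressed or encrypted (packed) content."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def heuristic_score(sample):
    score = sum(1 for api in INJECTION_APIS if api in sample)
    if PERSISTENCE_KEY in sample:
        score += 1
    if shannon_entropy(sample) > 7.5:
        score += 2
    return score

# ---- Layer 3: behavioural (real-time) detection --------------------------
# Judged at run time from what the process does, not from its bytes.
def behavioural_reasons(events):
    """events: ordered (action, target) pairs as a runtime monitor would report them."""
    reasons = []
    wrote_startup = any(a == "write_file" and "\\Startup\\" in t for a, t in events)
    spawned_shell = any(a == "spawn" and t.lower().split()[0] in ("cmd.exe", "powershell.exe")
                        for a, t in events)
    if wrote_startup and spawned_shell:
        reasons.append("dropped a file into Startup then launched a shell")
    renamed = sum(1 for a, t in events if a == "rename_file" and t.endswith(".locked"))
    if renamed >= 5:
        reasons.append("mass-renamed %d user files" % renamed)
    return reasons

# ---- The layers in order -------------------------------------------------
def scan(sample, events=()):
    """Return the name of the first layer that flags the sample, or None."""
    if signature_match(sample):
        return "definition"
    if heuristic_score(sample) >= HEURISTIC_THRESHOLD:
        return "heuristic"
    if behavioural_reasons(events):
        return "behavioural"
    return None

# Constructed samples: a fake PE header followed by telltale strings.
KNOWN_BAD = b"MZ\x90\x00" + b"VirtualAllocEx\x00WriteProcessMemory\x00CreateRemoteThread\x00"
VARIANT = KNOWN_BAD + b"\x00"   # one appended byte: new hash, identical code
UNKNOWN = b"MZ\x90\x00" + b"hello world, nothing to see here"
BENIGN = b"MZ\x90\x00" + b"ordinary application with no red flags"

UNKNOWN_EVENTS = [
    ("read_file", "C:\\Users\\colin\\Documents\\notes.txt"),
    ("write_file", "C:\\Users\\colin\\AppData\\Roaming\\Microsoft\\Windows"
                   "\\Start Menu\\Programs\\Startup\\upd.exe"),
    ("spawn", "powershell.exe -nop -w hidden"),
]
BENIGN_EVENTS = [("read_file", "C:\\Users\\colin\\Documents\\notes.txt"),
                 ("write_file", "C:\\Users\\colin\\Documents\\notes.txt")]

add_definition(KNOWN_BAD)   # the vendor has "seen this virus before"

if __name__ == "__main__":
    for name, sample, events in [("known", KNOWN_BAD, []), ("variant", VARIANT, []),
                                 ("unknown", UNKNOWN, UNKNOWN_EVENTS),
                                 ("benign", BENIGN, BENIGN_EVENTS)]:
        print("%-8s -> %s" % (name, scan(sample, events)))
```

The ordering in `scan` mirrors the post: the cheap exact match first, the scored static rules second, and the runtime judgement last, because it is the only one that can fire after the file has already started. The trade-off the post hints at is visible in the thresholds: lowering `HEURISTIC_THRESHOLD` to 1 catches more variants but also turns any legitimate program that uses one of those APIs into a false positive, which is exactly the kind of call that differs between vendors.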
 