
Topic: Redirected on login - Captcha / no Robot? (Read 10234 times)

nickgammon

Quote
Nick this is redirecting every day for me, as pointed out it's definitely more frequent when opening a brand new page
It would be great if you can capture one of the pages as served up which causes the redirect. Or does it redirect too quickly for that? Some hard evidence (logs, etc.) would be really helpful.

Quote
You're doing a grand job keeping cool Nick but you must be frustrated by the lack of buy in by the site's founders?
This site has a great base of users who are knowledgeable and provide a lot of support to Arduino users. Let's stick to the positive side here.

We moderators also have a method of discussing things with the site administrators. This issue has been raised there as well. Let's just say that we have met a similar sort of response.

There are tens of thousands of Arduino Forum users. Let's just try to "crowd source" finding what the problem is. I suspect that will be much the fastest way of solving it.

I might try to find if someone on Stack Overflow has heard of this sort of thing. The problem is, as it stands, it is pretty generic. I know what will happen:

Me: Sometimes on our web site we get directed to a malicious site.

Them: Any details?

Me: Sorry, no.

Them: Closed as too broad a question.
Please post technical questions on the forum, not by personal message. Thanks!

More info:
http://www.gammon.com.au/electronics

Riva

I got redirected last night when clicking on the link in an email alert sent to a post I made on here but it was on my ipad so no logging. Second time I clicked the link it came through to here okay.

I have never (yet) been redirected on my desktop PC but I run noScript on Firefox and only allow arduino.cc & ajax.googleapis.com on this site. It is currently showing google-analytics.ga & google-analytics.com as untrusted. And google-analytics.com/mozilla.org as recently blocked.
Don't PM me for help as I will ignore it.

travis_farmer

Quote
I got redirected last night when clicking on the link in an email alert sent to a post I made on here but it was on my ipad so no logging. Second time I clicked the link it came through to here okay.

I have never (yet) been redirected on my desktop PC but I run noScript on Firefox and only allow arduino.cc & ajax.googleapis.com on this site. It is currently showing google-analytics.ga & google-analytics.com as untrusted. And google-analytics.com/mozilla.org as recently blocked.
It would be interesting to know if either of those blocked scripts are compromised. If you could temporarily "trust" those other script sites, one at a time, for a day or so each. Let us know if you get a redirect, and try and gather as much info as you can.

It would be a big help to narrow down what script is causing the redirects. Because if you are blocking those from running scripts, and have not gotten a redirect, then it must be a compromised script.

I will try the same on my computer, and temporarily turn off logging (it seems to block the redirects somehow). You may be on to something here.

~Travis
Currently trying to rebuild a 48" X 48" X 5" (working area) CNC Router.

_pepe_

#93
Mar 18, 2017, 11:11 am Last Edit: Mar 18, 2017, 11:11 am by _pepe_
I've been tracking my network traffic for three days in order to capture all the elements of the issue. Unfortunately, nothing happened.

Has anybody recently met the problem?

ballscrewbob

@ Riva

Almost the same results here in Chrome with Google's own "Google Analytics Opt-out Add-on (by Google)" and certainly the same API and URLs

Have noticed a few times in the last 5 days that the forum was giving out an error and refused to open but closing page and re-open fixed that.

Not sure if it was re-direct or the forum and did not track it as I was thinking of other things.
It may not be the answer you were looking for but its the one I am giving based on either experience, educated guess, google or the fact that you gave nothing to go with in the first place so I used my wonky crystal ball.

Resinator

Quote
It would be great if you can capture one of the pages as served up which causes the redirect. Or does it redirect too quickly for that? Some hard evidence (logs, etc.) would be really helpful.

This site has a great base of users who are knowledgeable and provide a lot of support to Arduino users. Let's stick to the positive side here.

We moderators also have a method of discussing things with the site administrators. This issue has been raised there as well. Let's just say that we have met a similar sort of response.

There are tens of thousands of Arduino Forum users. Let's just try to "crowd source" finding what the problem is. I suspect that will be much the fastest way of solving it.

I might try to find if someone on Stack Overflow has heard of this sort of thing. The problem is, as it stands, it is pretty generic. I know what will happen:

Me: Sometimes on our web site we get directed to a malicious site.

Them: Any details?

Me: Sorry, no.

Them: Closed as too broad a question.
I appreciate your input in this thread Nick and I mean that, I simply don't have the time or enthusiasm to start looking into logging things or doing admins' work for them, it's their site, Arduino is (supposedly) their baby

I have seen David on Twitter telling the world how the 'University' is taking up his time which is too bad for this place. These two did one when it was Arduino vs Arduino, why bother trying to protect the name when you go on to abandon the whole lot?

How long before they are mentioning it on other sites? Just looks so amateur from the outside

Thanks for your input though Nick, this is in no way a dig at you, I quite respect you and your work

Good luck

ballscrewbob

#96
Mar 21, 2017, 02:45 am Last Edit: Mar 21, 2017, 04:42 am by Ballscrewbob
Had to click on "forum" at least twice to get in. on two occasions within a few seconds of each other.

Snagged this on the second attempt.

Code:


Failed to load resource: net::ERR_BLOCKED_BY_CLIENT
www.arduino.cc/:983 Refused to load the script 'https://dnn506yrbagrg.cloudfront.net/pages/scripts/0021/3255.js?413905' because it violates the following Content Security Policy directive: "script-src 'self' 'unsafe-inline' https://forum.arduino.cc https://store.arduino.cc https://arduino.cc https://checkout.stripe.com https://stats.g.doubleclick.net https://connect.facebook.net https://ssl.google-analytics.com https://google-analytics.ga https://code.jquery.com https://ajax.googleapis.com https://js.stripe.com".

(anonymous) @ www.arduino.cc/:983
www.arduino.cc/:1 Refused to load the script 'https://id.arduino.cc/auth/login/?returnurl=http%3A%2F%2Fstore.arduino.cc%2…%26callback%3DjQuery21105086242847933968_1490060474371%26_%3D1490060474372' because it violates the following Content Security Policy directive: "script-src 'self' 'unsafe-inline' https://forum.arduino.cc https://store.arduino.cc https://arduino.cc https://checkout.stripe.com https://stats.g.doubleclick.net https://connect.facebook.net https://ssl.google-analytics.com https://google-analytics.ga https://code.jquery.com https://ajax.googleapis.com https://js.stripe.com".

(index):190 error Object error
www.arduino.cc/:1 Refused to load the script 'https://id.arduino.cc/auth/login/?returnurl=https%3A%2F%2Fforum.arduino.cc%…%26callback%3DjQuery21105086242847933968_1490060474369%26_%3D1490060474370' because it violates the following Content Security Policy directive: "script-src 'self' 'unsafe-inline' https://forum.arduino.cc https://store.arduino.cc https://arduino.cc https://checkout.stripe.com https://stats.g.doubleclick.net https://connect.facebook.net https://ssl.google-analytics.com https://google-analytics.ga https://code.jquery.com https://ajax.googleapis.com https://js.stripe.com".

www.arduino.cc/:190 error Object error




Coming in after a clean up and still had a delay, but pulled the whole log this time.

Code:


GET https://google-analytics.ga/analytics?ab net::ERR_BLOCKED_BY_CLIENT
(anonymous) @ newsletter_subscribe_popup.js:170
(anonymous) @ newsletter_subscribe_popup.js:171
(index):983 Refused to load the script 'https://dnn506yrbagrg.cloudfront.net/pages/scripts/0021/3255.js?413907' because it violates the following Content Security Policy directive: "script-src 'self' 'unsafe-inline' https://forum.arduino.cc https://store.arduino.cc https://arduino.cc https://checkout.stripe.com https://stats.g.doubleclick.net https://connect.facebook.net https://ssl.google-analytics.com https://google-analytics.ga https://code.jquery.com https://ajax.googleapis.com https://js.stripe.com".

(anonymous) @ (index):983
(index):1 Refused to load the script 'https://id.arduino.cc/auth/login/?returnurl=https%3A%2F%2Fforum.arduino.cc%…m%26callback%3DjQuery2110902682805814695_1490067470028%26_%3D1490067470029' because it violates the following Content Security Policy directive: "script-src 'self' 'unsafe-inline' https://forum.arduino.cc https://store.arduino.cc https://arduino.cc https://checkout.stripe.com https://stats.g.doubleclick.net https://connect.facebook.net https://ssl.google-analytics.com https://google-analytics.ga https://code.jquery.com https://ajax.googleapis.com https://js.stripe.com".

(index):190 error Objectabort: ( statusText )always: ()complete: ()done: ()error: ()fail: ()getAllResponseHeaders: ()getResponseHeader: ( key )overrideMimeType: ( type )pipe: ( /* fnDone, fnFail, fnProgress */ )progress: ()promise: ( obj )readyState: 4setRequestHeader: ( name, value )state: ()status: 404statusCode: ( map )statusText: "error"success: ()then: ( /* fnDone, fnFail, fnProgress */ )__proto__: Object error
(index):1 Refused to load the script 'https://id.arduino.cc/auth/login/?returnurl=http%3A%2F%2Fstore.arduino.cc%2…t%26callback%3DjQuery2110902682805814695_1490067470030%26_%3D1490067470031' because it violates the following Content Security Policy directive: "script-src 'self' 'unsafe-inline' https://forum.arduino.cc https://store.arduino.cc https://arduino.cc https://checkout.stripe.com https://stats.g.doubleclick.net https://connect.facebook.net https://ssl.google-analytics.com https://google-analytics.ga https://code.jquery.com https://ajax.googleapis.com https://js.stripe.com".

(index):190 error Objectabort: ( statusText )always: ()complete: ()done: ()error: ()fail: ()getAllResponseHeaders: ()getResponseHeader: ( key )overrideMimeType: ( type )pipe: ( /* fnDone, fnFail, fnProgress */ )progress: ()promise: ( obj )readyState: 4setRequestHeader: ( name, value )state: ()status: 404statusCode: ( map )statusText: "error"success: ()then: ( /* fnDone, fnFail, fnProgress */ )__proto__: Object error
Navigated to http://forum.arduino.cc/
alerts.js?alph21:115 0
newsletter_subscribe_popup.js:170 GET https://google-analytics.ga/analytics?ab net::ERR_BLOCKED_BY_CLIENT
(anonymous) @ newsletter_subscribe_popup.js:170
(anonymous) @ newsletter_subscribe_popup.js:171
cron.php:1 GET http://forum.arduino.cc/cron.php?ts=1490067510 500 (Internal Server Error)

Coding Badly


Ugh. Double fault. The software you are using to log failed us. There is no way the actual URL includes an ellipsis character.


ballscrewbob

#98
Mar 21, 2017, 04:15 am Last Edit: Mar 21, 2017, 04:16 am by Ballscrewbob
WTH was "https://checkout.stripe.com" though?

Another also throws up red "https://17q.org/ga" derived from "https://google-analytics.ga"

BTW that was directly pulled from the Chrome dev console in the prev post.

Chagrin

Neither 17q.org nor google-analytics.ga look legitimate. They resolve to addresses in Bulgaria, and both have SSL certificates created with LetsEncrypt.

So the real question is what script attempted to load content from those domains. Neither domain is ever contacted when I perform a test from my system.
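
The console output posted earlier in the thread prints stack frames under each blocked request, which is where the initiating script can be read off. As an added example (not code from the thread or from the Arduino site), this JavaScript pairs every blocked or refused request in a Chrome console export with the frames printed under it and audits the quoted script-src list; the sample log is constructed and shortened from the lines posted here, and the expected-host list is an assumption.

```javascript
// Constructed sample, shortened from the console lines posted in this thread.
const sampleLog = [
  "newsletter_subscribe_popup.js:170 GET https://google-analytics.ga/analytics?ab net::ERR_BLOCKED_BY_CLIENT",
  "(anonymous) @ newsletter_subscribe_popup.js:170",
  "(anonymous) @ newsletter_subscribe_popup.js:171",
  "(index):983 Refused to load the script 'https://dnn506yrbagrg.cloudfront.net/pages/scripts/0021/3255.js?413907' because it violates the following Content Security Policy directive: \"script-src 'self' 'unsafe-inline' https://arduino.cc https://ssl.google-analytics.com https://google-analytics.ga https://ajax.googleapis.com\".",
  "(anonymous) @ (index):983",
].join("\n");

// Assumption: hosts the site owner actually intends to load scripts from.
const expectedHosts = ["arduino.cc", "ssl.google-analytics.com", "ajax.googleapis.com"];

// Pair each blocked or refused request with the stack frames printed under it.
function blockedRequests(log) {
  const events = [];
  for (const line of log.split("\n")) {
    const get = line.match(/GET (\S+) net::ERR_BLOCKED_BY_CLIENT/);
    const csp = line.match(/Refused to load the script '([^']+)'/);
    const frame = line.match(/^\(anonymous\) @ (.+)$/);
    if (get || csp) {
      events.push({ url: (get || csp)[1], blockedBy: get ? "client" : "csp", initiators: [] });
    } else if (frame && events.length) {
      events[events.length - 1].initiators.push(frame[1]);
    }
  }
  return events;
}

// Extract the script-src source list quoted in a CSP violation message.
function scriptSources(log) {
  const m = log.match(/directive: "script-src ([^"]+)"/);
  return m ? m[1].trim().split(/\s+/) : [];
}

// Flag allowlist entries that weaken the policy or are not on the expected list.
function auditSources(sources, expected) {
  const findings = [];
  for (const src of sources) {
    if (src === "'unsafe-inline'") findings.push({ src, reason: "inline script allowed" });
    if (!src.startsWith("http")) continue; // keywords such as 'self' carry no host
    const host = new URL(src).hostname;
    if (!expected.includes(host)) findings.push({ src, reason: "host not on expected list" });
  }
  return findings;
}

console.log(JSON.stringify(blockedRequests(sampleLog), null, 2));
console.log(auditSources(scriptSources(sampleLog), expectedHosts));
```
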


ballscrewbob

#100
Mar 21, 2017, 04:39 pm Last Edit: Mar 21, 2017, 04:40 pm by Ballscrewbob
I use the "no script" and Google's own tool and am pretty sure they are the reason I don't get to see any re-directs from Chrome.

Avast free is the primary AV and have a few blacklisted items on the router (prevents wife issues with technology ;) )

Riva

Performing a whois on google-analytics.ga points to Amsterdam addresses.

https://www.whois.net/ yields...
Quote
Owner contact:
Organization: N/A
Name: Stichting OpenTLD WHOIS Proxy
Address: Keizersgracht 213
Zipcode: 1016DT
City: Amsterdam
State: Noord-Holland
Country: Netherlands
Phone: +31205315729
Fax: +31205315721
E-mail: 6af4ff40cd7d5586.shielded@idshield.tk
while http://signer.my.ga/cgi-bin/whois yields...
Quote
Owner contact
Company name (optional) Stichting OpenTLD WHOIS Proxy
Name Registrant of GOOGLE-ANALYTICS.GA
Address Danzigerkade 23D
Zip / Postal code 1013 AP
City Amsterdam
State/province NL-NH
Country NL
Phone number +31-205315726
Fax number +31-205315721
E-mail address 6af4ff40cd7d5586.shielded@idshield.tk
An http://website.informer.com/Stichting+OpenTLD+WHOIS+Proxy.html shows the top domains of this owner contain some less than savoury sites.
I know the whois data is probably shielded but all the same...

Riva

This all seems to have gone silent now. Are people still getting re-directed or has the problem/cause been found and fixed?

I could swear I just saw this site link out to virus total but no logging turned on to confirm this.

ballscrewbob

Not heard or seen anything.

I could swear my feet hung out of bed so I got up to check...
Virus total is a safe site anyway..

Riva

Quote
Virus total is a safe site anyway..
Yes I know it is but I have never noticed this before so maybe the admins are sitting up and taking notice or found the problem/cause and quietly fixed it.
