TSRA site compromised

[BenGoodLuck]

Does anyone know what's going on with the Texas State Rifle Association's website? Google says it's been compromised:

[The Annoyed Man]

They phoned me about this the day before yesterday (I occasionally help them with their website). I referred them to their webhost. TSRA hasn't yet given me FTP access, so I can't search their hosting account for the corrupted file that does this. All of their meta tag settings are correct within the CMS, so this is either an external file or a corrupted file that is doing this.

They are having the company which handles the NRA website take over their website management soon, so maybe they'll get it clear up.

They are also several generations behind in updates to their CMS, including one that will require a complete rebuild of the site....so maybe this situation will force them to take the actions needed to get on top of things.

[Charles L. Cotton]

I don't have anything to do with the TSRA site, but here is a link to Google's warning. http://support.google.com/websearch/bin ... CHwQpwgwAA" onclick="window.open(this.href);return false;

I've never seen such a warning before. It's interesting that Google makes such a claim without giving the facts to justify scaring people away from a site. I wonder if it has anything to do with it being a gun-related site?

Chas.

[Charles L. Cotton]

They are having the company which handles the NRA website take over their website management soon, so maybe they'll get it clear up.

That's not going to be cheap! We spend a lot on the NRA website.

Chas.

[Jumping Frog]

I don't have anything to do with the TSRA site, but here is a link to Google's warning. http://support.google.com/websearch/bin ... CHwQpwgwAA" onclick="window.open(this.href);return false;

I've never seen such a warning before. It's interesting that Google makes such a claim without giving the facts to justify scaring people away from a site. I wonder if it has anything to do with it being a gun-related site?

Chas.

Ohioans For Concealed Carry website was hit the same way.

If you linked there from google, you got the warning. If you typed the URL directly, there was no problem.

Same way with TSRA. Searching on google or bing is compromised. Enter the URL directly and it goes straight to the website.

[AEA]

Ah so......it's a Google thing!

[The Annoyed Man]

I don't have anything to do with the TSRA site, but here is a link to Google's warning. http://support.google.com/websearch/bin ... CHwQpwgwAA" onclick="window.open(this.href);return false;

I've never seen such a warning before. It's interesting that Google makes such a claim without giving the facts to justify scaring people away from a site. I wonder if it has anything to do with it being a gun-related site?

Chas.

I referred Gail to that page yesterday and told her to follow those instructions. I suppose it is possible that google is pulling some funny business, but I suspect not. I think that the truth is the site has actually gotten something injected into it which is malicious, but without FTP access, and access to the ICD hosting account so that I can look directly at the database, I can't do much to help them.

If I were them, I'd take the whole site down and start over. They're still on Joomla 1.5.20. The latest security release in that development fork is 1.5.26, and the current development fork is already at 2.5.6. The current development fork has a totally different data structure, and is as different from 1.5.x as that one was from 1.0.x. It is also more flexible and more secure. They really need to just start over, but in the meantime, without being willing to invest some money in hiring somebody like me and giving that person the access they need, TSRA's website is dead in the water. And, they are hampered by the need to have the board approve such expenditures, so nothing gets done right away.

[74novaman]

I don't have anything to do with the TSRA site, but here is a link to Google's warning. http://support.google.com/websearch/bin ... CHwQpwgwAA" onclick="window.open(this.href);return false;

I've never seen such a warning before. It's interesting that Google makes such a claim without giving the facts to justify scaring people away from a site. I wonder if it has anything to do with it being a gun-related site?

Chas.

I suppose it is possible that google is pulling some funny business, but I suspect not. I think that the truth is the site has actually gotten something injected into it which is malicious, but without FTP access, and access to the ICD hosting account so that I can look directly at the database, I can't do much to help them.

I agree. I doubt its intentional on googles part, but it could be some lefty programmer type is attacking gun sights with malware.

[pbwalker]

They phoned me about this the day before yesterday (I occasionally help them with their website). I referred them to their webhost. TSRA hasn't yet given me FTP access, so I can't search their hosting account for the corrupted file that does this. All of their meta tag settings are correct within the CMS, so this is either an external file or a corrupted file that is doing this.

They are having the company which handles the NRA website take over their website management soon, so maybe they'll get it clear up.

They are also several generations behind in updates to their CMS, including one that will require a complete rebuild of the site....so maybe this situation will force them to take the actions needed to get on top of things.

Agreed, and I'd also put $5 on it possibly being an issue with the shared hosting provider. The IP address points back to Savvis (hosting provider), and if you attempt to access via http://64.14.78.167" onclick="window.open(this.href);return false;, it directs you to an error page for Sureserver / Suresupport (likely a reseller or v-hoster). It's likely that another site using the same IP is compromised.

[The Annoyed Man]

They phoned me about this the day before yesterday (I occasionally help them with their website). I referred them to their webhost. TSRA hasn't yet given me FTP access, so I can't search their hosting account for the corrupted file that does this. All of their meta tag settings are correct within the CMS, so this is either an external file or a corrupted file that is doing this.

They are having the company which handles the NRA website take over their website management soon, so maybe they'll get it clear up.

They are also several generations behind in updates to their CMS, including one that will require a complete rebuild of the site....so maybe this situation will force them to take the actions needed to get on top of things.

Agreed, and I'd also put $5 on it possibly being an issue with the shared hosting provider. The IP address points back to Savvis (hosting provider), and if you attempt to access via http://64.14.78.167" onclick="window.open(this.href);return false;, it directs you to an error page for Sureserver / Suresupport (likely a reseller or v-hoster). It's likely that another site using the same IP is compromised.

Is Savvis the same as ICD Soft? Because that is who Gail told me is their webhost.

[MeMelYup]

Bing does the same as Google. You click on it and it takes you to the correct website, it appears the titles are just messed up.

[pbwalker]

They phoned me about this the day before yesterday (I occasionally help them with their website). I referred them to their webhost. TSRA hasn't yet given me FTP access, so I can't search their hosting account for the corrupted file that does this. All of their meta tag settings are correct within the CMS, so this is either an external file or a corrupted file that is doing this.

They are having the company which handles the NRA website take over their website management soon, so maybe they'll get it clear up.

They are also several generations behind in updates to their CMS, including one that will require a complete rebuild of the site....so maybe this situation will force them to take the actions needed to get on top of things.

Agreed, and I'd also put $5 on it possibly being an issue with the shared hosting provider. The IP address points back to Savvis (hosting provider), and if you attempt to access via http://64.14.78.167" onclick="window.open(this.href);return false;, it directs you to an error page for Sureserver / Suresupport (likely a reseller or v-hoster). It's likely that another site using the same IP is compromised.

Is Savvis the same as ICD Soft? Because that is who Gail told me is their webhost.

It looks like ICDSoft uses Savvis datacenters (and their IP space apparently) in the US. http://www.icdsoft.com/data.php" onclick="window.open(this.href);return false;

[Charles L. Cotton]

Icdsoft has data centers in Boston, Hong Kong and somewhere in Germany. Unless TSRA changed hosts, they are using Icdsoft.

Chas.

[BenGoodLuck]

Thanks for the suggestion - typing https://www.tsra.com/" onclick="window.open(this.href);return false; takes you to the site.

[Charles L. Cotton]

Thanks for the suggestion - typing https://www.tsra.com/" onclick="window.open(this.href);return false; takes you to the site.

I forgot it was on a secure server. I bet the SSL has expired.

Chas.