Just witnessed a very strange behavior on the Vkontakte site.
Unfortunately, I did not think to take screenshots at that moment.
It demanded a mobile number.
A kind of web gopnik.
Just in case, I am writing a system config:
Mac OS X 10.6.6, Firefox 3.6.13
So: when you try to open Vkontakte on the usual domain vkontakte.ru, a facebox window appeared (output through jQuery), with the text:
')

Thanks to dudeonthehorse for the screenshot.
At the same time, my page opened on a darkened background (i.e. authorization had passed).
I go to the domain vk.com - everything is as before. No windows.
Opened the source vkontakte.ru - there is a page with a frame, where vk.com is loaded, on top of which this window is open.
Pretty weird.
At the same time, when you try to open any page on the vkontakte.ru domain (e.g. /club123456... or /id123456...), the same window opens, in which the frame again loads the vk.com main page.
I open vkontakte.ru through Safari, iPad and phone - everything is the same: an immediate redirect to vk.com.
So I localize the problem to FF only.
We investigate the problem further.
Yandex knows nothing about this.
Google gave one link on the topic, which says that this is an innovation of the administration, which I strongly doubt.
I ping:
vkontakte.ru - leads to 194.28.112.71
vk.com leads to 87.240.188.250
I run the addresses through whois:
IP Address: 194.28.112.71
Country: Moldova, Republic of
Region: Chisinau
City: Rybnitsa
IP Address: 87.240.188.250
Country: Russian Federation
Region: St. Petersburg
City: St. Petersburg
The first is obviously very strange. What does the Vkontakte server do in the city of Rybnitsa of the Republic of Moldova?
I run to the terminal. The /etc/hosts file is unchanged. No new entries.
Go ahead.
Instead of a number I enter 10 random digits.
Through Firebug I traced where it sends the information. The request went to a page (I speak from memory, I don't remember exactly) something like vkontakte.ru/verifycation.php, and the response was a 403 error signed by Apache. Opening this page in the browser gives a white sheet, the same as when trying to open 194.28.112.71 directly.
But back to the window. In the meantime, the information in the window has changed to the following:
SMS .
.
.
: ___________
I again entered a random set of digits and letters. It redirected to vk.com, everything disappeared, and now the domain vkontakte.ru does not open at all: there is an immediate redirect to vk.com.
I could not reproduce the problem again - I cleared the cookies, changed the IP, logged in through a proxy - everything vanished as if it had never happened.
Now I am looking for a way to once again reproduce the situation, to make screenshots and dig additional information.
What we have at the moment:
Instead of the site vkontakte.ru, a Moldovan IP is opened, which requires you to enter a phone number and supposedly sends (I did not check) an SMS with a password to it.
It does not ask you to send anything, i.e. besides the phone number (or gibberish in my case) there is no profit for it.
If it is a virus, it is a rather strange one. What does it do? Collect a database of phone numbers?
If this is a security innovation of the administration, then why is it done so crookedly, and why is it so easy to get past by simply entering random input?
And why did it work only in FF?
In general, much is not yet clear; I am going to sleep, tomorrow I will dig further with a fresh head.
If someone encounters a similar situation, make screenshots, write down the exact address of the page where the request goes, I will add to the post.
I will update the topic as new information becomes available.
UPD: 1. This morning ping was already going to the normal vkontakte.ru server.
2. Judging by the comments, the problem can be reproduced by specifying the IP 194.28.112.71 for the domain vkontakte.ru.
I could not get it to work. Ping goes to 194.28.112.71, but a normal page is displayed.
3. Yesterday I hurried in vain to ascribe the problem only to FF, because other browsers, instead of the normal login to vkontakte.ru, redirected to vk.com; the problem is somewhere deeper.
UPD2: On the same day I could not enter the control panel of the router. The login and password did not fit.
One theory is that someone got remote access to my ASUS WL-500gP router and changed the DNS there.
The firmware is stock; the password for accessing the control panel was changed from the default to my own during configuration.
I did a reset, reconfigured everything again, changed all possible logins and passwords, and changed the wifi encryption.
It is possible that there is some way to reach the router from the outside and change its settings.
The question is, is this a massive problem or are only a few so lucky?
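The ping, whois and /etc/hosts checks above, and the router-DNS theory in UPD2, amount to one client-side test: does the system resolver give the same answer as an independent one? Below is an added example (my own code, not from the post or from Vkontakte) that does that test in Python: it builds a raw A-record query, parses the answer section of the response, checks a hosts-file text for a local override, and flags the case where the two answer sets share no address, which is what a changed DNS setting on the router looks like from a laptop. All function names, the offline response builder and the sample hosts text are my own; the addresses in the usage line are the ones the post reports.

```python
"""DNS-hijack check in the spirit of the post's ping / whois / hosts-file investigation.
Example written for this page; helper names are my own, not from the post or from Vkontakte."""
from __future__ import annotations
import socket
import struct


def build_a_query(name: str, txid: int = 0x1234) -> bytes:
    """Minimal wire-format DNS query for the A record of `name` (RD bit set, one question)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def build_a_response(query: bytes, ips: list[str], ttl: int = 60) -> bytes:
    """Construct a response to `query` carrying the given IPs; used to simulate a resolver offline."""
    txid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(ips), 0, 0)  # QR, RD, RA set; rcode 0
    question = query[12:]
    answers = b"".join(
        # owner name is a compression pointer to offset 12 (the question name)
        b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + socket.inet_aton(ip)
        for ip in ips
    )
    return header + question + answers


def _skip_name(buf: bytes, off: int) -> int:
    """Return the offset just past the (possibly compressed) domain name starting at `off`."""
    while True:
        length = buf[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # a compression pointer is two bytes and ends the name
            return off + 2
        off += 1 + length


def parse_a_answers(resp: bytes) -> list[str]:
    """Return the IPv4 addresses in the answer section of a DNS response (other types ignored)."""
    _txid, _flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    off = 12
    for _ in range(qdcount):
        off = _skip_name(resp, off) + 4  # skip QTYPE and QCLASS
    ips = []
    for _ in range(ancount):
        off = _skip_name(resp, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            ips.append(socket.inet_ntoa(resp[off:off + 4]))
        off += rdlen
    return ips


def query_resolver(name: str, server: str, timeout: float = 3.0) -> list[str]:
    """Ask one specific resolver (UDP/53) for the A records of `name`; needs network access."""
    query = build_a_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, 53))
        resp, _ = sock.recvfrom(4096)
    if resp[:2] != query[:2]:
        raise ValueError("transaction id mismatch: not the answer to our query")
    return parse_a_answers(resp)


def hosts_overrides(hosts_text: str, name: str) -> list[str]:
    """IPs that a hosts-file text maps to `name`; the check the author did by eye on /etc/hosts."""
    found = []
    for line in hosts_text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        ip, *names = line.split()
        if name.lower().rstrip(".") in (n.lower() for n in names):
            found.append(ip)
    return found


def resolution_diverges(system_ips: list[str], reference_ips: list[str]) -> bool:
    """True when the two answer sets share nothing, the pattern of a hijacked resolver.
    A CDN may return different but overlapping sets, so any overlap counts as agreement."""
    return not set(system_ips) & set(reference_ips)


if __name__ == "__main__":
    import sys
    # usage: python dnscheck.py vkontakte.ru 9.9.9.9   (the post saw 194.28.112.71 vs 87.240.188.250)
    name = sys.argv[1] if len(sys.argv) > 1 else "vk.com"
    reference = sys.argv[2] if len(sys.argv) > 2 else "9.9.9.9"  # any independent resolver you trust
    system_ips = sorted({ai[4][0] for ai in socket.getaddrinfo(name, None, socket.AF_INET)})
    reference_ips = query_resolver(name, reference)
    try:
        with open("/etc/hosts") as fh:
            overrides = hosts_overrides(fh.read(), name)
    except OSError:
        overrides = []
    print(f"{name}: system={system_ips} {reference}={reference_ips} hosts={overrides}")
    if overrides:
        print("local hosts-file override present")
    if resolution_diverges(system_ips, reference_ips):
        print("resolver disagreement: check the router's DNS settings and the local resolver config")
```

The reference resolver is queried directly by IP, so the comparison still works when the router's advertised DNS server is the thing under suspicion; a clean hosts file plus a disagreement between the two answers points at the resolver path (router or upstream), which is where the author eventually looked.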
UPD3: Together we came to the conclusion that the purpose of this virus is to subscribe the victim to a paid service: a special code is sent via SMS, and it must be entered in order to activate the subscription.
UPD4: Confirmation has arrived that the Vkontakte administration is not involved in this problem.
User iFrontX sent a correspondence with the head of the Vkontakte press service:
iFrontX | Il'ya Kruglov :
@tsyplukhin - ? habrahabr.ru/blogs/social_networks/112758
tsyplukhin | Vladislav Tsyplukhin :
@iFrontX : - , DNS. , .
tsyplukhin | Vladislav Tsyplukhin :
@iFrontX ( Dr.Web CureIt). , ...
tsyplukhin | Vladislav Tsyplukhin :
@iFrontX ... , DNS- .
iFrontX | Il'ya Kruglov :
@tsyplukhin . , .