

seaman
Premium
join:2000-12-08
Seattle, WA

Is this website compromised?

I get this security warning repeatedly when I attempt to access this site. I tested on both FF19 and IE10 and get the same result. It seems like each frame (or button) generates this warning before it will load. Any thoughts?

Edit: headlines salon dot com

mysec
Premium
join:2005-11-29
kudos:4

1 edit
The application that wants to run is Java:




The connection out IP address in the firewall alert is the site's own, so it's possible that the site uses a Java applet to load stuff.

I couldn't find anything about farid-send [dot] com

EDIT: When I permitted the outbound connection, buttons loaded on the left side:




My Opera browser doesn't have the latest Java plug-in, so placeholders appear:



----
rich


seaman
Premium
join:2000-12-08
Seattle, WA
mysec, very helpful observations, thanks. When I allow the app to run then selected content starts to load. It seems like I have to grant permission for each button/photo. Is it possible that this is just a very outdated website and my java settings are set on "paranoid"?

mysec
Premium
join:2005-11-29
kudos:4

1 recommendation

I don't know much about Java at all, except that the exploits are easily blocked with proper security policies in place.

I was not aware that Java applets on a web site needed to use the application executable to connect out.

By the way, I found that farid-send {dot} com is the same site, so everything looks legitimate:

Headlinessalon.com - Whois Information
We include detailed information like the server IP Address which is 209.237.150.20.
Headlinessalon.com resides at Web.com in Jacksonville, FL, United States.
-----------------------------------
farid-send.com
Location of the Host IP address
209.237.150.20:
Jacksonville in United States
 

----
rich


seaman
Premium
join:2000-12-08
Seattle, WA
said by mysec:

By the way, I found that farid-send {dot} com is the same site, so everything looks legitimate:

Nice work, thanks for connecting that!

mysec
Premium
join:2005-11-29
kudos:4
You are welcome!

I had a chance to take a peek at the code, and each of the buttons is loaded via the Java Applet. For example, the "Home" button, showing the home page URL:

<applet code="fphover.class" codebase="_fpclass/" > 
<param name="url" value="home.htm" valuetype="ref"> 
 

----
rich
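An added example, not part of mysec's post or the site's own code: a Python sketch that lists each `<applet>` a page embeds, where its class file would be fetched from, and whether that is the page's own host. Only the first applet's attributes come from the post; the host names, `services.htm`, `Banner.class` and the closing tags are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

class AppletInventory(HTMLParser):
    """Collect every <applet> tag and its <param> children from a page."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.applets = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "applet":
            # The class file is fetched relative to codebase, which is
            # itself resolved against the URL of the embedding page.
            codebase = attrs.get("codebase") or ""
            if codebase and not codebase.endswith("/"):
                codebase += "/"
            base = urljoin(self.page_url, codebase)
            class_url = urljoin(base, attrs.get("code") or "")
            same = urlparse(class_url).hostname == urlparse(self.page_url).hostname
            self._current = {"code": attrs.get("code"), "class_url": class_url,
                             "same_host": same, "params": {}}
            self.applets.append(self._current)
        elif tag == "param" and self._current is not None:
            self._current["params"][attrs.get("name")] = attrs.get("value")

    def handle_endtag(self, tag):
        if tag == "applet":
            self._current = None

def inventory(html, page_url):
    parser = AppletInventory(page_url)
    parser.feed(html)
    parser.close()
    return parser.applets

# Constructed sample: the first applet mirrors the post, the rest are made up.
SAMPLE_URL = "http://site.example/index.htm"
SAMPLE_HTML = """
<applet code="fphover.class" codebase="_fpclass/" >
<param name="url" value="home.htm" valuetype="ref">
</applet>
<applet code="fphover.class" codebase="_fpclass/">
<param name="url" value="services.htm" valuetype="ref">
</applet>
<applet code="Banner.class" codebase="http://other.example/classes"></applet>
"""

if __name__ == "__main__":
    for a in inventory(SAMPLE_HTML, SAMPLE_URL):
        origin = "same host" if a["same_host"] else "OTHER HOST"
        print(f'{a["class_url"]}  [{origin}]  params={a["params"]}')
```
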

redwolfe_98
Premium
join:2001-06-11
kudos:1
Reviews:
·Time Warner Cable

4 edits
reply to seaman
it is "funny" that, now, any time one sees java trying to run, one has to ask "has this website been compromised?"..

a better question would be "should i take a huge risk by allowing java to run?"

note that, on rich's computer, it didn't matter that the "java plugin" is not installed, for his "opera" browser..java ran anyway..

p.s. rich, i am surprised that you are running the "old" kerio firewall.. i used it for many years but i started having problems with it, a while back.. i always thought that the problem was caused by one of MS's windows updates..

mysec
Premium
join:2005-11-29
kudos:4
said by redwolfe_98:

it is "funny" that, now, any time one sees java trying to run, one has to ask "has this website been compromised?"..

a better question would be "should i take a huge risk by allowing java to run?"


For sure! This is the first time I've seen an instance where the Java executable connects out to run its applet...

note that, on rich's computer, it didn't matter that the "java plugin" is not installed, for his "opera" browser..java ran anyway..


No, it didn't run in Opera - Opera displayed placeholders, which did not do anything when clicked.

Java ran in Firefox, which gave the alert.

p.s. rich, i am surprised that you are running the "old" kerio firewall.. i used it for many years but i started having problems with it, a while back.. i always thought that the problem was caused by one of MS's windows updates..


I've never had any problems with it.

----
rich

redwolfe_98
Premium
join:2001-06-11
kudos:1
Reviews:
·Time Warner Cable

2 edits
reply to seaman
seaman, i am wondering if you are using the latest version of java? i think that the alert that pops up, with the latest version of java, has the java icon.. maybe the difference is that, in one case, there is no "certificate" while, in the other, there is..

the latest version of java 7 is 7.17..

Mele20
Premium
join:2001-06-05
Hilo, HI
kudos:5
reply to seaman
Yep. That site has got to change because Java now will give that alert on EVERY FRAME on that site. No one will stay on that site as bad as it is now.
--
When governments fear people, there is liberty. When the people fear the government, there is tyranny. Thomas Jefferson


rcdailey
Dragoonfly
Premium
join:2005-03-29
Rialto, CA
I get the same warning when I run the Java speed test here at dslreports. I did not get this kind of warning in the past, so it may well have something to do with the latest Java updates.
--
It is easier for a camel to put on a bikini than an old man to thread a needle.

Mele20
Premium
join:2001-06-05
Hilo, HI
kudos:5
That's my point. That site has got to change because Java now will give that alert on EVERY frame on that site (and on any Java invoked on any site).
--
When governments fear people, there is liberty. When the people fear the government, there is tyranny. Thomas Jefferson


Dude111
An Awesome Dude
Premium
join:2003-08-04
USA
kudos:13
reply to Mele20

 

Site looks good to me sweetie

Didn't take long for the applet to load (a couple seconds i would say)

Clicking anything on that menu opens a new tab

Mele20
Premium
join:2001-06-05
Hilo, HI
kudos:5
You don't have IE 10. Try that site on IE 10 on Win 8. It is an UTTER NIGHTMARE. I got the Java warning 11 times in a row when I first went there. I clicked yes to each warning. UGH.

All that did was then allow me to click on the links on the left side. I clicked on the second one which is the picture of the salon that I posted. When I did that, the Java alert appeared 13 more times! I had to click 13 times after already clicking 11 times!!! You think that is acceptable? Clicking 24 times on the Java alert is ok? REALLY?

That site has to change drastically or no one with a modern version of IE, or any other browser, on a current version of Windows will go there.
--
When governments fear people, there is liberty. When the people fear the government, there is tyranny. Thomas Jefferson


seaman
Premium
join:2000-12-08
Seattle, WA
reply to Mele20

Re: Is this website compromised?

said by Mele20:

Yep. That site has got to change because Java now will give that alert on EVERY FRAME on that site. No one will stay on that site as bad as it is now.

Agreed! My hunch is that this site was developed back when Java was new and cool and hasn't been updated since.


seaman
Premium
join:2000-12-08
Seattle, WA
reply to redwolfe_98
said by redwolfe_98:

seaman, i am wondering if you are using the latest version of java?

Yes, I am using 7.17 and I think your point about no cert is probably right.

btw- my Java security is on "High" which I now realize is an oxymoron.


Dude111
An Awesome Dude
Premium
join:2003-08-04
USA
kudos:13
reply to Mele20

 

Oh my Mele, I'm sorry this is going on!!

Do you get java alerts ON ANY PAGE with that new java version??

Try this game and see: »glenn.sanson.free.fr/fb/play.html

redwolfe_98
Premium
join:2001-06-11
kudos:1
reply to seaman

Re: Is this website compromised?

i think dude111 is using the old java 6.x version which doesn't have the warnings..

one could lower java 7's security-level and then not have the popups..


rcdailey
Dragoonfly
Premium
join:2005-03-29
Rialto, CA

1 edit
reply to Dude111

Re:  

FWIW, I also got that security warning for that site you gave a link to, but before that, Chrome asked for permission to run Java. So, I got two warnings for that. Did not try IE, and I have XP Pro, so IE10 is not applicable.

I had disabled the security warning I got for the java speedtest here at dslreports, so that seems to be a specific disabling and not general. That's good to know, since I generally don't run any Java except here.
--
It is easier for a camel to put on a bikini than an old man to thread a needle.

mysec
Premium
join:2005-11-29
kudos:4
reply to redwolfe_98

Re: Is this website compromised?

said by redwolfe_98:

it is "funny" that, now, any time one sees java trying to run, one has to ask "has this website been compromised?"..

a better question would be "should i take a huge risk by allowing java to run?"


redwolfe_98,

In looking at my earlier post in response to these questions, I see there could be some misunderstanding.

I wrote, "For sure," referring to your first question, not the second!

To those who have looked at this site, if you went there from a Search, or from a recommendation from someone, and you saw your pop ups, how would you respond, not knowing anything about this site?

By the way, am I the only one who got a firewall alert for the Java executable attempting to connect out?

I get it again this morning -- as you can see the navigation bar is blank because the buttons are loaded by the Java Applet, which hasn't been given permission to run. (I have Java 6 on my WinXP SP3 laptop.)



----
rich

Mele20
Premium
join:2001-06-05
Hilo, HI
kudos:5
reply to Dude111

Re:  

Oracle has made it so that there will now ALWAYS be at least one alert on any page that has a Java applet. I get ONE alert at that game page. One is fine....it was the excessive number at the hair salon site that was so bad and the excessive number there is due to how that site is set up.
--
When governments fear people, there is liberty. When the people fear the government, there is tyranny. Thomas Jefferson


Dude111
An Awesome Dude
Premium
join:2003-08-04
USA
kudos:13
Is there a way of disabling the alert Mele? (Check under SECURITY and see if you can disable the SW alerting you of a site calling it)


NetFixer
Bah Humbug
Premium
join:2004-06-24
The Boro
Reviews:
·Cingular Wireless
·Comcast Business..
·Vonage
reply to Mele20
said by Mele20:

Oracle has made it so that there will now ALWAYS be at least one alert on any page that has a Java applet. I get ONE alert at that game page. One is fine....it was the excessive number at the hair salon site that was so bad and the excessive number there is due to how that site is set up.

Actually, it is site (and Java applet) specific. You can tell the Java run time executable to always allow specific applets from specific sites. Until I did that for the internal web server in my HP print server (shown below), I got the warning popups for almost every mouse click, but after explicitly allowing that site (and all of its individual Java applets), I no longer get the warning popups. Of course the warning popups do occur for sites/applets that have not been white listed by me, and there are very few external sites that I would consider white listing (in fact, there are none at this time).




Prior to white listing that HP admin site and its Java applets, I would get six popups when just the index page was loading (and many, many more if I actually tried to look at any status page or make any changes).
--
A well-regulated militia, being necessary to the security of a free State, the right of the people to keep and bear arms shall not be infringed.

When governments fear people, there is liberty. When the people fear the government, there is tyranny.

Mele20
Premium
join:2001-06-05
Hilo, HI
kudos:5
I realize you can whitelist and that is fine for some program you own (like I would probably have to do if I were to install MySpeed on a Win 8 computer) but white list websites? Nah. That salon site needs to be updated.
--
When governments fear people, there is liberty. When the people fear the government, there is tyranny. Thomas Jefferson