Intrusion Attempts Via Charity Engine

Apastron ID: 2830 Posts: 5
10 Jul 2012 10:27 PM

This is a semi-regular occurance.  Explanation?

andrew.m ID: 3139 Posts: 5
11 Jul 2012 01:31 AM

Is it always from the same location or domain?

That site is compromised for the record, hidden iframe which may be why you're seeing it.

If I were to venture a guess, it's because you've visited a previously compromised site from the same network and they seen you have a port open so they're probing.

Jonathan Brier ID: 159 Posts: 112
11 Jul 2012 05:09 AM

@Apastrom  How often are you seeing these alerts?  We are aware of only a few incidents where a few others have reported an alert such as this.  The Charity Engine web crawling task pulls content from a list of urls using Java and does not visit a site like one would with a browser.  The tasks process the content of the website without displaying.  This is run in an isolated sandbox on your computer.  This is a more safe practice than visiting the website directly.

We are confident that our configuration is protecting Charity Engine participants.  We review these reports for any hint of security risks and will promptly correct them if any do appear (no changes needed yet).  We have no reported incidents of machines becoming compromised after running Charity Engine.

We always encourage participants to make sure sure their computer is up to date with patches and running a firewall and security software to further ensure their system protection.  

I personally recommend Secunia PSI for assisting in patching home windows users.  It is a free program for personal use that scans your installed programs and tells you if there is a security alert for the installed version and even will auto update the programs is you opt into this.  Being patched closes the holes an attack could target.

We realize that there may be some side effects of crawling sites and statistically speaking a Charity Engine web crawling task will visit a compromised site at some time even if we block every known compromised site.  Very few compromised sites will cause this type of alert.  We appologize for this inconveniance and thank you for reporting this event to us.

Let us know how often you are seeing these and if they are from the same domain.  I am alerting out team to this event.

Apastron ID: 2830 Posts: 5
11 Jul 2012 01:52 PM

This was one of seven that hit all at once.  The other two urls last night were:

w#w#w#.#d#j#-#z#e#d#.#d#e & w#w#w#.#g#o#e#l#z#.#d#e

Anyone reading this, do not attempt to visit these sites.

Semi-regular is perhaps stretching it, but I've personally been on the computer when it has happened at least once a week.  It also used to occur on the laptop I had registered with CE, although I've since removed the program from that as it is rarely used.

As Norton keeps a record of practically everything, I can provide you with others if you wish, although I don't particularly want to have to post all of these urls in this thread, so we'll have to look at doing it another way.

Thanks for the advice regarding secunia, I shall look into it.

Jonathan Brier ID: 159 Posts: 112
11 Jul 2012 03:21 PM

Thanks Apastron - You can contact us more privately via our Contact Us form:  

Please do not post any more of the urls in the forums for security reasons... I do thank you for placing the hashes before the letters so it is not recognised as a clickable url.  We may remove the urls provided to prevent anyone from visiting these sites.

You can ignore these blocked attempts as you are safe.  We will discuss this issue further on how we might improve further the experince of participating in Charity Engine.

James ID: 2513 Posts: 1
13 Jul 2012 07:23 PM

I've been getting the same errors, ever so often in Kaspersky. Was wondering why it was doing it.

Jonathan Brier ID: 159 Posts: 112
13 Jul 2012 08:32 PM

Hi James  

We want to make participation as non invasive as possible... these alerts do not conform with the level of service we want to provide.  Seeing as more users are informing us that these alerts are occuring.  

We decided to suspend the web crawling indexing and it is rolling out to participant computers over the next few days.  These alerts should no longer be bothering participants.  Thank you for letting us know this is happening.  

The only way we can make Charity Engine better is with help of the participants.  Keep the feedback coming!

vm1990 ID: 2547 Posts: 16
15 Jul 2012 02:47 AM

hmmm intresting i dont recognise the url as a project one might be worth running a virus check warning have been poping up on most of my java installed computer even ones without CE think either someones found a back door in java or AV are picking up a false positive. ill get a looking tomorow when im at work on the dumby machines

but the fact the AV has blocked it is a good sign


also noticed some activity in my kaspersky logs mostly program changes which is normal for CE and Boinc as each time it downloads a new task set its a new program running kaspersky just restricts them which is fine as for any hack attacks id run virus check and change you ip addresses (turn router off wait 5 mins turn router back on) this should re asign you ip address