jmar83

Is your site compromised??

9 posts in this topic

Hi there!

The download link points to http://www.presettourssigns.com/51OgNLwuISr_DGBFNwULnu3Cwidg02_X7jwjFE4gIFRHJDTlkAL2GpYtbZkiR7+0n5zkbgUQvvBu37h6z8RgWybvVj++l6V1o_q896g3HPCxuNtNAyPlJfTD7CyhTYkyKkwN+OrHvRNeUoL2RN2sT_j5bGsKU1WR0QYyeQi4Hz_vRJS7XTkX2WzUAwydQDcHRBxqASnI-GyYAAEQ3F5vGrg5MZ_gJNiCiyOKQDLDPlrjEZMXOwxztw7uoloYD-e that must be wrong...?

I don't think it's a client-side (spyware) problem which changes that link, because it's on both of my computers...

 

Regards,

Jan


No, it is not compromised.. it is called advertising.. doing all of this costs money...


FYI for me the download link was blocked by F-Secure by default. It seems to have some objections against presettourssigns.com.


I see it is centralheadrepository.com now.

Both of these sites are registered to Communigal Communication Ltd in Israel.

Seeing as how this CD/DVD burning site is on a TLD from Sweden, and has nothing to do with "Central Head Repository" nor "Pre Set Tours Signs" (whatever those are), I assume something is seriously wrong.

It also doesn't seem to be connected to the ad/junkware from installCore, since they already have their own (unrelated) domain.

This seems to be for the sole purpose of (at the control of the attacker) replacing the normal installer download with any other download they want (or taking you to a site to attack your browser with exploits). The randomized domain names seem to be for the purpose of evading virus detection. I have now submitted them for detection, hopefully someone will clean up this site's download link.

Remember to check the digital signature on any software you download! (only trust that software as much as you trust the signer)

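A site operator can catch a swapped or third-party download link with a check like the one below. It is an added example, not part of the original posts; the hosts `burner.example` and `download.example`, the page markup and the `PLACEHOLDER_TOKEN` path are constructed, and only presettourssigns.com comes from the thread.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample data: the site's own hosts and markup are placeholders.
PAGE_URL = "https://burner.example/download.html"
TRUSTED_HOSTS = {"burner.example", "download.example"}
SAMPLE_HTML = """
<a href="/changelog.html">Changelog</a>
<a class="dl" href="http://www.presettourssigns.com/PLACEHOLDER_TOKEN">Download</a>
<a class="dl" href="https://download.example/setup.exe">Mirror</a>
<a href="mailto:support@burner.example">Contact</a>
"""


class LinkCollector(HTMLParser):
    """Collects the href of every <a> tag in the page."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            href = dict(attrs).get("href")
            if href:
                self.hrefs.append(href)


def audit_links(html, page_url, trusted_hosts):
    """Return (url, reason) for each web link that leaves the trusted hosts or drops TLS."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href in collector.hrefs:
        url = urljoin(page_url, href)  # resolve relative links against the page
        parts = urlsplit(url)
        if parts.scheme not in ("http", "https"):
            continue  # mailto: and similar schemes are out of scope here
        host = (parts.hostname or "").lower()
        if host not in trusted_hosts:
            findings.append((url, "off-site host: " + host))
        elif parts.scheme != "https":
            findings.append((url, "trusted host over plain http"))
    return findings


if __name__ == "__main__":
    for url, reason in audit_links(SAMPLE_HTML, PAGE_URL, TRUSTED_HOSTS):
        print(reason, "->", url)
```

Run on a schedule against the live page, a non-empty result signals that a link changed without the operator's knowledge, whether through an ad network or a compromise.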
18 hours ago, schmeffn said:

This seems to be for the sole purpose of (at the control of the attacker) replacing the normal installer download with any other download they want (or taking you to a site to attack your browser with exploits).

Why would they ever do that? 

18 hours ago, schmeffn said:

I assume something is seriously wrong.

Nope. 

7 hours ago, floele said:
On 7/14/2017 at 4:06 PM, schmeffn said:

This seems to be for the sole purpose of (at the control of the attacker) replacing the normal installer download with any other download they want (or taking you to a site to attack your browser with exploits).

Why would they ever do that? 

Why would attackers, after breaking into a site and modifying a popular link to point to a suspicious unidentified site, continue on and do as they please (attacking those who use the link)? After breaking into a house or bank why does a burglar steal anything before leaving? After forging a check why does a forger try to cash the check rather than just shredding it?

I didn't think I would have to explain the motives of cyber bad guys. Mostly their motives are to steal things of value. Compromising a computer by malware download or malware via exploit potentially allows them access to things of value on a computer.

So I take it you know why multiple rotating obfuscated URLs are on your download page? Domain names that appear to be randomly generated nonsense.

I dug up some closely tied examples:

19 minutes ago, schmeffn said:

Why would attackers, after breaking into a site and modifying a popular link to point to a suspicious unidentified site, continue on and do as they please (attacking those who use the link)?

Actual attackers, sure. But there aren't any so I'm not quite sure what your concern is currently.

On 7/15/2017 at 6:54 PM, floele said:

Actual attackers, sure. But there aren't any so I'm not quite sure what your concern is currently.

Maybe I'm not being clear here. What's with the unnecessary, bizarre, and highly suspect domain names on your main download link?

Are you starting a "Central Head Repository"? Selling "Preset Tours Signs"?

One would think that your download link would lead to your download site.


It's just a random domain name that hosts an ad which is shown before downloading. It's not always displayed though and might just work like a direct download link. I didn't decide the domain names being used, the advertisement server is not under my control. It may seem a bit strange but is completely harmless.
