Puddintan3

Possible Hijacker when Downloading Plugins


I tried to give you two .png files showing the problem, but a 256KB total limit? Seriously? Less than a 3-1/2" floppy?

No crash log for this problem.

 

I suspect there may be malware sneaking in when downloading some of the plugins. A real nasty hijacker known as "amazonaws[dot]com" or "S3.amazonaws.com". I've tried several scanners, and NONE have found it so I can remove it. Chrome and Firefox on my Android phone, Chrome, Firefox, and Edge on my Windows 10 Home PC all show symptoms of this hijacker. I am still searching for the bugger. I am fairly certain I got bad files where the plugin was in someone's Dropbox, but since I didn't notice for a while, I'm not sure that is the only place. See the image for a plugin that does this every time for me.

 

I'm not sure what else to tell you for now, but please contact me if I can do anything else. I'd hate for other PDN users to get this nasty problem.

Paint dot net error.PNG


Here is the other image referenced. I did a reset on my LG phone and installed Chrome as plain vanilla as possible. I did NOT get hijacked and was able to download both zips to my phone, then transferred them to my PC nice and clean.

 

Paint dot net error BAD SITE.PNG


Hello @Puddintan3, you can also store your images on a host site such as Imgur or postimages.org and then copy the URLs over to your thread.

 

I have just checked those links and they downloaded perfectly for me, without any diversions as you describe. This leads me to suspect you do indeed have a virus lurking and you really need to do a thorough test on your computer.


s3.amazonaws.com is an Amazon Web Services server the Invision forum is using to serve attachment downloads as part of the Invision Community in Cloud service.

IMO it is quite safe and not a hijacker of some kind.

Edited by Zagna
  • Upvote 1


I've read that it can also be a virus:

 

How to remove S3.amazonaws.com Adware (Virus Removal Guide) ... S3.amazonaws.com is a legitimate and safe content delivery network owned by Amazon, however cyber criminals are abusing this CDN to deliver malicious content. This S3.amazonaws.com redirect is usually caused by adware installed on your computer.


Just giving everyone a chance to double-check before you get this crapware, too. Yes, I have read pages and pages about it. I never had trouble until I downloaded several PDN plugin packages. No telling where it is lurking, but it is a big PIA. I have run scanners and cleaners, and done a new install of Firefox. Still there. Any suggestions welcome!


Other places I need to get to are being diverted to (S3).amazonaws.com. This is a confirmed malware. Read my note. When I reset the phone browser, it went straight to the site in the link, not the hijack page. I get a warning in my browser that this forum page is not safe due to mixed content. It might be hiding right in front of you now. I don't know how to properly scan the PDN forum. This is why I sent an alert.

Perhaps, since there is known criminal activity on S3.amazonaws.com, a cleaner site might be worth looking into. I set my firewall to block all connections to it.

Also, the site certificate here on PDN looks weird to me, but I am no expert on them.

PDN page not secure 4..JPG


There are no infected links going on here. Let's break down the "s3.amazonaws.com" link you are seeing. Note two things: Invision Community makes the software this forum uses, and their cloud service uses Amazon AWS.

 

  • s3.amazonaws.com/ 
  • ips-cic-filestore/ 
  • r125076/
    • I assume this is the forum id for Paint.NET of some kind to separate files from other forums in the filestore.
  • monthly_08_2015/<file name here> 
    • The filestore breaks up uploaded files by months.

 

It is not confirmed malware... Sure, in the general sense someone could use "s3.amazonaws" storage to host malware of their own. However, the service and domain itself are not malware. The file you were downloading is not malware.

 

Amazon AWS is a very popular service used by many sites for storage and other services which is why you would be seeing it everywhere as you navigate the web. You did a scan and nothing turned up because you are fine!
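The URL breakdown in the post above, as an added example that is not part of the original post: it checks that a download host really is an S3 endpoint (not a lookalike) and then pulls out the bucket, which is what identifies whose files these are. The file name `example-plugin.zip`, the extra sample URLs and the function names are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, unquote

# Simplified pattern (assumption): optional "<bucket>." prefix, then the S3
# endpoint "s3", "s3.<region>" or "s3-<region>" directly under amazonaws.com.
_S3_HOST = re.compile(r"^(?:(?P<bucket>.+)\.)?s3(?:[.-][a-z0-9-]+)?\.amazonaws\.com$")


def split_s3_url(url):
    """Return {'bucket', 'key', 'style'} for an S3 URL, or None if it is not one."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return None
    host = (parts.hostname or "").lower().rstrip(".")
    match = _S3_HOST.match(host)
    if match is None:
        return None  # e.g. a lookalike such as s3.amazonaws.com.example.net
    segments = [unquote(s) for s in parts.path.split("/") if s]
    if match.group("bucket"):
        # Virtual-hosted style: the bucket is part of the host name.
        return {"bucket": match.group("bucket"), "key": segments,
                "style": "virtual-hosted"}
    if not segments:
        return None  # bare endpoint, no bucket named
    # Path style (the form seen in this thread): first path segment is the bucket.
    return {"bucket": segments[0], "key": segments[1:], "style": "path"}


def is_expected_download(url, expected_bucket):
    """True only if the URL is on S3 and inside the bucket we expect."""
    info = split_s3_url(url)
    return info is not None and info["bucket"] == expected_bucket


if __name__ == "__main__":
    # Constructed sample URLs; the file names are placeholders.
    samples = [
        "https://s3.amazonaws.com/ips-cic-filestore/r125076/monthly_08_2015/example-plugin.zip",
        "https://ips-cic-filestore.s3.amazonaws.com/r125076/monthly_08_2015/example-plugin.zip",
        "https://s3.amazonaws.com/some-other-bucket/example-plugin.zip",
        "https://s3.amazonaws.com.example.net/ips-cic-filestore/example-plugin.zip",
    ]
    for url in samples:
        print(is_expected_download(url, "ips-cic-filestore"), split_s3_url(url))
```

The first two samples land in the forum's filestore bucket; the third is on S3 but in a different bucket, and the fourth is not an Amazon host at all.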


I carefully researched this before posting. There is a known malware by that name, and that site in particular has been used by criminals to distribute malware. With all of the uploads there, it is likely a hijacker is going to a bad repository on amazonaws. Guess we'll see. Something isn't right somewhere.


BTW:  PDN's security isn't looking healthy right now.

 

 

PDN page not secure 5..JPG

5 hours ago, Puddintan3 said:

I carefully researched this before posting.

 

I'm sorry to say you didn't fully understand what you found in your researching. If you are experiencing symptoms of malware, it's on your end. Perhaps a change in your HOSTS file, or an untrusted root certificate installed in your certificate store.

 

Again, this forum uses S3 for ZIP attachments. Are there criminals who also use S3? Probably.

I'm sure there are criminals who also use the same bank as me. Big deal, that doesn't taint my account, or my money there.

 

5 hours ago, Puddintan3 said:

PDN's security isn't looking healthy right now.

 

It's simply saying that images are being loaded from a 3rd-party domain (imgur.com) through a non-TLS connection. That in no way compromises the encryption of the connection to this site.
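The HOSTS-file check suggested in the post above, as an added example that is not part of the original post: it lists every entry that remaps a non-local host name, separating local block entries from redirects to another address. The sample file content, host names and addresses are constructed; on Windows the real file is `%SystemRoot%\System32\drivers\etc\hosts`.

```python
import ipaddress

# Names that normally appear in a stock hosts file and are not of interest.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost",
               "ip6-localhost", "ip6-loopback"}

# Constructed sample content, not taken from any real machine.
SAMPLE_HOSTS = """\
# constructed sample
127.0.0.1       localhost
::1             localhost
0.0.0.0         ads.example.com      # block entry
203.0.113.45    www.example.org forum.example.org
not-an-ip       update.example.net
"""


def audit_hosts(text):
    """Return [(line_no, address, hostname, kind)] for entries worth reviewing."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0].split("%")[0])  # strip IPv6 zone id
        except ValueError:
            findings.append((line_no, fields[0], "", "unparseable address"))
            continue
        for name in fields[1:]:
            name = name.lower()
            if name in LOCAL_NAMES or "." not in name:
                continue  # the machine's own names
            # Loopback/0.0.0.0 makes the name unreachable; anything else
            # sends the browser to a different server than DNS would.
            kind = "sinkhole" if (ip.is_loopback or ip.is_unspecified) else "redirect"
            findings.append((line_no, str(ip), name, kind))
    return findings


if __name__ == "__main__":
    for finding in audit_hosts(SAMPLE_HOSTS):
        print(finding)
```

Sinkhole entries are often put there by ad blockers or security tools, so they need context; a "redirect" entry for a public site you did not add yourself is the one to investigate.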


Your attempt at helping out is appreciated, but you also need to listen to the findings and advice from others. I don't think anyone else is having these same problems. "These URLs look weird to me" and "I got an error message" does not lead directly to a conclusion of "your site is compromised." You were given additional information from others in this thread and have refused to incorporate it into a second iteration of investigation.

 

I'm locking this thread now.

  • Upvote 2

This topic is now closed to further replies.