Chuck P

The current TrainMasters website is having some weird redirect problems, suggesting some kind of hacking attack -- we're working on it. In the meantime, we do have a new TMTV website we've been working on and it does not have this issue. If you would like to get access to the new site, just request it here:

https://trainmasters.uscreen.io/pages/contact-us

Select Move to the new site.


Quote:

I went to TMTV just now and Symantec stops the page as a malicious attack. The resulting URL is hardmoney12.agency blah blah blah.

Be careful!

UPDATE: See below, the problems continue and are intermittent.

HO - Western New York - 1987 era
"When your memories are greater than your dreams, joy will begin to fade."
JC Shall

Have Seen This Problem

For several months now I've had Norton's AV block the site, listing some nefarious website.  If I click my link another time, then the site comes up fine.  I don't know if there is someone out there that has hacked the site, or if Norton (Symantec) has a "false positive" for the TMTV site.

Edit:  just tried the site again and was blocked.  Norton lists the website sweeps9780.hardmonday89.agency (5.189.252.12,80) as attacking the site.  Clicking on the TMTV link another time gets me in to TMTV.

Dave K skiloff

In my experience

I won't use Symantec.  Years ago we had far too many problems with the anti-virus stopping things that were not a threat.  While I'm not suggesting "there is nothing to see here," I would wait for further investigation before pronouncing that TMTV has been hacked.

Dave
Playing around in HO and N scale since 1976

joef

Proof TMTV site is totally okay and clean

TMTV is fine and I can prove it. I ran several online hack checkers against the site, and they all come back green and no threats or damage.

Bottom line, Chuck's machine has been infected with malware and Symantec is giving a false positive -- time to get it thoroughly cleaned with good malware removal software (not Symantec).
 
See the tests below, with the URLs so you can duplicate the tests and see for yourself -- just enter trainmasters.tv.

GOOGLE SAFE BROWSING STATUS

NORTON SAFE WEB TEST

VIRUS TOTAL

This site runs a slew of tests using dozens of site testers, and they all come back green. No threats, no compromises.

[image: work6(2).jpg]

Joe Fugate​
Publisher, Model Railroad Hobbyist magazine

joef

Is anyone else seeing the TMTV site as a problem?

In my experience, anti-virus checkers can see false positives at times. Is anyone else getting a warning with the TMTV website?

Joe Fugate​
Publisher, Model Railroad Hobbyist magazine

Chuck P

It's fine now but not earlier

The second poster here posted the IP and URL it gave, which I had left off.

It was not just me that had the issue. It was early this AM. It runs fine now and I connect. Your testing doesn't say "looks good now but at 7AM it was messed up." Your testing shows okay NOW as it is okay NOW.

I don't need the public patronizing about "Chuck's PC is full of Malware. Better get it cleaned up". I've worked corp IT for 30 years. I'm fully aware of what I'm talking about. It also affected my iPhone on the cellular network (not wifi). Is that full of malware too? Hardly.

 

 

HO - Western New York - 1987 era
"When your memories are greater than your dreams, joy will begin to fade."
Chuck P

PLEASE SEE THE 2nd POST

that people keep skipping over.

It was earlier this AM and seems fine now. The second poster listed the IP and URL. Obviously another person saw the issue.

HO - Western New York - 1987 era
"When your memories are greater than your dreams, joy will begin to fade."
joef

Okay

Quote:

I don't need the public patronizing about "Chuck's PC is full of Malware. Better get it cleaned up". I've worked corp IT for 30 years. I'm fully aware of what I'm talking about. It also affected my iPhone. Is that full of malware too? Hardly.

Okay, we accept that. At least it got cleaned up quickly then by our hosting provider -- they must have been attacked.

Joe Fugate​
Publisher, Model Railroad Hobbyist magazine

GNNPNUT

Selecting on the TMTV site, I

Selecting on the TMTV site, I got redirected to the following site:

http://play2449.freeyourfriday89.agency/?utm_campaign=bKMuT7EMVXU5Z6UvvSHONGlfu-yV43iC8T8uYixAFxs1&t=main9_c3040fad4d1b0a6e036d

Norton flags it as a malicious site.  I closed out and reselected the link thru the web site, and it worked fine the second time. 

Had this same problem a couple of weeks ago.

Regards,

GNNPNUT

joef

Sounds more like Norton has been hacked ...

Quote:

Selecting on the TMTV site, I got redirected to the following site:

http://play2449.freeyourfriday89.agency/?utm_campaign=bKMuT7EMVXU5Z6UvvS...

Norton flags it as a malicious site. I closed out and reselected the link thru the web site, and it worked fine the second time.

Had this same problem a couple of weeks ago.

Sounds more like Norton has been hacked:
https://gizmodo.com/antivirus-makers-confirm-and-deny-getting-breached-afte-1834725136

Joe Fugate​
Publisher, Model Railroad Hobbyist magazine

Chuck P

The antivirus article

was not about a breach of the data for what is being seen here.

My Mac and iPhone have no anti-virus at all and saw the same thing.

Your upstream provider has issues. Maybe not your issue directly, but it affects you.

HO - Western New York - 1987 era
"When your memories are greater than your dreams, joy will begin to fade."
GNNPNUT

Maybe, but how do you explain that..............................

TMTV is the only site that has an issue on my computer.  No other site nets this result. 

Regards,

GNNPNUT

Yaron Bandell ybandell

Norton Hacked

Even though it might appear that Norton was hacked, it doesn't automatically mean that the system they use to create browser plug-ins that look if a URL is safe or not would be compromised as well. I highly doubt that to be the case as it would be an easy give away that you hacked a company and thus throw away your "hard earned hacking work" for a few hours worth of redirects to websites with ad revenue (which likely will be blocked/confiscated by the Googles etc anyways when they find out).

There could be other (easier) reasons why some people are seeing issues with TMTV access and being redirected to bad URLs. DNS hijack could be one of them. This could be either the TMTV DNS, the end-users ISP DNS or any other DNS server in between in the path of name-to-IP resolution. A compromised ISP Proxy Server is another vector to consider or the end-user browser had a proxy configured by malware.

Unfortunately there is no easy way to determine where the problem is coming from, without all parties looking directly at actual settings on their respective sides. Relying on outside tools to verify is a fast way to check, but in no way a fool proof substitute for detecting a potential breach on the actual server itself. This is why there is such a debate on which anti-virus application is better: they all have detection rates in the very upper 90%, but none is fool proof. Website scanners can't be fool proof either. If I was a hacker, the first thing I would do is figure out how I, within my malicious code, can detect if a site visit is coming from one of those scanning sites and ensure my malicious code responds in a normal fashion to avoid detection and alerting from such service.

joef

Maybe

Quote:

My Mac and iPhone have no anti-virus at all and saw the same thing.

Your upstream provider has issues. Maybe not your issue directly, but it affects you.

Maybe -- I have a tech session open with our ISP right now ... we can't recreate the problem no matter what.

I do have to ask, on your Mac and iPhone, did you go through your WiFi, or did you go through 3G/4G -- in other words, did you completely sidestep your own network?

Joe Fugate​
Publisher, Model Railroad Hobbyist magazine

Yaron Bandell ybandell

side step network

Joe, that is a very good question to ask.

A while back I was having issues with being able to reach certain websites and it ended up being the ISP DNS servers that were having issues resolving names for me. After changing my WiFi router to use a static DNS server from an outside service (like opendns) I was able to get to my intended website.

I have also seen that WiFi routers can be set up to do deep packet inspection and alter the URL you are going to. It is very well possible that particular WiFi routers are being targeted right now and instructed to rewrite/redirect URLs to malicious sites. This issue might be solved as easily as powering down the router and powering it back on, but some hacks even re-program the firmware making it so the malicious code can survive such reboots. If it doesn't survive a reboot, there is always the chance that within minutes the router is compromised again unless the firmware is updated to patch whatever vulnerability is being used to compromise the device in the first place.

The above is why I typically bring my phone into LTE mode only (disable WiFi) and try from there to test a completely different network path.

GNNPNUT

I just did a quick scan with Norton

and it flagged 14 tracking cookies for deletion.  Again went and tried the TMTV site, and it loaded fine. 

I'll try a few more times later today. 

I'm not the most savvy computer user, but if you need me to check any settings, please LMK. 

Regards.

GNNPNUT

 

joef

A malicious cookie ... ?

Quote:

i just did a quick scan with Norton and it flagged 14 tracking cookies for deletion. Again went and tried the TMTV site, and it loaded fine.

Wow, a malicious cookie? Our ISP is running a deep scan now for malware.

When we get odd behavior, we try side-stepping our network completely using a tablet or phone and doing LTE on the mobile device. That completely bypasses our own network and will quickly tell us if the issue is in our network somewhere.

A network can be corrupted and it will cause all manner of odd error warnings. Much of the time when people have reported to us our site is acting weird getting them to do a total network reset solves it.

Joe Fugate​
Publisher, Model Railroad Hobbyist magazine

Ken Rice

Malicious ad?

I'm not logged into TMTV now so I don't remember if it has ads or not.

But the redirect to some random ad site behavior described above is exactly what's been happening to rcgroups.com with google ads.  Some bad actors occasionally manage to get a malicious ad past google, and by targeting it to a site with less traffic (e.g. rcgroups, not the nytimes), they manage to get away with it for a while.  The way the ad works is the javascript in it redirects the entire page to the ad site.  In the rcgroups case the ad was more subtle - the ad buys are apparently only for mobile devices (as checked by the browser user agent string that gets sent by the browser with each request), so on a desktop with proper debugging tools you could never catch the problem ads.

Anyway, point is, if there are ads, suspect them.

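The three explanations raised in this thread (a hijacked DNS path, a router rewriting URLs, and a User-Agent-targeted redirect) can all be separated by comparing what different vantage points see. The script below is an added example, not code from this thread or from TMTV: the resolver answers and redirect chains in it are constructed, with 192.0.2.0/24 and 198.51.100.0/24 documentation addresses standing in for real ones, and a live run would fill them in from a WiFi and an LTE connection as the posters did by hand.

```python
from collections import Counter
from urllib.parse import urlsplit


def registrable(host):
    """Crude eTLD+1 (last two labels): fine for .tv/.agency, wrong for co.uk."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:])


def offsite_hops(chain, expected_host):
    """Hops in a redirect chain whose host leaves the expected domain."""
    expected = registrable(expected_host)
    return [u for u in chain if registrable(urlsplit(u).hostname or "") != expected]


def dns_disagreement(answers):
    """answers: {resolver: set of IPs}. Resolvers whose answer differs from the
    majority answer are candidates for a hijacked resolution path."""
    majority, _ = Counter(frozenset(v) for v in answers.values()).most_common(1)[0]
    return sorted(r for r, v in answers.items() if frozenset(v) != majority)


def ua_dependent(observations, expected_host):
    """observations: {user_agent: chain}. True when only some User-Agents are
    sent off-site, the pattern a mobile-only malicious ad produces."""
    flags = {bool(offsite_hops(c, expected_host)) for c in observations.values()}
    return len(flags) > 1


# Constructed sample data (not real measurements). The .agency URL is the one
# quoted in the thread; the IP addresses are documentation ranges.
SITE = "trainmasters.tv"
DNS_ANSWERS = {
    "isp_resolver_wifi": {"192.0.2.10"},
    "opendns_wifi": {"192.0.2.10"},
    "lte_carrier": {"192.0.2.10"},
    "home_router": {"198.51.100.7"},  # the odd one out
}
CHAINS = {
    "desktop_browser": ["https://trainmasters.tv/"],
    "iphone_safari": ["https://trainmasters.tv/",
                      "http://play2449.freeyourfriday89.agency/?utm_campaign=x"],
    "scanner_bot": ["https://trainmasters.tv/"],
}

if __name__ == "__main__":
    print("resolvers disagreeing with majority:", dns_disagreement(DNS_ANSWERS))
    for ua, chain in CHAINS.items():
        print(ua, "->", offsite_hops(chain, SITE) or "stays on site")
    print("redirect depends on User-Agent:", ua_dependent(CHAINS, SITE))
```

A resolver that disagrees with the rest points at the DNS path; an off-site hop that appears only for some User-Agents points at content served to the browser rather than at name resolution.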
joef

No ads

TMTV doesn't do ads. However, in checking the logs on the server, there are three "malicious browser" attacks from the same IP address in the last four hours and the IP is located on the US East coast. The malicious browser attacks were blocked.

Joe Fugate​
Publisher, Model Railroad Hobbyist magazine

joef

TMTV ISP deep scan results

The TMTV hosting malware deep scan is done and the results are in. The production TMTV website is clean. Soooo, if any further warnings occur, that means something on your local end is corrupted somehow -- it may not be your device itself if other devices also register the issue. It could be something in your local network is corrupted, like in a router. As for why it only affects TMTV, we've seen corruptions in a router that only affect certain target IPs.

Joe Fugate​
Publisher, Model Railroad Hobbyist magazine

Yaron Bandell ybandell

Joe, there might be a problem again with TMTV

Joe, just minutes ago (around 9am eastern) I was heading to TMTV to subscribe with that great deal and I was greeted after clicking on the deal image in the TMTV deal post on MRH with the following:

[image: TV_issue.png]

Then like earlier posters stated, when they go to the site again it loads just fine. I can't replicate it on my PC and can't replicate it on my work PC or on my cell in cell-mode only. I was going to run with a tcpdump and HTTP header logger in my browser to see where this is coming from, but since I can't replicate it now it won't do any good...

Looking at my browser history it looks like the URLs I got redirected to by the TMTV website are these last two in my history (pardon the language in the URL):

[image: V_Issue2.PNG]

 

RSeiler

Me too...

I have to click on TMTV, get directed to the malicious site, back out, click again and it's fine. Been going on for the last couple weeks. 

No problem on any other site. 

Randy

Cincinnati West -  B&O/PC  Summer 1975

http://model-railroad-hobbyist.com/node/17997

joef

Then let's move you two gents

Okay, then let's move you two gents to the new TMTV site that will be doing a grand opening launch in probably a month. The new site is close enough to finished that we can move you over and you can tell us if you're getting the same problem on the new site. Watch for an email inviting you to the new site. You will need to accept the link and then set up a new login over there -- and then you should be good. New site invite coming your way! The new site has a temp URL until we make the switch: https://trainmasters.uscreen.io

Joe Fugate​
Publisher, Model Railroad Hobbyist magazine

RSeiler

First time, no problem

Thanks, Joe. I logged on just now and it signed on with no trouble. Looks nice.  I'll try to remember to try again when I get home and I'll let you know how that goes. 

Randy

Cincinnati West -  B&O/PC  Summer 1975

http://model-railroad-hobbyist.com/node/17997

joef

The new site

Quote:

Thanks, Joe. I logged on just now and it signed on with no trouble. Looks nice. I'll try to remember to try again when I get home and I'll let you know how that goes.

That's great.

The new site has an improved player with more features planned soon such as remembering where you left off when watching a video.

The new site will also have a Roku app, Samsung smart TV app and mobile apps. And the new site includes the ability to do and post live videos -- so TMTV live will be coming ...

Joe Fugate​
Publisher, Model Railroad Hobbyist magazine
