
I was browsing with AirVPN running and I saw this HTML injection on a site (see attached InjectedHTML). When I turned off the VPN it was gone (see NoVPN_HTML). This seems to indicate that your VPN node was compromised.

 

Has anyone had this happen, and what does it mean for all of my other private data?

Hello!

 

No, the VPN servers are not compromised. It's that web site that's compromised.

 

You can easily verify that. First of all, have a look here:

https://sitecheck.sucuri.net/results/www.lsri.uic.edu

 

Then, look at how that page appears in Google cache (it appears with scam links):

https://webcache.googleusercontent.com/search?q=cache:-hOXCMK9BA0J:www.lsri.uic.edu/faculty-staff+&cd=1&hl=en&ct=clnk&gl=it

 

The above shows that it's not a problem in our VPN servers and that it's not an injection in the middle.

 

So, that's what we think (and we are very very probably right) has happened to that web site. Someone infected their web server with SEO spam, and they configured the php / js / whatever file to show the scam links and pages only to some destinations in some list which includes Google bot, dedicated servers... In this way the scam is indexed and the rank is increased. This enhances the likelihood that the scam will remain for a long time before the web site operators even realize that their server has been compromised.

 

From an Italian ISP we can see the scam links; from other ISPs we can't. Also, most of our VPN servers don't see the scam links (so they are not included). That's quite a subtle tactic for the purposes of the attackers.

 

Is there anyone willing to link this thread to that web site's operators? We'll also do the same as soon as possible.

 

Kind regards
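
The vantage-point comparison used in the reply above, as an added example that is not part of the original thread: it diffs the external link hosts of the same page as captured from several network paths and flags hosts that the suspected path shares with an independent path, which points to the origin server rather than the VPN node. The hostnames, labels and HTML snippets are constructed placeholders, and the function names are hypothetical.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

class _Links(HTMLParser):
    """Collect hostnames of <a href> targets that point off the site."""
    def __init__(self, site_host):
        super().__init__()
        self.site_host, self.external = site_host, set()

    def handle_starttag(self, tag, attrs):
        if tag != "a":
            return
        host = (urlparse(dict(attrs).get("href") or "").hostname or "").lower()
        same_site = host == self.site_host or host.endswith("." + self.site_host)
        if host and not same_site:
            self.external.add(host)

def external_hosts(html, site_host):
    parser = _Links(site_host.lower())
    parser.feed(html)
    return parser.external

def cloaked_hosts(views, site_host):
    """views maps a vantage label to captured HTML. Returns
    {host: [labels that saw it]} for hosts NOT served to every vantage."""
    seen = {label: external_hosts(html, site_host) for label, html in views.items()}
    every = set().union(*seen.values())
    return {h: sorted(l for l, s in seen.items() if h in s)
            for h in every if not all(h in s for s in seen.values())}

def served_by_origin(views, site_host, suspect_path):
    """Hosts seen on the suspect path AND on at least one independent path.
    A node injecting in transit cannot alter what other paths receive."""
    report = cloaked_hosts(views, site_host)
    return sorted(h for h, labels in report.items()
                  if suspect_path in labels and len(labels) > 1)

# Constructed captures of one page (placeholders, not the real site's HTML).
CLEAN = '<a href="/faculty-staff">Staff</a> <a href="https://partner.example/">Partner</a>'
SPAM = CLEAN + ' <a href="https://pills.example/buy">cheap</a>'
VIEWS = {"vpn_exit": SPAM, "home_isp": CLEAN, "search_cache": SPAM}

if __name__ == "__main__":
    print(cloaked_hosts(VIEWS, "site.example"))
    print(served_by_origin(VIEWS, "site.example", "vpn_exit"))
```

An empty result from `served_by_origin` only means that no other captured path received the extra links; it does not by itself prove injection in transit, since the cloaking list may simply exclude the other vantage points.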
