

Unwanted popup, bogus login app, harassment.
#1 OFFLINE
Posted 17 May 2017 - 12:11 PM
I'm looking for the brightest amongst you to solve an unsolvable problem (based on my experience). There is a popup that states that "name and password required". It seems to originate from a Naval server xxx.coffey. Behind the login application, the total background (full screen), is a grayish transparent color, that prevents me from accessing my desktop. I can enter dumb entries of names and passwords, and click "enter", but it pops back up. If I click "Cancel", it goes away, and pops back up again. This keeps on happening innumerable times, causing a lot of consternation, and frustration. Then it goes away for a while, and the whole sequence will start again.
It's hard to do any work when those interruptions occur at random. Popup blocker doesn't work. When I checked the source of the login application, it is offshore, so that they can't be reached, or sued.
I use ZenMate (free), for my voip, tunnel, proxy. However, they don't lay claim to causing this harassment because I'm not using the play-for-pay version.
So being at wit's end, I come here for relief. I need a way to block this nuisance.
Any takers??
#2 OFFLINE
Posted 17 May 2017 - 12:19 PM



CNI Radio/G+ Profile/Configs/PGP Key/comhack π ∞
"Do you begin to see, then, what kind of world we are creating? It is the exact opposite of the stupid hedonistic Utopias that the old reformers imagined. A world of fear and treachery and torment, a world of trampling and being trampled upon, a world which will grow not less but more merciless as it refines itself. Progress in our world will be progress toward more pain." -George Orwell, 1984
#3 OFFLINE
Posted 17 May 2017 - 04:51 PM
I don't know how to do it, but I started thinking that perhaps the nasty login could possibly be blocked using the IP door level, before it gets in. I was not able to make the OS identify the pirate, so it could be squashed.
Cheers!
#4 OFFLINE
Posted 17 May 2017 - 07:22 PM
The second question is: is this a site that you visit regularly and have a login for?
I'm confused about where you are, what you're seeing, and what you're trying to do. Maybe I'm not one of the "brightest" you spoke of above.

#5 OFFLINE
Posted 17 May 2017 - 08:35 PM
What I'm getting is a bogus login application. Never been there, never wanted to have any part of it. It just seems to be a terrible disruptive occurrence. If I knew the password/name, perhaps I could have made it go away, but I don't. "some always changing #.coffey-us.navy".
This nasty occurrence happens on my screen's browser, no matter what or where I would be, at any time of day or night. It's the transparent gray background covering the entire screen, behind the login app. That gray shield prevents me from accessing any browser functions, until the login app goes away. I just want that login app gone and dead, or blocked permanently. It seems to be able to violate any protection that I've tried to use, to get rid of it. And it gets in. It's probably playing tricks with my IP stack, to get through.
Cheers!
#6 OFFLINE
Posted 17 May 2017 - 08:54 PM
What website? You haven't posted a link in any of your posts. You posted "#.coffey-us.navy". That's not a link. I'm still not understanding you here... my thick-headedness, I guess.
1. You're not going to any particular website when this happens?
2. What is a "screen's browser"? You mean your desktop? Your file manager? Or your browser application (Firefox, Chrome, etc.)?
3. Is this in a Linux OS?
Sorry, Onederer. This just isn't computing with me for some reason. If this is happening in your browser (Firefox, Chromium, etc.), no matter the website you're visiting at that moment, then I'd have to say your browser (and possibly your operating system) are compromised by some form of malware or other security breach. Login pop-ups that disable webpages just do not pop up randomly on any website. I've seen pop-ups like that on particular websites where the login is relevant to the website, but not random pop-ups without regard to the current website being visited.
More details please... screenshot, maybe?
#7 OFFLINE
Posted 17 May 2017 - 08:57 PM



#8 OFFLINE
Posted 17 May 2017 - 09:12 PM
Onederer, sir... Please have patience with us. Communication via the written word is not always as clear and understandable in circumstances such as these. Let's make sure we're on the same page here.
1. You are logged in as user on your system (Linux, I'm assuming).
2. You are attempting to use your system for its normal purpose.
3. This login pop-up occurs, blocking your entire desktop... or is it just your browser's window?
4. You can cancel and it goes away, but returns later.
5. You found out something about the source of the pop-up somehow obtaining "coffey-us.navy", whatever that is (a google search is just hits about people named coffey in the us navy).
#9 OFFLINE
Posted 17 May 2017 - 09:34 PM



#10 OFFLINE
Posted 17 May 2017 - 11:39 PM
I would have liked to have made a screen snapshot of the login application, but my browser gets disabled when that nasty application is present.
The login screen popup happens on/at ANY random web site that I just happen to be on. 24/7, day or night. No single one website triggers it. Its appearance is random. The application COVERS the website page that I'm visiting with that transparent gray cover. The login box sits on top of the transparent gray cover, which is blocking my access to the entire browser. When I click "cancel" on the application, it will go away, but quickly come back. And it can come back numerous times, before it finally goes away for a while.
I've entered vulgar names or sentences, and random passwords in that application. I wonder if anyone ever reads them. But I prefer to just click on the cancel button to make it go away, perhaps forever.
The browser that I'm using is Vivaldi, a clone of Chrome, but it doesn't send any personal activity or information to the Gov't.
This popup happens only on a browser, in the browser. It doesn't show up anywhere else in the computer. This irritating application doesn't care what or which website that I'm on. It just blankets and covers the browser's page.
I'm using PCLinuxOS.
As I'm writing this, it just visited me again. I managed to capture a screen shot. I also saved it in Gimp. I tried to paste it here, but it didn't take. I can't seem to make it appear on this page. Anyway, I tried to be as complete as possible in my description, using different words, and different methods.
Just picture yourself using a browser, suddenly your work (could be writing a Google based email), when this popup appears, interrupting your work. A gray transparent cloud covers your work. You can't reach your work anymore. The cloud blocks you from your work. In the center of that gray transparent cloud sits a clear white box. At the top, informing you that you have to login to the server: https;//45.coffey-navy.ml. Below the above information, is the little box to enter your name, and below that, your password.
At the bottom you read "cancel" and next to that, "enter".
If you push "cancel" the cloud will go away with the gray cloud. Then suddenly, it comes back again! Click on "cancel", and the whole sequence will occur again and again, 'till you're ready to pull out your hair. As a small reprieve, the invader will take a leave of absence for a while. But at any random time, it will return to haunt you all over again. Sometimes it will popup and leave right away. At times when I was not using the computer, but the machine was still on, that login box would just sit there, with that gray cloud covering the browser page. One would never know if that invader will go away by itself, or the "cancel" button has to be pushed to make it get lost temporarily.
How else can I describe this? Next step is to obliterate that nasty invader. You've seen white login boxes before, haven't you? This one looks no different than any other. The gray cloud separates the foreground login box from the background, creating an access barrier to the background.
Cheers!
#11 OFFLINE
Posted 18 May 2017 - 03:03 AM
I've seen this mentioned somewhere else in the past couple of weeks, but I don't remember where and can't seem to find it.
My initial thought was some kind of malvertising, but now I'm wondering if it is a poorly-targeted attempt at phishing US Navy personnel.
To figure out where exactly it is coming from, though, you'll probably need to do a packet capture and sift through it to identify its origination point. I'm not particularly familiar with doing that on Linux these days, but I would imagine tcpdump or WireShark would be good places to start. If you have any security software on a computer running Windows, you might want to contact that company's tech support department. Even though you're not running their software on the Linux box, the tech would probably appreciate the chance to do some interesting Linux forensics.
Regards,
Aryeh Goretsky
Aryeh Goretsky
Microsoft MVP 2004-2018 [Cloud and Datacenter Management]
(previously Networking, Windows, Windows for Devices and IT)
Facebook • Google+ • personal blog • personal website • Twitter • work blog
#12 OFFLINE
#13 OFFLINE
Posted 18 May 2017 - 08:10 AM
Your VPN (Zenmate) is causing this to happen. I would suggest finding a different one to use. Here is some info on that url: https://www.robtex.c....coffey-navy.ml
Personally I use AirVPN which works beautifully and gives you the same speeds as your ISP does.



#14 OFFLINE
Posted 18 May 2017 - 11:44 AM
Server not found Firefox can't find the server at 36.coffey.-navy.ml. Check the address for typing errors such as ww.example.com instead of www.example.com If you are unable to load any pages, check your computer's network connection. If your computer or network is protected by a firewall or proxy, make sure that Firefox is permitted to access the Web.
Anyway, excellent progress above, I believe. Securitybreach's link to the ZenMate issue is most probably the culprit here. I would dump it immediately and clean out my browser's cache/cookies, etc. Maybe even just delete the profile for the browser and start with a clean new one.
As far as VPNs go...
http://forums.scotsn...showtopic=86738
http://forums.scotsn...showtopic=94085
http://forums.scotsn...showtopic=94001
#15 OFFLINE
Posted 18 May 2017 - 07:24 PM
I had spent a long time writing, explaining your questions. Then I took a short break to check up on your links. When I came back, all my work was gone! I guess that this forum doesn't save from time-to-time, the work that's being written, until it's sent out.
Am I now to assume that we all agree that the coffey login unwanted application belongs to ZenMate? If so, the reason that I came here originally was to find a way to kill that unwanted intrusion, and still keep on using the free version of ZenMate. I like it because it offers encryption, tunnel, IP address masking, and not being detectable as being a proxy (tested by checking which IP masking address that I was assigned, and if it was detected that it was a proxy). Oh, and I can use Google mail with ZenMate, without anything going bonkers because I'm doing that.
Based on the above premise, can we get together and find a way to obliterate the coffey intruder? There must be a way to block it! And yes, the gray transparent cloud, behind the white login application, blocks everything on the browser's page, and also the desktop controls that the cloud covers. The only thing working is the mouse pointer, which does nothing.
Another thing, the number in front of "coffey" isn't set in concrete. It changes every time the invasion occurs. The application seems to be immune to blockers. I don't know how to read TCP dumps, and I wouldn't be able to activate it while I'm being invaded, since I can't access the lower controls on the desktop.
I better send this, before I lose this communication again.
Cheers!
Edited by onederer, 18 May 2017 - 07:29 PM.
#16 OFFLINE
Posted 18 May 2017 - 07:40 PM
Secondly, this is malware spread by Zenmate so I doubt you will be able to remove it without disabling the VPN. Personally I would never be comfortable running my internet traffic through a company that spreads malware to its users with a malicious url made to trick people into thinking it was a government url.
I think the only option you have is to either deal with the issue or change VPN providers. I am almost certain that this is done at a DNS level so nothing you do will change that.



#17 OFFLINE
Posted 18 May 2017 - 07:45 PM
BTW all of that is available on pretty much every single VPN, paid or not. All my traffic has gone through VPNs for years without any issues. Heck, Opera even offers a VPN with everything you listed already built into their browser. Most VPNs are not like Tor where it switches IPs all the time and causes issues with websites.



#18 OFFLINE
Posted 18 May 2017 - 08:07 PM
It could be bad programming that created an unwanted side effect, which for me is now malware. The real facts, I don't know.
Could this be controlled at the IP level? You know, like those firewalls that use all those commands to allow this and drop that? I never could understand how to configure that type of firewall.
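Added example, not part of any post in this thread: the packet-capture triage and DNS-level blocking raised above, as a shell script that pulls lookups for `coffey-navy.ml` out of tcpdump-style DNS lines and writes a dnsmasq rule that covers the changing numeric prefix. The capture lines are constructed, and it assumes the lookups reach a local resolver, which is not the case when the browser resolves names through the VPN or proxy.

```shell
#!/bin/sh
# Added example. Domain taken from the thread; capture lines are constructed.
SUSPECT_DOMAIN="coffey-navy.ml"

# Constructed sample of `tcpdump -n -l udp port 53` output (not a real capture).
sample_capture() {
cat <<'EOF'
12:11:02.100001 IP 192.168.1.10.40112 > 192.168.1.1.53: 4242+ A? 45.coffey-navy.ml. (35)
12:11:02.100950 IP 192.168.1.10.40113 > 192.168.1.1.53: 4243+ AAAA? 45.coffey-navy.ml. (35)
12:11:09.410220 IP 192.168.1.10.51877 > 192.168.1.1.53: 9001+ A? mail.google.com. (33)
12:14:40.020114 IP 192.168.1.10.38440 > 192.168.1.1.53: 1177+ A? 36.coffey-navy.ml. (35)
12:14:41.500730 IP 192.168.1.10.38441 > 192.168.1.1.53: 1178+ A? notcoffey-navy.ml. (35)
12:20:03.000412 IP 192.168.1.10.44002 > 192.168.1.1.53: 2210+ A? 7.COFFEY-NAVY.ML. (34)
EOF
}

# Print each distinct queried name equal to, or a subdomain of, domain $1.
suspect_queries() {
  awk -v dom="$1" '
    BEGIN { dom = tolower(dom); d = length(dom) }
    {
      for (i = 1; i < NF; i++) {
        if ($i != "A?" && $i != "AAAA?") continue
        name = tolower($(i + 1))
        sub(/\.$/, "", name)                 # drop the trailing root dot
        n = length(name)
        # match on a label boundary so "notcoffey-navy.ml" is not caught
        if (name == dom || (n > d && substr(name, n - d) == ("." dom))) {
          if (!seen[name]++) print name
        }
      }
    }'
}

# dnsmasq: address=/<domain>/<ip> answers for the domain and all its subdomains,
# so one rule covers every numeric prefix.
dnsmasq_block_rule() {
  printf 'address=/%s/0.0.0.0\n' "$1"
}

# /etc/hosts has no wildcards: it can only list names already observed.
hosts_block_lines() {
  while IFS= read -r name; do
    printf '0.0.0.0 %s\n' "$name"
  done
}

echo "Lookups under $SUSPECT_DOMAIN:"
sample_capture | suspect_queries "$SUSPECT_DOMAIN"
echo "dnsmasq rule:"
dnsmasq_block_rule "$SUSPECT_DOMAIN"
echo "hosts entries (already-seen names only):"
sample_capture | suspect_queries "$SUSPECT_DOMAIN" | hosts_block_lines
```

With a live capture, pipe `tcpdump -n -l udp port 53` into `suspect_queries` in place of `sample_capture`.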
#19 OFFLINE
Posted 18 May 2017 - 08:24 PM
Also, think about this.. why would a legitimate site use a phishing address for their paid users? Using navy.ml instead of the legit navy.mil.
You can continue using the service if you like but all of this stuff is throwing up huge red flags to me. While searching, I do not see anything flagging them as malicious but think about what is happening. Can you honestly without a doubt, trust them?
Also, you might want to check for a dns leak to see if they are protecting you at all https://dnsleaktest.com/



#20 OFFLINE
Posted 18 May 2017 - 10:31 PM
I tried to post the results here. But the Forum left a message that I was trying to post too many images, and would not allow me to post the results.
The test shows that I'm in Manassas (VA??). No name was produced. Showed that I was using Google.
Hey, I tried!
Edited by onederer, 18 May 2017 - 10:37 PM.
#21 OFFLINE
Posted 18 May 2017 - 10:55 PM
onederer, on 18 May 2017 - 10:31 PM, said:




For the things we have to learn before we can do them, we learn by doing them.
#22 OFFLINE
Posted 18 May 2017 - 11:41 PM
Anyway, I perceived no leaks based on that website.
I could put up with the invader, if it would go away after one click to the "cancel" button. Maybe I could tolerate doing it twice! It gets bad when it comes back persistently over and over again. This reminds me of those Captcha applications with images. It's like one is chasing its tail. It keeps one busy for what seems an endless time, with more and more images appearing, while clicking to make them disappear.
I
#23 OFFLINE
Posted 19 May 2017 - 06:02 AM



#24 OFFLINE
Posted 19 May 2017 - 09:07 AM
Speaking personally if you want to use VPN I think it's better to pay the $4 per month and get a service like PIA. There is no free lunch ( except maybe for Linux - but even there you have to invest your time.) But that's just me. Your mileage may vary.

Registered Linux User 445659
#25 OFFLINE
Posted 19 May 2017 - 10:03 AM