31 replies to this topic

[onederer]

Hi,

I'm looking for the brightest amongst you to solve an unsolvable problem (based on my experience). There is a popup that states that "name and password required". It seems to originate from a Naval server xxx.coffey. Behind the login application, the total background (full screen), is a grayish transparent color, that prevents me to access my desktop. I can enter dumb entries of names and passwords, and click "enter", but it pops back up. If I click "Cancel", it goes away, and pops back up again. This keeps on happening innumerable times, causing a lot of consternation, and frustration. Then it goes away for a while, and the whole sequence will start again.

It's hard to do any work when those interruptions occur at random. Popup blocker doesn't work. When I checked the source of the login application, it is offshore, so that they can't be reached, or sued.

I use ZenMate (free), for my voip, tunnel, proxy. However, they don't lay claim to causing this harassment because I'm not using the play-for-pay version.

So being at wit's end, I come here for relief. I need a way to block this nuisance.

Ant takers??

[securitybreach]

Install Privacy Badger and also uBlock origin browser extensions. Both are available on Firefox, Chrome and Opera.

[onederer]

Thanks for the tip, However, I already have those two items. They didn't seem to be able to overcome that problem. I had tried to enter every title of the login application (the beginning of the name, are ever changing numbers, perhaps the server numbers), but that didn't help. And since the background, transparent gray, covering the work screen, prevented me from accessing any of the available tools that may possibly have worked.

I don't know how to do it, but I started thinking that perhaps the nasty login could possibly be blocked using the IP door level, before it gets in. I was not able to make the OS identify the pirate, so it could be squashed.

Cheers!

[V.T. Eric Layton]

First thing I need to ask here is what is the website (link please) where you're experiencing this?

The second question is is this a site that you visit regularly and have a login for?

I'm confused about where you are, what you're seeing, and what you're trying to do. Maybe I'm not one the "brightest" you spoke of above.

[onederer]

The website listed below, I never visited it, never logged into it, never wanted any part of it. It showed up like a bad ghost.

What I'm getting is a bogus login application. Never been there, never wanted to have any pert of it. It just seems to be a terrible disruptive occurrence. If I knew the password/name, perhaps I could have made it go away, but I don't. "some always changing #.coffey-us.navy".

This nasty occurrence happens on my screen's browser, no matter what or where I would be, at any time of day or night. It's the transparent gray background covering the entire screen, behind the login app. That gray shield prevents me from accessing any browser functions, until the login app goes away. I just want that login app gone and dead, or blocked permanently. It seems to be able to violate any protection that I've tried to use, to get rid of it. And it gets in. It's probably playing tricks with my IP stack, to get through.

Cheers!

[V.T. Eric Layton]

"The website listed below..."

What website? You haven't posted a link in any of your posts. You posted "#.coffey-us.navy". That's not a link. I'm still not understanding you here... my thick-headedness, I guess.

1. You're not going to any particular website when this happens?

2. What is a "screen's browser"? You mean your desktop? Your file manager? Or your browser application (Firefox, Chrome, etc.)?

3. Is this in a Linux OS?

Sorry, Onederer. This just isn't computing with me for some reason. If this is happening in your browser (Firefox, Chromium, etc.), no matter the website you're visiting at that moment, then I'd have to say your browser (and possibly your operating system) are compromised by some form of malware or other security breach. Login pop-ups that disable webpages just do not pop up randomly on any website. I've seen pop-ups like that on particular websites where the login is relevant to the website, but not random pop-ups without regard to the current website being visited.

More details please... screenshot, maybe?

[securitybreach]

Yeah, I was bit confused myself as to what he meant. I just assumed it was an element on a certain website he went to that he couldn't get rid of.

[V.T. Eric Layton]

We'll have to wait on some more info/clarification, I think.

Onderer, sir... Please have patience with us. Communication via the written word is not always as clear and understandable in circumstances such as these. Let's make sure if we're on the same page here.

1. You are logged in as user on your system (Linux, I'm assuming).
2. You are attempting to use your system for its normal purpose.
3. This login pop-up occurs, blocking your entire desktop... or is it just your browser's window?
4. You can cancel and it goes away, but returns later.
5. You found out something about the source of the pop-up somehow obtaining "coffey-us.navy", whatever that is (a google search is just hits about people named coffey in the us navy).

[securitybreach]

Yeah, the real navy urls end with navy.mil

[onederer]

OK, the login app that's disrupting me is: https://36.coffey.-navy.ml. It says that I have to login. When that app. appears, it comes with a transparent grey background behind it, that covers my web page, and prevents me from accessing anything on my browser during the presence of that application.

I would have liked to have made a screen snapshot of the login application, but my browser gets disabled when that nasty application is present.

The login screen popup happens on/at ANY random web site that I just happen to be on. 24/7, day or night. No single one website triggers it. It's appearance is random. The application COVERS the website page that I'm visiting with that transparent gray cover. The login box sits on top of the transparent gray cover, which is blocking my access to the entire browser  When I click "cancel" on the application, it will go away, but quickly come back. And it can come back numerous times, before it finally goes away for a while.
I've entered vulgar names or sentences, and random passwords in that application. I wonder if anyone ever reads them. But I prefer to just click on the cancel button to make it go away, perhaps forever.

The browser that I'm using is Vivaldi, a clone of Chrome, but it doesn't send any personal activity or information to the Gov't.

This popup happens only on a browser, in the browser. It doesn't show up anywhere else in the computer. This irritating application doesn't care what or which  website that I'm on. It just blankets and covers the browser's page.


I'm using PCLinuxOS.

As I'm writing this, it just visited me again. I managed to capture a screen shot. I also saved it in Gimp. I tried to paste it here, but it didn't take. I can't seem to make it appear on this page. Anyway, I tried to be as complete as possible in my description, using different words, and different methods.

Just picture yourself using a browser, suddenly your work (could be writing a Google based email), when this popup appears, interrupting your work. A gray transparent cloud covers your work. You can't reach your work anymore. The cloud blocks you from your work. In the center of that gray transparent cloud sits a clear white box. At the top, informing you that you have to  login to the server: https;//45.coffey-navy.ml. Below the above information, is the little box to enter your name, and below that, your password.
At the bottom you read "cancel" and next to that, "enter".
If you push "cancel" the cloud will go away with the gray cloud. Then suddenly, it comes back again! Click on "cancel", and the whole sequence will occur again and again, 'till you're ready to pull out your hair. As a small reprieve, the  invader will take a leave of absence for a while. But at any random time, it will return to haunt you all over again. Sometimes it will popup and leave right away. At times when I was not using the computer, but the  machine was still on, that login box would just sit there, with that gray cloud covering the browser page. One would never know if that invader will go away by itself, or the "cancel" button has to be pushed to make it get lost temporarily.

How else can I describe this? Next step is to obliterate that nasty invader. You've seen white login boxes before, haven't you? This one looks no different than any other. The gray cloud separates the foreground login box from the background, creating an access barrier to the background.

Cheers!

[goretsky]

Hello,

I've seen this mentioned somewhere else in the past couple of weeks, but I don't remember where and can't seem to find it.

My initial thought was some kind of malvertising, but now I'm wondering if it is a poorly-targeted attempt at phishing US Navy personnel.

To figure out where exactly it is coming from, though, you'll probably need to do a packet capture and sift through it to identify it's origination point.  I'm not particularly familiar with doing that on Linux these days, but I would imagine tcpdump or WireShark would be good places to start.  If you have any security software on a computer running Windows, you might want to contact that company's tech support department.  Even though you're not running their software on the Linux box, the tech would probably appreciate the chance to do some interesting Linux forensics.

Regards,

Aryeh Goretsky

[raymac46]

https://www.reddit.c...15coffeynavyml/

[securitybreach]

Yeah, that is definitely malware in your browser. I would do as the reddit link suggested or simply delete your local profile (chrome folder) and then open it fresh and log back in to sync all your stuff.

Your VPN (Zenmate) is causing this to happen. I would suggest finding a different one to use. Here is some info on that url: https://www.robtex.c....coffey-navy.ml

Personally I use AirVPN which works beautifully and gives you the same speeds as your ISP does.

[V.T. Eric Layton]

When I clicked your link above:

Server not found

Firefox can't find the server at 36.coffey.-navy.ml.

	Check the address for typing errors such as ww.example.com instead of www.example.com
	If you are unable to load any pages, check your computer's network connection.
	If your computer or network is protected by a firewall or proxy, make sure that Firefox is permitted to access the Web.

Anyway, excellent progress above, I believe. Securitybreach's link to the ZenMate issue is most probably the culprit here. I would dump it immediately and clean out my browser's cashe/cookies, etc. Maybe even just delete the profile for the browser and start with a clean new one.

As far as VPNs go...

http://forums.scotsn...showtopic=86738

http://forums.scotsn...showtopic=94085

http://forums.scotsn...showtopic=94001

[onederer]

Oh gee!

I had spent a long time writing, explaining your questions. Then I took a short break to check up on your links. When I came back, all my work was gone! I guess that this forum doesn't save from time-to-time, the work that's being written, until it's sent out.

Am I now to assume that we all agree that the coffey login unwanted application belongs to ZenMate? If so, the reason that I came here originally was to find a way to kill that unwanted intrusion, and still keep on using the free version of ZenMate. I like it because if it offers encryption, tunnel, IP address masking, and not being detectable as being a proxy (tested by checking which IP masking address that I was assigned, and if it was detected that it was a proxy). Oh, and I can use Google mail with ZenMate, without anything going bonkers because I'm doing that.

Based on the above premise, can we get together and find a way to obliterate the coffey intruder? There must be a way to block it! And yes, the gray transparent cloud, behind the white login application, blocks everything on the browser's page, and also the desktop controls that the cloud covers. The only thing working is the mouse pointer, which does nothing.

Another thing, the number in front of "coffey" isn't set in concrete. It changes every time the invasion occurs. The application seems to be immune to blockers. I don't know how to read TCP dumps, and I wouldn't be able to activate it while I'm being invaded, since I can't access the lower controls on the desktop.

I better send this, before I lose this communication again.

Cheers!

Edited by onederer, 18 May 2017 - 07:29 PM.

[securitybreach]

Well first off, nothing is saved until you click the post button and this has always been the case. It would be nice to have an autosave function but I do not know how well that would work with a forum and posts.

Secondly, this is malware spread by Zenmate so I doubt you will be able to remove it without disabling the VPN. Personally I would never be comfortable running my internet traffic through a company that spreads malware to it's users with a malicious url made to trick people into thinking it was a government url.  

I think the only option you have is to either deal with the issue or change VPN providers. I am almost certain that this is done at a DNS level so nothing you do will change that.

[securitybreach]

Quote

Am I now to assume that we all agree that the coffey login unwanted application belongs to ZenMate? If so, the reason that I came here originally was to find a way to kill that unwanted intrusion, and still keep on using the free version of ZenMate. I like it because if it offers encryption, tunnel, IP address masking, and not being detectable as being a proxy (tested by checking which IP masking address that I was assigned, and if it was detected that it was a proxy). Oh, and I can use Google mail with ZenMate, without anything going bonkers because I'm doing that.

BTW all of that is available on pretty much every single VPN, paid or not. All my traffic has went through VPNs for years without any issues. Heck, Opera even offers a VPN with everything you listed already built into their browser. Most VPNs are not like Tor where it switches IPs all the time and causes issues with websites.

[onederer]

It's true I don't need that intrusion. And it could be malware, or then again, it could be the server that the paid up users have to use to login. I'm already logged in to ZenMate as a free user. I have to assume that perhaps the payers have to use a separate and different means of logging in. And also different servers than I get to use. I'm using ZenMate right now, and everything is fine until the next invation.

It could be bad programming that created an unwanted side effect, which for me is now malware. The real facts, I don't know.

Could this be controlled at the IP level? You know, like those firewalls that use all those commands to allow this and drop that? I never could understand how to configure that type of firewall.

[securitybreach]

Well you have to understand how VPNs work. You directly connect to the VPN and then all your traffic goes through the VPN. Your ISP only sees a direct connection to the VPN. So if you use a VPN, you use the assigned IP address they give to route your traffic through. So I do not think your suggestion would work as you would not be connecting to the VPN.

Also, think about this.. why would a legitimate site use a phishing address for their paid users? Using navy.ml instead of the legit navy.mil.

You can continue using the service if you like but all of this stuff is throwing up huge red flags to me. While searching, I do not see anything flagging them as malicious but think about what is happening. Can you honestly without a doubt, trust them?

Also, you might want to check for a dns leak to see if they are protecting you at all https://dnsleaktest.com/

[onederer]

Here's the results of the dns leak test. They think that I'm in Masassas (Virginia??), with the IP address belonging to that server and no indication of mine.




I tried to post the results here. But the Forum left a message that I was trying to post too many images, and would not allow me to post the results.

The test shows that I'm in Menassas (VA??). No name was produced. Showed that I was using Google.

Hey, I tried!

Edited by onederer, 18 May 2017 - 10:37 PM.

[sunrat]

onederer, on 18 May 2017 - 10:31 PM, said:

I tried to post the results here. But the Forum left a message that I was trying to post too many images, and would not allow me to post the results.

How are you trying to post images? You can't post direct to the forum. You need to upload to an image sharing site such as Imgur and post the image link in image tags.

[onederer]

Well, i have to admit that I don't know anything about Imgur. This does complicate things doesn't it? One more layer.
Anyway, I perceived no leaks based on that website.

I could put up with the invader, if it would go away after one click to the "cancel" button. Maybe I could tolerate doing it twice! It gets bad when it comes back persistently over and over again. This reminds me of those of those Capcha applications with images. It's like one is chasing it's tail. It keeps one busy for what seems an endless time, with more and more images appearing, while clicking to make them disappear.

I

[securitybreach]

Well it will never go away until you change VPN providers to one that does not host malware on malicious urls.

[raymac46]

Could it be that Zenmate uses the coffey.ml server as part of its VPN setup and that it's just buggy and asking you to log in? My VPN allows you to choose a different location to log in and hence a different server. Is that possible with Zenmate?
Speaking personally if you want to use VPN I think it's better to pay the $4 per month and get a service like PIA. There is no free lunch ( except maybe for Linux - but even there you have to invest your time.) But that's just me. Your mileage may vary.

[V.T. Eric Layton]

Consider this, if that login popup is some sort of malware and you entered your Zenmate user/pw at any time since this started happening, the chances are that someone somewhere may now have your Zenmate login information.