Unwanted popup, bogus login app, harassment.


onederer

Hi,

 

I'm looking for the brightest amongst you to solve an unsolvable problem (based on my experience). There is a popup that states that "name and password required". It seems to originate from a Naval server xxx.coffey. Behind the login application, the total background (full screen) is a grayish transparent color that prevents me from accessing my desktop. I can enter dumb entries of names and passwords and click "enter", but it pops back up. If I click "Cancel", it goes away, and pops back up again. This keeps on happening innumerable times, causing a lot of consternation and frustration. Then it goes away for a while, and the whole sequence will start again.

 

It's hard to do any work when those interruptions occur at random. Popup blocker doesn't work. When I checked the source of the login application, it is offshore, so that they can't be reached, or sued.

 

I use ZenMate (free), for my voip, tunnel, proxy. However, they don't lay claim to causing this harassment because I'm not using the play-for-pay version.

 

So being at wit's end, I come here for relief. I need a way to block this nuisance.

 

Any takers??

Link to comment
Share on other sites

Thanks for the tip. However, I already have those two items. They didn't seem to be able to overcome that problem. I had tried to enter every title of the login application (the beginning of the name is ever-changing numbers, perhaps the server numbers), but that didn't help. And the background, transparent gray, covering the work screen, prevented me from accessing any of the available tools that might possibly have worked.

 

I don't know how to do it, but I started thinking that perhaps the nasty login could possibly be blocked using the IP door level, before it gets in. I was not able to make the OS identify the pirate, so it could be squashed.

 

Cheers!

Link to comment
Share on other sites

V.T. Eric Layton

First thing I need to ask here is what is the website (link please) where you're experiencing this?

 

The second question is, is this a site that you visit regularly and have a login for?

 

I'm confused about where you are, what you're seeing, and what you're trying to do. Maybe I'm not one of the "brightest" you spoke of above. :(

Link to comment
Share on other sites

The website listed below, I never visited it, never logged into it, never wanted any part of it. It showed up like a bad ghost.

 

What I'm getting is a bogus login application. Never been there, never wanted to have any part of it. It just seems to be a terrible disruptive occurrence. If I knew the password/name, perhaps I could have made it go away, but I don't. "some always changing #.coffey-us.navy".

This nasty occurrence happens on my screen's browser, no matter what or where I would be, at any time of day or night. It's the transparent gray background covering the entire screen, behind the login app. That gray shield prevents me from accessing any browser functions, until the login app goes away. I just want that login app gone and dead, or blocked permanently. It seems to be able to violate any protection that I've tried to use, to get rid of it. And it gets in. It's probably playing tricks with my IP stack, to get through.

Cheers!

Link to comment
Share on other sites

V.T. Eric Layton

"The website listed below..."

 

What website? You haven't posted a link in any of your posts. You posted "#.coffey-us.navy". That's not a link. I'm still not understanding you here... my thick-headedness, I guess.

 

1. You're not going to any particular website when this happens?

 

2. What is a "screen's browser"? You mean your desktop? Your file manager? Or your browser application (Firefox, Chrome, etc.)?

 

3. Is this in a Linux OS?

 

Sorry, Onederer. This just isn't computing with me for some reason. If this is happening in your browser (Firefox, Chromium, etc.), no matter the website you're visiting at that moment, then I'd have to say your browser (and possibly your operating system) are compromised by some form of malware or other security breach. Login pop-ups that disable webpages just do not pop up randomly on any website. I've seen pop-ups like that on particular websites where the login is relevant to the website, but not random pop-ups without regard to the current website being visited.

 

More details please... screenshot, maybe?

Link to comment
Share on other sites

securitybreach

Yeah, I was a bit confused myself as to what he meant. I just assumed it was an element on a certain website he went to that he couldn't get rid of.

Link to comment
Share on other sites

V.T. Eric Layton

We'll have to wait on some more info/clarification, I think.

 

Onederer, sir... Please have patience with us. Communication via the written word is not always as clear and understandable in circumstances such as these. Let's make sure we're on the same page here.

 

1. You are logged in as a user on your system (Linux, I'm assuming).

2. You are attempting to use your system for its normal purpose.

3. This login pop-up occurs, blocking your entire desktop... or is it just your browser's window?

4. You can cancel and it goes away, but returns later.

5. You found out something about the source of the pop-up somehow obtaining "coffey-us.navy", whatever that is (a google search is just hits about people named coffey in the us navy).

Link to comment
Share on other sites

OK, the login app that's disrupting me is: https://36.coffey.-navy.ml. It says that I have to login. When that app. appears, it comes with a transparent grey background behind it, that covers my web page, and prevents me from accessing anything on my browser during the presence of that application.

 

I would have liked to have made a screen snapshot of the login application, but my browser gets disabled when that nasty application is present.

 

The login screen popup happens on/at ANY random web site that I just happen to be on. 24/7, day or night. No single website triggers it. Its appearance is random. The application COVERS the website page that I'm visiting with that transparent gray cover. The login box sits on top of the transparent gray cover, which is blocking my access to the entire browser. When I click "cancel" on the application, it will go away, but quickly come back. And it can come back numerous times, before it finally goes away for a while.

I've entered vulgar names or sentences, and random passwords in that application. I wonder if anyone ever reads them. But I prefer to just click on the cancel button to make it go away, perhaps forever.

 

The browser that I'm using is Vivaldi, a clone of Chrome, but it doesn't send any personal activity or information to the Gov't.

 

This popup happens only on a browser, in the browser. It doesn't show up anywhere else in the computer. This irritating application doesn't care what or which website I'm on. It just blankets and covers the browser's page.

 

 

I'm using PCLinuxOS.

 

As I'm writing this, it just visited me again. I managed to capture a screen shot. I also saved it in Gimp. I tried to paste it here, but it didn't take. I can't seem to make it appear on this page. Anyway, I tried to be as complete as possible in my description, using different words, and different methods.

 

Just picture yourself using a browser; suddenly your work (could be writing a Google-based email) is interrupted when this popup appears. A gray transparent cloud covers your work. You can't reach your work anymore. The cloud blocks you from your work. In the center of that gray transparent cloud sits a clear white box. At the top, it informs you that you have to login to the server: https://45.coffey-navy.ml. Below the above information is the little box to enter your name, and below that, your password.

At the bottom you read "cancel" and next to that, "enter".

If you push "cancel" the cloud will go away with the gray cloud. Then suddenly, it comes back again! Click on "cancel", and the whole sequence will occur again and again, till you're ready to pull out your hair. As a small reprieve, the invader will take a leave of absence for a while. But at any random time, it will return to haunt you all over again. Sometimes it will popup and leave right away. At times when I was not using the computer, but the machine was still on, that login box would just sit there, with that gray cloud covering the browser page. One would never know if that invader will go away by itself, or the "cancel" button has to be pushed to make it get lost temporarily.

 

How else can I describe this? Next step is to obliterate that nasty invader. You've seen white login boxes before, haven't you? This one looks no different than any other. The gray cloud separates the foreground login box from the background, creating an access barrier to the background.

 

Cheers!

Link to comment
Share on other sites

Hello,

 

I've seen this mentioned somewhere else in the past couple of weeks, but I don't remember where and can't seem to find it.

 

My initial thought was some kind of malvertising, but now I'm wondering if it is a poorly-targeted attempt at phishing US Navy personnel.

 

To figure out where exactly it is coming from, though, you'll probably need to do a packet capture and sift through it to identify its origination point. I'm not particularly familiar with doing that on Linux these days, but I would imagine tcpdump or Wireshark would be good places to start. If you have any security software on a computer running Windows, you might want to contact that company's tech support department. Even though you're not running their software on the Linux box, the tech would probably appreciate the chance to do some interesting Linux forensics.

 

Regards,

 

Aryeh Goretsky

Link to comment
Share on other sites
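An added example, not from the thread or any poster, of the sifting Aryeh describes: a small Python script that walks captured HTTP responses and reports which host is raising a credential challenge. It assumes (the thread does not say so) that the "name and password required" dialog is the browser's HTTP authentication prompt, which a server triggers with a 401 status plus a WWW-Authenticate header; the streams, hostnames and responses below are constructed for the example.

```python
"""Find which host in a captured HTTP session is triggering a credential prompt.

Assumption (not stated in the thread): a "name and password required" dialog
with a grey overlay is the browser's HTTP authentication prompt, which a server
raises by answering 401 with a WWW-Authenticate header. Given a capture, the
task is to find the host sending that header that is NOT the site being visited.
"""
import re

# Constructed sample streams, shaped like tcpdump -A / Wireshark "Follow TCP
# stream" output: (requested host, raw HTTP response). The first two hosts are
# made up; the third reuses the lookalike domain the thread reports.
SAMPLE_STREAMS = [
    ("forums.example.org",
     "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nContent-Length: 0\r\n\r\n"),
    ("static.example-cdn.net",
     "HTTP/1.1 200 OK\r\nContent-Type: image/png\r\nContent-Length: 0\r\n\r\n"),
    ("45.coffey-navy.ml",
     "HTTP/1.1 401 Unauthorized\r\n"
     "WWW-Authenticate: Basic realm=\"login required\"\r\n"
     "Content-Length: 0\r\n\r\n"),
]

STATUS_RE = re.compile(r"^HTTP/\d\.\d (\d{3})")


def parse_response(raw):
    """Return (status_code, headers_dict) for one raw HTTP response text."""
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    m = STATUS_RE.match(lines[0])
    if not m:
        raise ValueError("not an HTTP response: %r" % lines[0])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        # Header names are case-insensitive; normalise so lookups are reliable.
        headers[name.strip().lower()] = value.strip()
    return int(m.group(1)), headers


def find_auth_prompts(streams, first_party):
    """List hosts that answer 401 + WWW-Authenticate, excluding the visited site.

    A 401 from the page you are actually logged into is normal; the same from
    an unrelated third-party host is what makes a prompt appear "at random".
    """
    hits = []
    for host, raw in streams:
        status, headers = parse_response(raw)
        challenge = headers.get("www-authenticate")
        if status == 401 and challenge and host != first_party:
            scheme = challenge.split(None, 1)[0]  # e.g. "Basic" or "Digest"
            hits.append({"host": host, "scheme": scheme, "challenge": challenge})
    return hits


if __name__ == "__main__":
    for hit in find_auth_prompts(SAMPLE_STREAMS, "forums.example.org"):
        print("credential prompt comes from %(host)s via %(scheme)s auth: "
              "%(challenge)s" % hit)
```

On a real capture, the host it names is the one to take to the hosting provider's abuse contact or to block; a 401 from the site you deliberately logged into is expected and is filtered out by the first_party argument.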

securitybreach

Yeah, that is definitely malware in your browser. I would do as the reddit link suggested or simply delete your local profile (chrome folder) and then open it fresh and log back in to sync all your stuff.

 

Your VPN (Zenmate) is causing this to happen. I would suggest finding a different one to use. Here is some info on that url: https://www.robtex.c....coffey-navy.ml

 

Personally I use AirVPN which works beautifully and gives you the same speeds as your ISP does.

Link to comment
Share on other sites

V.T. Eric Layton

When I clicked your link above:

 

Server not found

Firefox can't find the server at 36.coffey.-navy.ml.

   Check the address for typing errors such as ww.example.com instead of www.example.com
   If you are unable to load any pages, check your computer's network connection.
   If your computer or network is protected by a firewall or proxy, make sure that Firefox is permitted to access the Web.

 

Anyway, excellent progress above, I believe. Securitybreach's link to the ZenMate issue is most probably the culprit here. I would dump it immediately and clean out my browser's cache/cookies, etc. Maybe even just delete the profile for the browser and start with a clean new one.

 

As far as VPNs go...

 

http://forums.scotsnewsletter.com/index.php?showtopic=86738

 

http://forums.scotsnewsletter.com/index.php?showtopic=94085

 

http://forums.scotsnewsletter.com/index.php?showtopic=94001

Link to comment
Share on other sites

Oh gee!

 

I had spent a long time writing, explaining your questions. Then I took a short break to check up on your links. When I came back, all my work was gone! I guess that this forum doesn't save from time-to-time, the work that's being written, until it's sent out.

 

Am I now to assume that we all agree that the coffey login unwanted application belongs to ZenMate? If so, the reason that I came here originally was to find a way to kill that unwanted intrusion, and still keep on using the free version of ZenMate. I like it because it offers encryption, tunnel, IP address masking, and not being detectable as being a proxy (tested by checking which IP masking address I was assigned, and if it was detected that it was a proxy). Oh, and I can use Google mail with ZenMate, without anything going bonkers because I'm doing that.

 

Based on the above premise, can we get together and find a way to obliterate the coffey intruder? There must be a way to block it! And yes, the gray transparent cloud, behind the white login application, blocks everything on the browser's page, and also the desktop controls that the cloud covers. The only thing working is the mouse pointer, which does nothing.

 

Another thing, the number in front of "coffey" isn't set in concrete. It changes every time the invasion occurs. The application seems to be immune to blockers. I don't know how to read TCP dumps, and I wouldn't be able to activate it while I'm being invaded, since I can't access the lower controls on the desktop.

 

I better send this, before I lose this communication again.

 

Cheers!

Edited by onederer
Link to comment
Share on other sites

securitybreach

Well first off, nothing is saved until you click the post button and this has always been the case. It would be nice to have an autosave function but I do not know how well that would work with a forum and posts.

 

Secondly, this is malware spread by Zenmate so I doubt you will be able to remove it without disabling the VPN. Personally I would never be comfortable running my internet traffic through a company that spreads malware to its users with a malicious url made to trick people into thinking it was a government url.

 

I think the only option you have is to either deal with the issue or change VPN providers. I am almost certain that this is done at a DNS level so nothing you do will change that.

Link to comment
Share on other sites

securitybreach

Am I now to assume that we all agree that the coffey login unwanted application belongs to ZenMate? If so, the reason that I came here originally was to find a way to kill that unwanted intrusion, and still keep on using the free version of ZenMate. I like it because it offers encryption, tunnel, IP address masking, and not being detectable as being a proxy (tested by checking which IP masking address I was assigned, and if it was detected that it was a proxy). Oh, and I can use Google mail with ZenMate, without anything going bonkers because I'm doing that.

 

 

BTW all of that is available on pretty much every single VPN, paid or not. All my traffic has gone through VPNs for years without any issues. Heck, Opera even offers a VPN with everything you listed already built into their browser. Most VPNs are not like Tor where it switches IPs all the time and causes issues with websites.

Link to comment
Share on other sites

It's true I don't need that intrusion. And it could be malware, or then again, it could be the server that the paid-up users have to use to login. I'm already logged in to ZenMate as a free user. I have to assume that perhaps the payers have to use a separate and different means of logging in. And also different servers than I get to use. I'm using ZenMate right now, and everything is fine until the next invasion.

 

It could be bad programming that created an unwanted side effect, which for me is now malware. The real facts, I don't know.

 

Could this be controlled at the IP level? You know, like those firewalls that use all those commands to allow this and drop that? I never could understand how to configure that type of firewall.

Link to comment
Share on other sites

securitybreach

Well you have to understand how VPNs work. You directly connect to the VPN and then all your traffic goes through the VPN. Your ISP only sees a direct connection to the VPN. So if you use a VPN, you use the assigned IP address they give to route your traffic through. So I do not think your suggestion would work as you would not be connecting to the VPN.

 

Also, think about this... why would a legitimate site use a phishing address for their paid users? Using navy.ml instead of the legit navy.mil.

 

You can continue using the service if you like but all of this stuff is throwing up huge red flags to me. While searching, I do not see anything flagging them as malicious but think about what is happening. Can you honestly without a doubt, trust them?

 

Also, you might want to check for a dns leak to see if they are protecting you at all https://dnsleaktest.com/

Link to comment
Share on other sites

Here's the results of the dns leak test. They think that I'm in Manassas (Virginia??), with the IP address belonging to that server and no indication of mine.

 

 

I tried to post the results here. But the Forum left a message that I was trying to post too many images, and would not allow me to post the results.

 

The test shows that I'm in Manassas (VA??). No name was produced. Showed that I was using Google.

 

Hey, I tried!

Edited by onederer
Link to comment
Share on other sites

I tried to post the results here. But the Forum left a message that I was trying to post too many images, and would not allow me to post the results.

How are you trying to post images? You can't post direct to the forum. You need to upload to an image sharing site such as Imgur and post the image link in image tags.

Link to comment
Share on other sites

Well, I have to admit that I don't know anything about Imgur. This does complicate things, doesn't it? One more layer.

Anyway, I perceived no leaks based on that website.

 

I could put up with the invader, if it would go away after one click to the "cancel" button. Maybe I could tolerate doing it twice! It gets bad when it comes back persistently over and over again. This reminds me of those CAPTCHA applications with images. It's like one is chasing its tail. It keeps one busy for what seems an endless time, with more and more images appearing, while clicking to make them disappear.

 

I

Link to comment
Share on other sites

securitybreach

Well it will never go away until you change VPN providers to one that does not host malware on malicious urls.

Link to comment
Share on other sites

Could it be that Zenmate uses the coffey.ml server as part of its VPN setup and that it's just buggy and asking you to log in? My VPN allows you to choose a different location to log in and hence a different server. Is that possible with Zenmate?

Speaking personally if you want to use VPN I think it's better to pay the $4 per month and get a service like PIA. There is no free lunch ( except maybe for Linux - but even there you have to invest your time.) But that's just me. Your mileage may vary.

Link to comment
Share on other sites

V.T. Eric Layton

Consider this, if that login popup is some sort of malware and you entered your Zenmate user/pw at any time since this started happening, the chances are that someone somewhere may now have your Zenmate login information.

Link to comment
Share on other sites

V.T. Eric Layton

That xx.coffey.ml is a domain owned by LeaseWeb. You can whois the IP address 108.59.8.218 (Manassas, VA) and get the abuse phone number for LeaseWeb. They may be able to tell you something about this annoying popup.

 

vtel57@ericsbane07~:$ whois 108.59.8.218

#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at: https://www.arin.net/whois_tou.html
#
# If you see inaccuracies in the results, please report at
# https://www.arin.net/public/whoisinaccuracy/index.xhtml
#


#
# The following results may also be obtained via:
# https://whois.arin.net/rest/nets;q=108.59.8.218?showDetails=true&showARIN=false&showNonArinTopLevelNet=false&ext=netref2
#

NetRange:	   108.59.0.0 - 108.59.15.255
CIDR:		   108.59.0.0/20
NetName:	    LEASEWEB-USA-WDC-01
NetHandle:	  NET-108-59-0-0-1
Parent:		 NET108 (NET-108-0-0-0-0)
NetType:	    Direct Allocation
OriginAS:	   AS30633
Organization:   Leaseweb USA, Inc. (LU)
RegDate:	    2010-11-18
Updated:	    2016-06-06
Comment:	    Please send all abuse notifications to the following email address: abuse@us.leaseweb.com. To ensure proper processing of your abuse notification, please visit the website www.leaseweb.com/abuse for notification requirements. All police and other government agency requests must be sent to subpoenas@us.leaseweb.com.
Ref:		    https://whois.arin.net/rest/net/NET-108-59-0-0-1


OrgName:	    Leaseweb USA, Inc.
OrgId:		  LU
Address:	    9480 Innovation Dr
City:		   Manassas
StateProv:	  VA
PostalCode:	 20109
Country:	    US
RegDate:	    2010-09-13
Updated:	    2017-01-28
Comment:	    www.leaseweb.com
Ref:		    https://whois.arin.net/rest/org/LU


OrgTechHandle: LEASE-ARIN
OrgTechName:   Leaseweb ARIN
OrgTechPhone:  +1-571-814-3777
OrgTechEmail:  arin@us.leaseweb.com
OrgTechRef:    https://whois.arin.net/rest/poc/LEASE-ARIN

OrgNOCHandle: LEASE-ARIN
OrgNOCName:   Leaseweb ARIN
OrgNOCPhone:  +1-571-814-3777
OrgNOCEmail:  arin@us.leaseweb.com
OrgNOCRef:    https://whois.arin.net/rest/poc/LEASE-ARIN

OrgAbuseHandle: LUAD3-ARIN
OrgAbuseName:   Leaseweb US abuse dept
OrgAbusePhone:  +1-571-814-3777
OrgAbuseEmail:  abuse@us.leaseweb.com
OrgAbuseRef:    https://whois.arin.net/rest/poc/LUAD3-ARIN

RNOCHandle: LEASE-ARIN
RNOCName:   Leaseweb ARIN
RNOCPhone:  +1-571-814-3777
RNOCEmail:  arin@us.leaseweb.com
RNOCRef:    https://whois.arin.net/rest/poc/LEASE-ARIN

RAbuseHandle: LUAD3-ARIN
RAbuseName:   Leaseweb US abuse dept
RAbusePhone:  +1-571-814-3777
RAbuseEmail:  abuse@us.leaseweb.com
RAbuseRef:    https://whois.arin.net/rest/poc/LUAD3-ARIN

RTechHandle: LEASE-ARIN
RTechName:   Leaseweb ARIN
RTechPhone:  +1-571-814-3777
RTechEmail:  arin@us.leaseweb.com
RTechRef:    https://whois.arin.net/rest/poc/LEASE-ARIN


#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at: https://www.arin.net/whois_tou.html
#
# If you see inaccuracies in the results, please report at
# https://www.arin.net/public/whoisinaccuracy/index.xhtml
#

 

Also, Zenmate VPN has some pretty ugly reviews online. Do a Google search for "Zenmate reviews" to read some of them.

Link to comment
Share on other sites

I'm already logged into ZenMate. So basically, that logon doesn't really pertain to me. It could be meant for the payees for the faster service. And yes, it could also be malware.

 

However, as a matter of learning and exercise, going back to the first question. Whether it is malware, or just bad programming and sending the logon application to the wrong people, Either way, there must be some way to block this nuisance! That was my quest.

 

It doesn't fit into the blocking programs' category, where it can easily be blocked. So it's coming in via some other means. And what is that means? Firewall? Anyone know? I'm sure that it can be blocked, I just don't have the knowledge to know how to do it! That company has the knowledge how to bypass barriers, foreign and domestic, where some countries censor Internet knowledge.

 

And I want to thank you guys for sticking with me on this topic. I really appreciate it. Your input is always welcome.

Link to comment
Share on other sites

V.T. Eric Layton

Just out of curiosity...

 

Does this happen in other browsers? Firefox? Konqueror, etc? Or does that Zenmate VPN only work through the Chrome extension?

Link to comment
Share on other sites

You are right! I've been putting up with this for a while, but so far, found no way to block the invader login. With that link you provided, you will find that another user uses ZenMate in another browser.

 

This time, I thought that I'd put another effort to try to learn how to get rid of this invader login. There must be a way! I thought with all of us together, we could learn and find a way to block that nuisance.

 

Cheers!

Link to comment
Share on other sites
