Suspect website?

Apologies if this is the wrong section, but there appear to be reports of such things here.

The site I’m concerned about links to a download page for Eaton (Powerware) software. The linked page looks genuine, except for some subtle differences. I have been through and compared the whole (tedious) download process on both the real site and the second-party linked site. There are two differences: the original site ‘remembers’ a second email I entered once, the linked site doesn’t; and the linked site shows https:// in the address bar where the original site doesn’t.

It may not be a problem. I couldn’t detect malware anywhere, but…
The first time I tried to install something from the second-hand site (a while ago now), all it did was place my “Homegroup” whatsit (NOT a shortcut!) on my Desktop and I couldn’t get rid of it except by System Restore.
A little worrying, imo, though I can’t replicate it now.

Any thoughts?
Thanks.

Difficult to say without a broken link to that website in particular. Eaton software could have come bundled with some crap or foistware, but again difficult to trace without any leads. This link seems OK: https://www.virustotal.com/nl/url/6aa819b87218bc4e5469098ce9005134e7c5b541e2ad9ff456b47727eecdea18/analysis/1394891454/

polonus

Thanks. I did a Virustotal check on the URL’s. They test clean there.

Anyhow… The one I was bothered about is http://www.xentrikDOTnet/software/lansafe.html. The “Download now” goes to the same URL as I can find directly through Eaton’s own site. The page displayed, however, was slightly different.

Today I find some of those differences gone, except on Eaton’s page there is a time stamp (and some other numbers, and a red down arrow) - top right, beneath the search box http://powerquality.eaton.com/Support/Software-Drivers/Default.asp

On the page linked from xentrik.net, the time stamp is missing. Oh, and… It’s https, not http.

Maybe nothing to worry about…

See the code hiccup here: http://jsunpack.jeek.org/?report=437f4b6a51e5187ba7524c6597925d62197a0e6a
wXw.xentrik dot net/resources/ui.core.js
status: (referer=wXw.xentrik dot net/software/lansafe.html)saved 13932 bytes 726343f71a9c691d959bbe720f9085b63c1b4598
info: [decodingLevel=0] found JavaScript
error: undefined variable jQuery
error: undefined variable $.fn
error: line:1: SyntaxError: missing ; before statement:
error: line:1: var $.fn = 1;
error: line:1: …^
suspicious:
DNS issues - errors: No SOA record found for wXw.xentrik dot net.

No SOA record was found when querying the name server. This is most probably due to a misconfiguration at the name server - a zone must have a SOA record.

Nameserver 64.68.192.210 does not do DNSSEC extra processing.
Nameserver 72.52.2.1 does not do DNSSEC extra processing.
Nameserver 64.68.196.10 does not do DNSSEC extra processing.

polonus

Thanks Polonus. That’s interesting; what I see on the link you provide is:

wXw.xentrik.net/resources/ui.core.js benign
[nothing detected] (script) wXw.xentrik.net/resources/ui.core.js
status: (referer=wXw.xentrik.net/software/lansafe.html)saved 13932 bytes 726343f71a9c691d959bbe720f9085b63c1b4598
info: [decodingLevel=0] found JavaScript
error: undefined variable jQuery
error: undefined variable $.fn
error: line:1: SyntaxError: missing ; before statement:
error: line:1: var $.fn = 1;
error: line:1: …^
suspicious: maxruntime exceeded 10 seconds (incomplete) 0 bytes
file: 726343f71a9c691d959bbe720f9085b63c1b4598: 13932 bytes
file: 02374313b7d5efe1a82f6a8961c175612aeece6f: 14309 bytes
file: 911fab93715f12ecb5a335a1e963305d13b9c618: 14403 bytes

No idea what any of it means. :)

Hi CCV,

I’ll try to explain it to you as best I can. I have fed the site URL to jsunpack, a JavaScript unpacker tool and JavaScript malcode analyzer meant for security researchers. Everything I found was benign…
What I reported there is what I myself will call a “code hiccup”. It is flagged “suspicious” as the code takes somewhat longer to run than expected - the max runtime of 10 seconds is exceeded, probably because of errors in that ui.core.js code in Firefox, but it also kicks up some errors in IE. The particular problem in IE is reported here by “mssbee”, read: http://wordpress.org/support/topic/plugin-vslider-fix-if-you-get-an-error-with-ie
Most Content Management Software problems do not arise from the core software, as this is often and regularly checked for insecurities and therefore comes fully updated and patched. It is in free plug-ins and themes where the exploitable code that can be abused/hacked is found.
JavaScript coding is performed with more security in mind nowadays, but time pressure for developers and the need to “bend some curves” for better code performance under all circumstances and browser differences mean that we see such issues appear, and sometimes they create exploitable situations that could lead to infestations of sorts. Here I get a “proxy-revalidate, must-revalidate” with this application/javascript.
Well we can establish there is no malcode there: http://wepawet.iseclab.org/view.php?hash=cccebf64ae63c98b561cba49624fa288&t=1394976349&type=js
See response headers here: https://www.virustotal.com/nl/url/ff6433dee42ac2f59298298fab6fd0474926c47a9132d7661b7686508ce16b30/analysis/1394976419/

The variable must be set before allowing it to echo, that is why we get the error : https://www.virustotal.com/nl/url/ff6433dee42ac2f59298298fab6fd0474926c47a9132d7661b7686508ce16b30/analysis/1394976419/

The behavior of

 var $.fn = 1; 

is quirky across browsers - it is a function pointer that you actually do not see in JavaScript.

But these are issues that should not be worrying you, but that should be a concern for the jQuery developers.

Hope that you understand now that analyzing website malcode is a rather complicated business, it is very very interesting stuff.
So it was fun to dive a little further into this for you. Have a nice day and stay safe and secure,

Damian
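As an added illustration of the jsunpack lines quoted above (this is not code from any of the posts, nor the real ui.core.js): a jQuery UI plugin only assigns into `$.fn`, so when an analyzer loads it on its own the name `jQuery` is unresolved, and a stub written as a declaration (`var $.fn = 1;`) can never parse. The snippet assumes, as a labelled assumption, that the sandbox tries to satisfy “undefined variable” reports by prepending such `var` stubs; the plugin text is constructed.

```javascript
// Added example (not from the thread): why an analyzer sandbox reports
// "undefined variable jQuery" and then "SyntaxError ... var $.fn = 1;"
// when it evaluates a jQuery UI plugin by itself.
//
// Assumptions (not stated in the thread): the analyzer stubs unknown names by
// prepending "var <name> = 1;" and re-running; plugins of the ui.core.js kind
// extend $.fn. PLUGIN below is constructed, not the real ui.core.js.

const PLUGIN =
  "(function($){ $.fn.sayHi = function(){ return 'hi'; }; })(jQuery);";

// Parse and run a snippet in a fresh function scope; the keys of `scope`
// become the only names visible to it. Returns "ok" or the error class name,
// so a parse failure (SyntaxError) is distinguishable from a missing global
// at run time (ReferenceError).
function run(snippet, scope) {
  try {
    const names = Object.keys(scope);
    const fn = new Function(...names, snippet); // throws on a parse error
    fn(...names.map((n) => scope[n]));          // throws on a missing name
    return "ok";
  } catch (e) {
    return e.constructor.name;
  }
}

// 1. Plugin alone: nothing defines jQuery -> ReferenceError at run time.
function pluginWithoutJquery() {
  return run(PLUGIN, {});
}

// 2. The naive stub for "$.fn": a dotted name cannot be declared with var,
//    so the parser rejects it before a single statement runs.
function naiveStub() {
  return run("var $.fn = 1;", {});
}

// 3. The same thing as a plain assignment is valid once `$` exists.
function validAssign() {
  return run("$.fn = 1;", { $: {} });
}

// 4. A working stub: supply a jQuery object that already has `fn`, alias `$`
//    to it, then load the plugin and call what it installed.
function pluginWithStub() {
  const jQuery = { fn: {} };
  const result = run(PLUGIN, { jQuery, $: jQuery });
  if (result !== "ok" || typeof jQuery.fn.sayHi !== "function") return result;
  return jQuery.fn.sayHi();
}
```

Run with `node`: cases 1 and 2 reproduce the two kinds of message in the jsunpack report, and case 4 is what a sandbox has to do (ship a jQuery stub, or load the real library first) before a plugin like this can be exercised at all.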

I’m glad to hear it was some fun for you. And, I can very well imagine it being that interesting, albeit complicated.

I could’ve played it safer by not attempting to download the software from an outside source. Not sure now what I thought it might accomplish, but I was at my wit’s end trying to get the program running properly. Anyway, it linked through to the Eaton site so I thought it would be ok. There is still a question of whether the Eaton page linked to from xentrik.net might be counterfeit and contain malware. I think that’s unlikely, really, but it is a bit different from the original (as in the link posted previously).

Thanks again, and cheers.

Hi CCV,

WOT only questions lansafe downloads from softadvice informer dot com and this base, see: https://www.mywot.com/en/scorecard/lit.powerware.com?utm_source=addon&utm_content=popup
This should set your mind at ease, however: http://www.shouldiremoveit.com/LanSafe-66917-program.aspx
Hope we can count you among the 93% that will keep the program, whereas 7% of users decided to remove it.

greets,

Damian

I wonder what problem WOT has with that branch of Eaton’s site. I mean, from what I know of it, it is basic documentation about their products - user manuals and such. (I have seen reports of ransomware sometimes masquerading as PDF downloads, but this is not the case here - not yet anyway.)
Like this, for example http://powerquality.eaton.com/Products-services/Backup-Power-UPS/5110-eol.aspx#documentationtab
Or, because I want to find what on earth “X-slot” (as it appears on the Device Manager entry for this thing) means, http://powerquality.eaton.com/Products-services/legacy/usb-card-info.asp

I always had the idea that Lansafe was required for the UPS to do a ‘graceful’ shutdown. Though, in the lifetime of the first battery (about 15 years), I never found out for sure…
In any case, where the problem lay this time was the (required) driver installation, which I wouldn’t have known about except for Lansafe not functioning properly. The driver installation was a breeze in XP; not so in 8.1.