
Forum Moderators: Ocean10000

Searchincognito.com

     
9:22 pm on Apr 28, 2016 (gmt 0)

Senior Member

WebmasterWorld Senior Member aristotle is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Aug 4, 2008
posts:3673
votes: 374


I've seen this one several times lately. Here is Google's search results snippet about it:
Searchincognito.com virus is a browser hijacker that attacks Internet Explorer, Mozilla Firefox, Google Chrome and even Safari browsers. ... Once inside, the application replaces your homepage and default search provider with Searchincognito.com


Host: 73.250.98.*** 
/
Http Code: 200 Date: Apr 28 16:54:31 Http Version: HTTP/1.1 Size in Bytes: 24210
Referer: http://r.searchincognito.com/
Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.112 Safari/537.36

[edited by: keyplyr at 12:45 am (utc) on Apr 29, 2016]
[edit reason] depersonalized IP address [/edit]

11:51 pm on Apr 28, 2016 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member keyplyr is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Sept 26, 2001
posts:12913
votes: 893


73.250.98.*** is Comcast, so likely an infected browser of an ISP customer.

They host at: AWS
NetRange: 23.20.0.0 - 23.23.255.255
23.20.0.0/14

12:22 pm on Apr 29, 2016 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month

joined:Dec 27, 2004
posts:1998
votes: 75


I had a visitor with the https: //www.searchincognito.com/ referrer as well, from 75-137-4-**.dhcp.nwnn.ga.charter.com ----- Charter Communications -- ISP

UA was different: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.112 Safari/537.36
Seems to be the same build of Chrome though.

Nothing special about the visitor, hit a home page and then browsed 7 other pages. Normal requests.

OT >>

As far as : aristotle, not particularly @ U.
Searchincognito.com virus is a browser hijacker that attacks Internet Explorer, Mozilla Firefox, Google Chrome and even Safari browsers. ... Once inside, the application replaces your homepage and default search provider with Searchincognito.com


That would be an incorrect statement. Searchincognito is an approved chrome extension:
https://chrome.google.com/webstore/detail/search-incognito/fdobakplmmicnnhioedbifobmpoaglac
If it was a virus it would not make it to chrome.google.com/webstore.....

What's virus is Goog providing links to 50,000+ WIKI-HOW types of sites/pages (I am assuming the snippet belonged to 2-viruses.com) that go a full length in explaining how to remove a particular program alongside displaying Ads that make a user/visitor feel safer and misleading visitors at the same time with HUGE Green and Yellow Download Uninstaller buttons and Phone numbers to call. Oh and while you browse those sites, just know that DoubleClick, AddThis and such would be there as well.

If we follow the same logic/common sense, then Goog/Bing/Ask/Yahoo Toolbars are in the same exact category.

Try downloading Java, and clicking Next, Next Next... One will end up with some type of a browser toolbar. Try finding a driver for a slightly outdated HP printer... - end up with a Gig of junky software that does nothing but "Monitors Your system for the best performance".

<< OT

2:02 pm on Apr 29, 2016 (gmt 0)

Senior Member

WebmasterWorld Senior Member aristotle is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Aug 4, 2008
posts:3673
votes: 374


That would be an incorrect statement. Searchincognito is an approved chrome extension:

That might be a different search incognito utility. At any rate, I'm not going to take the risk of going to searchincognito.com to see if it has any official connection with google.

8:40 pm on Apr 29, 2016 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member lucy24 is a WebmasterWorld Top Contributor of All Time 5+ Year Member Top Contributors Of The Month

joined:Apr 9, 2011
posts:15944
votes: 890


I'm not going to take the risk of going to searchincognito.com to see if it has any official connection with google.

If it were google-connected, wouldn't it live on a Google server instead of AWS?

9:17 pm on Apr 29, 2016 (gmt 0)

Senior Member

WebmasterWorld Senior Member aristotle is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Aug 4, 2008
posts:3673
votes: 374


If it were google-connected, wouldn't it live on a Google server instead of AWS?

That's just another reason not to take the risk.

9:27 pm on Apr 29, 2016 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member keyplyr is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Sept 26, 2001
posts:12913
votes: 893


I agree with blend27. There may or may not be a virus circulating at one time or presently that injects code to switch browser preferences, but setting up Warning sites to get ad clicks is a well-known black hat tactic. Also, competitors may start these net rumors to discredit another company.

Searchincognito is indeed a valid search resource and browser extension (although I block it because of the "incognito" attribute.) Just because a visitor has a referrer from any remote web site does not in itself construct a threat to your web site. There would need to be some sort of script injection.

1:59 pm on Apr 30, 2016 (gmt 0)

Senior Member

WebmasterWorld Senior Member aristotle is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Aug 4, 2008
posts:3673
votes: 374


Well if you do a google search for "searchincognito.com" (without quotes), and look at the results, there are literally dozens of entries about how to remove it from your browser.

So you certainly get the impression that a lot of people must want to get rid of it.

Since otherwise there wouldn't be so many sites with removal instructions.

So for whatever reason, a lot of people evidently want to get rid of it.

4:59 pm on May 2, 2016 (gmt 0)

Senior Member

WebmasterWorld Senior Member wilderness is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Nov 11, 2001
posts:5507
votes: 5


FWIW, this morning had a valid visitor (all supporting files and images) with the com as the refer.

50.45.44.zzz - - [02/May/2016:09:31:07 -0600] "GET /MySub/MyPage.html HTTP/1.1" 200 5967 "https:// www.searchincognito.com" "Mozilla/5.0 (Windows NT 6.1; rv:46.0) Gecko/20100101 Firefox/46.0"
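
An added example, not part of any post in this thread: a small tally of combined-format access-log lines like the one quoted above, grouping requests by client and user agent when the Referer host is a watched domain or one of its subdomains (such as `r.searchincognito.com`). The function names, the watchlist variable, and the sample lines are constructed for illustration, and the script only reports, it does not block.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Apache "combined" log format, the layout of the line quoted above.
COMBINED = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<path>\S+) [^"]*" '
    r'\d{3} \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
WATCHLIST = {"searchincognito.com"}  # referrer domains to tally (assumed name)

def referer_host(referer):
    """Return the lowercase host of a Referer value, or '' if there is none."""
    cleaned = referer.replace(" ", "")  # pasted log lines can carry stray spaces
    if cleaned in ("", "-"):
        return ""
    return (urlsplit(cleaned).hostname or "").lower()

def on_watchlist(host, watchlist=WATCHLIST):
    """Match the domain or any subdomain, but not a lookalike host."""
    return any(host == d or host.endswith("." + d) for d in watchlist)

def summarize(lines):
    """Map (client ip, user agent) -> paths requested with a watched referrer."""
    hits = defaultdict(list)
    for line in lines:
        m = COMBINED.match(line)
        if m and on_watchlist(referer_host(m["referer"])):
            hits[(m["ip"], m["ua"])].append(m["path"])
    return dict(hits)

# Constructed sample data (documentation IP ranges), not real traffic.
FX = "Mozilla/5.0 (Windows NT 6.1; rv:46.0) Gecko/20100101 Firefox/46.0"
CH = "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.112 Safari/537.36"
TS = "[02/May/2016:09:31:07 -0600]"
SAMPLE = [
    f'192.0.2.10 - - {TS} "GET /MySub/MyPage.html HTTP/1.1" 200 5967 "https:// www.searchincognito.com" "{FX}"',
    f'192.0.2.10 - - {TS} "GET /style.css HTTP/1.1" 200 812 "http://example.org/MySub/MyPage.html" "{FX}"',
    f'198.51.100.7 - - {TS} "GET / HTTP/1.1" 200 24210 "http://r.searchincognito.com/" "{CH}"',
    f'203.0.113.5 - - {TS} "GET / HTTP/1.1" 200 24210 "http://searchincognito.com.example.net/" "{CH}"',
    f'203.0.113.9 - - {TS} "GET / HTTP/1.1" 200 24210 "-" "{CH}"',
]

if __name__ == "__main__":
    for (ip, ua), paths in summarize(SAMPLE).items():
        print(ip, paths, ua)
```
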

6:19 pm on May 2, 2016 (gmt 0)

Senior Member

WebmasterWorld Senior Member aristotle is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Aug 4, 2008
posts:3673
votes: 374


Yes, I'm pretty sure that these are real human visitors. But I still think they may be using infected browsers.

6:40 pm on May 2, 2016 (gmt 0)

Senior Member

WebmasterWorld Senior Member wilderness is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Nov 11, 2001
posts:5507
votes: 5


I had UA's with FunWebProducts denied (may still) for the longest while because that product was a URL hijacker (replaced links of web pages with their spam links), however many folks disagreed with that analysis of FunWebProducts.

9:24 am on May 3, 2016 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month

joined:Dec 27, 2004
posts:1998
votes: 75


"FunWebProducts - Get thousands of smileys, screensavers, cursors and more cool stuff - all 100% free!"

I literally have that HARD-CODED within the first 15 lines of the site-access module, with the abort following it. I remember that at some point almost a half of my beloved AOL visitors were having Fun with their products, on the Web.