SoylentNews is people

posted by CoolHand on Sunday May 03 2015, @06:39AM
from the you-tell-me dept.

I recently updated my list of Seattle Tech Employers. All the way at the bottom is a link to Zoomingo, a local shopping site. When viewed on the iPhone, but not on Android, Windows nor Mac OS X, Zoomingo's Jobs page serves pr0n.

I attempted to contact Zoomingo through their contact page a few days ago but met with no response. I called the Domains by Proxy number listed in their WHOIS, only to reach a totally clueless customer service agent. He was generally nice about it, but quite confused.

"We only pass on your phone messages when they call in for it."

"Suppose they don't call in until a month from now. Are they going to be happy that a local sales website has been serving pr0n for a solid month?"

My understanding is that the Uniform Domain Dispute Resolution Policy requires up-to-date contact information in one's WHOIS record; I recall specifically that a domain was lost due to a stale postal address.

I don't have a problem with WHOIS privacy services but there should be a way for anyone who wants to reach the admin of a faulty server, to reach it immediately.

(My guess is that Zoomingo's jobs page depends on Javascript from some other domain, and that other domain's nameservers have been 0wnz0r3d.)

  • (Score: 0) by Anonymous Coward on Sunday May 03 2015, @07:09AM

    by Anonymous Coward on Sunday May 03 2015, @07:09AM (#178061)

    Zoomingo's Jobs page serves pr0n.

    Either they already fixed it ... orrrrr..... it's something on your machine. Maybe your browser got owned and is injecting that javascript on the client
    Anyway, another good reason to not enable that shit

    • (Score: 2, Informative) by Anonymous Coward on Sunday May 03 2015, @07:15AM

      by Anonymous Coward on Sunday May 03 2015, @07:15AM (#178067)

      If his browser wasn't owned before it may be now, by visiting that domain loading whatever the hijack made it serve alongside the porn.

    • (Score: 2, Interesting) by anubi on Sunday May 03 2015, @07:35AM

      by anubi (2828) on Sunday May 03 2015, @07:35AM (#178069) Journal

      Yeh, I *try* not to enable it, but many businesses flat will not talk to you unless you enable it.

      Now, for a *real* exercise in futility, try to use healthcare.gov with a malware-hardened system!!! I cannot get it to do a thing until I go online to them with complete vulnerability to everything. I am still looking for some way to sign up for healthcare without involving the computer, as once I have anything to do with my government using a computer, I will be highly vulnerable to phish attacks from hoodlums and extortion artists posing as governmental authorities with the ability to penalize and punish me for my failure to obey. So far, my obedience to phishers has been zero. I am comforted that they cannot have me jailed and my assets seized for failure to comply with their demand letters. I would not have that option if it looked like it came from the government. It costs me hundreds of dollars a year these days just to hire the skills to interface to my government to pay my tax. A good round of phish letters could easily cost me several hundred dollars if it trips off having to interface to government.

      I am rather miffed at the American people for not asking their Congressmen to clean up this mess. I would go further on this, but it's off-topic, so I will shut up.

      --
      "Prove all things; hold fast that which is good." [KJV: I Thessalonians 5:21]
      • (Score: 1, Informative) by Anonymous Coward on Sunday May 03 2015, @08:47AM

        by Anonymous Coward on Sunday May 03 2015, @08:47AM (#178074)

        Run the browser in a chroot-jail (or VM if on windows).

      • (Score: 0) by Anonymous Coward on Sunday May 03 2015, @09:35AM

        by Anonymous Coward on Sunday May 03 2015, @09:35AM (#178078)

        Yeah, healthcare.gov is a piece of garbage, which is especially inexcusable because you practically have to use it. This is likely the result of rampant corporatism in government.

        • (Score: 1) by anubi on Sunday May 03 2015, @10:07AM

          by anubi (2828) on Sunday May 03 2015, @10:07AM (#178080) Journal

          I still have not gotten healthcare.gov to work. It keeps showing me the same page over and over and over.

          It often sends me to pages with nothing on them. Just a logo and a picture of a smiling person. And maybe some comfort words like "we're here to help".

          I do not know what it is I am supposed to use to talk to them. Hell, I have even been having trouble talking to Amazon. The web pages have become so tangled up with scripts that no telling which scripts are getting tangled up in the firewalls or antivirus.

          I sure would like to assess each Congressman who voted this thing in a $95 dollar "responsibility" fee for failure to provide means of compliance with the law they passed.

          As a public, we are sure giving Congress far more authority than responsibility.

          --
          "Prove all things; hold fast that which is good." [KJV: I Thessalonians 5:21]
          • (Score: 3, Informative) by takyon on Sunday May 03 2015, @03:57PM

            by takyon (881) <reversethis-{gro ... s} {ta} {noykat}> on Sunday May 03 2015, @03:57PM (#178137) Journal

            Call to start or finish an application, compare plans, enroll or ask a question.

            1-800-318-2596 / TTY: 1-855-889-4325

            Available 24 hours a day, 7 days a week. Closed Memorial Day, July 4th, and Labor Day.

            --
            [SIG] 10/28/2017: Soylent Upgrade v14 [soylentnews.org]
            • (Score: 1) by anubi on Monday May 04 2015, @12:07AM

              by anubi (2828) on Monday May 04 2015, @12:07AM (#178278) Journal

              Thanks!

              I kept getting so much run-around I gave up.

              I figured I would rather pay the penalty than spend my time trying to comply. As far as I am concerned, their website just does not work. I do not know why all these "name-brand" people think they can get away with stuff that does not work.

              The problem is that Congress, unlike merchants, has the authority to enforce usage of their site while denying responsibility for even having their site work. Maybe it will on a specific browser/router setup, but it certainly does not work on mine. I believe it is most likely some little script getting hung up in the antivirus or firewall - and their end is not sufficiently robust to maintain connection with the customer in the event of a non-compliant connection. ( Well, I have problems with Amazon, too, but there are many other merchants on the net that work just fine, like Alibris, Ebay, and AliExpress. ).

              Besides I know elections are coming up and this whole thing could get thrown out if enough people like me were sufficiently annoyed by this whole affair.

              --
              "Prove all things; hold fast that which is good." [KJV: I Thessalonians 5:21]
      • (Score: 0) by Anonymous Coward on Sunday May 03 2015, @10:58AM

        by Anonymous Coward on Sunday May 03 2015, @10:58AM (#178089)

        I am rather miffed at the American people for not asking their Congressmen to clean up this mess.

        Where did you hear that congress critters work for the people? Who told you these lies?

    • (Score: 2) by BK on Sunday May 03 2015, @01:33PM

      by BK (4868) on Sunday May 03 2015, @01:33PM (#178112)

      Checked and verified. You have to try it in default iOS safari.

      --
      ...but you HAVE heard of me.
    • (Score: 2) by MichaelDavidCrawford on Sunday May 03 2015, @05:09PM

      Sorry I should have been more clear in my submission - it was reported to me by a complete stranger.

      --
      Yes I Have No Bananas. [gofundme.com]
  • (Score: 2, Informative) by anubi on Sunday May 03 2015, @07:10AM

    by anubi (2828) on Sunday May 03 2015, @07:10AM (#178062) Journal

    The first whack I would take is emailing to "abuse@zoomingo.com".

    Abuse is becoming so common that many webmasters use this name so feedback relating to this goes directly to the webmaster.

    I have used this a few times already to alert webmasters whose site was spewing phishes behind their back.

    I have posted on this forum a lot about phishing. This kind of crap pisses me off so much I will make a deliberate effort to trace it down and alert the webmasters who are getting stuck with the bandwidth hit distributing someone else's crap.

    Incidentally, I always make it a point to inline attach the raw page source of the offending email, all of it, to my email - as that way it's all out in the open and will be seen, not executed.

    If they are going to root through their system, they need all the info I can come up with - just telling them they are spewing phishes does not give them very much to go on. A dead phish gives them something to do a post-mortem on.

    In the event of a web page, I would do the same... inline copy/paste the page source of the offending page and put it beneath a dashed line so the webmaster can look at its headers and get a clue where in the system his little bastard is hiding.

    --
    "Prove all things; hold fast that which is good." [KJV: I Thessalonians 5:21]
  • (Score: 2) by captain normal on Sunday May 03 2015, @07:13AM

    by captain normal (2205) on Sunday May 03 2015, @07:13AM (#178064)

    Mike, if you really want a good job, all you need to do is adopt a British (or any European country) accent. Then you can go to work for Google and get a good salary for taking a great UI web site and loading it with mystery meat navigation and broken links. Just like these guys: http://www.theblaze.com/stories/2014/02/20/if-you-use-google-maps-be-ready-for-a-change-soon/ [theblaze.com]

    --
    When life isn't going right, go left.
    • (Score: 2) by Appalbarry on Sunday May 03 2015, @10:57PM

      by Appalbarry (66) on Sunday May 03 2015, @10:57PM (#178260) Journal

      Am I blind, or is there now no way to actually PRINT off a Google Map? (Aside from CTRL-P)

      Used to be you could preview and tweak the output before printing - it was a good thing.

      Of course Google now always clutters up every map with boxes full of stuff that I don't need, and which just block off part of the screen.

      Maybe it's a sign that Maps is about to offer a paid subscription version that actually does what it did two years ago?

  • (Score: 5, Informative) by toygeek on Sunday May 03 2015, @07:13AM

    by toygeek (28) on Sunday May 03 2015, @07:13AM (#178065) Homepage

    This is pretty basic web hosting knowledge, and this applies to any type of situation like this. In this case, you've got a site that is hosted on Amazon Web Services:

    root@home:~# host zoomingo.com
    zoomingo.com has address 107.21.231.44

    root@home:~# host 107.21.231.44
    44.231.21.107.in-addr.arpa domain name pointer ec2-107-21-231-44.compute-1.amazonaws.com.

    Their MX points at Google, so there's no finding the hostname of the machine they're running on, but you can stop here. Now let's look at their website source code:

    meta name="generator" content="WordPress 3.1"

    Their WordPress installation is older than a free AOL CD. Their WordPress site is compromised (obviously). So, what do you do? You take this knowledge to Amazon AWS's abuse dept:

    root@home:~# whois amazonaws.com | grep abuse@
    Tech Email: abuse@amazonaws.com

    Dear Amazon Abuse,

    It's come to my attention while I was browsing the following site that their very old WordPress installation is compromised and being used to serve pornographic material to iOS users.

    Then paste in the material you've found including screenshots and URLs. They'll contact the customer or host of the customer and you've done your part.

    Have a great evening :)

    --
    There is no Sig. Okay, maybe a short one. http://miscdotgeek.com
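
Added example, not part of any comment in this thread: a way to assemble the evidence the comments above suggest sending to an abuse contact (the generator tag, plus the raw page source below a dashed line) when a page differs by user agent, as the story reports. The HTML samples, the hosts `shop.example`, `cdn.example` and `injected.example`, and all function names are constructed for illustration; it compares static HTML only, so it catches differences made by the server, not a user-agent check that runs in the page's own JavaScript.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample input: the same page as served to two user agents.
DESKTOP_HTML = """<html><head>
<meta name="generator" content="WordPress 3.1" />
<script src="/wp-includes/js/jquery/jquery.js"></script>
<script src="https://cdn.example/analytics.js"></script>
</head><body>Jobs</body></html>"""
IPHONE_HTML = DESKTOP_HTML.replace(
    "</head>", '<script src="//injected.example/m.js"></script>\n</head>')
SAMPLES = {"desktop": DESKTOP_HTML, "iphone": IPHONE_HTML}


class PageFacts(HTMLParser):
    """Collect the generator meta tag and the hosts of script/iframe sources."""

    def __init__(self):
        super().__init__()
        self.generator = None
        self.hosts = set()

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "meta" and a.get("name", "").lower() == "generator":
            self.generator = a.get("content")
        elif tag in ("script", "iframe") and a.get("src"):
            host = urlparse(a["src"]).hostname  # None for relative URLs
            if host:
                self.hosts.add(host.lower())


def page_facts(html):
    """Return (generator string or None, set of external hosts)."""
    parser = PageFacts()
    parser.feed(html)
    return parser.generator, parser.hosts


def ua_only_hosts(variants, site_host):
    """Map each user-agent label to third-party hosts no other variant loads."""
    hosts = {ua: page_facts(html)[1] - {site_host}
             for ua, html in variants.items()}
    result = {}
    for ua, seen in hosts.items():
        others = set().union(*(h for u, h in hosts.items() if u != ua))
        result[ua] = sorted(seen - others)
    return result


def build_report(url, variants, site_host):
    """Plain-text findings, then each raw page source below a dashed line."""
    unique = ua_only_hosts(variants, site_host)
    lines = [f"URL: {url}"]
    for ua, html in variants.items():
        generator, _ = page_facts(html)
        lines.append(f"[{ua}] generator: {generator or 'not declared'}")
        for host in unique[ua]:
            lines.append(f"[{ua}] host loaded only for this user agent: {host}")
    for ua, html in variants.items():
        lines += ["-" * 60, f"raw source as served to {ua}:", html.strip()]
    return "\n".join(lines)


if __name__ == "__main__":
    print(build_report("https://shop.example/jobs", SAMPLES, "shop.example"))
```
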
    • (Score: 1, Touché) by Anonymous Coward on Sunday May 03 2015, @09:36AM

      by Anonymous Coward on Sunday May 03 2015, @09:36AM (#178079)

      Not that I'm advocating vigilantism, heavens no. However, if there's nothing "lawful" to be done... owner is dead/doesn't care/wontfix/goes aggro on you...? Time to go chaotic good on his ass.

      So this lame site is pissing you off by its existence... AND it runs wordpress for cavemen... a quick stroll across secunia's or packetstorm's advisory/exploit section, a chain of proxies or a combination of tor and proxies and someone else's wifi router, and you can take out the offending website YOURSELF without wasting any time on middlemen.

      Since the page is clearly malicious, and forwarding people to whatever... And the site has no useful, irreplaceable data someone worked for years to generate... It is my personal opinion, that taking the server out is the ethical thing to do, since the owners clearly don't give a damn. Ofc, as a citizen of a civilized country, I don't face any realistic penalty at all for this, your country's stance on this stuff might be different, heh heh.

      Don't fuck up.

      • (Score: 3, Insightful) by maxwell demon on Sunday May 03 2015, @10:11AM

        by maxwell demon (1608) on Sunday May 03 2015, @10:11AM (#178082) Journal

        I'm sure Amazon is not interested in serving porn, and probably has some terms in its contracts to that effect. So I guess if the web site owner is unresponsive also to Amazon, they'll simply shut down his site in accord with the contract.

        --
        The Tao of math: The numbers you can count are not the real numbers.
        • (Score: 4, Insightful) by toygeek on Sunday May 03 2015, @03:14PM

          by toygeek (28) on Sunday May 03 2015, @03:14PM (#178122) Homepage

          I doubt they care about hosting porn. But hosting a compromised site is a liability, and that, they care about.

          --
          There is no Sig. Okay, maybe a short one. http://miscdotgeek.com
      • (Score: 2, Disagree) by toygeek on Sunday May 03 2015, @03:11PM

        by toygeek (28) on Sunday May 03 2015, @03:11PM (#178121) Homepage

        And you sir, and your screwed up morality and ethics, are what is wrong. You DDOS this guy's site into oblivion, and take an unknown number of sites with it. When you DDOS a site, this usually results in the site's IP being null routed for a few hours. Now, everyone who has a site on that IP address gets their site taken offline. You've now hurt hundreds to get back at one, when all you had to do was email abuse@ their host and they'll take care of it FOR you in a civilized manner that won't hurt others. If you can take the time to DDOS then I'm sure looking up an abuse address is within your means. "But that's not as much fun!" you say? See my first sentence.

        --
        There is no Sig. Okay, maybe a short one. http://miscdotgeek.com
        • (Score: 3, Touché) by Geotti on Sunday May 03 2015, @05:56PM

          by Geotti (1146) on Sunday May 03 2015, @05:56PM (#178173) Journal

          He/She didn't say anything about DDoSing the site. The "action-plan" consisted of using an exploit for the Wordpress version (for cavemen, I like that!) in use and taking it down. No word about DoS.

          • (Score: 3, Insightful) by toygeek on Sunday May 03 2015, @09:39PM

            by toygeek (28) on Sunday May 03 2015, @09:39PM (#178234) Homepage

            Yup. You're right. This is what I get for posting before reading 3x. Thanks for the correction.

            --
            There is no Sig. Okay, maybe a short one. http://miscdotgeek.com
  • (Score: 2) by Tork on Sunday May 03 2015, @08:36AM

    by Tork (3914) Subscriber Badge on Sunday May 03 2015, @08:36AM (#178072)
    This is one of those cases where those that didn't RTFA will kick themselves later.
    --
    🏳️‍🌈 Proud Ally 🏳️‍🌈
  • (Score: 0) by Anonymous Coward on Sunday May 03 2015, @08:38AM

    by Anonymous Coward on Sunday May 03 2015, @08:38AM (#178073)

    If abuse@domain doesn't work you could try writing to postmaster@domain [wikipedia.org]. It's technically a requirement for all email servers, but the web sector isn't very big on the whole standards compliance thing as you probably know.

  • (Score: 4, Insightful) by sjames on Sunday May 03 2015, @09:08AM

    by sjames (2882) on Sunday May 03 2015, @09:08AM (#178076) Journal

    Try the form on the Contact Us page. Really, that's the end of it, you've done your good deed. If they reject the effort to help, that's on them.

    • (Score: 2) by toygeek on Sunday May 03 2015, @03:29PM

      by toygeek (28) on Sunday May 03 2015, @03:29PM (#178129) Homepage

      Emailing their host's abuse department is far more effective.

      --
      There is no Sig. Okay, maybe a short one. http://miscdotgeek.com
      • (Score: 2) by sjames on Sunday May 03 2015, @10:11PM

        by sjames (2882) on Sunday May 03 2015, @10:11PM (#178239) Journal

        If the objective is to punish them, yes. If the objective is to help them, no.

        If the material is truly offensive or likely to be found by kids, that might be the next step to get it taken down, but really I don't think that site would be all that attractive to kids.

    • (Score: 2) by MichaelDavidCrawford on Sunday May 03 2015, @05:12PM

      It's clear to me that many who operate websites, don't visit them themselves. Maybe they see their own homepage but don't visit their own jobs page until a new position opens up.

      I used their Contact Us form four days before I called Domains by Proxy.

      --
      Yes I Have No Bananas. [gofundme.com]
      • (Score: 2) by sjames on Sunday May 03 2015, @10:09PM

        by sjames (2882) on Sunday May 03 2015, @10:09PM (#178237) Journal

        That's it then. If they don't care about their own web page, why should you?

  • (Score: -1, Offtopic) by Anonymous Coward on Sunday May 03 2015, @09:35AM

    by Anonymous Coward on Sunday May 03 2015, @09:35AM (#178077)

    It doesn't seem to matter which site I read, there always appears to be a private browsing tab open and a pile of damp kleenex on my floor. I should probably start reporting this to web site operators as it can be embarrassing when I am on public transport. Does anybody have any tips?

  • (Score: 1, Informative) by Anonymous Coward on Sunday May 03 2015, @11:02AM

    by Anonymous Coward on Sunday May 03 2015, @11:02AM (#178090)

    I attempted to contact Zoomingo through their contact page a few days ago but met with no response. I called the Domains by Proxy number listed in their WHOIS, only to reach a totally clueless customer service agent. He was generally nice about it, but quite confused.

    This story should never have been submitted, much less posted.

    Q: How To Inform Domains by Proxy Customer Of Website Defacement?
    A: Via the admin email address listed in the WHOIS entry.

    Admin Name: Registration Private
    Admin Organization: Domains By Proxy, LLC
    Admin Street: DomainsByProxy.com
    Admin Street: 14747 N Northsight Blvd Suite 111, PMB 309
    Admin City: Scottsdale
    Admin State/Province: Arizona
    Admin Postal Code: 85260
    Admin Country: United States
    Admin Phone: +1.4806242599
    Admin Phone Ext:
    Admin Fax: +1.4806242598
    Admin Fax Ext:
    Admin Email: ZOOMINGO.COM@domainsbyproxy.com

    BTW, Zoomingo looks like it was abandoned last year and is just roadkill. The website hasn't had any updates all this year. Whatever listing you have them in, you should prune them out.

    • (Score: 2) by BK on Sunday May 03 2015, @01:38PM

      by BK (4868) on Sunday May 03 2015, @01:38PM (#178113)

      You could also go to their office. In person like.

      Now admittedly, this doesn't make sense if you live in Miami, but I presume these guys are a commutable distance from you.

      Of course, if they're closed down, you'd find that out. The best option may be to prune them from your list.

      --
      ...but you HAVE heard of me.
    • (Score: 0) by Anonymous Coward on Sunday May 03 2015, @03:22PM

      by Anonymous Coward on Sunday May 03 2015, @03:22PM (#178125)

      I would add that you made your effort to help them. But do not go any further. They obviously do not care; why should you? You have made your good faith effort. Remove them from your list and move on.

      Yes their computer is 'broken' however until someone on their end does something it will remain that way (probably when the money runs out and their web hosting turns them off).

      Does it hurt that they are broken? Yes. But there is little you can do to compel them to do better other than what you have already done. Which is ask.

  • (Score: 0) by Anonymous Coward on Sunday May 03 2015, @11:15AM

    by Anonymous Coward on Sunday May 03 2015, @11:15AM (#178094)

    OP: dontcha miss it?

  • (Score: 2) by Whoever on Sunday May 03 2015, @11:52AM

    by Whoever (4524) on Sunday May 03 2015, @11:52AM (#178101) Journal

    Domains by Proxy may forward the email, depending on the settings that the domain owner has used.

  • (Score: 2) by darkfeline on Monday May 04 2015, @08:20AM

    by darkfeline (1030) on Monday May 04 2015, @08:20AM (#178373) Homepage

    The way WHOIS is set up now is okay for businesses, but I think WHOIS privacy should be free for single persons owning domains. Paying for privacy is something that borders on the dystopian.

    To me, it's similar to defamation and libel. Large entities and celebrities have more clout with the press, so libel against them isn't seen as as harmful as libel against your average person, who has no recourse for fixing his reputation. Likewise, companies can very well register domains behind their various corporate masks, but a person has to pay extra to protect himself from exposing his privacy, which is required by law?

    --
    Join the SDF Public Access UNIX System today!