Pages:
1
2
3 |
franklyn
International Hazard
Posts: 3026
Registered: 30-5-2006
Location: Da Big Apple
Member Is Offline
Mood: No Mood
|
|
This happened to me
Read about my recent experience here _
http://forum.grisoft.cz/freeforum/read.php?4,99239,100601#ms...
http://forum.grisoft.cz/freeforum/read.php?4,99239,101548#ms...
I don't wish this on anyone except those that perpetrate such haoc.
Countermeasures you can take , see the end of this post here _
http://www.sciencemadness.org/talk/viewthread.php?tid=7144&a...
I have updated the links cited there
The above was my experience despite having a router and windows XP firewall
working together ( I have since installed ZoneAlarm which can at least warn of
uninitiated accessing of the internet by one's system ) and all the usual - Grisoft
AVG Antivirus real time resident scanner , Winpatrol and RegProtector real time
resident registry monitors , Spywareblaster browser configuration application ,
Spybot Search and Destroy , Ad-aware , Microsofts own Malicious Software
Removal utility , two rootkit scanners.
Unfortunately available anti-virus , anti-spyware , and " security " software are
as useful as a smoke detector when a jet plane crashes your building.
It may take a lot to make a grown man cry and that may well be the result if
one is the least careless online. In the present day being complacent is no longer
an option. This means Active-X, active scripting , and Java must all be disabled
by default , only enabled as needed.
http://docs.info.apple.com/article.html?artnum=305149
A heap buffer overflow exists in the handling of QuickTime (*.qt ) movie files. By
the user unknowingly accessing a maliciously-crafted *.qt file the scripted attack
triggers the overflow , which leads to arbitrary JavaScript code execution in
context of the local domain. The file need not be visible or even evident , at 20
kilobytes or less , it merely serves as an attack vector to compromise the host
system. I also experienced this after the debacle cited above.
If you use this format install the patched Quicktime player 7.1.5 or later.
Apple's Quicktime *.qt video is an older format , I do not ever recall having seen
one , *.mov is now universal. To obviate potential vulnerabilities I changed the
*.qt file association so that it opens harmlessly in notepad. In the toolbar at the
top of a window of windows explorer , click " Tools " > " File Types " tab > scroll
down to " QT " and below where it says " Opens with : " click the " Change " box
and browse for Notepad and click OK. While you're there do the same for the REG
( registry file extension ) . Should you need to merge a registry file you can always
use the right click context menu " Open With " option and select the Registry Editor
from there.
[Edited on 25-6-2007 by franklyn]
|
|
franklyn
International Hazard
Posts: 3026
Registered: 30-5-2006
Location: Da Big Apple
Member Is Offline
Mood: No Mood
|
|
W A R N I N G
I have found that his site _
http://freebooksandmagazines.blogspot.com/2007_09_01_archive...
which is posted above here _
http://www.sciencemadness.org/talk/viewthread.php?tid=7208&a...
after loading it's very substantial size , to be un-navigable. The scroll bar remains
inoperable but activates another instance of my browser which displays in Task
Manager ( this is a means of remotely gaining surreptitious control of your sytem )
all browser function freezes and it has to be terminated. All the while an unusual
amount of outgoing activity is detected by Zone Alarm. Very odd for files which
are supposedly being uploaded.
My browser and system security settings only prevent unwarranted actions from
executing. Investigating the cause discloses that 7 script files are loaded. This is
normal for a multimedia site , what is not is that 4 of these scripts are identified
as a security risk by the script scanner I use.
3 have this warning _
Can use the Eval/Execute Function to hide malicious code
The Eval and Execute Functions are pieces of code that
can be used to generate and execute code on the fly.
A malicious script could use this to hide what actions
it's going to perform.
one other has this warning _
Can execute Other Programs
This script can run other programs. This could give the
script the ability to execute potentially hazardous programs
without your knowledge.
I have had prior experience with this type of attack and it is not pretty.
This is undetected by the usual security software since it is not a virus
nor a malicious file that's installed , it is all done while you browse.
See my previous post here above ^
http://www.sciencemadness.org/talk/viewthread.php?tid=8075&a...
freebooksandmagazines is hosted by Blogspot a commercial Google site.
http://buzz.blogger.com/2007/08/blogger-and-malware.html
Blogger sites are known vectors for disseminating " drive by installs "
J U S T . B E . C A R E F U L , deactivate scripts and Java beforehand.
In fairness to http://freebooksandmagazines.blogspot.com
that page loads well and does not exhibit any suspicious behaviors. The problem
seems to be exclusive to the reference - /2007_09_01_archive.html
The chemistry section accessible from a margin link on the home page displays well.
.
[Edited on 3-10-2007 by franklyn]
|
|
Sauron
International Hazard
Posts: 5351
Registered: 22-12-2006
Location: Barad-Dur, Mordor
Member Is Offline
Mood: metastable
|
|
Why don't you post this warning in same thread as the troublesome post, and contact JohnWW and ask him to delete it?
Even if he does not agree, a moderator can elect to do so over his objections if the link is deemed to be a threat to this site and/or community - I
suppose.
I tried the Chemistry section and only saw one book worth downloading.
Sic gorgeamus a los subjectatus nunc.
|
|
franklyn
International Hazard
Posts: 3026
Registered: 30-5-2006
Location: Da Big Apple
Member Is Offline
Mood: No Mood
|
|
Remarks to live by
For those who believe they could not have been hacked , I have two questions :
1 ) How are you able to tell ?
2) Outline the proceedure you use to determine your conclusion.
Not experiencing an intrusion yourself does not preclude it from happening
to others if the site is co-opted moments after you left it.
How site hijacking may be done _
See what Google has to say _
http://www.google.com/support/bin/answer.py?answer=45449&...
One method that may be used to inspect a site for worthiness beforehand
is to have it audited by an online url / webpage scanner.
Online internet site scanners -
http://www.w3.org/QA/Tools
Two of the scanners listed below here _
Markup HTML validation
Click -More Options- and click [ Verbose ]
http://validator.w3.org
CSS style sheet validation
Click -More Options- and select -Warnings-[ Normal report ] , -Profile-[ No special profile ] , -Medium-[ all ]
http://jigsaw.w3.org/css-validator
Two more site scanners
http://online.drweb.com/?url=1
http://www.void.be/urlcheck.html
Please note that any proper url reviewed will within five seconds return a report.
Only something that does not correspond to accepted norms and standards cannot
be interpreted.
Using this scanner cited above _ http://jigsaw.w3.org/css-validator
to inspect this questionable site _
http://
freebooksandmagazines.blogspot.com/2007_09_01_archive.html
results in a detailed report. Type the site in yourself to view the report
from the scan itself.
Excerpts _
Value Error : cursor hand is not a cursor value : hand
This is why initially the cusor will not scroll the page , and is apparently set
to trigger another sequence of executable code opening another browser.
Warnings (1)
If quoting is omitted, any whitespace characters before and after the name
are ignored and any sequence of whitespace characters inside the name is
converted to a single space.
This is similar to the quote convention for a non Dos path to a file in windows.
This code is not seen as text.
Valid CSS Information
.blog-posts {
overflow : hidden;
}
This is the classic buffer overflow attack. Such a thing cannot take place
inadvertently because of bad coding , it must be deliberately contrived.
Unable to do any more online I used the application HTTrack Website Copier
cited here _
http://www.sciencemadness.org/talk/viewthread.php?tid=7200&a...
to download the entire website as an archive. Things just get more bizarre from
there on. Download proceeds at just under 25 KB per second , which would try
the patience of even dial up users. After 45 minutes , 3400 links and files , a total
369 MB were copied , at which point I stopped the HTTrack. The folder to which
this had supposedly been written to indicates it is only 56 MB containing just 1592
files. Inspecting the log file of the HTTrack shows the same warning repeated six
times , that the download is looping. Makes sense this explains the size difference
the files were being overwritten. The supposed website mirror that should have
been created on my system is not accessible by the browser and does not display.
A virus scan reveals nothing.
Again as I posted above _
In fairness to http://freebooksandmagazines.blogspot.com
that page loads well and does not exhibit any suspicious behaviors. The problem
seems to be exclusive to the reference - /2007_09_01_archive.html
The chemistry section accessible from a margin link on the home page displays well.
To make sure that malware won't be able to install on your computer: never work
as an administrator or a member of Administrators group. Make your user account
" limited user ". Then , even if some security hole or your negligence allows some
malware to install and run , it won't be able to copy anything to the system folders
and register itself in the OS. ( this is not guaranteed )
Alternatively ,
To prevent Internet sites from leaving data on your hard drive, run your browser in
Protected Mode prior to navigating the web. To start your browser , right-click it
and choose Run As. In the Run As dialog box, select Current user and make sure
that the option " Protect my computer and data from unauthorized program activity "
is checked . Then click OK.
* Note that when running in this protected mode, you won't be able to access
any secured sites whose URLs begin with " https:// ". Also, some commands ( such
as " Open Link in New Window " on the context menu ) may not work.
When running in the " Protect my computer " mode , that program can read Registry
settings, but cannot change them. In addition, if your hard disk is formatted with
NTFS, the program won't be able to alter any files associated with the current
profile, including cookies, temporary Internet files, the desktop, and My Documents.
Be aware , that while this option protects against a potentially harmful program
running on your system , it also brings grief to many perfectly healthy applications
that need to store settings or files in one of these locations. This reduces your
options to that of the Safe Mode one might apply a child. ( this also is no
guarantee of safety )
Go here to test your browser's security to Java exploits
http://www.halfhill.com/jsecure.html
Go here to test your firewall for port penetration
http://www.auditmypc.com
http://www.speedguide.net/scan.php
- note that this test will finish but the test page remains , so check the previous
start page after a couple of minutes to see if has completed.
Firewall integrity tests
http://bcheck.scanit.be/bcheck
-close the popup window only after it becomes erratic , the test will eventually
finish but the test page remains , go back to the start page to view results.
http://www.security-hacks.com/2007/04/24/how-to-test-your-fi...
http://insecure.org/nmap/index.html
Firewall evaluations
http://www.matousec.com/projects/windows-personal-firewall-a...
Highest rated Comodo Firewall Pro - http://www.personalfirewall.comodo.com/whyfree.html
just out since January , Version 2.4.18.184 and earlier are already potentially compromised
http://www.matousec.com/info/advisories/Comodo-Bypassing-set...
http://www.pcworld.com/downloads/userreviews/fid,63762/userr...
download version beta 3 for vista
http://www.softpedia.com/get/Security/Firewall/Comodo-Person...
I highly recommend the following , it requires no system overhead , it changes Script and Java
file extension associations so that these can be evaluated before they become activated.
You must do this manually by inspecting the downloaded script file in your browser cache.
This to some extent protects you from your thoughtless actions and won't stymie browsing.
http://www.jasons-toolbox.com/programs.asp?Program=Script%20...
EBAY Safe Browsing Tutorial
http://members.ebay.com/ws/eBayISAPI.dll?ViewUserPage&us...
Here is the sum of knowledge from available security sites and disclosures
http://www.snnx.com/securitynews
Select portals listed at the left , find CERT ( next here below ) with myriad others
CERT
http://www.us-cert.gov
http://www.kb.cert.org/vuls
http://www.cert.org/tech_tips/malicious_code_FAQ.html
http://www.us-cert.gov/reading_room
http://en.wikipedia.org/wiki/Cross-site_scripting
Digging Deeper
http://www.technicalinfo.net/tools/index.html
A related security post _
http://www.sciencemadness.org/talk/viewthread.php?tid=7144&a...
.
[Edited on 4-10-2007 by franklyn]
|
|
franklyn
International Hazard
Posts: 3026
Registered: 30-5-2006
Location: Da Big Apple
Member Is Offline
Mood: No Mood
|
|
First thing to do on that new just out of the box computer - run antivirus , I kid you not. Better yet reformat and install the operating system
fresh.
www.independent.co.uk/life-style/gadgets-and-tech/news/micro...
.
|
|
Eliteforum
National Hazard
Posts: 571
Registered: 18-11-2002
Location: United Kingdom
Member Is Offline
Mood: Enjoying the journey
|
|
Was there any need in digging up an old thread from five years ago for that utterly pointless reply?
All that glitters isn't gold.
|
|
Rogeryermaw
National Hazard
Posts: 656
Registered: 18-8-2010
Member Is Offline
Mood: No Mood
|
|
would you prefer he make a new thread on an existent topic? that is generally frowned upon here.
|
|
franklyn
International Hazard
Posts: 3026
Registered: 30-5-2006
Location: Da Big Apple
Member Is Offline
Mood: No Mood
|
|
Another " utterly pointless reply "
www.cnbc.com/id/49032374
Related Post
www.sciencemadness.org/talk/viewthread.php?tid=19386&pag...
.
|
|
Pages:
1
2
3 |