 sj |
||
|
||
Tech: 2345 piggybacking Mudcat
|
|
|
Subject: Tech: 2345 piggybacking Mudcat From: Bob the Postman Date: 03 Jul 13 - 12:56 PM The Chinese web archive site 2345(dot)com has attached itself to Mudcat on my iPad. When I open Mudcat, I get 2345 at the top of the page. Scrolling down there is the usual Mudcat home page. I understand that 2345 has a reputation for this sort of thing, but even so I don't know why this is happening to me, because I've always been a good person. What's gonna happen when the NSA realises I'm loading a Chinese site umpteen times a day? It won't matter that I got good marks in high school and always paid my taxes on time, I could be on a rendition flight to Syria by lunchtime. Any ideas how I got this tick on me and how to get rid of it? |
|
Subject: RE: Tech: 2345 piggybacking Mudcat From: Richard Bridge Date: 03 Jul 13 - 03:23 PM Try Ad-Aware or Spybot Search and Destroy - or possibly a rollback? |
|
Subject: RE: Tech: 2345 piggybacking Mudcat From: Jack Campin Date: 03 Jul 13 - 03:50 PM Looking at the status display of what Firefox is loading, 2345.com is always involved when I reload Mudcat (it helps to have a connection slow enough that I can see that). This line appears in the Mudcat homepage source: <iframe src=http://www.2345.com/?ktjwh202 width=0 height=0></iframe> Did Max put that there, or has it been sneaked in? |
|
Subject: RE: Tech: 2345 piggybacking Mudcat From: Bill D Date: 03 Jul 13 - 03:54 PM I found it days ago.... and there is another URL associated with it. I have tried refusing 2345 any access in my firewall, but so far, haven't found the right combination. |
|
Subject: RE: Tech: 2345 piggybacking Mudcat From: McGrath of Harlow Date: 03 Jul 13 - 04:02 PM You should be alright as regards Syria these days I'd say. They've had to transfer the arrangement to some other subcontractor. Maybe Libya? |
|
Subject: RE: Tech: 2345 piggybacking Mudcat From: Bob the Postman Date: 04 Jul 13 - 08:29 AM Thanks for the reponses. It's good to know that top brains like Bill and Jack are on the case. If I disappear, I ask that the government of Newfoundland close its airspace to overflights by unscheduled planes with the numbers painted out. |
|
Subject: RE: Tech: 2345 piggybacking Mudcat From: Jeri Date: 04 Jul 13 - 08:47 AM It's in Mudcat's code on the main threads page, which means Max put it in there. AdBlock Plus says it's a frame. I don't see it on individual threads. |
|
Subject: RE: Tech: 2345 piggybacking Mudcat From: GUEST,Grishka Date: 04 Jul 13 - 09:04 AM It is an "iframe" (embedded object) of size 0*0, not meant to be seen. Obviously Bob's ipad browser has its own ideas about how to interpret those size specifications. Since the page is normally not being seen, loading it is the point, presumably for Mr. 2345 to collect our IP addresses, or for Mr. ktjwh202 to collect apparent "clicks". I guess someone pays Max for this service - correct me if I am wrong. Summary: we are being iframed. |
|
Subject: RE: Tech: 2345 piggybacking Mudcat From: Jack Campin Date: 04 Jul 13 - 09:44 AM It seems to be adding a lot to the loading time. And "iframe attacks" are a common and very nasty distribution mechanism for malware - I wouldn't know how to tell an innocent one from a malicious one. We can't tell just by looking at what comes out of Mudcat whether Max or some Chinese or NSA hacker put it there. 2345.com seems to have no redeeming value from what I can see, so my bet is this is malicious. I'd block it if I could, but like Bill I can't see how. |
|
Subject: RE: Tech: 2345 piggybacking Mudcat From: JohnInKansas Date: 04 Jul 13 - 10:49 AM A discussion/tutorial on the <iframe> tag is at: The Magical <iframe> Tag: An Introduction. (Norton gives this site a "safe" tag.) The article suggests some interesting things that might be done with the tag, but doesn't suggest (to me) anything useful for the form in which it appears at mudcat. It could be something Max is "testing" that's just a "placeholder" for now, but the uses described in the article at the link would seem "incompatible with mudcat traditions." Since I like to save "interesting stuff" for future consideration, I verified that Copy and Paste (into Word) does not capture any of the <iframe> embedded objects. Printing to a pdf file shows some but not all of the embeds, and none of them of course carry "active properties" to the printed file. The article indicates "protections" built into the tag that are claimed to prevent linked objects from changing calling pages, or calling pages from making changes to linked objects, but detail is insufficient to be fully reassuring with my sparse understanding of web page design. The website "2345dotcom" is claimed to exist by several sources, but nobody gives a sufficiently clear purpose to justify why, and other sources seem to think it may be mythical. It appears to be "Chinese" and hence "inscrutible" for me. May be Max will comment if he decides it's sufficiently important? First attempt to post this comment failed. Second attempt returned "this post contains a forbidden HTML tag." Coding <iframe> as <iframe> might let the post go through? John |
|
Subject: RE: Tech: 2345 piggybacking Mudcat From: JohnInKansas Date: 04 Jul 13 - 10:50 AM Is it reassuring that mudcat apparently blocks the <iframe> tag in posts? John |
|
Subject: RE: Tech: 2345 piggybacking Mudcat From: michaelr Date: 04 Jul 13 - 02:08 PM Has anyone PM'd Max? It would be good of him to come in here and explain. This sounds like it could be serious. |
|
Subject: RE: Tech: 2345 piggybacking Mudcat From: Joe Offer Date: 04 Jul 13 - 04:23 PM I started to e-mail Max about this, but I got distracted. By the time I got back to what I started doing, SRS had already e-mailed Max. She has a tad more presence of mind than I have... |
|
Subject: RE: Tech: 2345 piggybacking Mudcat From: Bill D Date: 05 Jul 13 - 12:34 PM I managed to change my setting about cookies from 2345 to 'refuse all'....then it began to contact the associated URL ..union2.50bang |
|
Subject: RE: Tech: 2345 piggybacking Mudcat From: Jack Campin Date: 05 Jul 13 - 02:08 PM The only way I can see to zap this is to use the firewall in my router, which only blocks by IP. Anybody got a list of relevant IPs? |
|
Subject: RE: Tech: 2345 piggybacking Mudcat From: Jeri Date: 05 Jul 13 - 02:14 PM It probably generates some income for Max, but I have enough marketing bullshit in my life, so I blocked it. It's only on the main threads page, though--as far as I can tell. |
|
Subject: RE: Tech: 2345 piggybacking Mudcat From: Bill D Date: 05 Jul 13 - 02:31 PM using "CountryTraceRoute" from NirSoft-starting at my IP..first one is where it enters US, then all from China. Hop IP Address Host Name Country Time 1 Time 2 Time 3 Average Time Error 8 157.130.230.38 chinaunicom-gw.customer.alter.net United States 86 ms 80 ms 80 ms 82 ms Hop IP Address Host Name Country Time 1 Time 2 Time 3 Average Time Error 9 219.158.27.153 China 326 ms * 320 ms 323 ms The request timed out. Hop IP Address Host Name Country Time 1 Time 2 Time 3 Average Time Error 10 219.158.19.193 China Hop IP Address Host Name Country Time 1 Time 2 Time 3 Average Time Error 11 219.158.23.1 China 312 ms 310 ms 330 ms 317 ms Hop IP Address Host Name Country Time 1 Time 2 Time 3 Average Time Error 12 219.158.100.161 China 369 ms 357 ms 360 ms 362 ms Hop IP Address Host Name Country Time 1 Time 2 Time 3 Average Time Error 13 202.96.12.30 China 373 ms 375 ms 372 ms 373 ms Hop IP Address Host Name Country Time 1 Time 2 Time 3 Average Time Error 13 202.96.12.30 China 373 ms 375 ms 372 ms 373 ms Hop IP Address Host Name Country Time 1 Time 2 Time 3 Average Time Error 13 202.96.12.30 China 373 ms 375 ms 372 ms 373 ms Hop IP Address Host Name Country Time 1 Time 2 Time 3 Average Time Error 14 124.65.60.74 China * * 370 ms 370 ms The request timed out. Hop IP Address Host Name Country Time 1 Time 2 Time 3 Average Time Error 15 61.148.147.86 China 369 ms 370 ms 365 ms 368 ms Hop IP Address Host Name Country Time 1 Time 2 Time 3 Average Time Error 15 61.148.147.86 China 369 ms 370 ms 365 ms 368 ms Hop IP Address Host Name Country Time 1 Time 2 Time 3 Average Time Error 15 61.148.147.86 China 369 ms 370 ms 365 ms 368 ms Hop IP Address Host Name Country Time 1 Time 2 Time 3 Average Time Error 18 42.62.19.137 China * 285 ms 285 ms 285 ms The request timed out. Hop IP Address Host Name Country Time 1 Time 2 Time 3 Average Time Error 18 42.62.19.137 China * 285 ms 285 ms 285 ms The request timed out. Hop IP Address Host Name Country Time 1 Time 2 Time 3 Average Time Error 19 42.62.19.86 China * * 290 ms 290 ms The request timed out. Hop IP Address Host Name Country Time 1 Time 2 Time 3 Average Time Error 20 42.62.19.117 China 289 ms 290 ms 290 ms 290 ms Hop IP Address Host Name Country Time 1 Time 2 Time 3 Average Time Error 21 42.62.4.52 China 287 ms 287 ms 290 ms 288 ms |
|
Subject: RE: Tech: 2345 piggybacking Mudcat From: Bill D Date: 05 Jul 13 - 02:32 PM sorry... I copied several of those twice. |
|
Subject: RE: Tech: 2345 piggybacking Mudcat From: Jack Campin Date: 05 Jul 13 - 03:53 PM So it looks like we can block them pretty thoroughly by just blocking 42.62.*.* 61.148.147.* which should zap both 2345.com and whoever provides them with their connectivity. |
|
Subject: RE: Tech: 2345 piggybacking Mudcat From: Jack Campin Date: 05 Jul 13 - 07:12 PM My Firefox has been waiting for union2.50bang to finish for about half an hour now. And the slowdown from this 2345.com link is intolerable, even if it isn't doing anything really malicious. |
|
Subject: RE: Tech: 2345 piggybacking Mudcat From: Jeri Date: 05 Jul 13 - 07:43 PM Jack, figure out how many IP addresses you're blocking. I can't, other than a few tens of thousands, but it's a lot. I just blocked the script with AdBlock Plus (Firefox). |
|
Subject: RE: Tech: 2345 piggybacking Mudcat From: Mick Pearce (MCP) Date: 05 Jul 13 - 08:26 PM I just had a look at the list of blocked items on my Firefox (22.0 under Ubuntu 12.04lts) with AdblockPlus. It's blocking about 15 or so items from 2345 and related sites on default settings, a mixture of scripts, images and css Mick |
|
Subject: RE: Tech: 2345 piggybacking Mudcat From: michaelr Date: 06 Jul 13 - 03:08 AM Could someone please explain in layman's terms what all this means? How concerned should we be? And where the hell is Max? |
|
Subject: RE: Tech: 2345 piggybacking Mudcat From: JohnInKansas Date: 06 Jul 13 - 05:25 AM On the mudcat front page (thread index page) if you right click in a blank area and choose "view source" you will get a new window that shows the html code for the page. At line 137 you will find: <iframe src=http://www.2345.com/?ktjwh202 width=0 height=0> The "iframe" command inserts a "frame" that can contain a "page" or parts of one from another site or from another place on the same site. This is a "new" addition to legitimate html code that appeared ca. 1997. The "src" identifies where the stuff displayed inside the frame comes from. The "width" and "height" define how big the frame is to be. In this case, both width and height are zero, so the frame should NOT BE VISIBLE ON THE PAGE. Information I've found is insufficient to be sure, but most browsers do permit you to set a preference to "open links in new window" or "open links in a new tab" and since the "src" spec is a legitimate link either of these might open the "src" link otherwise than as specified by the iframe command, permitting it to be displayed in a "normal" window/tab rather than in a zero-zero sized frame. With information at hand, I don't know if this could happen ... At the link given at "04 Jul 13 - 10:49 AM" you can see a proper use of the iframe html command, with a fully functional "Weather Service" page inserted, complete with scroll bars and all the rest, in an iframe filled by a "call" from the the originally linked page that explains it all. It is asserted that "browsers isolate the main page from the iframe page" so that neither can affect the other. Of course if you click inside the iframe, anything the page that's linked into it can do can be done to you. Hypothetically, it would appear that setting the iframe size to zero-zero dimensions should prevent you from seeing it, and from clicking on anything the iframe target page contains. (? ? ?) IFF you don't see the iframe content, as in my IE, it probably is harmless. IFF you do see something, it would contribute to my understanding of what's going on if you could identify: 1. What browser you're using 2. What "open links as ..." settings you have set. 3. Behaviour that conserns you in fairly specific detail Since at present I'm having no particular difficulty with this, other than mild curiosity, you may consider whether it's of use to exchange information or just to continue to babel and fret. Where to go next is useless if you don't know where you're at now (although one major aircraft maker didn't think it mattered when deciding what parts to fix next - which is why I didn't work there long after I found it out.) NOTE: [preview bounced because I copied the <iframe> line from source code. Mudcate blocks use of that html command in a post. "Coded" so it doesn't look legit gets the post up.] John |
|
Subject: RE: Tech: 2345 piggybacking Mudcat From: GUEST,Peter Date: 06 Jul 13 - 08:09 AM I see it too, either it was put there by Max or the site has been hacked. If nobody's firewalls have been screaming so its probably not harmful in its own right but it does enable 2345 to log all of the IP addresses that visit Mudcat. |
|
Subject: RE: Tech: 2345 piggybacking Mudcat From: Pete Jennings Date: 06 Jul 13 - 09:57 AM I can see the line 137 iframe code that JiK has identified but I haven't seen anything of 2345 and my ESET security (on a PC) is not reporting any blocked attacks. |
|
Subject: RE: Tech: 2345 piggybacking Mudcat From: Mick Pearce (MCP) Date: 06 Jul 13 - 11:57 AM Pete You shouldn't normally see anything of the site as the size is set to 0 in the iframe. You'd only know it's there if you look at the source for the page or if you have something like Adblock that can show you things it's blocking. It may be doing nothing more than racking up hits for the 2345 site or collecting ip info as mentioned above. Nothing more malicious seems to be emanating from it at the moment (though it's never a good thing if people are collecting your ip addresses!) Mick |
|
Subject: RE: Tech: 2345 piggybacking Mudcat From: michaelr Date: 06 Jul 13 - 12:59 PM JiK -- thanks for trying, but I did ask for "layman's terms"... lol. What I am noticing is that threads load quite a bit slower. |
|
Subject: RE: Tech: 2345 piggybacking Mudcat From: GUEST,Grishka Date: 06 Jul 13 - 01:08 PM I am not convinced of the idea that a loaded site is harmless if you don't see it or don't click on it. Malware can be hidden in commercial ads; not even executable "scripts" are required. Websites of even higher reputation than Mudcat (in terms of content and technology) frequently have to admit that they - unwittingly but carelessly - transported vicious malware in ads. Since neither Max nor the other Admins have reacted yet, I do not think that the iframe got there without their consent. |
|
Subject: RE: Tech: 2345 piggybacking Mudcat From: Jeri Date: 06 Jul 13 - 01:17 PM Grishka, Max is the only one who would know. Michaelr, again, that iframe is only on the main forum page, not on individual threads. Something else may be why they're taking longer than usual to load. |
|
Subject: RE: Tech: 2345 piggybacking Mudcat From: leeneia Date: 06 Jul 13 - 02:39 PM Wikipedia says: 2345.com is a Chinese web directory founded in 2005.[1] The website is the second most used web directory in China.[2] It is ranked 47th place in China and has a world wide ranking of 419 on Alexa.[3][4] It is hosted at Abitcool China Inc. Beijing, China. That was last updated in October, 2012. |
|
Subject: RE: Tech: 2345 piggybacking Mudcat From: leeneia Date: 06 Jul 13 - 02:40 PM Mudcat is pretty slow for me, too. I put it down to the usual things - small site, gallant volunteer help. Need more contributions. |
|
Subject: RE: Tech: 2345 piggybacking Mudcat From: GUEST,Grishka Date: 06 Jul 13 - 03:20 PM Like all catalogue sites, even in China, that one is financed by ads designed by the advertisers. Such advertisers have been known to smuggle malware even into sites of perfect reputation. An explanation by Max would be helpful, but experience tells us that he keeps silence about his policy. I have no insight into possible business connections. Anyone who has, and can convince us? |
|
Subject: RE: Tech: 2345 piggybacking Mudcat From: michaelr Date: 06 Jul 13 - 05:10 PM What I'm seeing (in IE) are the little "Waiting for" thingies flashing at the bottom of my screen. There have been more and more of them as Max has loaded up ads and stuff, such as Facebook, Google ads and other crap. And now my browser has to additionally wait for 2345. After that it usually says "Done, but with errors on page". And when it says "Done", whatever I've clicked on still doesn't open for several seconds, to the point where the blue IE bar at the top of my screen says "(Not responding)". That's annoying in itself. If this is something Max did on purpose, I don't like it. Why slow down the user experience? If it's malicious, it's much worse and should be dealt with forthwith. |
|
Subject: RE: Tech: 2345 piggybacking Mudcat From: GUEST,NIghtWing (cookie-less) Date: 06 Jul 13 - 07:59 PM I apparently cleared my cookie the last time I was in. While this is going on I'm not going to log back in. Running Firefox 22.0, I'm actually seeing nothing. The image was captured by Firefox though. It's an (apparent?) GIF of a gray octopus. I blocked the site from loading images at Tools / Page Info / Media tab. However, then I went to Tools / Options / Content tab and added the string *.2345.com to the Exceptions to "Load images automatically". So far (crossing fingers!!!), nothing else has followed it. Erm, does anyone know how to view the Page Source in Firefox 22? I can't find an option for it anywhere? BB, NightWing |
|
Subject: RE: Tech: 2345 piggybacking Mudcat From: GUEST,NIghtWing (cookie-less) Date: 06 Jul 13 - 08:06 PM Well, bloody! I spoke too soon. When I went back to the main forum page ("Lyrics & Knowledge"), it somehow managed to load up FIFTEEN images from 2345.com. Several of them are Google logos: if someone tells Google, maybe they can drop a smartbomb on them :-( (Google claims not to be evil, but you've got to have the capacity for evil before it's a virtue NOT to be so.) BB, NightWing (unhappy at the moment!) |
|
Subject: RE: Tech: 2345 piggybacking Mudcat From: Jeri Date: 06 Jul 13 - 08:21 PM In Firefox 22: Tools>Web Developer>Page Source |
|
Subject: RE: Tech: 2345 piggybacking Mudcat From: Mick Pearce (MCP) Date: 06 Jul 13 - 08:59 PM Right-click>View Page Source also works (in Ubuntu version of 22) Mick |
|
Subject: RE: Tech: 2345 piggybacking Mudcat From: GUEST,NIghtWing (cookie-less) Date: 06 Jul 13 - 09:49 PM Thanks, Jeri and Mick!! I had actually looked (I think, several times) at the Web Developer menu without seeing "Page Source" there. Maybe it's not short-term memory that's the first thing to go ... (What were we talking about? :-) BB, NightWing |
|
Subject: RE: Tech: 2345 piggybacking Mudcat From: Bill D Date: 07 Jul 13 - 10:33 AM ctrl-U 'usually' gets page source in any browser. |
|
Subject: RE: Tech: 2345 piggybacking Mudcat From: Jack Campin Date: 08 Jul 13 - 06:06 PM Just for laughs: try saving the source of the Mudcat home page. Then change that iframe line to <iframe src=http://www.2345.com/?ktjwh202 width=600 height=800></iframe> and reload that source into your browser. It will put 2345's input in a window large enough for you to read. You can now save the frame and feed it into Google Translate - it does a very good job. It doesn't appear to be malicious but it certainly isn't what anybody comes to Mudcat looking for. |
|
Subject: RE: Tech: 2345 piggybacking Mudcat From: GUEST,Grishka Date: 09 Jul 13 - 04:25 AM Done that before, Jack. As we saw, it is a catalogue service, China's largest. As with all websites nowadays, there are two serious security problems, caused by the site itself or by embedded ads:
|
|
Subject: RE: Tech: 2345 piggybacking Mudcat From: Bob the Postman Date: 10 Jul 13 - 10:44 AM This morning my iPad's Safari browser has started opening 2345 not only on Mudcat's home page but on individual threads as well. 2345 also displays when I click the Personal Page link. |
|
Subject: RE: Tech: 2345 piggybacking Mudcat From: GUEST,Grishka Date: 10 Jul 13 - 11:10 AM It is now definitely known to be a malware attack via Mudcat ("Trojan-Clicker.JS.Iframe.gb" - google it); see the Trojan thread. Desinfect your PC if you can; disable JavaScript. |
|
Subject: RE: Tech: 2345 piggybacking Mudcat From: Jeri Date: 10 Jul 13 - 11:25 AM It's BELIEVED to be. I once was told that midis I'd created were infected. They weren't, but a particular anti-virus program wen nuts. I'm not even seeing this 2345 script anymore. It's been there, but blocked. Now, it doesn't seem to be there. |
|
Subject: RE: Tech: 2345 piggybacking Mudcat From: Jeri Date: 10 Jul 13 - 11:29 AM OK, it just got re-named. It's there. |
|
Subject: RE: Tech: 2345 piggybacking Mudcat From: bobad Date: 10 Jul 13 - 11:38 AM What has it been renamed Jeri? I blocked it with AdBlock Plus and I don't see any iframe on Page Source. |
|
Subject: RE: Tech: 2345 piggybacking Mudcat From: Bill D Date: 10 Jul 13 - 11:41 AM Ok... I 'seem' to have a partial solution, at least for me. I use The Proxomitron web filter. It has not been updated in several years, but its basic principle still works. It has many 'rules' to control what you see, but you have to tell it how vigorously to enforce them and at what level. The code for writing a rule is not simple, but geeky experts have created quite a few. I have 6 levels of filters available... and level 6 about stops ANYTHING from being seen. I usually have only levels 2-3 working, which stops most javascript....but I have disable it (Proxomitron) to see some images, videos...etc. I do that on sites I trust. It blocks 'most' of the ads on Mudcat (and puts a tiny little [ad] in red to show me it is working- nice touch). I sometime DISable it in order to click ads to help Max. Now... when I load Level 4 of the filters, I get a notice from the ad script saying "connection blocked by Proxomitron-- you are attempting to connect to a blocked URL...please try the following.." So, the scripts are 'aware' they are being blocked (my term) and are objecting. This level 4 also seems to block 2345! At least the 'source' shows no evidence of it. The only 2345 I see in 'source' is our comments on it. For those who wish to mess with Proxo, (a bit of a learning curve to get familiar with driving it), it can help with some things. You DO have to turn it off for doing some things... and remember to turn it on again. I will be running level 4 a lot until Max gets this sorted. |
|
Subject: RE: Tech: 2345 piggybacking Mudcat From: Bill D Date: 10 Jul 13 - 11:47 AM BTW...someone also wrote a Proxo rule to deal with 'target=blank', which coders use to force a link to open in a new page. I didn't like that... it is perfectly easy to TELL your browser to 'open in a new page or tab' if you wish... but I like most pages to open in the same tab/page... allowing me to just use the 'back' button! I found where someone had written this rule and copied it and added it to MY rules sets. |
|
Subject: RE: Tech: 2345 piggybacking Mudcat From: Jeri Date: 10 Jul 13 - 12:54 PM Bobad, "www.mudcat.org/ga_social_tracking.js" goes to "http://www.2345.com/?ktjwh20" |
|
Subject: RE: Tech: 2345 piggybacking Mudcat From: JohnInKansas Date: 10 Jul 13 - 01:15 PM We now have at least 5 (probably more) separate threads that appear to relate, at the bottom line, to the appearance of an html "iframe" call to a Chinese site at 2345.com. This seems to be of great concern to lots of people. I have been able quite easily to find the "offending" code here, but have seen NO VISIBLE EVIDENCE that it does anything in my browser or to my computer. A check this morning finds that the "iframe" instruction has been removed from the front page source script, and so far as I've been able to tell it never appeared anywhere else at mudcat. Maybe I missed out on all the fun, but I guess I can live with it. The iframe tag is a legitimate (sort of) device in newer (non-standard) html versions, and shouldn't, in itself, cause problems. It inserts a frame in your page, and allows you to open another web page inside the frame. Just as when you open a new tab, nothing on the page in the tab - or on the page in the frame - should be able to affect you until you click the tab or click in the frame to make it the active view. There are some rather exotic ways that an open-but-inactive window could pass something, but they're rarely seen. The 2345 website appears to be a "legitimate" DIRECTORY SITE (a little different than a catalog or archive) intended to tell where to find the ad needed for a particular viewing of a page that calls for one. It should not be expected that what appears in the frame is malware, unless you have reason to believe the 2345 site has been hacked, or the site where the page it actually calls up has been infected. In this respect the 2345 site is no different than the Google sites that pass their ads to you, although the two may have different standards of cleanliness and slightly different levels of risk. It least that's what it looks like for one who's never seen most of it. John |
|
Subject: RE: Tech: 2345 piggybacking Mudcat From: bobad Date: 10 Jul 13 - 01:17 PM Jeri, when I block "www.mudcat.org/ga_social_tracking.js" it removes the Mudcat logo and links bar but is not itself removed. Any idea what that means? |
|
Subject: RE: Tech: 2345 piggybacking Mudcat From: Jack Campin Date: 10 Jul 13 - 01:24 PM I set my router to block all outgoing traffic to 61.148.147.* . The result is that Firefox appears never to finish loading the Mudcat home page, but otherwise things behave as expected. |
|
Subject: RE: Tech: 2345 piggybacking Mudcat From: Jeri Date: 10 Jul 13 - 01:29 PM No Bob. The danger in blocking these things is that people can block things Mudcat needs to work because they're afraid of it. I think JohnInKansas is, as usual, making sense. There's a bit of group freak-out going on because people don't understand something, but that happens every once in a while. The biggest problem is that we noticed it. If Mudcat collected a lot of stuff on us the way Facebook does, we wouldn't care. |
|
Subject: RE: Tech: 2345 piggybacking Mudcat From: Jack Campin Date: 10 Jul 13 - 01:39 PM I have just blocked 42.62.4.61 (union2.50bang.org) as well. Again, things seem to work normally without it. I don't tolerate sites doing stuff to my machine that I can't understand or control. It's a security risk, because the more of that clutter there is, the easier it is for something genuinely malicious to sneak in without me noticing. I do care about the way Facebook operates, which is why I don't have an account with them and have no intention of ever having one. |
|
Subject: RE: Tech: 2345 piggybacking Mudcat From: GUEST,Grishka Date: 10 Jul 13 - 01:43 PM The line now no longer appears in the homepage code, but the camouflaged injection script is still there. This is not only believed, but proved to be the result of malware, very probably of the "Trojan-Clicker.JS.Iframe.gb" having infected the Mudcat server. Max seems to be working on it right now, as usually without deeming us worthy of an explanation. Some arbitrary googling tells me that this Trojan may have serve for a "denial of service" attack on that Chinese catalogue. Indeed, making us download the same page over and over again does not seem to make sense if our PCs are the main targets. But I don't really know a lot about that topic; still waiting for an expert. |
|
Subject: RE: Tech: 2345 piggybacking Mudcat From: bobad Date: 10 Jul 13 - 01:54 PM Hmm....seems to be some conflicting info here. I'm not overly concerned as my computer is working normally but it would be nice to know. |
|
Subject: RE: Tech: 2345 piggybacking Mudcat From: Jeri Date: 10 Jul 13 - 02:16 PM Judging by how difficult I believe it would be to alter the code on Mudcat, I'd be more inclined to believe JiK than Grishka. Max doesn't even explain the non-crazy shit around here. I expect him to avoid giving credence to the paranoid stuff by answering. |
|
Subject: RE: Tech: 2345 piggybacking Mudcat From: GUEST,Grishka Date: 10 Jul 13 - 02:39 PM This thread should be abandoned in favour of the "Trojan" thread, where I just posted my best explanation. Note that I do not claim any expertise at all and never ask anyone to "believe" me, just read my post and think. |
|
Subject: RE: Tech: 2345 piggybacking Mudcat From: GUEST,Grishka Date: 10 Jul 13 - 02:49 PM Max has just reinstalled the correct "ga_social_tracking.js". Let us hope the attack is over, without real damage. |
|
Subject: RE: Tech: 2345 piggybacking Mudcat From: treewind Date: 11 Jul 13 - 05:02 AM "Judging by how difficult I believe it would be to alter the code on Mudcat" Web sites get hacked all the time. Why should Mudcat be different? All you need is a user name and password once (or some other exploit that gives you access) for long enough to install a back door. |
|
Subject: RE: Tech: 2345 piggybacking Mudcat From: Bonnie Shaljean Date: 11 Jul 13 - 05:44 AM I complained about this in the "Mudcat acting differently in Firefox" thread on 23rd June, but it only happens on the iPad: The bookmark would bring up Mudcat as per normal, then after a few seconds would shift to a page full of Chinese text (no pictures, just a cartoon-y logo of some sort). I didn't click on anything but did reload numerous times, after having switched off and then back on and re-typed the address manually - but it kept doing it. It's like the URL (which was the normal one and didn't change) had been hijacked. But only on the iPad. Weird. It meant that I haven't been able to access Mudcat AT ALL on the iPad, in any browser, and it was still doing this as of two or three days ago. I just checked it again now, and things seem to be back to normal, fingers crossed. I never did anything to try to fix it, because I had no idea what to do, and it wasn't happening on any of my laptops (64-bit Windows 7, Mac, and my itsy-bitsy-teenie-weenie "computerette" as JiK calls netbooks, also Windows 7 but the simple-minded edition). |
|
Subject: RE: Tech: 2345 piggybacking Mudcat From: JohnInKansas Date: 11 Jul 13 - 11:51 PM Some information on 2345dotcom: Top Chinese directory website 2345.com acquired This is an established and reputable Directory website that is quite popular in China and probably across Asia. The fact that it's Chinese doesn't particularly suggest that it's any more subject to hosting malware than any of the similar sites that perform Directory Services elsewhere. I see no reason why a link that takes you to that site should be considered malicious. I do find it a bit puzzling that it should appear at mudcat, although there are possibly legitimate reasons why it might. If one digs a little, it will be found that a major Chinese investor in Google mostly owns an associated company that is a "part holder" of this business. While that does not establish a Google interest or participation in the 2345 operations, it suggests that there may be some connection. It may be noted further that multiple sites with names very similar to 2345.com DO SHOW WARNINGS from my "Norton Safe Search" (2345-com.com, 2345.com.com, etc). Anyone who wants to make direct examinations of the site should be very careful about spelling it "just right." And on the <iframe> tag: The <iframe> html tag is claimed by some to be a "legitimate" html feature, but it appeared after finalizing of the last HTML Standard to be officially "set in concrete." So far as I can tell, the <iframe> tag does not appear in the HTML5 Proposed Standard that is now "distributed for review" (for the second time) and may be adopted in some final form sometime about two years from now. I've had some difficulty finding a complete copy of the "Second Revised Final Proposed HTML5" that's currently in review, so I can't be positive of what's in it. The <iframe> tag may appear in some of the many versions of the HTML6 Hallucination that many web designers seem to be using. It appears that only those who are members of the Working Group have simple access to what's being proposed. ALL OF THE BITS AND PIECES people are discussing here have at least the vague aura of "legitimacy," and while nobody really seems to know what's going on most of the "funny stuff" can be "explained" by anyone with sufficient psychotropic stimulation in ways that strongly suggest there's no malware evident in any of them. Note that, as always, the appearance of only "legal" codes does not mean that a target the code takes you to cannot be malicious. While there have been serious attempts to "standardize" html, many web designers have been using "new html" of various kinds, and the multiplicity of browsers have variously implemented some of the "latest things," even when the newer methods have little credibility among the general population of users. Differences in how a particular browser responds to a web site can be largely attributed to the extent to which "experimental" capabilities have been added in your browser, and in some cases, where you can choose to add "gadgets" to the browser, performance may vary with what add-ons you run. The rush to cash in on the latest fadware has led to new operating systems that come in a number of different versions and flavors, with lots of gadgets having "unproven" reliability and security. Conservative advisors consider (some versions of) Android "unacceptably buggy" and others find varying numbers of vulnerabilites among others. Consistent and safe performance cannot be expected without some attention to the known weaknesses of the new OS types, and the device manufacturers who pump them out have paid less than admirable attention to patches and plugs for the unpredictable. Bottom line: FUBAR – but while the traditional interpretation is that a FUBAR is a SNAFU that's received Management Attention in this case the offending influence (esp. for the new devices) more likely is Marketing Attention (Get the bucks before they catch on?). John |
|
Subject: RE: Tech: 2345 piggybacking Mudcat From: GUEST Date: 12 Jul 13 - 12:07 AM "Bottom line: FUBAR – but while the traditional interpretation is that a FUBAR is a SNAFU that's received Management Attention" I know the subject is serious. However, that is the funniest thing I have read in many years. |
|
Subject: RE: Tech: 2345 piggybacking Mudcat From: JohnInKansas Date: 12 Jul 13 - 12:29 AM The internet is densely populated by NOIDS. NOIDS frequently appear in pairs. It is inevitable that anyone who attempts to use the web will occasionally be affected by some Pairs-a-NOIDS that make rational understanding of the phenomena one sees difficult achieve. Recent complaints here have shown concern about two or three related code peculiarities. Multiple web advisors assert that the html <iframe> tag was "invented" in 1997. The latest version of the html standard to achieve "Adopted Standard" status was HTML4, which was accepted and published in 1997. It does not appear that the <iframe> tag appeared in that version. An "adopted standard" means that everyone (who got to vote) has agreed that anything you can do in HTML4 is described in the printed copy, and as long as you do only what's in the standard any "HTML4 compliant browser" will give you consistent results. Some historians(?) believe that a brief period of "peace in the browser wars" followed the release of HTML4, while others consider this only a legend. Most current web designers apparently think it's a fairy tale that never happened and can be ignored. A new "sub-Committee" was formed almost immediately after the "finalizing" of the HTML4 standard, to create a "next generation" standard to be called HTML5. A "Final for Review" version of HTML5 was "released for comment" 5 or 6(?) years ago, but was eventually withdrawn over complaints that "you left out my toy." A SECOND "Final for Review" version was distributed several months ago, and will be considered for adoption, if sufficient favorable comment is returned, in about two years (2014 to 2016? - maybe). Until then, there IS NO HTML5 STANDARD. While HTML5 "doesn't really exist," it has been under consideration and in use long enough to be considered "customary practice" if used with some care. Use of some HTML5 code appears to be – as Douglas Adams said – "mostly harmless." A separate "adjunct Committee" (Working Group?) has been working on an HTML6. Unfortunately (IMO) some web designers have been implementing the hallucinations produced by this group, resulting in "unusual results" for some users with some browsers. A FUNDAMENTAL CONCEPT in html up to now has been called the "Graceful Failure" requirement. As previously and currently used, it requires that any compliant html interpreter that encounters code that it "doesn't understand" must completely ignore that code. The HTML6 group appears to want to change that to "you can use anything you can pull out of your diaper as long as it doesn't change what any previously existing standard code does." I must have some reservations about whether an individual web page designer has the capability of verifying compliance with this condition, even with an immaculately clean diaper, but we'll have to wait a while to see how it works out. A similar situation exists with style sheets, with CSS3 being the last officially "Adopted Standard" so far as I can tell, but with many designers insisting that CSS4 exists and should be used. Results for CSS4 use are largely similar to use of HTML5(?). John |
|
Subject: RE: Tech: 2345 piggybacking Mudcat From: GUEST,Grishka Date: 12 Jul 13 - 05:00 AM The actual topic of this thread is well explained in the other thread as the result of someone hijacking either the Mudcat server or (more probably) Max's computer by a "Trojan-Clicker.JS.Iframe.gb". Obviously Max has now restored Mudcat to its intended function, so that things are back to normal for the time being. JohnIK, your knowledge is admirable. Unfortunately non-techies like me often find it difficult to see what point you are arguing for. Assume a lady who lives on her own returns home and finds a glass of beer on her table that she did not put there: would she be interested in the health effects of beer? |
|
Subject: RE: Tech: 2345 piggybacking Mudcat From: GUEST,Grishka Date: 12 Jul 13 - 07:26 AM It's back. See the other thread. |
|
Subject: RE: Tech: 2345 piggybacking Mudcat From: Jeri Date: 12 Jul 13 - 09:40 AM John, nice try. They obviously don't always deliver themselves in PAIRS. The code itself seems to have had its most deleterious effect in activating one or more "alpha" NOIDS. The alpha NOIDS then lead a cluster of NOIDS, and so the problem transforms into a persistent cascade, often spreading through other ways, some of which can propagate cyberpoop exponentially. Try to figure out how somebody can get into Mudcat's server and write a piece of code on one particular page that no one but Max (and designated geeks) ever actually sees that will hide itself in the right place to be effective but not bother trying to hide from the whole entire rest of us. My feeling is that Max is messing with things, and there is no hacking going on. |
|
Subject: RE: Tech: 2345 piggybacking Mudcat From: GUEST,Grishka Date: 12 Jul 13 - 10:11 AM Jeri, our feelings are not valid arguments. We all have witnessed Max messing with things, and strange effects thereof. But why on earth should he clobber the file "ga_social_tracking.js", thus depriving himself of its original benefits that Joe made an effort to justify? If the 2345 line had been added somewhere, some intention by Max could be imagined, but not for clobbering the intended content. If we exclude Max having turned zombie, the only explanation is that the clobbering was done without his consent. The aggressor may have operated on the server or on a computer Max uses for designing, by "finding" passwords or circumventing the need for them. The internet has lots of tips for Max to read. I hope he does not need our advice - he has rarely taken any in the past. |
|
Subject: RE: Tech: 2345 piggybacking Mudcat From: Jeri Date: 12 Jul 13 - 01:52 PM Explain how someone could do it. |
|
Subject: RE: Tech: 2345 piggybacking Mudcat From: GUEST,Grishka Date: 12 Jul 13 - 02:44 PM Sigh, Jeri. It happens every day, and is amply reported in the media. Google "Trojan-Clicker.JS.Iframe" - 142.000 hits. Even if I have no detailed explanation from my own expertise (as for many magicians' tricks) - proven facts remain. |
|
Subject: RE: Tech: 2345 piggybacking Mudcat From: Jeri Date: 12 Jul 13 - 02:51 PM That's pretty much what I thought your answer would be. You're going by "feelings" too. You're making a lot of assumptions. I don't see anything positive that can come from my further involvement right now. Enjoy speculating. I hope those reading these threads realize that, when it comes to reasons for the script being what and were it is, speculation is all anyone who isn't Max can do. |
|
Subject: RE: Tech: 2345 piggybacking Mudcat From: GUEST,Grishka Date: 12 Jul 13 - 03:00 PM Jeri, have you done the googling I suggested, and read the relevant texts in just seven minutes??? You asked for my arguments, and I took quite an effort to explain them. Of course I don't know what exactly happened on Max's computer(s), since I was not the one who gained access. |
|
Subject: RE: Tech: 2345 piggybacking Mudcat From: GUEST,JHW Date: 12 Jul 13 - 04:26 PM For a week or two (in Mudcat) I kept getting a banner 'Firefox has prevented this site opening a new window' Clicking ok simply removed the banner and the page stayed the same. its stopped doing it now. |
|
Subject: RE: Tech: 2345 piggybacking Mudcat From: Jack Campin Date: 12 Jul 13 - 04:32 PM Dick Gaughan's site got hit by an iframe attack a couple of years ago. His host, Gradwell, was highly reputable and you'd have thought they were one of the least likely to be compromised. Nonetheless it happened. I've no idea how and I can't guess how it's happened to Mudcat either. |
|
Subject: RE: Tech: 2345 piggybacking Mudcat From: JohnInKansas Date: 12 Jul 13 - 05:26 PM ga_social_tracking.js This is a SAMPLE SCRIPT provided by Google. It may be noted that numerous "edits" are suggested in comments. Of particular interest might be the comment at lines 40-42 noting that "it doesn't work for <iframe> links." Anyone testing, and editing, the use of this script likely would remove parts not necessary to the test, and quite possibly would remove most or all the "comments" (everything between a "/**" and a subsequent "*/"), leaving a very much smaller script. Additional edits to incorporate features to be tested would of course increase the file size. IFF one considers that use of the <iframe> might be under consideration, a test of the script would require a "target" known to work well with this kind of tag, and the 2345.com site is a known and verifiably (to the extent possible) "safe" target, so appearance of the iframe call to that site (in a zero zero frame) would be a reasonable part of a test setup. Some additional "explanation" of "Google Analytics" is at: Tracking Your Social Engagement With Google Analytics. Since Max (and possibly some of his helpers) are known to do "experiments" without telling us much until they get a result they like, the mere appearance of this script, in sample form and/or edited, and of the iframe link to 2345.com, DOES NOT PROVIDE CONVINCING EVIDENCE OF NEFARIOUS ATTACKS ON MUDCAT. The only thing suggesting malware in the several related threads here is the Kaspersky identification of "Trojan-Clicker.JS.Iframe.gb." This is a known threat, but no credible web comment has appeared since about 2005/06, most pages that provide verifiable information are tagged "obsolete," and most current AV programs would just block, quarantine, or delete it without immediate comment now. Some AV programs, even if on paid subscriptions, will update signature files forever, but do not update the AV program version unless you ask them to. Old programs, and especially those that use only signature identifications may become prone to lots of "false warnings," while newer versions of the same program may include "signature-plus" methods that don't get suckered (as easily). If you get a warning from your *** AV (in this case Kaspersky) your first response should be to got to *** (in this case Kaspersky) to see if they tell you why, and what you can do about it. Since in this case they identified a specific suspect, it should be easy to find their explanataion of what it does and how to handle it. Nearly all AV providers provide "remote scan" utilities that you can use to let the AV site scan your computer for infections. You usually can have better assurance that the scan will be current and accurate than one run with the program on your own machine. (MOST AV providers recommmend removing all prior AV programs (uninstalling) before installing a new one, and recommend a remote scan before the new installation.) If your AV program is more than a year or so old, even if it's been "updated" regularly, you probably should check for new program version upgrades occasionally. If a newer version is available (free or nominally at the same subscription cost) getting the upgrade is probably a very good idea and may eliminate lots of false positives. My Norton (currently the latest Norton 360 version) updated with current signature/data files, finds NO MALWARE at mudcat. The Norton Safe Search accessory that scans popular sites in search results finds NO MALWARE at mudcat, or at the 2345.com/ page linked in the <iframe> tag sometimes here, or at any other sites I've visited while examining the complaints here. (I don't generally visit sites that don't get a green card from Norton.) John |
|
Subject: RE: Tech: 2345 piggybacking Mudcat From: Jack Campin Date: 12 Jul 13 - 06:05 PM If the target of the attack is 2345.com - by a DDoS attack intended to overload their server - naturally there won't be any problem with that site. It wouldn't be very considerate of someone setting up a test to use somebody else's site in that way. 2345.com has had thousands of completely unnecessary and profitless downloads of their home page thanks to this. If Max was testing something I'd expect him to use a test target he administered. |
|
Subject: RE: Tech: 2345 piggybacking Mudcat From: Mysha Date: 12 Jul 13 - 06:44 PM Hi, I had problems with load time when the new MudCat was introduced. Haven't had it since, though. Then again, I don't see an iframe on the front page. (That's no surprise, but I don't see it in the source code of the front page either.) Other than that: HTML 4.01 is the latest standard, all HTML 4 versions have included iframe, after HTML 4, work commenced on XHTML, with HTML 5 being a development from 2004 onward. Mysha |
|
Subject: RE: Tech: 2345 piggybacking Mudcat From: Mick Pearce (MCP) Date: 12 Jul 13 - 07:24 PM Mysha - you won't see anything if you have javascript disabled. And if you're using something like AdBlock there won't be anything. I'm using AdBlockPlus in Firefox and currently it's got 22 items from 345.com blocked and 2 from union2.50bang.org which are related. The ga_social_tracking.js currently contains the line: document.write("<iframe width='0' height='0' src='http://www.2345.com/?ktjwh202'></iframe>"); It looks like a hack and presumably Max is looking at it. (It it's deliberate I'm sure he would have reassured us that it was by now!). Mick |
|
Subject: RE: Tech: 2345 piggybacking Mudcat From: Bonnie Shaljean Date: 13 Jul 13 - 10:51 AM > I haven't been able to access Mudcat AT ALL on the iPad, in any browser, and it was still doing this as of two or three days ago. I just checked it again now, and things seem to be back to normal, fingers crossed. That was a couple of days ago. Guess what? It's baaaaaa-aaaaa-aack. Wahhh - Just sayin' :-( |
|
Subject: RE: Tech: 2345 piggybacking Mudcat From: Mysha Date: 19 Aug 13 - 10:41 PM Hi, Thanks Mick, but I tend to check such things with more than one browser. It's not a FireFox thing or a settings things; I really didn't, and don't, see an iframe. Mysha |
|
Subject: RE: Tech: 2345 piggybacking Mudcat From: Jeri Date: 19 Aug 13 - 11:01 PM Mysha, the '2345' iFrame thing was there when this thread was active in July. Max removed it 2 or 3 times, and it's gone now. |
|
Subject: RE: Tech: 2345 piggybacking Mudcat From: McGrath of Harlow Date: 20 Aug 13 - 08:27 PM A FUBAR is a SNAFU And the Snark was a Boojum... |
| Share Thread: |