 sj |
||
|
||
Tech: 2345 piggybacking Mudcat
|
|
|
Subject: Tech: 2345 piggybacking Mudcat From: Bob the Postman Date: 03 Jul 13 - 12:56 PM The Chinese web archive site 2345(dot)com has attached itself to Mudcat on my iPad. When I open Mudcat, I get 2345 at the top of the page. Scrolling down there is the usual Mudcat home page. I understand that 2345 has a reputation for this sort of thing, but even so I don't know why this is happening to me, because I've always been a good person. What's gonna happen when the NSA realises I'm loading a Chinese site umpteen times a day? It won't matter that I got good marks in high school and always paid my taxes on time, I could be on a rendition flight to Syria by lunchtime. Any ideas how I got this tick on me and how to get rid of it? |
|
Subject: RE: Tech: 2345 piggybacking Mudcat From: Richard Bridge Date: 03 Jul 13 - 03:23 PM Try Ad-Aware or Spybot Search and Destroy - or possibly a rollback? |
|
Subject: RE: Tech: 2345 piggybacking Mudcat From: Jack Campin Date: 03 Jul 13 - 03:50 PM Looking at the status display of what Firefox is loading, 2345.com is always involved when I reload Mudcat (it helps to have a connection slow enough that I can see that). This line appears in the Mudcat homepage source: <iframe src=http://www.2345.com/?ktjwh202 width=0 height=0></iframe> Did Max put that there, or has it been sneaked in? |
|
Subject: RE: Tech: 2345 piggybacking Mudcat From: Bill D Date: 03 Jul 13 - 03:54 PM I found it days ago.... and there is another URL associated with it. I have tried refusing 2345 any access in my firewall, but so far, haven't found the right combination. |
|
Subject: RE: Tech: 2345 piggybacking Mudcat From: McGrath of Harlow Date: 03 Jul 13 - 04:02 PM You should be alright as regards Syria these days I'd say. They've had to transfer the arrangement to some other subcontractor. Maybe Libya? |
|
Subject: RE: Tech: 2345 piggybacking Mudcat From: Bob the Postman Date: 04 Jul 13 - 08:29 AM Thanks for the reponses. It's good to know that top brains like Bill and Jack are on the case. If I disappear, I ask that the government of Newfoundland close its airspace to overflights by unscheduled planes with the numbers painted out. |
|
Subject: RE: Tech: 2345 piggybacking Mudcat From: Jeri Date: 04 Jul 13 - 08:47 AM It's in Mudcat's code on the main threads page, which means Max put it in there. AdBlock Plus says it's a frame. I don't see it on individual threads. |
|
Subject: RE: Tech: 2345 piggybacking Mudcat From: GUEST,Grishka Date: 04 Jul 13 - 09:04 AM It is an "iframe" (embedded object) of size 0*0, not meant to be seen. Obviously Bob's ipad browser has its own ideas about how to interpret those size specifications. Since the page is normally not being seen, loading it is the point, presumably for Mr. 2345 to collect our IP addresses, or for Mr. ktjwh202 to collect apparent "clicks". I guess someone pays Max for this service - correct me if I am wrong. Summary: we are being iframed. |
|
Subject: RE: Tech: 2345 piggybacking Mudcat From: Jack Campin Date: 04 Jul 13 - 09:44 AM It seems to be adding a lot to the loading time. And "iframe attacks" are a common and very nasty distribution mechanism for malware - I wouldn't know how to tell an innocent one from a malicious one. We can't tell just by looking at what comes out of Mudcat whether Max or some Chinese or NSA hacker put it there. 2345.com seems to have no redeeming value from what I can see, so my bet is this is malicious. I'd block it if I could, but like Bill I can't see how. |
|
Subject: RE: Tech: 2345 piggybacking Mudcat From: JohnInKansas Date: 04 Jul 13 - 10:49 AM A discussion/tutorial on the <iframe> tag is at: The Magical <iframe> Tag: An Introduction. (Norton gives this site a "safe" tag.) The article suggests some interesting things that might be done with the tag, but doesn't suggest (to me) anything useful for the form in which it appears at mudcat. It could be something Max is "testing" that's just a "placeholder" for now, but the uses described in the article at the link would seem "incompatible with mudcat traditions." Since I like to save "interesting stuff" for future consideration, I verified that Copy and Paste (into Word) does not capture any of the <iframe> embedded objects. Printing to a pdf file shows some but not all of the embeds, and none of them of course carry "active properties" to the printed file. The article indicates "protections" built into the tag that are claimed to prevent linked objects from changing calling pages, or calling pages from making changes to linked objects, but detail is insufficient to be fully reassuring with my sparse understanding of web page design. The website "2345dotcom" is claimed to exist by several sources, but nobody gives a sufficiently clear purpose to justify why, and other sources seem to think it may be mythical. It appears to be "Chinese" and hence "inscrutible" for me. May be Max will comment if he decides it's sufficiently important? First attempt to post this comment failed. Second attempt returned "this post contains a forbidden HTML tag." Coding <iframe> as <iframe> might let the post go through? John |
|
Subject: RE: Tech: 2345 piggybacking Mudcat From: JohnInKansas Date: 04 Jul 13 - 10:50 AM Is it reassuring that mudcat apparently blocks the <iframe> tag in posts? John |
|
Subject: RE: Tech: 2345 piggybacking Mudcat From: michaelr Date: 04 Jul 13 - 02:08 PM Has anyone PM'd Max? It would be good of him to come in here and explain. This sounds like it could be serious. |
|
Subject: RE: Tech: 2345 piggybacking Mudcat From: Joe Offer Date: 04 Jul 13 - 04:23 PM I started to e-mail Max about this, but I got distracted. By the time I got back to what I started doing, SRS had already e-mailed Max. She has a tad more presence of mind than I have... |
|
Subject: RE: Tech: 2345 piggybacking Mudcat From: Bill D Date: 05 Jul 13 - 12:34 PM I managed to change my setting about cookies from 2345 to 'refuse all'....then it began to contact the associated URL ..union2.50bang |
|
Subject: RE: Tech: 2345 piggybacking Mudcat From: Jack Campin Date: 05 Jul 13 - 02:08 PM The only way I can see to zap this is to use the firewall in my router, which only blocks by IP. Anybody got a list of relevant IPs? |
|
Subject: RE: Tech: 2345 piggybacking Mudcat From: Jeri Date: 05 Jul 13 - 02:14 PM It probably generates some income for Max, but I have enough marketing bullshit in my life, so I blocked it. It's only on the main threads page, though--as far as I can tell. |
|
Subject: RE: Tech: 2345 piggybacking Mudcat From: Bill D Date: 05 Jul 13 - 02:31 PM using "CountryTraceRoute" from NirSoft-starting at my IP..first one is where it enters US, then all from China. Hop IP Address Host Name Country Time 1 Time 2 Time 3 Average Time Error 8 157.130.230.38 chinaunicom-gw.customer.alter.net United States 86 ms 80 ms 80 ms 82 ms Hop IP Address Host Name Country Time 1 Time 2 Time 3 Average Time Error 9 219.158.27.153 China 326 ms * 320 ms 323 ms The request timed out. Hop IP Address Host Name Country Time 1 Time 2 Time 3 Average Time Error 10 219.158.19.193 China Hop IP Address Host Name Country Time 1 Time 2 Time 3 Average Time Error 11 219.158.23.1 China 312 ms 310 ms 330 ms 317 ms Hop IP Address Host Name Country Time 1 Time 2 Time 3 Average Time Error 12 219.158.100.161 China 369 ms 357 ms 360 ms 362 ms Hop IP Address Host Name Country Time 1 Time 2 Time 3 Average Time Error 13 202.96.12.30 China 373 ms 375 ms 372 ms 373 ms Hop IP Address Host Name Country Time 1 Time 2 Time 3 Average Time Error 13 202.96.12.30 China 373 ms 375 ms 372 ms 373 ms Hop IP Address Host Name Country Time 1 Time 2 Time 3 Average Time Error 13 202.96.12.30 China 373 ms 375 ms 372 ms 373 ms Hop IP Address Host Name Country Time 1 Time 2 Time 3 Average Time Error 14 124.65.60.74 China * * 370 ms 370 ms The request timed out. Hop IP Address Host Name Country Time 1 Time 2 Time 3 Average Time Error 15 61.148.147.86 China 369 ms 370 ms 365 ms 368 ms Hop IP Address Host Name Country Time 1 Time 2 Time 3 Average Time Error 15 61.148.147.86 China 369 ms 370 ms 365 ms 368 ms Hop IP Address Host Name Country Time 1 Time 2 Time 3 Average Time Error 15 61.148.147.86 China 369 ms 370 ms 365 ms 368 ms Hop IP Address Host Name Country Time 1 Time 2 Time 3 Average Time Error 18 42.62.19.137 China * 285 ms 285 ms 285 ms The request timed out. Hop IP Address Host Name Country Time 1 Time 2 Time 3 Average Time Error 18 42.62.19.137 China * 285 ms 285 ms 285 ms The request timed out. Hop IP Address Host Name Country Time 1 Time 2 Time 3 Average Time Error 19 42.62.19.86 China * * 290 ms 290 ms The request timed out. Hop IP Address Host Name Country Time 1 Time 2 Time 3 Average Time Error 20 42.62.19.117 China 289 ms 290 ms 290 ms 290 ms Hop IP Address Host Name Country Time 1 Time 2 Time 3 Average Time Error 21 42.62.4.52 China 287 ms 287 ms 290 ms 288 ms |
|
Subject: RE: Tech: 2345 piggybacking Mudcat From: Bill D Date: 05 Jul 13 - 02:32 PM sorry... I copied several of those twice. |
|
Subject: RE: Tech: 2345 piggybacking Mudcat From: Jack Campin Date: 05 Jul 13 - 03:53 PM So it looks like we can block them pretty thoroughly by just blocking 42.62.*.* 61.148.147.* which should zap both 2345.com and whoever provides them with their connectivity. |
|
Subject: RE: Tech: 2345 piggybacking Mudcat From: Jack Campin Date: 05 Jul 13 - 07:12 PM My Firefox has been waiting for union2.50bang to finish for about half an hour now. And the slowdown from this 2345.com link is intolerable, even if it isn't doing anything really malicious. |
|
Subject: RE: Tech: 2345 piggybacking Mudcat From: Jeri Date: 05 Jul 13 - 07:43 PM Jack, figure out how many IP addresses you're blocking. I can't, other than a few tens of thousands, but it's a lot. I just blocked the script with AdBlock Plus (Firefox). |
|
Subject: RE: Tech: 2345 piggybacking Mudcat From: Mick Pearce (MCP) Date: 05 Jul 13 - 08:26 PM I just had a look at the list of blocked items on my Firefox (22.0 under Ubuntu 12.04lts) with AdblockPlus. It's blocking about 15 or so items from 2345 and related sites on default settings, a mixture of scripts, images and css Mick |
|
Subject: RE: Tech: 2345 piggybacking Mudcat From: michaelr Date: 06 Jul 13 - 03:08 AM Could someone please explain in layman's terms what all this means? How concerned should we be? And where the hell is Max? |
|
Subject: RE: Tech: 2345 piggybacking Mudcat From: JohnInKansas Date: 06 Jul 13 - 05:25 AM On the mudcat front page (thread index page) if you right click in a blank area and choose "view source" you will get a new window that shows the html code for the page. At line 137 you will find: <iframe src=http://www.2345.com/?ktjwh202 width=0 height=0> The "iframe" command inserts a "frame" that can contain a "page" or parts of one from another site or from another place on the same site. This is a "new" addition to legitimate html code that appeared ca. 1997. The "src" identifies where the stuff displayed inside the frame comes from. The "width" and "height" define how big the frame is to be. In this case, both width and height are zero, so the frame should NOT BE VISIBLE ON THE PAGE. Information I've found is insufficient to be sure, but most browsers do permit you to set a preference to "open links in new window" or "open links in a new tab" and since the "src" spec is a legitimate link either of these might open the "src" link otherwise than as specified by the iframe command, permitting it to be displayed in a "normal" window/tab rather than in a zero-zero sized frame. With information at hand, I don't know if this could happen ... At the link given at "04 Jul 13 - 10:49 AM" you can see a proper use of the iframe html command, with a fully functional "Weather Service" page inserted, complete with scroll bars and all the rest, in an iframe filled by a "call" from the the originally linked page that explains it all. It is asserted that "browsers isolate the main page from the iframe page" so that neither can affect the other. Of course if you click inside the iframe, anything the page that's linked into it can do can be done to you. Hypothetically, it would appear that setting the iframe size to zero-zero dimensions should prevent you from seeing it, and from clicking on anything the iframe target page contains. (? ? ?) IFF you don't see the iframe content, as in my IE, it probably is harmless. IFF you do see something, it would contribute to my understanding of what's going on if you could identify: 1. What browser you're using 2. What "open links as ..." settings you have set. 3. Behaviour that conserns you in fairly specific detail Since at present I'm having no particular difficulty with this, other than mild curiosity, you may consider whether it's of use to exchange information or just to continue to babel and fret. Where to go next is useless if you don't know where you're at now (although one major aircraft maker didn't think it mattered when deciding what parts to fix next - which is why I didn't work there long after I found it out.) NOTE: [preview bounced because I copied the <iframe> line from source code. Mudcate blocks use of that html command in a post. "Coded" so it doesn't look legit gets the post up.] John |
|
Subject: RE: Tech: 2345 piggybacking Mudcat From: GUEST,Peter Date: 06 Jul 13 - 08:09 AM I see it too, either it was put there by Max or the site has been hacked. If nobody's firewalls have been screaming so its probably not harmful in its own right but it does enable 2345 to log all of the IP addresses that visit Mudcat. |
|
Subject: RE: Tech: 2345 piggybacking Mudcat From: Pete Jennings Date: 06 Jul 13 - 09:57 AM I can see the line 137 iframe code that JiK has identified but I haven't seen anything of 2345 and my ESET security (on a PC) is not reporting any blocked attacks. |
|
Subject: RE: Tech: 2345 piggybacking Mudcat From: Mick Pearce (MCP) Date: 06 Jul 13 - 11:57 AM Pete You shouldn't normally see anything of the site as the size is set to 0 in the iframe. You'd only know it's there if you look at the source for the page or if you have something like Adblock that can show you things it's blocking. It may be doing nothing more than racking up hits for the 2345 site or collecting ip info as mentioned above. Nothing more malicious seems to be emanating from it at the moment (though it's never a good thing if people are collecting your ip addresses!) Mick |
|
Subject: RE: Tech: 2345 piggybacking Mudcat From: michaelr Date: 06 Jul 13 - 12:59 PM JiK -- thanks for trying, but I did ask for "layman's terms"... lol. What I am noticing is that threads load quite a bit slower. |
|
Subject: RE: Tech: 2345 piggybacking Mudcat From: GUEST,Grishka Date: 06 Jul 13 - 01:08 PM I am not convinced of the idea that a loaded site is harmless if you don't see it or don't click on it. Malware can be hidden in commercial ads; not even executable "scripts" are required. Websites of even higher reputation than Mudcat (in terms of content and technology) frequently have to admit that they - unwittingly but carelessly - transported vicious malware in ads. Since neither Max nor the other Admins have reacted yet, I do not think that the iframe got there without their consent. |
|
Subject: RE: Tech: 2345 piggybacking Mudcat From: Jeri Date: 06 Jul 13 - 01:17 PM Grishka, Max is the only one who would know. Michaelr, again, that iframe is only on the main forum page, not on individual threads. Something else may be why they're taking longer than usual to load. |
|
Subject: RE: Tech: 2345 piggybacking Mudcat From: leeneia Date: 06 Jul 13 - 02:39 PM Wikipedia says: 2345.com is a Chinese web directory founded in 2005.[1] The website is the second most used web directory in China.[2] It is ranked 47th place in China and has a world wide ranking of 419 on Alexa.[3][4] It is hosted at Abitcool China Inc. Beijing, China. That was last updated in October, 2012. |
|
Subject: RE: Tech: 2345 piggybacking Mudcat From: leeneia Date: 06 Jul 13 - 02:40 PM Mudcat is pretty slow for me, too. I put it down to the usual things - small site, gallant volunteer help. Need more contributions. |
|
Subject: RE: Tech: 2345 piggybacking Mudcat From: GUEST,Grishka Date: 06 Jul 13 - 03:20 PM Like all catalogue sites, even in China, that one is financed by ads designed by the advertisers. Such advertisers have been known to smuggle malware even into sites of perfect reputation. An explanation by Max would be helpful, but experience tells us that he keeps silence about his policy. I have no insight into possible business connections. Anyone who has, and can convince us? |
|
Subject: RE: Tech: 2345 piggybacking Mudcat From: michaelr Date: 06 Jul 13 - 05:10 PM What I'm seeing (in IE) are the little "Waiting for" thingies flashing at the bottom of my screen. There have been more and more of them as Max has loaded up ads and stuff, such as Facebook, Google ads and other crap. And now my browser has to additionally wait for 2345. After that it usually says "Done, but with errors on page". And when it says "Done", whatever I've clicked on still doesn't open for several seconds, to the point where the blue IE bar at the top of my screen says "(Not responding)". That's annoying in itself. If this is something Max did on purpose, I don't like it. Why slow down the user experience? If it's malicious, it's much worse and should be dealt with forthwith. |
|
Subject: RE: Tech: 2345 piggybacking Mudcat From: GUEST,NIghtWing (cookie-less) Date: 06 Jul 13 - 07:59 PM I apparently cleared my cookie the last time I was in. While this is going on I'm not going to log back in. Running Firefox 22.0, I'm actually seeing nothing. The image was captured by Firefox though. It's an (apparent?) GIF of a gray octopus. I blocked the site from loading images at Tools / Page Info / Media tab. However, then I went to Tools / Options / Content tab and added the string *.2345.com to the Exceptions to "Load images automatically". So far (crossing fingers!!!), nothing else has followed it. Erm, does anyone know how to view the Page Source in Firefox 22? I can't find an option for it anywhere? BB, NightWing |
|
Subject: RE: Tech: 2345 piggybacking Mudcat From: GUEST,NIghtWing (cookie-less) Date: 06 Jul 13 - 08:06 PM Well, bloody! I spoke too soon. When I went back to the main forum page ("Lyrics & Knowledge"), it somehow managed to load up FIFTEEN images from 2345.com. Several of them are Google logos: if someone tells Google, maybe they can drop a smartbomb on them :-( (Google claims not to be evil, but you've got to have the capacity for evil before it's a virtue NOT to be so.) BB, NightWing (unhappy at the moment!) |
|
Subject: RE: Tech: 2345 piggybacking Mudcat From: Jeri Date: 06 Jul 13 - 08:21 PM In Firefox 22: Tools>Web Developer>Page Source |
|
Subject: RE: Tech: 2345 piggybacking Mudcat From: Mick Pearce (MCP) Date: 06 Jul 13 - 08:59 PM Right-click>View Page Source also works (in Ubuntu version of 22) Mick |
|
Subject: RE: Tech: 2345 piggybacking Mudcat From: GUEST,NIghtWing (cookie-less) Date: 06 Jul 13 - 09:49 PM Thanks, Jeri and Mick!! I had actually looked (I think, several times) at the Web Developer menu without seeing "Page Source" there. Maybe it's not short-term memory that's the first thing to go ... (What were we talking about? :-) BB, NightWing |
|
Subject: RE: Tech: 2345 piggybacking Mudcat From: Bill D Date: 07 Jul 13 - 10:33 AM ctrl-U 'usually' gets page source in any browser. |
|
Subject: RE: Tech: 2345 piggybacking Mudcat From: Jack Campin Date: 08 Jul 13 - 06:06 PM Just for laughs: try saving the source of the Mudcat home page. Then change that iframe line to <iframe src=http://www.2345.com/?ktjwh202 width=600 height=800></iframe> and reload that source into your browser. It will put 2345's input in a window large enough for you to read. You can now save the frame and feed it into Google Translate - it does a very good job. It doesn't appear to be malicious but it certainly isn't what anybody comes to Mudcat looking for. |
|
Subject: RE: Tech: 2345 piggybacking Mudcat From: GUEST,Grishka Date: 09 Jul 13 - 04:25 AM Done that before, Jack. As we saw, it is a catalogue service, China's largest. As with all websites nowadays, there are two serious security problems, caused by the site itself or by embedded ads:
|
|
Subject: RE: Tech: 2345 piggybacking Mudcat From: Bob the Postman Date: 10 Jul 13 - 10:44 AM This morning my iPad's Safari browser has started opening 2345 not only on Mudcat's home page but on individual threads as well. 2345 also displays when I click the Personal Page link. |
|
Subject: RE: Tech: 2345 piggybacking Mudcat From: GUEST,Grishka Date: 10 Jul 13 - 11:10 AM It is now definitely known to be a malware attack via Mudcat ("Trojan-Clicker.JS.Iframe.gb" - google it); see the Trojan thread. Desinfect your PC if you can; disable JavaScript. |
|
Subject: RE: Tech: 2345 piggybacking Mudcat From: Jeri Date: 10 Jul 13 - 11:25 AM It's BELIEVED to be. I once was told that midis I'd created were infected. They weren't, but a particular anti-virus program wen nuts. I'm not even seeing this 2345 script anymore. It's been there, but blocked. Now, it doesn't seem to be there. |
|
Subject: RE: Tech: 2345 piggybacking Mudcat From: Jeri Date: 10 Jul 13 - 11:29 AM OK, it just got re-named. It's there. |
|
Subject: RE: Tech: 2345 piggybacking Mudcat From: bobad Date: 10 Jul 13 - 11:38 AM What has it been renamed Jeri? I blocked it with AdBlock Plus and I don't see any iframe on Page Source. |
|
Subject: RE: Tech: 2345 piggybacking Mudcat From: Bill D Date: 10 Jul 13 - 11:41 AM Ok... I 'seem' to have a partial solution, at least for me. I use The Proxomitron web filter. It has not been updated in several years, but its basic principle still works. It has many 'rules' to control what you see, but you have to tell it how vigorously to enforce them and at what level. The code for writing a rule is not simple, but geeky experts have created quite a few. I have 6 levels of filters available... and level 6 about stops ANYTHING from being seen. I usually have only levels 2-3 working, which stops most javascript....but I have disable it (Proxomitron) to see some images, videos...etc. I do that on sites I trust. It blocks 'most' of the ads on Mudcat (and puts a tiny little [ad] in red to show me it is working- nice touch). I sometime DISable it in order to click ads to help Max. Now... when I load Level 4 of the filters, I get a notice from the ad script saying "connection blocked by Proxomitron-- you are attempting to connect to a blocked URL...please try the following.." So, the scripts are 'aware' they are being blocked (my term) and are objecting. This level 4 also seems to block 2345! At least the 'source' shows no evidence of it. The only 2345 I see in 'source' is our comments on it. For those who wish to mess with Proxo, (a bit of a learning curve to get familiar with driving it), it can help with some things. You DO have to turn it off for doing some things... and remember to turn it on again. I will be running level 4 a lot until Max gets this sorted. |
|
Subject: RE: Tech: 2345 piggybacking Mudcat From: Bill D Date: 10 Jul 13 - 11:47 AM BTW...someone also wrote a Proxo rule to deal with 'target=blank', which coders use to force a link to open in a new page. I didn't like that... it is perfectly easy to TELL your browser to 'open in a new page or tab' if you wish... but I like most pages to open in the same tab/page... allowing me to just use the 'back' button! I found where someone had written this rule and copied it and added it to MY rules sets. |
|
Subject: RE: Tech: 2345 piggybacking Mudcat From: Jeri Date: 10 Jul 13 - 12:54 PM Bobad, "www.mudcat.org/ga_social_tracking.js" goes to "http://www.2345.com/?ktjwh20" |
| Share Thread: |