 sj |
||
|
||
Tech: Mudcat Trojan warnings
|
|
|
Subject: RE: Tech: Mudcat Trojan warnings From: bobad Date: 03 Aug 13 - 01:35 PM It's gone - looks like Max is back to taking care of his baby. |
|
Subject: RE: Tech: Mudcat Trojan warnings From: maeve Date: 02 Aug 13 - 03:55 PM It's not a computer problem being discussed in the other thread. Patience is advisable as Mick suggests. |
|
Subject: RE: Tech: Mudcat Trojan warnings From: Mick Pearce (MCP) Date: 02 Aug 13 - 01:39 PM Grishka - I'm as in the dark about the circumstances as you. I was making an inference from the tone of the other thread that he may have other higher priorities at the moment. In the meantime we take our own precautions. Mick |
|
Subject: RE: Tech: Mudcat Trojan warnings From: GUEST,Grishka Date: 02 Aug 13 - 10:01 AM Mick, do you know more than we do? I understood that he did something on his computer or server ("The internet loves folly") which he regretted immediately, and which caused him to backup Mudcat. (I did not understand his phrase "Published by: The Balls to Hit Send Press" - did he have the balls to hit a button labeled "Send Press"??? Further explanation is welcome.) I totally agree with the posts on that thread that his health has top priority, and add my best wishes for him regardless of any computer stuff. However, freeing his computers from intrusion should be considered urgent as well, for many reasons including the risk of being blacklisted. |
|
Subject: RE: Tech: Mudcat Trojan warnings From: Mick Pearce (MCP) Date: 02 Aug 13 - 07:05 AM Grishka - from the Worst Idea Ever thread it seems that Max has some problems of his own at the moment. Sorting out the iframe may be quite low priority just now. Mick |
|
Subject: RE: Tech: Mudcat Trojan warnings From: Jim Carroll Date: 02 Aug 13 - 05:20 AM Thank you Grishka - all my own work, though heavily borrowed from the Classics Jim Carroll |
|
Subject: RE: Tech: Mudcat Trojan warnings From: GUEST,Grishka Date: 02 Aug 13 - 05:13 AM Jim, good pun (particularly if you invented it). Always look at the bright side of life, as soon as the serious side has been taken care of. I sincerely hope that this is true in this case, but the "iframe" is still there. |
|
Subject: RE: Tech: Mudcat Trojan warnings From: Jim Carroll Date: 02 Aug 13 - 04:53 AM "Mudcat Trojan warnings" Beware of geeks bearing gifts maybe? Jim Carroll |
|
Subject: RE: Tech: Mudcat Trojan warnings From: Mick Pearce (MCP) Date: 01 Aug 13 - 04:59 AM Grishka - I sent Max a pm when I first first noticed it was back a couple of days ago. Mick |
|
Subject: RE: Tech: Mudcat Trojan warnings From: GUEST,Grishka Date: 01 Aug 13 - 04:52 AM Has Max been informed? He can probably remove the <iframe ...> statement at the bottom of the page immediately, and thus buy us a couple of days rest. I wonder if his cryptic "Worst Idea Ever" thread is related to this one - it would not be surprising. Panic is certainly a bad idea if you have the choice (though there are much worse ideas), but well-advised action is required. Other websites have suffered and warded off similar attacks. |
|
Subject: RE: Tech: Mudcat Trojan warnings From: GUEST,Grishka Date: 30 Jul 13 - 07:37 AM This time the "iframe" statement appears directly in the thread list HTML, at its bottom. It looks as if the aggressor has obtained access to Max's computer, a so-called "back door", and uses it flexibly. A tough opponent indeed. |
|
Subject: RE: Tech: Mudcat Trojan warnings From: doc.tom Date: 30 Jul 13 - 05:25 AM I dun do what treewind and grishka suggested byu adding code and it's solved the problem. Kasperski - I love it: now that the windows generic and avg keep missing so much stuff, at least Kasperski flags it up. I like to know when people are watching me. |
|
Subject: RE: Tech: Mudcat Trojan warnings From: GUEST,Ironmule Date: 30 Jul 13 - 03:36 AM I can't seem to log on. I've just moved and been offline a long while and have to reset my cookies. Several different problems/fixes have been mentioned. I'm still using MS XP and when I get hit with Malware, I use the F8 key during the opening sequence, to get to where I can enter "Safe Mode". From there System Restore lets me reset to before I caught my fleas. Some of the latest malware uses very agressive popups to keep you from seeing your desktop even in safe mode. You can start System Restore but you can't click on anything there because it's hidden. Anyone else been told the FBI had locked them out and they had to pay $200? I now have another "Logon" to my computer. It's called "Jeff's Safety" and if the "Hostage Ware" locks up my normal system, I can log on to the safety persona and use system restore to go back to a safe time before I visited what I thought was an OK site. It's an extra couple seconds and a mouse click of delay when I start the computer, but better than the two weeks I spent fighting the worst of the hostage ware. Jeff Smith |
|
Subject: RE: Tech: Mudcat Trojan warnings From: Mick Pearce (MCP) Date: 29 Jul 13 - 09:00 PM Just noticed I'm seeing 2345.com and 50bang.org on the main thread index page again. Mick |
|
Subject: RE: Tech: Mudcat Trojan warnings From: GUEST,Grishka Date: 15 Jul 13 - 12:17 PM Thanks, Max, for informing us and applying first aid. For those who have not noticed: Max has completely removed the call to "ga_social_tracking.js" from the HTML, and has changed that script to a harmless content. It is of course only a matter of time that the attacker strikes again as before, so I would keep 2345 blocked at least until the whole story is over. |
|
Subject: RE: Tech: Mudcat Trojan warnings From: GUEST Date: 15 Jul 13 - 11:06 AM Thank you, Max. I appreciate your efforts very much. I have now told Kaspersky this is a trusted site- I hope that is accurate, based on your first aid.tweak. I hope you can relax and enjoy your time on the lake. Maeve |
|
Subject: RE: Tech: Mudcat Trojan warnings From: Jack Campin Date: 15 Jul 13 - 10:31 AM I just added the Grishka-and-Anahata-as-approved-by-Max hosts file tweak. Makes a big difference to loading time, much more than the router block did. My guess is that DNS lookups for 2345 must be quite slow, either because they're away in China or because the attack is interfering. (And having zapped one site that way, my natural query is "what else can I hit with that?" - maybe the BBC's treacle-slow script-hosting site might get it). |
|
Subject: RE: Tech: Mudcat Trojan warnings From: GUEST,Max Date: 15 Jul 13 - 10:05 AM Grishka has it exactly right. This morning I have, for the 2nd time, thwarted the 2345 hijack of the Google social tracking script, this time by removing it altogether. I am however at a disadvantage being 1000 miles from home in a cabin on a lake in northern Wisconsin. I have limited abilities until I return home next week. I will do what I can from here for the rest of the week and assure you a full overhaul at the top of my priority list when I return home. I am very sorry for any trouble this has caused and next week will do what I can to remove as many of the doodads that I can that may annoy or have the potential to make us vulnerable for such a thing again. |
|
Subject: RE: Tech: Mudcat Trojan warnings From: bobad Date: 15 Jul 13 - 08:14 AM I am the administrator of my computer but am still not allowed to save additions to the hosts file. Following treewind's advice I saved the changes to my desktop then drag and dropped it back into the hosts file and there it rests snugly. |
|
Subject: RE: Tech: Mudcat Trojan warnings From: GUEST,Grishka Date: 15 Jul 13 - 07:41 AM My recommendation is to add the lines 127.0.0.1 www.2345.comto the existing (essentially empty) "hosts" file, until Mudcat has solved the problem. I would not use the MVPS "hosts" file. It is possible that the malware only lurks on particular pages of 2345, not on the homepage. It could have been injected by a customer. Bobad: to make yourself admin if you aren't, you need Harry Potter's wand. Alternatively, log in to a user account with admin privileges (there is always at least one, as treewind writes) when starting Windows. If someone else has the password, ask her/him to do it. Phil: the Firefox "Back" button may be misbehaving because of the injected <iframe>, or objects injected inside it. Many reasons to block the 2345 page until further notice. |
|
Subject: RE: Tech: Mudcat Trojan warnings From: GUEST Date: 15 Jul 13 - 07:21 AM Does anyone know how to make yourself administrator in Win 7? Control Panel\User Accounts and Family Safety\User Accounts\Manage Accounts\Create New Account |
|
Subject: RE: Tech: Mudcat Trojan warnings From: treewind Date: 15 Jul 13 - 07:21 AM "Does anyone know how to make yourself administrator in Win 7?" When it's installed, the first user created always has admin privileges. However all that means is that you will sometimes get asked for permission to perform certain operations. Not all programs know how to ask for that permission. Sometimes, if I try to edit a file in a privileged folder, the editor simply says it couldn't save it, but doesn't have any way of asking for permission. I got round that by copying the file to a folder in my home area (full read/write access) editing it there, then copying it back to the privileged folder. The copy operation (done by a desktop click and drag, not on the command line) then pops up a windows asking for permission, if you have administrator rights. I presume that if you don't have admin, it simply refuses to do it. |
|
Subject: RE: Tech: Mudcat Trojan warnings From: treewind Date: 15 Jul 13 - 07:08 AM The huge hosts file may slow access down on legitimate sites, on the other hand for sites that contain a links to a domain listed in the hosts file, it's probably quicker to find the hosts entry than to do a DNS lookup for that domain. As for the denial-of-service theory, Kaspersky does claim in a support forum somewhere that 2345.com is a malware site. They don't say what malware is there, and nothing is proven, also attempting to go direct to that page on 2345.com doesn't trigger a Kaspersky warning. It's the URL in that IFRAME link that it's objecting to. Maybe 2345.com used to host malware. The fact remains that the Mudcat site has had unauthorized content inserted, and that's bad. |
|
Subject: RE: Tech: Mudcat Trojan warnings From: bobad Date: 15 Jul 13 - 07:06 AM Windows 7 does not allow you to make additions to the hosts file unless you have administrator privileges which you don't by default. Does anyone know how to make yourself administrator in Win 7? |
|
Subject: RE: Tech: Mudcat Trojan warnings From: Newport Boy Date: 15 Jul 13 - 06:55 AM I've just posted in the 'Mudcat/Firefox' thread, as below: Well - it looks like the changes to the page coding to include the 2345, etc calls are also the cause of the aberrant behaviour. This version of FF (19) on which I have blocked the 2345 addresses works correctly. FF22 on XP and all my other browsers, on which I've not blocked the addresses, behave wrongly. That's as I find it, anyway. Phil |
|
Subject: RE: Tech: Mudcat Trojan warnings From: GUEST,Grishka Date: 15 Jul 13 - 06:30 AM The attacker wants us to download a particular page from 2345.com frequently, which we should definitely avoid. In other words, we should block it until Mudcat has got rid of the problem. Of the various methods suggested above, I think treewind's is easist: just add those two lines to the "hosts" file. Thanks, treewind. (Chinese Mudcatters who love 2345.com need some patience. As we saw, Max probably has a strong financial interest to reinstall his own "ga_social_tracking.js" quickly and permanently. He mey even find the services of a professional human ghostbuster worth their price.) |
|
Subject: RE: Tech: Mudcat Trojan warnings From: Newport Boy Date: 15 Jul 13 - 06:19 AM @michaelr - Newport Boy wrote: "I've blocked all references to 2345 and union250bang and loading of all pages is significantly faster - about half the time to load." Could you PLEASE explain in PLAIN ENGLISH how to do this? (Maybe I'm dense - I asked JohninKansas upthread to explain something in layman's terms and could not understand his response at all - but have mercy. I'm a music geek, not a tech geek.) I'm using a version of Firefox with Adblock Plus. I haven't used Jack's nuclear option - I've only blocked the 2 addresses on the Mudcat front page. This is done in Adblock Plus. The location of buttons may be different in Windows, but the steps should be the same. 1. On Mudcat front page, click the down arrow by the ABP icon (bottom left of window for me). 2. Click 'Open blockable items' (shortcut Ctrl-Shift-V) 3. In the window that appears, right click on each target item and select 'Block this item'. You may find that 'Enter' does the same thing. 4 Done. Phil |
|
Subject: RE: Tech: Mudcat Trojan warnings From: Jack Campin Date: 15 Jul 13 - 05:26 AM I hada look at my /etc/hosts file and there's nothing there except a few trick entries used at bootup. I'd consider using MVPS but I have a couple of worries. On MacOS 9 a large hosts file (from a similar third-party provider of blacklists) slowed Internet access down quite a lot and had quite a few false positives - sites that were slipped in for right-wing ideological reasons. MacOS X users: Does this provide acceptable performance? Can you access everything you want to? I currently have 2345 and union.50bang blocked by IP in my router, which seems to work okay but wouldn't be feasible with too many addresses. Also, if 2345 is really the target of the attack, blocking by either means is ethically the wrong thing to do. It's giving the attackers exactly the result they want. |
|
Subject: RE: Tech: Mudcat Trojan warnings From: treewind Date: 15 Jul 13 - 03:18 AM Could you PLEASE explain in PLAIN ENGLISH how to do this? One way is to change your hosts file as I explained in either this thread or the "2345" thread - I don't remember which now... On Windows the file is here: C:\windows\System32\drivers\etc\hosts You can edit it with notepad - add the following lines to the end: 127.0.0.1 www.2345.com 127.0.0.1 2345.com ... for any other site you want to block, do similar 127.0.0.1 www.bad.malware.site The file downloadable from http://winhelp2002.mvps.org/ is a huge file to replace your hosts file, containing similar entries for several thousand malware and adware sites. Actually it doesn't currently include 2345.com, but it's easy enough to add more to the list as described above. On Mac OS X, Linux or other Unix-like systems, the same file is at /etc/hosts |
|
Subject: RE: Tech: Mudcat Trojan warnings From: Andrez Date: 14 Jul 13 - 10:22 PM Thanks Jack, I'm running Safari V 6.04. I dont have an 'activity' window under the Window menu nor is there a page source option. I'm sure there used to be some time ago. Maybe in your version? One thing though, I do run a whole pile of extensions to block ads, tracking etc. So maybe thats why my Mudcat browsing is so straightforward. Not to worry, thanks for the info anyway. I did find the source page on Firefox though. Will check out and look through the coding for script info when I have a little more spare time. Cheers, Andre |
|
Subject: RE: Tech: Mudcat Trojan warnings From: GUEST,.gargoyle Date: 14 Jul 13 - 10:15 PM Mister M Do not worry... Mudcat was never intended for those as innocent as you. Sincerely, Gargoyle With the advent of the mega cell phone explosion of the last 40 months....each system demands to be proprietary...I phone does not like....and neither likes MS .... however Lynix is universal candies everyone. |
|
Subject: RE: Tech: Mudcat Trojan warnings From: michaelr Date: 14 Jul 13 - 06:11 PM Newport Boy wrote: "I've blocked all references to 2345 and union250bang and loading of all pages is significantly faster - about half the time to load." Could you PLEASE explain in PLAIN ENGLISH how to do this? (Maybe I'm dense - I asked JohninKansas upthread to explain something in layman's terms and could not understand his response at all - but have mercy. I'm a music geek, not a tech geek.) |
|
Subject: RE: Tech: Mudcat Trojan warnings From: Jack Campin Date: 14 Jul 13 - 05:38 PM At a guess, the http_referer may show the request originated from Mudcat but I can't really see that as being any different to say seeing someone clicked a link on Google to get to a site rather than going to it directly. If they go via Google, their ranking on Google will go up. If the download is initiated by a user running a Mudcat script, no ranking anywhere is affected at all. Sending the page is all cost and no benefit for 2345. As for DDoS, I wouldn't guess that this is generating enough traffic to break a site. If Mudcat has been hacked in this way, the chances are that thousands of other sites have been as well. Iframe-munging is a popular stunt to pull on Wordpress blogs. There are about 6o million of them, very few administered by anyone with much technical expertise. |
|
Subject: RE: Tech: Mudcat Trojan warnings From: Jack Campin Date: 14 Jul 13 - 08:54 AM I'm running OSX 10.7.5 and Safari/Firefox as a browser but havent seen or experienced any of the above problems. You probably haven't looked. I only have a very old Safari here, but one of its features is an "Activity" window that you can bring up under the "Window" menu. I suppose it's still around somewhere. Open it, load Mudcat, click the triangle to expand the list of things being loaded, hit the reload button and watch. |
|
Subject: RE: Tech: Mudcat Trojan warnings From: GUEST,Jon Date: 14 Jul 13 - 08:47 AM Jack it's our browsers that do the downloading. Basically they make another page request on our behalf. At a guess, the http_referer may show the request originated from Mudcat but I can't really see that as being any different to say seeing someone clicked a link on Google to get to a site rather than going to it directly. As for DDoS, I wouldn't guess that this is generating enough traffic to break a site. If you looked at the sites individually, you would probably not be concerned with the time it took to get your 2345 or bang.org site. At Mudcat though, we are having to get both of these on top of Mudcat's own pages. |
|
Subject: RE: Tech: Mudcat Trojan warnings From: Andrez Date: 14 Jul 13 - 08:42 AM Hmmmm interesting thread. Just adding for what its worth I'm running OSX 10.7.5 and Safari/Firefox as a browser but havent seen or experienced any of the above problems. I'm not doing a Mac vs PC thing but I wonder what the difference would be? Just a thought anyway. Good luck folks and hopefully Max or whoever sorts the problem out for all affected 'catters. Cheers, Andrez |
|
Subject: RE: Tech: Mudcat Trojan warnings From: Jack Campin Date: 14 Jul 13 - 08:26 AM As with the 2345 site, my feeling is that the site itself is just increasing its ratings through increased hits. How would that work? The only sites involved in those hits are the Mudcat user's and 2345 itself. No site that does ratings gets to find out about it. A DDoS attack makes more sense. Maybe organized by one of 2345's competitors, or as part of an extortion racket. |
|
Subject: RE: Tech: Mudcat Trojan warnings From: Newport Boy Date: 14 Jul 13 - 07:08 AM Confirming what treewind says: Even if that site is harmless, every Mudcat page you load will be slowed down by having to download all that extra trash. I've blocked all references to 2345 and union250bang and loading of all pages is significantly faster - about half the time to load. Phil |
|
Subject: RE: Tech: Mudcat Trojan warnings From: GUEST,Jon Date: 14 Jul 13 - 06:25 AM I'm also seeing union2.50bang.org which seems a bit odd and is also dropped by trojans. As with the 2345 site, my feeling is that the site itself is just increasing its ratings through increased hits. |
|
Subject: RE: Tech: Mudcat Trojan warnings From: treewind Date: 14 Jul 13 - 06:11 AM I've done some research and thought a bit...
|
|
Subject: RE: Tech: Mudcat Trojan warnings From: treewind Date: 13 Jul 13 - 06:25 PM No, Kaspersky is not responsible for the script file on Max's server getting changed. It has indeed been changed back to the fake script that pulls in 2345.com. There can't be a good reason for that to happen so Kaspersky is right to question it. |
|
Subject: RE: Tech: Mudcat Trojan warnings From: Stilly River Sage Date: 13 Jul 13 - 04:07 PM I think Kasperski is the problem. SRS |
|
Subject: RE: Tech: Mudcat Trojan warnings From: Stilly River Sage Date: 13 Jul 13 - 04:06 PM Then, suddenly, I'm getting pop-up ads 'til hell won't have it. Then I get pop-up ads for stuff like "PC-Cleaner" and "Registry Fix" and warnings that my computer is running slow and I should buy their gizmo program that would fix it. Suspicious, I "X-ed" them off. Some of them wouldn't go away, and I had to do a computer restart. Some of which didn't ask me, they just started to download the bloody program! Don, if you get a popup you shouldn't "x" it with the x on the corner of the screen that popped up, you should open the task manager and close it from there. Often times that X has been doctored so it is actually like hitting return, it looks like you accepting the download of malware. There may be something at Mudcat that isn't playing well with your browser, but it sounds like when you hit X you inoculated yourself with a problem. See if you can download and install Malwarebytes/ and scan and remove the problem. You may have to use safe mode and rename the download file to trick malware. SRS |
|
Subject: RE: Tech: Mudcat Trojan warnings From: GUEST,Grishka Date: 13 Jul 13 - 04:04 PM A minute of googling shows that Earthlink do have a browser software of their own, presumably based on one of the popular browser engines. Don, check all "Settings", "Options", "Properties" etc. in your browser, and disable them experimentally. Use some anti-virus software. If you want advice, you need not threaten to shoot yourself; a "please" suffices. Mudcat cannot be blamed for everything; Max does not owe us a perfect world. |
|
Subject: RE: Tech: Mudcat Trojan warnings From: Bill D Date: 13 Jul 13 - 03:33 PM "My web browser is Earthlink " Not really, Don.. Earthlink is a internet service provider...an ISP. Browsers are Internet Explorer, Firefox, Opera...and a dozen more. (Just a technical point....) |
|
Subject: RE: Tech: Mudcat Trojan warnings From: GUEST,kendall Date: 13 Jul 13 - 03:27 PM Kasperski warns me of this trojan every time I come on line. It also says it has been blocked. |
|
Subject: RE: Tech: Mudcat Trojan warnings From: Don Firth Date: 13 Jul 13 - 03:18 PM For several days running, every time I accessed Mudcat, or tried to change from one thread to another, I'd get a message across the bottom of my screen telling me that Mudcat was not responding because it was running a long-running script, and gave me a box to click that said "Stop script." Every time I come on or tried to change from one thread to another. I even started a thread about it. Then, suddenly, I'm getting pop-up ads 'til hell won't have it. Then I get pop-up ads for stuff like "PC-Cleaner" and "Registry Fix" and warnings that my computer is running slow and I should buy their gizmo program that would fix it. Suspicious, I "X-ed" them off. Some of them wouldn't go away, and I had to do a computer restart. Some of which didn't ask me, they just started to download the bloody program! My web browser is Earthlink and I like to use Google for searches. When these unasked-for downloads got finished screwing up my computer, now, when I click the "Earthlink" icon, I get Bing, along with a pop-up ad for yet another "Registry Cleaner." I have to key in "Earthlink" to reach my web browser. NONE of this I wanted to download! Yet, there it is. Oh, yes! I have two e-mail boxes. One is Earthlink, and that one works. The other is Comcast, which I can still access, but now it won't let me open my e-mail. There is a very good service here in Seattle called "GeekServ," and they send a guy out to the house to exorcise demons like this from one's computer. Come Monday, I'm going to call them. Which, of course, is going to cost me. I don't know if this has anything to do with Mudcat, but it all started when I was on the 'cat. Don Firth P. S. By the way, I use neither Twitter nor Facebook. |
|
Subject: RE: Tech: Mudcat Trojan warnings From: gnu Date: 13 Jul 13 - 02:52 PM SRS.... "This seems to be a tempest in a teapot." It sure is! But... my tea is spoiled and I expect it to be fixed by Mudcat and NOT by every Mudcatter. Is that too much to ask or am I just still technologically declined? In any case, I had three red boxes and warning tones before I could get to post this and I will only have tp put up with that shit one more time today... at my next click... submit. gnightgnu |
|
Subject: RE: Tech: Mudcat Trojan warnings From: GUEST,Grishka Date: 13 Jul 13 - 02:19 PM The problem is real and remains as long as the file "http://www.mudcat.org/ga_social_tracking.js" has a length of just 93 bytes. You can use a download manager to test that. For those of us who do not block its execution, the damage is (at least) a dramatic increase in download traffic, everytime we open a thread. The damage for Max, apart from his presumably infested computer and loss of reputation, is that his "social tracking" no longer works. If we all block JavaScript, Mudcat will lose much of its ad revenue to boot. Max had best fix the problem quickly. Has he been informed that his first attempt was not permanently successful, since the Trojan or cracked password is still in force? |
|
Subject: RE: Tech: Mudcat Trojan warnings From: Jack Campin Date: 13 Jul 13 - 01:57 PM The iframe is not a virus, from the Mudcat user's viewpoint. What it does is entirely normal web coding - it just has no conceivable innocent purpose. There's no reason for any anti-virus program to flag it. If you aren't seeing it there's something wrong with your browser, since it should be loading iframes when it sees them. But it seems likely it was some sort of virus or trojan that put it there. Only someone with access to Max's hardware can figure out what happened and fix it. |
| Share Thread: |