Malicious re-direct on this forum

Discussion about the board itself, forums organization and site bugs.
luntrus
Senior Member
Posts: 237
Joined: Sat Mar 21, 2009 6:29 pm

Malicious re-direct on this forum

Post by luntrus » Thu Jun 18, 2009 2:14 pm

Hi forum moderators,

When I try to post a message in the forums without NoScript allowed, I get a redirect on submitting to:
evil.hackademix.net/images/stallowned.jpg
Can anybody explain?

luntrus
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; Browzar)

User avatar
therube
Ambassador
Posts: 7470
Joined: Thu Mar 19, 2009 4:17 pm
Location: Maryland USA

Re: Malicious re-direct on this forum

Post by therube » Thu Jun 18, 2009 2:42 pm

Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball NoScript FlashGot AdblockPlus
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1pre) Gecko/20090601 SeaMonkey/2.0b1pre

Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: Malicious re-direct on this forum

Post by Tom T. » Fri Jun 19, 2009 6:21 am

Not sure what you mean by "without NoScript allowed". Do you mean, without allowing scripts from Informaction.com? Do you mean, with NS disabled completely?

I posted this with scripting from informaction.com disabled. I used to keep it disabled all of the time, on general principle (*of course* I trust Giorgio! But there's "user-uploaded content" here, and some weird links we're asked to investigate), but lost the convenience of the toolbar above the message-compose box. Not to mention, the all-important smileys! :grin:

Are you sure you didn't accidentally include a filter-trigger word, perhaps in quoting a malicious user? Or Cyrillic, which is auto-filtered here?
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US at an expert level; rv:1.8.1.20) Gecko/20081217 Firefox/2.0.0.20 diehard

User avatar
Giorgio Maone
Site Admin
Posts: 8743
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy
Contact:

Re: Malicious re-direct on this forum

Post by Giorgio Maone » Fri Jun 19, 2009 9:41 am

That's the response of the anti-spam filter (no malicious redirect nor anything JavaScript related).
Use Firefox or another Gecko-based browser and try to rephrase your post, because you surely included some problematic term.
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.0.11) Gecko/2009060215 Firefox/3.0.11 (.NET CLR 3.5.30729)

luntrus
Senior Member
Posts: 237
Joined: Sat Mar 21, 2009 6:29 pm

Re: Malicious re-direct on this forum

Post by luntrus » Fri Jun 19, 2009 11:40 am

Hi Giorgio Maone,

Something else happened at the same time, I used the submit form at that particular time and place at another machine from inside Browzar2000 IE-shell browser with the normal ask search function, which is a priori unsafe. I found out this is underlying cause of the unsafe default search function in the Browzar browser:
http://www.xssed.com/mirror/59948
So your part of the story may also be valid, but the case was a bit complicated.
I therefore ask users to refrain from using Browzar, it is a gimmick and unsafe,
but the forum is secure and for you and the security folks here an additional 100 security bonus points

luntrus
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; Browzar)

User avatar
therube
Ambassador
Posts: 7470
Joined: Thu Mar 19, 2009 4:17 pm
Location: Maryland USA

Re: Malicious re-direct on this forum

Post by therube » Fri Jun 19, 2009 3:54 pm

Am I understanding correctly?
You were using this Browzar "browser" (IE shell), & it was with that that you received the redirects?

Image
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball NoScript FlashGot AdblockPlus
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1pre) Gecko/20090618 SeaMonkey/2.0b1pre

luntrus
Senior Member
Posts: 237
Joined: Sat Mar 21, 2009 6:29 pm

Re: Malicious re-direct on this forum

Post by luntrus » Fri Jun 19, 2009 4:04 pm

Hi therube,

I know this sounds weird for some-one in in-browser security, but the computer there had it installed and had/has this vulnerable search engine at it's default.
Sometimes it is good to alert to this vulnerabilities, and it further demonstrates that Browzar is adware and people should refrain from using it, it is popular with youngsters, because it claims to delete all browser traces,

luntrus
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/530.9 (KHTML, like Gecko) Iron/2.0.178.0 Safari/530.9

User avatar
GµårÐïåñ
Lieutenant Colonel
Posts: 3339
Joined: Fri Mar 20, 2009 5:19 am
Location: PST - USA
Contact:

Re: Malicious re-direct on this forum

Post by GµårÐïåñ » Fri Jun 19, 2009 8:58 pm

luntrus wrote:Hi Giorgio Maone,

Something else happened at the same time, I used the submit form at that particular time and place at another machine from inside Browzar2000 IE-shell browser with the normal ask search function, which is a priori unsafe. I found out this is underlying cause of the unsafe default search function in the Browzar browser:
http://www.xssed.com/mirror/59948
So your part of the story may also be valid, but the case was a bit complicated.
I therefore ask users to refrain from using Browzar, it is a gimmick and unsafe,
but the forum is secure and for you and the security folks here an additional 100 security bonus points

luntrus


Its based on IE, using IE control, using IE browser container, hence IE, what did you expect from it? Not IE? Common sense. :roll: You can't use a custom whack job of another whack job browser, at least security wise and before v8, and when it does something bad or weird looking you are surprised? :shock:
~.:[ Lï£ê ï§ å Lêmðñ åñÐ Ì Wåñ† M¥ Mðñê¥ ßå¢k ]:.~
________________ .: [ Major Mike's ] :. ________________
Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.0.11) Gecko/2009060215 Firefox/3.0.11

luntrus
Senior Member
Posts: 237
Joined: Sat Mar 21, 2009 6:29 pm

Re: Malicious re-direct on this forum

Post by luntrus » Fri Jun 19, 2009 10:27 pm

Hi GµårÐïåñ,

Yes, my good friend, another urge not to click blue e, well we Europeans will soon learn how to live without it, because Windows 7 will sell without it now. There was another thing on that particular computer the admin at the firm still kept his users on IE6, I could have Clear Prog on that machine and a friendly admin from an outsourced security firm installed SafeXP there, so one at least runs lesser risk (using also normal user rights), but IE is not my kettle of fish. Next time I use a portable version of fx or flock from a USB stick/pen drive there.

Normally I never see these things, at home I use IE only for downloading MS updates and keep the browser fully patched because it is such a vital part inside the OS. Third party software I keep updated and patched through Secunia PSI, I run Foxit Reader, OO and various other open software proggies like VLC Media Player, not that over-bloated and with less well-known holes. When Playing YouTube I use YouTube History Bleach extension, etc. So you can say I am security aware, and play "SafeHex".

This here discussion demonstrates again that browsers were not developed a priori with security in mind or at heart, but with general user functionality as a set-out where blue e is a fine exponent of this, bending the rules and even setting its own standards. You miss NS when you cannot work it,

luntrus
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1pre) Gecko/20090618 Shiretoko/3.5pre

User avatar
GµårÐïåñ
Lieutenant Colonel
Posts: 3339
Joined: Fri Mar 20, 2009 5:19 am
Location: PST - USA
Contact:

Re: Malicious re-direct on this forum

Post by GµårÐïåñ » Fri Jun 19, 2009 11:14 pm

Yes my friend, the EU won that little battle. Although Win7 with IE8 would be an acceptable setup, not TOO bad, although I still prefer to stay away and when possible recommend others do the same. Yeap, you got it, that's why I always carry a special thumb drive (the size of a nickle) that has portable versions of my apps that I use to make sure I am not subject to whatever vulnerabilities exist on that machine. Those that don't allow non-admins to run, I use my mini-cd version of Knoppix live cd to bypass it and boot directly into memory on reboot. Anyway, nothing that happens with IE surprises me really, although they are getting better at plugging it and arguably, they already have accomplished some level of maturity with 8. Good times.
~.:[ Lï£ê ï§ å Lêmðñ åñÐ Ì Wåñ† M¥ Mðñê¥ ßå¢k ]:.~
________________ .: [ Major Mike's ] :. ________________
Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.0.11) Gecko/2009060215 Firefox/3.0.11

Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: Malicious re-direct on this forum

Post by Tom T. » Sat Jun 20, 2009 3:44 am

luntrus wrote:..., at home I use IE only for downloading MS updates

If you're interested, you can get your MS Updates with Fx.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US at an expert level; rv:1.8.1.20) Gecko/20081217 Firefox/2.0.0.20 diehard

pcalvert
Posts: 4
Joined: Fri Oct 02, 2009 3:19 am

Re: Malicious re-direct on this forum

Post by pcalvert » Wed Oct 14, 2009 3:12 pm

Giorgio Maone wrote:That's the response of the anti-spam filter (no malicious redirect nor anything JavaScript related).
Use Firefox or another Gecko-based browser and try to rephrase your post, because you surely included some problematic term.

Then there's a problem with the anti-spam filter. I just encountered this same problem. Since when is "w!n32" (replace "!" with "i") a term that should be banned? That's the string that is preventing me from posting a message.

Phil
Opera/9.25 (Windows NT 6.0; U; en)

User avatar
Giorgio Maone
Site Admin
Posts: 8743
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy
Contact:

Re: Malicious re-direct on this forum

Post by Giorgio Maone » Wed Oct 14, 2009 3:18 pm

Just add "Gecko" somewhere in your user agent string.
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3 (.NET CLR 3.5.30729)

User avatar
GµårÐïåñ
Lieutenant Colonel
Posts: 3339
Joined: Fri Mar 20, 2009 5:19 am
Location: PST - USA
Contact:

Re: Malicious re-direct on this forum

Post by GµårÐïåñ » Wed Oct 14, 2009 9:44 pm

Often the spam comes from the people with stripped useragents so measures have been taken. If you add the proper extended information to your UA, you will be fine and will have less problems elsewhere as well.
~.:[ Lï£ê ï§ å Lêmðñ åñÐ Ì Wåñ† M¥ Mðñê¥ ßå¢k ]:.~
________________ .: [ Major Mike's ] :. ________________
Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3

Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: Malicious re-direct on this forum

Post by Tom T. » Thu Oct 15, 2009 2:30 am

pcalvert wrote:Then there's a problem with the anti-spam filter. I just encountered this same problem. Since when is "w!n32" (replace "!" with "i") a term that should be banned? That's the string that is preventing me from posting a message.

Phil
Opera/9.25 (Windows NT 6.0; U; en)

Giorgio Maone wrote:Just add "Gecko" somewhere in your user agent string.

I wasn't aware that Opera supported NoScript. I *think* what Giorgio was trying to tell you, humorously, was that if you are using Opera, how would this forum be of use to you? So use a Firefox browser (or Seamonkey or other Gecko-based), not alter your user string on Opera. At least, I *think* that's what he meant. But I could be mistaken.

We get an awful lot of spam from IE users. The question is, if you're on IE, why are you here?
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.20) Gecko/20081217 Firefox/2.0.0.20

Post Reply