
Malicious re-direct on this forum

Posted: Thu Jun 18, 2009 2:14 pm
by luntrus
Hi forum moderators,

When I try to post a message in the forums without NoScript allowed, I get a redirect on submitting to:
evil.hackademix.net/images/stallowned.jpg
Can anybody explain?

luntrus

Re: Malicious re-direct on this forum

Posted: Thu Jun 18, 2009 2:42 pm
by therube

Re: Malicious re-direct on this forum

Posted: Fri Jun 19, 2009 6:21 am
by Tom T.
Not sure what you mean by "without NoScript allowed". Do you mean, without allowing scripts from Informaction.com? Do you mean, with NS disabled completely?

I posted this with scripting from informaction.com disabled. I used to keep it disabled all of the time, on general principle (*of course* I trust Giorgio! But there's "user-uploaded content" here, and some weird links we're asked to investigate), but lost the convenience of the toolbar above the message-compose box. Not to mention, the all-important smileys! :grin:

Are you sure you didn't accidentally include a filter-trigger word, perhaps in quoting a malicious user? Or Cyrillic, which is auto-filtered here?

Re: Malicious re-direct on this forum

Posted: Fri Jun 19, 2009 9:41 am
by Giorgio Maone
That's the response of the anti-spam filter (no malicious redirect nor anything JavaScript related).
Use Firefox or another Gecko-based browser and try to rephrase your post, because you surely included some problematic term.

Re: Malicious re-direct on this forum

Posted: Fri Jun 19, 2009 11:40 am
by luntrus
Hi Giorgio Maone,

Something else happened at the same time, I used the submit form at that particular time and place at another machine from inside Browzar2000 IE-shell browser with the normal ask search function, which is a priori unsafe. I found out this is the underlying cause of the unsafe default search function in the Browzar browser:
http://www.xssed.com/mirror/59948
So your part of the story may also be valid, but the case was a bit complicated.
I therefore ask users to refrain from using Browzar, it is a gimmick and unsafe,
but the forum is secure and for you and the security folks here an additional 100 security bonus points

luntrus

Re: Malicious re-direct on this forum

Posted: Fri Jun 19, 2009 3:54 pm
by therube
Am I understanding correctly?
You were using this Browzar "browser" (IE shell), & it was with that that you received the redirects?

Re: Malicious re-direct on this forum

Posted: Fri Jun 19, 2009 4:04 pm
by luntrus
Hi therube,

I know this sounds weird for someone in in-browser security, but the computer there had it installed and had/has this vulnerable search engine at its default.
Sometimes it is good to alert to these vulnerabilities, and it further demonstrates that Browzar is adware and people should refrain from using it, it is popular with youngsters, because it claims to delete all browser traces,

luntrus

Re: Malicious re-direct on this forum

Posted: Fri Jun 19, 2009 8:58 pm
by GµårÐïåñ
luntrus wrote: Hi Giorgio Maone,

Something else happened at the same time, I used the submit form at that particular time and place at another machine from inside Browzar2000 IE-shell browser with the normal ask search function, which is a priori unsafe. I found out this is the underlying cause of the unsafe default search function in the Browzar browser:
http://www.xssed.com/mirror/59948
So your part of the story may also be valid, but the case was a bit complicated.
I therefore ask users to refrain from using Browzar, it is a gimmick and unsafe,
but the forum is secure and for you and the security folks here an additional 100 security bonus points

luntrus
It's based on IE, using IE control, using IE browser container, hence IE, what did you expect from it? Not IE? Common sense. :roll: You can't use a custom whack job of another whack job browser, at least security wise and before v8, and when it does something bad or weird looking you are surprised? :shock:

Re: Malicious re-direct on this forum

Posted: Fri Jun 19, 2009 10:27 pm
by luntrus
Hi GµårÐïåñ,

Yes, my good friend, another urge not to click blue e, well we Europeans will soon learn how to live without it, because Windows 7 will sell without it now. There was another thing on that particular computer the admin at the firm still kept his users on IE6, I could have Clear Prog on that machine and a friendly admin from an outsourced security firm installed SafeXP there, so one at least runs lesser risk (using also normal user rights), but IE is not my kettle of fish. Next time I use a portable version of fx or flock from a USB stick/pen drive there.

Normally I never see these things, at home I use IE only for downloading MS updates and keep the browser fully patched because it is such a vital part inside the OS. Third party software I keep updated and patched through Secunia PSI, I run Foxit Reader, OO and various other open software proggies like VLC Media Player, not that over-bloated and with less well-known holes. When playing YouTube I use YouTube History Bleach extension, etc. So you can say I am security aware, and play "SafeHex".

This here discussion demonstrates again that browsers were not developed a priori with security in mind or at heart, but with general user functionality as a set-out where blue e is a fine exponent of this, bending the rules and even setting its own standards. You miss NS when you cannot work it,

luntrus

Re: Malicious re-direct on this forum

Posted: Fri Jun 19, 2009 11:14 pm
by GµårÐïåñ
Yes my friend, the EU won that little battle. Although Win7 with IE8 would be an acceptable setup, not TOO bad, although I still prefer to stay away and when possible recommend others do the same. Yep, you got it, that's why I always carry a special thumb drive (the size of a nickel) that has portable versions of my apps that I use to make sure I am not subject to whatever vulnerabilities exist on that machine. Those that don't allow non-admins to run, I use my mini-cd version of Knoppix live cd to bypass it and boot directly into memory on reboot. Anyway, nothing that happens with IE surprises me really, although they are getting better at plugging it and arguably, they already have accomplished some level of maturity with 8. Good times.

Re: Malicious re-direct on this forum

Posted: Sat Jun 20, 2009 3:44 am
by Tom T.
luntrus wrote: ..., at home I use IE only for downloading MS updates
If you're interested, you can get your MS Updates with Fx.

Re: Malicious re-direct on this forum

Posted: Wed Oct 14, 2009 3:12 pm
by pcalvert
Giorgio Maone wrote: That's the response of the anti-spam filter (no malicious redirect nor anything JavaScript related).
Use Firefox or another Gecko-based browser and try to rephrase your post, because you surely included some problematic term.
Then there's a problem with the anti-spam filter. I just encountered this same problem. Since when is "w!n32" (replace "!" with "i") a term that should be banned? That's the string that is preventing me from posting a message.

Phil

Re: Malicious re-direct on this forum

Posted: Wed Oct 14, 2009 3:18 pm
by Giorgio Maone
Just add "Gecko" somewhere in your user agent string.

Re: Malicious re-direct on this forum

Posted: Wed Oct 14, 2009 9:44 pm
by GµårÐïåñ
Often the spam comes from the people with stripped user agents, so measures have been taken. If you add the proper extended information to your UA, you will be fine and will have fewer problems elsewhere as well.

Re: Malicious re-direct on this forum

Posted: Thu Oct 15, 2009 2:30 am
by Tom T.
pcalvert wrote: Then there's a problem with the anti-spam filter. I just encountered this same problem. Since when is "w!n32" (replace "!" with "i") a term that should be banned? That's the string that is preventing me from posting a message.

Phil
Opera/9.25 (Windows NT 6.0; U; en)
Giorgio Maone wrote: Just add "Gecko" somewhere in your user agent string.
I wasn't aware that Opera supported NoScript. I *think* what Giorgio was trying to tell you, humorously, was that if you are using Opera, how would this forum be of use to you? So use a Firefox browser (or Seamonkey or other Gecko-based), not alter your user string on Opera. At least, I *think* that's what he meant. But I could be mistaken.

We get an awful lot of spam from IE users. The question is, if you're on IE, why are you here?