Malicious re-direct on this forum
Hi forum moderators,
When I try to post a message in the forums without NoScript allowed, I get a redirect on submitting to:
evil.hackademix.net/images/stallowned.jpg
Can anybody explain?
luntrus
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; Browzar)
Re: Malicious re-direct on this forum
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball NoScript FlashGot AdblockPlus
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1pre) Gecko/20090601 SeaMonkey/2.0b1pre
Re: Malicious re-direct on this forum
Not sure what you mean by "without NoScript allowed". Do you mean, without allowing scripts from Informaction.com? Do you mean, with NS disabled completely?
I posted this with scripting from informaction.com disabled. I used to keep it disabled all of the time, on general principle (*of course* I trust Giorgio! But there's "user-uploaded content" here, and some weird links we're asked to investigate), but lost the convenience of the toolbar above the message-compose box. Not to mention, the all-important smileys!
Are you sure you didn't accidentally include a filter-trigger word, perhaps in quoting a malicious user? Or Cyrillic, which is auto-filtered here?
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US at an expert level; rv:1.8.1.20) Gecko/20081217 Firefox/2.0.0.20 diehard
- Giorgio Maone
- Site Admin
- Posts: 9454
- Joined: Wed Mar 18, 2009 11:22 pm
- Location: Palermo - Italy
- Contact:
Re: Malicious re-direct on this forum
That's the response of the anti-spam filter (no malicious redirect nor anything JavaScript related).
Use Firefox or another Gecko-based browser and try to rephrase your post, because you surely included some problematic term.
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.0.11) Gecko/2009060215 Firefox/3.0.11 (.NET CLR 3.5.30729)
Re: Malicious re-direct on this forum
Hi Giorgio Maone,
Something else happened at the same time, I used the submit form at that particular time and place at another machine from inside Browzar2000 IE-shell browser with the normal ask search function, which is a priori unsafe. I found out this is the underlying cause of the unsafe default search function in the Browzar browser:
http://www.xssed.com/mirror/59948
So your part of the story may also be valid, but the case was a bit complicated.
I therefore ask users to refrain from using Browzar, it is a gimmick and unsafe,
but the forum is secure and for you and the security folks here an additional 100 security bonus points
luntrus
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; Browzar)
Re: Malicious re-direct on this forum
Am I understanding correctly?
You were using this Browzar "browser" (IE shell), & it was with that that you received the redirects?
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball NoScript FlashGot AdblockPlus
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1pre) Gecko/20090618 SeaMonkey/2.0b1pre
Re: Malicious re-direct on this forum
Hi therube,
I know this sounds weird for someone in in-browser security, but the computer there had it installed and had/has this vulnerable search engine at its default.
Sometimes it is good to alert to these vulnerabilities, and it further demonstrates that Browzar is adware and people should refrain from using it, it is popular with youngsters, because it claims to delete all browser traces,
luntrus
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/530.9 (KHTML, like Gecko) Iron/2.0.178.0 Safari/530.9
- GµårÐïåñ
- Lieutenant Colonel
- Posts: 3365
- Joined: Fri Mar 20, 2009 5:19 am
- Location: PST - USA
- Contact:
Re: Malicious re-direct on this forum
luntrus wrote: Hi Giorgio Maone,
Something else happened at the same time, I used the submit form at that particular time and place at another machine from inside Browzar2000 IE-shell browser with the normal ask search function, which is a priori unsafe. I found out this is underlying cause of the unsafe default search function in the Browzar browser:
http://www.xssed.com/mirror/59948
So your part of the story may also be valid, but the case was a bit complicated.
I therefore ask users to refrain from using Browzar, it is a gimmick and unsafe,
but the forum is secure and for you and the security folks here an additional 100 security bonus points
luntrus

It's based on IE, using IE control, using IE browser container, hence IE, what did you expect from it? Not IE? Common sense. You can't use a custom whack job of another whack job browser, at least security wise and before v8, and when it does something bad or weird looking you are surprised?
~.:[ Lï£ê ï§ å Lêmðñ åñÐ Ì Wåñ† M¥ Mðñê¥ ßå¢k ]:.~
________________ .: [ Major Mike's ] :. ________________
Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.0.11) Gecko/2009060215 Firefox/3.0.11
Re: Malicious re-direct on this forum
Hi GµårÐïåñ,
Yes, my good friend, another urge not to click blue e, well we Europeans will soon learn how to live without it, because Windows 7 will sell without it now. There was another thing on that particular computer the admin at the firm still kept his users on IE6, I could have Clear Prog on that machine and a friendly admin from an outsourced security firm installed SafeXP there, so one at least runs lesser risk (using also normal user rights), but IE is not my kettle of fish. Next time I use a portable version of fx or flock from a USB stick/pen drive there.
Normally I never see these things, at home I use IE only for downloading MS updates and keep the browser fully patched because it is such a vital part inside the OS. Third party software I keep updated and patched through Secunia PSI, I run Foxit Reader, OO and various other open software proggies like VLC Media Player, not that over-bloated and with less well-known holes. When Playing YouTube I use YouTube History Bleach extension, etc. So you can say I am security aware, and play "SafeHex".
This here discussion demonstrates again that browsers were not developed a priori with security in mind or at heart, but with general user functionality as a set-out where blue e is a fine exponent of this, bending the rules and even setting its own standards. You miss NS when you cannot work it,
luntrus
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1pre) Gecko/20090618 Shiretoko/3.5pre
- GµårÐïåñ
- Lieutenant Colonel
- Posts: 3365
- Joined: Fri Mar 20, 2009 5:19 am
- Location: PST - USA
- Contact:
Re: Malicious re-direct on this forum
Yes my friend, the EU won that little battle. Although Win7 with IE8 would be an acceptable setup, not TOO bad, although I still prefer to stay away and when possible recommend others do the same. Yeap, you got it, that's why I always carry a special thumb drive (the size of a nickel) that has portable versions of my apps that I use to make sure I am not subject to whatever vulnerabilities exist on that machine. Those that don't allow non-admins to run, I use my mini-cd version of Knoppix live cd to bypass it and boot directly into memory on reboot. Anyway, nothing that happens with IE surprises me really, although they are getting better at plugging it and arguably, they already have accomplished some level of maturity with 8. Good times.
~.:[ Lï£ê ï§ å Lêmðñ åñÐ Ì Wåñ† M¥ Mðñê¥ ßå¢k ]:.~
________________ .: [ Major Mike's ] :. ________________
Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.0.11) Gecko/2009060215 Firefox/3.0.11
Re: Malicious re-direct on this forum
luntrus wrote: ..., at home I use IE only for downloading MS updates

If you're interested, you can get your MS Updates with Fx.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US at an expert level; rv:1.8.1.20) Gecko/20081217 Firefox/2.0.0.20 diehard
Re: Malicious re-direct on this forum
Giorgio Maone wrote: That's the response of the anti-spam filter (no malicious redirect nor anything JavaScript related).
Use Firefox or another Gecko-based browser and try to rephrase your post, because you surely included some problematic term.

Then there's a problem with the anti-spam filter. I just encountered this same problem. Since when is "w!n32" (replace "!" with "i") a term that should be banned? That's the string that is preventing me from posting a message.
Phil
Opera/9.25 (Windows NT 6.0; U; en)
- Giorgio Maone
- Site Admin
- Posts: 9454
- Joined: Wed Mar 18, 2009 11:22 pm
- Location: Palermo - Italy
- Contact:
Re: Malicious re-direct on this forum
Just add "Gecko" somewhere in your user agent string.
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3 (.NET CLR 3.5.30729)
- GµårÐïåñ
- Lieutenant Colonel
- Posts: 3365
- Joined: Fri Mar 20, 2009 5:19 am
- Location: PST - USA
- Contact:
Re: Malicious re-direct on this forum
Often the spam comes from the people with stripped useragents so measures have been taken. If you add the proper extended information to your UA, you will be fine and will have fewer problems elsewhere as well.
~.:[ Lï£ê ï§ å Lêmðñ åñÐ Ì Wåñ† M¥ Mðñê¥ ßå¢k ]:.~
________________ .: [ Major Mike's ] :. ________________
Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3
Re: Malicious re-direct on this forum
pcalvert wrote: Then there's a problem with the anti-spam filter. I just encountered this same problem. Since when is "w!n32" (replace "!" with "i") a term that should be banned? That's the string that is preventing me from posting a message.
Phil
Opera/9.25 (Windows NT 6.0; U; en)
Giorgio Maone wrote: Just add "Gecko" somewhere in your user agent string.

I wasn't aware that Opera supported NoScript. I *think* what Giorgio was trying to tell you, humorously, was that if you are using Opera, how would this forum be of use to you? So use a Firefox browser (or Seamonkey or other Gecko-based), not alter your user string on Opera. At least, I *think* that's what he meant. But I could be mistaken.
We get an awful lot of spam from IE users. The question is, if you're on IE, why are you here?
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.20) Gecko/20081217 Firefox/2.0.0.20