Spyware etc

Valderra
Artisan
Posts: 176
Joined: Sun Jan 30, 2005 10:29 pm
Location: Admin's Retreat

Post by Valderra »

NOW I understand why Beo has the "is NOT Chris Barrie" text in his ava. Yes, some of those images definitely resemble him - especially those where half of the face is in the shadow... :lol:
Florent
Um Master
Posts: 457
Joined: Sun Nov 14, 2004 5:03 pm
Location: Paris, France

Post by Florent »

:lol: That was changed very recently ! Super admin powers in full effect !
beowuuf
Archmastiff
Posts: 20687
Joined: Sat Sep 16, 2000 2:00 pm
Location: Basingstoke, UK

Post by beowuuf »

yeah, and don't you forget it people! : ) people who look like people who look like people who look like chris barrie are not to be trifled with!
beowuuf
Archmastiff
Posts: 20687
Joined: Sat Sep 16, 2000 2:00 pm
Location: Basingstoke, UK

Post by beowuuf »

Gambit37 wrote: I still maintain that you look more like my friend who looks like Chris Barrie, than Chris Barrie.
This is also the strangest comment/insult I have ever received : )

I not only look like someone else, but somehow I don't have the talent to look like someone famous, just like someone who is better at looking like someone famous...or something ...!

So yeah, spyware...bad....
sucinum
Pal Master
Posts: 872
Joined: Wed Apr 18, 2001 1:00 am
Location: Karlsruhe, Germany

Post by sucinum »

beowuuf
Archmastiff
Posts: 20687
Joined: Sat Sep 16, 2000 2:00 pm
Location: Basingstoke, UK

Post by beowuuf »

re-direct

the original page seems harmless enough if you view the source though
PadTheMad
Lo Master
Posts: 420
Joined: Thu Jul 15, 2004 12:22 pm
Location: Doncaster, UK

Post by PadTheMad »

My virus software bleeps up with:

"WARNING - C:\DOCUMENTS AND SETTINGS\PATRICK\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\5WWFX1OL\DIRECTNICPARKING[1].HTM

The Trojan horse TR/StartPage.ES"

And asks me what to do... so I "Deny Access" then it redirects... :?
sucinum
Pal Master
Posts: 872
Joined: Wed Apr 18, 2001 1:00 am
Location: Karlsruhe, Germany

Post by sucinum »

strange - i only see a bowazon. with ie i get redirected, though. i heard of different problems with it and seems to be browserbased. ...and spyware ;)
Florent
Um Master
Posts: 457
Joined: Sun Nov 14, 2004 5:03 pm
Location: Paris, France

Post by Florent »

With Firefox I get redirected. In what browser do you manage to actually see the picture Sucinum ?

Look at the HTML source code it's pretty interesting :


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<HTML>
<HEAD>
	<META http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
	<META http-equiv="Refresh" content="2;url=http://www.directnicparking.com/">
</HEAD>

<BODY>
	<!-- 403 Forbidden -->
	<!-- The file specified (/artistes/images/spine/amazone.jpg) may not be linked from web pages outside of this host (crystalsrules.com). -->
	<!-- tigershark/3.0.113 at <A href="http://www.directnic.com/">dn1.directnic.com</A> -->

	<!-- XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX -->
	<!-- XXXXXX  Extra bytes to force IE to display this page  XXXXXX -->
	<!-- XXXXXX      (instead of its internal error page)      XXXXXX -->
	<!-- XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX -->

</BODY>
</HTML>
beowuuf
Archmastiff
Posts: 20687
Joined: Sat Sep 16, 2000 2:00 pm
Location: Basingstoke, UK

Post by beowuuf »

i would have to assume it's a vulnerability test, and also what you finally get sourced isn't necessarily the original page : )
PadTheMad
Lo Master
Posts: 420
Joined: Thu Jul 15, 2004 12:22 pm
Location: Doncaster, UK

Post by PadTheMad »

It happens to me with both IE6 and Firefox, both redirect to the DirectNIC site. A similar thing has happened to me (the virus checker bleeping with a detected trojan) on other sites that don't redirect though. Never thought it was spyware, but now I know... ;)
Gambit37
Should eat more pies
Posts: 13720
Joined: Wed May 31, 2000 1:57 pm
Location: Location, Location

Post by Gambit37 »

Florent
Um Master
Posts: 457
Joined: Sun Nov 14, 2004 5:03 pm
Location: Paris, France

Post by Florent »

I don't think so. If you look at the source, it says "The file specified (/artistes/images/spine/amazone.jpg) may not be linked from web pages outside of this host (crystalsrules.com)"

You can see the actual image without any virus in it by going to http://www.crystalsrules.com/artistes/spine2.html (it's the amazon on the left). Right click on it, select View image, and there you have it, the same URL without any redirection.

The problem here is that Sucinum gave us the direct URL of the image, which is called hotlinking, something the webhost probably doesn't want (banning hotlinking is supposed to save bandwidth) so their server is set up to redirect all the "hotlinks" to that weird spam site. I guess this makes antivirus software tick, but there shouldn't be any danger.
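
Added example (not part of any post in this thread): a small Python triage of the response body quoted earlier, reporting where its meta refresh leads and whether that target is on a different host from the requested image. The request URL is an assumption rebuilt from the host and path in the quoted 403 comment; `triage` and the sample constants are names made up for this example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample: trimmed copy of the response body quoted in the thread.
SAMPLE_BODY = """<HTML><HEAD>
<META http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<META http-equiv="Refresh" content="2;url=http://www.directnicparking.com/">
</HEAD><BODY>
<!-- 403 Forbidden -->
<!-- The file specified (/artistes/images/spine/amazone.jpg) may not be linked from web pages outside of this host (crystalsrules.com). -->
</BODY></HTML>"""
# Assumed request URL, rebuilt from the host and path named in that comment.
SAMPLE_URL = "http://www.crystalsrules.com/artistes/images/spine/amazone.jpg"

REFRESH_RE = re.compile(r"""^\s*(\d+)\s*[;,]\s*(?:url\s*=\s*)?['"]?([^'"]+?)['"]?\s*$""", re.I)
STATUS_RE = re.compile(r"^[1-5]\d\d\b")

class _Scanner(HTMLParser):
    """Collects meta-refresh content values and HTML comments."""
    def __init__(self):
        super().__init__()
        self.refresh, self.comments = [], []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            self.refresh.append(a.get("content", ""))

    def handle_comment(self, data):
        self.comments.append(data.strip())

def triage(requested_url, body):
    """Report where a meta refresh leads and whether it leaves the requested host."""
    scan = _Scanner()
    scan.feed(body)
    report = {"target": None, "delay": None, "cross_host": False,
              "status_comment": next((c for c in scan.comments if STATUS_RE.match(c)), None)}
    for content in scan.refresh:
        m = REFRESH_RE.match(content)
        if m:
            target = urljoin(requested_url, m.group(2))
            report.update(target=target, delay=int(m.group(1)),
                          cross_host=urlsplit(target).hostname != urlsplit(requested_url).hostname)
            break
    return report

if __name__ == "__main__":
    print(triage(SAMPLE_URL, SAMPLE_BODY))
```
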
sucinum
Pal Master
Posts: 872
Joined: Wed Apr 18, 2001 1:00 am
Location: Karlsruhe, Germany

Post by sucinum »

i can see the picture with firefox, but i seem to be the only one. very paranoid protection, as if there were 100s of people stealing valuable and rare bandwidth
Gambit37
Should eat more pies
Posts: 13720
Joined: Wed May 31, 2000 1:57 pm
Location: Location, Location

Post by Gambit37 »

It's not paranoid -- hotlinking is a major and costly issue for webmasters. Disabling it is essential if you are to retain cost control.

Imagine you have a 100KB JPEG on your site and somebody links directly to it in a forum post. It's a popular forum, so maybe 200 people view that post during one day. That's at least 200 x 100Kb = 20,000Kb or 20MB of bandwidth used (rough calc!). Multiply that by new users, numbers of days or weeks or any other contributing factor and your allocated data transfer will soon be eaten up.

Any decent ISP costs money -- and in the scenario I've just depicted, you as a webmaster are paying for a bunch of people who are not your customers to view one of your images for free. That's bandwidth theft and disabling hotlinking prevents it.
Florent
Um Master
Posts: 457
Joined: Sun Nov 14, 2004 5:03 pm
Location: Paris, France

Post by Florent »

Exactly. The weird part is that strange redirect.

But wait... now I can see the image through Suci's direct link ! :?:
PadTheMad
Lo Master
Posts: 420
Joined: Thu Jul 15, 2004 12:22 pm
Location: Doncaster, UK

Post by PadTheMad »

So can I, and the same if you copy and paste the link into the browser. Did you visit the site before, Florent, as opposed to clicking on the link? I'm thinking that the redirect doesn't occur if you've already got the image in the Temporary Internet Files...
sucinum
Pal Master
Posts: 872
Joined: Wed Apr 18, 2001 1:00 am
Location: Karlsruhe, Germany
Contact:

Post by sucinum »

my homepage had 4057 visits and 107195 visits, making a total traffic of 1.44 gb. i have 10 gb traffic with my webspace, so theres a lot of left. i store all my avatars and stuff on this webspace and also post some pictures from there in forums, but this doesn't produce a mentionable amount of traffic (and it's 1000s of views of them). of course i don't have too much pics of interest on my webspace, a gallery might have greater problems. if my host would block that to stop me wasting traffic (in their sense), i would change immediately. in january i used up 1.58 gb of traffic with only 3386 visitors, all due the change from tables to css (which also increases browser/user agent compliancy and allows to change the font size in any degree, next to that).

i don't see a sense in preventing traffic in a dimension below 1 or 2 gb a month. it isn't THAT rare today. before cutting service (allowing hotlinks is a kind of) i would rather code my homepage correctly or compress pictures, which is something this host didn't care of.

but i don't get this protection. an avatar-collection-page has a 100% working hotlink-blocker which even blocks display via [img]-code in forums, which is afaik a htaccess-thing and quite easy to setup. this seems to be some java-script or similar and doesn't work too reliable. so why _this_ "protection"? or whatever it is... ;)
Florent
Um Master
Posts: 457
Joined: Sun Nov 14, 2004 5:03 pm
Location: Paris, France

Post by Florent »

PadTheMad : You're right I checked the site directly (I even explained how to do it if you read closely), this explains that :lol:
PadTheMad
Lo Master
Posts: 420
Joined: Thu Jul 15, 2004 12:22 pm
Location: Doncaster, UK

Post by PadTheMad »

So you did. That'll teach me not to read posts fully if they contain code! Shame on me - I'm even doing a web development module on my course... :cry: That's twice I've made a fool of myself today! :wink:
PaulH
Ghastly gastropod
Posts: 3763
Joined: Wed Aug 07, 2002 10:27 pm
Location: Level 6

Post by PaulH »

Looks like some scumbag nicked my new switch card that the bank decided to spontaneously send me without warning. So they froze my old card when it expired (6 months before its expiry date, but one month after this phantom new card was apparently sent). I say apparently, because they didn't actually know if they had sent me one or not, or where they sent it to. Eh? But they are both cancelled now, to be on the safe side. They wouldn't let me have my balance either, despite me giving them my mother's maiden name, and all sorts of other stuff. They even asked me for my phone number. Which I had given them the previous day, which they had just dialled so they could speak to me as they were doing at that moment.

I despair.
Gambit37
Should eat more pies
Posts: 13720
Joined: Wed May 31, 2000 1:57 pm
Location: Location, Location

Post by Gambit37 »

But if someone nicked your account details and stole all your money and you discovered it was because the bank didn't have *enough* security checks in place you'd be pretty angry wouldn't you? I appreciate that it's a pain and that some policies can be a bit silly, but I'd rather my bank made those checks than not.
PaulH
Ghastly gastropod
Posts: 3763
Joined: Wed Aug 07, 2002 10:27 pm
Location: Level 6

Post by PaulH »

Security to the extent that I can't get my own money is ridiculous. It's the way the checks are implemented that is the problem, and how the bank deals with problems and conducts its business.
Florent
Um Master
Posts: 457
Joined: Sun Nov 14, 2004 5:03 pm
Location: Paris, France

Post by Florent »

I agree with you both... It's all about balance between everything locked up by paranoia and overly loose security.

Last week I bought a 430 euros LCD monitor through the internet. When I picked it up, I had my ID and credit card ready as required by the website instructions, but the salesperson didn't ask me for anything except my order number... And the screen was already paid for ! Almost anyone could have picked it up... Kind of scary !