mudcat.org: Tech: 2345 piggybacking Mudcat
Lyrics & Knowledge Personal Pages Record Shop Auction Links Radio & Media Kids Membership Help
The Mudcat Cafeawe

Post to this Thread - Printer Friendly - Home
Page: [1] [2]


Tech: 2345 piggybacking Mudcat

Bob the Postman 03 Jul 13 - 12:56 PM
Richard Bridge 03 Jul 13 - 03:23 PM
Jack Campin 03 Jul 13 - 03:50 PM
Bill D 03 Jul 13 - 03:54 PM
McGrath of Harlow 03 Jul 13 - 04:02 PM
Bob the Postman 04 Jul 13 - 08:29 AM
Jeri 04 Jul 13 - 08:47 AM
GUEST,Grishka 04 Jul 13 - 09:04 AM
Jack Campin 04 Jul 13 - 09:44 AM
JohnInKansas 04 Jul 13 - 10:49 AM
JohnInKansas 04 Jul 13 - 10:50 AM
michaelr 04 Jul 13 - 02:08 PM
Joe Offer 04 Jul 13 - 04:23 PM
Bill D 05 Jul 13 - 12:34 PM
Jack Campin 05 Jul 13 - 02:08 PM
Jeri 05 Jul 13 - 02:14 PM
Bill D 05 Jul 13 - 02:31 PM
Bill D 05 Jul 13 - 02:32 PM
Jack Campin 05 Jul 13 - 03:53 PM
Jack Campin 05 Jul 13 - 07:12 PM
Jeri 05 Jul 13 - 07:43 PM
Mick Pearce (MCP) 05 Jul 13 - 08:26 PM
michaelr 06 Jul 13 - 03:08 AM
JohnInKansas 06 Jul 13 - 05:25 AM
GUEST,Peter 06 Jul 13 - 08:09 AM
Pete Jennings 06 Jul 13 - 09:57 AM
Mick Pearce (MCP) 06 Jul 13 - 11:57 AM
michaelr 06 Jul 13 - 12:59 PM
GUEST,Grishka 06 Jul 13 - 01:08 PM
Jeri 06 Jul 13 - 01:17 PM
leeneia 06 Jul 13 - 02:39 PM
leeneia 06 Jul 13 - 02:40 PM
GUEST,Grishka 06 Jul 13 - 03:20 PM
michaelr 06 Jul 13 - 05:10 PM
GUEST,NIghtWing (cookie-less) 06 Jul 13 - 07:59 PM
GUEST,NIghtWing (cookie-less) 06 Jul 13 - 08:06 PM
Jeri 06 Jul 13 - 08:21 PM
Mick Pearce (MCP) 06 Jul 13 - 08:59 PM
GUEST,NIghtWing (cookie-less) 06 Jul 13 - 09:49 PM
Bill D 07 Jul 13 - 10:33 AM
Jack Campin 08 Jul 13 - 06:06 PM
GUEST,Grishka 09 Jul 13 - 04:25 AM
Bob the Postman 10 Jul 13 - 10:44 AM
GUEST,Grishka 10 Jul 13 - 11:10 AM
Jeri 10 Jul 13 - 11:25 AM
Jeri 10 Jul 13 - 11:29 AM
bobad 10 Jul 13 - 11:38 AM
Bill D 10 Jul 13 - 11:41 AM
Bill D 10 Jul 13 - 11:47 AM
Jeri 10 Jul 13 - 12:54 PM
Share Thread
more
Lyrics & Knowledge Search [Advanced]
DT  Forum
Sort (Forum) by:relevance date
DT Lyrics:






Subject: Tech: 2345 piggybacking Mudcat
From: Bob the Postman
Date: 03 Jul 13 - 12:56 PM

The Chinese web archive site 2345(dot)com has attached itself to Mudcat on my iPad.

When I open Mudcat, I get 2345 at the top of the page. Scrolling down there is the usual Mudcat home page. I understand that 2345 has a reputation for this sort of thing, but even so I don't know why this is happening to me, because I've always been a good person. What's gonna happen when the NSA realises I'm loading a Chinese site umpteen times a day? It won't matter that I got good marks in high school and always paid my taxes on time, I could be on a rendition flight to Syria by lunchtime.

Any ideas how I got this tick on me and how to get rid of it?


Post - Top - Home - Printer Friendly - Translate

Subject: RE: Tech: 2345 piggybacking Mudcat
From: Richard Bridge
Date: 03 Jul 13 - 03:23 PM

Try Ad-Aware or Spybot Search and Destroy - or possibly a rollback?


Post - Top - Home - Printer Friendly - Translate

Subject: RE: Tech: 2345 piggybacking Mudcat
From: Jack Campin
Date: 03 Jul 13 - 03:50 PM

Looking at the status display of what Firefox is loading, 2345.com is always involved when I reload Mudcat (it helps to have a connection slow enough that I can see that).

This line appears in the Mudcat homepage source:

<iframe src=http://www.2345.com/?ktjwh202 width=0 height=0></iframe>

Did Max put that there, or has it been sneaked in?


Post - Top - Home - Printer Friendly - Translate

Subject: RE: Tech: 2345 piggybacking Mudcat
From: Bill D
Date: 03 Jul 13 - 03:54 PM

I found it days ago.... and there is another URL associated with it. I have tried refusing 2345 any access in my firewall, but so far, haven't found the right combination.


Post - Top - Home - Printer Friendly - Translate

Subject: RE: Tech: 2345 piggybacking Mudcat
From: McGrath of Harlow
Date: 03 Jul 13 - 04:02 PM

You should be alright as regards Syria these days I'd say. They've had to transfer the arrangement to some other subcontractor. Maybe Libya?


Post - Top - Home - Printer Friendly - Translate

Subject: RE: Tech: 2345 piggybacking Mudcat
From: Bob the Postman
Date: 04 Jul 13 - 08:29 AM

Thanks for the reponses.   It's good to know that top brains like Bill and Jack are on the case. If I disappear, I ask that the government of Newfoundland close its airspace to overflights by unscheduled planes with the numbers painted out.


Post - Top - Home - Printer Friendly - Translate

Subject: RE: Tech: 2345 piggybacking Mudcat
From: Jeri
Date: 04 Jul 13 - 08:47 AM

It's in Mudcat's code on the main threads page, which means Max put it in there. AdBlock Plus says it's a frame. I don't see it on individual threads.


Post - Top - Home - Printer Friendly - Translate

Subject: RE: Tech: 2345 piggybacking Mudcat
From: GUEST,Grishka
Date: 04 Jul 13 - 09:04 AM

It is an "iframe" (embedded object) of size 0*0, not meant to be seen. Obviously Bob's ipad browser has its own ideas about how to interpret those size specifications.

Since the page is normally not being seen, loading it is the point, presumably for Mr. 2345 to collect our IP addresses, or for Mr. ktjwh202 to collect apparent "clicks". I guess someone pays Max for this service - correct me if I am wrong.

Summary: we are being iframed.


Post - Top - Home - Printer Friendly - Translate

Subject: RE: Tech: 2345 piggybacking Mudcat
From: Jack Campin
Date: 04 Jul 13 - 09:44 AM

It seems to be adding a lot to the loading time. And "iframe attacks" are a common and very nasty distribution mechanism for malware - I wouldn't know how to tell an innocent one from a malicious one. We can't tell just by looking at what comes out of Mudcat whether Max or some Chinese or NSA hacker put it there.

2345.com seems to have no redeeming value from what I can see, so my bet is this is malicious. I'd block it if I could, but like Bill I can't see how.


Post - Top - Home - Printer Friendly - Translate

Subject: RE: Tech: 2345 piggybacking Mudcat
From: JohnInKansas
Date: 04 Jul 13 - 10:49 AM

A discussion/tutorial on the <iframe> tag is at:

The Magical <iframe> Tag: An Introduction. (Norton gives this site a "safe" tag.)

The article suggests some interesting things that might be done with the tag, but doesn't suggest (to me) anything useful for the form in which it appears at mudcat. It could be something Max is "testing" that's just a "placeholder" for now, but the uses described in the article at the link would seem "incompatible with mudcat traditions."

Since I like to save "interesting stuff" for future consideration, I verified that Copy and Paste (into Word) does not capture any of the <iframe> embedded objects. Printing to a pdf file shows some but not all of the embeds, and none of them of course carry "active properties" to the printed file.

The article indicates "protections" built into the tag that are claimed to prevent linked objects from changing calling pages, or calling pages from making changes to linked objects, but detail is insufficient to be fully reassuring with my sparse understanding of web page design.

The website "2345dotcom" is claimed to exist by several sources, but nobody gives a sufficiently clear purpose to justify why, and other sources seem to think it may be mythical. It appears to be "Chinese" and hence "inscrutible" for me.

May be Max will comment if he decides it's sufficiently important?

First attempt to post this comment failed.
Second attempt returned "this post contains a forbidden HTML tag."
Coding <iframe> as &lt;iframe&gt; might let the post go through?

John


Post - Top - Home - Printer Friendly - Translate

Subject: RE: Tech: 2345 piggybacking Mudcat
From: JohnInKansas
Date: 04 Jul 13 - 10:50 AM

Is it reassuring that mudcat apparently blocks the <iframe> tag in posts?

John


Post - Top - Home - Printer Friendly - Translate

Subject: RE: Tech: 2345 piggybacking Mudcat
From: michaelr
Date: 04 Jul 13 - 02:08 PM

Has anyone PM'd Max? It would be good of him to come in here and explain. This sounds like it could be serious.


Post - Top - Home - Printer Friendly - Translate

Subject: RE: Tech: 2345 piggybacking Mudcat
From: Joe Offer
Date: 04 Jul 13 - 04:23 PM

I started to e-mail Max about this, but I got distracted. By the time I got back to what I started doing, SRS had already e-mailed Max. She has a tad more presence of mind than I have...


Post - Top - Home - Printer Friendly - Translate

Subject: RE: Tech: 2345 piggybacking Mudcat
From: Bill D
Date: 05 Jul 13 - 12:34 PM

I managed to change my setting about cookies from 2345 to 'refuse all'....then it began to contact the associated URL ..union2.50bang


Post - Top - Home - Printer Friendly - Translate

Subject: RE: Tech: 2345 piggybacking Mudcat
From: Jack Campin
Date: 05 Jul 13 - 02:08 PM

The only way I can see to zap this is to use the firewall in my router, which only blocks by IP.

Anybody got a list of relevant IPs?


Post - Top - Home - Printer Friendly - Translate

Subject: RE: Tech: 2345 piggybacking Mudcat
From: Jeri
Date: 05 Jul 13 - 02:14 PM

It probably generates some income for Max, but I have enough marketing bullshit in my life, so I blocked it.

It's only on the main threads page, though--as far as I can tell.


Post - Top - Home - Printer Friendly - Translate

Subject: RE: Tech: 2345 piggybacking Mudcat
From: Bill D
Date: 05 Jul 13 - 02:31 PM

using "CountryTraceRoute" from NirSoft-starting at my IP..first one is where it enters US, then all from China.


Hop        IP Address        Host Name        Country        Time 1        Time 2        Time 3        Average Time        Error        
8        157.130.230.38        chinaunicom-gw.customer.alter.net        United States        86 ms        80 ms        80 ms        82 ms                
Hop        IP Address        Host Name        Country        Time 1        Time 2        Time 3        Average Time        Error        
9        219.158.27.153                China        326 ms        *        320 ms        323 ms        The request timed out.        
Hop        IP Address        Host Name        Country        Time 1        Time 2        Time 3        Average Time        Error        
10        219.158.19.193                China        
Hop        IP Address        Host Name        Country        Time 1        Time 2        Time 3        Average Time        Error        
11        219.158.23.1                China        312 ms        310 ms        330 ms        317 ms                
Hop        IP Address        Host Name        Country        Time 1        Time 2        Time 3        Average Time        Error        
12        219.158.100.161                China        369 ms        357 ms        360 ms        362 ms        
Hop        IP Address        Host Name        Country        Time 1        Time 2        Time 3        Average Time        Error        
13        202.96.12.30                China        373 ms        375 ms        372 ms        373 ms                
Hop        IP Address        Host Name        Country        Time 1        Time 2        Time 3        Average Time        Error        
13        202.96.12.30                China        373 ms        375 ms        372 ms        373 ms                
Hop        IP Address        Host Name        Country        Time 1        Time 2        Time 3        Average Time        Error        
13        202.96.12.30                China        373 ms        375 ms        372 ms        373 ms                
Hop        IP Address        Host Name        Country        Time 1        Time 2        Time 3        Average Time        Error        
14        124.65.60.74                China        *        *        370 ms        370 ms        The request timed out.        
Hop        IP Address        Host Name        Country        Time 1        Time 2        Time 3        Average Time        Error        
15        61.148.147.86                China        369 ms        370 ms        365 ms        368 ms                
Hop        IP Address        Host Name        Country        Time 1        Time 2        Time 3        Average Time        Error        
15        61.148.147.86                China        369 ms        370 ms        365 ms        368 ms                
Hop        IP Address        Host Name        Country        Time 1        Time 2        Time 3        Average Time        Error        
15        61.148.147.86                China        369 ms        370 ms        365 ms        368 ms        
Hop        IP Address        Host Name        Country        Time 1        Time 2        Time 3        Average Time        Error        
18        42.62.19.137                China        *        285 ms        285 ms        285 ms        The request timed out.        
Hop        IP Address        Host Name        Country        Time 1        Time 2        Time 3        Average Time        Error        
18        42.62.19.137                China        *        285 ms        285 ms        285 ms        The request timed out.        
Hop        IP Address        Host Name        Country        Time 1        Time 2        Time 3        Average Time        Error        
19        42.62.19.86                China        *        *        290 ms        290 ms        The request timed out.        
Hop        IP Address        Host Name        Country        Time 1        Time 2        Time 3        Average Time        Error        
20        42.62.19.117                China        289 ms        290 ms        290 ms        290 ms                
Hop        IP Address        Host Name        Country        Time 1        Time 2        Time 3        Average Time        Error        
21        42.62.4.52                China        287 ms        287 ms        290 ms        288 ms


Post - Top - Home - Printer Friendly - Translate

Subject: RE: Tech: 2345 piggybacking Mudcat
From: Bill D
Date: 05 Jul 13 - 02:32 PM

sorry... I copied several of those twice.


Post - Top - Home - Printer Friendly - Translate

Subject: RE: Tech: 2345 piggybacking Mudcat
From: Jack Campin
Date: 05 Jul 13 - 03:53 PM

So it looks like we can block them pretty thoroughly by just blocking

42.62.*.*
61.148.147.*

which should zap both 2345.com and whoever provides them with their connectivity.


Post - Top - Home - Printer Friendly - Translate

Subject: RE: Tech: 2345 piggybacking Mudcat
From: Jack Campin
Date: 05 Jul 13 - 07:12 PM

My Firefox has been waiting for union2.50bang to finish for about half an hour now.

And the slowdown from this 2345.com link is intolerable, even if it isn't doing anything really malicious.


Post - Top - Home - Printer Friendly - Translate

Subject: RE: Tech: 2345 piggybacking Mudcat
From: Jeri
Date: 05 Jul 13 - 07:43 PM

Jack, figure out how many IP addresses you're blocking. I can't, other than a few tens of thousands, but it's a lot.

I just blocked the script with AdBlock Plus (Firefox).


Post - Top - Home - Printer Friendly - Translate

Subject: RE: Tech: 2345 piggybacking Mudcat
From: Mick Pearce (MCP)
Date: 05 Jul 13 - 08:26 PM

I just had a look at the list of blocked items on my Firefox (22.0 under Ubuntu 12.04lts) with AdblockPlus. It's blocking about 15 or so items from 2345 and related sites on default settings, a mixture of scripts, images and css

Mick


Post - Top - Home - Printer Friendly - Translate

Subject: RE: Tech: 2345 piggybacking Mudcat
From: michaelr
Date: 06 Jul 13 - 03:08 AM

Could someone please explain in layman's terms what all this means?
How concerned should we be? And where the hell is Max?


Post - Top - Home - Printer Friendly - Translate

Subject: RE: Tech: 2345 piggybacking Mudcat
From: JohnInKansas
Date: 06 Jul 13 - 05:25 AM

On the mudcat front page (thread index page) if you right click in a blank area and choose "view source" you will get a new window that shows the html code for the page.

At line 137 you will find:

<iframe src=http://www.2345.com/?ktjwh202 width=0 height=0>

The "iframe" command inserts a "frame" that can contain a "page" or parts of one from another site or from another place on the same site. This is a "new" addition to legitimate html code that appeared ca. 1997.

The "src" identifies where the stuff displayed inside the frame comes from.

The "width" and "height" define how big the frame is to be. In this case, both width and height are zero, so the frame should NOT BE VISIBLE ON THE PAGE. Information I've found is insufficient to be sure, but most browsers do permit you to set a preference to "open links in new window" or "open links in a new tab" and since the "src" spec is a legitimate link either of these might open the "src" link otherwise than as specified by the iframe command, permitting it to be displayed in a "normal" window/tab rather than in a zero-zero sized frame. With information at hand, I don't know if this could happen ...

At the link given at "04 Jul 13 - 10:49 AM" you can see a proper use of the iframe html command, with a fully functional "Weather Service" page inserted, complete with scroll bars and all the rest, in an iframe filled by a "call" from the the originally linked page that explains it all.

It is asserted that "browsers isolate the main page from the iframe page" so that neither can affect the other. Of course if you click inside the iframe, anything the page that's linked into it can do can be done to you. Hypothetically, it would appear that setting the iframe size to zero-zero dimensions should prevent you from seeing it, and from clicking on anything the iframe target page contains. (? ? ?)

IFF you don't see the iframe content, as in my IE, it probably is harmless. IFF you do see something, it would contribute to my understanding of what's going on if you could identify:

1. What browser you're using
2. What "open links as ..." settings you have set.
3. Behaviour that conserns you in fairly specific detail

Since at present I'm having no particular difficulty with this, other than mild curiosity, you may consider whether it's of use to exchange information or just to continue to babel and fret.

Where to go next is useless if you don't know where you're at now (although one major aircraft maker didn't think it mattered when deciding what parts to fix next - which is why I didn't work there long after I found it out.)

NOTE:

[preview bounced because I copied the <iframe> line from source code. Mudcate blocks use of that html command in a post. "Coded" so it doesn't look legit gets the post up.]

John


Post - Top - Home - Printer Friendly - Translate

Subject: RE: Tech: 2345 piggybacking Mudcat
From: GUEST,Peter
Date: 06 Jul 13 - 08:09 AM

I see it too, either it was put there by Max or the site has been hacked.
If nobody's firewalls have been screaming so its probably not harmful in its own right but it does enable 2345 to log all of the IP addresses that visit Mudcat.


Post - Top - Home - Printer Friendly - Translate

Subject: RE: Tech: 2345 piggybacking Mudcat
From: Pete Jennings
Date: 06 Jul 13 - 09:57 AM

I can see the line 137 iframe code that JiK has identified but I haven't seen anything of 2345 and my ESET security (on a PC) is not reporting any blocked attacks.


Post - Top - Home - Printer Friendly - Translate

Subject: RE: Tech: 2345 piggybacking Mudcat
From: Mick Pearce (MCP)
Date: 06 Jul 13 - 11:57 AM

Pete

You shouldn't normally see anything of the site as the size is set to 0 in the iframe. You'd only know it's there if you look at the source for the page or if you have something like Adblock that can show you things it's blocking.

It may be doing nothing more than racking up hits for the 2345 site or collecting ip info as mentioned above. Nothing more malicious seems to be emanating from it at the moment (though it's never a good thing if people are collecting your ip addresses!)

Mick


Post - Top - Home - Printer Friendly - Translate

Subject: RE: Tech: 2345 piggybacking Mudcat
From: michaelr
Date: 06 Jul 13 - 12:59 PM

JiK -- thanks for trying, but I did ask for "layman's terms"... lol.

What I am noticing is that threads load quite a bit slower.


Post - Top - Home - Printer Friendly - Translate

Subject: RE: Tech: 2345 piggybacking Mudcat
From: GUEST,Grishka
Date: 06 Jul 13 - 01:08 PM

I am not convinced of the idea that a loaded site is harmless if you don't see it or don't click on it. Malware can be hidden in commercial ads; not even executable "scripts" are required. Websites of even higher reputation than Mudcat (in terms of content and technology) frequently have to admit that they - unwittingly but carelessly - transported vicious malware in ads.

Since neither Max nor the other Admins have reacted yet, I do not think that the iframe got there without their consent.


Post - Top - Home - Printer Friendly - Translate

Subject: RE: Tech: 2345 piggybacking Mudcat
From: Jeri
Date: 06 Jul 13 - 01:17 PM

Grishka, Max is the only one who would know.

Michaelr, again, that iframe is only on the main forum page, not on individual threads. Something else may be why they're taking longer than usual to load.


Post - Top - Home - Printer Friendly - Translate

Subject: RE: Tech: 2345 piggybacking Mudcat
From: leeneia
Date: 06 Jul 13 - 02:39 PM

Wikipedia says:

2345.com is a Chinese web directory founded in 2005.[1] The website is the second most used web directory in China.[2] It is ranked 47th place in China and has a world wide ranking of 419 on Alexa.[3][4] It is hosted at Abitcool China Inc. Beijing, China.

That was last updated in October, 2012.


Post - Top - Home - Printer Friendly - Translate

Subject: RE: Tech: 2345 piggybacking Mudcat
From: leeneia
Date: 06 Jul 13 - 02:40 PM

Mudcat is pretty slow for me, too. I put it down to the usual things - small site, gallant volunteer help. Need more contributions.


Post - Top - Home - Printer Friendly - Translate

Subject: RE: Tech: 2345 piggybacking Mudcat
From: GUEST,Grishka
Date: 06 Jul 13 - 03:20 PM

Like all catalogue sites, even in China, that one is financed by ads designed by the advertisers. Such advertisers have been known to smuggle malware even into sites of perfect reputation. An explanation by Max would be helpful, but experience tells us that he keeps silence about his policy. I have no insight into possible business connections. Anyone who has, and can convince us?


Post - Top - Home - Printer Friendly - Translate

Subject: RE: Tech: 2345 piggybacking Mudcat
From: michaelr
Date: 06 Jul 13 - 05:10 PM

What I'm seeing (in IE) are the little "Waiting for" thingies flashing at the bottom of my screen. There have been more and more of them as Max has loaded up ads and stuff, such as Facebook, Google ads and other crap. And now my browser has to additionally wait for 2345. After that it usually says "Done, but with errors on page". And when it says "Done", whatever I've clicked on still doesn't open for several seconds, to the point where the blue IE bar at the top of my screen says "(Not responding)".

That's annoying in itself. If this is something Max did on purpose, I don't like it. Why slow down the user experience? If it's malicious, it's much worse and should be dealt with forthwith.


Post - Top - Home - Printer Friendly - Translate

Subject: RE: Tech: 2345 piggybacking Mudcat
From: GUEST,NIghtWing (cookie-less)
Date: 06 Jul 13 - 07:59 PM

I apparently cleared my cookie the last time I was in. While this is going on I'm not going to log back in.

Running Firefox 22.0, I'm actually seeing nothing. The image was captured by Firefox though. It's an (apparent?) GIF of a gray octopus.

I blocked the site from loading images at Tools / Page Info / Media tab. However, then I went to Tools / Options / Content tab and added the string

*.2345.com


to the Exceptions to "Load images automatically". So far (crossing fingers!!!), nothing else has followed it.

Erm, does anyone know how to view the Page Source in Firefox 22? I can't find an option for it anywhere?

BB,
NightWing


Post - Top - Home - Printer Friendly - Translate

Subject: RE: Tech: 2345 piggybacking Mudcat
From: GUEST,NIghtWing (cookie-less)
Date: 06 Jul 13 - 08:06 PM

Well, bloody! I spoke too soon.

When I went back to the main forum page ("Lyrics & Knowledge"), it somehow managed to load up FIFTEEN images from 2345.com. Several of them are Google logos: if someone tells Google, maybe they can drop a smartbomb on them :-(

(Google claims not to be evil, but you've got to have the capacity for evil before it's a virtue NOT to be so.)

BB,
NightWing (unhappy at the moment!)


Post - Top - Home - Printer Friendly - Translate

Subject: RE: Tech: 2345 piggybacking Mudcat
From: Jeri
Date: 06 Jul 13 - 08:21 PM

In Firefox 22:
Tools>Web Developer>Page Source


Post - Top - Home - Printer Friendly - Translate

Subject: RE: Tech: 2345 piggybacking Mudcat
From: Mick Pearce (MCP)
Date: 06 Jul 13 - 08:59 PM

Right-click>View Page Source also works (in Ubuntu version of 22)

Mick


Post - Top - Home - Printer Friendly - Translate

Subject: RE: Tech: 2345 piggybacking Mudcat
From: GUEST,NIghtWing (cookie-less)
Date: 06 Jul 13 - 09:49 PM

Thanks, Jeri and Mick!!

I had actually looked (I think, several times) at the Web Developer menu without seeing "Page Source" there.

Maybe it's not short-term memory that's the first thing to go ... (What were we talking about? :-)

BB,
NightWing


Post - Top - Home - Printer Friendly - Translate

Subject: RE: Tech: 2345 piggybacking Mudcat
From: Bill D
Date: 07 Jul 13 - 10:33 AM

ctrl-U 'usually' gets page source in any browser.


Post - Top - Home - Printer Friendly - Translate

Subject: RE: Tech: 2345 piggybacking Mudcat
From: Jack Campin
Date: 08 Jul 13 - 06:06 PM

Just for laughs: try saving the source of the Mudcat home page. Then change that iframe line to

<iframe src=http://www.2345.com/?ktjwh202 width=600 height=800></iframe>

and reload that source into your browser. It will put 2345's input in a window large enough for you to read. You can now save the frame and feed it into Google Translate - it does a very good job.

It doesn't appear to be malicious but it certainly isn't what anybody comes to Mudcat looking for.


Post - Top - Home - Printer Friendly - Translate

Subject: RE: Tech: 2345 piggybacking Mudcat
From: GUEST,Grishka
Date: 09 Jul 13 - 04:25 AM

Done that before, Jack. As we saw, it is a catalogue service, China's largest. As with all websites nowadays, there are two serious security problems, caused by the site itself or by embedded ads:
  • scripts, normally JavaScript, being executed by the browser, quite powerful by design and more powerful by exploiting leaks in browsers;
  • pictures and other "objects", meant to be just displayed, but frequently abused for malicious activities by exploiting leaks in browsers.
I would welcome someone who has the ability to analyze the scripts within reach, expecially the one that causes the problem observed by Don Firth. A statement from Max could perhaps help to reduce our considerable worry.


Post - Top - Home - Printer Friendly - Translate

Subject: RE: Tech: 2345 piggybacking Mudcat
From: Bob the Postman
Date: 10 Jul 13 - 10:44 AM

This morning my iPad's Safari browser has started opening 2345 not only on Mudcat's home page but on individual threads as well. 2345 also displays when I click the Personal Page link.


Post - Top - Home - Printer Friendly - Translate

Subject: RE: Tech: 2345 piggybacking Mudcat
From: GUEST,Grishka
Date: 10 Jul 13 - 11:10 AM

It is now definitely known to be a malware attack via Mudcat ("Trojan-Clicker.JS.Iframe.gb" - google it); see the Trojan thread. Desinfect your PC if you can; disable JavaScript.


Post - Top - Home - Printer Friendly - Translate

Subject: RE: Tech: 2345 piggybacking Mudcat
From: Jeri
Date: 10 Jul 13 - 11:25 AM

It's BELIEVED to be.

I once was told that midis I'd created were infected. They weren't, but a particular anti-virus program wen nuts.

I'm not even seeing this 2345 script anymore. It's been there, but blocked. Now, it doesn't seem to be there.


Post - Top - Home - Printer Friendly - Translate

Subject: RE: Tech: 2345 piggybacking Mudcat
From: Jeri
Date: 10 Jul 13 - 11:29 AM

OK, it just got re-named. It's there.


Post - Top - Home - Printer Friendly - Translate

Subject: RE: Tech: 2345 piggybacking Mudcat
From: bobad
Date: 10 Jul 13 - 11:38 AM

What has it been renamed Jeri?

I blocked it with AdBlock Plus and I don't see any iframe on Page Source.


Post - Top - Home - Printer Friendly - Translate

Subject: RE: Tech: 2345 piggybacking Mudcat
From: Bill D
Date: 10 Jul 13 - 11:41 AM

Ok... I 'seem' to have a partial solution, at least for me. I use The Proxomitron web filter. It has not been updated in several years, but its basic principle still works.

It has many 'rules' to control what you see, but you have to tell it how vigorously to enforce them and at what level. The code for writing a rule is not simple, but geeky experts have created quite a few. I have 6 levels of filters available... and level 6 about stops ANYTHING from being seen. I usually have only levels 2-3 working, which stops most javascript....but I have disable it (Proxomitron) to see some images, videos...etc. I do that on sites I trust. It blocks 'most' of the ads on Mudcat (and puts a tiny little [ad] in red to show me it is working- nice touch). I sometime DISable it in order to click ads to help Max.

Now... when I load Level 4 of the filters, I get a notice from the ad script saying "connection blocked by Proxomitron-- you are attempting to connect to a blocked URL...please try the following.."

So, the scripts are 'aware' they are being blocked (my term) and are objecting. This level 4 also seems to block 2345! At least the 'source' shows no evidence of it. The only 2345 I see in 'source' is our comments on it.

For those who wish to mess with Proxo, (a bit of a learning curve to get familiar with driving it), it can help with some things. You DO have to turn it off for doing some things... and remember to turn it on again.

I will be running level 4 a lot until Max gets this sorted.


Post - Top - Home - Printer Friendly - Translate

Subject: RE: Tech: 2345 piggybacking Mudcat
From: Bill D
Date: 10 Jul 13 - 11:47 AM

BTW...someone also wrote a Proxo rule to deal with 'target=blank', which coders use to force a link to open in a new page. I didn't like that... it is perfectly easy to TELL your browser to 'open in a new page or tab' if you wish... but I like most pages to open in the same tab/page... allowing me to just use the 'back' button! I found where someone had written this rule and copied it and added it to MY rules sets.


Post - Top - Home - Printer Friendly - Translate

Subject: RE: Tech: 2345 piggybacking Mudcat
From: Jeri
Date: 10 Jul 13 - 12:54 PM

Bobad, "www.mudcat.org/ga_social_tracking.js" goes to "http://www.2345.com/?ktjwh20"


Post - Top - Home - Printer Friendly - Translate
Next Page

  Share Thread:
More...

Reply to Thread
Subject:  Help
From:
Preview   Automatic Linebreaks   Make a link ("blue clicky")


Mudcat time: 8 July 10:41 PM EDT

[ Home ]

All original material is copyright © 1998 by the Mudcat Café Music Foundation, Inc. All photos, music, images, etc. are copyright © by their rightful owners. Every effort is taken to attribute appropriate copyright to images, content, music, etc. We are not a copyright resource.