mudcat.org: Tech: 2345 piggybacking Mudcat

Subject: RE: Tech: 2345 piggybacking Mudcat
From: McGrath of Harlow
Date: 20 Aug 13 - 08:27 PM

A FUBAR is a SNAFU

And the Snark was a Boojum...



Subject: RE: Tech: 2345 piggybacking Mudcat
From: Jeri
Date: 19 Aug 13 - 11:01 PM

Mysha, the '2345' iFrame thing was there when this thread was active in July. Max removed it 2 or 3 times, and it's gone now.



Subject: RE: Tech: 2345 piggybacking Mudcat
From: Mysha
Date: 19 Aug 13 - 10:41 PM

Hi,

Thanks Mick, but I tend to check such things with more than one browser. It's not a FireFox thing or a settings thing; I really didn't, and don't, see an iframe.
                                                                  Mysha



Subject: RE: Tech: 2345 piggybacking Mudcat
From: Bonnie Shaljean
Date: 13 Jul 13 - 10:51 AM

> I haven't been able to access Mudcat AT ALL on the iPad, in any browser, and it was still doing this as of two or three days ago. I just checked it again now, and things seem to be back to normal, fingers crossed.

That was a couple of days ago. Guess what? It's baaaaaa-aaaaa-aack. Wahhh -

Just sayin' :-(



Subject: RE: Tech: 2345 piggybacking Mudcat
From: Mick Pearce (MCP)
Date: 12 Jul 13 - 07:24 PM

Mysha - you won't see anything if you have javascript disabled. And if you're using something like AdBlock there won't be anything.

I'm using AdBlockPlus in Firefox and currently it's got 22 items from 345.com blocked and 2 from union2.50bang.org which are related. The ga_social_tracking.js currently contains the line:


  document.write("<iframe width='0' height='0' src='http://www.2345.com/?ktjwh202'></iframe>");

It looks like a hack and presumably Max is looking at it. (If it's deliberate I'm sure he would have reassured us that it was by now!).

Mick
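
As a defender-side illustration of the line quoted in the post above (an added example, not part of the original post or of Mudcat's code): a small Node.js check that scans a script's text for `<iframe>` markup that is invisible and points off-site. The function names, the `mudcat.org` allowlist and the benign sample are assumptions made for the example.

```javascript
// Added example: static check for invisible third-party iframes that a
// script writes into the page. Names and the allowlist are constructed.

const FIRST_PARTY = ['mudcat.org']; // assumed allowlist: the site's own domain

// Pull attribute name/value pairs out of one <iframe ...> opening tag.
function parseAttrs(tag) {
  const attrs = {};
  const re = /([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/g;
  let m;
  while ((m = re.exec(tag)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? '';
  }
  return attrs;
}

// A host is first-party if it is an allowed domain or a subdomain of one.
function isFirstParty(host, allowed) {
  return allowed.some(d => host === d || host.endsWith('.' + d));
}

// Reasons the frame would not be visible to the visitor.
function hiddenReasons(attrs) {
  const reasons = [];
  for (const dim of ['width', 'height']) {
    if (dim in attrs && parseFloat(attrs[dim]) <= 1) {
      reasons.push(`${dim}=${attrs[dim]}`);
    }
  }
  const style = (attrs.style || '').replace(/\s+/g, '').toLowerCase();
  if (/display:none|visibility:hidden/.test(style)) {
    reasons.push('hidden by style');
  }
  return reasons;
}

// Scan JavaScript (or HTML) source text and report every iframe tag that is
// both invisible and loaded from a host outside the allowlist.
// Static matching only: markup assembled at run time is not seen here.
function findHiddenIframes(source, allowed = FIRST_PARTY,
                           base = 'http://www.mudcat.org/') {
  // Undo \" and \' so tags inside string literals parse like plain HTML.
  const text = source.replace(/\\(["'])/g, '$1');
  const findings = [];
  for (const m of text.matchAll(/<iframe\b[^>]*>/gi)) {
    const attrs = parseAttrs(m[0]);
    if (!attrs.src) continue;
    let host;
    try {
      host = new URL(attrs.src, base).hostname; // relative src resolves to base
    } catch {
      continue; // unparseable src: nothing to attribute
    }
    const reasons = hiddenReasons(attrs);
    if (reasons.length > 0 && !isFirstParty(host, allowed)) {
      findings.push({ host, src: attrs.src, reasons });
    }
  }
  return findings;
}

// The line quoted in the post above.
const SAMPLE_INJECTED =
  `document.write("<iframe width='0' height='0' src='http://www.2345.com/?ktjwh202'></iframe>");`;

// Constructed benign case: a visible, same-site embed.
const SAMPLE_BENIGN =
  `document.write('<iframe width="560" height="315" src="/player/embed.html"></iframe>');`;

console.log(findHiddenIframes(SAMPLE_INJECTED));
console.log(findHiddenIframes(SAMPLE_BENIGN));
```

Run against every script a site serves, a check like this flags a changed file for review; it does not say how the file was changed.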



Subject: RE: Tech: 2345 piggybacking Mudcat
From: Mysha
Date: 12 Jul 13 - 06:44 PM

Hi,

I had problems with load time when the new MudCat was introduced. Haven't had it since, though. Then again, I don't see an iframe on the front page. (That's no surprise, but I don't see it in the source code of the front page either.)


Other than that:
HTML 4.01 is the latest standard; all HTML 4 versions have included iframe. After HTML 4, work commenced on XHTML, with HTML 5 being a development from 2004 onward.

                                                                  Mysha



Subject: RE: Tech: 2345 piggybacking Mudcat
From: Jack Campin
Date: 12 Jul 13 - 06:05 PM

If the target of the attack is 2345.com - by a DDoS attack intended to overload their server - naturally there won't be any problem with that site.

It wouldn't be very considerate of someone setting up a test to use somebody else's site in that way. 2345.com has had thousands of completely unnecessary and profitless downloads of their home page thanks to this. If Max was testing something I'd expect him to use a test target he administered.



Subject: RE: Tech: 2345 piggybacking Mudcat
From: JohnInKansas
Date: 12 Jul 13 - 05:26 PM

ga_social_tracking.js

This is a SAMPLE SCRIPT provided by Google.

It may be noted that numerous "edits" are suggested in comments. Of particular interest might be the comment at lines 40-42 noting that "it doesn't work for <iframe> links."

Anyone testing, and editing, the use of this script likely would remove parts not necessary to the test, and quite possibly would remove most or all the "comments" (everything between a "/**" and a subsequent "*/"), leaving a very much smaller script. Additional edits to incorporate features to be tested would of course increase the file size.

IFF one considers that use of the <iframe> might be under consideration, a test of the script would require a "target" known to work well with this kind of tag, and the 2345.com site is a known and verifiably (to the extent possible) "safe" target, so appearance of the iframe call to that site (in a zero zero frame) would be a reasonable part of a test setup.

Some additional "explanation" of "Google Analytics" is at:

Tracking Your Social Engagement With Google Analytics.

Since Max (and possibly some of his helpers) are known to do "experiments" without telling us much until they get a result they like, the mere appearance of this script, in sample form and/or edited, and of the iframe link to 2345.com, DOES NOT PROVIDE CONVINCING EVIDENCE OF NEFARIOUS ATTACKS ON MUDCAT.

The only thing suggesting malware in the several related threads here is the Kaspersky identification of "Trojan-Clicker.JS.Iframe.gb." This is a known threat, but no credible web comment has appeared since about 2005/06, most pages that provide verifiable information are tagged "obsolete," and most current AV programs would just block, quarantine, or delete it without immediate comment now.

Some AV programs, even if on paid subscriptions, will update signature files forever, but do not update the AV program version unless you ask them to. Old programs, and especially those that use only signature identifications may become prone to lots of "false warnings," while newer versions of the same program may include "signature-plus" methods that don't get suckered (as easily).

If you get a warning from your *** AV (in this case Kaspersky) your first response should be to go to *** (in this case Kaspersky) to see if they tell you why, and what you can do about it. Since in this case they identified a specific suspect, it should be easy to find their explanation of what it does and how to handle it.

Nearly all AV providers provide "remote scan" utilities that you can use to let the AV site scan your computer for infections. You usually can have better assurance that the scan will be current and accurate than one run with the program on your own machine. (MOST AV providers recommend removing all prior AV programs (uninstalling) before installing a new one, and recommend a remote scan before the new installation.)

If your AV program is more than a year or so old, even if it's been "updated" regularly, you probably should check for new program version upgrades occasionally. If a newer version is available (free or nominally at the same subscription cost) getting the upgrade is probably a very good idea and may eliminate lots of false positives.

My Norton (currently the latest Norton 360 version) updated with current signature/data files, finds NO MALWARE at mudcat. The Norton Safe Search accessory that scans popular sites in search results finds NO MALWARE at mudcat, or at the 2345.com/ page linked in the <iframe> tag sometimes here, or at any other sites I've visited while examining the complaints here. (I don't generally visit sites that don't get a green card from Norton.)

John



Subject: RE: Tech: 2345 piggybacking Mudcat
From: Jack Campin
Date: 12 Jul 13 - 04:32 PM

Dick Gaughan's site got hit by an iframe attack a couple of years ago. His host, Gradwell, was highly reputable and you'd have thought they were one of the least likely to be compromised. Nonetheless it happened. I've no idea how and I can't guess how it's happened to Mudcat either.



Subject: RE: Tech: 2345 piggybacking Mudcat
From: GUEST,JHW
Date: 12 Jul 13 - 04:26 PM

For a week or two (in Mudcat) I kept getting a banner 'Firefox has prevented this site opening a new window'. Clicking OK simply removed the banner and the page stayed the same. It's stopped doing it now.



Subject: RE: Tech: 2345 piggybacking Mudcat
From: GUEST,Grishka
Date: 12 Jul 13 - 03:00 PM

Jeri, have you done the googling I suggested, and read the relevant texts in just seven minutes??? You asked for my arguments, and I took quite an effort to explain them. Of course I don't know what exactly happened on Max's computer(s), since I was not the one who gained access.



Subject: RE: Tech: 2345 piggybacking Mudcat
From: Jeri
Date: 12 Jul 13 - 02:51 PM

That's pretty much what I thought your answer would be. You're going by "feelings" too. You're making a lot of assumptions. I don't see anything positive that can come from my further involvement right now. Enjoy speculating. I hope those reading these threads realize that, when it comes to reasons for the script being what and where it is, speculation is all anyone who isn't Max can do.



Subject: RE: Tech: 2345 piggybacking Mudcat
From: GUEST,Grishka
Date: 12 Jul 13 - 02:44 PM

Sigh, Jeri. It happens every day, and is amply reported in the media. Google "Trojan-Clicker.JS.Iframe" - 142.000 hits. Even if I have no detailed explanation from my own expertise (as for many magicians' tricks) - proven facts remain.



Subject: RE: Tech: 2345 piggybacking Mudcat
From: Jeri
Date: 12 Jul 13 - 01:52 PM

Explain how someone could do it.



Subject: RE: Tech: 2345 piggybacking Mudcat
From: GUEST,Grishka
Date: 12 Jul 13 - 10:11 AM

Jeri, our feelings are not valid arguments. We all have witnessed Max messing with things, and strange effects thereof. But why on earth should he clobber the file "ga_social_tracking.js", thus depriving himself of its original benefits that Joe made an effort to justify? If the 2345 line had been added somewhere, some intention by Max could be imagined, but not for clobbering the intended content.

If we exclude Max having turned zombie, the only explanation is that the clobbering was done without his consent. The aggressor may have operated on the server or on a computer Max uses for designing, by "finding" passwords or circumventing the need for them. The internet has lots of tips for Max to read. I hope he does not need our advice - he has rarely taken any in the past.



Subject: RE: Tech: 2345 piggybacking Mudcat
From: Jeri
Date: 12 Jul 13 - 09:40 AM

John, nice try.

They obviously don't always deliver themselves in PAIRS. The code itself seems to have had its most deleterious effect in activating one or more "alpha" NOIDS. The alpha NOIDS then lead a cluster of NOIDS, and so the problem transforms into a persistent cascade, often spreading through other ways, some of which can propagate cyberpoop exponentially.

Try to figure out how somebody can get into Mudcat's server and write a piece of code on one particular page that no one but Max (and designated geeks) ever actually sees that will hide itself in the right place to be effective but not bother trying to hide from the whole entire rest of us. My feeling is that Max is messing with things, and there is no hacking going on.



Subject: RE: Tech: 2345 piggybacking Mudcat
From: GUEST,Grishka
Date: 12 Jul 13 - 07:26 AM

It's back. See the other thread.



Subject: RE: Tech: 2345 piggybacking Mudcat
From: GUEST,Grishka
Date: 12 Jul 13 - 05:00 AM

The actual topic of this thread is well explained in the other thread as the result of someone hijacking either the Mudcat server or (more probably) Max's computer by a "Trojan-Clicker.JS.Iframe.gb". Obviously Max has now restored Mudcat to its intended function, so that things are back to normal for the time being.

JohnIK, your knowledge is admirable. Unfortunately non-techies like me often find it difficult to see what point you are arguing for. Assume a lady who lives on her own returns home and finds a glass of beer on her table that she did not put there: would she be interested in the health effects of beer?



Subject: RE: Tech: 2345 piggybacking Mudcat
From: JohnInKansas
Date: 12 Jul 13 - 12:29 AM

The internet is densely populated by NOIDS.

NOIDS frequently appear in pairs.

It is inevitable that anyone who attempts to use the web will occasionally be affected by some Pairs-a-NOIDS that make rational understanding of the phenomena one sees difficult to achieve.

Recent complaints here have shown concern about two or three related code peculiarities.

Multiple web advisors assert that the html <iframe> tag was "invented" in 1997. The latest version of the html standard to achieve "Adopted Standard" status was HTML4, which was accepted and published in 1997. It does not appear that the <iframe> tag appeared in that version.

An "adopted standard" means that everyone (who got to vote) has agreed that anything you can do in HTML4 is described in the printed copy, and as long as you do only what's in the standard any "HTML4 compliant browser" will give you consistent results.

Some historians(?) believe that a brief period of "peace in the browser wars" followed the release of HTML4, while others consider this only a legend. Most current web designers apparently think it's a fairy tale that never happened and can be ignored.

A new "sub-Committee" was formed almost immediately after the "finalizing" of the HTML4 standard, to create a "next generation" standard to be called HTML5. A "Final for Review" version of HTML5 was "released for comment" 5 or 6(?) years ago, but was eventually withdrawn over complaints that "you left out my toy." A SECOND "Final for Review" version was distributed several months ago, and will be considered for adoption, if sufficient favorable comment is returned, in about two years (2014 to 2016? - maybe). Until then, there IS NO HTML5 STANDARD. While HTML5 "doesn't really exist," it has been under consideration and in use long enough to be considered "customary practice" if used with some care. Use of some HTML5 code appears to be – as Douglas Adams said – "mostly harmless."

A separate "adjunct Committee" (Working Group?) has been working on an HTML6. Unfortunately (IMO) some web designers have been implementing the hallucinations produced by this group, resulting in "unusual results" for some users with some browsers.

A FUNDAMENTAL CONCEPT in html up to now has been called the "Graceful Failure" requirement. As previously and currently used, it requires that any compliant html interpreter that encounters code that it "doesn't understand" must completely ignore that code.

The HTML6 group appears to want to change that to "you can use anything you can pull out of your diaper as long as it doesn't change what any previously existing standard code does." I must have some reservations about whether an individual web page designer has the capability of verifying compliance with this condition, even with an immaculately clean diaper, but we'll have to wait a while to see how it works out.

A similar situation exists with style sheets, with CSS3 being the last officially "Adopted Standard" so far as I can tell, but with many designers insisting that CSS4 exists and should be used. Results for CSS4 use are largely similar to use of HTML5(?).

John



Subject: RE: Tech: 2345 piggybacking Mudcat
From: GUEST
Date: 12 Jul 13 - 12:07 AM

"Bottom line: FUBAR – but while the traditional interpretation is that a FUBAR is a SNAFU that's received Management Attention"

I know the subject is serious. However, that is the funniest thing I have read in many years.



Subject: RE: Tech: 2345 piggybacking Mudcat
From: JohnInKansas
Date: 11 Jul 13 - 11:51 PM

Some information on 2345dotcom:

Top Chinese directory website 2345.com acquired

This is an established and reputable Directory website that is quite popular in China and probably across Asia. The fact that it's Chinese doesn't particularly suggest that it's any more subject to hosting malware than any of the similar sites that perform Directory Services elsewhere. I see no reason why a link that takes you to that site should be considered malicious. I do find it a bit puzzling that it should appear at mudcat, although there are possibly legitimate reasons why it might.

If one digs a little, it will be found that a major Chinese investor in Google mostly owns an associated company that is a "part holder" of this business. While that does not establish a Google interest or participation in the 2345 operations, it suggests that there may be some connection.

It may be noted further that multiple sites with names very similar to 2345.com DO SHOW WARNINGS from my "Norton Safe Search" (2345-com.com, 2345.com.com, etc). Anyone who wants to make direct examinations of the site should be very careful about spelling it "just right."

And on the <iframe> tag:

The <iframe> html tag is claimed by some to be a "legitimate" html feature, but it appeared after finalizing of the last HTML Standard to be officially "set in concrete."

So far as I can tell, the <iframe> tag does not appear in the HTML5 Proposed Standard that is now "distributed for review" (for the second time) and may be adopted in some final form sometime about two years from now. I've had some difficulty finding a complete copy of the "Second Revised Final Proposed HTML5" that's currently in review, so I can't be positive of what's in it.

The <iframe> tag may appear in some of the many versions of the HTML6 Hallucination that many web designers seem to be using. It appears that only those who are members of the Working Group have simple access to what's being proposed.

ALL OF THE BITS AND PIECES people are discussing here have at least the vague aura of "legitimacy," and while nobody really seems to know what's going on most of the "funny stuff" can be "explained" by anyone with sufficient psychotropic stimulation in ways that strongly suggest there's no malware evident in any of them.

Note that, as always, the appearance of only "legal" codes does not mean that a target the code takes you to cannot be malicious.

While there have been serious attempts to "standardize" html, many web designers have been using "new html" of various kinds, and the multiplicity of browsers have variously implemented some of the "latest things," even when the newer methods have little credibility among the general population of users. Differences in how a particular browser responds to a web site can be largely attributed to the extent to which "experimental" capabilities have been added in your browser, and in some cases, where you can choose to add "gadgets" to the browser, performance may vary with what add-ons you run.

The rush to cash in on the latest fadware has led to new operating systems that come in a number of different versions and flavors, with lots of gadgets having "unproven" reliability and security. Conservative advisors consider (some versions of) Android "unacceptably buggy" and others find varying numbers of vulnerabilities among others. Consistent and safe performance cannot be expected without some attention to the known weaknesses of the new OS types, and the device manufacturers who pump them out have paid less than admirable attention to patches and plugs for the unpredictable.

Bottom line: FUBAR – but while the traditional interpretation is that a FUBAR is a SNAFU that's received Management Attention in this case the offending influence (esp. for the new devices) more likely is Marketing Attention (Get the bucks before they catch on?).

John



Subject: RE: Tech: 2345 piggybacking Mudcat
From: Bonnie Shaljean
Date: 11 Jul 13 - 05:44 AM

I complained about this in the "Mudcat acting differently in Firefox" thread on 23rd June, but it only happens on the iPad:

The bookmark would bring up Mudcat as per normal, then after a few seconds would shift to a page full of Chinese text (no pictures, just a cartoon-y logo of some sort). I didn't click on anything but did reload numerous times, after having switched off and then back on and re-typed the address manually - but it kept doing it. It's like the URL (which was the normal one and didn't change) had been hijacked. But only on the iPad. Weird.

It meant that I haven't been able to access Mudcat AT ALL on the iPad, in any browser, and it was still doing this as of two or three days ago. I just checked it again now, and things seem to be back to normal, fingers crossed. I never did anything to try to fix it, because I had no idea what to do, and it wasn't happening on any of my laptops (64-bit Windows 7, Mac, and my itsy-bitsy-teenie-weenie "computerette" as JiK calls netbooks, also Windows 7 but the simple-minded edition).



Subject: RE: Tech: 2345 piggybacking Mudcat
From: treewind
Date: 11 Jul 13 - 05:02 AM

"Judging by how difficult I believe it would be to alter the code on Mudcat"

Web sites get hacked all the time. Why should Mudcat be different?

All you need is a user name and password once (or some other exploit that gives you access) for long enough to install a back door.



Subject: RE: Tech: 2345 piggybacking Mudcat
From: GUEST,Grishka
Date: 10 Jul 13 - 02:49 PM

Max has just reinstalled the correct "ga_social_tracking.js". Let us hope the attack is over, without real damage.



Subject: RE: Tech: 2345 piggybacking Mudcat
From: GUEST,Grishka
Date: 10 Jul 13 - 02:39 PM

This thread should be abandoned in favour of the "Trojan" thread, where I just posted my best explanation. Note that I do not claim any expertise at all and never ask anyone to "believe" me, just read my post and think.



Subject: RE: Tech: 2345 piggybacking Mudcat
From: Jeri
Date: 10 Jul 13 - 02:16 PM

Judging by how difficult I believe it would be to alter the code on Mudcat, I'd be more inclined to believe JiK than Grishka.

Max doesn't even explain the non-crazy shit around here. I expect him to avoid giving credence to the paranoid stuff by answering.



Subject: RE: Tech: 2345 piggybacking Mudcat
From: bobad
Date: 10 Jul 13 - 01:54 PM

Hmm....seems to be some conflicting info here. I'm not overly concerned as my computer is working normally but it would be nice to know.



Subject: RE: Tech: 2345 piggybacking Mudcat
From: GUEST,Grishka
Date: 10 Jul 13 - 01:43 PM

The line now no longer appears in the homepage code, but the camouflaged injection script is still there. This is not only believed, but proved to be the result of malware, very probably of the "Trojan-Clicker.JS.Iframe.gb" having infected the Mudcat server. Max seems to be working on it right now, as usual without deeming us worthy of an explanation.

Some arbitrary googling tells me that this Trojan may have served for a "denial of service" attack on that Chinese catalogue. Indeed, making us download the same page over and over again does not seem to make sense if our PCs are the main targets. But I don't really know a lot about that topic; still waiting for an expert.



Subject: RE: Tech: 2345 piggybacking Mudcat
From: Jack Campin
Date: 10 Jul 13 - 01:39 PM

I have just blocked 42.62.4.61 (union2.50bang.org) as well. Again, things seem to work normally without it.

I don't tolerate sites doing stuff to my machine that I can't understand or control. It's a security risk, because the more of that clutter there is, the easier it is for something genuinely malicious to sneak in without me noticing.

I do care about the way Facebook operates, which is why I don't have an account with them and have no intention of ever having one.



Subject: RE: Tech: 2345 piggybacking Mudcat
From: Jeri
Date: 10 Jul 13 - 01:29 PM

No Bob.
The danger in blocking these things is that people can block things Mudcat needs to work because they're afraid of it. I think JohnInKansas is, as usual, making sense.

There's a bit of group freak-out going on because people don't understand something, but that happens every once in a while. The biggest problem is that we noticed it. If Mudcat collected a lot of stuff on us the way Facebook does, we wouldn't care.



Subject: RE: Tech: 2345 piggybacking Mudcat
From: Jack Campin
Date: 10 Jul 13 - 01:24 PM

I set my router to block all outgoing traffic to 61.148.147.* .

The result is that Firefox appears never to finish loading the Mudcat home page, but otherwise things behave as expected.



Subject: RE: Tech: 2345 piggybacking Mudcat
From: bobad
Date: 10 Jul 13 - 01:17 PM

Jeri, when I block "www.mudcat.org/ga_social_tracking.js" it removes the Mudcat logo and links bar but is not itself removed. Any idea what that means?



Subject: RE: Tech: 2345 piggybacking Mudcat
From: JohnInKansas
Date: 10 Jul 13 - 01:15 PM

We now have at least 5 (probably more) separate threads that appear to relate, at the bottom line, to the appearance of an html "iframe" call to a Chinese site at 2345.com. This seems to be of great concern to lots of people.

I have been able quite easily to find the "offending" code here, but have seen NO VISIBLE EVIDENCE that it does anything in my browser or to my computer.

A check this morning finds that the "iframe" instruction has been removed from the front page source script, and so far as I've been able to tell it never appeared anywhere else at mudcat.

Maybe I missed out on all the fun, but I guess I can live with it.

The iframe tag is a legitimate (sort of) device in newer (non-standard) html versions, and shouldn't, in itself, cause problems. It inserts a frame in your page, and allows you to open another web page inside the frame. Just as when you open a new tab, nothing on the page in the tab - or on the page in the frame - should be able to affect you until you click the tab or click in the frame to make it the active view. There are some rather exotic ways that an open-but-inactive window could pass something, but they're rarely seen.

The 2345 website appears to be a "legitimate" DIRECTORY SITE (a little different than a catalog or archive) intended to tell where to find the ad needed for a particular viewing of a page that calls for one. It should not be expected that what appears in the frame is malware, unless you have reason to believe the 2345 site has been hacked, or the site where the page it actually calls up has been infected. In this respect the 2345 site is no different than the Google sites that pass their ads to you, although the two may have different standards of cleanliness and slightly different levels of risk.

At least that's what it looks like for one who's never seen most of it.

John



Subject: RE: Tech: 2345 piggybacking Mudcat
From: Jeri
Date: 10 Jul 13 - 12:54 PM

Bobad, "www.mudcat.org/ga_social_tracking.js" goes to "http://www.2345.com/?ktjwh20"



Subject: RE: Tech: 2345 piggybacking Mudcat
From: Bill D
Date: 10 Jul 13 - 11:47 AM

BTW...someone also wrote a Proxo rule to deal with 'target=blank', which coders use to force a link to open in a new page. I didn't like that... it is perfectly easy to TELL your browser to 'open in a new page or tab' if you wish... but I like most pages to open in the same tab/page... allowing me to just use the 'back' button! I found where someone had written this rule and copied it and added it to MY rules sets.



Subject: RE: Tech: 2345 piggybacking Mudcat
From: Bill D
Date: 10 Jul 13 - 11:41 AM

Ok... I 'seem' to have a partial solution, at least for me. I use The Proxomitron web filter. It has not been updated in several years, but its basic principle still works.

It has many 'rules' to control what you see, but you have to tell it how vigorously to enforce them and at what level. The code for writing a rule is not simple, but geeky experts have created quite a few. I have 6 levels of filters available... and level 6 about stops ANYTHING from being seen. I usually have only levels 2-3 working, which stops most javascript....but I have to disable it (Proxomitron) to see some images, videos...etc. I do that on sites I trust. It blocks 'most' of the ads on Mudcat (and puts a tiny little [ad] in red to show me it is working- nice touch). I sometimes DISable it in order to click ads to help Max.

Now... when I load Level 4 of the filters, I get a notice from the ad script saying "connection blocked by Proxomitron-- you are attempting to connect to a blocked URL...please try the following.."

So, the scripts are 'aware' they are being blocked (my term) and are objecting. This level 4 also seems to block 2345! At least the 'source' shows no evidence of it. The only 2345 I see in 'source' is our comments on it.

For those who wish to mess with Proxo, (a bit of a learning curve to get familiar with driving it), it can help with some things. You DO have to turn it off for doing some things... and remember to turn it on again.

I will be running level 4 a lot until Max gets this sorted.



Subject: RE: Tech: 2345 piggybacking Mudcat
From: bobad
Date: 10 Jul 13 - 11:38 AM

What has it been renamed, Jeri?

I blocked it with AdBlock Plus and I don't see any iframe on Page Source.



Subject: RE: Tech: 2345 piggybacking Mudcat
From: Jeri
Date: 10 Jul 13 - 11:29 AM

OK, it just got re-named. It's there.


Subject: RE: Tech: 2345 piggybacking Mudcat
From: Jeri
Date: 10 Jul 13 - 11:25 AM

It's BELIEVED to be.

I once was told that midis I'd created were infected. They weren't, but a particular anti-virus program went nuts.

I'm not even seeing this 2345 script anymore. It's been there, but blocked. Now, it doesn't seem to be there.


Subject: RE: Tech: 2345 piggybacking Mudcat
From: GUEST,Grishka
Date: 10 Jul 13 - 11:10 AM

It is now definitely known to be a malware attack via Mudcat ("Trojan-Clicker.JS.Iframe.gb" - google it); see the Trojan thread. Disinfect your PC if you can; disable JavaScript.


Subject: RE: Tech: 2345 piggybacking Mudcat
From: Bob the Postman
Date: 10 Jul 13 - 10:44 AM

This morning my iPad's Safari browser has started opening 2345 not only on Mudcat's home page but on individual threads as well. 2345 also displays when I click the Personal Page link.


Subject: RE: Tech: 2345 piggybacking Mudcat
From: GUEST,Grishka
Date: 09 Jul 13 - 04:25 AM

Done that before, Jack. As we saw, it is a catalogue service, China's largest. As with all websites nowadays, there are two serious security problems, caused by the site itself or by embedded ads:
  • scripts, normally JavaScript, being executed by the browser, quite powerful by design and more powerful by exploiting leaks in browsers;
  • pictures and other "objects", meant to be just displayed, but frequently abused for malicious activities by exploiting leaks in browsers.
I would welcome someone who has the ability to analyze the scripts within reach, especially the one that causes the problem observed by Don Firth. A statement from Max could perhaps help to reduce our considerable worry.


Subject: RE: Tech: 2345 piggybacking Mudcat
From: Jack Campin
Date: 08 Jul 13 - 06:06 PM

Just for laughs: try saving the source of the Mudcat home page. Then change that iframe line to

<iframe src=http://www.2345.com/?ktjwh202 width=600 height=800></iframe>

and reload that source into your browser. It will put 2345's input in a window large enough for you to read. You can now save the frame and feed it into Google Translate - it does a very good job.

It doesn't appear to be malicious but it certainly isn't what anybody comes to Mudcat looking for.
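
An added example, not part of the original post: a Python sketch that audits a saved copy of a page's source, saved as the post above describes, and lists scripts, images and iframes loaded from other hosts, flagging iframes sized or styled to be invisible. The sample markup, the 0x0 dimensions, `ads.example.net` and all function names are constructed for illustration; only the 2345 URL comes from the thread.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
WATCHED = {"iframe", "script", "img"}  # tags that fetch a URL from their src

def _pixels(value):
    """Return a plain pixel dimension as int, or None if absent or not numeric."""
    value = (value or "").strip().lower()
    if value.endswith("px"):
        value = value[:-2]
    return int(value) if value.isdigit() else None

class EmbedAuditor(HTMLParser):
    def __init__(self, first_party):
        super().__init__()
        self.first_party = first_party.lower()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag not in WATCHED:
            return
        a = dict(attrs)
        host = (urlparse(a.get("src") or "").hostname or "").lower()
        # Relative URLs have no host; the site's own subdomains count as first-party.
        if not host or host == self.first_party or host.endswith("." + self.first_party):
            return
        w, h = _pixels(a.get("width")), _pixels(a.get("height"))
        style = (a.get("style") or "").replace(" ", "").lower()
        hidden = tag == "iframe" and (
            (w is not None and w <= 1) or (h is not None and h <= 1)
            or "display:none" in style or "visibility:hidden" in style)
        self.findings.append({"tag": tag, "host": host, "hidden": hidden})

def audit(html, first_party):
    parser = EmbedAuditor(first_party)
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample; only the 2345 URL is taken from the thread, 0x0 size is assumed.
SAMPLE = """<html><body>
<img src="/images/logo.gif">
<script src="http://ads.example.net/show.js"></script>
<iframe src=http://www.2345.com/?ktjwh202 width=0 height=0></iframe>
<iframe src="http://www.mudcat.org/" width=300 height=200></iframe>
</body></html>"""

if __name__ == "__main__":
    for finding in audit(SAMPLE, "mudcat.org"):
        print(finding)
```

An off-site host in the output is not proof of compromise, since ad networks load that way too; an off-site iframe marked hidden is the entry worth raising with the site owner.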


Subject: RE: Tech: 2345 piggybacking Mudcat
From: Bill D
Date: 07 Jul 13 - 10:33 AM

ctrl-U 'usually' gets page source in any browser.


Subject: RE: Tech: 2345 piggybacking Mudcat
From: GUEST,NIghtWing (cookie-less)
Date: 06 Jul 13 - 09:49 PM

Thanks, Jeri and Mick!!

I had actually looked (I think, several times) at the Web Developer menu without seeing "Page Source" there.

Maybe it's not short-term memory that's the first thing to go ... (What were we talking about? :-)

BB,
NightWing


Subject: RE: Tech: 2345 piggybacking Mudcat
From: Mick Pearce (MCP)
Date: 06 Jul 13 - 08:59 PM

Right-click>View Page Source also works (in Ubuntu version of 22)

Mick


Subject: RE: Tech: 2345 piggybacking Mudcat
From: Jeri
Date: 06 Jul 13 - 08:21 PM

In Firefox 22:
Tools>Web Developer>Page Source


Subject: RE: Tech: 2345 piggybacking Mudcat
From: GUEST,NIghtWing (cookie-less)
Date: 06 Jul 13 - 08:06 PM

Well, bloody! I spoke too soon.

When I went back to the main forum page ("Lyrics & Knowledge"), it somehow managed to load up FIFTEEN images from 2345.com. Several of them are Google logos: if someone tells Google, maybe they can drop a smartbomb on them :-(

(Google claims not to be evil, but you've got to have the capacity for evil before it's a virtue NOT to be so.)

BB,
NightWing (unhappy at the moment!)


Subject: RE: Tech: 2345 piggybacking Mudcat
From: GUEST,NIghtWing (cookie-less)
Date: 06 Jul 13 - 07:59 PM

I apparently cleared my cookie the last time I was in. While this is going on I'm not going to log back in.

Running Firefox 22.0, I'm actually seeing nothing. The image was captured by Firefox though. It's an (apparent?) GIF of a gray octopus.

I blocked the site from loading images at Tools / Page Info / Media tab. However, then I went to Tools / Options / Content tab and added the string

*.2345.com


to the Exceptions to "Load images automatically". So far (crossing fingers!!!), nothing else has followed it.

Erm, does anyone know how to view the Page Source in Firefox 22? I can't find an option for it anywhere?

BB,
NightWing


Subject: RE: Tech: 2345 piggybacking Mudcat
From: michaelr
Date: 06 Jul 13 - 05:10 PM

What I'm seeing (in IE) are the little "Waiting for" thingies flashing at the bottom of my screen. There have been more and more of them as Max has loaded up ads and stuff, such as Facebook, Google ads and other crap. And now my browser has to additionally wait for 2345. After that it usually says "Done, but with errors on page". And when it says "Done", whatever I've clicked on still doesn't open for several seconds, to the point where the blue IE bar at the top of my screen says "(Not responding)".

That's annoying in itself. If this is something Max did on purpose, I don't like it. Why slow down the user experience? If it's malicious, it's much worse and should be dealt with forthwith.



All original material is copyright © 1998 by the Mudcat Café Music Foundation, Inc. All photos, music, images, etc. are copyright © by their rightful owners. Every effort is taken to attribute appropriate copyright to images, content, music, etc. We are not a copyright resource.