| View previous topic :: View next topic |
| Author |
Message |
QuietOne
Lieutenant
Joined: Dec 28, 2003
Posts: 227
Location: USA
|
 Posted: Sun Mar 07, 2004 1:54 pm Post subject: Another Hijack while logged in to CCSP |
|
|
I just got hijacked again!
I clicked on the "View last post" anchor symbol on my "Error Message when attempting to quote post" topic and got slammed with about 50-75 requests for personal info. I blocked all via Norton Personal Firewall 2004. Once I finally got past those requests, I ended up at a post with the below listed web address:
| Code: |
| http://www.computercops.biz/modules.php?name=Forums&file=viewtopic&p=102***#102*** |
It was entitled "Computer Forensics: Incident Response Essentials" with the first post submitted by "Paul" - or at least that's what it said -- AND I'M NOT KIDDING.
_________________
Stealth is the best weapon
|
|
| Back to top |
|
 |
Paul
Admin
Joined: Feb 22, 2002
Posts: 5154
Location: USA
|
| Posted: Sun Mar 07, 2004 2:03 pm Post subject: |
|
|
That link you have above is a valid post here at computer cops.
_________________
http://computercops.biz/ |
|
| Back to top |
|
|
QuietOne
Lieutenant
Joined: Dec 28, 2003
Posts: 227
Location: USA
|
| Posted: Sun Mar 07, 2004 2:25 pm Post subject: |
|
|
Hi Paul,
Don't doubt it for a second - but that's not the real problem.
I ended up VIEWING the topic located at that link after I had clicked on the view last post anchor symbol which SHOULD have taken me to your reply to my Error Message post.
IOW, when I click on the "View last post" anchor (of one topic) it's taking me to a post for a topic that it totally unrelated to the topic I'm clicking on.
To me, that means the "View last post" processing code has a bug in it - or at least that there is a bug related to that code somewhere. This is the second time in less than a week that this has happened.
_________________
Stealth is the best weapon |
|
| Back to top |
|
|
QuietOne
Lieutenant
Joined: Dec 28, 2003
Posts: 227
Location: USA
|
| Posted: Sun Mar 07, 2004 2:31 pm Post subject: |
|
|
PS to the above:
Until you confirmed that the address was valid, I wasn't certain - so I was calling it a Hijack?? attempt.
Now that you've confirmed the validity of the address, I need to change my terminology to a "Bug Report". 
Sorry Paul, for using that nasty phrase around CCSP.
_________________
Stealth is the best weapon |
|
| Back to top |
|
|
Paul
Admin
Joined: Feb 22, 2002
Posts: 5154
Location: USA
|
| Posted: Sun Mar 07, 2004 5:46 pm Post subject: |
|
|
LOL, you had me scared there for a second especially with all the hijacks running around. Let me test it out ... I presume you mean by clicking this in the forum index view  it takes you to another location then? |
|
| Back to top |
|
|
Paul
Admin
Joined: Feb 22, 2002
Posts: 5154
Location: USA
|
| Posted: Sun Mar 07, 2004 5:46 pm Post subject: |
|
|
I just tried clicking that last post link on this thread in this forum view, and it brought me to the right spot.
Can anyone else duplicate?
_________________
http://computercops.biz/ |
|
| Back to top |
|
|
QuietOne
Lieutenant
Joined: Dec 28, 2003
Posts: 227
Location: USA
|
| Posted: Sun Mar 07, 2004 7:12 pm Post subject: |
|
|
| Paul wrote: |
| ... I presume you mean by clicking this in the forum index view it takes you to another location then? |
I mean in a screen such as the Computer Cops Forum Index > Site Inbox view where all of the topics for the Site Inbox Forum are listed. And when someone has posted a reply to a given topic there is the graphic in front of the topic title. It's that graphic that I'm talking about.
On two separate occasions in the last week I've clicked on that lil' bugger and ended up viewing some post that wasn't even remotely associated with the post to which the lil' bugger was "Visually linked to (once from the Mailwasher - Beta Testing Forum to a completely different forum i.e."Virus-Worm Related"; and once again from the Mailwasher - Beta Testing Forum to wherever the link I copied in my initial message today concerning a "Hijack??" is/was located. The one you verified as a legitimate link).
The thing that get's me uptight about it is the fact that ASA I click on the it slams me with anywhere from 50-75 requests for personal info" according to my firewall and then takes me to wherever it's going to take me, link-wise.
Hope this has clarified the trouble I'm having. If you have any further questions or want any more specifics, don't hesitate to ask. And again, I'm sorry for using that dirty word around here.
_________________
Stealth is the best weapon
|
|
| Back to top |
|
|
Paul
Admin
Joined: Feb 22, 2002
Posts: 5154
Location: USA
|
| Posted: Sun Mar 07, 2004 7:20 pm Post subject: |
|
|
I'm not sure where these pop-ups are coming from, but note that computer cops doesn't have any external associations via cookies, links, pop-ups, or anything. Everything here is in-house only.
This leads me to wonder if there is something on your machine which is causing these effects to occur.
_________________
http://computercops.biz/ |
|
| Back to top |
|
|
QuietOne
Lieutenant
Joined: Dec 28, 2003
Posts: 227
Location: USA
|
| Posted: Sun Mar 07, 2004 8:03 pm Post subject: |
|
|
| Paul wrote: |
I'm not sure where these pop-ups are coming from, but note that computer cops doesn't have any external associations via cookies, links, pop-ups, or anything. Everything here is in-house only.
This leads me to wonder if there is something on your machine which is causing these effects to occur. |
If you mean my firewall popping up and saying that my computer is attempting to send personal info: Block/Permit? This is what's happening.
As for the question: Is it something on my system causing it or is it something else causing it? My answer is as follows:
- No I would NOT expect CCSP to run these types of spyware and I'm certainly NOT suggesting that you are. I'm merely letting you know that it IS occuring ONLY when I'm at your site in the hope that you can catch the (&@$(#@$ who IS doing it or find and fix the bug that's causing it;
- The only time I've ever gotten 50-75 personal info requests (ALL UNAUTHORIZED MIND YOU) all at the same time, like has occurred in these two cases, is in the last week and under tha described circumstances;
- Yes, I have OCCASSIONALLY gotten these firewall warnings for UNAUTHORIZED personal info requests when at other sites or doing other activities, but the number of requests at any one time or from any one site has been limited to 4-5 MAX not 50-75 like have occurred these two times in the last week here at CCSP; and
- I regularly scan (once/twice a week) my system with both anti-virus AND anti-spyware software to ensure my system is clean.
Again, I remain available to assist you in whatever way I can to resolve this very irritating occurrence ASAP. And thanks for your diligence in tracking it down. 
_________________
Stealth is the best weapon
|
|
| Back to top |
|
|
Paul
Admin
Joined: Feb 22, 2002
Posts: 5154
Location: USA
|
| Posted: Sun Mar 07, 2004 11:43 pm Post subject: |
|
|
Well first I'd hope that anyone else here who reads this would also hop on. In the meantime, since I cannot replicate this on any machine available to me, I cannot locate the problem.
In the meantime, if you could start running sniffing software while you are onsite it would be greatly appreciated.
Also, can you show me the link that you are taken to offsite? Please supply those too. For instance, in this episode, did you have a copy of those external site links?
_________________
http://computercops.biz/ |
|
| Back to top |
|
|
QuietOne
Lieutenant
Joined: Dec 28, 2003
Posts: 227
Location: USA
|
| Posted: Mon Mar 08, 2004 8:28 am Post subject: |
|
|
| Paul wrote: |
| Well first I'd hope that anyone else here who reads this would also hop on. In the meantime, since I cannot replicate this on any machine available to me, I cannot locate the problem. |
Fortunately, or UN-fortunately depending on your point of view it sounds like we've got a really good scavenger hunt started. 
| Paul wrote: |
| In the meantime, if you could start running sniffing software while you are onsite it would be greatly appreciated. |
Point me in the direction of a good one, that YOU trust for this purpose, and I'll be happy to.
| Paul wrote: |
| Also, can you show me the link that you are taken to offsite? Please supply those too. For instance, in this episode, did you have a copy of those external site links? |
You've lost me Paul. What link I've been taken to off-site? I've only had this happen twice TOTAL.
The first time it caught me a little unawares and I didn't write down or copy the ACTUAL web address - so I can't verify the web address I was taken to. I just got out of there ASAP. I will send you a PM with the exact text and all the specifics I sent RusticDog when the first one happened. He (RusticDog) later asked me to try to find the exact link I had been taken to in the Virus-Worm Related Forum because you and he were unable to find it. I looked at EVERY topic in the forum and couldn't find it either so I don't know what the deal is. All I can say is that it LOOKED like a web page from CCSP but since neither he, you or I can find the topic title I can't say whether it was or wasn't an ACTUAL CCSP web page.
The second time it happened is THIS time and I DID copy BOTH the web address AND the topic title. It's the one you verified as a LEGITIMATE CCSP address.
If there is some other link you are referring to, please clarify and I'll do what I can but as I said above, right now you've lost me. PM on it's way shortly.
TNX
_________________
Stealth is the best weapon
|
|
| Back to top |
|
|
Paul
Admin
Joined: Feb 22, 2002
Posts: 5154
Location: USA
|
| Posted: Mon Mar 08, 2004 9:38 am Post subject: |
|
|
Ok then not sure what to say. The link you supplied is correct. Try running ethereal, its an excellent windows sniffer. If this 'hijack' happens again, please take a screen snapshot after you are 'hijacked' so I can see what you see and attach it here.
Thanks
_________________
http://computercops.biz/ |
|
| Back to top |
|
|
QuietOne
Lieutenant
Joined: Dec 28, 2003
Posts: 227
Location: USA
|
| Posted: Mon Mar 08, 2004 9:43 am Post subject: |
|
|
| Paul wrote: |
Ok then not sure what to say. The link you supplied is correct. Try running ethereal, its an excellent windows sniffer. If this 'hijack' happens again, please take a screen snapshot after you are 'hijacked' so I can see what you see and attach it here.
Thanks |
Will do. One quick Q (well actually two)  :
Wher can I find a copy of Ethereal? Do you have a link to it on the download page or do I need to search the web for it?
_________________
Stealth is the best weapon
|
|
| Back to top |
|
|
Paul
Admin
Joined: Feb 22, 2002
Posts: 5154
Location: USA
|
| Posted: Mon Mar 08, 2004 9:46 am Post subject: |
|
|
Oh sorry, here you go:
http://www.ethereal.com/
_________________
http://computercops.biz/ |
|
| Back to top |
|
|
phoenix22
Site Admin
Premium Member
Joined: Mar 08, 2002
Posts: 4503
Location: "C & C Bird"
|
| Posted: Mon Mar 08, 2004 10:18 am Post subject: |
|
|
| Paul wrote: |
I just tried clicking that last post link on this thread in this forum view, and it brought me to the right spot.
Can anyone else duplicate? |
btdt.....
_________________
"De Oppresso Liber" (We Liberate the Oppressed) Got Cawotts?? Got Ammo?? Holy Shinola Bat Babe! ....for Buddy...who lived it!
|
|
| Back to top |
|
|
|
|
You can syndicate our news using the file RSS 0.91, ultramode.txt, or RSS 1.0.
Forum FAQ
Search
Usergroups
Profile
Login to check your private messages
Login
