Jon - something questionable

Author

Comment

satellitehead

Registered:1257988353
Posts: 3,687

Posted 1342926520	Reply with quote #1

Sorry for not emailing, no access to my email right this sec to report this properly. There is a new user signed up two days ago under the name "egptcountryboy" Every post this use is making is embedded with a script that hyperlinks items on the page. If you look at source of his posts, you will find the following, which forced loading of a Javascript script for an advertising company: Code: < scripttype="text/javascript"src="http://loading-resource.com/50.js.php?i=%7B40E1C7C6-37A4-4F48-9508-E7411BB63C75%7D"></script><scripttype="text/javascript"src="https://d3pzomt0ul12fo.cloudfront.net/items/loaders/loader_1032.js?aoi=1311798366&pid=1032&zoneid=10368&cid=US&rid=MD&ccid=Crownsville&ip=68.55.64.120"></script> This probably needs to be dealt with. Here are the two posts which need to be edited to remove the scripting: http://figs4funforum.websitetoolbox.com/post/show_single_post?pid=1274342694&postcount=5 http://figs4funforum.websitetoolbox.com/post/show_single_post?pid=1274342761&postcount=1 Hope you're able to do something. __________________ Jason Atlanta/Grant Park area - z8

OttawanZ5

Registered:1192897779
Posts: 2,551

Posted 1342928233	Reply with quote #2

Jasson What caution do you suggest for those who have not yet opened his posts. __________________ Ottawan-Z5a, Canada

satellitehead

Registered:1257988353
Posts: 3,687

Posted 1342928642	Reply with quote #3

There is a script file being posted in the posts, and it's referencing an IP address of a computer using Comcast cable in Crownsville, Maryland. Looks to be an advertising script. Very curious. Submitting the source on the Javascript to a couple of security vendors to inspect. My advice is ... don't click on the links inside his posts or any other subsequent members posts on that page, simply put. And for the new forum user above (Abraham/egptcountryboy), I'd recommend you go download a tool like MalwareBytes and perform a full scan on your system if you have no idea what I'm talking about. NOTE: NOBODY ELSE NEEDS TO SCAN THEIR SYSTEM. __________________ Jason Atlanta/Grant Park area - z8

OttawanZ5

Registered:1192897779
Posts: 2,551

Posted 1342933886	Reply with quote #4

Thanks Jason. Now we can overcome the curiosity.... __________________ Ottawan-Z5a, Canada

pitangadiego

Moderator
Registered:1188871011
Posts: 5,447

Posted 1342933910	Reply with quote #5

I'm checking on it. The poster seems legit. I deleted everything in the post, and replaced it with a clean text file, but the link returns. Same issue shows up in post by BLB, who we know is legit. __________________ Encanto Farms Nursery http://encantofarms.com http://figs4fun.com http://webebananas.com "pitangadiego" everywhere

satellitehead

Registered:1257988353
Posts: 3,687

Posted 1342959000	Reply with quote #6

Still waiting on the script file to be dissected. Will let you know what I find out. It is true that there are links on two posts, but technically, any script will load once and affect everything on the page. __________________ Jason Atlanta/Grant Park area - z8

satellitehead

Registered:1257988353
Posts: 3,687

Posted 1342959038	Reply with quote #7

(I need to look at the source - it may be embedded in the user signature - can you check? __________________ Jason Atlanta/Grant Park area - z8

BLB

Registered:1214341548
Posts: 2,936

Posted 1342968832	Reply with quote #8

What??? What is showing up in my posts?? I have a Macafee system to prevent any stuff like this what do I do?

BLB

Registered:1214341548
Posts: 2,936

Posted 1342970238	Reply with quote #9

I am running Malwarebytes, the program Jason recommended.

The_celt

Registered:1291260537
Posts: 874

Posted 1342971739	Reply with quote #10

Blb legit? Lol sure. __________________ http://sumosteaks.com/

northeastnewbie

Registered:1267756970
Posts: 407

Posted 1342974886	Reply with quote #11

Barry is a SPY>>>>>>in the famous words of Charlie Brown AAGGGHHHHHHH... __________________ Al Richer zone 7 nj EBAY ID--06picl member: back yard fruit growers association

BLB

Registered:1214341548
Posts: 2,936

Posted 1342976771	Reply with quote #12

I'm spying on the fig people so I can report back to the pomegranate people. Seriously though, I am running the malware thing recommended by Jason, it's found nothing in nearly 2 hours but is still going. Anything I've posted on this forum was a picture taken from my cell phone. I don't know how these Malware or virus things work, not one clue, but I don't want to cause any problems for my friends or myself.

BLB

Registered:1214341548
Posts: 2,936

Posted 1342981828	Reply with quote #13

The scan just completed, no malitious malware detected.

satellitehead

Registered:1257988353
Posts: 3,687

Posted 1342986714	Reply with quote #14

Yes, there is no malware, I'm talking about a tracking script which is embedded in every post that user makes. It hyperlinks here: http://loading-resource.com/50.js.php?i=%7B40E1C7C6-37A4-4F48-9508-E7411BB63C75%7D If you click that link, you will see that your city and IP address are being supplied out to some arbitrary website, and it appears it allows the recipient to see information about every person who reads a thread he posts in. It also appears to load the "TEXT ENHANCE" flash script that appears every time you mouse over an underlined word in one of the posts on the page. I can't tell you how it's being done... I just know that it is directly tied to that specific user, the Javascript code is being inserted at the end of his posts, just above his signature line (you can't see it via the post, only by looking at the source code behind the actual webpage), and it's affecting the entire webpage; all posts on the same page as his. I don't know what to do about it either, unfortunately. Unfortunately, I don't have a lot of time to dig into this right now. __________________ Jason Atlanta/Grant Park area - z8

BLB

Registered:1214341548
Posts: 2,936

Posted 1342990514	Reply with quote #15

I downloaded the program you suggested, ran a full scan and it found nothing. I have Macafee and it updates automatically and again nothing.

shah8

Registered:1339623766
Posts: 657

Posted 1342992435	Reply with quote #16

Frankly, that sounds like an issue with some kind of tracking cookie? Spybot, or some other anti-advertising program might be more of use. __________________ Especially desired figs: UCD 187-25, UCD 200-48, UCD 157-17, UCD 309-B1, Princesa, Black Madeira, high quality sugar fig that ripens Sept-Oct. Probable desired fig: Smith, St Jean, JH Adriatic, CddB, Gulbun, Pastilliere, Sucrette Rooting: Smith, CDDB--this pretty much means I have my fun tries (tho' important since they are truly desirable), and only interested for this year: Gulbun, BM, 187-25, or something wildly exotic or precious that nobody has any good reason to send me.

satellitehead

Registered:1257988353
Posts: 3,687

Posted 1343003474	Reply with quote #17

Malware Bytes is such a program; Spybot S&D and MalwareBytes are both competent programs, both with their own perks. MalwareBytes tends to do better with browser hijackers after an infection happens, Spybot S&D is better to prevent browser hijackers. Confused why folks are scanning their computers? There is no need, folks. This has nothing to do with your system. It appears either the user (egptcountryboy) is manually embedding tracking scripts into his posts, or he's infected with (and/or has installed) something that is automatically dropping this hidden scripting into his posts. __________________ Jason Atlanta/Grant Park area - z8

satellitehead

Registered:1257988353
Posts: 3,687

Posted 1343004205	Reply with quote #18

Just want to show what is going on. This is the source code behind his first post (see attached image). The portion of source code I highlighted between his name "-Abe" and his actual signature (everything after below the ---------------) is the offending script call that appears to be causing the underlined links in everyone's posts. After picking apart the linked script (.js) that's linked between the end of his post content and his signature, it appears it's using Macromedia Flash to show the popups when you hover over the links. If you run your browser with Flash plugin off, it stops. The script calls only exist in his posts, nobody elses. The underlined links only show up in threads he has posted in, as a result of the script calls. The scripts being called affect all posts inside a thread, not just his. All of the script calls redirect people to an external search engine. Reaks of advertising bot/rogue advertising. Inline image Attached Images* abescript.jpg (239.52 KB, 75 views) __________________ Jason Atlanta/Grant Park area - z8

BLB

Registered:1214341548
Posts: 2,936

Posted 1343007259	Reply with quote #19

Ok I responded to his post. So perhaps because of that it showed up as it sounds like you're saying it showed up in the whole thread. Anyway, Jon said something was showing up on my posts. Jason suggested Malwarebytes to the other guy, but I'm thinking I have a problem so I downloaded that and ran it. It found nothing. Just to set the record straight.

hoosierbanana

Registered:1287901146
Posts: 2,186

Posted 1343023928	Reply with quote #20

Gonna keep my eye on you Barry, lol. Jason, I noticed a link I am sure Herman2 did not choose to include in this thread. http://figs4funforum.websitetoolbox.com/post/Maltese-Falcon-5938125. Edit: Nevermind, I read that you figured this one out already. Funny it only links the word Ischia. __________________ 7a, DE

Previous Topic | Next Topic

Modal title

Insert Code

Please paste your code into the box below: