HTTP_ActivePerl_Overflow attacks

Message boards : Number crunching : HTTP_ActivePerl_Overflow attacks
Darren
Volunteer tester
Joined: 2 Jul 99
Posts: 259
Credit: 280,503
RAC: 0
United States
Message 8212 - Posted: 15 Jul 2004, 7:41:05 UTC - in response to Message 8191.  

> ok, i went back and visited all the threads since this started and these 2
> threads cause the attack for the de site on my machine
>
> http://setiweb.ssl.berkeley.edu/forum_thread.php?id=1370
> http://setiweb.ssl.berkeley.edu/forum_thread.php?id=1477

OK, from what I can gather from these 2 threads it looks like it is *probably* being caused by the mirroring of Neil's signatures. In loading these 2 threads, many images were loaded from www.gr-crew.de, however none of the final images link to www.gr-crew.de. I went through one by one and disabled the source for each image, and when I disabled Neil's sig images, no more images were loaded from gr-crew.de.

If that is the cause, it would make sense that Norton thinks YOU are attacking THEM, because you're suddenly accessing that page when nothing in the forum here would have sent you there (only the mirroring instructions would have routed you there).

I'll check with Neil and see if he thinks his mirrors might be causing it, and ask him to post back into this thread to let everyone know. If that's what it is, I can assure you it's nothing malicious or harmful.



Daniel Schaalma
Volunteer tester
Joined: 28 May 99
Posts: 297
Credit: 16,953,703
RAC: 0
United States
Message 8300 - Posted: 15 Jul 2004, 14:16:29 UTC

Everyone who runs Windows 2000 or Windows 2003 (either workstation or server versions), Windows XP Home, Windows XP Professional, or Windows XP 64-bit Edition should also make absolutely SURE that they have ALL the latest critical updates from the Windows Update site. Without these critical updates, there are several gaping security holes in these OSes that can allow an attacker to run scripts or other programs on an unpatched machine, and possibly take full control over it.

Regards, Daniel.

CyberGoyle
Joined: 2 Jun 99
Posts: 160
Credit: 3,622,756
RAC: 26
United States
Message 8308 - Posted: 15 Jul 2004, 14:33:34 UTC - in response to Message 8212.  

> > ok, i went back and visited all the threads since this started and these
> 2
> > threads cause the attack for the de site on my machine
> >
> > http://setiweb.ssl.berkeley.edu/forum_thread.php?id=1370
> > http://setiweb.ssl.berkeley.edu/forum_thread.php?id=1477
>
> OK, from what I can gather from these 2 threads it looks like it is *probably*
> being caused by the mirroring of Neil's signatures. In loading these 2
> threads, many images were loaded by www.gr-crew.de, however none of the final
> images link to www.gr-crew.de. I went through 1 by 1 and disabled the source
> for each image, and when I disabled Neil's sig images, no more images were
> loaded from gr-crew.de.
>
> If that is the cause, it would make sense that Norton thinks YOU are attacking
> THEM, because you're suddenly accessing that page when nothing in the forum
> here would have sent you there (only the mirroring instructions would have
> routed you there).
>
> I'll check with Neil and see if he thinks his mirrors might be causing it, and
> ask him to post back into this thread to let everyone know. If that's what it
> is, I can assure you it's nothing malicious or harmful.

Petit Soleil
Joined: 17 Feb 03
Posts: 1497
Credit: 70,934
RAC: 0
Canada
Message 8341 - Posted: 15 Jul 2004, 16:04:51 UTC
Last modified: 15 Jul 2004, 16:17:54 UTC

I really don't know what is going on with that jpg, but I doubt a normal jpg image file would trigger IE's cookie blocker. Given the fact that recently a virus (see download.ject exploit) was infecting PCs by executing code embedded in images, I posit this theory:

Guido is using the Goggle image finder to find his pictures, and it accidentally found an infected jpg on EA's website, which he subsequently posted to that forum thread.

That's my conspiracy theory, for what it's worth.

-----------------

To be honest, that was my first thought when the discussion pointed out that it could be somehow related to some images. If that is the case then it's a strong argument in the balance for those complaining about Guido's pics.




Christopher Hauber
Joined: 10 Feb 01
Posts: 196
Credit: 71,611
RAC: 0
United States
Message 8346 - Posted: 15 Jul 2004, 16:14:41 UTC - in response to Message 8341.  

It is interesting that the picture in question came from Electronic Arts. If that really is true, then I don't think EA would be very happy about that if they knew. The theory for the problem seems to be a decent theory, but it does not have anything to do with complaints for his pictures though. I don't think there was any malicious intent, just an honest accident. Especially considering the server that the picture is located on. It could have happened to anyone anytime anywhere. I still support the pictures, but I would suggest images found to cause security problems be removed by their authors or the SETI staff.

Chris


> -----------------
>
> To be honest, that was my first thought when the discussion pointed out that it
> could be somehow related to some images. If that is the case then it's a
> strong argument in the balance for those complaining about Guido's pics.

Petit Soleil
Joined: 17 Feb 03
Posts: 1497
Credit: 70,934
RAC: 0
Canada
Message 8347 - Posted: 15 Jul 2004, 16:28:54 UTC
Last modified: 15 Jul 2004, 16:30:27 UTC

It could have happened to anyone anytime anywhere. I still support the pictures,

-------------

I agree with those supporting pictures, for they can sometimes be funny or useful in a technical discussion, for example. But I do not agree with posting pictures just for posting pictures. It is pretty annoying and sometimes disrespectful. The problem with Guido's behavior is that he joins a discussion with an "and now for something completely different" message with a huge pic of Bill Gates. What the f..k does it bring to the discussion? Whom is he addressing, what is it he wanted to express, does it contain any personal attack that only he can understand? I have nothing personal against him. It's just that the very vast majority of people here have asked him politely to stop doing that, but he just keeps on posting more and more. He says he wants to improve his English; well, that's very good for him and a discussion board is a good place to practice, that's what I'm doing right now, but he won't improve anything by posting pics.



Neil Munday
Joined: 10 Apr 01
Posts: 102
Credit: 244,709
RAC: 0
United Kingdom
Message 8349 - Posted: 15 Jul 2004, 16:37:45 UTC

Hi all,

The two sites you mention, the UK and German one are sites that provide mirrors for http://seti2.mundayweb.com.

When your browser sends a request to http://seti2.mundayweb.com/stats.php?userID=1 for example, the script randomly chooses a mirror to redirect the user to in order to generate the graphic.

It would seem that Norton is over zealous. There is nothing to fear - these sites are not trying to hack your PCs.

Unfortunately, the current mirroring system is the only solution I have to my bandwidth problem, unless I win the lottery, or someone else does and donates their winnings to my site :)

Please let me know if the mirror system is going to cause you problems.

Neil Munday

http://seti.mundayweb.com
http://seti2.mundayweb.com
http://www.mundayweb.com/setigraph

BigDawg
Joined: 16 Apr 04
Posts: 113
Credit: 6,927
RAC: 0
United States
Message 8350 - Posted: 15 Jul 2004, 16:42:07 UTC - in response to Message 8349.  

> Hi all,
>
> The two sites you mention, the UK and German one are sites that provide
> mirrors for http://seti2.mundayweb.com.
>
> When your browser sends a request to
> http://seti2.mundayweb.com/stats.php?userID=1 for example, the script randomly
> chooses a mirror to redirect the user to in order to generate the graphic.
>
> It would seem that Norton is over zealous. There is nothing to fear - these
> sites are not trying to hack your PCs.
>
> Unfortunately, the current mirroring system is the only solution I have to my
> bandwidth problem, unless I win the lottery, or someone else does and donates
> their winnings to my site :)
>
> Please let me know if the mirror system is going to cause you problems.
>
> Neil Munday
>
> http://seti.mundayweb.com
> http://seti2.mundayweb.com
> http://www.mundayweb.com/setigraph
>
Actually Neil, Norton says we are attacking their site, if I am reading what Norton says correctly. I will run with your answer because now that you said they were your mirrors I remember you saying you did some updating in Perl to your site or something to that effect.
Thank you for clearing that up for us.

Christopher Hauber
Joined: 10 Feb 01
Posts: 196
Credit: 71,611
RAC: 0
United States
Message 8351 - Posted: 15 Jul 2004, 16:46:57 UTC - in response to Message 8347.  

Well that is the most sound argument/reason that I have seen yet. I do understand really frequent posts like that could be a bit excessive and perhaps should be limited some. But I do think that periodic random posts are kind of fun. Shakes things up a bit. And things do need to be shaken sometimes. :)


> It could have happened to anyone anytime anywhere. I still support the
> pictures,
>
> -------------
>
> I agree with those supporting pictures, for they can sometimes be funny or
> useful in a technical discussion, for example. But I do not agree with posting
> pictures just for posting pictures. It is pretty annoying and sometimes
> disrespectful. The problem with Guido's behavior is that he joins a discussion
> with an "and now for something completely different" message with a huge pic of
> Bill Gates. What the f..k does it bring to the discussion? Whom is he
> addressing, what is it he wanted to express, does it contain any personal
> attack that only he can understand? I have nothing personal against him.
> It's just that the very vast majority of people here have asked him politely
> to stop doing that, but he just keeps on posting more and more. He says he wants
> to improve his English; well, that's very good for him and a discussion board
> is a good place to practice, that's what I'm doing right now, but he won't
> improve anything by posting pics.

Darren
Volunteer tester
Joined: 2 Jul 99
Posts: 259
Credit: 280,503
RAC: 0
United States
Message 8353 - Posted: 15 Jul 2004, 16:52:04 UTC

I don't think there's any relation to the name of the image (goggle~1) and the goggle software. The image from Sim City actually exists on their server by that name. The goggle software doesn't allow you to search for images yourself, it runs on your own computer and just changes your desktop wallpaper to a random image it found through google. Google allows you to search for pictures, but goggle doesn't.

The cookie is easy to explain. Remember that the forum here does not have any actual pictures on it except the ones that it uses itself (the seti logo at the top and the little heads beside usernames with profiles). Every other picture you see is called from a remote location by your computer. The forum only sends you the html code to allow your computer to go to the remote site to fetch the image the code calls for. When you load any page with any images at all, your computer is directly contacting the site that hosts that image to get it.

The Sim City site put a session cookie on my system when it fetched the image. Nothing harmful in that.


ID: 8353 · Report as offensive
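
Added example, not code from the thread, from Neil's site or from the forum software: a short Python script that does mechanically what Darren describes above (list every host a browser will be sent to for a page's images) and then follows a simulated stats.php redirect the way Neil describes in his earlier post, so the host that finally serves the image is not the one named in the img tag. The page markup, the /stats.php path handling, the 302 response shape and the host example-host.invalid are constructed for illustration; the two mirror hostnames are the ones named in this thread.

```python
import random
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample page: one image served by the forum itself and two
# hotlinked images. example-host.invalid stands in for any third-party host.
PAGE_URL = "http://setiweb.ssl.berkeley.edu/forum_thread.php?id=1370"
SAMPLE_HTML = """
<html><body>
<img src="/img/seti_logo.gif" alt="forum's own image">
<p>post text</p>
<img src="http://seti2.mundayweb.com/stats.php?userID=1" alt="stats signature">
<img src="http://example-host.invalid/sig.jpg" alt="another hotlinked image">
</body></html>
"""

# Mirror hosts named in this thread; the path appended to them is an assumption.
MIRRORS = ["http://www.gr-crew.de/", "http://www.wuschelkiste.de/"]
REDIRECT_STATUSES = {301, 302, 303, 307, 308}


class ImgSrcCollector(HTMLParser):
    """Collect every <img src=...> value, in document order."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag == "img":
            for name, value in attrs:
                if name == "src" and value:
                    self.srcs.append(value)


def image_urls(page_url, html):
    """Absolute URLs the browser will request for the page's images."""
    collector = ImgSrcCollector()
    collector.feed(html)
    return [urljoin(page_url, src) for src in collector.srcs]


def third_party_hosts(page_url, html):
    """Hosts other than the page's own that the img tags point at directly."""
    own = urlsplit(page_url).hostname
    hosts = {urlsplit(u).hostname for u in image_urls(page_url, html)}
    return sorted(h for h in hosts if h != own)


def fake_fetch(url, rng):
    """Offline stand-in for an HTTP GET: returns (status, headers).

    Models the behaviour described in the thread: stats.php answers with a
    redirect to a randomly chosen mirror. Everything else answers 200.
    """
    parts = urlsplit(url)
    if parts.hostname == "seti2.mundayweb.com" and parts.path == "/stats.php":
        target = rng.choice(MIRRORS) + "stats.php"
        if parts.query:
            target += "?" + parts.query
        return 302, {"Location": target}
    return 200, {}


def hosts_contacted(url, rng=None, fetch=fake_fetch, max_hops=5):
    """Follow Location headers as a browser would; return every host touched."""
    if rng is None:
        rng = random.Random(2004)  # fixed seed so runs are reproducible
    chain = []
    for _ in range(max_hops):
        chain.append(urlsplit(url).hostname)
        status, headers = fetch(url, rng)
        if status not in REDIRECT_STATUSES or "Location" not in headers:
            return chain
        url = urljoin(url, headers["Location"])  # Location may be relative
    raise RuntimeError("redirect loop or too many hops for %s" % url)


def page_contact_report(page_url, html, rng=None):
    """Map each img URL to the hosts actually contacted, redirects included."""
    if rng is None:
        rng = random.Random(2004)
    return {u: hosts_contacted(u, rng) for u in image_urls(page_url, html)}


if __name__ == "__main__":
    print("third-party hosts in the markup:", third_party_hosts(PAGE_URL, SAMPLE_HTML))
    for url, chain in page_contact_report(PAGE_URL, SAMPLE_HTML).items():
        print(url, "->", " -> ".join(chain))
```

Run stand-alone it prints one chain per image. The markup only ever names seti2.mundayweb.com, yet the second connection for that image goes to whichever mirror the redirect picked. That mirror host is what a host-based firewall on the viewer's PC sees and names in its alert, which is why gr-crew.de and wuschelkiste.de turn up in the Norton logs even though no img tag on the forum points at them.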

Neil Munday
Joined: 10 Apr 01
Posts: 102
Credit: 244,709
RAC: 0
United Kingdom
Message 8354 - Posted: 15 Jul 2004, 17:08:29 UTC - in response to Message 8350.  

> Actually Neil, Norton says we are attacking their site, if I am reading what
> Norton says correctly. I will run with your answer because now that you said
> they were your mirrors I remember you saying you did some updating in Perl to
> your site or something to that effect.
> Thank you for clearing that up for us.

No problem.

No Perl scripts are used to interact with users - you cannot access them. The only Perl script I run is used to update http://www.mundayweb.com/setigraph daily as a cron job and has nothing to do with http://seti2.mundayweb.com.

Regards,

Neil Munday

http://seti.mundayweb.com
http://seti2.mundayweb.com
http://www.mundayweb.com/setigraph

Christopher Hauber
Joined: 10 Feb 01
Posts: 196
Credit: 71,611
RAC: 0
United States
Message 8358 - Posted: 15 Jul 2004, 17:22:12 UTC - in response to Message 8353.  

Drrr! That makes perfect sense. I'm surprised I didn't pick up on the cookie thing earlier. Although I don't know anything about goggle so I will just have to take your word for that but it makes sense especially since it came straight from EA.

It's good that it is just a matter of the site mirroring, and kind of ironic that the images that WEREN'T being complained about actually caused it rather than the images that were. Hmmm...

Just for the record, my last post in this thread is still one I stand by even though the pictures in question seem to have been cleared.

> I don't think there's any relation to the name of the image (goggle~1) and the
> goggle software. The image from Sim City actually exists on their server by
> that name. The goggle software doesn't allow you to search for images
> yourself, it runs on your own computer and just changes your desktop wallpaper
> to a random image it found through google. Google allows you to search for
> pictures, but goggle doesn't.
>
> The cookie is easy to explain. Remember that the forum here does not have any
> actual pictures on it except the ones that it uses itself (the seti logo at
> the top and the little heads beside usernames with profiles). Every other
> picture you see is called from a remote location by your computer. The
> forum only sends you the html code to allow your computer to go to the remote
> site to fetch the image the code calls for. When you load any page with any
> images at all, your computer is directly contacting the site that hosts that
> image to get it.
>
> The Sim City site put a session cookie on my system when it fetched the image.
> Nothing harmful in that.

CyberGoyle
Joined: 2 Jun 99
Posts: 160
Credit: 3,622,756
RAC: 26
United States
Message 8410 - Posted: 15 Jul 2004, 19:46:52 UTC

Thanks for chiming in Neil. That thought DID occur to me but I was just following those two threads posted earlier. Now that the mystery Norton script attack has been exposed, I am still left wondering what the weird image file from EA site was trying to do. Seems now that the two issues were unrelated.

On a side note, I apologize to Guido - I never meant to imply that he either purposely linked a compromised image or was acting maliciously in any way. Also, I didn't mean to fuel the 'Guido image bashing' threads. I simply pointed out that it was his post that included the suspect image so others could find what I was talking about (that particular forum is rather large). Sorry.

If anyone finds an answer to this mystery, I'm interested in hearing it.



EclipseHA
Joined: 28 Jul 99
Posts: 1018
Credit: 530,719
RAC: 0
United States
Message 8489 - Posted: 16 Jul 2004, 0:42:43 UTC

Seems to me, if the sigs are causing a "Norton flag", they should be discontinued.

Not a popular view, I'm sure....

But consider:

1) Norton is used by a whole bunch of folks

2) if a new user starts getting warnings from norton the first time they hit this set of forums, they won't read this thread, and will just get "concerned", will back out, and not come back! "Heck I went to the forum and got all these messages from Norton" "I'm not going back!" (for each question here, there could have been 20 that got the error and won't come back!)
ID: 8489 · Report as offensive
SURVEYOR
Volunteer tester

Send message
Joined: 19 Oct 02
Posts: 375
Credit: 608,422
RAC: 0
United States
Message 8518 - Posted: 16 Jul 2004, 2:41:53 UTC
Last modified: 16 Jul 2004, 3:17:37 UTC

This is what my Norton Personal Firewall 2004 caught.

7/15/2004 7:15:43 PM,Intrusion: HTTP_ActivePerl_Overflow,"Intrusion: HTTP_ActivePerl_Overflow Intruder: localhost(3116). Risk Level: Medium
Protocol: TCP. Attacked IP: www.wuschelkiste.de(81.209.148.203) Attacked Port: http(80)."


inetnum: 81.209.148.0 - 81.209.148.255
netname: LNCDE-ALL-INKL
descr: Customer Server all-inkl.com
country: DE
admin-c: RM1862-RIPE
tech-c: RM1862-RIPE
tech-c: LNCD-RIPE
status: ASSIGNED PA
notify: hostmaster@de.lambdanet.net
mnt-by: LNCD-MNT
mnt-lower: LNCD-MNT
changed: michael.strunz-kroll@lambdanet.net 20030127
changed: karsten.koepp@lambdanet.net 20031230
source: RIPE

Fred
BOINC Alpha Tester
BOINC Beta Tester

Edit: on page
http://setiweb.ssl.berkeley.edu/forum_thread.php?id=1595

7/15/2004 7:44:33 PM,Intrusion: HTTP_ActivePerl_Overflow,"Intrusion: HTTP_ActivePerl_Overflow Intruder: localhost(3281). Risk Level: Medium
Protocol: TCP. Attacked IP: www.gr-crew.de(217.195.36.7) Attacked Port: http(80)."

Edit # 2

7/15/2004 7:43:53 PM,Ad,http://www.wuschelkiste.de/down2/,"Content Blocked: Date Time: 7/15/2004 7:43:53 PM User: Action: Blocked Type: Ad
URL: http://www.wuschelkiste.de/down2/ Data: IMG src=""http://images-eu.amazon.com/images/G/03/associates/recommends/468x60.gif"" (Reason:
width=468 height=60) "
ID: 8518 · Report as offensive
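
Added example, not part of SURVEYOR's post: a Python parser for the Norton Personal Firewall 2004 log lines quoted above. It reads the comma-separated export (the quoted detail field wraps over more than one line), pulls out the intruder, target and port fields, and marks an alert as outbound when the intruder is localhost on an ephemeral port, which is the case for both entries here: the firewall flagged the local browser's own request to the mirror, not a connection coming in. The sample log is the text from the post; the field layout is assumed from those lines only, so other Norton versions may need the regular expression adjusted.

```python
import csv
import io
import re
from dataclasses import dataclass
from datetime import datetime

# Constructed sample: the three entries quoted in the post above, in the
# comma-separated form they appear in there (the quoted detail field wraps).
SAMPLE_LOG = '''7/15/2004 7:15:43 PM,Intrusion: HTTP_ActivePerl_Overflow,"Intrusion: HTTP_ActivePerl_Overflow Intruder: localhost(3116). Risk Level: Medium
Protocol: TCP. Attacked IP: www.wuschelkiste.de(81.209.148.203) Attacked Port: http(80)."
7/15/2004 7:43:53 PM,Ad,http://www.wuschelkiste.de/down2/,"Content Blocked: Date Time: 7/15/2004 7:43:53 PM User: Action: Blocked Type: Ad
URL: http://www.wuschelkiste.de/down2/ Data: IMG src=""http://images-eu.amazon.com/images/G/03/associates/recommends/468x60.gif"" (Reason:
width=468 height=60) "
7/15/2004 7:44:33 PM,Intrusion: HTTP_ActivePerl_Overflow,"Intrusion: HTTP_ActivePerl_Overflow Intruder: localhost(3281). Risk Level: Medium
Protocol: TCP. Attacked IP: www.gr-crew.de(217.195.36.7) Attacked Port: http(80)."
'''

# Field layout assumed from the quoted lines only.
DETAIL_RE = re.compile(
    r"Intruder:\s*(?P<intruder>[^\s(]+)\((?P<intruder_port>\d+)\)\.\s*"
    r"Risk Level:\s*(?P<risk>\w+)\s*"
    r"Protocol:\s*(?P<proto>\w+)\.\s*"
    r"Attacked IP:\s*(?P<host>[^\s(]+)\((?P<ip>[\d.]+)\)\s*"
    r"Attacked Port:\s*(?P<service>\w+)\((?P<port>\d+)\)",
    re.S,
)
TIME_FMT = "%m/%d/%Y %I:%M:%S %p"
INTRUSION_PREFIX = "Intrusion: "


@dataclass
class Intrusion:
    when: datetime
    signature: str
    intruder: str
    intruder_port: int
    risk: str
    proto: str
    target_host: str
    target_ip: str
    target_port: int

    @property
    def outbound(self):
        """True when the 'intruder' is this machine on a client-side port:
        the signature matched a request the local browser sent, not
        traffic arriving from outside."""
        return self.intruder == "localhost" and self.intruder_port >= 1024


def parse_norton_log(text):
    """Parse intrusion rows; content-block rows and unparseable rows are skipped."""
    events = []
    for row in csv.reader(io.StringIO(text)):
        if len(row) < 3 or not row[1].startswith(INTRUSION_PREFIX):
            continue
        m = DETAIL_RE.search(row[-1])
        if m is None:
            continue
        events.append(Intrusion(
            when=datetime.strptime(row[0], TIME_FMT),
            signature=row[1][len(INTRUSION_PREFIX):],
            intruder=m["intruder"],
            intruder_port=int(m["intruder_port"]),
            risk=m["risk"],
            proto=m["proto"],
            target_host=m["host"],
            target_ip=m["ip"],
            target_port=int(m["port"]),
        ))
    return events


def summarize(events):
    """Count alerts per (signature, target host, direction)."""
    counts = {}
    for e in events:
        key = (e.signature, e.target_host, "outbound" if e.outbound else "inbound")
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    events = parse_norton_log(SAMPLE_LOG)
    for e in events:
        direction = "outbound" if e.outbound else "inbound"
        print(e.when, e.signature, direction, "->",
              e.target_host, e.target_ip, e.target_port)
    print(summarize(events))
```

Both intrusion rows come out as outbound: the intruder is localhost on ports 3116 and 3281, which are client-side ephemeral ports, and the "attacked" side is the mirror's port 80. That matches BigDawg's reading above that Norton is reporting the viewer's own machine as the attacker. What the signature actually matched in the request is not in the log and is not something this parser can tell; a capture of the request the browser sent to the mirror would be the next thing to look at.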

Jord
Volunteer tester
Joined: 9 Jun 99
Posts: 15184
Credit: 4,362,181
RAC: 3
Netherlands
Message 8521 - Posted: 16 Jul 2004, 3:01:27 UTC - in response to Message 8489.  

> Seems to me, if the sigs are causing a "Norton flag", they should be
> discontinued.
>

It's not the sigs themselves, AZ. If you'd taken the time to read Neil's answer, you'd have found out it is the mirror sites for the sigs, or at least the German one.

If you want to be helpful, then give Neil some help on a mirror site that won't let Norton go into cardiac arrest.
----------------------
Jord™


Belial
Joined: 22 Jan 02
Posts: 47
Credit: 63,100
RAC: 0
United States
Message 8524 - Posted: 16 Jul 2004, 3:08:07 UTC
Last modified: 16 Jul 2004, 3:10:44 UTC

Maybe Norton should fix the firewall software so it's more intelligent.


It's got to be a fairly common problem no matter what forum you visit.


If something can be done it will be. A firewall should be able to discern better what's good and bad.

SURVEYOR
Volunteer tester
Joined: 19 Oct 02
Posts: 375
Credit: 608,422
RAC: 0
United States
Message 8526 - Posted: 16 Jul 2004, 3:19:12 UTC

see my Edit # 2 to my post below
BOINC Alpha Tester
BOINC Beta Tester

EclipseHA
Joined: 28 Jul 99
Posts: 1018
Credit: 530,719
RAC: 0
United States
Message 8527 - Posted: 16 Jul 2004, 3:22:21 UTC - in response to Message 8524.  

> Maybe Norton should fix the firewall software so it's more intelligent.
>
>
> It's got to be a fairly common problem no matter what forum you visit.

Based on what I've read here, not real common. It has to do with re-directs in Perl due to limited bandwidth. The re-directs are seen in the same way as a "re-direct" for bad reasons!

EclipseHA
Joined: 28 Jul 99
Posts: 1018
Credit: 530,719
RAC: 0
United States
Message 8528 - Posted: 16 Jul 2004, 3:23:36 UTC - in response to Message 8521.  
Last modified: 16 Jul 2004, 3:25:33 UTC

> > Seems to me, if the sigs are causing a "Norton flag", they should be
> > discontinued.
> >
>
> It's not the sigs themselves, AZ. If you'd taken the time to read Neil's
> answer, you'd have found out it is the mirror sites for the sigs, or at least
> the German one.

The problem is the mirroring! I did read and do understand! Did you? More mirrors will just make the problem worse!

©2024 University of California