From: "Frank Shute"
Date: Tue, 8 Feb 2005 18:15:32 +0000
To: FreeBSD UK
cc: FreeBSD chat
Subject: Spyware on FreeBSD!?
Message-ID: <20050208181532.GA8508@peach.veggie.com>
User-Agent: Mutt/1.4.2.1i
X-Operating-System: FreeBSD 4.11-PRERELEASE i386
List-Id: Non technical items related to the community

Bad news, looks like my machine has been infected with some Spyware.

I noticed that on surfing to:

http://news.bbc.co.uk/

or anything under that domain, I was getting some outgoing activity and Firefox was after a URL (as shown by the status bar) somewhere under the domain:

http://bbcnewscouk.112.2o7.net/

A quick Google on 2o7.net confirmed my worst fears: spyware! and a 2o7.net cookie planted on my machine.
I cached some pages in my proxy:

http://bbcnewscouk.112.2o7.net/b/ss/bbcnewscouk/1/G.7-Pd-R/s68107022286455?purl=http%3A%2F%2Fnews.bbc.co.uk%2F&pccr=true&%5BAQB%5D&ndh=1&t=8/1/2005+2:21:56+2+0&cdp=3&pageName=BBC+NEWS+|+News+Front+Page&g=http://news.bbc.co.uk/&cc=GBP&c1=1&s=1152x864&c=24&j=1.3&v=N&k=Y&bw=1129&bh=543&p=Default+Plugin%3B&%5BAQE%5D

http://bbcnewscouk.112.2o7.net/b/ss/bbcnewscouk/1/G.7-Pd-R/s68107022286455?purl=http://news.bbc.co.uk/&pccr=true&%5BAQB%5D&ndh=1&t=8/1/2005+2:21:56+2+0&cdp=3&pageName=BBC+NEWS+|+News+Front+Page&g=http://news.bbc.co.uk/&cc=GBP&c1=1&s=1152x864&c=24&j=1.3&v=N&k=Y&bw=1129&bh=543&p=Default+Plugin%3B&%5BAQE%5D

Looks like some sort of perl script which returns a 2x2 gif, whilst harvesting your browsing habits (and screen & window size - by calling JavaScript functions in Firefox?)

I wonder if they use different sub-domains to collect stats on different sites. This particular variant seems to be only activated by a visit to BBC news. I had a grovel in the source of the BBC news homepage but found no reference to 2o7.net (For a minute I thought the BBC had turned evil on me!)

I'm going to do a little bit more investigation on it - I tried removal by obliterating my Firefox profile but no joy. The only thing I saved was my bookmarks file, which looks sound.

Spyware on a unix machine? Tell me it's not so! :(

BTW: FreeBSD 4.11-PRERELEASE
firefox-1.0.r1,1

I know the latter has some vulnerabilities and I'll update it in due course (and the OS).

I think I'm going to build Links/Lynx with SSL and use that for my banking from now on (if I can).

Anybody aware of other reports of spyware infecting Unix machines?

Anyway, I'm gutted. I feel like I've been violated and humiliated. In short, I feel like a Windows user does everyday!!
The truth: I feel a bit pissed off but I urge people to take no action against 2o7.net like DOS or cracking their webserver and trashing it.....I'll do that myself ;)

--
Frank

print "f r a n k @ e s p e r a n c e - l i n u x . c o . u k" | sed 's/ //g'

--->PGP keyID: 0x10BD6F4B<---
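An added example, not part of Frank's post: a Python script that decodes the first cached beacon URL quoted above to show which fields about the browser and the visited page the query string carries, plus a small check that flags this kind of third-party collector request in proxy logs. The field meanings are an interpretation from the values (assumption), not something the post states.

```python
# Added example: decode the 2o7.net beacon URL from the post and list what it reports.
from urllib.parse import urlsplit, parse_qsl

# First cached URL from the post, embedded here as the sample input.
BEACON_URL = ("http://bbcnewscouk.112.2o7.net/b/ss/bbcnewscouk/1/G.7-Pd-R/s68107022286455"
              "?purl=http%3A%2F%2Fnews.bbc.co.uk%2F&pccr=true&%5BAQB%5D&ndh=1"
              "&t=8/1/2005+2:21:56+2+0&cdp=3&pageName=BBC+NEWS+|+News+Front+Page"
              "&g=http://news.bbc.co.uk/&cc=GBP&c1=1&s=1152x864&c=24&j=1.3&v=N&k=Y"
              "&bw=1129&bh=543&p=Default+Plugin%3B&%5BAQE%5D")

# Interpretation of the parameters from their values (assumption; the post does not
# document them). Each one is something the browser reveals to the collector.
FIELD_LABELS = {
    "g": "URL of the page being viewed",
    "purl": "page URL (referer-style copy)",
    "pageName": "page title as labelled by the site",
    "t": "local timestamp of the visit",
    "s": "screen resolution",
    "c": "colour depth (bits)",
    "j": "JavaScript version",
    "k": "cookies enabled",
    "bw": "browser window width",
    "bh": "browser window height",
    "p": "installed plugins",
    "cc": "currency code (locale hint)",
}

def parse_beacon(url):
    """Return (host, path, decoded query fields) for a beacon URL."""
    parts = urlsplit(url)
    # keep_blank_values keeps the [AQB]/[AQE] sentinels, which carry no value.
    fields = dict(parse_qsl(parts.query, keep_blank_values=True))
    return parts.hostname, parts.path, fields

def is_third_party_beacon(page_host, beacon_url):
    """True when the request leaves the site being read and hits the collector path;
    a simple signature for spotting such tracking requests in proxy logs."""
    host, path, _ = parse_beacon(beacon_url)
    same_site = host == page_host or host.endswith("." + page_host)
    return (not same_site) and path.startswith("/b/ss/")

def describe_leak(url):
    """(label, value) pairs for the fields that describe the visitor or the page."""
    _, _, fields = parse_beacon(url)
    return [(FIELD_LABELS[k], v) for k, v in fields.items() if k in FIELD_LABELS]

if __name__ == "__main__":
    host, path, _ = parse_beacon(BEACON_URL)
    print(f"collector: {host}{path}")
    for label, value in describe_leak(BEACON_URL):
        print(f"  {label:40s} {value}")
```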