Message-ID: <42090774.2070805@freebsd.org>
Date: Tue, 08 Feb 2005 18:39:48 +0000
From: Mark Ovens
To: Frank Shute
References: <20050208181532.GA8508@peach.veggie.com>
In-Reply-To: <20050208181532.GA8508@peach.veggie.com>
cc: FreeBSD UK
cc: FreeBSD chat
Subject: Re: Spyware on FreeBSD!?

Frank Shute wrote:
> Bad news, looks like my machine has been infected with some Spyware.
>
> I noticed that on surfing to: http://news.bbc.co.uk/ or anything under
> that domain, I was getting some outgoing activity and Firefox was
> after a URL (as shown by the status bar) somewhere under the domain:
>
> http://bbcnewscouk.112.2o7.net/
>
> A quick Google on 2o7.net confirmed my worst fears: spyware!
>
> and a 2o7.net cookie planted on my machine.
>
> I cached some pages in my proxy :
>
> http://bbcnewscouk.112.2o7.net/b/ss/bbcnewscouk/1/G.7-Pd-R/s68107022286455?purl=http%3A%2F%2Fnews.bbc.co.uk%2F&pccr=true&%5BAQB%5D&ndh=1&t=8/1/2005+2:21:56+2+0&cdp=3&pageName=BBC+NEWS+|+News+Front+Page&g=http://news.bbc.co.uk/&cc=GBP&c1=1&s=1152x864&c=24&j=1.3&v=N&k=Y&bw=1129&bh=543&p=Default+Plugin%3B&%5BAQE%5D
>
> http://bbcnewscouk.112.2o7.net/b/ss/bbcnewscouk/1/G.7-Pd-R/s68107022286455?purl=http://news.bbc.co.uk/&pccr=true&%5BAQB%5D&ndh=1&t=8/1/2005+2:21:56+2+0&cdp=3&pageName=BBC+NEWS+|+News+Front+Page&g=http://news.bbc.co.uk/&cc=GBP&c1=1&s=1152x864&c=24&j=1.3&v=N&k=Y&bw=1129&bh=543&p=Default+Plugin%3B&%5BAQE%5D
>
> Looks like some sort of perl script which returns a 2x2 gif, whilst
> harvesting your browsing habits (and screen & windowsize - by calling
> Javascript functions in Firefox?)
>

% whois 2o7.net

[....]

Registrant:
Omniture, Inc. (2O41-DOM)
   550 East Timpanogos Cir
   Building G
   Orem, UT 84097
   US

From BBC's Privacy and Cookies Policy (there's a link at the bottom of
the main page)

http://www.bbc.co.uk/privacy/

2. Visitor Information

[....]

"The BBC also uses a company called Omniture to track and analyse
non-personally identifiable usage and statistical information about
volume of visitors to the BBC News pages on bbc.co.uk in order to
measure the effectiveness of the BBC News web pages and improve
services to users. Please note that this is not personal information,
only general summaries of the activities of visitors to bbc.co.uk. If
you wish to reject the Omniture cookies, you can use the process set
out below in point 7. Further information regarding Omniture's privacy
statement can be found at http://www.omniture.com/policy.html#cookies."

Blocking the cookies does not stop the site working.

Regards,

Mark
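Added example, not part of the original message: decoding the query string of the first beacon URL quoted above to list which browser attributes the request carries and whether it goes to a different host than the page being read. The field labels in FIELDS are assumptions based on commonly documented Omniture parameter names; the message itself only identifies screen and window size.

```python
from urllib.parse import urlsplit, parse_qsl

# Beacon URL copied from the quoted message (first cached request).
BEACON = ("http://bbcnewscouk.112.2o7.net/b/ss/bbcnewscouk/1/G.7-Pd-R/s68107022286455"
          "?purl=http%3A%2F%2Fnews.bbc.co.uk%2F&pccr=true&%5BAQB%5D&ndh=1"
          "&t=8/1/2005+2:21:56+2+0&cdp=3&pageName=BBC+NEWS+|+News+Front+Page"
          "&g=http://news.bbc.co.uk/&cc=GBP&c1=1&s=1152x864&c=24&j=1.3&v=N&k=Y"
          "&bw=1129&bh=543&p=Default+Plugin%3B&%5BAQE%5D")

# Assumed meanings of the short parameter names (not stated in the message).
FIELDS = {
    "s": "screen resolution", "c": "colour depth",
    "bw": "browser window width", "bh": "browser window height",
    "j": "JavaScript version", "v": "Java enabled", "k": "cookies enabled",
    "p": "plugins", "t": "client timestamp",
    "g": "page URL", "pageName": "page title",
}

def decode_beacon(url):
    """Split a beacon request into labelled client attributes and the rest."""
    parts = urlsplit(url)
    # keep_blank_values keeps bare markers such as [AQB]/[AQE] that have no '='.
    params = dict(parse_qsl(parts.query, keep_blank_values=True))
    client = {FIELDS[k]: v for k, v in params.items() if k in FIELDS}
    other = {k: v for k, v in params.items() if k not in FIELDS}
    beacon_host = parts.hostname
    page_host = urlsplit(params.get("g", "")).hostname
    # Plain host comparison, not a public-suffix lookup: the request is
    # third-party if the beacon host is neither the page host nor under it.
    same_site = page_host is not None and (
        beacon_host == page_host or beacon_host.endswith("." + page_host))
    return {"beacon_host": beacon_host, "page_host": page_host,
            "third_party": not same_site, "client": client, "other": other}

if __name__ == "__main__":
    report = decode_beacon(BEACON)
    print(f"{report['page_host']} -> {report['beacon_host']} "
          f"(third party: {report['third_party']})")
    for label, value in report["client"].items():
        print(f"  {label:22} {value}")
    print("  unlabelled parameters:", ", ".join(report["other"]))
```

The same function can be run over request URLs pulled from a proxy log to see which fields a given tracking request reports.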