From owner-freebsd-chat@FreeBSD.ORG Tue Feb 8 20:16:00 2005
From: "Frank Shute"
Date: Tue, 8 Feb 2005 20:13:59 +0000
To: Mark Ovens
cc: FreeBSD chat
cc: FreeBSD UK
Subject: Re: Spyware on FreeBSD!?
Message-ID: <20050208201359.GA9104@peach.veggie.com>
References: <20050208181532.GA8508@peach.veggie.com> <42090774.2070805@freebsd.org>
In-Reply-To: <42090774.2070805@freebsd.org>
User-Agent: Mutt/1.4.2.1i
X-Operating-System: FreeBSD 4.11-PRERELEASE i386
X-Organisation: 'Esperance Linux'
List-Id: Non technical items related to the community

On Tue, Feb 08, 2005 at 06:39:48PM +0000, Mark Ovens wrote:
>
> Frank Shute wrote:
> >Bad news, looks like my machine has been infected with some Spyware.
> >
> >I noticed that on surfing to: http://news.bbc.co.uk/ or anything under
> >that domain, I was getting some outgoing activity and Firefox was
> >after a URL (as shown by the status bar) somewhere under the domain:
> >
> >http://bbcnewscouk.112.2o7.net/
> >
> >A quick Google on 2o7.net confirmed my worst fears: spyware!
> >
> >and a 2o7.net cookie planted on my machine.
> >
> >I cached some pages in my proxy :
> >
> >http://bbcnewscouk.112.2o7.net/b/ss/bbcnewscouk/1/G.7-Pd-R/s68107022286455?purl=http%3A%2F%2Fnews.bbc.co.uk%2F&pccr=true&%5BAQB%5D&ndh=1&t=8/1/2005+2:21:56+2+0&cdp=3&pageName=BBC+NEWS+|+News+Front+Page&g=http://news.bbc.co.uk/&cc=GBP&c1=1&s=1152x864&c=24&j=1.3&v=N&k=Y&bw=1129&bh=543&p=Default+Plugin%3B&%5BAQE%5D
> >
> >http://bbcnewscouk.112.2o7.net/b/ss/bbcnewscouk/1/G.7-Pd-R/s68107022286455?purl=http://news.bbc.co.uk/&pccr=true&%5BAQB%5D&ndh=1&t=8/1/2005+2:21:56+2+0&cdp=3&pageName=BBC+NEWS+|+News+Front+Page&g=http://news.bbc.co.uk/&cc=GBP&c1=1&s=1152x864&c=24&j=1.3&v=N&k=Y&bw=1129&bh=543&p=Default+Plugin%3B&%5BAQE%5D
> >
> >Looks like some sort of perl script which returns a 2x2 gif, whilst
> >harvesting your browsing habits (and screen & windowsize - by calling
> >Javascript functions in Firefox?)
> >
>
> % whois 2o7.net
>
> [....]
>
> Registrant:
> Omniture, Inc. (2O41-DOM)
> 550 East Timpanogos Cir
> Building G
> Orem, UT 84097
> US
>
> From BBC's Privacy and Cookies Policy (there's a link at the bottom of
> the main page) http://www.bbc.co.uk/privacy/
>
> 2. Visitor Information
>
> [....]
>
> "The BBC also uses a company called Omniture to track and analyse
> non-personally identifiable usage and statistical information about
> volume of visitors to the BBC News pages on bbc.co.uk in order to
> measure the effectiveness of the BBC News web pages and improve services
> to users. Please note that this is not personal information, only
> general summaries of the activities of visitors to bbc.co.uk. If you
> wish to reject the Omniture cookies, you can use the process set out
> below in point 7. Further information regarding Omniture's privacy
> statement can be found at http://www.omniture.com/policy.html#cookies."
>
> Blocking the cookies does not stop the site working.

Cheers, Mark. I looked at that page too, skim-read it and missed it.

It was only in the last few days that I'd noticed the behaviour I
described. It's probably been like that for months but I was too drunk
to notice it or something :)

Huge relief. I thought I'd installed a nefarious XPI - if such things
exist.

Apologies to all for any alarm caused! I think I'm a bit paranoid ATM
due to some unpleasant personal circumstances.

--

Frank

print "f r a n k @ e s p e r a n c e - l i n u x . c o . u k" | sed 's/ //g'

--->PGP keyID: 0x10BD6F4B<---
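As an added example (not part of the thread or of any Omniture code), here is a short Python script that takes the cached beacon URL quoted above, checks whether the request goes to a different site from the page being viewed, and lists the fields the beacon carries; the meanings assigned to fields other than screen and window size are assumptions, labelled in the code.

```python
# Added example: inspect a tracking-beacon request captured by a proxy and
# report what it reveals. Not code from the mailing-list thread.
from urllib.parse import urlsplit, parse_qs, unquote

# The first of the two cached URLs quoted in the post, reproduced verbatim.
BEACON_URL = (
    "http://bbcnewscouk.112.2o7.net/b/ss/bbcnewscouk/1/G.7-Pd-R/s68107022286455"
    "?purl=http%3A%2F%2Fnews.bbc.co.uk%2F&pccr=true&%5BAQB%5D&ndh=1"
    "&t=8/1/2005+2:21:56+2+0&cdp=3&pageName=BBC+NEWS+|+News+Front+Page"
    "&g=http://news.bbc.co.uk/&cc=GBP&c1=1&s=1152x864&c=24&j=1.3&v=N&k=Y"
    "&bw=1129&bh=543&p=Default+Plugin%3B&%5BAQE%5D"
)

# Assumed meanings of the query fields. The post itself only says the beacon
# carries browsing habits plus screen and window size; the rest is inferred
# from the sample values and is an assumption.
FIELD_LABELS = {
    "pageName": "page title", "g": "page URL", "purl": "page URL (encoded)",
    "t": "local time", "s": "screen size", "c": "colour depth",
    "bw": "window width", "bh": "window height", "j": "JavaScript version",
    "k": "cookies enabled", "v": "Java enabled", "p": "plugins", "cc": "currency",
}


def site_of(host):
    """Approximate the registrable domain: the last two labels, or three for
    co.uk-style suffixes. A simplification; a real tool would consult the
    public suffix list."""
    labels = host.lower().split(".")
    n = 3 if ".".join(labels[-2:]) in {"co.uk", "org.uk", "ac.uk"} else 2
    return ".".join(labels[-n:])


def analyse_beacon(url):
    """Return where the beacon goes, which page it reports on, whether that
    makes it a third-party request, and the labelled fields it carries."""
    parts = urlsplit(url)
    qs = parse_qs(parts.query, keep_blank_values=True)
    page = qs.get("g", [""])[0] or unquote(qs.get("purl", [""])[0])
    page_host = urlsplit(page).hostname or ""
    collected = {FIELD_LABELS[k]: v[0] for k, v in qs.items() if k in FIELD_LABELS}
    return {
        "tracker_host": parts.hostname,
        "tracker_site": site_of(parts.hostname),
        "page_host": page_host,
        "third_party": site_of(page_host) != site_of(parts.hostname),
        "collected": collected,
    }


if __name__ == "__main__":
    for key, value in analyse_beacon(BEACON_URL).items():
        print(f"{key}: {value}")
```

Run against a proxy access log, the `third_party` flag is what separates the BBC's own requests from the Omniture beacon, and `collected` shows the page title, screen and window size the post describes being sent.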