Date: Tue, 8 Feb 2005 20:13:59 +0000
From: "Frank Shute" <frank@esperance-linux.co.uk>
To: Mark Ovens <marko@freebsd.org>
Cc: FreeBSD UK <freebsd-users@uk.freebsd.org>
Subject: Re: Spyware on FreeBSD!?
Message-ID: <20050208201359.GA9104@peach.veggie.com>
In-Reply-To: <42090774.2070805@freebsd.org>
References: <20050208181532.GA8508@peach.veggie.com> <42090774.2070805@freebsd.org>

On Tue, Feb 08, 2005 at 06:39:48PM +0000, Mark Ovens wrote:
>
> Frank Shute wrote:
> >Bad news, looks like my machine has been infected with some Spyware.
> >
> >I noticed that on surfing to: http://news.bbc.co.uk/ or anything under
> >that domain, I was getting some outgoing activity and Firefox was
> >after a URL (as shown by the status bar) somewhere under the domain:
> >
> >http://bbcnewscouk.112.2o7.net/
> >
> >A quick Google on 2o7.net confirmed my worst fears: spyware!
> >
> >and a 2o7.net cookie planted on my machine.
> >
> >I cached some pages in my proxy <excerpt>:
> >
> >http://bbcnewscouk.112.2o7.net/b/ss/bbcnewscouk/1/G.7-Pd-R/s68107022286455?purl=http%3A%2F%2Fnews.bbc.co.uk%2F&pccr=true&%5BAQB%5D&ndh=1&t=8/1/2005+2:21:56+2+0&cdp=3&pageName=BBC+NEWS+|+News+Front+Page&g=http://news.bbc.co.uk/&cc=GBP&c1=1&s=1152x864&c=24&j=1.3&v=N&k=Y&bw=1129&bh=543&p=Default+Plugin%3B&%5BAQE%5D
> >
> >http://bbcnewscouk.112.2o7.net/b/ss/bbcnewscouk/1/G.7-Pd-R/s68107022286455?purl=http://news.bbc.co.uk/&pccr=true&%5BAQB%5D&ndh=1&t=8/1/2005+2:21:56+2+0&cdp=3&pageName=BBC+NEWS+|+News+Front+Page&g=http://news.bbc.co.uk/&cc=GBP&c1=1&s=1152x864&c=24&j=1.3&v=N&k=Y&bw=1129&bh=543&p=Default+Plugin%3B&%5BAQE%5D
> >
> >Looks like some sort of perl script which returns a 2x2 gif, whilst
> >harvesting your browsing habits (and screen & windowsize - by calling
> >Javascript functions in Firefox?)
> >
>
> % whois 2o7.net
>
> [....]
>
> Registrant:
> Omniture, Inc. (2O41-DOM)
> 550 East Timpanogos Cir
> Building G
> Orem, UT 84097
> US
>
> From BBC's Privacy and Cookies Policy (there's a link at the bottom of
> the main page) http://www.bbc.co.uk/privacy/
>
> 2. Visitor Information
>
> [....]
>
> "The BBC also uses a company called Omniture to track and analyse
> non-personally identifiable usage and statistical information about
> volume of visitors to the BBC News pages on bbc.co.uk in order to
> measure the effectiveness of the BBC News web pages and improve services
> to users. Please note that this is not personal information, only
> general summaries of the activities of visitors to bbc.co.uk. If you
> wish to reject the Omniture cookies, you can use the process set out
> below in point 7. Further information regarding Omniture's privacy
> statement can be found at http://www.omniture.com/policy.html#cookies."
>
> Blocking the cookies does not stop the site working.

Cheers Mark.

I looked at that page too, skim read it and missed it.

It was only in the last few days that I'd noticed the behaviour I
described. It's probably been like that for months but I was too drunk
to notice it or something :)

Huge relief. I thought I'd installed a nefarious XPI - if such things
exist.

Apologies to all for any alarm caused! I think I'm a bit paranoid ATM
due to some unpleasant personal circumstances.

--

Frank

print "f r a n k @ e s p e r a n c e - l i n u x . c o . u k" | sed 's/ //g'

--->PGP keyID: 0x10BD6F4B<---
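
Added example, not part of the original messages: a short Python check that takes the first beacon URL from the proxy excerpt above, decides whether it goes to a different site than the page being viewed, and lists the browser details it carries. The field meanings in `FIELD_LABELS` and the helper names are assumptions inferred from the values in the excerpt, not a vendor specification.

```python
from urllib.parse import urlsplit, parse_qs

# Beacon URL copied from the first proxy excerpt in the message above.
BEACON = (
    "http://bbcnewscouk.112.2o7.net/b/ss/bbcnewscouk/1/G.7-Pd-R/s68107022286455"
    "?purl=http%3A%2F%2Fnews.bbc.co.uk%2F&pccr=true&%5BAQB%5D&ndh=1"
    "&t=8/1/2005+2:21:56+2+0&cdp=3&pageName=BBC+NEWS+|+News+Front+Page"
    "&g=http://news.bbc.co.uk/&cc=GBP&c1=1&s=1152x864&c=24&j=1.3&v=N&k=Y"
    "&bw=1129&bh=543&p=Default+Plugin%3B&%5BAQE%5D"
)

# Assumed meanings, inferred from the values seen in the excerpt.
FIELD_LABELS = {
    "g": "page URL", "pageName": "page title", "t": "client timestamp",
    "s": "screen resolution", "c": "colour depth",
    "bw": "window width", "bh": "window height", "p": "plugins",
}

def site_key(host):
    """Crude site key: last two labels, or three for co.uk-style suffixes.
    A real check would use the public suffix list."""
    parts = host.lower().split(".")
    two_level = len(parts) >= 3 and len(parts[-1]) == 2 and parts[-2] in (
        "co", "org", "ac", "gov")
    return ".".join(parts[-3:] if two_level else parts[-2:])

def analyse_beacon(url):
    """Return beacon host, page host, third-party verdict and labelled fields."""
    u = urlsplit(url)
    q = parse_qs(u.query, keep_blank_values=True)
    page_host = urlsplit(q.get("g", [""])[0]).hostname or ""
    disclosed = {FIELD_LABELS[k]: v[0] for k, v in q.items() if k in FIELD_LABELS}
    return {
        "beacon_host": u.hostname,
        "page_host": page_host,
        "third_party": site_key(u.hostname or "") != site_key(page_host),
        "disclosed": disclosed,
    }

if __name__ == "__main__":
    report = analyse_beacon(BEACON)
    print(report["beacon_host"], "third-party:", report["third_party"])
    for label, value in report["disclosed"].items():
        print(f"  {label}: {value}")
```

Run over proxy log lines, the same function separates first-party requests from analytics beacons like this one and shows which fields a cookie or host block would stop from leaving the machine.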