Spyware on FreeBSD!?
Frank Shute
frank at esperance-linux.co.uk
Tue Feb 8 10:16:20 PST 2005
Bad news, looks like my machine has been infected with some Spyware.
I noticed that on surfing to: http://news.bbc.co.uk/ or anything under
that domain, I was getting some outgoing activity and Firefox was
after a URL (as shown by the status bar) somewhere under the domain:
http://bbcnewscouk.112.2o7.net/
A quick Google on 2o7.net confirmed my worst fears: spyware!
and a 2o7.net cookie planted on my machine.
I cached some pages in my proxy <excerpt>:
http://bbcnewscouk.112.2o7.net/b/ss/bbcnewscouk/1/G.7-Pd-R/s68107022286455?purl=http%3A%2F%2Fnews.bbc.co.uk%2F&pccr=true&%5BAQB%5D&ndh=1&t=8/1/2005+2:21:56+2+0&cdp=3&pageName=BBC+NEWS+|+News+Front+Page&g=http://news.bbc.co.uk/&cc=GBP&c1=1&s=1152x864&c=24&j=1.3&v=N&k=Y&bw=1129&bh=543&p=Default+Plugin%3B&%5BAQE%5D
http://bbcnewscouk.112.2o7.net/b/ss/bbcnewscouk/1/G.7-Pd-R/s68107022286455?purl=http://news.bbc.co.uk/&pccr=true&%5BAQB%5D&ndh=1&t=8/1/2005+2:21:56+2+0&cdp=3&pageName=BBC+NEWS+|+News+Front+Page&g=http://news.bbc.co.uk/&cc=GBP&c1=1&s=1152x864&c=24&j=1.3&v=N&k=Y&bw=1129&bh=543&p=Default+Plugin%3B&%5BAQE%5D
Looks like some sort of perl script which returns a 2x2 gif, whilst
harvesting your browsing habits (and screen & windowsize - by calling
Javascript functions in Firefox?)
I wonder if they use different sub-domains to collect stats on
different sites. This particular variant seems to be only activated by
a visit to BBC news.
I had a grovel in the source of the BBC news homepage but found no
reference to 2o7.net (For a minute I thought the BBC had turned evil
on me!)
I'm going to do a little bit more investigation on it - I tried
removal by obliterating my Firefox profile but no joy. The only thing
I saved was my bookmarks file, which looks sound.
Spyware on a unix machine? Tell me it's not so! :(
BTW:
FreeBSD 4.11-PRERELEASE
firefox-1.0.r1,1
I know the latter has some vulnerabilities and I'll update it in due
course (and the OS).
I think I'm going to build Links/Lynx with SSL and use that for my
banking from now on (if I can).
Anybody aware of other reports of spyware infecting Unix machines?
Anyway, I'm gutted. I feel like I've been violated and humiliated. In
short, I feel like a Windows user does everyday!!
The truth: I feel a bit pissed off but I urge people to take no action
against 2o7.net like DOS or cracking their webserver and trashing
it.....I'll do that myself ;)
--
Frank
print "f r a n k @ e s p e r a n c e - l i n u x . c o . u k" | sed 's/ //g'
--->PGP keyID: 0x10BD6F4B<---
More information about the freebsd-chat
mailing list