Spyware on FreeBSD!?
Frank Shute
frank at esperance-linux.co.uk
Tue Feb 8 12:16:00 PST 2005
On Tue, Feb 08, 2005 at 06:39:48PM +0000, Mark Ovens wrote:
>
> Frank Shute wrote:
> >Bad news, looks like my machine has been infected with some Spyware.
> >
> >I noticed that on surfing to: http://news.bbc.co.uk/ or anything under
> >that domain, I was getting some outgoing activity and Firefox was
> >after a URL (as shown by the status bar) somewhere under the domain:
> >
> >http://bbcnewscouk.112.2o7.net/
> >
> >A quick Google on 2o7.net confirmed my worst fears: spyware!
> >
> >and a 2o7.net cookie planted on my machine.
> >
> >I cached some pages in my proxy <excerpt>:
> >
> >http://bbcnewscouk.112.2o7.net/b/ss/bbcnewscouk/1/G.7-Pd-R/s68107022286455?purl=http%3A%2F%2Fnews.bbc.co.uk%2F&pccr=true&%5BAQB%5D&ndh=1&t=8/1/2005+2:21:56+2+0&cdp=3&pageName=BBC+NEWS+|+News+Front+Page&g=http://news.bbc.co.uk/&cc=GBP&c1=1&s=1152x864&c=24&j=1.3&v=N&k=Y&bw=1129&bh=543&p=Default+Plugin%3B&%5BAQE%5D
> >
> >http://bbcnewscouk.112.2o7.net/b/ss/bbcnewscouk/1/G.7-Pd-R/s68107022286455?purl=http://news.bbc.co.uk/&pccr=true&%5BAQB%5D&ndh=1&t=8/1/2005+2:21:56+2+0&cdp=3&pageName=BBC+NEWS+|+News+Front+Page&g=http://news.bbc.co.uk/&cc=GBP&c1=1&s=1152x864&c=24&j=1.3&v=N&k=Y&bw=1129&bh=543&p=Default+Plugin%3B&%5BAQE%5D
> >
> >Looks like some sort of perl script which returns a 2x2 gif, whilst
> >harvesting your browsing habits (and screen & windowsize - by calling
> >Javascript functions in Firefox?)
> >
>
> % whois 2o7.net
>
> [....]
>
> Registrant:
> Omniture, Inc. (2O41-DOM)
> 550 East Timpanogos Cir
> Building G
> Orem, UT 84097
> US
>
> From BBC's Privacy and Cookies Policy (there's a link at the bottom of
> the main page) http://www.bbc.co.uk/privacy/
>
> 2. Visitor Information
>
> [....]
>
> "The BBC also uses a company called Omniture to track and analyse
> non-personally identifiable usage and statistical information about
> volume of visitors to the BBC News pages on bbc.co.uk in order to
> measure the effectiveness of the BBC News web pages and improve services
> to users. Please note that this is not personal information, only
> general summaries of the activities of visitors to bbc.co.uk. If you
> wish to reject the Omniture cookies, you can use the process set out
> below in point 7. Further information regarding Omniture's privacy
> statement can be found at http://www.omniture.com/policy.html#cookies."
>
> Blocking the cookies does not stop the site working.

Cheers Mark. I looked at that page too, skim read it and missed it. It
was only in the last few days that I'd noticed the behaviour I
described. It's probably been like that for months but I was too drunk
to notice it or something :)

Huge relief. I thought I'd installed a nefarious XPI - if such things
exist.

Apologies to all for any alarm caused! I think I'm a bit paranoid ATM
due to some unpleasant personal circumstances.

--
Frank
print "f r a n k @ e s p e r a n c e - l i n u x . c o . u k" | sed 's/ //g'
--->PGP keyID: 0x10BD6F4B<---
More information about the freebsd-chat
mailing list
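
An added example, not part of the original thread: a short Python check of the kind that would have identified the request from the proxy log alone. It flags requests to a different site that carry the viewed page's hostname in their query string, and lists what they disclose. The first log entry, the suffix set and the parameter meanings are assumptions made for the example.

```python
from urllib.parse import urlsplit, parse_qs

# Simplification: a real implementation would consult the Public Suffix List.
TWO_LEVEL_SUFFIXES = {"co.uk", "org.uk", "ac.uk"}

# Meanings read off the values in the thread (assumed, not vendor documentation).
LABELS = {"purl": "page URL", "g": "page URL", "pageName": "page title",
          "s": "screen size", "bw": "window width", "bh": "window height"}

# (page being viewed, URL fetched while rendering it). The first request is
# constructed for contrast; the second is the first URL quoted in the thread.
SAMPLE_LOG = [
    ("http://news.bbc.co.uk/", "http://news.bbc.co.uk/example.css"),
    ("http://news.bbc.co.uk/",
     "http://bbcnewscouk.112.2o7.net/b/ss/bbcnewscouk/1/G.7-Pd-R/s68107022286455"
     "?purl=http%3A%2F%2Fnews.bbc.co.uk%2F&pccr=true&%5BAQB%5D&ndh=1"
     "&t=8/1/2005+2:21:56+2+0&cdp=3&pageName=BBC+NEWS+|+News+Front+Page"
     "&g=http://news.bbc.co.uk/&cc=GBP&c1=1&s=1152x864&c=24&j=1.3&v=N&k=Y"
     "&bw=1129&bh=543&p=Default+Plugin%3B&%5BAQE%5D"),
]

def site(host):
    """Approximate the registrable domain, e.g. news.bbc.co.uk -> bbc.co.uk."""
    labels = host.lower().rstrip(".").split(".")
    n = 3 if ".".join(labels[-2:]) in TWO_LEVEL_SUFFIXES else 2
    return ".".join(labels[-n:])

def find_beacons(log):
    """Return third-party requests whose query string names the page being viewed."""
    hits = []
    for page, request in log:
        page_host = urlsplit(page).hostname
        req = urlsplit(request)
        if site(req.hostname) == site(page_host):
            continue  # same site: not a third-party request
        params = parse_qs(req.query, keep_blank_values=True)
        if any(page_host in v for values in params.values() for v in values):
            disclosed = {k: params[k][0] for k in LABELS if k in params}
            hits.append({"tracker": site(req.hostname), "disclosed": disclosed})
    return hits

if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_LOG):
        print("third-party beacon:", hit["tracker"])
        for key, value in hit["disclosed"].items():
            print(f"  {key:9} ({LABELS[key]}): {value}")
```
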