View Full Version : Pop-ups?


evilghost
08-21-07, 03:36 PM
Remote code URL is http://nvnews.us.intellitxt.com/v3/door.jsp?ts=118772773245&pagecl=5659&ias=b27fe9b5b32b428686d930def434ae3e&ipid=1882&mk=9&refurl=http://www.nvnews.net/forum/

The offending ad is coming from amch.questionmarket.com

Redeemed
08-21-07, 03:38 PM
Ghost- you never cease to amaze me with how much you know. :wonder:

I'm betting Mike is glad he has you as a friend instead of an enemy... :firedevil :p

DiscipleDOC
08-21-07, 03:40 PM
Ghost is teaching me Debian. 'nuff said.

evilghost
08-21-07, 03:45 PM
Here is the solution. MikeC gets some money from Intellitxt, I'm sure (why else would it be there). If you want to support Intellitxt as a revenue source but do not want some worthless Flash-driven spam flying across your browser window, simply add the following line to your HOSTS file:


127.0.0.1 amch.questionmarket.com


Your HOSTS file is in %WINDIR%\System32\drivers\etc\hosts. An easy way to edit it is to simply open a CMD window and type:

echo 127.0.0.1 amch.questionmarket.com >> %windir%\system32\drivers\etc\hosts
exit

%WINDIR% is an environment variable for the Windows installation directory; type it as-is. Close and re-open IE and the changes should be cached/loaded.

DiscipleDOC
08-21-07, 03:47 PM
Dang...I had to deal with a host file today to allow stuff to go out of our firewall....


This should be moved to our Networking/Security Forum.

evilghost
08-21-07, 03:56 PM
Here it is over the wire; as you can see, I was right about the cookie.


GET /static/sc_trans2_black_li-350x250-1l-eng-nul.swf?clickTag=JAVASCRIPT:DL_GotoSurvey();&clickTag2=JAVASCRIPT:DL_Close(); HTTP/1.1
Accept: */*
Referer: http://www.nvnews.net/vbulletin/
x-flash-version: 9,0,16,0
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Host: amch.questionmarket.com
Connection: Keep-Alive
Cookie: linkjumptest=1


Here's the direct link to the annoying worthless flash that flies across your screen:


http://amch.questionmarket.com/static/sc_trans2_black_li-350x250-1l-eng-nul.swf?clickTag=JAVASCRIPT:DL_GotoSurvey();&clickTag2=JAVASCRIPT:DL_Close();


And here's me owning that same link with a blatant XSS vulnerability:


http://amch.questionmarket.com/static/sc_trans2_black_li-350x250-1l-eng-nul.swf?clickTag=JAVASCRIPT:DL_GotoSurvey();&clickTag2=JAVASCRIPT:alert('evilghost is your daddy');


Go ahead, open it, and click the 'Close' button :)

MikeC, if you want to engage intellitxt, this post is what you need. It's the direct URL to the flash they are serving up.
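
An added example, not part of the original thread and not code from Intellitxt or questionmarket.com: a Python check that flags any clickTag query parameter whose target is not a plain web URL. The http/https allow-list, the function names and the second sample URL are assumptions; the first sample is the ad URL from the post above, which is flagged as served because its own click targets already use the JAVASCRIPT: scheme.

```python
from urllib.parse import urlsplit, unquote

# Assumption: a banner's click-through only ever needs to open a web page.
ALLOWED_SCHEMES = {"http", "https"}

# Space and C0 control characters, which browsers ignore at the start of a URL.
_LEADING_JUNK = "".join(chr(c) for c in range(0x21))


def target_scheme(value):
    """Return the lower-cased scheme of a click target, or None if it has none."""
    # Tab, CR and LF are dropped anywhere in a URL before the scheme is read.
    cleaned = "".join(ch for ch in value if ch not in "\t\r\n").lstrip(_LEADING_JUNK)
    head, sep, _ = cleaned.partition(":")
    if not sep or not head or not head[0].isalpha():
        return None
    if not all(ch.isalnum() or ch in "+-." for ch in head):
        return None
    return head.lower()


def unsafe_clicktags(url):
    """List (parameter, scheme) for every clickTag* parameter that is not http(s)."""
    findings = []
    # Split on '&' by hand: the values on this page contain ';', which some
    # query-string parsers also treat as a separator.
    for pair in urlsplit(url).query.split("&"):
        name, _, raw = pair.partition("=")
        name = unquote(name)
        if not name.lower().startswith("clicktag"):
            continue
        scheme = target_scheme(unquote(raw))
        if scheme not in ALLOWED_SCHEMES:
            findings.append((name, scheme))
    return findings


# URL as posted in the thread (the ad as originally served).
AD_URL = ("http://amch.questionmarket.com/static/sc_trans2_black_li-350x250-1l-eng-nul.swf"
          "?clickTag=JAVASCRIPT:DL_GotoSurvey();&clickTag2=JAVASCRIPT:DL_Close();")
# Constructed sample: a banner whose click target is an ordinary https landing page.
SAFE_URL = ("http://ads.example/static/banner.swf"
            "?clickTag=https%3A%2F%2Fadvertiser.example%2Flanding")

if __name__ == "__main__":
    for sample in (AD_URL, SAFE_URL):
        print(sample, "->", unsafe_clicktags(sample) or "ok")
```

The same allow-list check belongs wherever the click target is consumed; run over proxy or web-server logs, it only tells you which creatives accept script-scheme targets.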

MikeC
08-21-07, 04:27 PM
Thanks for the detective work evil. I will pass on your findings to the folks at Intellitxt.

In addition to maintaining a local hosts file, another recommendation that I have for visitors is that they review their browser's security settings. As I mentioned earlier, I have yet to receive a pop-up and believe that it is a result of changing a few default settings.

For example, accept cookies manually and use the restricted web site feature. Also, review security settings and disable automatic downloading of ActiveX controls. If you are not sure about disabling a specific setting, request that you be prompted instead.

Bman212121
08-21-07, 04:39 PM
> Thanks for the detective work evil. I will pass on your findings to the folks at Intellitxt.
>
> In addition to maintaining a local hosts file, another recommendation that I have for visitors is that they review their browser's security settings. As I mentioned earlier, I have yet to receive a pop-up and believe that it is a result of changing a few default settings.
>
> For example, accept cookies manually and use the restricted web site feature. Also, review security settings and disable automatic downloading of ActiveX controls. If you are not sure about disabling a specific setting, request that you be prompted instead.

Sounds like a great tutorial brewing for the Network and security forum. :)

evilghost
08-21-07, 05:07 PM
> Thanks for the detective work evil. I will pass on your findings to the folks at Intellitxt.

Always glad to help.

evilghost
08-22-07, 02:00 PM
For what it's worth, it appears fixed; Intellitxt must have pulled that ad (good). Good work MikeC.

Bearclaw
08-22-07, 02:37 PM
> For what it's worth, it appears fixed; Intellitxt must have pulled that ad (good). Good work MikeC.

Ya, it appears to be gone now. I was getting it earlier in the day and now I am not.