Pop-ups? - Page 3

**DiscipleDOC** · 08-21-07, 03:32 PM

So, did someone hijack the forum?

evilghost · 08-21-07, 03:36 PM

Remote code URL is http://nvnews.us.intellitxt.com/v3/d...ews.net/forum/

The offending ad is coming from amch.questionmarket.com

Redeemed · 08-21-07, 03:38 PM

Ghost- you never cease to amaze me with how much you know.

I'm betting Mike is glad he has you as a friend instead of an enemy...

**DiscipleDOC** · 08-21-07, 03:40 PM

Ghost is teaching me Debian. 'nuff said.

evilghost · 08-21-07, 03:45 PM

Here is the solution. MikeC gets some money from Intellitxt I'm sure (why else would it be there). If you want to support Intellitxt as a revenue source but do not want some worthless Flash driven spam flying across your browser window, simply add the following line to your HOSTS file:

Code:

127.0.0.1     amch.questionmarket.com

Your HOSTS file is in %WINDIR%\System32\drivers\etc\hosts. An easy way to edit it is to simply open a CMD window and type:

Code:

echo 127.0.0.1     amch.questionmarket.com >> %windir%\system32\drivers\etc\hosts
exit

%WINDIR% is an environment variable for the Windows installation directory, type it as-is. Close and re-open IE and the changes should be cached/loaded.

**DiscipleDOC** · 08-21-07, 03:47 PM

Dang...I had to deal with a host file today to allow stuff to go out of our firewall....

This should be moved to our Networking/Security Forum.

evilghost · 08-21-07, 03:56 PM

Here's over the wire, as you can see, I was right about the cookie.

Code:

GET /static/sc_trans2_black_li-350x250-1l-eng-nul.swf?clickTag=javascript:DL_GotoSurvey();&clickTag2=javascript:DL_Close(); HTTP/1.1

Accept: */*
Referer: http://www.nvnews.net/vbulletin/
x-flash-version: 9,0,16,0
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Host: amch.questionmarket.com
Connection: Keep-Alive
Cookie: linkjumptest=1

Here's the direct link to the annoying worthless flash that flies across your screen:

Code:

http://amch.questionmarket.com/static/sc_trans2_black_li-350x250-1l-eng-nul.swf?clickTag=javascript:DL_GotoSurvey();&clickTag2=javascript:DL_Close();

And here's me owning that same link with a blatant XSS vulnerability:

Code:

http://amch.questionmarket.com/static/sc_trans2_black_li-350x250-1l-eng-nul.swf?clickTag=javascript:DL_GotoSurvey();&clickTag2=javascript:alert('evilghost is your daddy');

Go ahead, open it, and click the 'Close' button

MikeC, if you want to engage intellitxt, this post is what you need. It's the direct URL to the flash they are serving up.

**MikeC** · 08-21-07, 04:27 PM

Thanks for the detective work evil. I will pass on your findings to the folks at Intellitxt.

In addition to maintaining a local hosts file, another recommendation that I have for visitors is that they review their browsers security settings. As I mentioned earlier, I have yet to receive a pop-up and believe that it is a result of changing a few default settings.

For example, accept cookies manually and use the restricted web site feature. Also, review security settings and disable automatic downloading of ActiveX controls. If you are not sure about disabling a specific setting, request that you be prompted instead.

Bman212121 · 08-21-07, 04:39 PM

Quote:

Originally Posted by MikeC

Thanks for the detective work evil. I will pass on your findings to the folks at Intellitxt.

In addition to maintaining a local hosts file, another recommendation that I have for visitors is that they review their browsers security settings. As I mentioned earlier, I have yet to receive a pop-up and believe that it is a result of changing a few default settings.

For example, accept cookies manually and use the restricted web site feature. Also, review security settings and disable automatic downloading of ActiveX controls. If you are not sure about disabling a specific setting, request that you be prompted instead.

Sounds like a great tutorial brewing for the Network and security forum.

evilghost · 08-21-07, 05:07 PM

Quote:

Originally Posted by MikeC

Thanks for the detective work evil. I will pass on your findings to the folks at Intellitxt.

Always glad to help.

evilghost · 08-22-07, 02:00 PM

For what it's worth, it appears fixed, Intellitext must have pulled that ad (good). Good work MikeC.

08-22-07, 02:37 PM

Quote:

Originally Posted by evilghost

For what it's worth, it appears fixed, Intellitext must have pulled that ad (good). Good work MikeC.

Ya, it appears to be gone now. I was getting it earlier in the day and now I am not.

08-21-07, 03:32 PM	#25
DiscipleDOC Join Date: Dec 2002 Location: Alabama, Planet Earth Posts: 5,933	Re: Pop-ups? So, did someone hijack the forum?

08-21-07, 03:36 PM	#26
evilghost Registered User Join Date: Jul 2005 Posts: 3,606	Re: Pop-ups? Remote code URL is http://nvnews.us.intellitxt.com/v3/d...ews.net/forum/ The offending ad is coming from amch.questionmarket.com

08-21-07, 03:38 PM	#27
Redeemed Registered User Join Date: May 2005 Posts: 17,986	Re: Pop-ups? Ghost- you never cease to amaze me with how much you know. I'm betting Mike is glad he has you as a friend instead of an enemy...

08-21-07, 03:40 PM	#28
DiscipleDOC Join Date: Dec 2002 Location: Alabama, Planet Earth Posts: 5,933	Re: Pop-ups? Ghost is teaching me Debian. 'nuff said.

08-21-07, 03:45 PM	#29
evilghost Registered User Join Date: Jul 2005 Posts: 3,606	Re: Pop-ups? Here is the solution. MikeC gets some money from Intellitxt I'm sure (why else would it be there). If you want to support Intellitxt as a revenue source but do not want some worthless Flash driven spam flying across your browser window, simply add the following line to your HOSTS file: Code: 127.0.0.1 amch.questionmarket.com Your HOSTS file is in %WINDIR%\System32\drivers\etc\hosts. An easy way to edit it is to simply open a CMD window and type: Code: echo 127.0.0.1 amch.questionmarket.com >> %windir%\system32\drivers\etc\hosts exit %WINDIR% is an environment variable for the Windows installation directory, type it as-is. Close and re-open IE and the changes should be cached/loaded.

08-21-07, 03:47 PM	#30
DiscipleDOC Join Date: Dec 2002 Location: Alabama, Planet Earth Posts: 5,933	Re: Pop-ups? Dang...I had to deal with a host file today to allow stuff to go out of our firewall.... This should be moved to our Networking/Security Forum.

08-21-07, 04:27 PM	#32
MikeC Administrator Join Date: Jan 1997 Location: Virginia Posts: 2,831	Re: Pop-ups? Thanks for the detective work evil. I will pass on your findings to the folks at Intellitxt. In addition to maintaining a local hosts file, another recommendation that I have for visitors is that they review their browsers security settings. As I mentioned earlier, I have yet to receive a pop-up and believe that it is a result of changing a few default settings. For example, accept cookies manually and use the restricted web site feature. Also, review security settings and disable automatic downloading of ActiveX controls. If you are not sure about disabling a specific setting, request that you be prompted instead.

08-22-07, 02:00 PM	#35
evilghost Registered User Join Date: Jul 2005 Posts: 3,606	Re: Pop-ups? For what it's worth, it appears fixed, Intellitext must have pulled that ad (good). Good work MikeC.

Similar Threads
Thread	Thread Starter	Forum	Replies	Last Post
Shootmania beta sign ups	Logical	Gaming Central	5	07-10-12 03:16 PM
4-Star Stocks Poised to Pop: NVIDIA	News	Latest Tech And Game Headlines	0	06-15-12 12:30 AM
Nvidia: Nomura Ups to Buy; Likely Beat on FYQ1	News	Latest Tech And Game Headlines	0	05-07-12 05:40 PM
UPS Question	FastM	General Hardware	2	10-02-02 02:21 PM