Symantec says that Blackhole affects "various Windows platforms". Does Cryptome run on Windows?
Whether or not Cryptome runs on Windows is not for me to say; however, I do believe that Cryptome was compromised and made to distribute the Blackhole exploit. The following is found in TFA:
Although I'm not a full-fledged security researcher, I could shed some light on the script that you found on your server.
The basic program flow goes like this when a client loads the script (in your case every time anyone visits one of your pages):
1. the client IP address is compared against a list (net_match(...)) and if it falls within the range of the list it is in scope
2. the client OS is determined and if it is a Windows machine, it is in scope
3. the client browser is determined and if it is an Internet Explorer (6.0 until 8.0) it is in scope
4. if the client is in scope (i.e. all three of the previous are true), a file is created on your webserver (empty text file), the filename is the IP address of the client (probably for later retrieval)
5. an iFrame is loaded in the browser of the client that will be impossible to see (width and height of 1 pixel) and that iframe points to the webpage of 'http://65.75.137.243/Home/index.php'
After step 5 probably the browser is under attack and it will probably be a successful attack since the attacker knows the client to be a Windows machine running an Internet Explorer browser; my guess would be that the client is now infected and part of a botnet to be used in other attacks.
The IP address of the attacker is a webserver for the domain http://absolutely-free-meeting.com/ I'm not sure they have anything to do with this attack; probably they are a compromised server like your webserver was compromised.
The WHOIS information for this domain is registered by GoDaddy and I include their data and the registrant's data below; it would be best to contact both so that they can clean up their server also.
Conclusion:
1. your webserver was compromised and a file was uploaded (the attacking script)
2. the attacker was only interested in certain IP addresses (probably only a certain location)
3. the clients that are infected are infected from another web server (no idea why since that attack script could have been put on your webserver also)
PS: I tried to format that as best I could but slashdot was having none of it
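The targeting logic described in that analysis, replayed for incident response as an added example (this is not the injected script from Cryptome's server, and it is written in Python rather than whatever language the injector used): given web server access log lines, it applies the same three scope checks (client IP in a target list via net_match, Windows, Internet Explorer 6.0 through 8.0) to list which visitors would have been served the hidden iframe, and cross-checks that list against the empty marker files the script left behind, which are named after client IPs. The CIDR list, the log lines and the marker file names are all constructed for the example; the post does not reproduce the real address list.

```python
import ipaddress
import re

# Placeholder target ranges: the post says the script compared the client IP
# against a list via net_match() but does not reproduce that list.
TARGET_NETS = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.0/25")]

# Hidden 1x1 iframe destination quoted in the post.
IFRAME_URL = "http://65.75.137.243/Home/index.php"

# Apache/nginx "combined" access log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"'
)
MSIE_RE = re.compile(r"MSIE (\d+)\.(\d+)")


def net_match(ip, nets=TARGET_NETS):
    """Step 1: is the client IP inside any listed range?  Mirrors the
    injector's net_match(); unparsable addresses are simply out of scope."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in nets)


def is_windows(user_agent):
    """Step 2: the OS check, done the only way a server-side script can: UA sniffing."""
    return "Windows" in user_agent


def ie_version(user_agent):
    """Step 3 helper: (major, minor) from the MSIE token, or None if not IE."""
    m = MSIE_RE.search(user_agent)
    return (int(m.group(1)), int(m.group(2))) if m else None


def in_scope(ip, user_agent, nets=TARGET_NETS):
    """Steps 1-3 together: only when all are true does the script write the
    marker file and inject the iframe (steps 4 and 5)."""
    if not net_match(ip, nets) or not is_windows(user_agent):
        return False
    version = ie_version(user_agent)
    return version is not None and (6, 0) <= version <= (8, 0)  # "6.0 until 8.0"


def parse_line(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def exposed_clients(log_lines, nets=TARGET_NETS):
    """Map each in-scope client IP to the timestamp of its first page load,
    i.e. the first time it would have been served the hidden iframe."""
    first_seen = {}
    for line in log_lines:
        rec = parse_line(line)
        if rec and rec["ip"] not in first_seen and in_scope(rec["ip"], rec["ua"], nets):
            first_seen[rec["ip"]] = rec["ts"]
    return first_seen


def reconcile(marker_ips, exposed):
    """Cross-check the empty marker files (named after client IPs) against the
    log-derived list.  marker_only: visits the logs no longer cover (rotated
    logs, or hits before logging caught them); log_only: the marker write
    failed or the file was already removed."""
    markers, logged = set(marker_ips), set(exposed)
    return {
        "confirmed": sorted(markers & logged),
        "marker_only": sorted(markers - logged),
        "log_only": sorted(logged - markers),
    }


# Constructed sample log lines (not from Cryptome's real logs).
SAMPLE_LOG = [
    '203.0.113.7 - - [04/Apr/2011:10:01:02 +0000] "GET /index.htm HTTP/1.1" 200 5120 "-" '
    '"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"',
    '203.0.113.9 - - [04/Apr/2011:10:02:10 +0000] "GET /index.htm HTTP/1.1" 200 5120 "-" '
    '"Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)"',
    '198.51.100.200 - - [04/Apr/2011:10:03:30 +0000] "GET /index.htm HTTP/1.1" 200 5120 "-" '
    '"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"',
    '203.0.113.20 - - [04/Apr/2011:10:04:00 +0000] "GET /index.htm HTTP/1.1" 200 5120 "-" '
    '"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:2.0) Gecko/20100101 Firefox/4.0"',
    '198.51.100.44 - - [04/Apr/2011:10:05:45 +0000] "GET /cryptome.htm HTTP/1.1" 200 7300 "-" '
    '"Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)"',
    '203.0.113.7 - - [04/Apr/2011:10:06:12 +0000] "GET /other.htm HTTP/1.1" 200 900 "-" '
    '"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"',
]

# Constructed marker-file names, as if listed from the web root.
SAMPLE_MARKERS = ["203.0.113.7", "198.51.100.44", "192.0.2.55"]

if __name__ == "__main__":
    exposed = exposed_clients(SAMPLE_LOG)
    for ip, ts in exposed.items():
        print("%s first served iframe to %s at %s" % (ip, IFRAME_URL, ts))
    print(reconcile(SAMPLE_MARKERS, exposed))
```

The second hit from 203.0.113.7 is deliberately kept in the sample: the first-seen timestamp is what matters for notifying a victim, and the second visit shows the de-duplication. 198.51.100.200 is Windows plus IE 6.0 but sits outside the /25, so it is out of scope on the IP check alone, which is the behaviour the post describes ("only interested in certain IP addresses").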
It has been a while since I used AdSense, but I believe Google's Terms of Use specify a set number of AdSense ads per page and the number cannot be exceeded without breaking said terms. Perhaps they no longer do that, though.
True enough. There are many advanced features you find in NoScript but not NotScripts, and I can see how one would miss them. But if all you're looking for is to block flash and ad network/tracking scripts, it gets the job done.
It mostly gets the job done. The inline JavaScript issue is huge. On the developer's own site he admits he cannot currently block inline JavaScript. Which means a simple <script>while(1){alert('trolololol')}</script> would defeat it. I know Chrome detects this and will not allow an infinite number of alerts, but my point is inline scripting is used a lot and NotScripts cannot protect against that.
See my post above, I've used NoScript, I use NotScripts on Chrome now, and I don't miss any functionality.
While an average user might not miss any functionality with NotScripts, the overwhelming truth is that there are limitations to what NotScripts can do with the limited Chrome API. Let me list some features I use daily:
Clickjacking protection
inline script blocking
Script Surrogates
XSS Filtering
Application Boundary Enforcement
HTTPS Enforcement
Secure Cookie Enforcement
I could go on, but let's discuss ABE for a moment. Singularly the most awesome part of NoScript. Let's say you allow Facebook.com scripts to run since you have a Facebook account. Now let's say you allow slashdot.org scripts to run because you are a masochist. Facebook inclusions will run on slashdot.org because you trust both Facebook and Slashdot. But not with ABE:
# Facebook XSS
Site .facebook.com .fbcdn.net .facebook.net
Accept from .facebook.com .fbcdn.net .facebook.net
Deny INCLUSION
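To make the effect of that rule concrete, here is an added example (not NoScript's own code, and a simplified model of ABE rather than its real engine): a small Python evaluator that parses the ruleset above and applies it to a handful of constructed request scenarios. The simplifications are that only Accept and Deny actions are handled, INCLUSION is treated as any request that is not a top-level document load, the LOCAL and SELF keywords are left out, the first matching action of the first matching Site wins, and a request no rule has an opinion on is accepted. The scenario hosts (slashdot.org, cdn.example.org, the look-alike www.facebook.com.example.net) are assumptions for the example.

```python
# ABE ruleset quoted in the comment above.
FACEBOOK_RULE = """\
# Facebook XSS
Site .facebook.com .fbcdn.net .facebook.net
Accept from .facebook.com .fbcdn.net .facebook.net
Deny INCLUSION
"""


def host_matches(pattern, host):
    """ABE host patterns: a leading dot means the domain itself and every
    subdomain; without it the match is exact.  The suffix test is anchored on
    a dot so 'www.facebook.com.example.net' does not pass as facebook."""
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("."):
        base = pattern[1:]
        return host == base or host.endswith("." + base)
    return host == pattern


def parse_abe(text):
    """Parse a ruleset into [(site_patterns, [(verdict, methods, origins), ...])].
    Simplified model: only Accept/Deny, no Anonymize/Sandbox, no LOCAL/SELF."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # '#' starts a comment
        if not line:
            continue
        tokens = line.split()
        if tokens[0].lower() == "site":
            rules.append((tokens[1:], []))
            continue
        if not rules:
            raise ValueError("action line before any Site line: %r" % raw)
        verdict = tokens[0].capitalize()
        if verdict not in ("Accept", "Deny"):
            raise ValueError("unsupported action: %r" % raw)
        rest = tokens[1:]
        lowered = [t.lower() for t in rest]
        if "from" in lowered:
            i = lowered.index("from")
            methods, origins = rest[:i], rest[i + 1:]
        else:
            methods, origins = rest, None       # no 'from' clause: any origin
        methods = {m.upper() for m in methods} or {"ALL"}
        rules[-1][1].append((verdict, methods, origins))
    return rules


def method_matches(methods, method, top_level):
    """ALL matches everything; INCLUSION matches any request that is not a
    top-level document load (scripts, iframes, images, XHR); otherwise the
    HTTP method itself must be listed."""
    if "ALL" in methods:
        return True
    if "INCLUSION" in methods and not top_level:
        return True
    return method.upper() in methods


def origin_matches(origins, origin_host):
    return origins is None or any(host_matches(p, origin_host) for p in origins)


def evaluate(rules, origin_host, dest_host, method="GET", top_level=False):
    """Verdict for a request made by a page on origin_host to dest_host.
    The first matching action in the first Site that covers dest_host wins;
    a request no rule has an opinion on is accepted."""
    for sites, actions in rules:
        if not any(host_matches(s, dest_host) for s in sites):
            continue
        for verdict, methods, origins in actions:
            if method_matches(methods, method, top_level) and origin_matches(origins, origin_host):
                return verdict
    return "Accept"


# Constructed scenarios: (label, origin page host, requested host, top-level load?)
SCENARIOS = [
    ("facebook page loads its own CDN script", "www.facebook.com", "static.ak.fbcdn.net", False),
    ("slashdot embeds a facebook iframe", "slashdot.org", "www.facebook.com", False),
    ("slashdot includes a facebook.net script", "slashdot.org", "connect.facebook.net", False),
    ("user follows a slashdot link to facebook", "slashdot.org", "www.facebook.com", True),
    ("slashdot includes an unrelated script", "slashdot.org", "cdn.example.org", False),
    ("look-alike host pretending to be facebook", "www.facebook.com.example.net", "www.facebook.com", False),
]


def run_scenarios(rules=None):
    rules = rules or parse_abe(FACEBOOK_RULE)
    return {label: evaluate(rules, origin, dest, top_level=top)
            for label, origin, dest, top in SCENARIOS}


if __name__ == "__main__":
    for label, verdict in run_scenarios().items():
        print("%-45s %s" % (label, verdict))
```

The fourth scenario is the one that makes the rule usable day to day: following a link from slashdot.org to facebook.com is a top-level load, not an inclusion, so it is still accepted; only sub-resource loads of Facebook hosts from a non-Facebook origin are denied. The last scenario is why the leading-dot patterns are matched on a dot boundary rather than with a plain substring test.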
I normally don't post offhand comments but I just feel really compelled to say how good I feel about the donations I've made to Mozilla. I felt good about them before, but this just makes it that much better!
A UAV based MMOG? Priceless.
Someone get this man the start up capital and a lifetime supply of mountain dew and hot pockets. This is happening.
Beavers aside, I don't actually see what the problem is. What if the situation were reversed? Way, way worse.
You mean if Venus mistook the pilot for another planet?
Really? Aren't we just getting a little paranoid? Why not take it one step further and suggest to sandbox every application inside the VM OS?
Great idea! Is someone working on that?
I could still go on, but you get the point, right?
AdBlock Plus runs on Chrome. It's in Google's Chrome Web Store.
Get back to me when they have a fully functioning NoScript.
A strange coincidence that I happen to be reading Rainbows End right now.
I'm sure cryptologists agree! What could possibly go wrong?!
Fabrice Bellard already wrote an x86 emulator in JavaScript. Just install the standard x86 JVM inside of that and you're good to go.
Yes, that's why this is completely unnecessary.
I'd be interested in the further development of this storyline.
I've always wondered why Alice and Bob are so secretive.