as well as surfing youtube, i use some other similar-type sites.
like:
http://watchfilms.com/ and http://publicdomainmovies.info/ for things in the Public Domain, etc.
(i also use a few different image-hosting services, i don't like the idea of relying on any 1 single site.)
* anyway.
one place i sometimes visit is:
http://www.guba.com/
* it seems benign; i've never had any problems, but lately i've noticed sometimes when i click to approve videos from guba, i see on the bottom left of the screem, "downloading from {edit numbnuts}
:blink:
* ICK! * (skinvideo is as bad as it sounds, by the way. i did a whois lookup.)
* what's weird is that, i have ADBLOCK, FLASHBLOCK and NOscript on FIREFOX -- and i ONLY ok "GUBA" -- which hasn't been any trouble.
THEN i notice, i've been re-directed to SKIN, somehow, which is DOWNLOADING something to me.
EEEEEK!
* QUESTIONS:
1) there's obviously some kind of flaw of quirk that allows me to OK Guba and GET the OTHER site. any ideas on how this is happening, and how to stop it?
2) i don't allow FLASH on any of my other browsers. only FF, and then it's always BLOCKED, unless i specifically allow it.
HOW DANGEROUS CAN VIDEOS BE? in terms of malware?
- i won't fall for re-directs to phishing scams, but... can they download adware, steal passwords, etc?
(i have spyware blaster, spybot SandD and use its' Tea-Timer, a router and the norton internet security.)
* guba used to be a respectable site, but they've evidently fallen on hard times. i know the "adult"-type sites are the WORST, in terms of spreading nasty-ware, so i freaked when i saw the re-direct.
if i could allow guba, and not get re-directed, i'd probably be okay.
(if not, i probably will just stop visiting the Gube.)
once you click, you are providing permission for anything to happen.
that is how most malware gets on a pc:
wouldn't you like a free weather report on your desktop? free dinner at applebees? free visa card?
why yes!! then you click! instant malware.
how you get from nice-video.com to pr0n.com?
you click, and the html, java, php or other script sends you there.
you clicked, after all..
thanks temmu.
- skinvideo.com has figured out a way to trick FIREFOX.
i SET FF TO BLOCK ALL skinvideo cookies -- and, despite that, when i just clicked on a GUBA link (allowing FLASH), it says TRANSFERRING DATA from , {edit numbnuts} and i ended up with {edit numbnuts }!
* (as far as i know, this has never happened before. the FF add-on seems rock-solid in this regard; a lot of times i have problems with a page, i'll scan my cookies exceptions list, and see AHA! I had BLOCKED COOKIES some mos. back.)
...pretty disturbing.
- oh GREAT.
i just checked my WHITELIST in the NoScript addon -- and there was a TON of stuff in there I NEVER WHITE-LISTED (including GUBA).
{edit numbnuts} WASN'T WHITE-LISTED, but having Guba in there must've allowed the redirect.
DAMMMMMM!
(i had better run all my security scans now.)
* WHAt CREEPS.
:smash:
i'm not sure how all this garbarge got white-listed in NoScript -- but some of it i recognize as nastiness that spybot s&d scans for, and Spyware Blocker is suppsed to block.
THERE'S NO WAY I OK'ed these to Whitelist.
- how'd they get in there, i wonder? i'm so careful.
:thud:
Lot's of good questions here.
LzD Staff, I would suggest for purposes of continued discussion, that the Admins remove the site address above: { edit numbnuts} (including mine) even though it is not clickable as it goes directly to a prOn site.
Discussion can continue referring to it as say: "S" site.
Babyoh,
What version of Fx & NS are you using?
Clear your cookies, clear your cache, open NS options> Whitelist and either 1) Remove Selected Site(s) or 2) Revoke Temporary Permissions (any site(s) allowed on a temporary per site/domain basis will be listed in italics).
Unfortunately, some "benign" sites place links directly in plain sight to adult content on their pages. While the initial video site has a mixture of harmless categories of the usual videos, some are somewhat questionable and lacking taste...I suppose the same could be said for YouTube.
Deliberately clicking on a link entitled adult content whether the initial site is whitelisted or NOT in NS, will transfer you to that site, unless it was a cross site forgery, at which point it wouldn't have loaded.
Not all items on the "S" pages are just Flash content as you noticed.
The only domains/sites in your Whitelist of NoScript were ones that were (you) "Allowed" and persist until you remove them. "Temp Allow" permissions are there in the whitelist, in italics as I said above, but do not persist after you've closed that browser session.
Note, there were some sites placed in there by default when you first installed NoScript. I don't remember which they were specifically.
Those "default ones" are not re-added with any subsequent update to NS.
There have been numerous security options & enhancements to NoScript over time, esp in the last 6 months. I control my Flash content exclusively through NS & am not familiar w/ Flashblock.
I keep an eye on my whitelist from time to time, so "culling" it might be in order for you. Also, maybe spending some time reviewing the newer capabilities of NoScript would be helpful > http://noscript.net/features
And specifically the section on "Content Blocking" for Flash & other plugins > http://noscript.net/features#contentblocking
Edit done ripley.. if you spot anything else lets us know ... Good catch .. :thumbsup:
Paddy... :hug:
The video site links aren't clickable so no need to edit out.
Websites get hacked. People upload infected links. Just like a phishing email that the link appears to be going to PayPal, YourBank, U.S. Treasury, etc., what you see is not what you get. For example, where do these links take you to?
Cat World USA! (http://www.landzdown.com/index.php)
Safe Downloads! (http://www.landzdown.com/index.php)
Movie World (http://www.landzdown.com/index.php)
Reports of website hacks at Castle Cops: http://www.castlecops.com/modules.php?name=WsIRT&fp=attack
Just a few quick examples of hacked sites:
http://sunbeltblog.blogspot.com/2008/02/nautica-apparel-website-hacked.html
http://msmvps.com/blogs/spywaresucks/archive/2008/02/11/1507600.aspx
http://msmvps.com/blogs/spywaresucks/archive/2008/01/19/1469701.aspx
http://www.theregister.co.uk/2008/01/23/embassy_sites_serve_malware/
http://msmvps.com/blogs/spywaresucks/archive/2008/01/10/1451028.aspx
Absolutely any time a person goes to a site for "free downloads", "free music", "free videos" they are taking a chance. Embedded flash infections are very common.
You need all your armor when visiting such sites.
might not be clickable but they are cut and pasteable..
in to a browser I would think ...
Paddy... :wub:
True, but the links in HJT logs are worse.
Quotei SET FF TO BLOCK ALL skinvideo cookies
Blocking cookies does not block the site from loading. That action only blocks the site recording that you visited.
QuoteHOW DANGEROUS CAN VIDEOS BE? in terms of malware?
Extremely dangerous -- need a codec to view the video? Oops! Infected. Oh, not really a video being downloaded, flash infection at a minimum, rooted at the worst.
ok, 1st-off, thanx everybody, for helping out.
i'm running:
FF 2.0.0.12, noscript 1.4, flashblock 1.5.5, adblock plus 0.7.5.3, and Add N Edit Cookies 0.2.1.2
- all are up-to-date, (when i click "CHECK FOR UPDATES" it says there are none).
i ran norton and spybot scans, and i'm clean as a whistle (should i do a HJT scan to be extra safe?)
* i'd already done most of what ripley suggested, but i took a 2nd stab at it (cleared cache, opened NS options> Whitelist, Remove Selected Sites, etc.)
NOTE: I KEEP DELETING A COOKIE FOR NING.com, THAT KEEPS MYSTERIOUSLY RETURNING, each time i close and re-open FF.
i was able to delete over 100 cookies that STAYED deleted. but NING keeps coming back. - do i have to worry about them now? (i'd been allowing them for SESSION cookies - NOT Persistent ones. EEEK!)
* i probably wasn't clear before, so let me explain better:
when i clicked some Guba links, they were fine.
FF alerts me to a potential cross-site scripting issue, by providing that code (i think it's of a "re-direct.")
anyway, THE CRUMMY LINKS, that re-directed to the "S" domain ALSO had "GUBA.com" in them.
But * SURPRISE * SURPRISE * they took me to the OTHER ("S") place.
(GUBA owns BOTH domains, i found out by Googling. the "S" one they charge for, and is NASTY. stay away, fellow landzdownzians!)
* i'd NEVER download a video, or anything suspicious. i don't even open pix my friends email me.
*** OH, Corinne. a little clarification on something, please.
- I WROTE: "i SET FF TO BLOCK ALL skinvideo cookies"
YOU WROTE: "Blocking cookies does not block the site from loading. That action only blocks the site recording that you visited."
THIS IS WHAT I DID.
in FF i went into Options - Cookies - Exceptions - and i BLOCKED Cookies from the "S" place.
then i DELETED a bunch of cookies, closed and opened my brower -- the "S" COOKIES: GONE.
i visited GUBA - "S" again, by visiting GUBE and getting re-directed to "S"
THEN, When i closed all that down -- I HAD NEW "S" COOKIES !
(it shouldn't be able to create them, if i BLOCK them, right?)
* so: i can get terrible infections just from clicking to VIEW a video -- even on youtube...?
they're probably the most reputable and well-known, of the vid hosters i visit -- but they certainly don't go over and "OK" each video that people upload.
EEEKS.
Although certainly far from a guarantee, it is worth a check at SiteAdvisor to see what has been reported: http://www.siteadvisor.com/sites/guba.com
Online Affiliations are sites linked to from the site you are checking. Guba includes links to this site http://www.siteadvisor.com/sites/moviecodec.com/summary/ which had some questionable links, particularly to one found to be a distributor of downloads considered adware, spyware or other pups (potentially unwanted programs).
If that is the most reputable site, you may want to check the others you visit.
corrine,
thanx for that siteadvisor link.- it's excellent
* i don't know if i should open a new thread or not...
i have a COOKIE that mysteriously keeps re-appearing.
- does it sound like a security threat at all?
*** in FF, i delete ALL COOKIES and offline content.
I specifically BLOCK the cookie for ning.com (privacy - cookies - exceptions...)
(it's not whitelisted anywhere- in NoScript, etc.)
* and...
I DELETE the NING COOKIE
the ONLY WAY i can keep the cookie from re-appearing, is by going OFFLINE and deleting it.
- once i go back online, the COOKIE RE-APPEARS.
(launching FF gets it back. It also comes back ON ITS' OWN, if i'm online for a few minutes.)
it's the only cookie i can't control. (I delete it in Opera, and it STAYS deleted.)
I'm concerned, because it seems like there must be something hiding on my drive, that makes contact with NING.
(it appears WITHOUT me visiting their pages- if i didn't already make that clear.)
i delete it, it comes back. i delete it, it comes back. over and over and over.
* how is the cookie working this "magic"?
is it dangerous?
this is it-
COOKIE NAME: xn_visitor
Content: (OMITTED, IN CASE IT'S PASSWORDS OR SOMETHING)
Domain: .ning.com
Path: /
Send for: Any type of connection
Expires: at end of session
* it's a mystery
:blink:
Seems strange that cookie would be re-appearing...
Basic info on Fx and cookie management > http://kb.mozillazine.org/Cookies
Ning's privacy policy > http://www.ning.com/about/privacy.html
Mystery to me too.
Hhm, I see that it's a session cookie, which should mean it's not much of a threat. But why it won't stay deleted is wierd!
I wonder if you tried to use something else to remove the cookie, like WinPatrol or something? I know Ad-Aware is no longer supported, but maybe there's another program...OH, or what about CCleaner?
I'm not that familiar with Firefox, so that's about all I could add.
Good luck!
Kinda similar, but not w/ a cookie.
Kept finding these files showing up here >Local Settings\Temp\clclean.0001.dir.0000
They would grow exponentially with each re-boot. Whether I deleted them manually, or with CCleaner in normal as well as safe mode, they would always re-appear.
Finally tracked it down to a pre-installed media player from Dell, whether I was using the player or not.
Solution #1 Stop the player from starting with a program like WinPatrol or Spybot S & D advanced tools, which allowed the player to function but with crippled capabilities.
Solution #2 Leave it as is and continue to "clean" my temp files on a regular basis to reduce the littering that program did.
Solution #3 Uninstall the media player and use another.
babyoh, I hope you track down what is re-creating that cookie. It would bug me too, but as Brynn mentioned, a cookie wouldn't be dangerous as they are just text files. And even if it was a "tracking cookie" it would be more of a "privacy" issue. Sites that could "track" you as you go from one to another. Tracking cookies bug me too, but I wouldn't call them dangerous.
thanx for the input.
looks like i'm stuck with the cookies, for now. (i did write NING about it; i hope they have insights.)
* ripley, i SEARCHed my drive for xn_visitor, ning.com etc- nothing showed up.
*** each time i delete them, when they come back they have a different Content Value.
this bothers me, since SOMETHING on my drive must be contacting those servers (against my wishes).
i can do that, over and over and over... the cookie keeps coming back, with new values.
* i used cookie editor to change the value to "0" -- but, it turned into another regular, long Value within a minute or 2.
then i edited the EXPIRE DATE to 1980 -- the cookie DELETED, and then just re-generated again.
*** btw: ning has free accounts, and they let users go hogwild with the API, PHP, etc.
it's been good for me, since i can tinker and learn in my "sandbox" account; not devastating if i make a mistake or 2, even if it locks up the account.
* anyway. i was thinking: maybe this isn't NING's doing- i've visited and registered for a couple independently run accounts.
maybe one of those planted something on me.
i don't run any of their widgets, and won't download anything... but SOMETHING must have gotten through.
no idea how to find it...
would a HJT scan show what's out of kilter, you think??