Dodgy website?

Discussion in 'NZ Computing' started by Ernest_the_Sheep@hotmail.com, Oct 3, 2008.

  1. Guest

    Yesterday I was reading an article on the 'Kiwiblog' website which
    included a link to another website, 'The Standard', which I believe is
    related to the Labour party. Anyway upon clicking on this link I got a
    message from Norton AV informing me of something going by the name
    'Malicious Toolkit Variant Activity'. I am using IE7 as browser. From
    memory I think it may have also tried to open a pdf file but in the
    panic I'm not 100 percent sure of that. I think I did get a message
    saying about adobe 7.0 having to close, which I thought odd as I was
    not attempting to open any file at the time. I did a quick AV scan and
    everything seemed fine. I was not sure whether it was coincidence
    that I got the AV warning on following the link to The Standard so I
    tried it a little later and exactly the same thing occurred. I've not
    tried it again since. Can anyone elaborate on what 'Malicious Toolkit
    Variant Activity' means and whether I should be worried?

    Thanks in advance for any help in this matter.
     
    , Oct 3, 2008
    #1

  2. Guest

    On Oct 3, 3:58 pm, Mark Robinson <2tod.net> wrote:
    > wrote:
    > > Yesterday I was reading an article on the 'Kiwiblog' website which
    > > included a link to another website, 'The Standard', which I believe is
    > > related to the Labour party. Anyway upon clicking on this link I got a
    > > message from Norton AV informing me of something going by the name
    > > 'Malicious Toolkit Variant Activity'. I am using IE7 as browser. From
    > > memory I think it may have also tried to open a pdf file but in the
    > > panic I'm not 100 percent sure of that. I think I did get a message
    > > saying about adobe 7.0 having to close, which I thought odd as I was
    > > not attempting to open any file at the time. I did a quick AV scan and
    > > everything seemed fine. I was not sure whether it was coincidence
    > > that I got the AV warning on following the link to The Standard so I
    > > tried it a little later and exactly the same thing occurred. I've not
    > > tried it again since. Can anyone elaborate on what 'Malicious Toolkit
    > > Variant Activity' means and whether I should be worried?

    >
    > > Thanks in advance for any help in this matter.

    >
    > Let me see if I have this straight:
    >
    > You went to a site which is linked to the National Party.
    >
    >  From there you went to a site linked to the Labour Party.
    >
    > And there you found a pdf file which appeared malicious.
    >
    > So you downloaded it again.
    >
    > You don't know which file.
    >
    > You don't know where the file was linked from.
    >
    > You didn't think to Google 'Malicious Toolkit Variant Activity'.


    Not quite. I did google 'Malicious Toolkit Variant Activity' but it
    left me not much the wiser. What happened is that once I got the AV
    warning I 'backed' out of the link. I'm guessing that this may have
    caused adobe to crash. I did not attempt to download a pdf file, that
    happened automatically. I plucked up the courage to try it again just
    now and nothing happened so I guess the site is okay now. I checked my
    browser history and it looks as if there may have been an attempt to
    download a pdf from a website "golpii.com". I have no idea what the
    website might be and certainly don't recall having seen it previously.
     
    , Oct 3, 2008
    #2

  3. Guest

    On Oct 3, 4:19 pm, ""
    <> wrote:
    > On Oct 3, 3:58 pm, Mark Robinson <2tod.net> wrote:
    >
    > > wrote:
    > > > Yesterday I was reading an article on the 'Kiwiblog' website which
    > > > included a link to another website, 'The Standard', which I believe is
    > > > related to the Labour party. Anyway upon clicking on this link I got a
    > > > message from Norton AV informing me of something going by the name
    > > > 'Malicious Toolkit Variant Activity'. I am using IE7 as browser. From
    > > > memory I think it may have also tried to open a pdf file but in the
    > > > panic I'm not 100 percent sure of that. I think I did get a message
    > > > saying about adobe 7.0 having to close, which I thought odd as I was
    > > > not attempting to open any file at the time. I did a quick AV scan and
    > > > everything seemed fine. I was not sure whether it was coincidence
    > > > that I got the AV warning on following the link to The Standard so I
    > > > tried it a little later and exactly the same thing occurred. I've not
    > > > tried it again since. Can anyone elaborate on what 'Malicious Toolkit
    > > > Variant Activity' means and whether I should be worried?

    >
    > > > Thanks in advance for any help in this matter.

    >
    > > Let me see if I have this straight:

    >
    > > You went to a site which is linked to the National Party.

    >
    > >  From there you went to a site linked to the Labour Party.

    >
    > > And there you found a pdf file which appeared malicious.

    >
    > > So you downloaded it again.

    >
    > > You don't know which file.

    >
    > > You don't know where the file was linked from.

    >
    > > You didn't think to Google 'Malicious Toolkit Variant Activity'.

    >
    > Not quite. I did google 'Malicious Toolkit Variant Activity' but it
    > left me not much the wiser. What happened is that once I got the AV
    > warning I 'backed' out of the link. I'm guessing that this may have
    > caused adobe to crash. I did not attempt to download a pdf file, that
    > happened automatically. I plucked up the courage to try it again just
    > now and nothing happened so I guess the site is okay now. I checked my
    > browser history and it looks as if there may have been an attempt to
    > download a pdf from a website "golpii.com". I have no idea what the
    > website might be and certainly don't recall having seen it previously.


    Well I foolishly tried it again and got another different AV alert,
    "HTTP SnapShot Viewer ActiveX File Download". My PC froze and I had to
    use the power button to turn it off. Now I'm too sh!t scared to try it
    again. My browsing habits are very conservative and getting messages
    such as this are rare so I tend to panic on the occasions that it does
    happen.

    Now could someone really brave and with expertise in the field please
    go to kiwiblog.co.nz and then proceed to the article 'Typical smears'
    about half-way down the page. The beginning words of the article also
    act as a link to an article on thestandard.org.nz website. Could they
    then click on the link (WARNING: could be dangerous to do so) and then
    report back on any unusual activity that results. Thanks.
     
    , Oct 3, 2008
    #3
  4. ~misfit~ Guest

    Somewhere on teh intarwebs "" typed:
    > On Oct 3, 4:19 pm, ""
    > <> wrote:
    >> On Oct 3, 3:58 pm, Mark Robinson <2tod.net> wrote:
    >>
    >>> wrote:
    >>>> Yesterday I was reading an article on the 'Kiwiblog' website which
    >>>> included a link to another website, 'The Standard', which I
    >>>> believe is related to the Labour party. Anyway upon clicking on
    >>>> this link I got a message from Norton AV informing me of something
    >>>> going by the name 'Malicious Toolkit Variant Activity'. I am using
    >>>> IE7 as browser. From memory I think it may have also tried to open
    >>>> a pdf file but in the panic I'm not 100 percent sure of that. I
    >>>> think I did get a message saying about adobe 7.0 having to close,
    >>>> which I thought odd as I was not attempting to open any file at
    >>>> the time. I did a quick AV scan and everything seemed fine. I was
    >>>> not sure whether it was coincidence that I got the AV warning on
    >>>> following the link to The Standard so I tried it a little later
    >>>> and exactly the same thing occurred. I've not tried it again
    >>>> since. Can anyone elaborate on what 'Malicious Toolkit Variant
    >>>> Activity' means and whether I should be worried?

    >>
    >>>> Thanks in advance for any help in this matter.

    >>
    >>> Let me see if I have this straight:

    >>
    >>> You went to a site which is linked to the National Party.

    >>
    >>> From there you went to a site linked to the Labour Party.

    >>
    >>> And there you found a pdf file which appeared malicious.

    >>
    >>> So you downloaded it again.

    >>
    >>> You don't know which file.

    >>
    >>> You don't know where the file was linked from.

    >>
    >>> You didn't think to Google 'Malicious Toolkit Variant Activity'.

    >>
    >> Not quite. I did google 'Malicious Toolkit Variant Activity' but it
    >> left me not much the wiser. What happened is that once I got the AV
    >> warning I 'backed' out of the link. I'm guessing that this may have
    >> caused adobe to crash. I did not attempt to download a pdf file, that
    >> happened automatically. I plucked up the courage to try it again just
    >> now and nothing happened so I guess the site is okay now. I checked
    >> my browser history and it looks as if there may have been an attempt
    >> to download a pdf from a website "golpii.com". I have no idea what
    >> the website might be and certainly don't recall having seen it
    >> previously.

    >
    > Well I foolishly tried it again and got another different AV alert,
    > "HTTP SnapShot Viewer ActiveX File Download". My PC froze and I had to
    > use the power button to turn it off. Now I'm too sh!t scared to try it
    > again. My browsing habits are very conservative and getting messages
    > such as this are rare so I tend to panic on the occasions that it does
    > happen.
    >
    > Now could someone really brave and with expertise in the field please
    > go to kiwiblog.co.nz and then proceed to the article 'Typical smears'
    > about half-way down the page. The beginning words of the article also
    > act as a link to an article on thestandard.org.nz website. Could they
    > then click on the link (WARNING: could be dangerous to do so) and then
    > report back on any unusual activity that results. Thanks.


    Ok, I'm only "really brave", not so knowledgeable. However, I imaged my OS
    partition, then did as you asked and I'm now on the standard.org website, at
    the article and AVG didn't do anything, nor did anything else out of the
    ordinary happen.

    Either I'm infected and don't know it yet, you have problems beyond this
    link or kiwiblog have cleaned up a previous problem. I'm using Firefox 3.02
    on XP Pro SP3.

    Cheers,
    --
    Shaun.

    DISCLAIMER: If you find a posting or message from me
    offensive, inappropriate, or disruptive, please ignore it.
    If you don't know how to ignore a posting, complain to
    me and I will be only too happy to demonstrate... ;-)
     
    ~misfit~, Oct 3, 2008
    #4
  5. On Sat, 4 Oct 2008 01:03:54 +1300, "~misfit~"
    <> wrote:

    >Somewhere on teh intarwebs "" typed:
    >> On Oct 3, 4:19 pm, ""
    >> <> wrote:
    >>> On Oct 3, 3:58 pm, Mark Robinson <2tod.net> wrote:
    >>>
    >>>> wrote:
    >>>>> Yesterday I was reading an article on the 'Kiwiblog' website which
    >>>>> included a link to another website, 'The Standard', which I
    >>>>> believe is related to the Labour party. Anyway upon clicking on
    >>>>> this link I got a message from Norton AV informing me of something
    >>>>> going by the name 'Malicious Toolkit Variant Activity'. I am using
    >>>>> IE7 as browser. From memory I think it may have also tried to open
    >>>>> a pdf file but in the panic I'm not 100 percent sure of that. I
    >>>>> think I did get a message saying about adobe 7.0 having to close,
    >>>>> which I thought odd as I was not attempting to open any file at
    >>>>> the time. I did a quick AV scan and everything seemed fine. I was
    >>>>> not sure whether it was coincidence that I got the AV warning on
    >>>>> following the link to The Standard so I tried it a little later
    >>>>> and exactly the same thing occurred. I've not tried it again
    >>>>> since. Can anyone elaborate on what 'Malicious Toolkit Variant
    >>>>> Activity' means and whether I should be worried?
    >>>
    >>>>> Thanks in advance for any help in this matter.
    >>>
    >>>> Let me see if I have this straight:
    >>>
    >>>> You went to a site which is linked to the National Party.
    >>>
    >>>> From there you went to a site linked to the Labour Party.
    >>>
    >>>> And there you found a pdf file which appeared malicious.
    >>>
    >>>> So you downloaded it again.
    >>>
    >>>> You don't know which file.
    >>>
    >>>> You don't know where the file was linked from.
    >>>
    >>>> You didn't think to Google 'Malicious Toolkit Variant Activity'.
    >>>
    >>> Not quite. I did google 'Malicious Toolkit Variant Activity' but it
    >>> left me not much the wiser. What happened is that once I got the AV
    >>> warning I 'backed' out of the link. I'm guessing that this may have
    >>> caused adobe to crash. I did not attempt to download a pdf file, that
    >>> happened automatically. I plucked up the courage to try it again just
    >>> now and nothing happened so I guess the site is okay now. I checked
    >>> my browser history and it looks as if there may have been an attempt
    >>> to download a pdf from a website "golpii.com". I have no idea what
    >>> the website might be and certainly don't recall having seen it
    >>> previously.

    >>
    >> Well I foolishly tried it again and got another different AV alert,
    >> "HTTP SnapShot Viewer ActiveX File Download". My PC froze and I had to
    >> use the power button to turn it off. Now I'm too sh!t scared to try it
    >> again. My browsing habits are very conservative and getting messages
    >> such as this are rare so I tend to panic on the occasions that it does
    >> happen.
    >>
    >> Now could someone really brave and with expertise in the field please
    >> go to kiwiblog.co.nz and then proceed to the article 'Typical smears'
    >> about half-way down the page. The beginning words of the article also
    >> act as a link to an article on thestandard.org.nz website. Could they
    >> then click on the link (WARNING: could be dangerous to do so) and then
    >> report back on any unusual activity that results. Thanks.

    >
    >Ok, I'm only "really brave", not so knowledgeable. However, I imaged my OS
    >partition, then did as you asked and I'm now on the standard.org website, at
    >the article and AVG didn't do anything, nor did anything else out of the
    >ordinary happen.
    >
    >Either I'm infected and don't know it yet, you have problems beyond this
    >link or kiwiblog have cleaned up a previous problem. I'm using Firefox 3.02
    >on XP Pro SP3.
    >
    >Cheers,


    I did it from my old OS/2 box using SeaMonkey, with all my protections
    turned on. That page appears to have been hijacked - it has a lot of
    automatic links to other sites, quite a few of which appear to be
    webcounters of some sort, and two that are just IP addresses. There
    are a few .ru sites, which are always very suspicious. And a
    reference to an external .js: api.recaptcha.net/js/recaptcha.js.
    SeaMonkey eventually locked up on me, after the golpii.com site was
    referenced, and I had to kill it. Here is what my Privoxy log had for
    all the links:

    Oct 04 03:13:01 Privoxy(00003) Request:
    www.thestandard.org.nz/insulting/
    Oct 04 03:13:12 Privoxy(00005) Request:
    www.thestandard.org.nz/wp-content/themes/k2/style.css
    Oct 04 03:13:12 Privoxy(00004) Request:
    www.thestandard.org.nz/favicon.ico
    Oct 04 03:13:12 Privoxy(00003) Request:
    www.thestandard.org.nz/wp-content/themes/k2/css/core.css.php
    Oct 04 03:13:13 Privoxy(00003) Request:
    www.thestandard.org.nz/wp-content/themes/k2/styles/TheStandard/current.css
    Oct 04 03:13:13 Privoxy(00003) Request:
    www.thestandard.org.nz/wp-includes/js/jquery/jquery.js?ver=1.2.3
    Oct 04 03:13:16 Privoxy(00003) Request:
    www.thestandard.org.nz/wp-content/themes/k2/js/k2.functions.js.php?ver=1.0-RC5
    Oct 04 03:13:16 Privoxy(00003) Request:
    www.thestandard.org.nz/wp-content/themes/k2/js/k2.slider.js.php?ver=1.0-RC5
    Oct 04 03:13:16 Privoxy(00003) Request:
    www.thestandard.org.nz/wp-content/themes/k2/js/k2.trimmer.js.php?ver=1.0-RC5
    Oct 04 03:13:16 Privoxy(00003) Request:
    www.thestandard.org.nz/wp-content/themes/k2/js/k2.rollingarchives.js.php?ver=1.0-RC5
    Oct 04 03:13:17 Privoxy(00003) Request:
    www.thestandard.org.nz/wp-content/p...includes/wp-ajax-edit-comments.js.php?ver=1.1
    Oct 04 03:13:17 Privoxy(00003) Request:
    www.thestandard.org.nz/wp-content/plugins/wp-ajax-edit-comments/css/editComments.css
    Oct 04 03:13:22 Privoxy(00003) Request:
    www.thestandard.org.nz/wp-content/uploads/2008/04/standard_v2_30k.jpg
    Oct 04 03:13:24 Privoxy(00005) Request:
    www.thestandard.org.nz/wp-content/themes/k2/images/tag_blue.png
    Oct 04 03:13:24 Privoxy(00005) Request:
    www.thestandard.org.nz/wp-content/themes/k2/images/tag_blue.png
    Oct 04 03:13:24 Privoxy(00006) Request:
    www.thestandard.org.nz/wp-content/themes/k2/images/feed.png
    Oct 04 03:13:24 Privoxy(00004) Request:
    www.gravatar.com/avatar/8030d69e12183e3070a254871f0f66a2?s=32&d=identicon&r=PG
    Oct 04 03:13:25 Privoxy(00003) Request:
    www.gravatar.com/avatar/6f056d504b4ad193b4540c2541aa0cf4?s=32&d=identicon&r=PG
    Oct 04 03:13:25 Privoxy(00005) Request:
    www.gravatar.com/avatar/6043db9bb5f00ff8569131d982c23ffd?s=32&d=identicon&r=PG
    Oct 04 03:13:25 Privoxy(00006) Request:
    api.recaptcha.net/challenge?k=6LfZQwAAAAAAAHyPuxuDIaIeazBIje0AZOL49ktv
    Oct 04 03:13:26 Privoxy(00005) Request:
    www.gravatar.com/avatar/19da8bbeea1488b14b2911f275aae0d6?s=32&d=identicon&r=PG
    Oct 04 03:13:26 Privoxy(00003) Request:
    www.gravatar.com/avatar/6c889c5f9211616d622529473cf23e5d?s=32&d=identicon&r=PG
    Oct 04 03:13:26 Privoxy(00004) Request:
    www.gravatar.com/avatar/d3a05ca106c2a7eb1778cccbfde12b07?s=32&d=identicon&r=PG
    Oct 04 03:13:26 Privoxy(00005) Request:
    www.gravatar.com/avatar/7b4e5bec2d362edb232997b262c882e0?s=32&d=identicon&r=PG
    Oct 04 03:13:26 Privoxy(00003) Request:
    www.gravatar.com/avatar/cba19923be78611199fda456ab7703ae?s=32&d=identicon&r=PG
    Oct 04 03:13:26 Privoxy(00004) Request:
    www.gravatar.com/avatar/f41bcfb0fa3e07f85736d2b62a0611a9?s=32&d=identicon&r=PG
    Oct 04 03:13:26 Privoxy(00006) Request:
    www.gravatar.com/avatar/a53eba431cc8b5340ab39cdb9bfbe2cf?s=32&d=identicon&r=PG
    Oct 04 03:13:26 Privoxy(00005) Request:
    www.gravatar.com/avatar/1e6fa73428d4adc388a64e6e6e2b610e?s=32&d=identicon&r=PG
    Oct 04 03:13:27 Privoxy(00003) Request:
    www.thestandard.org.nz/wp-includes/images/smilies/icon_wink.gif
    Oct 04 03:13:27 Privoxy(00004) Request:
    www.gravatar.com/avatar/9c6468e173b4f7ff7f02a0148cffcb0f?s=32&d=identicon&r=PG
    Oct 04 03:13:27 Privoxy(00006) Request:
    www.gravatar.com/avatar/b856862d53c6ce9f8b8480a4aba4064d?s=32&d=identicon&r=PG
    Oct 04 03:13:27 Privoxy(00006) Request:
    www.gravatar.com/avatar/b856862d53c6ce9f8b8480a4aba4064d?s=32&d=identicon&r=PG
    Oct 04 03:13:27 Privoxy(00005) Request:
    www.gravatar.com/avatar/ccd536409c0ed4e9e4050d2d431081c2?s=32&d=identicon&r=PG
    Oct 04 03:13:27 Privoxy(00006) Request:
    www.gravatar.com/avatar/c68322e303060443af7733835e61f510?s=32&d=identicon&r=PG
    Oct 04 03:13:27 Privoxy(00004) Request:
    www.gravatar.com/avatar/5468a8dab1fd843ce9e1e8e10439a6fc?s=32&d=identicon&r=PG
    Oct 04 03:13:27 Privoxy(00003) Request:
    www.gravatar.com/avatar/cb9652e04ab959a44d62a90e5a0653e3?s=32&d=identicon&r=PG
    Oct 04 03:13:29 Privoxy(00005) Request:
    www.gravatar.com/avatar/77a4c21ba182708e13a17003604ceb5d?s=32&d=identicon&r=PG
    Oct 04 03:13:29 Privoxy(00006) Request:
    www.gravatar.com/avatar/d3f38fbc96f6b4e8ee2b1a4226140828?s=32&d=identicon&r=PG
    Oct 04 03:13:29 Privoxy(00003) Request:
    www.gravatar.com/avatar/0abc24e7d6bf7e7cb589f665831143ba?s=32&d=identicon&r=PG
    Oct 04 03:13:29 Privoxy(00005) Request:
    www.gravatar.com/avatar/676c8a18af7d5f2f33c42cbc4a083c44?s=32&d=identicon&r=PG
    Oct 04 03:13:29 Privoxy(00006) Request:
    www.gravatar.com/avatar/2e7e8ee6d2c450af4f1c5b238e7ee04e?s=32&d=identicon&r=PG
    Oct 04 03:13:29 Privoxy(00003) Request:
    www.gravatar.com/avatar/ef3e5883501e40a464d25b66330a3d3a?s=32&d=identicon&r=PG
    Oct 04 03:13:29 Privoxy(00005) Request:
    www.gravatar.com/avatar/7ab9dafbea4038fe53faf6e2cb4c31f8?s=32&d=identicon&r=PG
    Oct 04 03:13:29 Privoxy(00006) Request:
    www.gravatar.com/avatar/dc77db042a03b2a7b7838320e0a8b69b?s=32&d=identicon&r=PG
    Oct 04 03:13:29 Privoxy(00003) Request:
    www.gravatar.com/avatar/ef3d55467bd782efe51b4d7fbb33df6e?s=32&d=identicon&r=PG
    Oct 04 03:13:29 Privoxy(00005) Request:
    www.gravatar.com/avatar/c65f807f754bb0f5601eb9a2481eb0cb?s=32&d=identicon&r=PG
    Oct 04 03:13:29 Privoxy(00006) Request:
    www.gravatar.com/avatar/83687b6bdf84ff89c511be819777713c?s=32&d=identicon&r=PG
    Oct 04 03:13:29 Privoxy(00005) Request:
    www.gravatar.com/avatar/11db125dd59b8fead19aba716ad5bee2?s=32&d=identicon&r=PG
    Oct 04 03:13:29 Privoxy(00006) Request:
    www.gravatar.com/avatar/7815cc8b256b0a4dad94bb96a59a13cf?s=32&d=identicon&r=PG
    Oct 04 03:13:29 Privoxy(00003) Request:
    www.gravatar.com/avatar/d21d4057d65f04482134804482709203?s=32&d=identicon&r=PG
    Oct 04 03:13:29 Privoxy(00005) Request:
    www.gravatar.com/avatar/6cd2d98d3cc8a76a5e5d9e6631900f32?s=32&d=identicon&r=PG
    Oct 04 03:13:29 Privoxy(00006) Request:
    www.gravatar.com/avatar/6d3e97851c376d4d062e6847536e532f?s=32&d=identicon&r=PG
    Oct 04 03:13:29 Privoxy(00003) Request:
    www.gravatar.com/avatar/cb825b49f69565ed20b5561e504c41cc?s=32&d=identicon&r=PG
    Oct 04 03:13:29 Privoxy(00005) Request:
    www.gravatar.com/avatar/10e345c104c032f58f10bf64f7da009b?s=32&d=identicon&r=PG
    Oct 04 03:13:30 Privoxy(00006) Request:
    www.gravatar.com/avatar/8711144928a739272417c88ce9ee01c6?s=32&d=identicon&r=PG
    Oct 04 03:13:30 Privoxy(00003) Request:
    www.gravatar.com/avatar/0be50168867a1f223b85a85b834f6102?s=32&d=identicon&r=PG
    Oct 04 03:13:30 Privoxy(00005) Request:
    www.thestandard.org.nz/wp-includes/images/smilies/icon_smile.gif
    Oct 04 03:13:30 Privoxy(00006) Request:
    www.gravatar.com/avatar/f26276ed962f1083bc19b841d56e44f5?s=32&d=identicon&r=PG
    Oct 04 03:13:30 Privoxy(00003) Request:
    www.gravatar.com/avatar/cabe2c90d18038bbd06d5daf3af71ae3?s=32&d=identicon&r=PG
    Oct 04 03:13:30 Privoxy(00006) Request:
    www.gravatar.com/avatar/9e10437dffb17080319ee00d4f3e5538?s=32&d=identicon&r=PG
    Oct 04 03:13:30 Privoxy(00005) Request:
    www.gravatar.com/avatar/e3c3e5a011a2d3ad628f470caa24f586?s=32&d=identicon&r=PG
    Oct 04 03:13:30 Privoxy(00003) Request:
    www.gravatar.com/avatar/952831a1969cb1164c6d323e89f24c52?s=32&d=identicon&r=PG
    Oct 04 03:13:30 Privoxy(00006) Request:
    www.gravatar.com/avatar/62a8ad5b91f0fdf34628b5089b08bc99?s=32&d=identicon&r=PG
    Oct 04 03:13:30 Privoxy(00005) Request:
    www.gravatar.com/avatar/16ab84445abb048e3fc150f225a06ba5?s=32&d=identicon&r=PG
    Oct 04 03:13:30 Privoxy(00003) Request:
    www.gravatar.com/avatar/a9bd2384af890cf20365134fc72c2fdf?s=32&d=identicon&r=PG
    Oct 04 03:13:30 Privoxy(00006) Request:
    www.gravatar.com/avatar/e8279592584fec2bc529a9ce7f2671e1?s=32&d=identicon&r=PG
    Oct 04 03:13:30 Privoxy(00006) Request:
    www.gravatar.com/avatar/78087d1f1bed767f4aec650020f63679?s=32&d=identicon&r=PG
    Oct 04 03:13:30 Privoxy(00007) Request:
    www.gravatar.com/avatar/1015962bd9e2810eeb115f71a9b9f63d?s=32&d=identicon&r=PG
    Oct 04 03:13:30 Privoxy(00003) Request:
    api.recaptcha.net/js/recaptcha.js
    Oct 04 03:13:31 Privoxy(00005) Request:
    www.gravatar.com/avatar/561da6af54ab6d69f4e1e0ece0d1fdd8?s=32&d=identicon&r=PG
    Oct 04 03:13:31 Privoxy(00004) Request:
    www.gravatar.com/avatar/c220b11e76233345a7b1e3084e9d1642?s=32&d=identicon&r=PG
    Oct 04 03:13:31 Privoxy(00006) Request:
    www.gravatar.com/avatar/6222bf29c6a3b19d1158b7526ac59850?s=32&d=identicon&r=PG
    Oct 04 03:13:31 Privoxy(00005) Request:
    www.thestandard.org.nz/wp-content/themes/k2/images/arrow_refresh.png
    Oct 04 03:13:31 Privoxy(00004) Request:
    www.thestandard.org.nz/wp-content/themes/k2/images/quote.png
    Oct 04 03:13:37 Privoxy(00003) Request:
    api.recaptcha.net/img/red/refresh.gif
    Oct 04 03:13:39 Privoxy(00004) Request:
    api.recaptcha.net/img/red/audio.gif
    Oct 04 03:13:39 Privoxy(00005) Request:
    api.recaptcha.net/img/red/text.gif
    Oct 04 03:13:39 Privoxy(00005) Request:
    api.recaptcha.net/img/red/text.gif
    Oct 04 03:13:44 Privoxy(00003) Request:
    api.recaptcha.net/image?c=02r8093UKAoTlKZ8ckr2k_mdbbYfcqCUYvUn1m5ybgkoXtmP1VxzG-j3Vq6zV78nAGhRcwrERtVW9RbeE-KUgh7aH9kzBuX6GWShuGgEYG-YYaAZqQfNRGRl6Oqfv7-eDnxShdRaUkjl6JqDQhGvjd6Wm1l1cn4IC3wUiwrcxo3rajdzO2BaJzNNRG2PO9ySNh_fEam_qq9LyEAtAZg4jkevgXSoSHWoqeyTb8x9GPMXvViMZkAwMD
    Oct 04 03:13:49 Privoxy(00004) Request:
    api.recaptcha.net/img/red/sprite.png
    Oct 04 03:14:02 Privoxy(00003) Request: gstats.cn/
    Oct 04 03:14:02 Privoxy(00004) Request: www.google-analytics.com/ga.js
    crunch!
    Oct 04 03:14:04 Privoxy(00004) Request:
    stats.wordpress.com/g.gif?host=www.thestandard.org.nz&rand=0.3473116058737238&blog=4469138&v=ext&post=3212&ref=Not%20Your%20Business%21
    Oct 04 03:14:13 Privoxy(00003) Request: 89.187.48.131/z/5.htm
    Oct 04 03:14:15 Privoxy(00003) Request: 89.187.48.131/z/a.htm
    Oct 04 03:14:15 Privoxy(00004) Request: 89.187.48.131/z/f.htm
    Oct 04 03:14:15 Privoxy(00005) Request: 89.187.48.131/z/p.htm
    Oct 04 03:14:15 Privoxy(00006) Request: ho0k.com/etc/count.php?o=5
    crunch!
    Oct 04 03:14:15 Privoxy(00006) Request: 89.187.48.131/z/z.htm
    Oct 04 03:14:16 Privoxy(00004) Request: 89.187.48.131/z/k.htm
    Oct 04 03:14:16 Privoxy(00005) Request: 89.187.48.131/out.php?s_id=1
    Oct 04 03:14:16 Privoxy(00006) Request:
    kkekx.topofdriving.mine.nu/fampy1pq/ccclspiisxb4/cztgt2/
    Oct 04 03:14:17 Privoxy(00004) Request:
    config.privoxy.org/send-stylesheet cgi call
    Oct 04 03:14:17 Privoxy(00004) Request:
    config.privoxy.org/send-stylesheet crunch!
    Oct 04 03:14:17 Privoxy(00004) Request: fstat.cn/in.cgi?id142
    Oct 04 03:14:17 Privoxy(00005) Request: busyhere.ru/in.cgi?pipka4
    Oct 04 03:14:17 Privoxy(00003) Request:
    vipsimpa.com/tool/tool2/in.cgi?baggi1
    Oct 04 03:14:20 Privoxy(00003) Request: divinets.cn/xts/in.cgi?9
    Oct 04 03:14:20 Privoxy(00004) Request: yourtraf.ru/tds/in.cgi?10
    Oct 04 03:14:23 Privoxy(00004) Request: fstat.cn/tds/in.cgi?2
    Oct 04 03:14:24 Privoxy(00005) Request: google.com/
    Oct 04 03:14:29 Privoxy(00004) Request:
    vipsimpa.com/tool/feed/in.cgi?18
    Oct 04 03:14:30 Privoxy(00004) Request:
    include.ff-freehosting.com/in.php
    Oct 04 03:14:30 Privoxy(00005) Request: www.google.com/
    Oct 04 03:14:30 Privoxy(00006) Request:
    engine-global-online.com/empty.html
    Oct 04 03:14:38 Privoxy(00003) Request: www.google.co.nz/
    Oct 04 03:14:38 Privoxy(00004) Request:
    tube.ff-freehosting.com/main/7/index.php
    Oct 04 03:14:38 Privoxy(00005) Request: 196.32.220.3/s/in.cgi?3
    Oct 04 03:14:42 Privoxy(00004) Request: golpii.com/26/1/
     
    Stephen Worthington, Oct 3, 2008
    #5
  6. ~misfit~ Guest

    Somewhere on teh intarwebs "Mark Robinson" typed:
    > Mark Robinson wrote:



    [snip snip]

    >> That's weird.
    >>
    >> This wasn't happening for me yesterday and isn't happening for me
    >> today, even when I allow all that nasty javascript.
    >>
    >> Perhaps this is some man in the middle attack.
    >>
    >> Sorry about the amount of quotage, it seemed important to include
    >> it. I even considered top posting.

    >
    > That said, *gravatar* has been in my block list since it first
    > appeared on the net - horrid tracky stuff.


    Well, I did say that I wasn't knowledgeable on these things. However, after
    visiting said site I did a complete scan with AVG and it didn't come up with
    anything that could have been related to that site.

    (It did find what it called "Trojan horse Downloader.Generic7.AUBS" but that
    was in IE's temp files and I used Firefox to check the site in question.)

    Cheers,
    --
    Shaun.

    DISCLAIMER: If you find a posting or message from me
    offensive, inappropriate, or disruptive, please ignore it.
    If you don't know how to ignore a posting, complain to
    me and I will be only too happy to demonstrate... ;-)
     
    ~misfit~, Oct 3, 2008
    #6
  7. Guest

    On Oct 4, 10:39 am, Mark Robinson <2tod.net> wrote:
    > The webmaster for thestandard can't see it either and suspects a
    > man-in-the-middle attack.
    >
    > Now, who would be in a position to do that ...


    Thanks to Stephen. I've had vague complaints coming in about this over
    the last week, but have never been able to see it myself from any of
    my routes from any site.

    It appears to be coming in via the google analytics request from the
    request logs that Stephen supplied. I've disabled the plugin that is
    getting it. Could someone who can see it try again and tell me if it
    has stopped?

    Lynn
     
    , Oct 4, 2008
    #7
  8. On Fri, 3 Oct 2008 16:43:23 -0700 (PDT),
    wrote:

    >On Oct 4, 10:39 am, Mark Robinson <2tod.net> wrote:
    >> The webmaster for thestandard can't see it either and suspects a
    >> man-in-the-middle attack.
    >>
    >> Now, who would be in a position to do that ...

    >
    >Thanks to Stephen. I've had vague complaints coming in about this over
    >the last week, but have never been able to see it myself from any of
    >my routes from any site.
    >
    >It appears to be coming in via the google analytics request from the
    >request logs that Stephen supplied. I've disabled the plugin that is
    >getting it. Could someone who can see it try again and tell me if it
    >has stopped.
    >
    >Lynn


    It cannot have been the Google Analytics that did it, as you can see
    from my log I have long since blocked that. Anything in my log with
    "crunch!" after it was blocked.

    I have just tried loading the page again, and had a very similar
    result. So I then added ".gravatar.com" to my Privoxy block list, and
    reloaded. This time, SeaMonkey was OK and I was able to use "View
    source" to get a copy of the page. I have emailed it to you at your
    gmail address above, so you can see if it is the same as what is on
    the server.

    If this is a man-in-the-middle attack, then maybe someone has managed
    to hack Ihug/Vodafone's Squid web cache - there have been a number of
    complaints about it in the last week or two.
     
    Stephen Worthington, Oct 4, 2008
    #8
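    Stephen's two posts turn on reading the Privoxy log: which requests carry the "crunch!" marker (blocked by Privoxy, so they delivered nothing), which hosts are the site's own or its expected third parties (gravatar, reCAPTCHA, stats), and which are the bare-IP, .ru/.cn, dynamic-DNS and in.cgi-style hops that end at golpii.com. The Python below is an added example, not code from the thread, that parses such a log (including wrapped URLs and standalone "crunch!" lines as seen above) and lists the flagged requests the proxy actually let through; the sample log is a constructed excerpt, and the first-party/expected-third-party lists, the TLD and dynamic-DNS heuristics and the helper names are assumptions.

```python
import re
from dataclasses import dataclass

# Constructed excerpt modelled on the Privoxy log posted in the thread. URLs may wrap onto
# the next line; Privoxy's "crunch!" (request blocked) sits on the request line or on its own.
SAMPLE_LOG = """\
Oct 04 03:13:01 Privoxy(00003) Request:
www.thestandard.org.nz/insulting/
Oct 04 03:13:24 Privoxy(00004) Request:
www.gravatar.com/avatar/8030d69e12183e3070a254871f0f66a2?s=32&d=identicon&r=PG
Oct 04 03:14:02 Privoxy(00003) Request: gstats.cn/
Oct 04 03:14:02 Privoxy(00004) Request: www.google-analytics.com/ga.js
crunch!
Oct 04 03:14:13 Privoxy(00003) Request: 89.187.48.131/z/5.htm
Oct 04 03:14:15 Privoxy(00006) Request: ho0k.com/etc/count.php?o=5
crunch!
Oct 04 03:14:16 Privoxy(00006) Request:
kkekx.topofdriving.mine.nu/fampy1pq/ccclspiisxb4/cztgt2/
Oct 04 03:14:17 Privoxy(00004) Request:
config.privoxy.org/send-stylesheet crunch!
Oct 04 03:14:17 Privoxy(00005) Request: busyhere.ru/in.cgi?pipka4
Oct 04 03:14:42 Privoxy(00004) Request: golpii.com/26/1/
"""

# Assumptions for this example: the site being tested is first party, and these are the
# third parties its page is expected to load (gravatars, reCAPTCHA, stats, Privoxy's own CGI).
FIRST_PARTY = "thestandard.org.nz"
EXPECTED_THIRD_PARTY = {"gravatar.com", "recaptcha.net", "google-analytics.com",
                        "wordpress.com", "google.com", "google.co.nz", "privoxy.org"}
SUSPICIOUS_TLDS = {"ru", "cn"}                  # the TLDs Stephen calls out in his log
DYNDNS_SUFFIXES = ("mine.nu",)                  # dynamic-DNS zone seen in the chain
TDS_PATH = re.compile(r"/in\.(cgi|php)(\?|$)")  # traffic-direction-system style hop
IPV4_HOST = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")
LOG_LINE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) Privoxy\(\d+\) Request:(?P<rest>.*)$")


@dataclass
class Request:
    ts: str
    url: str
    blocked: bool = False

    @property
    def host(self):
        return self.url.split("/", 1)[0].lower()


def _split_url(text):
    # (url, blocked) for the text after "Request:"; url is None when it wrapped
    parts = text.split()
    if not parts:
        return None, False
    return parts[0], "crunch!" in parts[1:]


def parse_privoxy_log(text):
    """Parse 'Request:' lines, joining wrapped URLs and applying 'crunch!' markers."""
    records, pending_ts = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LOG_LINE.match(line)
        if m:
            url, blocked = _split_url(m.group("rest"))
            if url is None:
                pending_ts = m.group("ts")           # URL continues on the next line
            else:
                records.append(Request(m.group("ts"), url, blocked))
                pending_ts = None
        elif line == "crunch!" and records:
            records[-1].blocked = True               # marker refers to the previous request
        elif pending_ts is not None:
            url, blocked = _split_url(line)
            records.append(Request(pending_ts, url, blocked))
            pending_ts = None
    return records


def _under(host, domain):
    return host == domain or host.endswith("." + domain)


def reasons(req):
    """Why a request looks like part of an injected redirect chain (empty if benign)."""
    out, host = [], req.host
    if IPV4_HOST.match(host):
        out.append("bare IP host")
    if host.rsplit(".", 1)[-1] in SUSPICIOUS_TLDS:
        out.append("suspicious TLD")
    if host.endswith(DYNDNS_SUFFIXES):
        out.append("dynamic-DNS host")
    if TDS_PATH.search(req.url):
        out.append("TDS-style redirector path")
    if not _under(host, FIRST_PARTY) and not any(_under(host, d) for d in EXPECTED_THIRD_PARTY):
        out.append("unexpected third party")
    return out


def suspicious_unblocked(records):
    """Flagged requests the proxy let through; 'crunch!'-ed ones delivered nothing."""
    return [r for r in records if not r.blocked and reasons(r)]


if __name__ == "__main__":
    print([r.host for r in suspicious_unblocked(parse_privoxy_log(SAMPLE_LOG))])
```

Run against the constructed log, the blocked Google Analytics and ho0k.com requests drop out of the result, leaving the gstats.cn, bare-IP, mine.nu, busyhere.ru and golpii.com hops in the order the browser was sent through them.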
  9. Enkidu Guest

    wrote:
    > On Oct 3, 4:19 pm, ""
    > <> wrote:
    >> On Oct 3, 3:58 pm, Mark Robinson <2tod.net> wrote:
    >>
    >>> wrote:
    >>>> Yesterday I was reading an article on the 'Kiwiblog' website which
    >>>> included a link to another website, 'The Standard', which I believe is
    >>>> related to the Labour party. Anyway upon clicking on this link I got a
    >>>> message from Norton AV informing me of something going by the name
    >>>> 'Malicious Toolkit Variant Activity'. I am using IE7 as browser. From
    >>>> memory I think it may have also tried to open a pdf file but in the
    >>>> panic I'm not 100 percent sure of that. I think I did get a message
    >>>> saying about adobe 7.0 having to close, which I thought odd as I was
    >>>> not attempting to open any file at the time. I did a quick AV scan and
    >>>> every thing seemed fine. I was not sure whether it was coincidence
    >>>> that I got the AV warning on following the link to The Standard so I
    >>>> tried it a little later and exactly the same thing occurred. I've not
    >>>> tried it again since. Can anyone elaborate on what 'Malicious Toolkit
    >>>> Variant Activity' means and whether I should be worried?
    >>>> Thanks in advance for any help in this matter.
    >>> Let me see if I have this straight:
    >>> You went to a site which is linked to the National Party.
    >>> From there you went to a site linked to the Labour Party.
    >>> And there you found a pdf file which appeared malicious.
    >>> So you downloaded it again.
    >>> You don't know which file.
    >>> You don't know where the file was linked from.
    >>> You didn't think to Google 'Malicious Toolkit Variant Activity'.

    >> Not quite. I did google 'Malicious Toolkit Variant Activity' but it
    >> left me not much the wiser. What happened is that once I got the AV
    >> warning I 'backed' out of the link. I'm guessing that this may have
    >> caused adobe to crash. I did not attempt to download a pdf file, that
    >> happened automatically. I plucked up the courage to try it again just
    >> now and nothing happened so I guess the site is okay now. I checked my
    >> browser history and it looks as if there may have been an attempt to
    >> download a pdf from a website "golpii.com". I have no idea what the
    >> website might be and certainly don't recall having seen it previously.

    >
    > Well I foolishly tried it again and got another different AV alert,
    > "HTTP SnapShot Viewer ActiveX File Download". My PC froze and I had to
    > use the power button to turn it off. Now I'm too sh!t scared to try it
    > again. My browsing habits are very conservative and getting messages
    > such as this are rare so I tend to panic on the occasions that it does
    > happen.
    >
    > Now could someone really brave and with expertise in the field please
    > go to kiwiblog.co.nz and then proceed to the article 'Typical smears'
    > about half-way down the page. The beginning words of the article also
    > act as a link to an article on thestandard.org.nz website. Could they
    > then click on the link (WARNING: could be dangerous to do so) and then
    > report back on any unusual activity that results. Thanks.
    >

    Nothing. I looked at the source and it appears to be reasonably normal.
    Looks like he uses Wordpress and a bunch of Javascript from somewhere,
    but I didn't see anything out of the ordinary.

    Cheers,

    Cliff

    --

    Tax is not theft.
     
    Enkidu, Oct 4, 2008
    #9
  10. Enkidu Guest

    Mark Robinson wrote:
    > Mark Robinson wrote:
    >> Stephen Worthington wrote:
    >>> On Sat, 4 Oct 2008 01:03:54 +1300, "~misfit~"
    >>> <> wrote:
    >>>
    >>>> Somewhere on teh intarwebs "" typed:
    >>>>> On Oct 3, 4:19 pm, ""
    >>>>> <> wrote:
    >>>>>> On Oct 3, 3:58 pm, Mark Robinson <2tod.net> wrote:
    >>>>>>> wrote:
    >>>>>>>> Yesterday I was reading an article on the 'Kiwiblog' website which
    >>>>>>>> included a link to another website, 'The Standard', which I
    >>>>>>>> believe is related to the Labour party. Anyway upon clicking on
    >>>>>>>> this link I got a message from Norton AV informing me of something
    >>>>>>>> going by the name 'Malicious Toolkit Variant Activity'. I am using
    >>>>>>>> IE7 as browser. From memory I think it may have also tried to open
    >>>>>>>> a pdf file but in the panic I'm not 100 percent sure of that. I
    >>>>>>>> think I did get a message saying about adobe 7.0 having to close,
    >>>>>>>> which I thought odd as I was not attempting to open any file at
    >>>>>>>> the time. I did a quick AV scan and every thing seemed fine. I was
    >>>>>>>> not sure whether it was coincidence that I got the AV warning on
    >>>>>>>> following the link to The Standard so I tried it a little later
    >>>>>>>> and exactly the same thing occurred. I've not tried it again
    >>>>>>>> since. Can anyone elaborate on what 'Malicious Toolkit Variant
    >>>>>>>> Activity' means and whether I should be worried?
    >>>>>>>> Thanks in advance for any help in this matter.
    >>>>>>> Let me see if I have this straight:
    >>>>>>> You went to a site which is linked to the National Party.
    >>>>>>> From there you went to a site linked to the Labour Party.
    >>>>>>> And there you found a pdf file which appeared malicious.
    >>>>>>> So you downloaded it again.
    >>>>>>> You don't know which file.
    >>>>>>> You don't know where the file was linked from.
    >>>>>>> You didn't think to Google 'Malicious Toolkit Variant Activity'.
    >>>>>> Not quite. I did google 'Malicious Toolkit Variant Activity' but it
    >>>>>> left me not much the wiser. What happened is that once I got the AV
    >>>>>> warning I 'backed' out of the link. I'm guessing that this may have
    >>>>>> caused adobe to crash. I did not attempt to download a pdf file, that
    >>>>>> happened automatically. I plucked up the courage to try it again just
    >>>>>> now and nothing happened so I guess the site is okay now. I checked
    >>>>>> my browser history and it looks as if there may have been an attempt
    >>>>>> to download a pdf from a website "golpii.com". I have no idea what
    >>>>>> the website might be and certainly don't recall having seen it
    >>>>>> previously.
    >>>>> Well I foolishly tried it again and got another different AV alert,
    >>>>> "HTTP SnapShot Viewer ActiveX File Download". My PC froze and I had to
    >>>>> use the power button to turn it off. Now I'm too sh!t scared to try it
    >>>>> again. My browsing habits are very conservative and getting messages
    >>>>> such as this are rare so I tend to panic on the occasions that it does
    >>>>> happen.
    >>>>>
    >>>>> Now could someone really brave and with expertise in the field please
    >>>>> go to kiwiblog.co.nz and then proceed to the article 'Typical smears'
    >>>>> about half-way down the page. The beginning words of the article also
    >>>>> act as a link to an article on thestandard.org.nz website. Could they
    >>>>> then click on the link (WARNING: could be dangerous to do so) and then
    >>>>> report back on any unusual activity that results. Thanks.
    >>>> Ok, I'm only "really brave", not so knowledgable. However, I imaged
    >>>> my OS partition, then did as you asked and I'm now on the
    >>>> standard.org website, at the article and AVG didn't do anything, nor
    >>>> did anything else out of the ordinary happen.
    >>>>
    >>>> Either I'm infected and don't know it yet, you have problems beyond
    >>>> this link or kiwiblog have cleaned up a previous problem. I'm using
    >>>> Firefox 3.02 on XP Pro SP3.
    >>>>
    >>>> Cheers,
    >>>
    >>> I did it from my old OS/2 box using SeaMonkey, with all my protections
    >>> turned on. That page appears to have been hijacked - it has a lot of
    >>> automatic links to other sites, quite a few of which appear to be
    >>> webcounters of some sort, and two that are just IP addresses. There
    >>> are a few .ru sites, which are always very suspicious. And a
    >>> reference to an external .js: api.recaptcha.net/js/recaptcha.js.
    >>> SeaMonkey eventually locked up on me, after the golpii.com site was
    >>> referenced, and I had to kill it. Here is what my Privoxy log had for
    >>> all the links:
    >>>
    >>> Oct 04 03:13:01 Privoxy(00003) Request: www.thestandard.org.nz/insulting/
    >>> Oct 04 03:13:12 Privoxy(00005) Request: www.thestandard.org.nz/wp-content/themes/k2/style.css
    >>> Oct 04 03:13:12 Privoxy(00004) Request: www.thestandard.org.nz/favicon.ico
    >>> Oct 04 03:13:12 Privoxy(00003) Request: www.thestandard.org.nz/wp-content/themes/k2/css/core.css.php
    >>> Oct 04 03:13:13 Privoxy(00003) Request: www.thestandard.org.nz/wp-content/themes/k2/styles/TheStandard/current.css
    >>> Oct 04 03:13:13 Privoxy(00003) Request: www.thestandard.org.nz/wp-includes/js/jquery/jquery.js?ver=1.2.3
    >>> Oct 04 03:13:16 Privoxy(00003) Request: www.thestandard.org.nz/wp-content/themes/k2/js/k2.functions.js.php?ver=1.0-RC5
    >>> Oct 04 03:13:16 Privoxy(00003) Request: www.thestandard.org.nz/wp-content/themes/k2/js/k2.slider.js.php?ver=1.0-RC5
    >>> Oct 04 03:13:16 Privoxy(00003) Request: www.thestandard.org.nz/wp-content/themes/k2/js/k2.trimmer.js.php?ver=1.0-RC5
    >>> Oct 04 03:13:16 Privoxy(00003) Request: www.thestandard.org.nz/wp-content/themes/k2/js/k2.rollingarchives.js.php?ver=1.0-RC5
    >>> Oct 04 03:13:17 Privoxy(00003) Request: www.thestandard.org.nz/wp-content/p...includes/wp-ajax-edit-comments.js.php?ver=1.1
    >>> Oct 04 03:13:17 Privoxy(00003) Request: www.thestandard.org.nz/wp-content/plugins/wp-ajax-edit-comments/css/editComments.css
    >>> Oct 04 03:13:22 Privoxy(00003) Request: www.thestandard.org.nz/wp-content/uploads/2008/04/standard_v2_30k.jpg
    >>> Oct 04 03:13:24 Privoxy(00005) Request: www.thestandard.org.nz/wp-content/themes/k2/images/tag_blue.png
    >>> Oct 04 03:13:24 Privoxy(00005) Request: www.thestandard.org.nz/wp-content/themes/k2/images/tag_blue.png
    >>> Oct 04 03:13:24 Privoxy(00006) Request: www.thestandard.org.nz/wp-content/themes/k2/images/feed.png
    >>> Oct 04 03:13:24 Privoxy(00004) Request: www.gravatar.com/avatar/8030d69e12183e3070a254871f0f66a2?s=32&d=identicon&r=PG
    >>> Oct 04 03:13:25 Privoxy(00003) Request: www.gravatar.com/avatar/6f056d504b4ad193b4540c2541aa0cf4?s=32&d=identicon&r=PG
    >>> Oct 04 03:13:25 Privoxy(00005) Request: www.gravatar.com/avatar/6043db9bb5f00ff8569131d982c23ffd?s=32&d=identicon&r=PG
    >>> Oct 04 03:13:25 Privoxy(00006) Request: api.recaptcha.net/challenge?k=6LfZQwAAAAAAAHyPuxuDIaIeazBIje0AZOL49ktv
    >>> Oct 04 03:13:26 Privoxy(00005) Request: www.gravatar.com/avatar/19da8bbeea1488b14b2911f275aae0d6?s=32&d=identicon&r=PG
    >>> Oct 04 03:13:26 Privoxy(00003) Request: www.gravatar.com/avatar/6c889c5f9211616d622529473cf23e5d?s=32&d=identicon&r=PG
    >>> Oct 04 03:13:26 Privoxy(00004) Request: www.gravatar.com/avatar/d3a05ca106c2a7eb1778cccbfde12b07?s=32&d=identicon&r=PG
    >>> Oct 04 03:13:26 Privoxy(00005) Request: www.gravatar.com/avatar/7b4e5bec2d362edb232997b262c882e0?s=32&d=identicon&r=PG
    >>> Oct 04 03:13:26 Privoxy(00003) Request: www.gravatar.com/avatar/cba19923be78611199fda456ab7703ae?s=32&d=identicon&r=PG
    >>> Oct 04 03:13:26 Privoxy(00004) Request: www.gravatar.com/avatar/f41bcfb0fa3e07f85736d2b62a0611a9?s=32&d=identicon&r=PG
    >>> Oct 04 03:13:26 Privoxy(00006) Request: www.gravatar.com/avatar/a53eba431cc8b5340ab39cdb9bfbe2cf?s=32&d=identicon&r=PG
    >>> Oct 04 03:13:26 Privoxy(00005) Request: www.gravatar.com/avatar/1e6fa73428d4adc388a64e6e6e2b610e?s=32&d=identicon&r=PG
    >>> Oct 04 03:13:27 Privoxy(00003) Request: www.thestandard.org.nz/wp-includes/images/smilies/icon_wink.gif
    >>> Oct 04 03:13:27 Privoxy(00004) Request: www.gravatar.com/avatar/9c6468e173b4f7ff7f02a0148cffcb0f?s=32&d=identicon&r=PG
    >>> Oct 04 03:13:27 Privoxy(00006) Request: www.gravatar.com/avatar/b856862d53c6ce9f8b8480a4aba4064d?s=32&d=identicon&r=PG
    >>> Oct 04 03:13:27 Privoxy(00006) Request: www.gravatar.com/avatar/b856862d53c6ce9f8b8480a4aba4064d?s=32&d=identicon&r=PG
    >>> Oct 04 03:13:27 Privoxy(00005) Request: www.gravatar.com/avatar/ccd536409c0ed4e9e4050d2d431081c2?s=32&d=identicon&r=PG
    >>> Oct 04 03:13:27 Privoxy(00006) Request: www.gravatar.com/avatar/c68322e303060443af7733835e61f510?s=32&d=identicon&r=PG
    >>> Oct 04 03:13:27 Privoxy(00004) Request: www.gravatar.com/avatar/5468a8dab1fd843ce9e1e8e10439a6fc?s=32&d=identicon&r=PG
    >>> Oct 04 03:13:27 Privoxy(00003) Request: www.gravatar.com/avatar/cb9652e04ab959a44d62a90e5a0653e3?s=32&d=identicon&r=PG
    >>> Oct 04 03:13:29 Privoxy(00005) Request: www.gravatar.com/avatar/77a4c21ba182708e13a17003604ceb5d?s=32&d=identicon&r=PG
    >>> Oct 04 03:13:29 Privoxy(00006) Request: www.gravatar.com/avatar/d3f38fbc96f6b4e8ee2b1a4226140828?s=32&d=identicon&r=PG
    >>> Oct 04 03:13:29 Privoxy(00003) Request: www.gravatar.com/avatar/0abc24e7d6bf7e7cb589f665831143ba?s=32&d=identicon&r=PG
    >>> Oct 04 03:13:29 Privoxy(00005) Request: www.gravatar.com/avatar/676c8a18af7d5f2f33c42cbc4a083c44?s=32&d=identicon&r=PG
    >>> Oct 04 03:13:29 Privoxy(00006) Request: www.gravatar.com/avatar/2e7e8ee6d2c450af4f1c5b238e7ee04e?s=32&d=identicon&r=PG
    >>> Oct 04 03:13:29 Privoxy(00003) Request: www.gravatar.com/avatar/ef3e5883501e40a464d25b66330a3d3a?s=32&d=identicon&r=PG
    >>> Oct 04 03:13:29 Privoxy(00005) Request: www.gravatar.com/avatar/7ab9dafbea4038fe53faf6e2cb4c31f8?s=32&d=identicon&r=PG
    >>> Oct 04 03:13:29 Privoxy(00006) Request: www.gravatar.com/avatar/dc77db042a03b2a7b7838320e0a8b69b?s=32&d=identicon&r=PG
    >>> Oct 04 03:13:29 Privoxy(00003) Request: www.gravatar.com/avatar/ef3d55467bd782efe51b4d7fbb33df6e?s=32&d=identicon&r=PG
    >>> Oct 04 03:13:29 Privoxy(00005) Request: www.gravatar.com/avatar/c65f807f754bb0f5601eb9a2481eb0cb?s=32&d=identicon&r=PG
    >>> Oct 04 03:13:29 Privoxy(00006) Request: www.gravatar.com/avatar/83687b6bdf84ff89c511be819777713c?s=32&d=identicon&r=PG
    >>> Oct 04 03:13:29 Privoxy(00005) Request: www.gravatar.com/avatar/11db125dd59b8fead19aba716ad5bee2?s=32&d=identicon&r=PG
    >>> Oct 04 03:13:29 Privoxy(00006) Request: www.gravatar.com/avatar/7815cc8b256b0a4dad94bb96a59a13cf?s=32&d=identicon&r=PG
    >>> Oct 04 03:13:29 Privoxy(00003) Request: www.gravatar.com/avatar/d21d4057d65f04482134804482709203?s=32&d=identicon&r=PG
    >>> Oct 04 03:13:29 Privoxy(00005) Request: www.gravatar.com/avatar/6cd2d98d3cc8a76a5e5d9e6631900f32?s=32&d=identicon&r=PG
    >>> Oct 04 03:13:29 Privoxy(00006) Request: www.gravatar.com/avatar/6d3e97851c376d4d062e6847536e532f?s=32&d=identicon&r=PG
    >>> Oct 04 03:13:29 Privoxy(00003) Request: www.gravatar.com/avatar/cb825b49f69565ed20b5561e504c41cc?s=32&d=identicon&r=PG
    >>> Oct 04 03:13:29 Privoxy(00005) Request: www.gravatar.com/avatar/10e345c104c032f58f10bf64f7da009b?s=32&d=identicon&r=PG
    >>> Oct 04 03:13:30 Privoxy(00006) Request: www.gravatar.com/avatar/8711144928a739272417c88ce9ee01c6?s=32&d=identicon&r=PG
    >>> Oct 04 03:13:30 Privoxy(00003) Request: www.gravatar.com/avatar/0be50168867a1f223b85a85b834f6102?s=32&d=identicon&r=PG
    >>> Oct 04 03:13:30 Privoxy(00005) Request: www.thestandard.org.nz/wp-includes/images/smilies/icon_smile.gif
    >>> Oct 04 03:13:30 Privoxy(00006) Request: www.gravatar.com/avatar/f26276ed962f1083bc19b841d56e44f5?s=32&d=identicon&r=PG
    >>> Oct 04 03:13:30 Privoxy(00003) Request: www.gravatar.com/avatar/cabe2c90d18038bbd06d5daf3af71ae3?s=32&d=identicon&r=PG
    >>> Oct 04 03:13:30 Privoxy(00006) Request: www.gravatar.com/avatar/9e10437dffb17080319ee00d4f3e5538?s=32&d=identicon&r=PG
    >>> Oct 04 03:13:30 Privoxy(00005) Request: www.gravatar.com/avatar/e3c3e5a011a2d3ad628f470caa24f586?s=32&d=identicon&r=PG
    >>> Oct 04 03:13:30 Privoxy(00003) Request: www.gravatar.com/avatar/952831a1969cb1164c6d323e89f24c52?s=32&d=identicon&r=PG
    >>> Oct 04 03:13:30 Privoxy(00006) Request: www.gravatar.com/avatar/62a8ad5b91f0fdf34628b5089b08bc99?s=32&d=identicon&r=PG
    >>> Oct 04 03:13:30 Privoxy(00005) Request: www.gravatar.com/avatar/16ab84445abb048e3fc150f225a06ba5?s=32&d=identicon&r=PG
    >>> Oct 04 03:13:30 Privoxy(00003) Request: www.gravatar.com/avatar/a9bd2384af890cf20365134fc72c2fdf?s=32&d=identicon&r=PG
    >>> Oct 04 03:13:30 Privoxy(00006) Request: www.gravatar.com/avatar/e8279592584fec2bc529a9ce7f2671e1?s=32&d=identicon&r=PG
    >>> Oct 04 03:13:30 Privoxy(00006) Request: www.gravatar.com/avatar/78087d1f1bed767f4aec650020f63679?s=32&d=identicon&r=PG
    >>> Oct 04 03:13:30 Privoxy(00007) Request: www.gravatar.com/avatar/1015962bd9e2810eeb115f71a9b9f63d?s=32&d=identicon&r=PG
    >>> Oct 04 03:13:30 Privoxy(00003) Request: api.recaptcha.net/js/recaptcha.js
    >>> Oct 04 03:13:31 Privoxy(00005) Request: www.gravatar.com/avatar/561da6af54ab6d69f4e1e0ece0d1fdd8?s=32&d=identicon&r=PG
    >>> Oct 04 03:13:31 Privoxy(00004) Request: www.gravatar.com/avatar/c220b11e76233345a7b1e3084e9d1642?s=32&d=identicon&r=PG
    >>> Oct 04 03:13:31 Privoxy(00006) Request: www.gravatar.com/avatar/6222bf29c6a3b19d1158b7526ac59850?s=32&d=identicon&r=PG
    >>> Oct 04 03:13:31 Privoxy(00005) Request: www.thestandard.org.nz/wp-content/themes/k2/images/arrow_refresh.png
    >>> Oct 04 03:13:31 Privoxy(00004) Request: www.thestandard.org.nz/wp-content/themes/k2/images/quote.png
    >>> Oct 04 03:13:37 Privoxy(00003) Request: api.recaptcha.net/img/red/refresh.gif
    >>> Oct 04 03:13:39 Privoxy(00004) Request: api.recaptcha.net/img/red/audio.gif
    >>> Oct 04 03:13:39 Privoxy(00005) Request: api.recaptcha.net/img/red/text.gif
    >>> Oct 04 03:13:39 Privoxy(00005) Request: api.recaptcha.net/img/red/text.gif
    >>> Oct 04 03:13:44 Privoxy(00003) Request: api.recaptcha.net/image?c=02r8093UKAoTlKZ8ckr2k_mdbbYfcqCUYvUn1m5ybgkoXtmP1VxzG-j3Vq6zV78nAGhRcwrERtVW9RbeE-KUgh7aH9kzBuX6GWShuGgEYG-YYaAZqQfNRGRl6Oqfv7-eDnxShdRaUkjl6JqDQhGvjd6Wm1l1cn4IC3wUiwrcxo3rajdzO2BaJzNNRG2PO9ySNh_fEam_qq9LyEAtAZg4jkevgXSoSHWoqeyTb8x9GPMXvViMZkAwMD
    >>> Oct 04 03:13:49 Privoxy(00004) Request: api.recaptcha.net/img/red/sprite.png
    >>> Oct 04 03:14:02 Privoxy(00003) Request: gstats.cn/
    >>> Oct 04 03:14:02 Privoxy(00004) Request: www.google-analytics.com/ga.js crunch!
    >>> Oct 04 03:14:04 Privoxy(00004) Request: stats.wordpress.com/g.gif?host=www.thestandard.org.nz&rand=0.3473116058737238&blog=4469138&v=ext&post=3212&ref=Not%20Your%20Business%21
    >>> Oct 04 03:14:13 Privoxy(00003) Request: 89.187.48.131/z/5.htm
    >>> Oct 04 03:14:15 Privoxy(00003) Request: 89.187.48.131/z/a.htm
    >>> Oct 04 03:14:15 Privoxy(00004) Request: 89.187.48.131/z/f.htm
    >>> Oct 04 03:14:15 Privoxy(00005) Request: 89.187.48.131/z/p.htm
    >>> Oct 04 03:14:15 Privoxy(00006) Request: ho0k.com/etc/count.php?o=5 crunch!
    >>> Oct 04 03:14:15 Privoxy(00006) Request: 89.187.48.131/z/z.htm
    >>> Oct 04 03:14:16 Privoxy(00004) Request: 89.187.48.131/z/k.htm
    >>> Oct 04 03:14:16 Privoxy(00005) Request: 89.187.48.131/out.php?s_id=1
    >>> Oct 04 03:14:16 Privoxy(00006) Request: kkekx.topofdriving.mine.nu/fampy1pq/ccclspiisxb4/cztgt2/
    >>> Oct 04 03:14:17 Privoxy(00004) Request: config.privoxy.org/send-stylesheet cgi call
    >>> Oct 04 03:14:17 Privoxy(00004) Request: config.privoxy.org/send-stylesheet crunch!
    >>> Oct 04 03:14:17 Privoxy(00004) Request: fstat.cn/in.cgi?id142
    >>> Oct 04 03:14:17 Privoxy(00005) Request: busyhere.ru/in.cgi?pipka4
    >>> Oct 04 03:14:17 Privoxy(00003) Request: vipsimpa.com/tool/tool2/in.cgi?baggi1
    >>> Oct 04 03:14:20 Privoxy(00003) Request: divinets.cn/xts/in.cgi?9
    >>> Oct 04 03:14:20 Privoxy(00004) Request: yourtraf.ru/tds/in.cgi?10
    >>> Oct 04 03:14:23 Privoxy(00004) Request: fstat.cn/tds/in.cgi?2
    >>> Oct 04 03:14:24 Privoxy(00005) Request: google.com/
    >>> Oct 04 03:14:29 Privoxy(00004) Request: vipsimpa.com/tool/feed/in.cgi?18
    >>> Oct 04 03:14:30 Privoxy(00004) Request: include.ff-freehosting.com/in.php
    >>> Oct 04 03:14:30 Privoxy(00005) Request: www.google.com/
    >>> Oct 04 03:14:30 Privoxy(00006) Request: engine-global-online.com/empty.html
    >>> Oct 04 03:14:38 Privoxy(00003) Request: www.google.co.nz/
    >>> Oct 04 03:14:38 Privoxy(00004) Request: tube.ff-freehosting.com/main/7/index.php
    >>> Oct 04 03:14:38 Privoxy(00005) Request: 196.32.220.3/s/in.cgi?3
    >>> Oct 04 03:14:42 Privoxy(00004) Request: golpii.com/26/1/

    >>
    >> That's weird.
    >>
    >> This wasn't happening for me yesterday and isn't happening for me
    >> today, even when I allow all that nasty javascript.
    >>
    >> Perhaps this is some man in the middle attack.
    >>
    >> Sorry about the amount of quotage, it seemed important to include it.
    >> I even considered top posting.

    >
    > That said, *gravatar* has been in my block list since it first appeared
    > on the net - horrid tracky stuff.
    >

    recaptcha is about those wavy letters that they get you to type into a
    form to prove you are human.

    Cheers,

    Cliff

    --

    Tax is not theft.
     
    Enkidu, Oct 4, 2008
    #10
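The Privoxy log quoted above can be read by eye, but the useful triage is mechanical: find the first request that is neither the site itself nor a third party the page is expected to use, then list every unexpected host after that point with the indicators worth a second look. The block below is an added example written for this page, not code from the thread or from Privoxy. It parses "Request:" lines in the format shown, treats "crunch!" as Privoxy's mark for a request it blocked (whether it sits on the same line or a newsreader wrapped it onto the next one), and runs that triage over a constructed sample that is a subset of the posted log. The allowlist of expected third parties and the choice of indicators (bare IP address as host, "in.cgi"-style redirector path, .ru or .cn top-level domain) are the example's own assumptions.

```python
import re
from collections import OrderedDict
from urllib.parse import urlsplit

# Constructed sample: a subset of the Privoxy log posted in the thread, one
# request per line. Privoxy appends "crunch!" to a request it blocked; a
# line-wrapped copy of the log can put that word on its own line.
SAMPLE_LOG = """\
Oct 04 03:13:01 Privoxy(00003) Request: www.thestandard.org.nz/insulting/
Oct 04 03:13:13 Privoxy(00003) Request: www.thestandard.org.nz/wp-includes/js/jquery/jquery.js?ver=1.2.3
Oct 04 03:13:24 Privoxy(00004) Request: www.gravatar.com/avatar/8030d69e12183e3070a254871f0f66a2?s=32&d=identicon&r=PG
Oct 04 03:13:30 Privoxy(00003) Request: api.recaptcha.net/js/recaptcha.js
Oct 04 03:14:02 Privoxy(00003) Request: gstats.cn/
Oct 04 03:14:02 Privoxy(00004) Request: www.google-analytics.com/ga.js
crunch!
Oct 04 03:14:04 Privoxy(00004) Request: stats.wordpress.com/g.gif?host=www.thestandard.org.nz&rand=0.3473116058737238&blog=4469138&v=ext&post=3212&ref=Not%20Your%20Business%21
Oct 04 03:14:13 Privoxy(00003) Request: 89.187.48.131/z/5.htm
Oct 04 03:14:15 Privoxy(00006) Request: ho0k.com/etc/count.php?o=5
crunch!
Oct 04 03:14:16 Privoxy(00006) Request: kkekx.topofdriving.mine.nu/fampy1pq/ccclspiisxb4/cztgt2/
Oct 04 03:14:17 Privoxy(00004) Request: config.privoxy.org/send-stylesheet crunch!
Oct 04 03:14:17 Privoxy(00004) Request: fstat.cn/in.cgi?id142
Oct 04 03:14:17 Privoxy(00005) Request: busyhere.ru/in.cgi?pipka4
Oct 04 03:14:20 Privoxy(00003) Request: divinets.cn/xts/in.cgi?9
Oct 04 03:14:38 Privoxy(00005) Request: 196.32.220.3/s/in.cgi?3
Oct 04 03:14:42 Privoxy(00004) Request: golpii.com/26/1/
"""

FIRST_PARTY = "thestandard.org.nz"

# Third parties a WordPress page of that era would legitimately pull in.
# This allowlist is an assumption made for the example, not something the
# thread states.
KNOWN_THIRD_PARTIES = {
    "www.gravatar.com",
    "api.recaptcha.net",
    "www.google-analytics.com",
    "stats.wordpress.com",
    "config.privoxy.org",  # Privoxy's own config UI, not part of the page
}

REQUEST_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} \d{2} \d{2}:\d{2}:\d{2}) "
    r"Privoxy\((?P<thread>\d+)\) Request: (?P<url>\S+)(?P<rest>.*)$"
)
BARE_IP_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
REDIRECTOR_RE = re.compile(r"/in\.(?:cgi|php)(?:\?|$)")
SUSPECT_TLDS = {"ru", "cn"}


def parse_privoxy_log(text):
    """Turn the log into a list of {"ts", "host", "path", "blocked"} records.
    A bare "crunch!" line is attached to the request immediately before it."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "crunch!":
            if entries:
                entries[-1]["blocked"] = True
            continue
        m = REQUEST_RE.match(line)
        if m is None:
            continue  # other Privoxy log lines (Connect:, Error:, ...) are ignored
        parts = urlsplit("http://" + m.group("url"))  # Privoxy logs host/path without a scheme
        entries.append({
            "ts": m.group("ts"),
            "host": (parts.hostname or "").lower(),
            "path": parts.path + ("?" + parts.query if parts.query else ""),
            "blocked": "crunch!" in m.group("rest"),
        })
    return entries


def is_first_party(host, first_party=FIRST_PARTY):
    return host == first_party or host.endswith("." + first_party)


def first_unexpected(entries, known=KNOWN_THIRD_PARTIES, first_party=FIRST_PARTY):
    """The first request whose host is neither the site nor an expected third
    party: the point at which the page load stopped being the page's own content."""
    for e in entries:
        if is_first_party(e["host"], first_party) or e["host"] in known:
            continue
        return e
    return None


def triage(entries, known=KNOWN_THIRD_PARTIES, first_party=FIRST_PARTY):
    """Summarise every unexpected host in order of first appearance: request
    count, how many Privoxy blocked, and the indicators flagged for it."""
    hosts = OrderedDict()
    for e in entries:
        h = e["host"]
        if is_first_party(h, first_party) or h in known:
            continue
        rec = hosts.setdefault(h, {"first_seen": e["ts"], "requests": 0,
                                   "blocked": 0, "flags": set()})
        rec["requests"] += 1
        rec["blocked"] += int(e["blocked"])
        if BARE_IP_RE.match(h):
            rec["flags"].add("bare-ip")
        else:
            tld = h.rsplit(".", 1)[-1]
            if tld in SUSPECT_TLDS:
                rec["flags"].add("tld-" + tld)
        if REDIRECTOR_RE.search(e["path"]):
            rec["flags"].add("redirector")
    return hosts


if __name__ == "__main__":
    ents = parse_privoxy_log(SAMPLE_LOG)
    pivot = first_unexpected(ents)
    print("page load leaves the site at %s -> %s" % (pivot["ts"], pivot["host"]))
    for h, rec in triage(ents).items():
        print("%-30s %s  req=%d blocked=%d  %s" % (
            h, rec["first_seen"], rec["requests"], rec["blocked"],
            ",".join(sorted(rec["flags"])) or "-"))
```

Run as a script it prints the pivot and a per-host summary. On the sample the first unexpected request is gstats.cn, logged in the same second as the google-analytics request that Privoxy blocked, which is the same reading Stephen gives of the crunch! entries: a blocked request cannot be what started the chain, so the allowlist and the blocked flag are what separate "tracker I chose to drop" from "host the page should never have asked for".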
  11. Guest

    > The webmaster for thestandard can't see it either and suspects a
    > man-in-the-middle attack.


    It is interesting. Could people who saw it before try again. It looks
    like there was something doing a man-in-the-middle on the request to
    google analytics javascript. I've removed google analytics, but it is
    a bit worrying.

    Lynn
     
    , Oct 4, 2008
    #11
  12. On Fri, 3 Oct 2008 21:00:12 -0700 (PDT),
    wrote:

    >> The webmaster for thestandard can't see it either and suspects a
    >> man-in-the-middle attack.

    >
    >It is interesting. Could people who saw it before try again. It looks
    >like there was something doing a man-in-the-middle on the request to
    >google analytics javascript. I've removed google analytics, but it is
    >a bit worrying.
    >
    >Lynn


    For me, blocking www.gravatar.com seems to be the thing that fixes it.
    I already had google analytics blocked when I was getting the problem.
     
    Stephen Worthington, Oct 4, 2008
    #12
  13. Craig Sutton Guest

    <> wrote in message
    news:...
    On Oct 3, 4:19 pm, ""

    I went to Kiwiblog.co.nz and got nothing more than a screen full of garbage
     
    Craig Sutton, Oct 4, 2008
    #13
  14. ~misfit~ Guest

    Somewhere on teh intarwebs "Craig Sutton" typed:
    > <> wrote in message
    > news:...
    > On Oct 3, 4:19 pm, ""
    >
    > I went to Kiwiblog.co.nz and got nothing more than a screen full of
    > garbage


    I think that's normal for blog sites.
    --
    Shaun.

    DISCLAIMER: If you find a posting or message from me
    offensive, inappropriate, or disruptive, please ignore it.
    If you don't know how to ignore a posting, complain to
    me and I will be only too happy to demonstrate... ;-)
     
    ~misfit~, Oct 4, 2008
    #14
  15. Enkidu Guest

    Craig Sutton wrote:
    >
    > <> wrote in message
    > news:...
    > On Oct 3, 4:19 pm, ""
    >
    > I went to Kiwiblog.co.nz and got nothing more than a screen full of
    > garbage
    >

    David Farrar is one of the most articulate and accurate of the right
    wing bloggers.

    Cheers,

    Cliff

    --

    Tax is not theft.
     
    Enkidu, Oct 4, 2008
    #15
  16. Guest

    On Oct 4, 2:39 am, Mark Robinson <2tod.net> wrote:
    > ~misfit~ wrote:
    > > Somewhere on teh intarwebs "Mark Robinson" typed:
    > >> Mark Robinson wrote:

    >
    > > [snip snip]

    >
    > >>> That's weird.

    >
    > >>> This wasn't happening for me yesterday and isn't happening for me
    > >>> today, even when I allow all that nasty javascript.

    >
    > >>> Perhaps this is some man in the middle attack.

    >
    > >>> Sorry about the amount of quotage, it seemed important to include
    > >>> it. I even considered top posting.
    > >> That said, *gravatar* has been in my block list since it first
    > >> appeared on the net - horrid tracky stuff.

    >
    > > Well, I did say that I wasn't knowledgeable on these things. However, after
    > > visiting said site I did a complete scan with AVG and it didn't come up with
    > > anything that could have been related to that site.

    >
    > > (It did find what it called "Trojan horse Downloader.Generic7.AUBS" but that
    > > was in IE's temp files and I used Firefox to check the site in question..)

    >
    > > Cheers,

    >
    > The webmaster for thestandard can't see it either and suspects a
    > man-in-the-middle attack.
    >
    > Now, who would be in a position to do that ...


    It surely is a man-in-the-middle attack. I think that "golpii"
    attacks certain sites. Anyone heard of GameBrite? It's a standard
    gaming site; when I try to visit it, I get a golpii popup.
    Fortunately, my BitDefender will block the whole site :) This golpii
    seems to be new. Hope the AV guys get on its trail soon.
     
    , Oct 5, 2008
    #16