
Kaspersky reports AdSense as containing malicious code

Well, it is 3:00 at night, and suddenly Kaspersky reports malicious code on every site with AdSense, in this script: http://pagead2.googlesyndication.com/pagead/show_ads.js

Virus in Adsense

The first time the warning was red; now it blocks automatically and displays this blue one.

Is Kaspersky giving a false positive, or has Google let itself be hacked?

Municipal sites hacked by spammers to post links

A little curiosity from the world of black hat SEO.

I happened to notice the site of a municipality in my province carrying links to sites that sell the famous blue anti-impotence pills (which I will not name, so that nobody thinks badly of this site). I imagine, of course, that some "hacker" (so to speak) exploited a bug in the site (classic SQL injection) to insert entirely illegal links.

Take a look at this SERP and notice how many sites of Italian municipalities have been breached to insert links about those pills. Surely there are many other topics as well.

Running a search like mine on your own sites can help identify abusive links inserted by spammers, which often lead to penalties from Google, just as Google suggests.

Fake job offer: beware, the deception could land you in court

If you receive an email like this one, know that these people are trying to deceive the naive.

They offer a job that consists of collecting payments from their customers into your current account. Obviously, the customers are being cheated, and that is the reason they do not have the payments made directly to an account of their own.

So spread the word: it is unpleasant to find yourself in court having to prove your good faith because of these scoundrels.

Another small detail that always applies: when you notice strange characters in emails (like this и) in place of accented letters, prick up your ears at once, because it almost always means that the text was written by someone who uses a different encoding, such as Cyrillic.

The Society D *** **** AND HAS ON SRL Italy looking for a Book-Keeper/Representative

И The activity was designed so as not to burden your work
main and contains no stress in helping bensм
solve problems related to the cost of current life. D *** **** ON AND HAS SRL и a small company that is trading in different
crafts and art, like paintings and sculptures, produced
handicrafts and textiles from Africa and more
Asia, ties and dyes. It 'was found by the Society
a significant delay in payments by companies
Customers who prefer to make payment of bills
Cheques and circulars, which can hardly be
received outside Europe .5.000 Ђ month so I need someone
encompassing the figure of the legal representative of our Society and
to follow the whole process of payments coming from my various
customers and that take place every week. И This is why I
decided to appoint a representative in Italy, which helps in
collect the payments, which could hardly be followed by the country where I am.

I hope to find a positive response from you. EVERYTHING 'THAT
Have to do is' RECEIVE PAYMENTS FROM MY CUSTOMERS IN EUROPE
(Determined by the destination 'where you are) and COLLECT IN YOUR
BANK. DEDURRAI figures from 10% AS COMMISSION FOR THE YEAR
CARRIED BY YOU, OR TRANSFERRED TO THE REST OF THE COMPANY ACCOUNTANT 'FOR
MEANS OF WESTERN UNION MONEY TRANSFER, ETC.

Payments that arrive will be issued in your name as cosм
inform my customers do. My former representative Paul Mura и moved with her family in New Zealand
и and for this reason that I try another representative. Avrт
need from you the following information:

Name ________________________________
Surname_______________________ First
Eta_________________________________
Address / N0_____________________
Zip _________________________________
City _______________________________
Province __________________________
Mobile ___________________________
provision of a current account (optional).

If you are interested in this offer and want to work for us, thank you kindly provide the following information via e-mail

Sincerely,

D *** **** ON AND HAS SRL
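
The encoding tell mentioned before the email can be checked mechanically. The following is an added example, not part of the original post: it assumes the text was written as Windows-1252 and displayed as Windows-1251, which is what the и, м, т and Ђ substitutions in the email are consistent with; the function names and the sample line are constructed for illustration.

```javascript
// Added illustration. SAMPLE is a constructed line in the style of the email above,
// written with escapes so the Cyrillic letters are unambiguous: а и м т Ђ.
const SAMPLE = 'La societ\u0430 \u0438 piccola, cos\u043c avr\u0442 bisogno di 5.000 \u0402';

// Windows-1251 stores U+0410..U+044F (А..я) at bytes 0xC0..0xFF; Windows-1252 stores the
// Latin-1 characters À..ÿ at the same bytes. Byte 0x80 is Ђ in 1251 and the euro sign in 1252.
function cp1251CharAsCp1252(ch) {
  const cp = ch.codePointAt(0);
  if (cp >= 0x0410 && cp <= 0x044f) return String.fromCharCode(cp - 0x0410 + 0xc0);
  if (cp === 0x0402) return '\u20ac';
  return ch;
}

// Flags mostly-Latin text that contains stray Cyrillic and returns the repaired reading.
function checkEncodingMismatch(text) {
  let latin = 0;
  let cyrillic = 0;
  let repaired = '';
  for (const ch of text) {
    const fixed = cp1251CharAsCp1252(ch);
    if (fixed !== ch) cyrillic += 1;
    else if (/[A-Za-z]/.test(ch)) latin += 1;
    repaired += fixed;
  }
  // Mostly Latin text sprinkled with Cyrillic is the pattern the post describes;
  // text that is genuinely Cyrillic (cyrillic >= latin) is returned untouched.
  const suspicious = cyrillic > 0 && latin > cyrillic;
  return { suspicious, cyrillic, repaired: suspicious ? repaired : text };
}

console.log(checkEncodingMismatch(SAMPLE));
```

A hit is only a triage signal: it shows which code page the sender's software used, not who the sender is.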

Anonymous, safe surfing, really?

There are dozens of online services, some free, some paid, offering "anonymous" browsing.

The question arises: is browsing through these sites truly anonymous?
The answer is somewhat obvious: on the Internet there may be varying degrees of anonymity, but never anonymity in an absolute sense.

On the sites I manage, I have very often received visits from Anonymouse.org.

In one case in particular, it was a forum user who wanted to post insults without being traced.
But his only merit was to stimulate my computing imagination...

The method explained below, devised by me but which over time may well have been used by others, served me to stop and identify that attacker who was playing hide and seek.

The example is worked out for Anonymouse.org, but the method can be adapted, extended and used for other services.

Analysis of the service:

The site http://anonymouse.org/ offers a field where you can type any web address to view it anonymously.

The web page is then requested by the Anonymouse server, which acts as a proxy.
All links on the page (text links, references to CSS, JavaScript and images) are replaced with filtered ones, to avoid losing anonymity. For example, if you visit a page of www.matarrelli.com, all the links to the home page contained in the HTML code become like this:

http://anonymouse.org/cgi-bin/anon-www.cgi/http://www.matarrelli.com/

So even after clicking, the user remains shielded. The same applies to all links to other pages and to references to JavaScript and images, which become like this:

http://anonymouse.org/cgi-bin/anon-www.cgi/http://www.matarrelli.com/script.js

http://anonymouse.org/cgi-bin/anon-www.cgi/http://www.matarrelli.com/immagine.jpg

Browsing thus remains anonymous: scripts and images included, everything is retrieved with an IP and user agent that belong not to the user but to Anonymouse.
Put simply, the user can never be tracked, because no request is made directly from the browser to the destination server.

So how do you recognize the user?

We take a hybrid approach, combining server-side operations with JavaScript, which, as is well known, acts on the client side.

The requests made by the Anonymouse server have two characteristics:

  1. IP, although it might change over time. I have carried out checks in this regard;
  2. User agent, which is always the same and is http://Anonymouse.org/ (Unix);

Let us focus on the user agent, which is constant over time.
We can instruct the server to recognize it and perform "special" operations.
If we are on Apache, we can set up .htaccess so that whenever the user agent contains the word Anonymouse, the server shows an ad hoc page called anonimo.php instead of the requested page:

RewriteEngine On
RewriteCond %{HTTP_USER_AGENT} Anonymouse
RewriteRule (.*) anonimo.php

With this step we have blocked access to the site, because the user never sees the requested page, only the anonimo.php page.

But we want to do more: we want to find the user's real IP. This is where the JavaScript code comes in, which goes into the anonimo.php file.

As stated earlier, every JavaScript reference is replaced with a shielded version, so the original code:

<script type="text/javascript" language="javascript" src="http://www.matarrelli.com/script.js"></script>

is replaced with:

<script type="text/javascript" language="javascript" src="http://anonymouse.org/cgi-bin/anon-www.cgi/http://www.matarrelli.com/script.js"></script>

We must therefore fool the bot that makes the substitutions.
One very simple and effective way is not to write the address to be called as such, but to have JavaScript itself make the call, suitably split into pieces. Here is what I mean:

<script type="text/javascript" language="javascript">
document.write('<script type="text/javascript" ' + 'language="javascript" s' + 'rc="');
document.write('ht' + 'tp' + '://' + 'ww' + 'w.');
document.write('matarrelli' + '.com');
document.write('/script.j' + 's"></' + 'script>');
</script>

Here one piece of JavaScript calls another script, rebuilding the original address from several string fragments. Anonymouse is unable to recognize the operation, and therefore does not shield it.

The request for the script.js file is made directly from the browser to the server that hosts the web page. Anonymouse is completely bypassed.
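
A toy model of the blind spot described above, as an added example that is not part of the original post: `proxyRewrite` is a simplified assumption of how a rewriting proxy prefixes URLs (not Anonymouse's actual code), the page and the file name static.js are constructed, and a stub `document.write` stands in for the browser.

```javascript
// Added illustration: toy model of a URL-rewriting web proxy (an assumption, not Anonymouse's code).
const PROXY_PREFIX = 'http://anonymouse.org/cgi-bin/anon-www.cgi/';

// Constructed sample page: one ordinary script tag, one inline script using the chunked document.write.
const SAMPLE_PAGE = [
  '<script src="http://www.matarrelli.com/static.js"></script>',
  '<script type="text/javascript">',
  `document.write('<script s' + 'rc="');`,
  `document.write('ht' + 'tp' + '://' + 'ww' + 'w.');`,
  `document.write('matarrelli' + '.com');`,
  `document.write('/script.j' + 's"></' + 'script>');`,
  '</script>',
].join('\n');

// The proxy only sees text: it prefixes every absolute URL it finds in a src/href attribute.
function proxyRewrite(html) {
  return html.replace(/\b(src|href)\s*=\s*"\s*(https?:\/\/[^"\s]+)\s*"/gi,
    (match, attr, url) => `${attr}="${PROXY_PREFIX}${url}"`);
}

// Stand-in for the browser: run each inline script and collect what it writes into the page.
function runInlineScripts(html) {
  let written = '';
  const fakeDocument = { write: (s) => { written += s; } };
  const inline = /<script\b(?![^>]*\bsrc\s*=)[^>]*>([\s\S]*?)<\/script>/gi;
  for (const m of html.matchAll(inline)) {
    new Function('document', m[1])(fakeDocument);
  }
  return written;
}

// Hosts that script tags in the given markup would make the browser contact.
function scriptHosts(html) {
  return [...html.matchAll(/<script\b[^>]*\bsrc\s*=\s*"([^"]+)"/gi)]
    .map((m) => new URL(m[1]).host);
}

// Static markup goes through the proxy; markup assembled at run time does not.
function hostsContacted(originalHtml) {
  const served = proxyRewrite(originalHtml);
  return {
    fromStaticMarkup: scriptHosts(served),
    fromRuntimeMarkup: scriptHosts(runInlineScripts(served)),
  };
}

console.log(hostsContacted(SAMPLE_PAGE));
```

The static tag resolves to the proxy host, while the tag assembled at run time resolves to the origin host, which is why a proxy that only rewrites markup cannot keep a script-enabled browser behind it.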

The script.js file can contain various things; the simplest is a redirect to a file that records the original IP and user agent:

document.location.href = "http://www.matarrelli.com/log.php";

The log.php file can be built very simply:

<?php

$filename = "anonimi.php";

// Collect the user's data
$ua = $_SERVER["HTTP_USER_AGENT"]; // user agent
$ip = getenv('REMOTE_ADDR'); // IP address

// Determine the exact date and time
$day = date("D");
$date = date("d");
$hour = date("H");
$minutes = date("i");
$month = date("F");
$year = date("Y");

// Append the data to the file named in $filename
if (!($fp = fopen($filename, "a"))) die("can not open or create file");
// The user agent is client-supplied: escape it, because the log is a .php file served by the web server
$html = "<p style=\"font-size:9px;\">" . $date . " " . $month . " " . $year . " - " . $hour . ":" . $minutes . "\n" . "User Agent " . htmlspecialchars($ua, ENT_QUOTES) . "\n" . "IP " . $ip . "\n" . "</p>";
fwrite($fp, $html);
fclose($fp);

?>

The date and time of the visit, together with the original IP and user agent, are stored in the anonimi.php file.

Mission accomplished: the anonymous user is unmasked.

PS: by identifying the IP (you do not know what satisfaction :-) ), the user was banned from my forum both under the anonymous nickname he had created and under the one he normally used for writing.

Safety issues on site 155.it

Call it mental strain, or perhaps years of experience, but when browsing any site that keeps my personal information, I sometimes wonder how safe it is.

Thus, the first time I joined 155.it, I could not help noticing some rather trivial oversights, which allow access to certain information on any Wind line, even for users not registered on the site.

I want to talk about this, but not before reporting it accurately and giving Wind's technicians time to fix everything... I have already sent a request through their contact form.

So the appointment is postponed to next month...
