Hey Dave, I was looking at information on the Mirc website and I happened to come across a link called ircnick.com. Since the link came from an official website, I clicked on the link only to be redirected to a site called eta.us. Ever since hearing about phishing and malicious websites (e.g. Googkle) I was concerned as to whether or not the site I was redirected to was insidious in any kind of way (whether or not I had spyware, adware, trojans, etc.). I scanned my computer using various virus and adware scanners (everything was clean). Still feeling uneasy, I need advice, therefore I’m asking you.
I can understand your concern, but fortunately there are some tools available that make tracking down this sequence pretty straightforward. I’m going to use a Unix command-line based tool called lynx to step through the sequence of what was sent from the site. I’m actually doing this on the Mac OS X command line by using the Terminal application that’s included with the operating system (it’s in Applications –> Utilities).
The first step is to recognize that when you visit a Web page you get two things sent back to you, a HEAD and an actually web page. The header is the http protocol handshake, and you can view it with lynx by using the following command:
$ lynx -head -dump http://www.ircnick.com/ HTTP/1.1 200 OK Connection: close Date: Wed, 25 May 2005 15:24:37 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 1.1.4322 Set-Cookie: ASP.NET_SessionId=32sgufnkkyppad2nkpcqnd45; path=/ Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 644
Nothing untoward here, no suspicious redirects, but do note that there’s a Cookie set and that it’s obviously from a Windows server (which is confirmed by the fact that it’s running Microsoft’s IIS server).
Next step is to see the HTML itself, which can be done from lynx too:
$ lynx -source http://www.ircnick.com/ <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Frameset//EN"> <html> <head> <title>ircnick.com</title> <meta name="GENERATOR" Content="Microsoft Visual Studio .NET 7.1"> <meta name="CODE_LANGUAGE" Content="C#"> <meta name="vs_defaultClientScript" content="JavaScript"> <meta name="vs_targetSchema" content="http://schemas.microsoft.com/intellisense/ie5"> <noframes> <body> IRCNICK.COM <a href='www1.eta.us/default.aspx?a=ircnick.com'> </body> </noframes> </head> <frameset rows="*"> <frame src='http://www1.eta.us/default.aspx?a=ircnick.com&ref=*&rs='> </frameset> <!-- #11 --> </html>
You can see the link to the ETA site, so let’s now traverse that with the same set of commands…
$ lynx -head -dump http://www1.eta.us/default.aspx?a=ircnick.com HTTP/1.1 200 OK Connection: close Date: Wed, 25 May 2005 15:34:44 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 1.1.4322 p3p: CP="CAO PSA OUR" Set-Cookie: ASP.NET_SessionId=ghuy3yqeu4roesak3bveykyc; path=/ Set-Cookie: tengnikrap=domain=ircnick.com:ref=:refst=; path=/ Cache-Control: no-cache Pragma: no-cache Expires: -1 Content-Type: text/html; charset=utf-8 Content-Length: 11471
Again, no big deal. But when I go to actually view their page, phew! Lots of dense code, but it all looks benign to me. Here’s how I can test this hypothesis: if there were anything bad going on, we’d find some JavaScript or similar scripting code, so we can just look for a few key words or phrases in the HTML source itself, again, easily doable with lynx when coupled with the pattern matching grep command:
$ lynx -source http://www1.eta.us/default.aspx?a=ircnick.com | \ grep -iE '(java|form|action| on|object)' <form id="parking_form" method="post" action="Default.aspx"> </form>
Looks like you’re clear this time, but you might well want to check out my recent article on Safe Web Surfing and also seriously consider using a Web browser other than Internet Explorer for better security.
Oh, and if you are surfing the web – which you’re obviously doing since you’re here on my site! — then you must have both a solid antivirus solution and anti-spyware solution. I recommend AVG Antivirus for the former and Spy Sweeper for the latter.
Although Macs are less attacked by viruses Mac users can also use the free virus checker http://www.clamxav.com to make sure that their machines are not misused as virus safe havens.
People surfing the web with Windows should probably use Firefox to start with, and should probably use whatever they can in the way of filters – ad blockers, etc.
So Dave, there are scads of these filtering plugins for Windows, but some of them are undoubtedly vehicles for delivering “preferred” adware and spyware. What do you recommend to Windows users?
PC users ask me all the time, and I always say, “Sell your PC on eBay and buy a Macintosh.” If they want to keep the Windows PC, what else can they do for prevention of browser based malware?