

Virus watch


6 replies to this topic

#1 CodeCat

    It's a trap!

  • Gold Member
  • 6111 posts

Posted 27 February 2008 - 23:23

After getting the nth 'is this you?' + link message, I thought I would make a short guide and a list of dangerous or suspicious URLs that I got from others in MSN messages.

First of all, if someone sends you a dangerous link, and you're unsure whether to click it, you can always visit it in a safe way using telnet. Here's what you do:

1. Note down two parts of the URL: the hostname and the path. In the URL http://www.example.c...ex.php?test=bla the hostname is www.example.com and /index.php?test=bla is the path. If the URL is just http://www.example.com then the path is / .

2. Open a command prompt by going to Start > Run, then typing cmd.exe into the box.

3. Right click the title of the window, select Properties, then go to the Layout tab and set Height under Screen Buffer Size to 2000. This is to prevent the text from disappearing after too much of it later. If it still happens later on then you might want to set it even higher.

4. Before you continue, you must type this in somewhere for safekeeping so you can copy and paste it easily:
GET (the path you wrote down) HTTP/1.1
Host: (the hostname you wrote down)

5. Type
telnet (the hostname you wrote down) 80

Then press enter, and you'll get a blank screen. Telnet is now connected to that server.

6. You can now type text that is sent to the server you are connected to, but the text is invisible. Backspace will also not work. This is why you typed that bit out earlier, so you could copy-paste it quickly. Copy the text you wrote in step 4, then paste it in the window by right clicking the title bar of the prompt window and going to Edit > Paste.

7. Now press enter twice.

8. The server will send a reply, and this is where things get interesting. The reply will consist of a first line which contains the status code (200 means all ok, 404 means not found etc.), a few lines called 'headers', then a blank line, and finally the actual content.

You'll have to see whether the reply is proper HTML or something else. This is what I got for one virus URL I tried:
HTTP/1.1 200 OK
Date: Wed, 27 Feb 2008 23:46:12 GMT
Server: Apache/1.3.33 (Unix) mod_ssl/2.8.22 OpenSSL/0.9.7d SE/0.5.2
Content-Disposition: attachment; filename=PIC006.JPG-live.messenger.com;
X-Powered-By: PHP/4.4.0
Connection: close
Content-Type: application/octet-stream


MZP☻♦ ╕@☺║►▼┤   ═!╕☺L═!ÉÉThis program must be run under Win32
$7cæ?Pcæ?PPEL↓^B*αÄü
					☺☻↓Lb'►0¶↓►☻♦♦α♦☻►@►►►P$☻Ç$A╨└☺pCODEh▬►♦ `DATAp0☻∟@└BSSQ☺@▲└
etc.


Here are the danger signs of this particular case:
- Header contains Content-Type: application/octet-stream. This means that the server is trying to send a file to you rather than a webpage.
- Header contains Content-Disposition: attachment; filename=<some file name>. The server is trying to send you a file as an attachment.
- The first two letters after the blank line are 'MZ', and a bit further on it says 'This program must be run under Win32'. These denote a Windows .exe file, in other words a program. Any proper site would put those in a zip, so if you see this, you can be pretty much sure it's a virus of some kind!

-----------------------------

Now here are some dangerous links that have been discovered already. If you have any to add, post them as well. But BE CAREFUL!!

Before you post a link first put an underscore _ before every link, so that the forum does not automatically turn it into a clickable link!

You never know what kind of idiots click these links anyway and help spread the problem. Better to be safe than sorry.


Whatever you do, do NOT visit any of these links!

is this really you? :S _http://photoshare.cogia.net/?=<your email>
Downloads an .exe file to your computer. Crashed one of my friends' systems as well.

this looks alot like you :S _http://photos.hollosite.com/viewimage.php?=<your email>
Downloads an .exe file to your computer.

Edited by CodeCat, 28 February 2008 - 13:29.

CodeCat


Go dtiomsaítear do chód gan earráidí, is go gcríochnaítear do chláir go réidh. -Old Irish proverb

#2 Dauth

    <Custom title available>

  • Gold Member
  • 11193 posts

Posted 27 February 2008 - 23:26

A very good idea, making an informative list of known badware sites should help with my computer problems thread.

#3 Jazzie Spurs

    [Pantsu-Dan]

  • Project Team
  • 4073 posts
  • Projects: Commanding the ECA 33rd Ground Assault Team.

Posted 27 February 2008 - 23:40

And the Anti Virus does not detect this thread?


#4 CodeCat

    It's a trap!

  • Gold Member
  • 6111 posts

Posted 28 February 2008 - 13:29

Added more.
CodeCat


Go dtiomsaítear do chód gan earráidí, is go gcríochnaítear do chláir go réidh. -Old Irish proverb

#5 Umbrella Secrets

    Experimenting

  • Member
  • 658 posts
  • Projects: I'm with the Mapper Guild Projects

Posted 27 July 2008 - 22:33

This site popped out of nowhere and it had a photoshop for free link, don't fall for it because I did, but then I found it before it could take effect, it will take you to different websites and things and ask for your email address and stuff. If you ever see this website pop up out of nowhere then get out. www[Dot]programs4free.info/photoshop/?g...CFQwuHgodTR1nRw. My Anti-Virus caught it and it sent an email saying it destroyed it, when I got the file my computer was running really slow. It's better now though.

Dr Edit: Don't link to the virus.

Edited by The Dr, 27 July 2008 - 23:15.


#6 Sicarius

    Semi-Pro

  • Member
  • 226 posts

Posted 21 October 2008 - 05:27

Found another one:

_http://www.bonusgiftropicana.net/

Basically, it claims to be a site where you can see who has blocked you on MSN.
I've come face to face with myself, man.
Sanctify the early light just like the old man can, boy!
Change the world? You'd better change yourself, man/ boy/ man
Challenge the mind to be more like the rolling ocean, man!

#7 Waris

    Endless Sip

  • Gold Member
  • 7458 posts
  • Projects: The End of Days, DTU Donutin Council Co-Chairman

Posted 21 October 2008 - 06:11

Telnetting...

HTTP/1.1 200 OK
Date: Tue, 21 Oct 2008 06:10:14 GMT
Server: Apache/2.2.8 (Unix) mod_ssl/2.2.8 OpenSSL/0.9.8b mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.6
Last-Modified: Thu, 18 Sep 2008 19:45:05 GMT
ETag: "20852-14ea-45730d24ab240"
Accept-Ranges: bytes
Content-Length: 5354
Connection: close
Content-Type: text/html

<html>

<head>
<meta http-equiv="Content-Language" content="tr">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="Fro
ntPage.Editor.Document">
<meta http-equiv="Content-Type" content="text/html; charset=windows-1254">
<title>MSN block or delete checker</title>
</head>

<bo
dy topmargin="0" leftmargin="0" style="text-align: center">

<table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" borderc
olor="#111111" width="100%" height="578">
<tr>
<td width="100%" height="204">
<table border="0" cellpadding="0" cellspacing="0" style="border-c
ollapse: collapse" bordercolor="#111111" width="111%" background="arkaplan.gif">
<tr>
<td width="63%">&nbsp;</td>
<td width="49%">&
nbsp;</td>
</tr>
</table>
</td>
</tr>
<tr>
<td width="100%" height="19">&nbsp;<font face="Verdana"><b>&nbsp;&nbsp;&nbsp;
<font
colo
r="#4CAD4E">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
</font>
</b></font><font color="#4CAD4E"><b>
<span style="font-family: Times New Roman"><font size="5">You</font><font size="5">
can see who has bloock
edd or deleeeted you from his/her MSN with our completely
free service</font></span><span lang="EN-US" style="font-family: Times New Roman"><font
size="5">.
</font></span></b></font></td>
</tr>
<tr>
<td width="100%" height="336" valign=top>
<table border="0" cellpadding="0" cellspacin
g="0" style="border-collapse: collapse" bordercolor="#111111" width="100%" height="336">
<tr>
<td width="15%" height="336" valign=top alig
n=center>



</td>
<td width="51%" valign=top height="336">
<br>


<form id=aa method="
POST" action="msnengel.php" onsubmit="a=document.getElementById('aa').style;a.display='none';b=document.getElementById('part2').style;b.display='inlin
e';">
<table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" bordercolor="#111111" width="100%" height="132">

<tr>
<br>
<td width="28%" height="19">
<p align="right">
<span lang="EN-US" style="font-size: 12.0pt; f
ont-family: Times New Roman">
Your MSN ID</span><font face="Verdana" size="2"> :&nbsp;&nbsp;
</font> </td>
<td
width="172%" height="19">
<font face="Verdana">
<input type="text" style="border: 1px solid gray" name="T1" size="43"></font
></td>
</tr>
<tr>
<td width="28%" height="26">&nbsp;</td>
<td width="172%" height="26" valign=top>

<font face="Verdana" size="1" color="#808080">&nbsp;(username@hotmail.com)</font></td>
</tr>
<tr>
<td wid
th="28%" height="19">
<p align="right">
<span lang="EN-US" style="font-size: 12.0pt; font-family: Times New Roman">

Password</span><font face="Verdana" size="2"> :&nbsp;&nbsp;
</font> </td>
<td width="172%" height="19">
<f
ont face="Verdana">
<input type="password" style="border: 1px solid gray" name="T2" size="43"></font></td>
</tr>
<t
r>
<td width="28%" height="19">&nbsp;</td>
<td width="172%" height="19">
<input type="checkbox" name="C1" value
="ON" checked><span lang="EN-US" style="font-size: 12.0pt; font-family: Times New Roman">I
have read and accepted the Agreement</span></
td>
</tr>
<tr>
<td width="28%" height="25">&nbsp;</td>
<td width="172%" height="25">
<fon
t face="Verdana">
<input type="submit" value="Check who has blocked you" name="B1"></font></td>
</tr>
</table>

<br><br><br>
</form>

<div align=Center id="part2" style="display: none;">
<script language="javascript" src="progressbar.js"></script><br><br
><br><br><br><br>
<span lang="EN-US" style="font-size: 12.0pt; font-family: Times New Roman">
Connecting to your MSN List. This may take several minutes
. Please wait until
the process is completed......</span><font face=verdana size=2><BR><BR>
<script type="text/javascript">
var bar1= createBar(300,15,'
white',1,'black','blue',85,7,3,"");
</script><br><br>
</div>
</td>
<td width="34%" height="336" valign=top>



</td>

</tr>
</table>
</td>
</tr>
<tr>
<td width="100%" height="19"><hr noshade color="#808080" size="1">
<font color="#808080">&nbsp;</fon
t><font size="1" face="Verdana" color="#808080">&nbsp;
copyright © 2007 blockcheckerca.com</font></td>
</tr>


</table>

</body>

</html>



* <span style
="font-size: 12.0pt; font-family: Times New Roman">You can see who
has blocked or deleted you from his/her MSN with our completely free service</span>
<span lang="EN-US" style="font-size: 12.0pt; font-family: Times New Roman">.
</span>
<p><span lang="EN-US" style="font-size: 12.0pt; font-family: Times
New Roman">
<a href="sozlesme.htm">Agreement</a>&nbsp;
<a href="mailto:blockadministrator@gmail.com">Contact Us</a></span></p>


Connection to host lost.

It asks for your login info... definitely not legit.

Edited by Waris, 21 October 2008 - 06:15.
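
The manual telnet check from post #1 and the login-form finding from post #7, combined into one script. This is an added example, not code from any poster in this thread: it sends the same GET request over a plain socket (nothing is rendered or executed) and checks the raw reply for the danger signs described above. The function names `fetch_raw` and `triage` and both sample replies are constructed for illustration.

```python
import re
import socket

def fetch_raw(host, path="/", port=80, limit=65536):
    """Send the request from step 4 over a plain socket; nothing is rendered or run."""
    request = f"GET {path} HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n"
    with socket.create_connection((host, port), timeout=10) as sock:
        sock.sendall(request.encode("ascii"))
        data = b""
        while len(data) < limit:          # cap how much of the reply is kept
            chunk = sock.recv(4096)
            if not chunk:
                break
            data += chunk
    return data[:limit]

def triage(raw):
    """Return (status_code, list_of_warnings) for a raw HTTP reply."""
    head, _, body = raw.partition(b"\r\n\r\n")   # headers end at the blank line
    lines = head.decode("latin-1").split("\r\n")
    status = int(lines[0].split()[1])
    headers = {n.strip().lower(): v.strip() for n, _, v in (l.partition(":") for l in lines[1:])}
    if "chunked" in headers.get("transfer-encoding", "").lower():
        body = body.partition(b"\r\n")[2]        # skip the first chunk-size line
    warnings = []
    if headers.get("content-type", "").lower().startswith("application/octet-stream"):
        warnings.append("content-type is application/octet-stream (a file, not a page)")
    if headers.get("content-disposition", "").lower().startswith("attachment"):
        warnings.append("content-disposition: attachment (forced download)")
    if body.startswith(b"MZ"):
        warnings.append("body starts with 'MZ' (Windows executable)")
    if re.search(rb"<input[^>]*type\s*=\s*[\"']?password", body, re.I):
        warnings.append("page contains a password field")
    return status, warnings

# Constructed sample replies modelled on the two replies quoted in this thread.
SAMPLE_EXE = (b"HTTP/1.1 200 OK\r\n"
              b"Content-Disposition: attachment; filename=PIC006.JPG-live.messenger.com;\r\n"
              b"Content-Type: application/octet-stream\r\n\r\n"
              b"MZP\x00\x02\x00This program must be run under Win32")
SAMPLE_FORM = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
               b'<form method="POST" action="msnengel.php">'
               b'<input type="password" name="T2" size="43"></form>')

if __name__ == "__main__":
    for name, raw in (("exe", SAMPLE_EXE), ("form", SAMPLE_FORM)):
        print(name, triage(raw))
```

A password field alone does not prove a page is malicious; it only tells you the page wants credentials, which is the point to stop and check whose site it really is.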



