Apple Discussions hacked by Tiger-Mate

Having just updated to Mac OS X 10.6.8, I was angry that Safari had been updated and is completely broken ....but that is another issue altogether.


It was whilst searching for a solution to Safari 5.1 problems that I came across a breach to the Apple Discussions site and therefore Apple.com by a hacker known as Tiger-m@te (search for tiger-mate bangladesh will provide some background on his/her notoriety).


I searched in Google: 'safari 5.1' + 'broken' and got the following:


Safari 5.1 'Broken' in OSX.6.8?: Apple Support Communities



The 4th link 'Safari 5.1 completely....' has the address https://discussions.apple.com/thread/3190534?start=0&tstart=0, but the page redirects to


http://chimac.net/2011/07/20/safari-5-1-completely-broken-under-lion-apple-support-communities/necko:classified1request-methodGETresponse-headHTTP/1.1 200 OK


....activating weird window behaviour, the pronouncement "Hacked" and some details of tiger-m@ate (though I've not clicked on any of the links).


....there was also a redirect to http://www.fotonons.ru/images/17.03.11/bytigermte.jpgrequest-methodGETresponse-headHTTP/1.1 200 OK


(note the .ru address !!!)


Someone has already posted a video of the type of thing you can expect :


http://youtu.be/NjhO64s901s


I do not know whether tiger-m@te is just showing off or whether there's an attempt to steal information.


I will inform Apple directly, but please JUST BE AWARE, AND BE SAFE

apple.com-OTHER, security warning

Posted on Sep 25, 2011 8:06 AM


Sep 25, 2011 9:15 AM in response to IdrisSeabright

Unfortunately running 5.1 under Snow Leopard is beset with problems and one can't downgrade because the relevant installers then refuse to install under Mac OS X 10.6.8.


Anyway, the hacking issue. I've just tried to replicate what happened to me and I can't ...the links do indeed seem to work as intended. The problem happened in Firefox 6 and my immediate reaction was to quit, trash the app and support files and disconnect Airport. I did not note any of the details at that moment.


I subsequently searched the remaining cache files to identify the links that I drew attention to in my original post, the relevant code is as follows though I do not profess to be an expert.


N!FN!F7i HTTP:http://www.google.co.uk/search?q=safari+5.1+broken&hl=en&client=firefox-a&hs=Qa9&rls=org.mozilla:en-US:official&prmd=imvnsfd&ei=_R9_TsPfFoWl0QXXjJ3UCQ&start=10&sa=N&bav=on.2,or.r_gc.r_pw.&fp=87213740e194cfba&biw=1550&bih=815&tch=1&ech=1&psi=_R9_TsPfFoWl0QXXjJ3UCQ.1316954397715.3request-methodGETresponse-headHTTP/1.1 200 OK

Date: Sun, 25 Sep 2011 12:40:38 GMT

Expires: -1

Cache-Control: private, max-age=0

Content-Type: application/json; charset=UTF-8

Content-Disposition: attachment

Content-Encoding: gzip

Server: gws

X-XSS-Protection: 1; mode=block

N!FN!G @˜HTTP:http://www.google.co.uk/csi?v=3&s=web&action=&ei=RiF_TtnFGsi_0QX7pqDMCQ&e=17259,17291,28936,30316,30465,30542,31803,32034,32271,32445,32459,32465,32538,32867,33020,33022,33027,33046,33064&cp=false&imp=0&pfa=n.1,ttfc.155,ttlc.0,cbt.77&pfm=n.1,ttfc.155,ttlc.0,cbt.77&imn=6&rt=prt.209,pprt.209,ol.209,jsrt.274,iml.210request-methodGETresponse-headHTTP/1.1 204 No Content

Content-Length: 0

Date: Wed, 21 Jan 2004 19:51:30 GMT

Pragma: no-cache

Cache-Control: private, no-cache

Expires: Wed, 17 Sep 1975 21:32:10 GMT

Content-Type: image/gif

Server: Golfe

N!aN!a MHTTP:http://www.google.co.uk/url?sa=t&source=web&cd=15&ved=0CEIQFjAEOAo&url=http%3A%2F%2Fchimac.net%2F2011%2F07%2F20%2Fsafari-5-1-completely-broken-under-lion-apple-support-communities%2F&rct=j&q=safari%205.1%20broken&ei=RiF_TtnFGsi_0QX7pqDMCQ&usg=AFQjCNFEksY1qxptxFuVErICOBOyDENbhwrequest-methodGETresponse-headHTTP/1.1 200 OK

Date: Sun, 25 Sep 2011 12:41:05 GMT

Pragma: no-cache

Expires: Fri, 01 Jan 1990 00:00:00 GMT

Cache-Control: no-cache, must-revalidate

Content-Type: text/html; charset=UTF-8

Content-Encoding: gzip

Server: gws

Content-Length: 281

X-XSS-Protection: 1; mode=block

charsetUTF-8 N!aN!b0—e±HTTP:http://chimac.net/2011/07/20/safari-5-1-completely-broken-under-lion-apple-support-communities/necko:classified1request-methodGETresponse-headHTTP/1.1 200 OK

Date: Sun, 25 Sep 2011 12:41:04 GMT

Server: Apache

Content-Type: text/html; charset=utf-8

charsetUTF-8 N!bN!cNòkæ,Ω;„HTTP:http://www.fotonons.ru/images/17.03.11/bytigermte.jpgrequest-methodGETresponse-headHTTP/1.1 200 OK

Server: nginx/0.7.67

Date: Sun, 25 Sep 2011 13:24:27 GMT

Content-Type: image/jpeg

Content-Length: 11453

Last-Modified: Thu, 17 Mar 2011 17:25:06 GMT

Accept-Ranges: bytes

<html><script type="text/javascript">

window.location = "http://www.google.com/search?q=hacked+by+tiger-m%40te"

</script></html> N!bN!xÇ% 1HTTP:http://77.247.69.68/.../404.phprequest-methodGETresponse-headHTTP/1.1 200 OK

Date: Sun, 25 Sep 2011 12:41:24 GMT

Server: Apache

X-Powered-By: PHP/5.2.0-8+etch16

Cache-Control: no-cache, must-revalidate

Expires: Sat, 26 Jul 1997 05:00:00 GMT

Content-Length: 130

Content-Type: text/html; charset=ISO-8859-1

charsetISO-8859-1


I started at google.co.uk and only selected the link to the Apple Discussion, no other interaction. If someone can explain to me how by itself the link redirected then please please do.
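The cache dump in the post above shows a response declared as `image/jpeg` followed by HTML containing a `window.location` redirect. The following is an added example, not part of the original thread, of a check that flags cached responses whose declared image type does not match the body and that reports any script redirect target. The function names are hypothetical, and the sample response is constructed from the headers and markup quoted in the dump.

```python
import re

# Magic-byte prefixes for the image types a server may declare.
IMAGE_MAGIC = {
    "image/jpeg": (b"\xff\xd8\xff",),
    "image/gif": (b"GIF87a", b"GIF89a"),
    "image/png": (b"\x89PNG\r\n\x1a\n",),
}
# Script-driven navigation of the kind seen in the dump: window.location = "..."
JS_REDIRECT = re.compile(
    rb"""(?:window\.|document\.)?location(?:\.href)?\s*=\s*["']([^"']+)["']""", re.I)

def parse_headers(raw):
    """Split a raw response head into (status_code, {lower-case name: value})."""
    lines = [l.strip() for l in raw.splitlines() if l.strip()]
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers

def inspect(raw_head, body):
    """Return a list of findings for one cached response (empty list = clean)."""
    findings = []
    _, headers = parse_headers(raw_head)
    ctype = headers.get("content-type", "").split(";")[0].strip().lower()
    magics = IMAGE_MAGIC.get(ctype)
    # An empty body (e.g. a 204 tracking pixel) is not a mismatch.
    if magics and body and not body.startswith(magics):
        findings.append(f"declared {ctype} but body is not that image format")
    m = JS_REDIRECT.search(body)
    if m:
        findings.append("script redirect to " + m.group(1).decode("ascii", "replace"))
    return findings

# Constructed sample: head and body rebuilt from the text quoted in the dump.
SAMPLE_HEAD = ("HTTP/1.1 200 OK\nServer: nginx/0.7.67\n"
               "Content-Type: image/jpeg\nContent-Length: 11453\n")
SAMPLE_BODY = (b'<html><script type="text/javascript">\n'
               b'window.location = "http://www.google.com/search?q=hacked+by+tiger-m%40te"\n'
               b'</script></html>')

if __name__ == "__main__":
    for finding in inspect(SAMPLE_HEAD, SAMPLE_BODY):
        print(finding)
```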

Sep 25, 2011 10:13 AM in response to asvpx

If you think this is an XSS attack -- and I've only skimmed your post and may have come to the wrong conclusion -- you should install the NoScript Add-on in Firefox, which will prevent XSS exploits.


http://noscript.net/features



You can also post your questions regarding XSS in the NoScript forum.


http://forums.informaction.com/viewforum.php?f=7



For Safari, post here.


https://discussions.apple.com/community/mac_os/safari?view=discussions&tagSet=1041#/?tagSet=undefined

Sep 25, 2011 10:13 AM in response to IdrisSeabright

I think you misunderstood. I made no mention of Lion and specifically referred to Mac OS X 10.6.8.


I have managed to track down some information regarding these hacks and they are attacks on the server, not on the client, therefore it does not appear to be my system that is at fault.


I can't explain why the links redirected as shown in the code above, or why replicating what I did now results in the links working as they should do.


There have been user reports that other servers have also been hit today.

Sep 25, 2011 10:20 AM in response to asvpx

Apologies, the Snow Leopard forum.


The only references I could find to Tiger-Mate are from January. There were only two, I believe, on the first page of a Google search. The problem is not with the ASC. However, if the problem has resolved itself, and you're not willing to go to the forums where you're most likely to get help, then, you may just have to live with the mystery.


Best of luck.

Sep 25, 2011 10:30 AM in response to IdrisSeabright

Meg. I am looking at other forums as well. This is my first post and I don't appreciate being patronised. I thought I'd been clear on the subject of the discussion and if you have a solution or genuine insight to offer then please contribute, otherwise it's not at all helpful having to respond when you've misread the post.

Sep 25, 2011 11:54 AM in response to asvpx

asvpx wrote:


WZZZ, thanks for your response. I don't usually use Firefox and only installed it yesterday (ver. 6.0.2) because of the problems I'd had with Safari 5.1.


I'm perhaps naive, but should Firefox be this vulnerable out of the box, so to speak ? ....no add-ons, etc.

I used to use Safari, then switched to Firefox and have never looked back. With the following Add-ons: NoScript, Adblock Plus, Ghostery, WOT, and BetterPrivacy (to remove Flash cookies -- I don't use it, I have my Macromedia/Flash folder locked up tight for that), you will have the safest and least privacy intrusive browser. (You might even consider RequestPolicy, but that may be a bit over the top.)

Sep 25, 2011 1:39 PM in response to asvpx

I was going to order some stuff from Genevieve's web site for my kids' school and it also says the server has been hacked by tiger@mate. I tried it on one computer that uses Explorer and another one that uses Mozilla and got the same web page response. Don't think it has anything to do with what program you use. My question is... are my computers at risk now? Closed the window immediately, didn't click on anything but am still worried.

Sep 25, 2011 4:27 PM in response to WZZZ

Thanks for that WZZZ. I must admit I do prefer Safari and regularly use Cosmopod and LittleSnapper extensions that are not available for Firefox .... it also seems that the rapid release policy that has been adopted by Firefox is proving controversial with the tech support community, as is Chrome, which I'm reluctantly using to write this.

Sep 25, 2011 4:40 PM in response to tonyafromcarpinteria

@tonyafromcarpinteria


I'm not going mad then?? Like you I'm wondering whether my system is at risk. I've done some research into XSS attacks as mentioned by WZZZ and it would suggest that the attacks are based on the exploitation of server-side vulnerabilities rather than malware on the client-side but it's not conclusive. This particular attack would seem to be non-malicious, there are no links on the redirected page at chimac.net and no apparent activity once the page is loaded ...it appears it's more of a calling-card, to satisfy the ego of tiger-m@ate ...let's hope so anyway.


I have always assumed that as much as I try to protect my network and my computers from physical theft, my data is still at risk of being compromised. To this end I use 1Password for log-in security, Knox for encrypting my documents and data (whilst retaining portability) and Espionage for securing application data.

Sep 25, 2011 5:35 PM in response to asvpx

It really might be better for you to continue this discussion by posting a new topic on the Snow Leopard forum, where it will be more likely you will get some answers from those who may have particular expertise in security issues. This particular forum is meant for discussion about the ASC experience.


https://discussions.apple.com/community/mac_os/mac_os_x_v10.6_snow_leopard?view=discussions
