web application security lab

Ha.ckers.org Breaches Browser Security - Says McAfee

Update: Apparently this is super old, but no one noticed. I guess not that many people use that service because it’s been around since Feb. Which also means some of these may have been pointing to us at that time - so maybe Dean isn’t as inept as I initially thought he was - except for the whole thinking we are spreading destruction without warning people ahead of time. Uhm, ya.

Here we go again. People who have been reading this blog for a while will remember that we have been told we were hacking websites by hosting JavaScript and we have been marked as a phishing site as well. Well, as Michael pointed out, McAfee has marked ha.ckers.org as a site that attempts to exploit you. Way to go guys, very nice indeed.

So let’s dissect what I think happened here. At some point someone looked at one of the examples and said, “Wow, this site is bad,” because they are clueless and didn’t bother to even look at the rest of the site. A gentleman by the name of “mr.anderson” then put up a stunning review of the site:

Exploit server

Wow… amazingly thorough review! I wish they would at least put which page they thought was owning them; that would have been amusing to make fun of him at least. But alas, no such luck. Then the big gun arrived. His name is dean and he has been marked as an “experienced reviewer”. Thank god, I’m saved, right? Someone who knows what they’re doing at least?

What mr.anderson said… According to Exploit Prevention Labs’ LinkScanner, this site contains malicious code. The IP address of this domain is 69.12.144.65 and it is shared by seven other domains. These sites are listed below:

advicegalaxy.com
barbarycoastfilms.com
fthe.net
mydickisbiggerthanyours.com
s-alchemy.com
secureseo.com
seodymanics.com

And then just to make sure he’s gotten his point across dean writes:

I forgot to add in my previous review that the other sites listed also contain exploits.

Wow. Just. Wow. Let’s actually take a look at this great find that dean, our experienced reviewer, came up with. Let’s look at advicegalaxy.com:

Name: advicegalaxy.com
Address: 8.15.231.1

Uhm… doesn’t appear to be on 69.12.144.65 to me and it looks like some domain squatter. But maybe that’s just an anomaly. Let’s look at another one:

Name: barbarycoastfilms.com
Address: 69.12.144.101

At least this one is on the right subnet, but still, wrong IP. And it appears to be a movie review site. Alas, not the malware spewing site I had hoped to find.

Name: fthe.net
Address: 69.12.144.99

Again! Close! But alas, wrong IP and even still, it’s a site that is supposed to be funny (we do try, but alas, sometimes we just fail miserably). Hardly the browser exploit factory.

Name: mydickisbiggerthanyours.com
Address: 69.12.144.101

Yes, id sure does have a good sense of humor, doesn’t he? Same deal as fthe.net.

Name: s-alchemy.com
Address: 69.12.144.65

There we go! Finally a match with the IP address that dean listed. Let’s go check it out. Wait, nothing there? How is it going to spread malware when it’s not even alive? Strange….

Name: secureseo.com
Address: 69.12.144.99

Okay, now we’re getting somewhere. It’s at least talking about browsers. But wait, it’s only got a few posts and alas one of them is about helping browser companies detect blackhat SEO tactics. Weird. There has GOT to be malware here! Dean said so! And that man is experienced!

Name: seodymanics.com
Address: 69.25.212.153

Whoah, not even close to the right IP range, and also looks like domain squatting. Alas, nothing to do with us. So now let’s look at ha.ckers.org since that appears to be the offending site.

Name: ckers.org
Address: 69.12.144.99

But wait! Dean clearly said ha.ckers.org was living on .65, not on .99! Maybe they have the wrong site? Now I’m just confused! Just because you use handy dandy outdated IP-to-hostname lookup and correlation tools doesn’t make you experienced. In fact, it turns out it makes you lazy and wrong. However, let’s get back to the matter at hand. Apparently Exploit Prevention Labs’ LinkScanner thinks I’m a bad bad man. So I go ahead and run it against every URL on ha.ckers.org I think could possibly be scaring it. Alas, nothing. Everything I can think to test comes up as thumbs up, as nice as rainbows and lollipops.
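The check above (forward-resolve every domain the reviewer says shares the IP, and see whether any of them actually does) as a small script. This is an added example, not code from the ha.ckers.org post; the resolver is injectable, so the run below works offline on the addresses the post reports, while live_resolver does a real DNS lookup.

```python
"""Verify a reviewer's "these domains share IP X" claim by forward-resolving
each listed domain. Added example, not the post's own code; POST_LOOKUPS is
an offline fixture holding the addresses quoted in the post above."""
import ipaddress
import socket
from typing import Dict, Optional

# Forward lookups quoted in the post, used here as an offline fixture.
POST_LOOKUPS = {
    "advicegalaxy.com": "8.15.231.1",
    "barbarycoastfilms.com": "69.12.144.101",
    "fthe.net": "69.12.144.99",
    "mydickisbiggerthanyours.com": "69.12.144.101",
    "s-alchemy.com": "69.12.144.65",
    "secureseo.com": "69.12.144.99",
    "seodymanics.com": "69.25.212.153",
    "ha.ckers.org": "69.12.144.99",  # the post's lookup prints it as ckers.org
}

def fixture_resolver(name: str) -> Optional[str]:
    return POST_LOOKUPS.get(name)

def live_resolver(name: str) -> Optional[str]:
    """Real forward lookup for production use; None when the name is dead."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None

def classify(claimed_ip: str, resolved: Optional[str]) -> str:
    """Only 'match' supports the claim; the rest mean a stale reverse-IP list."""
    if resolved is None:
        return "unresolved"
    if resolved == claimed_ip:
        return "match"
    subnet = ipaddress.ip_network(f"{claimed_ip}/24", strict=False)
    if ipaddress.ip_address(resolved) in subnet:
        return "same /24 only"
    return "different"

def verify_shared_ip_claim(claimed_ip, domains, resolve=fixture_resolver) -> Dict[str, str]:
    return {d: classify(claimed_ip, resolve(d)) for d in domains}

def claim_holds(verdicts: Dict[str, str]) -> bool:
    """True only if every listed domain really resolves to the claimed IP."""
    return all(v == "match" for v in verdicts.values())

if __name__ == "__main__":
    report = verify_shared_ip_claim("69.12.144.65", list(POST_LOOKUPS))
    print(report, "claim holds:", claim_holds(report))
```

Even a full set of "match" verdicts only shows co-hosting, which is not evidence that any one of the sites serves malicious content.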

Okay, enough sarcasm. Herein lie some serious problems. Letting one site maintain the reputation of other sites in this way obviously leads to all sorts of false positives and false negatives. Even if you think this site is bad, without contacting me or explaining what exactly is wrong with the site, how can I even fix the problem to get it up to snuff?

Now we are relying on the reputation of someone named “dean” and someone named “mr.anderson” to make judgment calls, when it’s clear the more experienced of the two doesn’t have a clue about the site he is reviewing or the other sites (all of the sites listed have now been reviewed as bad by dean, including s-alchemy, which is not even online and hasn’t been since our server crash months ago). Great job guys. I hope someone at McAfee is reading this and fixes it. Also, if anyone has a copy of Exploit Prevention Labs’ LinkScanner Pro, I’d appreciate a heads up as to what it found on ha.ckers.org that it thinks is bad.

Until we get to the bottom of this, maybe you should take McAfee’s word for it and steer clear of this site and the .65 IP address - they wouldn’t mark this site bad if it weren’t. If I can’t figure out how we’re exploiting you, you should be afraid - very afraid!

22 Responses to “Ha.ckers.org Breaches Browser Security - Says McAfee”

  1. Wesley McGrew Says:

    Very weird. It’d be interesting to see what other security sites and blogs they block.

    Googling around, it seems like a handful of people have been using http:/ckers.org/s in their XSS demos/POC for sites that might not have appreciated the glory of being stallowned. Maybe that’s what set this off?

  2. Johann Says:

    Maybe trying to stop stealth crawling would help?

    Btw: There’s also Secure Computing with their own share of stupid ideas. And don’t get me started on WebSense.

  3. tenest Says:

    funny…. siteadvisor.com has XSS holes… LOL!

  4. tenest Says:

    I guess maybe i should explain where… do a search for a totally non-existent site. You should end up with a text input where you can submit a domain for review. If you enter in:

    ' onmouseover='location.href="http://ha.ckers.org/";alert(/xss/)' title='xss

    and submit, on the resulting page, if you hover over the text input… 8^D

    That’s some pretty lax input filtering for a site that is supposed to be advising you on what sites are “secure”…

  5. Pat Bitton Says:

    FWIW, I’m running LinkScanner Pro and there are no alerts on ha.ckers.org.

  6. TT Says:

    I’m not too sure why you’re so surprised about this; we’ve known for years that McAfee targets ignorant users with the usual scaremongering tactics.

    It’s got to be expected from a company that relies on ignorant/novice users to buy its shady software for usually outrageous prices.

    We should review some of McAfee’s software and do the exact same as them and just make ‘mistakes’ and unsubstantiated claims about it.

    “If I can’t figure out how we’re exploiting you, you should be afraid - very afraid!”

    lol, congrats on creating the first server that thinks and works by itself, was always wondering how SkyNet was created. =D

  7. Bipin 3~ Upadhyay Says:

    I am not sure if they fixed it; McAfee used to flag Nmap as a “potentially unwanted program”.
    Link: http://seclists.org/nmap-dev/2005/q3/0097.html :)

  8. Sceptomaniac Says:

    ironically user “dean” actually cites ha.ckers.org when reviewing other sites :-)

    http://www.siteadvisor.com/sites/goodtraff.biz/postid/?p=464173#post464173

  9. Carl Says:

    That’s okay. Apparently, going to a hacked Bank site is safe, so there’s no problem there.

    People are starting (slowly) to take notice of the fatal flaws that these systems tend to have, but unfortunately they seem to be using them for their own advantage.

  10. Roger Thompson Says:

    Hi,

    I don’t think we mark your site as bad, or as hosting exploits. Why do you think we do?

    Cheers

    Roger
    CTO at LinkScanner.com

  11. Erwin Says:

    Funny to read this RSnake. Last night I gave a presentation about web security where I said that in the near future everyone will be using a white list of the sites they visit daily and block access to anything else. It just started :)

    I read today that there are even organizations that block access to social networking sites like LinkedIn because of the risks involved….

  12. RSnake Says:

    @Roger - I never thought I was, until the post made by dean that I cut and pasted. See above. I will send you an email on this as well.

  13. Roger Thompson Says:

    Cheers RSnake … we’ll sort it out.

    Roger

  14. RSnake Says:

    The email should be in your inbox. Our mail ends up in a lot of spam buckets if you don’t see it. Annoying, but something that should be rectified when we make our next move of the equipment in the next month or so.

  15. hackathology Says:

    funny, i hate corporate “Big Shots”. They think they are experienced so what they say is always right. I got two words for them f**k you

  16. chillervalley Says:

    RSnake i KNEW you are a BAD BAD man!

    As I said in my latest emails to you: i don’t want to kill you, i just want to hurt you … very very bad :)

  17. qwaxys Says:

    http://user.siteadvisor.com/forums/search.php?searchid=107888

    looks to me like dean is posting the same crap everywhere

    and at the same time? (bot ?)

  18. drear Says:

    Dear mr.anderson and McAfee,

    could you please try to fix your terrible coding practices in your own software before harassing other people.

    And dear McAfee, next time someone contacts you regarding your own security vulnerabilities, could you please try to act professionally.

    Please.

    Tracebacks:

    http://my.opera.com/taviso/blog/mcafee-updat
    http://my.opera.com/taviso/blog/month-of-mcafee-bugs

    with the pearl of

    http://marc.info/?l=full-disclosure&m=116614318521807&w=2

  19. qwaxys Says:

    update: ckers.org went from “RED” to “YELLOW”

  20. RSnake Says:

    Interesting! Thanks for the update, qwaxys… swaying McAfee one vote at a time!

  21. qwaxys Says:

    I’m happy to help :)

    though the McAfee system doesn’t look like a democratic one to me…

  22. Tony Says:

    My website just got tagged by Dean as well. He published untrue statements about my site and now I have some damn red x associated with it. It blows my mind how a site like McAfee can allow someone to write such false statements. Not one word is true? McAfee just can’t keep doing this without some type of repercussion!!!