Remote Data Services Data Control. Exploit or no?

Presmar · 2008-08-08, 03:03 PM

Hope I posted in correct forum.

Got this message when opening a freesite.

"This website wants to run the following add-on "remote data services data control" from Microsoft Corporation...."

I need more info before I take action. Anyone know what this is?

Cleo · 2008-08-08, 03:08 PM

Something bad
http://www.google.com/search?client=...UTF-8&oe=UTF-8

Presmar · 2008-08-12, 12:50 PM

Quote:

Originally Posted by Cleo

Something bad
http://www.google.com/search?client=...UTF-8&oe=UTF-8

Thanks, I'm just wondering if this is intentional or done by a third party. You have any idea?

cd34 · 2008-08-12, 01:36 PM

I would think it would depend on the age of the freesite.

If it was submitted, and you went to review it, and it had that code on it, the window of opportunity for a hacker to have coincidentally corrupted a newly authored freesite would be pretty small. That's not to say we haven't seen hackers leave cron jobs behind that continued to modify files every 10 minutes, but, that is rather rare behavior.

If the freesite had been there for ages, and you stumbled across it, I would say that the likelihood is much greater for it to have been placed there by someone other than the original webmaster.

The thing that makes things like this easy to do on a large scale is foreign counters/iframes, etc. If someone distributes code that is pasted on a website, and that site is later compromised (either by hackers or integrity), everywhere that banner/advertisement/counter is, becomes a distributor.

Code can also be easily distributed through RSS feeds to blog networks. The kvantservice hack originally infected 12k sites, but, through the wonders of RSS and people pulling feeds blindly, at last count, 27k sites have repeated the affected posts.

Then you have linklists and webmasters that are embracing the CPI model and intentionally modifying their own sites to distribute malware and toolbars.

Difficult to say without knowing the reputation of the site author.

We have seen a number of FTP compromises recently with one common thread being the FTP user/password had been handed to a particular credit card billing company who stores their data in the clear in their admin. Odd as that company usually is only hacked every 18 months -- they only made 12 months this time.

Presmar · 2008-08-12, 01:50 PM

Quote:

Originally Posted by cd34

I would think it would depend on the age of the freesite.

If it was submitted, and you went to review it, and it had that code on it, the window of opportunity for a hacker to have coincidentally corrupted a newly authored freesite would be pretty small. That's not to say we haven't seen hackers leave cron jobs behind that continued to modify files every 10 minutes, but, that is rather rare behavior.

If the freesite had been there for ages, and you stumbled across it, I would say that the likelihood is much greater for it to have been placed there by someone other than the original webmaster.

The thing that makes things like this easy to do on a large scale is foreign counters/iframes, etc. If someone distributes code that is pasted on a website, and that site is later compromised (either by hackers or integrity), everywhere that banner/advertisement/counter is, becomes a distributor.

Code can also be easily distributed through RSS feeds to blog networks. The kvantservice hack originally infected 12k sites, but, through the wonders of RSS and people pulling feeds blindly, at last count, 27k sites have repeated the affected posts.

Then you have linklists and webmasters that are embracing the CPI model and intentionally modifying their own sites to distribute malware and toolbars.

Difficult to say without knowing the reputation of the site author.

We have seen a number of FTP compromises recently with one common thread being the FTP user/password had been handed to a particular credit card billing company who stores their data in the clear in their admin. Odd as that company usually is only hacked every 18 months -- they only made 12 months this time.

Well, the domain was created in dec 2007, the freesite was subbed june 2008. I never had any problem with this guy before and I consider him to be a trusted submitter so for now I'll give him the benefit of the doubt until I here back from him.

Thanks alot for your information, I appreciate it.

2008-08-08, 03:03 PM	#1
Presmar My wife is not a doobie to be passed around! On our wedding day I promised to bogart her for life! Join Date: Dec 2004 Location: Cleveland Ohio Posts: 272	Remote Data Services Data Control. Exploit or no? Hope I posted in correct forum. Got this message when opening a freesite. "This website wants to run the following add-on "remote data services data control" from Microsoft Corporation...." I need more info before I take action. Anyone know what this is? __________________ Free Targeted Teen SE Traffic! Submit your Free Sites Here! sex-free-teen.com

2008-08-08, 03:08 PM	#2
Cleo Subversive filth of the hedonistic decadent West Join Date: Mar 2003 Location: Southeast Florida Posts: 27,936	Something bad http://www.google.com/search?client=...UTF-8&oe=UTF-8 __________________ Free Rides on Uber and Lyft Uber Car: uberTzTerri Lyft Car: TZ896289

2008-08-12, 01:36 PM	#4
cd34 a.k.a. Sparky Join Date: Sep 2004 Location: West Palm Beach, FL, USA Posts: 2,396	I would think it would depend on the age of the freesite. If it was submitted, and you went to review it, and it had that code on it, the window of opportunity for a hacker to have coincidentally corrupted a newly authored freesite would be pretty small. That's not to say we haven't seen hackers leave cron jobs behind that continued to modify files every 10 minutes, but, that is rather rare behavior. If the freesite had been there for ages, and you stumbled across it, I would say that the likelihood is much greater for it to have been placed there by someone other than the original webmaster. The thing that makes things like this easy to do on a large scale is foreign counters/iframes, etc. If someone distributes code that is pasted on a website, and that site is later compromised (either by hackers or integrity), everywhere that banner/advertisement/counter is, becomes a distributor. Code can also be easily distributed through RSS feeds to blog networks. The kvantservice hack originally infected 12k sites, but, through the wonders of RSS and people pulling feeds blindly, at last count, 27k sites have repeated the affected posts. Then you have linklists and webmasters that are embracing the CPI model and intentionally modifying their own sites to distribute malware and toolbars. Difficult to say without knowing the reputation of the site author. We have seen a number of FTP compromises recently with one common thread being the FTP user/password had been handed to a particular credit card billing company who stores their data in the clear in their admin. Odd as that company usually is only hacked every 18 months -- they only made 12 months this time. __________________ SnapReplay.com a different way to share photos - iPhone & Android