Ulterior motive in 1-4a Rename's web site?


Steven Burn

Is it some sort of scam? (Just paranoid of course. ;-)

If a website is causing this behaviour, and it only happens on this site
then personally, I'd be very suspicious.

--
Regards

Steven Burn
Ur I.T. Mate Group
www.it-mate.co.uk

Keeping it FREE!

Disclaimer:
I know I'm probably wrong, I just like taking part ;o)
 
G'day mates,

A recent article in alt.msdos.batch recommended the freeware program
1-4a Rename for major file renaming projects. So I went to the URL
<http://www.1-4a.com/rename/> to have a squiz at the thing.

For some reason, when I first went there, and subsequently when I went
"back", I got a warning message (presumably from Norton Internet
Security Firewall) that "Microsoft Internet Explorer is attempting to
access the Internet" (or something pretty close to that phrasing).

Now this was pretty obvious, as that's what I sent it off to do. :-)

However, I *don't* get this message when I browse any other sites.
In fact, until tonight, I hadn't seen that message since I set up the
firewall 12 months ago.

So what's so bloody different about http://www.1-4a.com/rename/ ?

Is it some sort of scam? (Just paranoid of course. ;-)


Cheers, Phred.
 
<snip>

The only two things I see about this website:

1) Using DNSKong and monitoring the AutoFilter window, I see
that it sends the browser off to "webcounter.goweb.de",
presumably a third-party page counter service; this can be confirmed by
looking at the webpage source which has an "href" to webcounter.goweb.de
and places the typical 1x1 pixel "image" on the page to do the "load"
counting.
2) The page attempts to load an ActiveX object, but since I have MS IE set
to prompt on ActiveX, I declined the prompt to allow loading. The
ActiveX control appears to be a Flash animation.

I added "goweb" to my DNSKong "named.txt" file and the page loads fine
without it or the Flash animation. Not sure if any of this is related to
your situation, but this is all I can provide after a cursory look.
 
I suspect it has something to do with this bit of code from the page:

<OBJECT classid="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000"
codebase="http://active.macromedia.com/flash2/cabs/swflash.cab#version=4,0,0,0"
ID=1_4arename WIDTH=124 HEIGHT=25>
<PARAM NAME=movie VALUE="1_4arename.swf">
<PARAM NAME=quality VALUE=high>
<PARAM NAME=wmode VALUE=transparent>
<PARAM NAME=bgcolor VALUE=#FFFFFF>
<EMBED src="1_4arename.swf" quality=high bgcolor=#FFFFFF
wmode=transparent
WIDTH=124 HEIGHT=25
TYPE="application/x-shockwave-flash"
PLUGINSPAGE="http://www.macromedia.com/shockwave/download/index.cgi?P1_Prod_Version=ShockwaveFlash">
</EMBED>
</OBJECT>



T.E.D. ([email protected])
SPAM filter: Messages to this address *must* contain "T.E.D."
somewhere in the body or they will be automatically rejected.
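The manual source inspection described in the two replies above (the off-site counter with its 1x1 image, and the ActiveX OBJECT tag) can be done in one pass over the page source. This is an added example, not code from any poster in the thread; the sample markup reuses the OBJECT snippet quoted above, and the counter image path `count.gif` is a constructed placeholder.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

PAGE_URL = "http://www.1-4a.com/rename/"  # the page discussed in the thread

# Constructed sample: OBJECT markup as quoted in the thread, plus a counter
# link of the kind described (the image path is made up for illustration).
SAMPLE = """
<a href="http://webcounter.goweb.de/"><img
 src="http://webcounter.goweb.de/count.gif" width=1 height=1></a>
<OBJECT classid="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000"
 codebase="http://active.macromedia.com/flash2/cabs/swflash.cab#version=4,0,0,0"
 ID=1_4arename WIDTH=124 HEIGHT=25>
<PARAM NAME=movie VALUE="1_4arename.swf">
<EMBED src="1_4arename.swf" TYPE="application/x-shockwave-flash"
 PLUGINSPAGE="http://www.macromedia.com/shockwave/download/index.cgi?P1_Prod_Version=ShockwaveFlash">
</EMBED>
</OBJECT>
"""

# Attributes that can name another host (href is only followed on a click).
URL_ATTRS = ("href", "src", "codebase", "pluginspage", "data")

class Audit(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.page_host = urlparse(page_url).hostname
        self.third_party = {}  # host -> {(tag, attribute), ...}
        self.activex = []      # CLSIDs of ActiveX controls requested
        self.pixels = []       # src of 1x1 images (typical hit counters)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # the parser lower-cases tag and attribute names
        for name in URL_ATTRS:
            if a.get(name):
                host = urlparse(urljoin(self.page_url, a[name])).hostname
                if host and host != self.page_host:
                    self.third_party.setdefault(host, set()).add((tag, name))
        if tag == "object" and (a.get("classid") or "").lower().startswith("clsid:"):
            self.activex.append(a["classid"][6:].upper())
        if tag == "img" and a.get("width") == "1" and a.get("height") == "1":
            self.pixels.append(a.get("src"))

def audit(html, page_url=PAGE_URL):
    parser = Audit(page_url)
    parser.feed(html)
    return parser
```

Calling `audit(SAMPLE)` returns the parser with `third_party`, `activex` and `pixels` filled in; the relative `1_4arename.swf` reference resolves to the page's own host and is not reported.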
 
Ted said:
I suspect it has something to do with this bit of code from the page:

<OBJECT classid="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000"
codebase="http://active.macromedia.com/flash2/cabs/swflash.cab#version=4,0,0,0"
ID=1_4arename WIDTH=124 HEIGHT=25>
<PARAM NAME=movie VALUE="1_4arename.swf">
<PARAM NAME=quality VALUE=high>
<PARAM NAME=wmode VALUE=transparent>
<PARAM NAME=bgcolor VALUE=#FFFFFF>
<EMBED src="1_4arename.swf" quality=high bgcolor=#FFFFFF
wmode=transparent
WIDTH=124 HEIGHT=25
TYPE="application/x-shockwave-flash"
PLUGINSPAGE="http://www.macromedia.com/shockwave/download/index.cgi?P1_Prod_Version=ShockwaveFlash">
</EMBED>
</OBJECT>

That's a point. Phred, can you see the flash movie at
http://www.1-4a.com/rename/1_4arename.swf
 
That's a point. Phred, can you see the flash movie at
http://www.1-4a.com/rename/1_4arename.swf

Okay, I played around a bit and ended up closing my MSIE6 SP1, then
reopening it and deleting Temporary Internet files and clearing
history. Then I went to your "test" site above and could see a
sequence of floating letters etc. (Is that the "flash movie"?)

Then I trimmed the URL back to http://www.1-4a.com/rename/ (i.e. the
same address that started this thread) and up popped that warning
message again. Also, I haven't managed to detect any difference
depending on whether I say to allow access to MSIE or to block it!

I'm afraid that viewing "Source" for the page doesn't do much for me
as I'm not fluent in HTML. But I gather from what you said, Fred,
that my being able to see the "movie test" probably implies Ted's
diagnosis is not the full story?

I also originally planned to post this to
symantec.support.network.nortonantivirus.firewalls
because I'm using the NIS firewall, and that seemed the most
appropriate group for it. But, although that group is listed in my
copy of the "newsrc" file from DFN-CIS, the server claims the group
doesn't exist!


Cheers, Phred.
 
G'day mate,

I'm forwarding your response to aus.computers as I see you've trimmed
newsgroups to a.c.f and there were a couple of blokes elsewhere who
took an interest in this topic. They might be interested in your
comments too.

Thanks very much for your input.

<snip>

The only two things I see about this website:

1) Using DNSKong and monitoring the AutoFilter window, I see
that it sends the browser off to "webcounter.goweb.de",
presumably a third-party page counter service; this can be confirmed by
looking at the webpage source which has an "href" to webcounter.goweb.de
and places the typical 1x1 pixel "image" on the page to do the "load"
counting.
2) The page attempts to load an ActiveX object, but since I have MS IE set
to prompt on ActiveX, I declined the prompt to allow loading. The
ActiveX control appears to be a Flash animation.

I added "goweb" to my DNSKong "named.txt" file and the page loads fine
without it or the Flash animation. Not sure if any of this is related to
your situation, but this is all I can provide after a cursory look.

Cheers, Phred.
 
I'm afraid that viewing "Source" for the page doesn't do much for me
as I'm not fluent in HTML. But I gather from what you said, Fred,
that my being able to see the "movie test" probably implies Ted's
diagnosis is not the full story?

If you see it when you specifically access it, but not when the parent
page loads, it is an indication that it is the problem, or rather, the
way it's included in the page is the problem.



T.E.D. ([email protected])
SPAM filter: Messages to this address *must* contain "T.E.D."
somewhere in the body or they will be automatically rejected.
 