Every now and then I notice that image fields on webpages I visit are
being
hijacked to show unrelated advertising.  This can be quite annoying --
for example, an image on CNN news or a weather map might be replaced
by SPAM.  It does not happen all the time. This occurs under windows
98.... I use both IE 6.0 and Netscape 4.7 and have not kept notes on
which browser is affected.

Does anyone have a website describing the likely causes and remedies
of image hijacking?

---

Clarification of Question by drpauljbrewer-ga on 03 Sep 2002 00:59 PDT

Thanks for the comments.  My home page preferences are not affected.

Also, I have been running AdAware (a spamware detection tool) and it
has not identied/fixed this particular problem.

It is intermittent.  Malicious java applet or browser virus, perhaps?

---

Clarification of Question by drpauljbrewer-ga on 03 Sep 2002 09:25 PDT

When images are hijacked, they are fed through atwola.com.

Also, atwola.com seems to have started a HTTP server on port 1026 of
my machine.
(locahost:1026).  This was verified by running telnet localhost:1026

As I do not have Bonzai buddy, or anything similar detected by
adaware, I am becoming more and more curious about what this could be.

---

Request for Question Clarification by sublime1-ga on 19 Sep 2002 22:04 PDT

drpaul...

Did I answer this for you, and should I therefore post the
answer formally, or is something still unclear?

I answered a similar question here:
https://answers.google.com/answers/main?cmd=threadview&id=45117
My guess is that it's the same cause.

Can't say as to the HTTP server that you feel is running on your
system. As for ar.atwola.com, a lot of ads are run through that
server. It's owned by AOL.com. Whenever your at netscpae.com,
netscape.net, aol.com, cnn.com, cnnsi.com, cnnfn.com, or other
time-warner properties, you see a lot of advertising coming through
the atwola.com servers. Don't exactly know why it would replace
something like a weather map, though. Hope this was of some help.

Additional: Make sure javascript and cookies are ENABLED. Some
websites won't display properly without them, especially javascript.

The Mozilla browser ( http://www.mozilla.org/ ) free download has the
option only to run images from the webserver that is serving the
page... would that help? (it also kills popups) - set in the
preferences.

drpauljbrewer...

From the IANA (Internet Assigned Numbers Authority),
that port number is used for Calendar Access Protocol.

Keyword         Decimal    Description
-------         -------    -----------
cap             1026/tcp   Calender Access Protocol
cap             1026/udp   Calender Access Protocol

Calendar Access Protocol is a protocol intended to 
produce calendars, and alterations thereto, by way
of PHP commands:
 
PHP:
"A server-side scripting language. The PHP commands, 
which are embedded in the web page's HTML, are 
executed on the web server to generate dynamic HTML
pages. See php.net."    ....from:
http://www.webhosts4free.com/definitions/php.php

"PHP is a widely-used general-purpose scripting 
language that is especially suited for Web 
development and can be embedded into HTML." ...from:
http://www.php.net/

So it seems that atwola.com is utilizing this language
via a little-used port to activate scripts which
show up on the webpages you visit.

If you're using a PC, you could install the free version
of ZoneAlarm from http://www.zonelabs.com
which will alert you to activity on that port and
permit you to disallow it.

If this satisfies your interest, let me know, and I'll
post it as a formal answer.

sublime1-ga

drpaul...

P.S. ZoneAlarm will also tell you what file on
your computer (if any) is involved accessing 
port 1026, which will allow you to delete it.
ZoneAlarm requests your permission in relation
to every program which attempts to access the
internet. You can give blanket permission to
trusted applications, and temporary or permanent
denial to anything that looks fishy.

sublime -- you are on the right track and your answer is worth about
4*.

I am comparing how several different computers react to ar.atwola.com,
and I'll post some more info soon.

drpaul...

I stand (sit?) corrected (I wear orthopaedic pants).
Per this post, ZoneAlarm does not have the ability
to block IPs:

"It is strongly recommended that you download and install
 a firewall capable of blocking IPs, like Tiny Personal
 Firewall. Some firewalls (like Zone Alarm) do not have
 the ability to filter (block) IPs. TPF works well with
 other firewalls (it works beautifully with ZA.)..."
From: 
http://groups.google.com/groups?selm=a56peg%24nk4%241%40bob.news.rcn.net&oe=UTF-8&output=gplain
which is a long page, but very relevant to your concern,
and worth the read. It goes on to say:

"DNSKong blocklist DNSKong is available from
 www.pyrenean.com. The companion program, eDexter,
 may be necessary, but this is one of the most
 effective security measures in existence and
 its use is strongly recommended.
 A few notes:
 This is a blocklist for use with DNSKong and has
 been optimized for speed. Simply cut and paste this
 into Windows Notepad, and save it in
 C:\PROGRA~1\PYRENEAN\DNSKONG as NAMED.TXT. If you
 use any other program, make sure to save it as an
 MS-DOS text file.
 You may want to remove Microsoft, msft, Netscape,
 and AOL (but I recommend you leave in
 ads.web.aol.com) to access these services. You
 will be unable to access MSNBC because MSNBC tracks
 you using MSID and a unique identifier unless you
 remove the item in the list below called MSID,
 which will allow all Microsoft and related sites to
 assign you a unique identifer. Be warned: this
 identifier can track you across sessions and will
 function even if you have permanent cookies disabled."

sublime1-ga

drpaul...

P.S.
Here's another informative discourse:
http://accs-net.com/hosts/what_is_hosts.html