Monday, 29 August 2005

Statcounter users: hacker warning!

If you use Statcounter for your hit counter, beware.

Previously I'd noticed that I sometimes got referrals to my blog from statcounter.com/counter/counter.js, and there was no explanation on the Statcounter forum that made sense of it (e.g. see this thread). So when I wrote up a summary of common Statcounter referers, I left that one as a mystery.

In fact, I've since heard that that referral signifies an attempted account hijack. Apparently it's very easy for hackers to retrieve your counter info, and they might even take over your account and sniff for keystrokes by pretending to be a .cgi page at Statcounter. Techie details are at this insecure.org page (and no, I don't understand most of it myself!).

The bottom line is that hackers could find out your Statcounter username and password.

That insecure.org page says that Statcounter have fixed this vulnerability. But I know that some people still aren't sure how secure it really is.

What to do? For starters, if you installed your Statcounter code before April 2005, get ye to the Statcounter installation page pronto and update the Statcounter code in your template. Click the spanner icon (next to the project for your blog in the projects list, or in the top left corner of the page in most views), then click Install Code, and make sure you replace the Statcounter code in your template with the latest version of the code.

Second, if you use the same username/password for Statcounter as for your other Web accounts, don't! Change them (especially if you've seen the statcounter.com/counter/counter.js referer in your own Statcounter logs), and make sure your Statcounter username and password are different from those you use for any other online account.

Finally, you might think twice about continuing to use Statcounter for your hit counter unless they can assure us all that they have really secured their site and their code. I'm still using them for now, because my Statcounter password is unique and as far as I can see my Statcounter account hasn't been messed with, but I'm certainly going to reconsider my use of Statcounter.

(Thanks to Tab for the heads up on this).



39 comments:

Peter said...

Hello,

I'm an engineer with StatCounter.com - just to clarify for you, regarding the insecure.org vulnerability, this was promptly and completely fixed at the time it was reported. A company called StationX initially highlighted the vulnerability and reported it to us, and insecure.org simply copied and pasted it - however, they neglected to copy from the StationX report that this vulnerability was fixed. Please see the original StationX report here, along with the solution at the bottom:

http://www.stationx.net/downloads/statcounter_script_injection_user_session_hijack.pdf

The solution reads:

"Aodhan Cullen of statcounter fixed this vulnerability after we informed them. The fix was written using the PHP function htmlentities(). So no more worries.
Attempt now returns a security error in a gif.
HTTP/1.1 200 OK
Date: Fri, 29 Apr 2005 10:10:42 GMT
P3P: policyref="http://www.statcounter.com/w3c/p3p.xml", CP="NOI DSP COR NID ADM DEV PSA OUR IND UNI PUR COM NAV INT STA"
Set-Cookie: session_633549=1114769442%260; expires=Wed, 28-Apr-2010 10:10:42 GMT; path=/; domain=.statcounter.com
Content-Type: image/gif
X-Transfer-Encoding: chunked
Content-length: 49"

So this issue is no longer an issue :)

Regarding the "mystery" statcounter.com/counter/counter.js referrer, counter.js is simply our own script that receives data from your site when someone visits it. Sometimes browsers interpret it incorrectly as a referring link, but it's not, although this does not happen too often.

Thanks!
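The StationX report Peter quotes says the hole was closed by running visitor-supplied data through PHP's htmlentities() before it was written into the stats pages. The block below is an added illustration of that class of bug and fix, not StatCounter's code or anything from the report: a small Node.js script that renders a constructed hit record (with a referrer carrying a script tag) once without encoding and once with an escapeHtml() helper that stands in for htmlentities(), plus a check that a reviewer could run over generated markup. All names, the helper and the sample hit are assumptions made for the example.

```javascript
// Added example, not StatCounter's code: why a stats page that reflects
// visitor-controlled fields (referrer, page title, user agent) must encode
// them, and what the htmlentities()-style fix changes. Runs under Node.js.

// Hypothetical stand-in for PHP's htmlentities(): encode the five characters
// that matter in HTML text and attribute context.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#039;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Before the fix: the referrer is pasted straight into the HTML, so a
// script tag in the referrer runs in the browser of whoever views the stats.
function renderHitRowUnsafe(hit) {
  return `<tr><td>${hit.time}</td><td>${hit.referrer}</td></tr>`;
}

// After the fix: every untrusted field is entity-encoded before insertion,
// so the same referrer is displayed as text and never parsed as markup.
function renderHitRowSafe(hit) {
  return `<tr><td>${escapeHtml(hit.time)}</td><td>${escapeHtml(hit.referrer)}</td></tr>`;
}

// A minimal review check over generated markup: did a raw <script ...> tag
// survive anywhere? (Encoded tags appear as &lt;script&gt; and do not match.)
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Constructed sample hit: a referrer URL that carries a script tag.
const sampleHit = {
  time: '2005-04-29 10:10:42',
  referrer: 'http://example.test/?q=<script>alert(1)</script>',
};

console.log('unsafe row :', renderHitRowUnsafe(sampleHit));
console.log('safe row   :', renderHitRowSafe(sampleHit));
console.log('unsafe row contains script tag:', containsScriptTag(renderHitRowUnsafe(sampleHit)));
console.log('safe row contains script tag  :', containsScriptTag(renderHitRowSafe(sampleHit)));
```

The containsScriptTag() check only catches the obvious case and is there to make the difference between the two renderers visible; the real protection is encoding every untrusted field at the point it is written into HTML, which is what the quoted fix describes.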

Anonymous said...

Peter... why is statcounter.com down again? It's been inaccessible for over a week now. What the hell!? I'm paying for extended services and can't even get on the site. Buy more bandwidth or pull the plug.

Matthew
nixcreations2003@yahoo.com

Improbulus said...

Peter thanks for your comment, but I know someone who has had the .js referral script showing up on her awstats (server dependent) and your explanation seems to make no sense, because if she doesn't have the .js on her page then why is she getting ref hits from one?

Matthew I haven't had any problems with Statcounter being down myself, maybe you've been unlucky with your particular server?

Nix said...

When I try to go to www.statcounter.com the page does not load and says "Refresh Page" on the upper left blue strip of the window. I deleted all my cookies and made sure statcounter was not being blocked. Anyone ever have this problem?

Matthew

Improbulus said...

Sorry no Matthew - have you tried asking at the Statcounter forums?

Anonymous said...

Hey Matthew, I am currently having the same problem. It has been over 3 days now and I don't know if statcounter is really down or not. I did the same thing you did - deleted cookies, cleared temp files etc, still inaccessible. If anyone else has or had this problem, and fixed it, please share with us how you did it or what is causing the problem. As of now, I truly believe the server is down due to 2006 updates maybe.

Ronald said...

I'm having the same problem, the site does load but without any content, it's blank, and page title says "Refresh Page".

Improbulus said...

This is a mystery to me, I've not been having problems myself. Maybe it's a particular server? I can only suggest you try Statcounter forums or their support. Good luck!

Anonymous said...

I Have found the solution,
Here Are the steps to take to fix the problem

Go to network connections
Choose and open the connection you use to access the internet
Go to the properties
in the general tab, go to the Internet protocol (TCP/IP)
Highlight and click properties
In the General Tab, click obtain Ip Address automatically
Also click obtain DNS Server Address automatically
Click ok
In the wireless connection properties main tab
click ok
Restart your computer because it may not work instantly
Then you are done
I hope I have been a good help because I have been in the same
situation and it is frustrating
Take care!!

Improbulus said...

Thanks for the comment anon. Hmm I'm not quite sure how this solves the problem Ronald etc are having but if it worked for you, great and thanks for sharing the suggestion!

Anonymous said...

I'll be damned... the suggestion above works. I've been trying to get to statcounter for a month now with no luck. Thanks for the info.

Improbulus said...

Still stumped as to how & why that suggestion would work, but hey if it works for you, good stuff!

mvs said...

I had to remove the code from my web after I got into my friend's mailbox (following the visitor's link). I could see his e-mails -- it scared **it out of me -- it seems my account had been hijacked. Those who visited my site had cookies installed on their puters & one computer crashed after following the link from me ... ughm ... I'm not a computer person but I don't think statcounter is safe. And they never answered my e-mails. Too bad cause I really liked it

Improbulus said...

mvs, not sure what you mean by "following the visitor's links"? Anyway it doesn't look like people are very happy with Statcounter right now...

Anonymous said...

Hi
I've had the same problem described above regarding being unable to connect to ANY pages related to statcounter.com for a week now, I just get a blank page. I had tried clearing and scanning everything, lowering security settings, dropping firewall to no avail. I tried the suggestion above with the connection settings to obtain the IP auto etc, restarted and bingo! I'm back into my stats account.
Thanks to the anonymous person who posted it, don't know what it did but it worked :-)

Improbulus said...

Gotta say I have no idea why it would work but I'm glad it does!

Princess Kiki said...

hackers suck lol

Anonymous said...

The easier fix if statcounter.com is not loading:

just go to your c:\windows\system32\drivers\etc folder
open the file called "HOSTS" in notepad
if you find "127.0.0.1 c1.statcounter.com" or "127.0.0.1 www.statcounter.com", put a # in front of the line, like:
#127.0.0.1 c1.statcounter.com
#127.0.0.1 www.statcounter.com

save the file and reload ur browser, it will work fine.
changing ur DNS settings could unblock other potentially harmful sites that were blocked using HOSTS.
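The commenter's point is that editing only the offending hosts entries is a narrower fix than switching DNS settings, because a blocking tool may have put other, genuinely unwanted hosts in the same file. The Node.js script below is an added example, not from the comment or from any vendor tool: it parses hosts-file text, lists the entries that pin a given domain (or any host under it) to a loopback or blackhole address, and produces a copy with just those lines commented out, leaving everything else alone. The sample hosts file is constructed for the example; run it against a copy of the real file rather than the live one, and only write the result back after reviewing it.

```javascript
// Added example (not from the post): find hosts-file entries that send a
// domain to 127.0.0.1 (or ::1 / 0.0.0.0) and comment out only those lines.
// Pure string processing, so it runs offline under Node.js on the
// constructed sample at the bottom, or on text read from a copied hosts file.

const LOOPBACK = new Set(['127.0.0.1', '::1', '0.0.0.0']);

// Parse one hosts line into { ip, names } or null for blank/comment lines.
// Format: address, whitespace, one or more hostnames, optional "# comment".
function parseHostsLine(line) {
  const noComment = line.split('#')[0].trim();
  if (noComment === '') return null;
  const [ip, ...names] = noComment.split(/\s+/);
  if (names.length === 0) return null;
  return { ip, names: names.map((n) => n.toLowerCase()) };
}

// Return { lineNo, line } (1-based) for every entry that maps a host equal to
// or under one of the given domains to a loopback/blackhole address.
function findBlockedEntries(hostsText, domains) {
  const suffixes = domains.map((d) => d.toLowerCase());
  const hits = [];
  hostsText.split('\n').forEach((line, i) => {
    const entry = parseHostsLine(line);
    if (!entry || !LOOPBACK.has(entry.ip)) return;
    const matched = entry.names.some((n) =>
      suffixes.some((d) => n === d || n.endsWith('.' + d)));
    if (matched) hits.push({ lineNo: i + 1, line: line.trim() });
  });
  return hits;
}

// Return a copy of the file with only the matching entries prefixed by "#".
// Other lines, including other blocked sites, are passed through unchanged.
function commentOutBlockedEntries(hostsText, domains) {
  const blocked = new Set(findBlockedEntries(hostsText, domains).map((h) => h.lineNo));
  return hostsText
    .split('\n')
    .map((line, i) => (blocked.has(i + 1) ? '#' + line : line))
    .join('\n');
}

// Constructed sample hosts file: the two lines the comment above mentions,
// the normal localhost entry, and an unrelated blocked host that must survive.
const sampleHosts = [
  '# sample hosts file (constructed for this example)',
  '127.0.0.1       localhost',
  '127.0.0.1 c1.statcounter.com',
  '127.0.0.1 www.statcounter.com   # added by some blocking tool',
  '127.0.0.1 ads.example.test',
].join('\n');

const found = findBlockedEntries(sampleHosts, ['statcounter.com']);
console.log('entries blocking statcounter.com:', found);
console.log('--- hosts file with those entries commented out ---');
console.log(commentOutBlockedEntries(sampleHosts, ['statcounter.com']));
```

Matching is done on the domain suffix, so c1.statcounter.com through c20.statcounter.com are all caught by a single 'statcounter.com' argument, which matters given the later comment about data going to cX.statcounter.com hosts. Lines already commented out are skipped, so running the script twice is harmless.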

Anonymous said...

The solution to change TCP/IP to auto works! For weeks I've had statcounter.com saying forbidden access and blank pages. Statcounter worked on my laptop but didn't work on my desktop. I was stumped. Until I saw this blog.
Thanks to Anonymous for help fixing this issue.

For some reason, all of my connections including wireless had DNS pointing to 85.255.112.217 and 85.255.115.53. I removed them and now statcounter.com works.

I think the DNS was added when I experienced Google.com search links being hijacked. I found a fix that removed my machine from google hijackings. But I guess it didn't remove the DNS settings.

I do believe that this was the cause of the DNS change.

Anonymous said...

You folks need to understand much better your browsers/firewalls/anti-virus/anti-spyware programs you so religiously use.

They are instrumental in blocking your access to sites based on quirks - like if a site uses third party cookies, anti-spyware programs flag it as unsafe and plonk it into the hosts file which is used to manipulate domain resolution to ip address.

In addition to that, some ISP's have DNS problems and on and off you find you cannot reach a certain site simply because the ISP's DNS doesn't have the information at that moment.

That is why "obtain DNS automatically" works better as it picks a different DNS server if the initial one is down or doesn’t have the information. Otherwise you always look in the same "reference" which doesn’t have it - and you'll never find it until that DNS server gets updated correctly, which may be a month of Sundays.

Improbulus said...

Thanks for improving that understanding Anon.

But I think it's better to religiously use firewalls, antiviruses etc than not at all, myself!

Anonymous said...

Why is my password (secured and encrypted) for www.help2go.com being sent to cX.Statcounter.com (X=1 to 20) ??
I can block it now but 'something' is still trying to send it....

Improbulus said...

Anon, sorry I don't know, have you tried asking on the Statcounter forums? People are pretty knowledgeable and helpful there, and they'll know a lot more about Statcounter than I do.

Twin Ports said...

I see it's been 3 months since the last post. I suppose the problems are solved.

I have used StatCounter since 2004 and have never had any experience like these.

You can read more about the StatCounter experience of the world's most loved blogger.

Jeff Hubbard Sr said...

thanx for the solution Anonymous, it sorted the issue for me as well. I was a week without any access to statcounter.com, all I got was a blank page. I called my isp and they said it was a "microsoft problem" (Rollseyes). My answer to them is "how can it be a microsoft issue when it does it in firefox 2.0 as well?" They had no answer.. thanks again.

Jim Crabtree said...

I am also having major problems with my StatCounter and I sometimes can't even access their main URL page. Is this a recurring problem?

Jim

www.crabtreephoto.com

john alex said...

I can't get onto statcounter either. What is the solution for Mac users. Anyone know? Thanks

BOB HOWLETT said...

I registered with Statcounter recently and I was able to access it for a while now I cant even access the main URL page. I use a Mac. Does anyone know a solution?
Thanks.

Ruben Esq said...

I've had this problem continuously since March, and I still experience it. I use a Mac, but I also tried it on a PC a few weeks ago and I still get a blank where the main page should be.

Ed Gauthier said...

Statcounter has far worse problems than any mere temporary server glitches, arguments with PayPal or anyone else! Their entire site went down in early July 2008, after being in business for 8 years on the net. (I had been using them for the last 6.)

Without any warning, all my pages went blank where the Statcounter numbers should be showing, and link pages to them, even including their blogs and forums, now all either come up blank or redirect to an unrelated fake search engine company.

Just look at Alexa, and you'll see that their graph chart for Statcounter clearly shows visits to the Statcounter site started dropping like a rock in July.

So what happened to Statcounter, anyway? I heard something in June about them converting to some improved system then, but that should have long since taken effect. If it didn't work, why didn't they just stick with their current version? At any rate, it's a total mess, and I have yet to get even ONE email from Statcounter about this!

I can only assume at this point that they've gone out of business.

Improbulus said...

Yes Statcounter are very erratic at the moment, I've had blips myself the last few days but it seems to be up and running again now.. obviously with some loss of stats. I use Google Analytics too so at least that's captured the lost details. You could always duplicate and use two services - slows down the page loading a bit but is probably worth it for something like this.

Aimee said...

Okay this is CRAZY! I've been trying to get to Stat counter's website (any page) and it loads as a blank white page. I tried to follow the several different directions above #1 Host in Notebook I couldn't save, it wouldn't let me. I tried to change the TCP/IP and My General tab doesn't have the rest of the tabs and such to take me the rest of the way, and yes I did it right. (smile)

But that isn't what concerns me the most. I've read about all the problems going back to 2005, many issues and several people found answers here..... BUT TELL EM THIS.

WHY is my stat counter gone from my website. it's clearly on my SiteBuilder, but it doesn't show up anymore on the actual site. Like the whole company just disappeared from the face of the earth. Taking my counter at the bottom of my pages with them.

Are they still in business? Does anyone know anything about them as of this moment? AUGUST 12, 2008.

Please help me out with this. Thanks

www.KobiKobis-Island.com

நம்பி.பா. said...

well this is happening even today, I tried logging into Statcounter, but it shows up with a blank page! tried with different browsers, no luck!

anyone has any idea about this?

-Nambi.

Ed Gauthier said...

Ya, after its major crash a long while back, I noticed that Statcounter much later tried getting back on the service grid again, but still kept blinking on and off - mostly off.

(Can't say with any certainty if any of that was caused strictly by hackers or not.)

But I solved the whole problem months ago by simply switching my account (and my stat numbers) to EASYCOUNTER - which is also FREE.

Haven't had any site trouble since. I guess Easycounter must have much better "hacker-proof" technology in place than Statcounter ever did. Try it - you'll thank me in the morning!

நம்பி.பா. said...

Hi Ed,
Thanks for your followup on my question, I found that Kaspersky just blocks the pages from statcounter. I paused the Kaspersky activity and I didn't have any problem with the statcounter during that time. I believe Kaspersky could have some solutions for this.
Nambi B

Website Designer said...

Well I'm glad it's fixed, I've been a long time SC user.

mittens said...

I'm having a serious communication problem myself with Stat counter--it will not allow me into the forums (someone else is using that email, they tell me--well, duhhh), and when I try to delete the project properly I see 'error on the page' which is computer talk for "I don't THINK so".
Nor can I delete the html at blogger.

this is not good.

John Henderson said...

I have been without statcounter stats for quite a few months now and it has been frustrating. I can confirm that changing the DNS settings to automatic fixed the problem immediately. Thanks for the tip Anonymous.

Anonymous said...

But hackers can always change the ip address. It happened to me, I had a lot of tidserv activity so I scanned my computer and tracking cookies came up. I looked at details and found it came from user@statcounter.com, so I'm guessing that someone was hacked and given my ip address, so they went to statcounter and tracked the ip address down although it was the wrong one. I think you can also google ip addresses, so if no ip addresses come up on google it's probably fake as well