ironwalker | reply to eburger68
Re: News: Major Exploit Underway... Does someone have a Sygate dat file people can import to block most of these sites? Does IE-SPYAD block these?
TheJoker | Already posted in the thread. IE-SPYAD does indeed block all the sites listed in Eric's first post in this thread. To check to see if IE-SPYAD blocks a specific site, just open ie-ads.reg in Notepad, hit CTRL+F, and paste in the name of the site you want to check for. -- TheJoker
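TheJoker's Notepad search can be scripted. As an added example (not from this thread or from the IE-SPYAD project), the Python below parses a constructed fragment in the ZoneMap layout that ie-ads.reg uses and reports whether a URL would land in IE's Restricted Sites zone (zone 4), walking up parent domains the way the ZoneMap lookup does; the sample entries, including the example.net one, are constructed.

```python
import re
from urllib.parse import urlsplit

# Constructed sample in ie-ads.reg's ZoneMap format (not the real file): each key
# under ZoneMap\Domains names a domain, optionally with a subdomain subkey, and
# maps a URL scheme ("*" = any) to a zone number; zone 4 is Restricted Sites.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\sp2fucked.biz]
"*"=dword:00000004

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\example.net\ads]
"http"=dword:00000004
"""
RESTRICTED_ZONE = 4
KEY_RE = re.compile(r"^\[.*\\ZoneMap\\Domains\\([^\]]+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')

def parse_zonemap(text):
    """Return {hostname: {scheme: zone}} from a ZoneMap .reg export."""
    entries, host = {}, None
    for line in text.splitlines():
        line = line.strip()
        key = KEY_RE.match(line)
        if key:
            # Subkey path is domain\subdomain; reverse it to get the hostname.
            host = ".".join(reversed(key.group(1).split("\\"))).lower()
            entries[host] = {}
            continue
        value = VALUE_RE.match(line)
        if value and host is not None:
            entries[host][value.group(1).lower()] = int(value.group(2), 16)
    return entries

def zone_for(url, entries):
    """Zone IE would assign to url, or None if no entry covers it. As in the
    real lookup, the most specific host wins and a domain covers its subdomains."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host, scheme = parts.hostname.lower(), parts.scheme.lower()
    labels = host.split(".")
    for i in range(len(labels) - 1):          # never match on a bare TLD
        schemes = entries.get(".".join(labels[i:]))
        if schemes is None:
            continue
        zone = schemes.get(scheme, schemes.get("*"))
        if zone is not None:
            return zone
    return None

def is_blocked(url, entries):
    return zone_for(url, entries) == RESTRICTED_ZONE
```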
Formeister | reply to eburger68 I find this interesting and feel sorry for all non-geeks who put out good money to buy a computer and have it ruined because they lack the knowledge to combat these intrusions. That said, does anyone have any links to other sites that actually will do what the author has shown? On my computer, XP Pro, patched but w/o SP1 or SP2 and no active firewall besides Windows, I couldn't get on to any of those sites and I was wondering if it's just because I use the latest Hosts file from this forum and Opera instead of IE or if it's because I don't hit the right porn sites. Anyway, I'd like to try it in IE and see what happens (I'm a glutton for punishment). :D
Forgot to say to IM links rather than post. Tks
ironwalker | reply to eburger68 Thanx... missed it.
culverj | reply to Formeister Most/all of the domains originally identified as exploiting this vulnerability have been taken down. I think if you look around there are some sites that demonstrate the IFRAME buffer overflow vulnerability without actually hosing your system.
As for the great unwashed masses, I'm cleaning 4-5 PCs a month for friends and family. A friend who used to be in the PC OEM business (aka, Mom & Pop) now makes his living cleaning up Windows computers, and he's working six days a week, 12 hours a day. Better money than he ever made as a screwdriver shop.
The average user doesn't have Windows autoupdate turned on. They don't have AV software, or they do (only because it came from the OEM with a trial subscription) but they let the subscription lapse and don't even realize they are surfing naked. They have been conditioned by IE to believe that annoying popups are "normal." Their kids and spouses are using the computer for God knows what-- especially for AIM, where "autodownload files sent to me" is a default setting!
Back in the good old days, the threat to your computer was sneakerware-- stuff on floppies and CDs. Today, it's any website you visit, anyone on your "buddy" list, anyone who gets a mailer virus and has one of your email addresses in their address book, and whether there are unpatched OS or IE vulnerabilities already being used by malware.
As recently as two years ago, I didn't have any AV software. I used a software firewall when I had dial-up, and still use a router/fw with broadband. And I never had a virus infection on any of the five PCs here, all but one running Windows (my main WS has run Linux since 1998). I know today that most computers are hosed to one extent or another by malware--and I'm not even counting tracking cookies. If they are on the net without a firewall, OS patches, and antivirus, I would bet that anyone with broadband is hosed, and even most dialup users are hosed. With threats like the IFRAME exploit, even people with AV software, anti-spyware utilities, a firewall, and the system fully patched can get hosed just by visiting a website with banner ads.
reply to Formeister
said by Formeister: I couldn't get on to any of those sites and I was wondering if it's just because I use the latest Hosts file from this forum
From earlier posts in this thread, it appears that hpguru's/IE-SPYAD would stop you from getting on the sites, even if they were still active. -- Infected/Hijacked? FAQ ~ Protect/Secure Your Box/Data FAQ ~ Security Forum FAQs
MagMan | reply to eburger68 Nice info, thanks ;)
reply to BillBigus Hi BillBigus, well that is not good at all! Unfortunately, I do not know. The prevention I was addressing was on the surfing end, not the web server itself. Hopefully someone will come along that is able to address this, short of trying to simply turn off all 3rd party objects served to a site's users until this calms down - which actually might be the safest route, but which might entail lost revenue and contractual complications on a commercial site. -- Infected/Hijacked? FAQ ~ Protect/Secure Your Box/Data FAQ ~ Security Forum FAQs
SolarPup | reply to eburger68 Interesting whois output:
Request: sp2fucked.biz
whois server for *.biz is whois.neulevel.biz
... connected to whois.neulevel.biz [209.173.53.169:43]
...
Domain Name: SP2FUCKED.BIZ
Domain ID: D7921805-BIZ
Sponsoring Registrar: DIRECT INFORMATION PVT. LTD., (D. A. DIRECTI.COM)
Sponsoring Registrar IANA ID: 303
Domain Status: clientDeleteProhibited
Domain Status: clientTransferProhibited
Domain Status: clientUpdateProhibited
Registrant ID: DI_937571
Registrant Name: John Miller
Registrant Organization: Liber Inc
Registrant Address1: 135/2 Washington str
Registrant City: Limasson
Registrant Postal Code: 06432
Registrant Country: Cyprus
Registrant Country Code: CY
Registrant Phone Number: +944.8735673
Registrant Email: support@coolsearch.biz
Administrative Contact ID: DI_937571
Administrative Contact Name: John Miller
Administrative Contact Organization: Liber Inc
Administrative Contact Address1: 135/2 Washington str
Administrative Contact City: Limasson
Administrative Contact Postal Code: 06432
Administrative Contact Country: Cyprus
Administrative Contact Country Code: CY
Administrative Contact Phone Number: +944.8735673
Administrative Contact Email: support@coolsearch.biz
Billing Contact ID: DI_937571
Billing Contact Name: John Miller
Billing Contact Organization: Liber Inc
Billing Contact Address1: 135/2 Washington str
Billing Contact City: Limasson
Billing Contact Postal Code: 06432
Billing Contact Country: Cyprus
Billing Contact Country Code: CY
Billing Contact Phone Number: +944.8735673
Billing Contact Email: support@coolsearch.biz
Technical Contact ID: DI_937571
Technical Contact Name: John Miller
Technical Contact Organization: Liber Inc
Technical Contact Address1: 135/2 Washington str
Technical Contact City: Limasson
Technical Contact Postal Code: 06432
Technical Contact Country: Cyprus
Technical Contact Country Code: CY
Technical Contact Phone Number: +944.8735673
Technical Contact Email: support@coolsearch.biz
Name Server: NS1.SP2FUCKED.BIZ
Name Server: NS2.SP2FUCKED.BIZ
Created by Registrar: DIRECT INFORMATION PVT. LTD., (D. A. DIRECTI.COM)
Last Updated by Registrar: DIRECT INFORMATION PVT. LTD., (D. A. DIRECTI.COM)
Domain Registration Date: Sat Oct 09 17:54:48 GMT 2004
Domain Expiration Date: Sat Oct 08 23:59:59 GMT 2005
Domain Last Updated Date: Tue Nov 16 23:03:13 GMT 2004
>>>> Whois database was last updated on: Sun Nov 21 23:24:33 GMT 2004
Here's what Symantec speaks of it:
Scan type: Realtime Protection Scan
Event: Virus Found!
Virus name: MHTMLRedir.Exploit
File: C:\Documents and Settings\userid.DOMAIN\Local Settings\Temporary Internet Files\Content.IE5\VR1NRTW4\adv65[1].htm
Location: Quarantine
Computer: PEGASUS
User: casey
Action taken: Clean failed : Quarantine succeeded : Access denied
Date found: Sun Nov 21 16:21:54 2004
reply to eburger68
Bofra exploit hits The Register (21st November 2004)
Important notice: Early on Saturday morning some banner advertising served for The Register by third party ad serving company Falk AG became infected with the Bofra/IFrame exploit. The Register suspended ad serving by this company on discovery of the problem.
If you may have visited The Register between 6am and 12.30pm GMT on Saturday, Nov 20 using any Windows platform bar XP SP2, we strongly advise you to check your machine with up-to-date anti-virus software.
http://www.theregister.co.uk/2004/11/21/register_adserver_attack/
Doctor Four | reply to Mei Guo Ren
Re: News: Major Exploit Underway... It is getting worse out there, and has gotten so since the first RPC worms started coming out. Now an unpatched system can get infected in less than a minute after being connected to the Internet.
As for the Reg's adserver being infected by Bofra, I was on their site yesterday during the time frame they mentioned, but since Falk-AG's URLs are all in my hosts file, the site was prevented from fetching the infected code. And I was running Mozilla anyway.
But I think I'll be very careful about what sites I visit from my workstation, which, while protected, may not offer the same degree as Mozilla (it uses IE with no popup blocker). -- "Kayura or Badamon, whichever you are, you should know that I will never give up this battle. By the will of the Ancient, I shall succeed!" - Shuten (Anubis) from the Ronin Warriors.
TeMerc | reply to eburger68 Well, it seems CNET picked up the article from the Register: »news.com.com/2001-9373_3-0.html?···efd.xtra
Maybe now it will get even more ink.
Bump :D -- Remember............You can NEVER be OVERPROTECTED!!
Dammit! Now I find this thread. I am still completely Windows 2000 patched and I ended up getting infected. The only day this week I used IE I got infected. (I always use Firefox.)
»IDS CPU/Memory usage
That will teach me not to ever run IE again or forget to update my BlackICE signatures.
Internet Explorer has simply become a browser that has more holes than a cheese grater. My freakin' mother, who does nothing more than browse the internet and read her email (doesn't download anything), has become infected by 4 different spyware programs using exploits from IE. This is EVEN with the latest patches from Microsoft.
The real failure here is Microsoft; they have let everyone down with the lack of security in their Internet Explorer program. Maybe it is high time they get off their asses and sandbox Internet Explorer from the Windows interface. I knew eventually the integration of IE would be a HUGE mistake.
I am sick of the argument from Internet Explorer fans that it can BE secure. Why would I waste my time trying to configure Internet Explorer to be "secure" through trial and error, when I can switch to a healthy alternative like K-Meleon, Mozilla, Firefox, Opera, etc. that are secure out of the box?
The other argument: Internet Explorer is FASTER! Sure it might be slightly faster, but the time wasted clearing the scumware off your machine through the holes in it is much more time consuming/difficult than waiting 1 or 2 seconds longer for a page to load. Since when does SPEED rule over SECURITY? Come on now.
These are exploits that Microsoft seems to have refused to fix, because a lot of these exploits have been around for a while now. It seems to me that Microsoft takes longer and longer to release patches for Internet Explorer when they should be putting them out much quicker. -- - paranoidxe (textsource.org)
suzi | reply to SolarPup To find out where the domain is hosted and the pages are being served, the nameserver info is needed.
Name: ns1.sp2fucked.biz Address: 69.50.168.146
Name: ns2.sp2fucked.biz Address: 69.50.168.147
The IP lookup for those nameservers shows they are hosted by this company:
OrgName: Atrivo
OrgID: ATRIV
Address: 200 Paul Avenue
City: San Francisco
StateProv: CA
PostalCode: 94124
Country: US

NetRange: 69.50.160.0 - 69.50.191.255
CIDR: 69.50.160.0/19
NetName: ATRIVOTECHNOLOGIES
NetHandle: NET-69-50-160-0-1
Parent: NET-69-0-0-0-0
NetType: Direct Allocation
NameServer: MAIL.ATRIVO.COM
NameServer: PAVEL.ATRIVO.COM
Comment:
Comment: ## Comments listed here will appear in ARIN's WHOIS database.
RegDate: 2003-06-04
Updated: 2003-08-21

NOCHandle: EKA4-ARIN
NOCName: Kacperski, Emil
NOCPhone: +1-925-550-3947
NOCEmail: abuse@atrivo.com

OrgAbuseHandle: ABUSE658-ARIN
OrgAbuseName: Abuse Department
OrgAbusePhone: +1-925-550-3947
OrgAbuseEmail: abuse@atrivo.com

OrgNOCHandle: NETWO601-ARIN
OrgNOCName: Network Operations
OrgNOCPhone: +1-925-550-3947
OrgNOCEmail: noc@atrivo.com

OrgTechHandle: EKA4-ARIN
OrgTechName: Kacperski, Emil
OrgTechPhone: +1-925-550-3947
OrgTechEmail: abuse@atrivo.com
A Google search for Atrivo and Atrivotechnologies does *not* put the company in a good light:
»www.google.com/search?sourceid=n···q=Atrivo
»www.google.com/search?sourceid=n···nologies
Atrivotechnologies is listed on a number of spam block lists, among other things.
The owner, Emil Kacperski, is reportedly a 26-year-old in California. He posts at »webhostingtalk.com/ forums using the name "goose". (The forum seems to be down at the moment.) From what I read there, he and Atrivo are well regarded on that forum, but Google search results for the name Emil Kacperski paint a different picture of him, and it's not pretty.
»www.google.com/search?sourceid=n···erski%22
Emails to the abuse department at Atrivo might be in order.
(edited to correct grammar) -- aka Suzi, Spyware Warrior
ctrip | reply to eburger68 Could someone answer a simple question for me? Is this being caused by unscrupulous companies intentionally serving these exploits from their webservers to the unwary visitors?
Or is it unscrupulous individuals that are infecting blameless companies who happen to be running Apache webservers? -- I actually voted for John Kerry... before I voted against him.
SolarPup | reply to suzi Whoa... he's the guy that hosts my colocate... wham bang!
Bubba | reply to ctrip
said by ctrip: Could someone answer a simple question for me? Is this being caused by unscrupulous companies intentionally serving these exploits from their webservers to the unwary visitors?
If I'm understanding your question as it relates to the beginning of this thread.... I believe the answer is in Eric's first post?
said by eburger68: It appears that a group of hackers (perhaps even a criminal gang) is hacking web servers all over the Net and installing root kits that dynamically inject code into the pages served from the compromised web servers. The injected code effectively serves as a "front door" to a number of different pages at these domains:
reply to ctrip > Is this being caused by unscrupulous companies intentionally serving these exploits [...] Or is it unscrupulous individuals that are infecting blameless companies
In the case of the sp2f*cked/sp2admin/etc. exploits, seems to be "both". Some 'affiliates' are putting the exploits on their own dodgy properties, whilst some are apparently r00ting other webservers to inject the iframes.
culverj:
> Most/all of the domains originally identified as exploiting this vulnerability have been taken down.
Absolutely not. Some of the most widely-publicised URLs have been removed, and a bogus 'deactivated' message put up on the main sp2f*cked root page, but most of the other URLs we've seen used by these exploits are still very much active.
Similar sites (CWS havens) have been known for months and have not been taken down. We are dealing with rogue ISPs here.
reply to eburger68 Hi All:
An article appeared in The Register today about this exploit:
http://www.theregister.co.uk/2004/11/22/apache_hijack_serves_iframe_exploit/
Best,
Eric L. Howes