Topic 'Is sp2fucked shut down or not?' in forum 'Security' - dslreports.com http://www.dslreports.com/forum/Is-sp2fucked-shut-down-or-not-11904374 en Tue, 18 Jun 2013 20:46:50 EDT Tue, 18 Jun 2013 20:46:50 EDT Re: News: Major Exploit Underway... http://www.dslreports.com/forum/Re-News-Major-Exploit-Underway-11945083 »regfreeze.freeserverhost.com/ ;)]]> http://www.dslreports.com/forum/Re-News-Major-Exploit-Underway-11945083 Wed, 24 Nov 2004 04:43:50 EDT Re: News: Major Exploit Underway... http://www.dslreports.com/forum/Re-News-Major-Exploit-Underway-11935925 »news.com.com/Attackers+strike+us···l?tag=nl
--
Remember............You can NEVER be OVERPROTECTED!!]]> http://www.dslreports.com/forum/Re-News-Major-Exploit-Underway-11935925 Tue, 23 Nov 2004 02:52:53 EDT Re: News: Major Exploit Underway... http://www.dslreports.com/forum/Re-News-Major-Exploit-Underway-11934071 said by TerryMiller:

As long as the user doesn't have permission to install applications. Terry, thanks for the answer, that is what I thought.

BTW, I made the jump to installing a HOSTS file. Thanks for your helpful answers!]]> http://www.dslreports.com/forum/Re-News-Major-Exploit-Underway-11934071 Mon, 22 Nov 2004 22:21:33 EDT Re: News: Major Exploit Underway... http://www.dslreports.com/forum/Re-News-Major-Exploit-Underway-11933835 said by Indy Sabre:

Would surfing in IE on a limited user account in W2000 likely prevent damage from these exploits?
As long as the user doesn't have permission to install applications.
--
My family site]]> http://www.dslreports.com/forum/Re-News-Major-Exploit-Underway-11933835 Mon, 22 Nov 2004 22:00:57 EDT Re: News: Major Exploit Underway... http://www.dslreports.com/forum/Re-News-Major-Exploit-Underway-11933165 http://www.dslreports.com/forum/Re-News-Major-Exploit-Underway-11933165 Mon, 22 Nov 2004 20:59:10 EDT Re: News: Major Exploit Underway... http://www.dslreports.com/forum/Re-News-Major-Exploit-Underway-11933004
problem is, of course, that only the most recent requests are cached. so if the offsite service goes down or is otherwise unreachable, the protection isn't there anymore. and i don't think most of the offsite services would allow their entire list to be locally cached..

and i don't know how these offsite services deal with any kind of litgation over whether or not a site is labeled correctly.

i suppose it would be interesting if a hardware manufacturer sold a product that had some general ability to upload what is in effect a hosts file. general enough so that they couldn't get sued over someones site getting put into one of the various lists and uploaded to the router. and upgradeable memory. that would be enough, but the next step would be to have various sets of lists that could be applied to subnets in various combinations.

the more i think about it though, most of the appliances that have even the beginning of the right kinds of resources already cost as much as the cheapest dell, which has more than enough umph to do all the above AND much more.

still, i'd buy an appliance that did everything above for $300 or less. appliance = something without moving parts (no fan or hard drive).]]> http://www.dslreports.com/forum/Re-News-Major-Exploit-Underway-11933004 Mon, 22 Nov 2004 20:44:22 EDT Re: News: Major Exploit Underway... http://www.dslreports.com/forum/Re-News-Major-Exploit-Underway-11932168
Nothing smart, nothing elegant,no smart rules, pure brute force. Simpler than messing around with hosts files (which BTW doesn't work well with Win2K where a big hosts file just seems to kill performance). And yes, I know, woe to whoever is accidentally listed--this is why it has to be updating continuously. It should also update continuously so that phishing sites can be listed as soon as they are detected, not days or weeks after they've been taken down.

I bet by now there are hundreds of thousands of people and small companies who would gladly pay $50-$100 for such a gadget, along with a $1/month subscription to the update service. Hint hint.]]> http://www.dslreports.com/forum/Re-News-Major-Exploit-Underway-11932168 Mon, 22 Nov 2004 19:32:28 EDT Re: News: Major Exploit Underway... http://www.dslreports.com/forum/Re-News-Major-Exploit-Underway-11931482
An article in appeared in The Register today about this exploit:

http://www.theregister.co.uk/2004/11/22/apache_hijack_serves_iframe_exploit/

Best,

Eric L. Howes]]> http://www.dslreports.com/forum/Re-News-Major-Exploit-Underway-11931482 Mon, 22 Nov 2004 18:27:16 EDT Re: News: Major Exploit Underway... http://www.dslreports.com/forum/Re-News-Major-Exploit-Underway-11929176 Is this being caused by unscrupulous companies intentionaly serving these exploits [...] Or is it unscrupulous individuals that are infecting blameless companies

In the case of the sp2f*cked/sp2admin/etc. exploits, seems to be "both". Some 'affiliates' are putting the exploits on their own dodgy properties, whilst some are apparently r00ting other webservers to inject the iframes.

culverj:

> Most/all of the domains originally identified as exploiting this vulnerability have been taken down.

Absolutely not. Some of the most widely-publicised URLs have been removed, and a bogus 'deactivated' message put up on the main sp2f*cked root page, but most of the other URLs we've seen used by these exploits are still very much active.

Similar sites (CWS havens) have been known for months and have not been taken down. We are dealing with rogue ISPs here.]]> http://www.dslreports.com/forum/Re-News-Major-Exploit-Underway-11929176 Mon, 22 Nov 2004 14:24:19 EDT Re: News: Major Exploit Underway... http://www.dslreports.com/forum/Re-News-Major-Exploit-Underway-11929101 said by ctrip:


Could someone answer a simple question for me? Is this being caused by unscrupulous companies intentionaly serving these exploits from their webservers to the unwary visitors?If I'm understanding your question as it relates to the beginning of this thread....I believe the answer is in Eric's first post ?

said by eburger68 See Profile
It appears that a group of hackers (perhaps even a criminal gang) is hacking web servers all over the Net and installing root kits that dynamically inject code into the pages served from the compromised web servers. The injected code effectively serves as a "front door" to a number of different pages at these domains:
]]> http://www.dslreports.com/forum/Re-News-Major-Exploit-Underway-11929101 Mon, 22 Nov 2004 14:13:39 EDT Re: News: Major Exploit Underway... http://www.dslreports.com/forum/Re-News-Major-Exploit-Underway-11929011 http://www.dslreports.com/forum/Re-News-Major-Exploit-Underway-11929011 Mon, 22 Nov 2004 14:01:18 EDT Re: News: Major Exploit Underway... http://www.dslreports.com/forum/Re-News-Major-Exploit-Underway-11928897
Or is it unscrupulous individuals that are infecting blameless companies who happen to be running Apache webservers?
--
I actually voted for John Kerry...

before I voted against him.]]> http://www.dslreports.com/forum/Re-News-Major-Exploit-Underway-11928897 Mon, 22 Nov 2004 13:45:16 EDT Re: News: Major Exploit Underway... http://www.dslreports.com/forum/Re-News-Major-Exploit-Underway-11928806
Name: ns1.sp2fucked.biz
Address: 69.50.168.146

Name: ns2.sp2fucked.biz
Address: 69.50.168.147

The IP lookup for those nameservers shows they are hosted by this company:

OrgName: Atrivo
OrgID: ATRIV
Address: 200 Paul Avenue
City: San Francisco
StateProv: CA
PostalCode: 94124
Country: US

NetRange: 69.50.160.0 - 69.50.191.255
CIDR: 69.50.160.0/19
NetName: ATRIVOTECHNOLOGIES
NetHandle: NET-69-50-160-0-1
Parent: NET-69-0-0-0-0
NetType: Direct Allocation
NameServer: MAIL.ATRIVO.COM
NameServer: PAVEL.ATRIVO.COM
Comment:
Comment: ## Comments listed here will appear in ARIN's WHOIS database.
RegDate: 2003-06-04
Updated: 2003-08-21

NOCHandle: EKA4-ARIN
NOCName: Kacperski, Emil
NOCPhone: +1-925-550-3947
NOCEmail: abuse@atrivo.com

OrgAbuseHandle: ABUSE658-ARIN
OrgAbuseName: Abuse Department
OrgAbusePhone: +1-925-550-3947
OrgAbuseEmail: abuse@atrivo.com

OrgNOCHandle: NETWO601-ARIN
OrgNOCName: Network Operations
OrgNOCPhone: +1-925-550-3947
OrgNOCEmail: noc@atrivo.com

OrgTechHandle: EKA4-ARIN
OrgTechName: Kacperski, Emil
OrgTechPhone: +1-925-550-3947
OrgTechEmail: abuse@atrivo.com

A Google search for Atrivo and Atrivotechnologies does *not* put the company in a good light:

»www.google.com/search?sourceid=n···q=Atrivo

»www.google.com/search?sourceid=n···nologies

Atrivotechnologies is listed on a number of spam block lists, among other things.

The owner, Emil Kacperski, is reportedly a 26 year old in California. He posts at »webhostingtalk.com/ forums using the name "goose". (The forum seems to be down at the moment). From what I read there, he and Atrivo are well regarded on that forum, but Google search results for the name Emil Kacperski paint a different picture of him and it's not pretty.

»www.google.com/search?sourceid=n···erski%22

Emails to the abuse department at Atrivo might be in order.

(edited to correct grammar)
--
aka Suzi, Spyware Warrior]]> http://www.dslreports.com/forum/Re-News-Major-Exploit-Underway-11928806 Mon, 22 Nov 2004 13:35:08 EDT Re: News: Major Exploit Underway... http://www.dslreports.com/forum/Re-News-Major-Exploit-Underway-11928799
The real failure here is Microsoft, they have let everyone down with lack of security in their internet explorer program. Maybe it is high time they get off their asses and sandbox internet explorer from the windows interface, I knew eventually the intergation of IE would be a HUGE mistake.

I am sick of the argument for internet explorer fans, it can BE secure. Why would I waste my time trying to configure internet explorer to be "secure" through trial and error, when I can switch to a healthy alternative like Kmeleon, Mozilla, Firefox, Opera, etc. that are secure out of the box.

The other argument, Internet Explorer is FASTER! Sure it might be slightly faster, but the time wasted clearing the scumware off your machine through the holes in it is much more time consuming/difficult than waiting 1 or 2 seconds longer for a page to load. Since when does SPEED rule over SECURITY? come on now.

These are exploits that Microsoft seems to have refused to fix, because a lot of these exploits have been around for awhile now. It seems like to me that microsoft takes longer and longer to release patches for internet explorer when they should be putting them out much quicker.
--
- paranoidxe (textsource.org)]]> http://www.dslreports.com/forum/Re-News-Major-Exploit-Underway-11928799 Mon, 22 Nov 2004 13:34:07 EDT Re: News: Major Exploit Underway... http://www.dslreports.com/forum/Re-News-Major-Exploit-Underway-11928387
»IDS CPU/Memory usage

That will teach me not to ever run IE again or forget to update my Blackice signatures. ]]> http://www.dslreports.com/forum/Re-News-Major-Exploit-Underway-11928387 Mon, 22 Nov 2004 12:40:36 EDT Re: News: Major Exploit Underway... http://www.dslreports.com/forum/Re-News-Major-Exploit-Underway-11928298 »news.com.com/2001-9373_3-0.html?···efd.xtra

Maybe now it will get even more ink.

Bump:D
--
Remember............You can NEVER be OVERPROTECTED!!]]> http://www.dslreports.com/forum/Re-News-Major-Exploit-Underway-11928298 Mon, 22 Nov 2004 12:29:46 EDT Re: News: Major Exploit Underway... http://www.dslreports.com/forum/Re-News-Major-Exploit-Underway-11923278 first RPC worms started coming out. Now an unpatched system
can get infected in less than a minute after being connected
to the Internet.

As for the Reg's adserver being infected by Bofra, I was
on their site yesterday during the time frame they mentioned,
but since Falk-AG's URLs are all in my hosts file, the site
was prevented from fetching the infected code. And I was
running Mozilla anyway.

But I think I'll be very careful about what sites I visit
from my workstation, which while protected, may not offer
the same degree as Mozilla (it uses IE w/no popup blocker.)
--
"Kayura or Badamon, whichever you are, you should know that I will never give up this battle. By the will of the Ancient, I shall succeed!" - Shuten (Anubis) from the Ronin Warriors.]]> http://www.dslreports.com/forum/Re-News-Major-Exploit-Underway-11923278 Sun, 21 Nov 2004 19:56:01 EDT Bofra exploit hits The Register http://www.dslreports.com/forum/Bofra-exploit-hits-The-Register-11923127 Important notice Early on Saturday morning some banner advertising served for The Register by third party ad serving company Falk AG became infected with the Bofra/IFrame exploit. The Register suspended ad serving by this company on discovery of the problem.

If you may have visited The Register between 6am and 12.30pm GMT on Saturday, Nov 20 using any Windows platform bar XP SP2 we strongly advise you to check your machine with up to date anti-virus software

http://www.theregister.co.uk/2004/11/21/register_adserver_attack/]]> http://www.dslreports.com/forum/Bofra-exploit-hits-The-Register-11923127 Sun, 21 Nov 2004 19:37:46 EDT Re: News: Major Exploit Underway... http://www.dslreports.com/forum/Re-News-Major-Exploit-Underway-11922530
Request: sp2fucked.biz
whois server for *.biz is whois.neulevel.biz ...
connected to whois.neulevel.biz [209.173.53.169:43] ...
Domain Name: SP2FUCKED.BIZ
Domain ID: D7921805-BIZ
Sponsoring Registrar: DIRECT INFORMATION PVT. LTD., (D.
A. DIRECTI.COM)
Sponsoring Registrar IANA ID: 303
Domain Status: clientDeleteProhibited
Domain Status: clientTransferProhibited
Domain Status: clientUpdateProhibited
Registrant ID: DI_937571
Registrant Name: John Miller
Registrant Organization: Liber Inc
Registrant Address1: 135/2 Washington str
Registrant City: Limasson
Registrant Postal Code: 06432
Registrant Country: Cyprus
Registrant Country Code: CY
Registrant Phone Number: +944.8735673
Registrant Email: support@coolsearch.biz
Administrative Contact ID: DI_937571
Administrative Contact Name: John Miller
Administrative Contact Organization: Liber Inc
Administrative Contact Address1: 135/2 Washington str
Administrative Contact City: Limasson
Administrative Contact Postal Code: 06432
Administrative Contact Country: Cyprus
Administrative Contact Country Code: CY
Administrative Contact Phone Number: +944.8735673
Administrative Contact Email: support@coolsearch.biz
Billing Contact ID: DI_937571
Billing Contact Name: John Miller
Billing Contact Organization: Liber Inc
Billing Contact Address1: 135/2 Washington str
Billing Contact City: Limasson
Billing Contact Postal Code: 06432
Billing Contact Country: Cyprus
Billing Contact Country Code: CY
Billing Contact Phone Number: +944.8735673
Billing Contact Email: support@coolsearch.biz
Technical Contact ID: DI_937571
Technical Contact Name: John Miller
Technical Contact Organization: Liber Inc
Technical Contact Address1: 135/2 Washington str
Technical Contact City: Limasson
Technical Contact Postal Code: 06432
Technical Contact Country: Cyprus
Technical Contact Country Code: CY
Technical Contact Phone Number: +944.8735673
Technical Contact Email: support@coolsearch.biz
Name Server: NS1.SP2FUCKED.BIZ
Name Server: NS2.SP2FUCKED.BIZ
Created by Registrar: DIRECT INFORMATION PVT. LTD., (D.
A. DIRECTI.COM)
Last Updated by Registrar: DIRECT INFORMATION PVT. LTD., (D.
A. DIRECTI.COM)
Domain Registration Date: Sat Oct 09 17:54:48 GMT 2004
Domain Expiration Date: Sat Oct 08 23:59:59 GMT 2005
Domain Last Updated Date: Tue Nov 16 23:03:13 GMT 2004

>>>> Whois database was last updated on: Sun Nov 21 23:24:33 GMT 2004

Here's what Symantec speaks of it:

Scan type: Realtime Protection Scan
Event: Virus Found!
Virus name: MHTMLRedir.Exploit
File: C:\Documents and Settings\userid.DOMAIN\Local Settings\Temporary Internet Files\Content.IE5\VR1NRTW4\adv65[1].htm
Location: Quarantine
Computer: PEGASUS
User: casey
Action taken: Clean failed : Quarantine succeeded : Access denied
Date found: Sun Nov 21 16:21:54 2004]]> http://www.dslreports.com/forum/Re-News-Major-Exploit-Underway-11922530 Sun, 21 Nov 2004 18:25:29 EDT Re: News: Major Exploit Underway... http://www.dslreports.com/forum/Re-News-Major-Exploit-Underway-11921860 See Profile, well that is not good at all! Unfortunately, I do not know. The prevention I was addressing was on the surfing end, not the web server itself. Hopefully someone will come along that is able to address this, short of trying to simply turn off all 3ed Party Objects served to a site's users until this calms down - which actually might be the safest route, but which might entail lost revenue and contractual complications on a commercial site.
--
**~~Infected/Hijacked? FAQ~~~Protect/Secure Your Box/Data FAQ~~~Security Forum FAQs~~**]]> http://www.dslreports.com/forum/Re-News-Major-Exploit-Underway-11921860 Sun, 21 Nov 2004 16:38:33 EDT Re: News: Major Exploit Underway... http://www.dslreports.com/forum/Re-News-Major-Exploit-Underway-11921788 http://www.dslreports.com/forum/Re-News-Major-Exploit-Underway-11921788 Sun, 21 Nov 2004 16:29:55 EDT Re: News: Major Exploit Underway... http://www.dslreports.com/forum/Re-News-Major-Exploit-Underway-11921742 said by Formeister:

I couldn't get on to any of those sites and I was wondering if it's just because I use the latest Hosts file from this forum From earlier posts in this thread, it appears that hpguru See Profile's/IE-SYPAD would stop you from getting on the sites, even if they were still active.
--
**~~Infected/Hijacked? FAQ~~~Protect/Secure Your Box/Data FAQ~~~Security Forum FAQs~~**]]> http://www.dslreports.com/forum/Re-News-Major-Exploit-Underway-11921742 Sun, 21 Nov 2004 16:23:13 EDT Re: News: Major Exploit Underway... http://www.dslreports.com/forum/Re-News-Major-Exploit-Underway-11921589
As for the great unwashed masses, I'm cleaning 4-5 PCs a month for friends and family. A friend who used to be in the PC OEM business (aka, Mom & Pop) now makes his living cleaning up Windows computers, and he's working six days a week, 12 hours a day. Better money than he ever made as a screwdriver shop.

The average user doesn't have Windows autoupdate turned on. They don't on AV software, or they do (only because it came from the OEM with a trial subscription) but they let the subscription lapse and don't even realize they are surfing naked. They have been conditioned by IE to believe that annoying popups are "normal." Their kids and spouses are using the computer for God knows what-- especially for AIM, where "autodownload files sent to me" is a default setting!

Back in the good old days, the threat to your computer was sneakerware-- stuff on floppies and CDs. Today, it's any website you visit, anyone on your "buddy" list, anyone who gets a mailer virus and has one of your email addresses in their address book, and whether there are unpatched OS or IE vulnerabilities already being used by malware.

As recently as two years ago, I didn't have any AV software. I used a software firewall when I had dial up, and still use a router/fw with broadband. And I never had a virus infection on any of the five PCs here, all but one running windows (my main WS has run Linux since 1998). I know today that most computers are hosed to one extent or another by malware--and I'm not even counting tracking cookies. If they are on the net, without a firewall, OS patches, and antivirus, I would bet that anyone with broadband is hosed, and even most dialup users are hosed. With threats like the IFRAMEs exploit, even people with AV software, anti-spyware utilities, a firewall, and the system fully patched can get hosed just by visiting a website with banner ads.]]> http://www.dslreports.com/forum/Re-News-Major-Exploit-Underway-11921589 Sun, 21 Nov 2004 16:06:09 EDT Re: News: Major Exploit Underway... http://www.dslreports.com/forum/Re-News-Major-Exploit-Underway-11921523 http://www.dslreports.com/forum/Re-News-Major-Exploit-Underway-11921523 Sun, 21 Nov 2004 15:57:04 EDT Re: News: Major Exploit Underway... http://www.dslreports.com/forum/Re-News-Major-Exploit-Underway-11921431
Forgot to say to IM links rather than post. Tks]]> http://www.dslreports.com/forum/Re-News-Major-Exploit-Underway-11921431 Sun, 21 Nov 2004 15:42:15 EDT Re: News: Major Exploit Underway... http://www.dslreports.com/forum/Re-News-Major-Exploit-Underway-11921057 said by ironwalker:

Does IESpyad block these?
Already posted in the thread. IE-SYPAD does indeed block all the sites listed in Eric's first post in this thread. To check to see if IE-SPYAD blocks a specific site, just open ie-ads.reg in Notepad, hit CTRL+F, and paste in the name of the site you want to check for.
--
TheJoker]]> http://www.dslreports.com/forum/Re-News-Major-Exploit-Underway-11921057 Sun, 21 Nov 2004 14:38:11 EDT Re: News: Major Exploit Underway... http://www.dslreports.com/forum/Re-News-Major-Exploit-Underway-11920674 Does IESpyad block these?]]> http://www.dslreports.com/forum/Re-News-Major-Exploit-Underway-11920674 Sun, 21 Nov 2004 13:40:56 EDT Re: News: Major Exploit Underway... http://www.dslreports.com/forum/Re-News-Major-Exploit-Underway-11920507 My server was done in the exact way that you describe.
However, the server management company insist that it was done by an individual in Texas, who just 'Happened" to guess my password...
First time !
Yeah right, I believe that (NOT)

so if I am correct, and my server people are lying to me and it had been hacked...
What would I be looking for to prove it, aside from the iframes injected into the pages themselves ? And also... What do i need to remove to stop it re-occurring ? Thanks]]> http://www.dslreports.com/forum/Re-News-Major-Exploit-Underway-11920507 Sun, 21 Nov 2004 13:17:09 EDT Re: News: Major Exploit Underway... http://www.dslreports.com/forum/Re-News-Major-Exploit-Underway-11919732 said by Joe Stewart:

I've written up some more detail of some of the banner-ad IFRAME exploiters:

http://www.lurhq.com/iframeads.html

One of the banner services being abused to infect users is oas-central.realmedia.com.Thanks Joe. This sure seems to me to be a real solid reason to BLOCK the calling and downloading of such 3ed Party Objects!
--
**~~Infected/Hijacked? FAQ~~~Protect/Secure Your Box/Data FAQ~~~Security Forum FAQs~~**]]> http://www.dslreports.com/forum/Re-News-Major-Exploit-Underway-11919732 Sun, 21 Nov 2004 11:11:03 EDT Re: News: Major Exploit Underway... http://www.dslreports.com/forum/Re-News-Major-Exploit-Underway-11919694
http://www.lurhq.com/iframeads.html

One of the banner services being abused to infect users is oas-central.realmedia.com.

-Joe]]> http://www.dslreports.com/forum/Re-News-Major-Exploit-Underway-11919694 Sun, 21 Nov 2004 11:04:05 EDT Re: News: Major Exploit Underway... http://www.dslreports.com/forum/Re-News-Major-Exploit-Underway-11919676 »crappy ads at majorgeeks.com]]> http://www.dslreports.com/forum/Re-News-Major-Exploit-Underway-11919676 Sun, 21 Nov 2004 10:59:40 EDT Re: News: Major Exploit Underway... http://www.dslreports.com/forum/Re-News-Major-Exploit-Underway-11919650 It can be uninstall as well for those who are worry about conflicts with the future official patch. It has worked flawlessly for myself so far to date.]]> http://www.dslreports.com/forum/Re-News-Major-Exploit-Underway-11919650 Sun, 21 Nov 2004 10:55:20 EDT Re: News: Major Exploit Underway... http://www.dslreports.com/forum/Re-News-Major-Exploit-Underway-11919587 See Profile, would you post just the filters applicable to this exploit (Reg-Ex is ok, if existent), since AdBlock (WebWasher...) users might want to Add them to their existing filter set? I have already added b00gle.info coolsearch.biz newiframe.biz pizdato.biz . While these folks may presently just be attempting to exploit an IE vulnerability, any known areas were they operate might should be avoided, even by FF users. Thanks!
--
**~~Infected/Hijacked? FAQ~~~Protect/Secure Your Box/Data FAQ~~~Security Forum FAQs~~**]]> http://www.dslreports.com/forum/Re-News-Major-Exploit-Underway-11919587 Sun, 21 Nov 2004 10:43:59 EDT Re: News: Major Exploit Underway... http://www.dslreports.com/forum/Re-News-Major-Exploit-Underway-11919076 http://www.dslreports.com/forum/Re-News-Major-Exploit-Underway-11919076 Sun, 21 Nov 2004 08:19:56 EDT Re: News: Major Exploit Underway... http://www.dslreports.com/forum/Re-News-Major-Exploit-Underway-11918625 http://www.dslreports.com/forum/Re-News-Major-Exploit-Underway-11918625 Sun, 21 Nov 2004 04:10:59 EDT Re: News: Major Exploit Underway... http://www.dslreports.com/forum/Re-News-Major-Exploit-Underway-11918597 quote:
Microsoft fully supports SP1 and will issue a patch for what ever exploit this is I'm sure. It sounds to me like you have to be rather naive to get this infection. You have to use IE (only the naive do that these days), and you have to do a bunch of suspicious clicks? That is what the naive do.


Well, I think most of us were naive at one time. Being naive or not has nothing to do with it. This is a dangerous exploit. In fact, there has been some speculation that it's a prelude to a major distributed denial of service attack. SANS is reporting on it.

quote:
Spy/Adware via Browser Vulnerabilities and Compromised Web Servers

Steve Friedl pointed us to the BroadbandReports discussion that documents a series of web server compromises that deliver spy/adware to victims that visit compromised sites. The victims are running a vulnerable browser. The information is still preliminary, but there are indications that the attackers are using an IFRAME vulnerability in Internet Explorer to deliver the payload. The web servers hosting the malicious code seem to be running Apache.

The BroadbandReports discussion of this incident:
http://www.broadbandreports.com/forum/remark,11904374

A post to the Full-Disclosure list that may be related to this incident, referencing IFRAME and Apache (this link was posted on the BroadbandReports forum):
http://www.gossamer-threads.com/lists/fulldisc/full-disclosure/27857

Information about the recent IFRAME vulnerability (no patch available at the moment; Windows XP SP2 systems not affected):
http://secunia.com/advisories/12959

We don't have much information regarding this attack pattern to determine its scope. We'd love to hear from you if you can share with us logs, malware samples, or observations relevant to this incident. If server compromises are wide-spread, this incident is reminiscent of attacks on Web servers that distributed the Download.Ject trojan in June.


And the updates on the IFRAME vulnerabilities:

quote:
Just to refresh everyone on the details. On October 24, a vulnerability was discovered in the IFRAME tags of Internet Explorer 6.0 affecting all Windows platforms except Windows XP SP2. This vulnerability can be exploited by going to a web-site that has malicious code. Currently, some high profile sites with banner ads are linking to servers that have the exploit and malicious code.


I traced the file which set off the exploit from one web page down through multiple nested IFRAMES embedded in web page on a forum.

It also notes that machines with XP SP 2 are NOT vulnerable. I've installed SP 2 on both my XP machines with no problems whatsoever.
--
aka Suzi, Spyware Warrior]]> http://www.dslreports.com/forum/Re-News-Major-Exploit-Underway-11918597 Sun, 21 Nov 2004 03:58:24 EDT Re: News: Major Exploit Underway... http://www.dslreports.com/forum/Re-News-Major-Exploit-Underway-11918511 said by Mele20:

you couldn't pay me to upgrade a Dell.Well of the computers I have personally upgraded to SP2, 10 of them have been Dells. I maintain that if you know what you're doing, the process will go well. You will not convince me that's untrue, because I have never done a bad SP2 install.
--
I do not trust Firefox. Spread anything besides that horrid piece of crap.]]> http://www.dslreports.com/forum/Re-News-Major-Exploit-Underway-11918511 Sun, 21 Nov 2004 03:24:07 EDT Re: News: Major Exploit Underway... http://www.dslreports.com/forum/Re-News-Major-Exploit-Underway-11918499 said by Jeremy341:

said by Mele20:

I am not at all convinced that I need to install SP2 with all its headaches.
If you haven't installed it, how can you know it will cause headaches? I have installed SP2 on many computers, and have never had a problem.
Have you been following Libra See Profile threads? We both have Dell Dimensions (I have the 8300 she has the 8400). After helping her for some time now, you couldn't pay me to upgrade a Dell. ;) Dell told her that upgrading her brand new 8400 Dimension to SP2 is what wrecked her computer. She has had a huge mess ever since. Dell took her back to SP1 and she has had problem after problem. Microsoft and Dell together can't even figure it all out.

Additionally, I have a scanner that cannot upgrade to SP2. It is using 98SE software on SP1a but that won't work on SP2.

Microsoft fully supports SP1 and will issue a patch for what ever exploit this is I'm sure. It sounds to me like you have to be rather naive to get this infection. You have to use IE (only the naive do that these days), and you have to do a bunch of suspicious clicks? That is what the naive do.

ctrip See Profile Of course XP Pro SP1 can be fully patched. I have all the patches and Microsoft supports SP1 for two more years and I will continue to get all patches. So don't say SP1 cannot be fully patched. That will be the case ONLY after Microsoft ceases supporting it. By that time I will either install SP2 (if I have not already done so) or have Longhorn. I have never said I will never install SP2. But I see no need to do so now and I would prefer to wait and install Longhorn instead (assuming Longhorn will be compatible with this hardware). If and when I decide SP2 is necessary then I will install it. I don't believe it is necessary at this time and this IE exploit doesn't convince me.
--
The first and foremost function of our jurors is to protect private citizens from a tyrannical and intrusive government...Jurors are the last line of defense for liberty. Thomas Jefferson 1789]]> http://www.dslreports.com/forum/Re-News-Major-Exploit-Underway-11918499 Sun, 21 Nov 2004 03:19:36 EDT Re: News: Major Exploit Underway... http://www.dslreports.com/forum/Re-News-Major-Exploit-Underway-11918467 http://www.dslreports.com/forum/Re-News-Major-Exploit-Underway-11918467 Sun, 21 Nov 2004 03:10:45 EDT Re: News: Major Exploit Underway... http://www.dslreports.com/forum/Re-News-Major-Exploit-Underway-11918385 http://www.dslreports.com/forum/Re-News-Major-Exploit-Underway-11918385 Sun, 21 Nov 2004 02:45:51 EDT Re: News: Major Exploit Underway... http://www.dslreports.com/forum/Re-News-Major-Exploit-Underway-11918167
These are filters included in my "Browser Security Pack".
I've uploaded v4.25 to my site and the Prox-List Y! Group.

»www.kye-u.com/proxo/forums/index···ntry3104
»www.kye-u.com/proxo/downloads.ph···cfgpacks
»groups.yahoo.com/group/prox-list···ge/20178]]> http://www.dslreports.com/forum/Re-News-Major-Exploit-Underway-11918167 Sun, 21 Nov 2004 01:56:57 EDT Re: News: Major Exploit Underway... http://www.dslreports.com/forum/Re-News-Major-Exploit-Underway-11917789
Whats worse is that when it attempts to download, it will first put its own little page telling you that you must download it in order to view the website.

I did it once, but luckily, I have ZoneAlarm and told it to block access to whatever attempts to access the internet. Also, I fought the download and deleted things that kept being downloaded. When that was all over, I ran adaware, and deleted whatever else there was to delete, and then searched the registry to delete any more things.

The only thing to do is tell Internet Explorer to NOT download items that are from the company "CLICK HERE TO CONTINUE" and IE will block it.]]> http://www.dslreports.com/forum/Re-News-Major-Exploit-Underway-11917789 Sun, 21 Nov 2004 00:35:36 EDT Re: News: Major Exploit Underway... http://www.dslreports.com/forum/Re-News-Major-Exploit-Underway-11916533 said by Mele20:

I haven't seen anyone say that SP1a (fully patched) with Proxo (latest JD5000 alpha extra/advanced filters) gets infected. So, I am not at all convinced that I need to install SP2 with all its headaches.
SP1a cannot be fully patched because a fully patched XP machine would be SP2. But I wish you good luck in your daring and determined experiment of never updating your XP machine to protect yourself from exploits and vulnerabilities as they are discovered.
--
I actually voted for John Kerry... before I voted against him.]]> http://www.dslreports.com/forum/Re-News-Major-Exploit-Underway-11916533 Sat, 20 Nov 2004 21:35:10 EDT Re: News: Major Exploit Underway... http://www.dslreports.com/forum/Re-News-Major-Exploit-Underway-11916459 said by Mele20:

I am not at all convinced that I need to install SP2 with all its headaches.If you haven't installed it, how can you know it will cause headaches? I have installed SP2 on many computers, and have never had a problem.
--
I do not trust Firefox. Spread anything besides that horrid piece of crap.]]> http://www.dslreports.com/forum/Re-News-Major-Exploit-Underway-11916459 Sat, 20 Nov 2004 21:24:27 EDT Re: video recording method http://www.dslreports.com/forum/Re-video-recording-method-11916449 said by Ben Edelman:

I use Windows Media Encoder, free from »www.microsoft.com/windowsmedia . It generally does a good job. Sometimes my test machine gets so badly infected that the encoder crashes, though. I doubt that MS ever tested the encoder under such conditions, or designed it to cope with such conditions.
thans much, it works really well, at least on a fastish computer.

also, consider this another vote for you to subscribe here..]]> http://www.dslreports.com/forum/Re-video-recording-method-11916449 Sat, 20 Nov 2004 21:23:23 EDT Re: News: Major Exploit Underway... http://www.dslreports.com/forum/Re-News-Major-Exploit-Underway-11916345 said by ironwalker:

quote:
toddbs98, the exploits I tested were not successful in harming a fully patched version of XP, at least not in my testing. My tests show an unpatched XP installation.



Now,hopefully, all those that didnt/wont/uninstalled sp2 will now seee why its a much needed resource.
Thanx Ben
I haven't seen anyone say that SP1a (fully patched) with Proxo (latest JD5000 alpha extra/advanced filters) gets infected. So, I am not at all convinced that I need to install SP2 with all its headaches. I very seldom use IE anyhow.
--
The first and foremost function of our jurors is to protect private citizens from a tyrannical and intrusive government...Jurors are the last line of defense for liberty. Thomas Jefferson 1789]]> http://www.dslreports.com/forum/Re-News-Major-Exploit-Underway-11916345 Sat, 20 Nov 2004 21:07:52 EDT Re: News: Major Exploit Underway... http://www.dslreports.com/forum/Re-News-Major-Exploit-Underway-11915971 quote:
Those pages use several security exploits to stealth install a variety of different software packages on users' PCs, all without any warning whatsoever. Several other domains are used in that installation/exploit process, including:

69.50.168.147
195.178.160.30
213.159.117.133
b00gle.info
coolsearch.biz
newiframe.biz
pizdato.biz


Thanks for all the info, Eric. All blocked at the firewall level now.

js
--
"As I was sayin' buster, this planet ain't big enough for the two of us so... OFF YA GO!"]]> http://www.dslreports.com/forum/Re-News-Major-Exploit-Underway-11915971 Sat, 20 Nov 2004 20:15:21 EDT Re: News: Major Exploit Underway... http://www.dslreports.com/forum/Re-News-Major-Exploit-Underway-11914885
We work on that assumption in work and on bleeding snort generally. There are still such a large number of apps that SP2 breaks we work to keep SP1 secure.

Although the new vulns in SP2 are getting it caught up with SP1 for open issues. :)

Thanks for pointing that out, I'll correct my post on the bleedingsnort site as well.

Matt]]> http://www.dslreports.com/forum/Re-News-Major-Exploit-Underway-11914885 Sat, 20 Nov 2004 17:35:10 EDT Re: Effect of patches; testing methods http://www.dslreports.com/forum/Re-Effect-of-patches-testing-methods-11914411 said by Ben Edelman:

Nerdtalker, yes, I was using a vmware test environment for the tests shown in the video. Vmware makes it much easier to run these kinds of tests.
Thanks!

So this un-patched XP installation was essentially SP1?

Thanks again Ben for elaborating on all this.
--
Touch a thistle timidly, and it pricks you; grasp it boldly, and its spines crumble. -William S. Halsey

I'm testing Gmail's spam filters, fill it up: Broadbandreports1@gmail.com
Spam to date: 548]]> http://www.dslreports.com/forum/Re-Effect-of-patches-testing-methods-11914411 Sat, 20 Nov 2004 16:32:05 EDT Re: News: Major Exploit Underway... http://www.dslreports.com/forum/Re-News-Major-Exploit-Underway-11913839 quote:
toddbs98, the exploits I tested were not successful in harming a fully patched version of XP, at least not in my testing. My tests show an unpatched XP installation.



Now,hopefully, all those that didnt/wont/uninstalled sp2 will now seee why its a much needed resource.
Thanx Ben
--
"LIVE FREE OR DIE" www.Theforumz.com ---- www.ownt.com-- Fiber Optics is the future of high-speed internet access. Stop by the BBR Fiber Optic]]> http://www.dslreports.com/forum/Re-News-Major-Exploit-Underway-11913839 Sat, 20 Nov 2004 15:19:05 EDT