
justin
Australian
join:1999-05-28
Brooklyn, NY

Does anyone know anything about this advert?

from a non registered user, complaint sent by email..


I clicked on the banner ad and my PC is completely unusable now. Trojans, viruses, etc. My Symantec Corp 10 and Spybot lit up like fireworks were going off. What's the story here? Can you help? I just fucked my work PC. How can this happen on a trusted site like dslreports? What now?


I don't recognize that advert but maybe someone here knows where it goes to so I can tell this person whether it is really malware or not..


Its a Secret
I don't leave home without it
Premium
join:2008-02-23
Don't ask
I've sent a request to have this looked at by the mods. Hopefully, we'll know something soon...
--
A triple espresso, please...


nil
Java Geek
join:2000-11-27

reply to justin
I just got a similar one..

Yah, same one leads here:

Can anyone confirm any issue? I'm on a mac..
--
Life is too short to be boring


n1zuk
sweating with the oldies
Premium
join:2001-10-24
South Burlington, VT
reply to justin
I saw it earlier, when I was at work. I (thankfully) didn't click on it.

It did seem out of the normal to me...
--
New to Forum Life? Click here and learn.


nwrickert
sand groper
Premium,MVM
join:2004-09-04
Geneva, IL
·AT&T Midwest

reply to justin
The main link redirects to http://www.eskimo.com/dsl/?gclid=CMbU0pK03pICFQhusgodDghp-w and there is a suspicious iframe near the end of that page.

iframe content is http://cdpuvbhfzz.com/dl/adv598.php and that contains obfuscated javascript.
--
AT&T dsl; Westell 327w modem/router; SuSE 10.1; firefox 2.0.0.13
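
The kind of check described in the post above, as an added example that is not part of the original thread: parse a landing page and report every iframe whose source is on a host other than the page's own, noting whether it is sized or styled to be invisible. The hostnames are reserved example names, the sample HTML is constructed, and the allow-list parameter is a hypothetical convenience.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed sample page: one same-site frame, one known partner, one injected frame.
SAMPLE = """<html><body>
<h1>DSL plans</h1>
<iframe src="/promo/banner.html" width="468" height="60"></iframe>
<iframe src="https://video.partner.example/embed/1" width="560" height="315"></iframe>
<p>Contact us</p>
<iframe src="http://injected.example/dl/adv.php" width="1" height="1" style="visibility: hidden"></iframe>
</body></html>"""

class IframeAudit(HTMLParser):
    """Record iframes that load from a host other than the page or an allowed one."""
    def __init__(self, page_url, allowed_hosts):
        super().__init__()
        self.page_url = page_url
        self.page_host = urlparse(page_url).hostname
        self.allowed = set(allowed_hosts)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {k: (v or "").strip() for k, v in attrs}
        src = urljoin(self.page_url, a.get("src", ""))  # resolves relative and // URLs
        host = urlparse(src).hostname
        # Same-site, allow-listed and host-less (about:, javascript:) sources are skipped.
        if host in (None, self.page_host) or host in self.allowed:
            return
        style = a.get("style", "").replace(" ", "").lower()
        hidden = any((
            a.get("width") in ("0", "1"),
            a.get("height") in ("0", "1"),
            "display:none" in style,
            "visibility:hidden" in style,
        ))
        self.findings.append({"host": host, "src": src, "hidden": hidden, "line": self.getpos()[0]})

def audit(page_url, html, allowed_hosts=()):
    """Return off-site iframe findings for one fetched page, in document order."""
    parser = IframeAudit(page_url, allowed_hosts)
    parser.feed(html)
    return parser.findings

if __name__ == "__main__":
    for finding in audit("http://www.isp.example/dsl/", SAMPLE, {"video.partner.example"}):
        print(finding)
```

A static scan like this only sees frames present in the delivered HTML; frames written into the page by script at load time need a rendered-DOM check instead.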


skj
Welcome to the far side of reality
Premium,Mod
join:2002-04-04
Atlanta, GA

There is a thread at CastleCops regarding: cdpuvbhfzz.com

http://www.castlecops.com/p1079008-iframe_loading_hxxp_cdpuvbhfzz_com_dl_adv598_php.html
--


The foundations of character are built not by lecture, but by bricks of good example, laid day by day.


nwrickert
sand groper
Premium,MVM
join:2004-09-04
Geneva, IL
Thanks for that CastleCops reference. Quite interesting.


skj
Welcome to the far side of reality
Premium,Mod
join:2002-04-04
Atlanta, GA

Yes, it is. That thread was also posted today, so it looks like this nasty may have recently started circulating around the net.
--


The foundations of character are built not by lecture, but by bricks of good example, laid day by day.


nil
Java Geek
join:2000-11-27

Domain created 3/31/08.. so looks recent.

Domain name: cdpuvbhfzz.com
er, removed domain info.. see this:

»www.chiriquichatter.net/blog/2008/04/12/an
--
Life is too short to be boring


Doctor Four
My other vehicle is a TARDIS
Premium
join:2000-09-05
Dallas, TX
·AT&T U-Verse
·RoadRunner Cable
·AT&T Yahoo


reply to justin
Linkscanner doesn't like that ad's URL:
»linkscanner.explabs.com/linkscan···odJlsH-g

Nor does it like the one in the iframe, which it says is
on a disreputable hosting provider, known to host malicious
code.

It calls the former an orphaned lure site.

The iframe one's WHOIS data:


--
"The trouble with computers, of course, is that they are very sophisticated idiots." - Doctor Who (from Robot)


nil
Java Geek
join:2000-11-27
Based on a brief Google search, it appears to be an exploit script targeting WordPress, vBulletin, Coppermine, etc. PHP exploit, maybe?
--
Life is too short to be boring


justin
Australian
join:1999-05-28
Brooklyn, NY
reply to nil
If you can make the ad appear again, can you click the "ads by google" link at the right and drill down, open up and keep drilling until you get the part where you can report a bad ad to adsense?


nwrickert
sand groper
Premium,MVM
join:2004-09-04
Geneva, IL
I can reproduce the original url (to googlesyndication) if that's any help


justin
Australian
join:1999-05-28
Brooklyn, NY

I've blocked eskimo.com and also emailed our adsense rep with a complaint. Unfortunately I really don't see how this can be avoided in future. I doubt any ad network is smart enough to vet and clean the click stream from any ad, and if they did when the ad was lodged what is to stop the landing page getting modified later?


cabana
now in strawberry
Assistant
join:2000-07-07
New York, NY

reply to nwrickert
I recreated similar ads with the coloring and "feel" -- but I am not sure if they are related -- properties showed:

pagead2.googlesyndication.com/pagead/imgad?id=CJ_1t5_n5bHiowEQ2AUYTzIIQhaO6-aqw3E

pagead2.googlesyndication.com/pagead/imgad?id=CPvFnZC4uc-M0AEQ2AUYTzIIxm5IBBA487w

pagead2.googlesyndication.com/pagead/imgad?id=CPvFnZC4uc-M0AEQ2AUYTzIIxm5IBBA487w

The thing I noticed on the screenshot that was strange - was to the right the "served by google" was missing (usually shows next to our banners on the homepage)-- could be that it was there and just not caught on the screen shot.


nwrickert
sand groper
Premium,MVM
join:2004-09-04
Geneva, IL
reply to justin
Yes, I agree there is not a lot you can do to prevent this.


nil
Java Geek
join:2000-11-27
Based on a google search, eskimo.com was exploited, not doing this on purpose.
--
Life is too short to be boring


nwrickert
sand groper
Premium,MVM
join:2004-09-04
Geneva, IL
I assumed that.

Unfortunately, other sites will be similarly exploited.


nil
Java Geek
join:2000-11-27

It's definitely a php-based exploit, but not targeting all open source php apps (that I can tell so far), so probably looking for some specific code problem. An analysis of the source and libraries used by the known targets would probably narrow it down..
--
Life is too short to be boring


Its a Secret
I don't leave home without it
Premium
join:2008-02-23
Don't ask
reply to justin
ZA has ad block which I've used without regret. This is only one more reason...
--
A triple espresso, please...