 justinAustralian join:1999-05-28 New York, NY kudos:7 Host: IPv6 Business Connectiv.. Console/Handheld g.. Console Tech Home/Office setup ..
| Does anyone know anything about this advert? from a non registered user, complaint sent by email..
I clicked on the banner ad and my pc is completely unusable now. Trojans, viruses, etc. My Symantec Corp 10 and spybot lit up like fireworks were going off. What's the story here? Can you help? I just fucked my work PC. How can this happen on a trusted site like dslreports? What now?
I don't recognize that advert but maybe someone here knows where it goes to so I can tell this person whether it is really malware or not.. |
|
 Its a SecretPlease speak into the microphonePremium join:2008-02-23 Da wet coast kudos:3 | I've sent a request to have this looked at by the mods. Hopefully, we'll know something soon... -- A triple espresso, please... |
|
 nilJava Geek join:2000-11-27 kudos:1 Host: Webmasters and Dev.. Forum Feature Requ..
4 edits | reply to justin
I just got a similar one..
Yah, same one leads here:
http://www.eskimo.com/dsl/?gclid=CIi9u9613pICFQMelgodJlsH-g
Can anyone confirm any issue? I'm on a mac.. -- Life is too short to be boring |
|
 n1zukBreak out the checkbookPremium join:2001-10-24 Malta kudos:2 | reply to justin I saw it earlier, when I was at work. I (thankfully) didn't click on it.
It did seem out of the normal to me... -- New to Forum Life? Click here and learn. |
|
 nwrickertsand groperPremium,MVM join:2004-09-04 Geneva, IL kudos:7 Reviews:
·AT&T U-Verse
| reply to justin The main link redirects to http://www.eskimo.com/dsl/?gclid=CMbU0pK03pICFQhusgodDghp-w and there is a suspicious iframe near the end of that page.
iframe content is http://cdpuvbhfzz.com/dl/adv598.php and that contains obfuscated javascript. -- AT&T dsl; Westell 327w modem/router; SuSE 10.1; firefox 2.0.0.13 |
|
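The check described in the post above (an iframe near the end of the landing page that loads content from an unrelated host) can be automated and re-run on a schedule, since a landing page can change after an ad is accepted. This is an added example, not part of the original thread; the `.example` hostnames, the sample HTML and the function names are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

def same_site(host, page_host):
    """True if host is the page's own host or a subdomain of it (ignoring 'www.')."""
    base = page_host[4:] if page_host.startswith("www.") else page_host
    return host == base or host.endswith("." + base)

class IframeAudit(HTMLParser):
    """Record every <iframe> that is off-site and/or visually hidden."""
    def __init__(self, page_url, allow=()):
        super().__init__()
        self.page_url = page_url
        self.page_host = urlparse(page_url).hostname or ""
        self.allow = set(allow)          # hosts the site owner embeds on purpose
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {k: (v or "") for k, v in attrs}
        src = urljoin(self.page_url, a.get("src", ""))   # resolve relative src
        host = urlparse(src).hostname or ""
        reasons = []
        if host and host not in self.allow and not same_site(host, self.page_host):
            reasons.append("off-site host")
        style = a.get("style", "").replace(" ", "").lower()
        tiny = a.get("width", "").strip() in ("0", "1") or a.get("height", "").strip() in ("0", "1")
        if tiny or "display:none" in style or "visibility:hidden" in style:
            reasons.append("hidden or zero-size")
        if reasons:
            self.findings.append((src, reasons))

def audit(page_url, html, allow=()):
    parser = IframeAudit(page_url, allow)
    parser.feed(html)
    return parser.findings

# Constructed sample page: one same-site frame, one known embed, one injected frame.
SAMPLE_URL = "http://www.landing.example/dsl/"
SAMPLE_HTML = """<html><body>
<iframe src="/coverage-map.html" width="400" height="300"></iframe>
<iframe src="http://video.example/embed/1" width="400" height="300"></iframe>
<p>footer</p>
<iframe src="http://injected.example/dl/adv.php" width=1 height=1 style="visibility: hidden"></iframe>
</body></html>"""

if __name__ == "__main__":
    for src, reasons in audit(SAMPLE_URL, SAMPLE_HTML, allow={"video.example"}):
        print(src, "->", ", ".join(reasons))
```

A frame that is both off-site and hidden is the strongest signal; comparing findings between runs shows when a previously clean landing page has been modified.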
 skjWelcome to the far side of realityPremium,Mod join:2002-04-04 Gone South Host: Charter Internet/TV Earthlink DSL CenturyLink ISP b2b etc Cisco
| There is a thread at CastleCops regarding: cdpuvbhfzz.com
http://www.castlecops.com/p1079008-iframe_loading_hxxp_cdpuvbhfzz_com_dl_adv598_php.html --
The foundations of character are built not by lecture, but by bricks of good example, laid day by day. |
|
 nwrickertsand groperPremium,MVM join:2004-09-04 Geneva, IL kudos:7 | Thanks for that CastleCops reference. Quite interesting. |
|
 skjWelcome to the far side of realityPremium,Mod join:2002-04-04 Gone South Host: Charter Internet/TV Earthlink DSL CenturyLink ISP b2b etc Cisco
| Yes, it is. That thread was also posted today, so it looks like this nasty may have recently started circulating around the net. --
The foundations of character are built not by lecture, but by bricks of good example, laid day by day. |
|
 nilJava Geek join:2000-11-27 kudos:1 Host: Webmasters and Dev.. Forum Feature Requ..
1 edit | Domain created 3/31/08.. so looks recent.
Domain name: cdpuvbhfzz.com er, removed domain info.. see this:
»www.chiriquichatter.net/blog/2008/04/12/an -- Life is too short to be boring |
|
 Doctor FourMy other vehicle is a TARDISPremium join:2000-09-05 Dallas, TX 1 edit | reply to justin Linkscanner doesn't like that ad's URL: »linkscanner.explabs.com/linkscan···odJlsH-g
Nor does it like the one in the iframe, which it says is on a disreputable hosting provider, known to host malicious code.
It calls the former an orphaned lure site.
The iframe one's WHOIS data:
OrgName: RIPE Network Coordination Centre
OrgID: RIPE
Address: P.O. Box 10096
City: Amsterdam
StateProv:
PostalCode: 1001EB
Country: NL
ReferralServer: whois://whois.ripe.net:43
NetRange: 85.0.0.0 - 85.255.255.255
CIDR: 85.0.0.0/8
NetName: 85-RIPE
NetHandle: NET-85-0-0-0-1
Parent:
NetType: Allocated to RIPE NCC
NameServer: NS-PRI.RIPE.NET
NameServer: NS3.NIC.FR
NameServer: SEC1.APNIC.NET
NameServer: SEC3.APNIC.NET
NameServer: SUNIC.SUNET.SE
NameServer: TINNIE.ARIN.NET
NameServer: NS.LACNIC.NET
Comment: These addresses have been further assigned to users in
Comment: the RIPE NCC region. Contact information can be found in
Comment: the RIPE database at http://www.ripe.net/whois
RegDate: 2004-04-01
Updated: 2004-04-06
-- "The trouble with computers, of course, is that they are very sophisticated idiots." - Doctor Who (from Robot)
|
|
 nilJava Geek join:2000-11-27 kudos:1 | Based on a brief google search, it appears to be an exploit script targeting word press, vbulletin, coppermine, etc. Php exploit, maybe? -- Life is too short to be boring |
|
 justinAustralian join:1999-05-28 New York, NY kudos:7 | reply to nil If you can make the ad appear again, can you click the "ads by google" link at the right and drill down, open up and keep drilling until you get the part where you can report a bad ad to adsense? |
|
 nwrickertsand groperPremium,MVM join:2004-09-04 Geneva, IL kudos:7 | I can reproduce the original url (to googlesyndication) if that's any help |
|
 justinAustralian join:1999-05-28 New York, NY kudos:7 Host: IPv6 Business Connectiv.. Console/Handheld g.. Console Tech Home/Office setup ..
| I've blocked eskimo.com and also emailed our adsense rep with a complaint. Unfortunately I really don't see how this can be avoided in future. I doubt any ad network is smart enough to vet and clean the click stream from any ad, and if they did when the ad was lodged what is to stop the landing page getting modified later? |
|
 cabanaDepartment of AdjustmentsAssistant join:2000-07-07 New York, NY Host: AT&T Southeast 56k Lookout! (broa..
| reply to nwrickert I recreated similar ads with the coloring and "feel" -- but I am not sure if they are related -- properties showed:
pagead2.googlesyndication.com/pagead/imgad?id=CJ_1t5_n5bHiowEQ2AUYTzIIQhaO6-aqw3E
pagead2.googlesyndication.com/pagead/imgad?id=CPvFnZC4uc-M0AEQ2AUYTzIIxm5IBBA487w
pagead2.googlesyndication.com/pagead/imgad?id=CPvFnZC4uc-M0AEQ2AUYTzIIxm5IBBA487w
The thing I noticed on the screenshot that was strange - was to the right the "served by google" was missing (usually shows next to our banners on the homepage)-- could be that it was there and just not caught on the screen shot. |
|
 nwrickertsand groperPremium,MVM join:2004-09-04 Geneva, IL kudos:7 | reply to justin Yes, I agree there is not a lot you can do to prevent this. |
|
 nilJava Geek join:2000-11-27 kudos:1 | Based on a google search, eskimo.com was exploited, not doing this on purpose. -- Life is too short to be boring |
|
 nwrickertsand groperPremium,MVM join:2004-09-04 Geneva, IL kudos:7 | I assumed that.
Unfortunately, other sites will be similarly exploited. |
|
 nilJava Geek join:2000-11-27 kudos:1 Host: Webmasters and Dev.. Forum Feature Requ..
| It's definitely a php-based exploit, but not targeting all open source php apps (that I can tell so far), so probably looking for some specific code problem. An analysis of the source and libraries used by the known targets would probably narrow it down.. -- Life is too short to be boring |
|
 Its a SecretPlease speak into the microphonePremium join:2008-02-23 Da wet coast kudos:3 | reply to justin ZA has ad block which I've used without regret. This is only one more reason... -- A triple espresso, please... |
|