Re: Does anyone know anything about this advert? in Security

Re: Does anyone know anything about this advert?

Wed, 16 Apr 2008 23:26:38 EDT

foxsteve : ISP SONIC has no any problem
C:\....>tracert 85.255.121.195

Tracing route to 85.255.121.195 over a maximum of 30 hops
.... .....................................

4 16 ms 53 ms 16 ms 200.ge-1-2-0.gw2.equinix-sj.sonic.net [64.142.0.210]
5 19 ms 17 ms 17 ms sjc-c00-pni-gbe-1-5-6.wvfiber.net [206.223.116.18]
6 17 ms 17 ms 19 ms 66.186.192.250
7 19 ms 17 ms 19 ms gw1.cernel.net [64.28.176.1]
8 * * * Request timed out.
9 * * * Request timed out.
10 * * * Request timed out.
11 * * * Request timed out.
12 * 28 ms 28 ms 85.255.121.195

Trace complete.

Re: Does anyone know anything about this advert?

Wed, 16 Apr 2008 23:26:07 EDT

foxsteve : Error

Re: Does anyone know anything about this advert?

Wed, 16 Apr 2008 11:01:23 EDT

Graycode : My ISP, Cox, has apparently encountered them before.


Tracing route to 85.255.121.195 over a maximum of 30 hops
...
  4    13 ms     9 ms     9 ms  68.12.9.85
  5    18 ms    13 ms    16 ms  68.12.14.58
  6    15 ms    12 ms    13 ms  68.12.14.33
  7    40 ms    38 ms    38 ms  68.1.1.121
  8  68.1.18.28  reports: Destination net unreachable.
 
Trace complete.

Re: Does anyone know anything about this advert?

Wed, 16 Apr 2008 10:09:25 EDT

Name Game :

said by newview :

quote:
I hate block lists... maybe because I have been on the 'wrong end' of them in the past. But after careful consideration, we do recommend blocking traffic from these two netblocks:

InterCage Inc.: 69.50.160.0/19 (69.50.160.0 - 69.50.191.255)
Inhoster: 85.255.112.0/20 (85.255.112.0 - 85.255.127.255)

»isc.sans.org/diary.html?storyid=997

When I go online or search I always get a porn/spam advertising site like Jupk.com!
Known Advertising Sites
www.jupk.com
www.ipodderx.comPossible Hostile

I have seen this happen when you type an address straight into the address bar including for www.google.co.uk and www.bbc.co.uk.

Currently known advertising websites are www.jupk.com and www.ipodderx.com but there are likely to be many more. Please contact me if you know of one.

The solution
Note: I still haven't discoved what causes the hijack in the first place. If you know please contact me.
First find your DNS settings
Here is how you do this in Microsoft Windows XP or 2000

Go to Windows Control Panel
Go to the 'Network Connections' (or 'Network and Internet Connections' then 'Network Connections') section.
Find the item in this window that is your connection to the internet and double click it.
If you connect though BT this may be 'BT Broadband'
If you connect though a network it may be 'Local Area Connection'
On the 'General' tab of the window that appears scroll down until you see the 'Internet Protocol' item and double click it.
On the 'General' tab of the window that appears check which of the following is selected.
Obtain DNS server address automatically
Use the following DNS server addresses
Next check the Settings are OK
If it is the latter make a note of the two sets of numbers and search for them in the list on the right of this page. E.g. a known bad server is 85.255.113.194
If you find then in the list delete the numbers and change the setting to 'Obtain DNS server address automatically'.
If you don't find them in the list this may still be the problem so email the numbers to us using the contact form below and then change the setting to 'Obtain DNS server address automatically'.
Contact Me
Please use this form to contact me.

(20th April 2007) I'm being overwhelmed by emails about this so please now use the new forum

Inhoster Addresses
85.255.112.0
through..
85.255.127.255

Solve This Problem
Report New Site or Report New DNS or Report Root Cause
If when you use your web browser you keep on getting a site that looks like the image below your DNS settings have been hijacked and using a server at an Ukrainian company called Inhoster.

»gabrielharrison.co.uk/consultanc···_hijack/
--
Gladiator Security Forum »www.gladiator-antivirus.com/
*
A fun/friendly/informative forum for the mature elder crowd
»www.theover50goldengroup.net

Re: Does anyone know anything about this advert?

Wed, 16 Apr 2008 01:24:00 EDT

foxsteve : Requesting »85.255.121.195 .. Ok
Reply received (reply time: 1782 ms)
------------------------------------
HTTP/1.1 200 OK
Date: Wed, 16 Apr 2008 16:21:17 GMT
Server: Apache/2.2.6 (Debian) PHP/5.2.4-2 with Suhosin-Patch
X-Powered-By: PHP/5.2.4-2
Content-Length: 0
Connection: close
Content-Type: text/html

Re: Does anyone know anything about this advert?

Wed, 16 Apr 2008 01:08:25 EDT

newview :

quote:
I hate block lists... maybe because I have been on the 'wrong end' of them in the past. But after careful consideration, we do recommend blocking traffic from these two netblocks:

InterCage Inc.: 69.50.160.0/19 (69.50.160.0 - 69.50.191.255)
Inhoster: 85.255.112.0/20 (85.255.112.0 - 85.255.127.255)

»isc.sans.org/diary.html?storyid=997
--

Ö¿Ö
The Rules of Spam | Maryland's Newest Anti-Spam Law
Where are we going? And what's with the hand basket?

Re: Does anyone know anything about this advert?

Wed, 16 Apr 2008 01:02:40 EDT

foxsteve : Information related to '85.255.112.0 - 85.255.127.255'

inetnum: 85.255.112.0 - 85.255.127.255
org-name: UkrTeleGroup Ltd.
address: UkrTeleGroup Ltd.
Mechnikova 58/5
65029 Odessa
Ukraine
person: Andrew Sotov
abuse-mailbox: mailto:abuse@ukrtelegroup.com.ua
phone: +380631508855

Re: Does anyone know anything about this advert?

Wed, 16 Apr 2008 01:01:56 EDT

Graycode :

said by foxsteve :

cdpuvbhfzz.com has address 85.255.121.195
Found 4 websites with the IP 85.255.121.195

1) aarmrgdxrv.com
2) acdedblshd.com
3) adtctqypoa.com
4) xabmiphabh.cn

~~That IP may have been taken off line,~~ I can't seem to connect to it.

Edit: It seems my ISP is blocking access to that IP.

Re: Does anyone know anything about this advert?

Wed, 16 Apr 2008 00:58:48 EDT

newview :

said by nwrickert :

I don't currently have a good tool for handling that obfuscated javascript, though.

If you're looking for a good "de-obfuscator", Net Demon does the trick.
--

Ö¿Ö
The Rules of Spam | Maryland's Newest Anti-Spam Law
Where are we going? And what's with the hand basket?

Re: Does anyone know anything about this advert?

Wed, 16 Apr 2008 00:52:25 EDT

nwrickert : Probably controlled by RBN, with domain registrations paid using stolen credit cards.

Re: Does anyone know anything about this advert?

Wed, 16 Apr 2008 00:48:35 EDT

foxsteve : cdpuvbhfzz.com has address 85.255.121.195
Found 4 websites with the IP 85.255.121.195

1) aarmrgdxrv.com
2) acdedblshd.com
3) adtctqypoa.com
4) xabmiphabh.cn

Re: Does anyone know anything about this advert?

Wed, 16 Apr 2008 00:43:40 EDT

Name Game : foulu
Contributor
Coppermine frequent
--------------------------------------------------------------------------------
Hi,

I make a php file that can sanitize the addition data from php & html file that infected with iframe things. I create it to use on one of my working site but I think release it will help more people. The script is simple, just check current folder and all sub folder for .php & .html, loop to find infect string in those files and then remove it. Anyway, use it with own will, I will not take any responsibility if you damage your site when using it.

I attach the file with this post, download and rename it to cure.php, upload to your site & run it.

------------------------------------------------------------
cure.txt (2.48 KB - downloaded 81 times.)

http://forum.coppermine-gallery.net/index.php/topic,51671.180.html

also there...
A little shell (/bin/sh) script to clean up that... Not better than capecodgal's one but very simple to use if you have shell access or /bin/sh cgi capabilities.

Use it on your web's root.

------------------------------------------------------------
nettoie_cpg.txt (0.37 KB - downloaded 32 times.)

--
Gladiator Security Forum http://www.gladiator-antivirus.com/
*
A fun/friendly/informative forum for the mature elder crowd
http://www.theover50goldengroup.net

cure.txt 2,615 bytes

Re: Does anyone know anything about this advert?

Wed, 16 Apr 2008 00:38:25 EDT

TechSponge : BTW - I never got to click on anything on the site...i had the time to visually search for NY and NJ as served areas...and the fireworks just began.

Re: Does anyone know anything about this advert?

Wed, 16 Apr 2008 00:38:24 EDT

Lanik :

said by TechSponge :

Hey Folks! Im the idiot that clicked on the cool looking Banner.

Sh!t happens, we've all made that mistake at one point or another. What's more important is how you proceed from there mainly and what lessons were learned during this exercise in patience. :)
--
"If it ain't broke don't fix it."

Re: Does anyone know anything about this advert?

Wed, 16 Apr 2008 00:34:43 EDT

TechSponge : Hey Folks! Im the idiot that clicked on the cool looking Banner. I never click on Banners unless Im on legit sites. Thought that was safe. Guess not.
So...got back to the city to work on this PC to get it running for tomorrow.
Info: I was running spybot s&d fully patched and teatimer running. Spywareblaster installed but not "active". Symantec Corp 10, fully patched.
It created 2 folder in PROGRAM FILES. Netproject & Helper. 3 BHO's were added according to hijackthis. 2 were pointing to ieservicegate(IE Anti-Spyware - {9034a523-d068-4be8-a284-9df278be776e} - »www.ieservicegate.com/redire{...} + Extra button: (no name) - {9034a523-d068-4be8-a284-9df278be776e} - »www.ieservicegate.com/redire{...}) and 1 to netproject (sbmdl.dll).
There were a bunch of items caught by Spybot: Zlob, Smitfraud, Spylocked, win32 renos, and a few others.
As I type this, even though i would say ive done a good job cleaning...i get a few warnings from symantec in my temp ie content files for trojans (mediatubecodec[1].exe) and spybot is blocking...something.
Looks like the wipe begins. Thanks to all for all of your input. All of this is above my head. Im just a simple network guy.
-Sponge

Re: Does anyone know anything about this advert?

Wed, 16 Apr 2008 00:14:32 EDT

mysec : Using the link nwrickert gives, here is the exploit in action.

As the page loads, the iframe connects in the background to cdpuvbhfzz.com (see IE status bar) and almost immediately an IE error box appears:

____________________________________________________________

Meanwhile adv598.html caches:

____________________________________________________________

As soon as the user clicks to close the IE error box, the IE window closes, a new IE Blank window opens and the obfuscated code attempts to download loadadv598.exe in the background:

____________________________________________________________

The following file also caches, and the CLSID is one of several vulnerable ActiveX exploits
used in the past, but I didn't follow through to check it more.

____________________________________________________________

Conclusion

Lots of fancy footwork attempting to accomplish the same old thing: sneak in a trojan downloader,
easily prevented with proper security.

Re: Does anyone know anything about this advert?

Wed, 16 Apr 2008 00:12:16 EDT

Name Game : Someone has Redirected my Site to cdpuvbhfzz.com-What do I do?

»forum.coppermine-gallery.net/ind···1.0.html

Re: Does anyone know anything about this advert?

Wed, 16 Apr 2008 00:10:17 EDT

rick752 : I think I have this blocked now. Thanx.
That really sucks :(

Re: Does anyone know anything about this advert?

Wed, 16 Apr 2008 00:06:25 EDT

EGeezer : And more here -

»www.google.com/search?q=adv598.php
Mayors of New York come from nowhere and go nowhere.
Wallace Sayre (apparently, so do governors... )

Re: Does anyone know anything about this advert?

Wed, 16 Apr 2008 00:03:42 EDT

Name Game :

said by rick752 :

Thanx, Name Game ... that was the 2nd verification that I was looking for.
Changing filter in ABP EasyList now. :)

What a nasty piece of work that stuff is..good luck Rick.

Re: Does anyone know anything about this advert?

Tue, 15 Apr 2008 23:59:11 EDT

rick752 : Thanx, Name Game ... that was the 2nd verification that I was looking for.
Changing filter in ABP EasyList now. :)

Re: Does anyone know anything about this advert?

Tue, 15 Apr 2008 23:55:54 EDT

Name Game : Discussions > Troubleshooting & Implementation Questions > Script appears to be running from GoogleADs
(But it is not..see here)
»groups.google.com/group/adsense-···lnk=raot

»forum.coppermine-gallery.net/ind···sg250236

see also
Malicious site? or hacked site?

traffdollars.biz/dl/adv598.php

»spywarehunt.blogspot.com/
--
Gladiator Security Forum »www.gladiator-antivirus.com/
*
A fun/friendly/informative forum for the mature elder crowd
»www.theover50goldengroup.net

Re: Does anyone know anything about this advert?

Tue, 15 Apr 2008 23:52:37 EDT

EGeezer : I think I might have loaded Google's link instead - Such a dummy I am!! My GET of the actual link only yielded an apache page .
--
Mayors of New York come from nowhere and go nowhere.
Wallace Sayre (apparently, so do governors... )

Re: Does anyone know anything about this advert?

Tue, 15 Apr 2008 23:49:35 EDT

LoneWolf : Another good reason to have an ad blocker.
In my case AdMuncher.
Can't click on what I can't see. :D

Re: Does anyone know anything about this advert?

Tue, 15 Apr 2008 23:49:33 EDT

rick752 : I just added:
*cdpuvbhfzz.com*
.. to the 'Malicious code' area of the EasyList subscription for Adblock Plus.

That took care of the current malicious 3rd-party frame there. That frame is still present on Eskimo.com.

We'll have to see how this manifests itself again in another instance to try to zero in on it.
--
EasyList, EasyElement, & ABP Tracking Filter Subscriptions for Adblock Plus

Re: Does anyone know anything about this advert?

Tue, 15 Apr 2008 23:48:34 EDT

nwrickert : Not sure.

I checked the stopbadware.org site for www.eskimo.com/dsl/ but it isn't listed. Other parts of eskimo.com are listed, but not the one that was used here.

I'm not seeing any warning if I try reloading the original link.

Re: Does anyone know anything about this advert?

Tue, 15 Apr 2008 23:19:22 EDT

EGeezer : I also see that the adv.php page seems to have a malware warning from stopbadware.org - is that a recent development?

This site is currently (as of 04/15/2008) being reported to StopBadware by the following partners:Google: reported bad

--
Mayors of New York come from nowhere and go nowhere.
Wallace Sayre (apparently, so do governors... )

Re: Does anyone know anything about this advert?

Tue, 15 Apr 2008 23:03:14 EDT

nwrickert : yes it does

I used "lynx -dump" to decode it, before I posted the target link in an earlier post in this thread. That's quicker than trying to do it manually.

I don't currently have a good tool for handling that obfuscated javascript, though.

Re: Does anyone know anything about this advert?

Tue, 15 Apr 2008 23:02:45 EDT

EGeezer : looks like the code in that line directs the user to the aforementiond website's directory: /dl/adv598.php
--
Mayors of New York come from nowhere and go nowhere.
Wallace Sayre (apparently, so do governors... )

Re: Does anyone know anything about this advert?

Tue, 15 Apr 2008 22:53:26 EDT

nwrickert : Here is the iframe definition near the bottom of the eskimo.com page:
Anything obfuscated that way looks suspicious to me.

the content of the iframe has "unescape('%19%04%3C9%0E%60wL0" and that percent encoding goes on for most of the javascript (around 23000 bytes). Clearly somebody was hiding something.

I fetched those pages with "wget", so have local copies.

I later tried loading the page in XP with firefox, scripting turned on, but a limited user account. Nothing bad happened. This probably requires IE on an admin account before it can do anything bad.

Yet another reason to use a limited user account, to use firefox, to use the noscript extension.

--
AT&T dsl; Westell 327w modem/router; SuSE 10.1; firefox 2.0.0.13

Re: Does anyone know anything about this advert?

Tue, 15 Apr 2008 22:33:28 EDT

Its a Secret : ZA has ad block which I've used without regret. This is only one more reason...
--
A triple espresso, please...

Re: Does anyone know anything about this advert?

Tue, 15 Apr 2008 22:25:08 EDT

nil : It's definitely a php-based exploit, but not targeting all open source php apps (that I can tell so far), so probably looking for some specific code problem. An analysis of the source and libraries used by the known targets would probably narrow it down..
--
Life is too short to be boring

Re: Does anyone know anything about this advert?

Tue, 15 Apr 2008 22:22:16 EDT

nwrickert : I assumed that.

Unfortunately, other sites will be similarly exploited.

Re: Does anyone know anything about this advert?

Tue, 15 Apr 2008 22:18:11 EDT

nil : Based on a google search, eskimo.com was exploited, not doing this on purpose.
--
Life is too short to be boring

Re: Does anyone know anything about this advert?

Tue, 15 Apr 2008 22:16:32 EDT

nwrickert : Yes, I agree there is not a lot you can do to prevent this.

Re: Does anyone know anything about this advert?

Tue, 15 Apr 2008 22:15:02 EDT

cabana : I recreated similar ads with the coloring and "feel" -- but I am not sure if they are related -- properties showed:

pagead2.googlesyndication.com/pagead/imgad?id=CJ_1t5_n5bHiowEQ2AUYTzIIQhaO6-aqw3E

pagead2.googlesyndication.com/pagead/imgad?id=CPvFnZC4uc-M0AEQ2AUYTzIIxm5IBBA487w

pagead2.googlesyndication.com/pagead/imgad?id=CPvFnZC4uc-M0AEQ2AUYTzIIxm5IBBA487w

The thing I noticed on the screenshot that was strange - was to the right the "served by google" was missing (usually shows next to our banners on the homepage)-- could be that it was there and just not caught on the screen shot.

Re: Does anyone know anything about this advert?

Tue, 15 Apr 2008 22:14:11 EDT

justin : I've blocked eskimo.com and also emailed our adsense rep with a complaint. Unfortunately I really don't see how this can be avoided in future. I doubt any ad network is smart enough to vet and clean the click stream from any ad, and if they did when the ad was lodged what is to stop the landing page getting modified later?

Re: Does anyone know anything about this advert?

Tue, 15 Apr 2008 22:09:04 EDT

nwrickert : I can reproduce the original url (to googlesyndication) if that's any help

Re: Does anyone know anything about this advert?

Tue, 15 Apr 2008 22:03:57 EDT

justin : If you can make the ad appear again, can you click the "ads by google" link at the right and drill down, open up and keep drilling until you get the part where you can report a bad ad to adsense?

Re: Does anyone know anything about this advert?

Tue, 15 Apr 2008 21:54:45 EDT

nil : Based on a brief google search, it appears to be an exploit script targeting word press, vbulletin, coppermine, etc. Php exploit, maybe?
--
Life is too short to be boring

Re: Does anyone know anything about this advert?

Tue, 15 Apr 2008 21:50:46 EDT

Doctor Four : Linkscanner doesn't like that ad's URL:
»linkscanner.explabs.com/linkscan···odJlsH-g

Nor does it like the one in the iframe, which it says is
on a disreputable hosting provider, known to host malicious
code.

It calls the former an orphaned lure site.

The iframe one's WHOIS data:

--
"The trouble with computers, of course, is that they are very sophisticated idiots." - Doctor Who (from Robot)

Re: Does anyone know anything about this advert?

Tue, 15 Apr 2008 21:48:34 EDT

nil : Domain created 3/31/08.. so looks recent.

Domain name: cdpuvbhfzz.com
er, removed domain info.. see this:

»www.chiriquichatter.net/blog/2008/04/12/an
--
Life is too short to be boring

Re: Does anyone know anything about this advert?

Tue, 15 Apr 2008 21:47:19 EDT

skj : Yes, it is. That thread was also posted today, so it looks like this nasty may have recently started ciruclating around the net.
--

The foundations of character are built not by lecture, but by bricks of good example, laid day by day.

Re: Does anyone know anything about this advert?

Tue, 15 Apr 2008 21:37:01 EDT

nwrickert : Thanks for that CastleCops reference. Quite interesting.

Re: Does anyone know anything about this advert?

Tue, 15 Apr 2008 21:30:37 EDT

skj : There is a thread at CastleCops regarding: cdpuvbhfzz.com

http://www.castlecops.com/p1079008-iframe_loading_hxxp_cdpuvbhfzz_com_dl_adv598_php.html
--

The foundations of character are built not by lecture, but by bricks of good example, laid day by day.

Re: Does anyone know anything about this advert?

Tue, 15 Apr 2008 21:26:42 EDT

nwrickert : The main link redirects to http://www.eskimo.com/dsl/?gclid=CMbU0pK03pICFQhusgodDghp-w and there is a suspicious iframe near the end of that page.

iframe content is http://cdpuvbhfzz.com/dl/adv598.php and that contains obfuscated javascript.
--
AT&T dsl; Westell 327w modem/router; SuSE 10.1; firefox 2.0.0.13

Re: Does anyone know anything about this advert?

Tue, 15 Apr 2008 21:24:17 EDT

n1zuk : I saw it earlier, when I was at work. I (thankfully) didn't click on it.

It did seem out of the normal to me...
--
New to Forum Life? Click here and learn.

Re: Does anyone know anything about this advert?

Tue, 15 Apr 2008 21:22:16 EDT

nil : I just got a similar one..

Yah, same one leads here:

Can anyone confirm any issue? I'm on a mac..
--
Life is too short to be boring

Re: Does anyone know anything about this advert?

Tue, 15 Apr 2008 21:16:51 EDT

Its a Secret : I've sent a request to have this looked at by the mods. Hopefully, we'll know something soon...
--
A triple espresso, please...

Does anyone know anything about this advert?

Tue, 15 Apr 2008 21:05:43 EDT

justin : from a non registered user, complaint sent by email..

I clicked on the banner ad and my pc is completely unusable now. Trojans, viruses, etc. My Symanetc Corp 10 and spybot lit up like fireworks were goin off. Whats the story here? Can you help? I just fucked my work PC. How can this happen on a trusted site like dslreports? What now?

I don't recognize that advert but maybe someone here knows where it goes to so I can tell this person whether it is really malware or not..