Forums » Up and Running » Security » Security » Does anyone know anything about this advert?
nwrickert
sand groper
Premium,MVM
join:2004-09-04
Geneva, IL
·AT&T U-Verse
·AT&T Midwest

reply to justin
Re: Does anyone know anything about this advert?

The main link redirects to http://www.eskimo.com/dsl/?gclid=CMbU0pK03pICFQhusgodDghp-w and there is a suspicious iframe near the end of that page.

iframe content is http://cdpuvbhfzz.com/dl/adv598.php and that contains obfuscated javascript.
--
AT&T dsl; Westell 327w modem/router; SuSE 10.1; firefox 2.0.0.13


skj
Welcome to the far side of reality
Premium,Mod
join:2002-04-04
Atlanta, GA

There is a thread at CastleCops regarding: cdpuvbhfzz.com

http://www.castlecops.com/p1079008-iframe_loading_hxxp_cdpuvbhfzz_com_dl_adv598_php.html
--


The foundations of character are built not by lecture, but by bricks of good example, laid day by day.


nwrickert
sand groper
Premium,MVM
join:2004-09-04
Geneva, IL
Thanks for that CastleCops reference. Quite interesting.


skj
Welcome to the far side of reality
Premium,Mod
join:2002-04-04
Atlanta, GA

Yes, it is. That thread was also posted today, so it looks like this nasty may have recently started circulating around the net.
--


The foundations of character are built not by lecture, but by bricks of good example, laid day by day.


nil
Java Geek
join:2000-11-27

Domain created 3/31/08.. so looks recent.

Domain name: cdpuvbhfzz.com
er, removed domain info.. see this:

»www.chiriquichatter.net/blog/2008/04/12/an
--
Life is too short to be boring


nwrickert
sand groper
Premium,MVM
join:2004-09-04
Geneva, IL
·AT&T U-Verse
·AT&T Midwest

reply to nwrickert
Here is the iframe definition near the bottom of the eskimo.com page:
Anything obfuscated that way looks suspicious to me.

the content of the iframe has "unescape('%19%04%3C9%0E%60wL0" and that percent encoding goes on for most of the javascript (around 23000 bytes). Clearly somebody was hiding something.

I fetched those pages with "wget", so have local copies.

I later tried loading the page in XP with firefox, scripting turned on, but a limited user account. Nothing bad happened. This probably requires IE on an admin account before it can do anything bad.

Yet another reason to use a limited user account, to use firefox, to use the noscript extension.

--
AT&T dsl; Westell 327w modem/router; SuSE 10.1; firefox 2.0.0.13


EGeezer
Go Bobcats
Premium
join:2002-08-04
Country!
looks like the code in that line directs the user to the aforementioned website's directory: /dl/adv598.php
--
Mayors of New York come from nowhere and go nowhere.
Wallace Sayre (apparently, so do governors... )


nwrickert
sand groper
Premium,MVM
join:2004-09-04
Geneva, IL
·AT&T U-Verse
·AT&T Midwest


yes it does

I used "lynx -dump" to decode it, before I posted the target link in an earlier post in this thread. That's quicker than trying to do it manually.

I don't currently have a good tool for handling that obfuscated javascript, though.
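An added example, not code from the thread: a small Python triage script that does statically what nwrickert did by hand, listing iframes that point off the page's own host and decoding `unescape('%..')` arguments without executing any of the script, so the decoded text can be read before deciding whether it is hostile. The HTML, the script and the `.invalid` hostnames are constructed samples.

```python
import re
from urllib.parse import unquote, urlparse

# Constructed sample of a fetched landing page: a tiny off-site iframe like the
# one nwrickert found, plus a script using the unescape('%..') pattern he quotes.
# The encoded string here is made up and decodes to plain ASCII.
SAMPLE_HTML = (
    '<html><body><p>DSL offers</p>'
    '<iframe src="http://example-adserver.invalid/dl/adv.php" '
    'width="1" height="1"></iframe></body></html>'
)
SAMPLE_JS = "eval(unescape('%64%6f%63%75%6d%65%6e%74%2e%77%72%69%74%65'));"

IFRAME_SRC = re.compile(r'<iframe[^>]*\ssrc=["\']([^"\']+)["\']', re.I)
UNESCAPE_ARG = re.compile(r"unescape\(\s*'([^']*)'\s*\)")
# Tokens worth a second look in decoded script (a triage heuristic, not a verdict).
SUSPICIOUS = ("document.write", "eval(", "iframe", "activexobject", ".exe")

def offsite_iframes(html, page_host):
    """Return iframe src URLs whose host differs from the page's own host."""
    found = []
    for src in IFRAME_SRC.findall(html):
        host = urlparse(src).hostname or page_host   # relative src: same host
        if host.lower() != page_host.lower():
            found.append(src)
    return found

def decode_unescape_strings(js):
    """Statically decode each unescape('...') argument. Nothing is executed;
    only the %XX form the post quotes is handled (JS unescape also takes %uXXXX)."""
    return [unquote(arg) for arg in UNESCAPE_ARG.findall(js)]

def triage(html, js, page_host):
    """Combine both checks into a small report for a fetched page and its script."""
    decoded = decode_unescape_strings(js)
    hits = {tok for text in decoded + [js] for tok in SUSPICIOUS if tok in text.lower()}
    return {
        "offsite_iframes": offsite_iframes(html, page_host),
        "decoded": decoded,
        "suspicious_tokens": sorted(hits),
    }

if __name__ == "__main__":
    print(triage(SAMPLE_HTML, SAMPLE_JS, "www.example-dsl.invalid"))
```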


EGeezer
Go Bobcats
Premium
join:2002-08-04
Country!
·Callcentric
·RoadRunner Cable
·AT&T CallVantage


I also see that the adv.php page seems to have a malware warning from stopbadware.org - is that a recent development?

This site is currently (as of 04/15/2008) being reported to StopBadware by the following partners: Google: reported bad

--
Mayors of New York come from nowhere and go nowhere.
Wallace Sayre (apparently, so do governors... )


nwrickert
sand groper
Premium,MVM
join:2004-09-04
Geneva, IL
Not sure.

I checked the stopbadware.org site for www.eskimo.com/dsl/ but it isn't listed. Other parts of eskimo.com are listed, but not the one that was used here.

I'm not seeing any warning if I try reloading the original link.


EGeezer
Go Bobcats
Premium
join:2002-08-04
Country!
·Callcentric
·RoadRunner Cable
·AT&T CallVantage

I think I might have loaded Google's link instead - such a dummy I am!! My GET of the actual link only yielded an Apache page.
--
Mayors of New York come from nowhere and go nowhere.
Wallace Sayre (apparently, so do governors... )


foxsteve
Premium
join:2001-12-28
Campbell, CA
reply to nwrickert
cdpuvbhfzz.com has address 85.255.121.195
Found 4 websites with the IP 85.255.121.195

1) aarmrgdxrv.com
2) acdedblshd.com
3) adtctqypoa.com
4) xabmiphabh.cn


nwrickert
sand groper
Premium,MVM
join:2004-09-04
Geneva, IL
Probably controlled by RBN, with domain registrations paid using stolen credit cards.


newview
Ex .. Ex .. Exactly
Premium
join:2001-10-01
Parsonsburg, MD

reply to nwrickert
said by nwrickert:

I don't currently have a good tool for handling that obfuscated javascript, though.

If you're looking for a good "de-obfuscator", Net Demon does the trick.
--

Ö¿Ö
The Rules of Spam | Maryland's Newest Anti-Spam Law
Where are we going? And what's with the hand basket?

Graycode

join:2006-04-17
·net2phone


reply to foxsteve
said by foxsteve:

cdpuvbhfzz.com has address 85.255.121.195
Found 4 websites with the IP 85.255.121.195

1) aarmrgdxrv.com
2) acdedblshd.com
3) adtctqypoa.com
4) xabmiphabh.cn
That IP may have been taken off line, I can't seem to connect to it.

Edit: It seems my ISP is blocking access to that IP.


foxsteve
Premium
join:2001-12-28
Campbell, CA

reply to nwrickert
Information related to '85.255.112.0 - 85.255.127.255'

inetnum: 85.255.112.0 - 85.255.127.255
org-name: UkrTeleGroup Ltd.
address: UkrTeleGroup Ltd.
Mechnikova 58/5
65029 Odessa
Ukraine
person: Andrew Sotov
abuse-mailbox: mailto:abuse@ukrtelegroup.com.ua
phone: +380631508855


newview
Ex .. Ex .. Exactly
Premium
join:2001-10-01
Parsonsburg, MD

quote:
I hate block lists... maybe because I have been on the 'wrong end' of them in the past. But after careful consideration, we do recommend blocking traffic from these two netblocks:

InterCage Inc.: 69.50.160.0/19 (69.50.160.0 - 69.50.191.255)
Inhoster: 85.255.112.0/20 (85.255.112.0 - 85.255.127.255)
»isc.sans.org/diary.html?storyid=997
--

Ö¿Ö
The Rules of Spam | Maryland's Newest Anti-Spam Law
Where are we going? And what's with the hand basket?


foxsteve
Premium
join:2001-12-28
Campbell, CA

reply to Graycode
Requesting »85.255.121.195 .. Ok
Reply received (reply time: 1782 ms)
------------------------------------
HTTP/1.1 200 OK
Date: Wed, 16 Apr 2008 16:21:17 GMT
Server: Apache/2.2.6 (Debian) PHP/5.2.4-2 with Suhosin-Patch
X-Powered-By: PHP/5.2.4-2
Content-Length: 0
Connection: close
Content-Type: text/html


Name Game
Premium
join:2002-07-07
North Myrtle Beach, SC


reply to newview
said by newview:

quote:
I hate block lists... maybe because I have been on the 'wrong end' of them in the past. But after careful consideration, we do recommend blocking traffic from these two netblocks:

InterCage Inc.: 69.50.160.0/19 (69.50.160.0 - 69.50.191.255)
Inhoster: 85.255.112.0/20 (85.255.112.0 - 85.255.127.255)
»isc.sans.org/diary.html?storyid=997
When I go online or search I always get a porn/spam advertising site like Jupk.com!

Known Advertising Sites
www.jupk.com
www.ipodderx.com (Possible Hostile)

I have seen this happen when you type an address straight into the address bar, including for www.google.co.uk and www.bbc.co.uk.

Currently known advertising websites are www.jupk.com and www.ipodderx.com, but there are likely to be many more. Please contact me if you know of one.

The solution
Note: I still haven't discovered what causes the hijack in the first place. If you know, please contact me.

First find your DNS settings. Here is how you do this in Microsoft Windows XP or 2000:

1) Go to Windows Control Panel.
2) Go to the 'Network Connections' (or 'Network and Internet Connections', then 'Network Connections') section.
3) Find the item in this window that is your connection to the internet and double click it. If you connect through BT this may be 'BT Broadband'; if you connect through a network it may be 'Local Area Connection'.
4) On the 'General' tab of the window that appears, scroll down until you see the 'Internet Protocol' item and double click it.
5) On the 'General' tab of the window that appears, check which of the following is selected:
   Obtain DNS server address automatically
   Use the following DNS server addresses

Next check the settings are OK. If it is the latter, make a note of the two sets of numbers and search for them in the list on the right of this page. E.g. a known bad server is 85.255.113.194. If you find them in the list, delete the numbers and change the setting to 'Obtain DNS server address automatically'. If you don't find them in the list this may still be the problem, so email the numbers to us using the contact form below and then change the setting to 'Obtain DNS server address automatically'.

Contact Me
Please use this form to contact me.
(20th April 2007) I'm being overwhelmed by emails about this so please now use the new forum.

Inhoster Addresses
85.255.112.0 through 85.255.127.255

Solve This Problem
Report New Site or Report New DNS or Report Root Cause
If when you use your web browser you keep on getting a site that looks like the image below, your DNS settings have been hijacked and are using a server at a Ukrainian company called Inhoster.

»gabrielharrison.co.uk/consultanc···_hijack/
--
Gladiator Security Forum »www.gladiator-antivirus.com/
*
A fun/friendly/informative forum for the mature elder crowd
»www.theover50goldengroup.net
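An added example, not from the thread or from the quoted page: a Python script that automates the manual check the quoted page walks through, pulling the configured resolvers out of `ipconfig /all` style output and flagging any that fall inside the Inhoster or InterCage netblocks the SANS diary names. The ipconfig excerpt is constructed; the first resolver in it is the 85.255.113.194 address the page calls known bad.

```python
import ipaddress
import re

# Netblocks the thread cites from the SANS ISC diary: Inhoster and InterCage.
BAD_NETBLOCKS = [ipaddress.ip_network(n) for n in ("85.255.112.0/20", "69.50.160.0/19")]

# Constructed excerpt in the shape of `ipconfig /all` output on Windows XP.
SAMPLE_IPCONFIG = """\
Ethernet adapter Local Area Connection:
        IP Address. . . . . . . . . . . . : 192.168.1.10
        Default Gateway . . . . . . . . . : 192.168.1.1
        DNS Servers . . . . . . . . . . . : 85.255.113.194
                                            85.255.112.200
"""

def dns_servers_from_ipconfig(text):
    """Pull the DNS server addresses out of ipconfig /all style text.
    The first address sits on the 'DNS Servers' line; any further servers
    follow on continuation lines that hold only an address."""
    servers, collecting = [], False
    for line in text.splitlines():
        m = re.match(r"\s*DNS Servers[ .]*:\s*(\S+)", line)
        if m:
            servers.append(m.group(1))
            collecting = True
            continue
        m = re.match(r"\s+(\d+\.\d+\.\d+\.\d+)\s*$", line)
        if collecting and m:
            servers.append(m.group(1))
        else:
            collecting = False
    return servers

def flag_bad_dns(servers):
    """Return (server, netblock) pairs for every resolver inside a listed block.
    A hit means the machine's DNS setting has been pointed at the hijacker;
    the quoted page's fix is to revert to 'Obtain DNS server address automatically'."""
    flagged = []
    for s in servers:
        addr = ipaddress.ip_address(s)
        for net in BAD_NETBLOCKS:
            if addr in net:
                flagged.append((s, str(net)))
    return flagged

if __name__ == "__main__":
    print(flag_bad_dns(dns_servers_from_ipconfig(SAMPLE_IPCONFIG)))
```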

Graycode

join:2006-04-17
·net2phone

reply to foxsteve
My ISP, Cox, has apparently encountered them before.

Tracing route to 85.255.121.195 over a maximum of 30 hops
...
4 13 ms 9 ms 9 ms 68.12.9.85
5 18 ms 13 ms 16 ms 68.12.14.58
6 15 ms 12 ms 13 ms 68.12.14.33
7 40 ms 38 ms 38 ms 68.1.1.121
8 68.1.18.28 reports: Destination net unreachable.

Trace complete.
over 10 years online! © 1999-2009 dslreports.com.