Site Exploit Used

[Mark H]

It looks as though this site was attacked using an exploit. This allowed them to to upload some code to insert a link to a site containing a trojan downloader. 99% of the files are now gone and I think the exploit is now closed. Please post to this thread if you notice anything odd.

 

If you want to be 100% safe it wouldnt hurt to run a virus scan on your pc, a free online one is based here:

 

http://housecall.trendmicro.com/

 

I will post more later but as you can guess I'm kinda busy right now

 

BTW - The wiki will be down while I upgrade it.

[Martin R]

You are certainly on the ball Mark. I was on MLOC at about 7pm when my Norton anti virus detected a Trojan horse apparently. The computer started doing a few odd things. I turned it off and back on and run a virus scan. The Norton has deleted it now apparently. I though you were on the case as MLOC was then down.

[Steve R]

Thxs Beefcake for the info. Got to admit I've had few trojans found on my PC over the last week aswell. Just upgraded my Norton tonight too but old version seemed to find it fine.

[Tango190]

Avast picked up something and knobbed it off about .... 4pm to 6pm whatever my last session was.

 

Something to do with an advert Mark ??

 

Bob

[Mark H]

Yep thats the one, the site they pointed to was this:

 

Domain Name: TRAFF4ALL.BIZ

Domain ID: D12492352-BIZ

Sponsoring Registrar: ONLINENIC, INC. D/B/A CHINA-CHANNEL.COM

Sponsoring Registrar IANA ID: 82

Domain Status: ok

Registrant ID: OLNIC26296630

Registrant Name: D B Kog

Registrant Organization: D B Kog

Registrant Address1: Pobedi -3

Registrant City: Omsk

Registrant State/Province: Omsk

Registrant Postal Code: 4214523

Registrant Country: Russian Federation

Registrant Country Code: RU

Registrant Phone Number: +7.3412453452

Registrant Facsimile Number: +7.3412453452

Registrant Email: [email protected]

Administrative Contact ID: OLNIC26296630

Administrative Contact Name: D B Kog

Administrative Contact Organization: D B Kog

Administrative Contact Address1: Pobedi -3

Administrative Contact City: Omsk

Administrative Contact State/Province: Omsk

Administrative Contact Postal Code: 4214523

Administrative Contact Country: Russian Federation

Administrative Contact Country Code: RU

Administrative Contact Phone Number: +7.3412453452

Administrative Contact Facsimile Number: +7.3412453452

Administrative Contact Email: [email protected]

Billing Contact ID: OLNIC26296630

Billing Contact Name: D B Kog

Billing Contact Organization: D B Kog

Billing Contact Address1: Pobedi -3

Billing Contact City: Omsk

Billing Contact State/Province: Omsk

Billing Contact Postal Code: 4214523

Billing Contact Country: Russian Federation

Billing Contact Country Code: RU

Billing Contact Phone Number: +7.3412453452

Billing Contact Facsimile Number: +7.3412453452

Billing Contact Email: [email protected]

Technical Contact ID: OLNIC26296630

Technical Contact Name: D B Kog

Technical Contact Organization: D B Kog

Technical Contact Address1: Pobedi -3

Technical Contact City: Omsk

Technical Contact State/Province: Omsk

Technical Contact Postal Code: 4214523

Technical Contact Country: Russian Federation

Technical Contact Country Code: RU

Technical Contact Phone Number: +7.3412453452

Technical Contact Facsimile Number: +7.3412453452

Technical Contact Email: [email protected]

Name Server: NS2.ALLCOUNT.NET

Name Server: NS1.GAME4ALL.BIZ

Created by Registrar: ONLINENIC, INC. D/B/A CHINA-CHANNEL.COM

Last Updated by Registrar: ONLINENIC, INC. D/B/A CHINA-CHANNEL.COM

Domain Registration Date: Sat Feb 18 11:33:52 GMT 2006

Domain Expiration Date: Sat Feb 17 23:59:59 GMT 2007

Domain Last Updated Date: Thu May 11 18:10:39 GMT 2006

 

>>>> Whois database was last updated on: Fri May 12 22:27:53 GMT 2006 <<<<

 

NeuLevel, Inc., the Registry Operator for .BIZ, has collected this information

for the WHOIS database through an ICANN-Accredited Registrar. This information

is provided to you for informational purposes only and is designed to assist

persons in determining contents of a domain name registration record in the

NeuLevel registry database. NeuLevel makes this information available to you

"as is" and does not guarantee its accuracy. By submitting a WHOIS query, you

agree that you will use this data only for lawful purposes and that, under no

circumstances will you use this data: (1) to allow, enable, or otherwise

support the transmission of mass unsolicited, commercial advertising or

solicitations via direct mail, electronic mail, or by telephone; (2) in

contravention of any applicable data and privacy protection acts; or (3) to

enable high volume, automated, electronic processes that apply to the registry

(or its systems). Compilation, repackaging, dissemination, or other use of the

WHOIS database in its entirety, or of a substantial portion thereof, is not

allowed without NeuLevel's prior written permission. NeuLevel reserves the

right to modify or change these conditions at any time without prior or

subsequent notification of any kind. By executing this query, in any manner

whatsoever, you agree to abide by these terms.

 

NOTE: FAILURE TO LOCATE A RECORD IN THE WHOIS DATABASE IS NOT INDICATIVE

OF THE AVAILABILITY OF A DOMAIN NAME.

[Martin R]

D B Kog in the Russian Federation Its a long way to send the boys round

[Mark H]

The FAQ wiki is back up and running now

[Simon V]

Yep, my weekly viruscan on McAfee picked up my infection too - file deleted.

 

Cheers Mark.

[ankh]

Bummer,

 

Can anyone tell me what the Trojan was and it's target OS (I assume just Windows).

 

Thx.

 

Rich

[Mark H]

It was a Microsoft Windows only trojan. More details here:

 

http://securityresponse.symantec.com/avcen...byteverify.html

 

If you had a patched Windows it wouldnt be affected even if the trojan downloaded as Microsoft released a patch for the exploit used back in April.

[MattyB]

My forum was hit with the same thing too. I had an Admin user called "Wax" created, all templates were modified with a forwarding <iframe> entry and ever single user was emailed and PM'd with the link to the virus.

 

Nasty bugger.

[Steve J]

Got hit by this yesterday about 3pm. Wa replying on a thread using my company laptop when all hell broke loose.

 

End result is that it's deleted my SOPHOS antivirus and killed off Outlook. I can't use my laptop now till I can get it into the office for IT to look at. No work on Monday then

[Mark H]

heh glad we could be of service Serves them right for giving you such duff antivirus software and not keeping Windows updated

 

Matty B, luckily what we had wasnt as serious as that.