
Trojan from blivvsen com


    #21
    Nice one administrator
    Still Invoicing



      #22
      Originally posted by Zippy
      Don't worry. If the little bastard has got me I'll sort it.
      Someone else I owe drinks to at the next meet up then

      Originally posted by blacjac
      Nice one administrator
      I don't feel particularly clever at the minute, should have turned the ad server off as soon as people started complaining. I did upgrade the adserver last night but not to the most recent.

      Code:
      root@cukmain:~/openx/20100919# ls -al
      total 159984
      drwxr-xr-x  3 root root      4096 Sep 19 22:18 .
      drwxr-xr-x  6 root root      4096 Sep 21 01:39 ..
      -rw-r--r--  1 root root 154185110 Sep 19 21:59 cukopenx.sql
      drwxr-xr-x 10  500  500      4096 Sep 19 22:04 openx-2.8.0
      -rw-r--r--  1 root root   9452354 Apr 29  2009 openx-2.8.0.tar.gz
      I have just had a look around the OpenX site and can't see where I could have downloaded that version of the software from. Think must have been a link in the control panel, just upgraded and moved on to the next site. Got distracted though as the next site I went to patch had already been had.

      Still, at least no-one else will get had when the forum and main site (adserver covers the main site too) gets busier in the morning.

      Thanks to you all for letting me know and helping track it down. Apologies again to the infected, hope it is no more than an AV clean up job for you and no system rebuilds needed...



        #23
        Just checked with an HTTP debugger and, even when I allow the ads through, nothing untoward is showing up now

        Of note is that, when searching for blivvsen.com, this thread is currently the only content that appears on a Google search except for some robot that tracks new domain registrations.

        The whois record for that domain is:

        Code:
        Domain blivvsen.com
        
        Date Registered: 2010-9-16
        Date Modified: 2010-9-17
        Expiry Date: 2011-9-16
        
        DNS1: ns1.blivvsen.com
        DNS2: ns2.blivvsen.com
        
        Registrant
            Private Whois Service
            Private Whois Service  lj371hp4c91e42b57a56@db4lf1v4c7e2571db075.privatewhois.net
            *******PLEASE DO NOT SEND LETTERS******
            ****Contact the owner by email only****
            c/o blivvsen.com
            N4892 Nassau
            Bahamas
        
        Administrative Contact
            Private Whois Service
            Private Whois Service  d4xk8fg4c91e42b6c24e@db4lf1v4c7e2571db075.privatewhois.net
            *******PLEASE DO NOT SEND LETTERS******
            ****Contact the owner by email only****
            c/o blivvsen.com
            N4892 Nassau
            Bahamas
            Tel: +852.81720004
        
        Technical Contact
            Private Whois Service
            Private Whois Service  zasauyb4c91e42b64174@db4lf1v4c7e2571db075.privatewhois.net
            *******PLEASE DO NOT SEND LETTERS******
            ****Contact the owner by email only****
            c/o blivvsen.com
            N4892 Nassau
            Bahamas
            Tel: +852.81720004
        
        Registrar: Internet.bs Corp.
        Registrar's Website : http://www.internetbs.net/
        "Registrar: Internet.bs Corp"... lots of BS from their end, it seems
        Last edited by NickFitz; 21 September 2010, 02:11.



          #24
          Should this affect us daywalkers?
          Last edited by cojak; 21 September 2010, 06:55. Reason: Just seen admin's sticky, so that's a no.
          "I can put any old tat in my sig, put quotes around it and attribute to someone of whom I've heard, to make it sound true."
          - Voltaire/Benjamin Franklin/Anne Frank...



            #25
            I don't remember what time I was on CUK last night. Any chance admin might be able to find a list of logged-in users in the danger period and contact them all - other users might have made an infrequent visit and not see this thread.

            Is this trojan browser-specific? And I assume it targets Windows alone?
            Originally posted by MaryPoppins
            I'd still not breastfeed a nazi
            Originally posted by vetran
            Urine is quite nourishing



              #26
              Originally posted by cojak
              Should this affect us daywalkers?
              No, is all cleaned up now. Software definitely up to date.

              Originally posted by d000hg
              I don't remember what time I was on CUK last night. Any chance admin might be able to find a list of logged-in users in the danger period and contact them all - other users might have made an infrequent visit and not see this thread.

              Is this trojan browser-specific? And I assume it targets Windows alone?
              Will see if can pull a list of logged in users when I get into work.

              I would have thought Windows specific...



                #27
                NOD32 went ape tulip last night and kept blocking bilsen url. Just ran a scan and nothing so pretty happy.



                  #28
                  I noticed the Java plugin kick off last night and was not sure why, machine is still on in the house.

                  It's fully patched and up to date with Windows Security Essentials though, should be fine.



                    #29
                    Good stuff, glad no-one so far seems to have been hit badly with it. Must say, as Trojans go it was a bit of a wimpy one. Luckily. Will certainly be keeping on top of OpenX updates. Seen quite a few sites over the last few days hit with it so if you have any unpatched sites running OpenX then sort it quickly!



                      #30
                      A deep scan suggests I got away with it too - nothing was detected.
                      +50 Xeno Geek Points
                      Come back Toolpusher, scotspine, Voodooflux. Pogle
                      As for the rest of you - DILLIGAF

                      Purveyor of fine quality smut since 2005

                      CUK Olympic University Challenge Champions 2010/2012
