Please Read This! - Important Security Issue!

  • BFT3K
    Too lazy to set a custom title
    • Dec 2005
    • 10764

    #1

    I am not a technical expert, but from what I can figure out, here is a major hacker issue that everyone should be aware of.

    Read on, as IT DOES AFFECT SALES!

    If I am not interpreting this information incorrectly, please clarify, as I am not married to my own interpretation, but it appears to be a very valid hypothesis.

    I recently noticed one or two of my sites were receiving malware warnings, when attempting to access the pages.

    Upon further investigation I noticed that all of my "error" pages were infected by iframes that redirected you to a Russian site.

    I then did a search for my own sites, and I came upon many pages which included text along the lines of the following...

    -----------

    How to get FREE Access to YourSiteName.com (obviously this is actually the real name of the site, but I changed it for demonstration purposes)

    Using someone elses YourSiteName.com membership to get access is shady...and all the YourSiteName.com passwords on google are expired

    But I finally got in for free by using a free deal link for YourSiteName.com

    1. Use the deal link below
    2. Click to join YourSiteName.com...fill in an email and password
    3. Verify you're not under 18 with a credit card...(Don't worry it won't be charged)
    4. Then just check your email for the Free Lifetime Membership!

    Deal Link: http://refer.ccbill.com/cgi-bin/clic...m/updates.html

    -----------

    The link address is intentionally incorrect: http://www.YourSiteName.com/updates.html. On my sites for example, the updates.html portion has a capital "U" and not a lower "u" - so you are instantly redirected to one of the infected error pages.

    BTW: CCBill has since flagged account number 2186562, but it isn't even clear if they were the culprit.

    When the link was working, the surfer would enter a credit card to join for free, and then, since the page does not really exist, the thieves/hackers would steal the card number, and then redirect them to one of my error pages, which they had already infected with iframe malware.

    Adding insult to injury (and this is the worst part), it looks like Symantec (the parent company of Norton Utilities) has taken it upon itself to inform everyone using Norton Utilities, that the pages of these sites are dangerous to visit.

    The problem is, even AFTER you remove the iframes from your pages, the Norton warnings DO NOT GO AWAY!

    It is fine for a security company to warn you that a site is dangerous, but for them to compile a database, and then NOT update that database in realtime, is TOTAL BULLSHIT!

    As more and more sites are now finding themselves on this Symantec blacklist, it is obvious that MANY DOLLARS are being lost, by both the site owners, as well as the billing companies!

    I just had a very long talk with CCBill about this, and they totally agree that sales are now falling, thanks to this Symantec bullshit - even though I suppose it was meant to be helpful.

    What say you?
  • AzteK
    Confirmed User
    • Feb 2001
    • 3451

    #2
    Do you know what the exploit is and how to protect against it?


    • BFT3K
      Too lazy to set a custom title
      • Dec 2005
      • 10764

      #3
      Originally posted by AzteK
      Do you know what the exploit is and how to protect against it?
      A hacked FTP break-in is the best theory so far, but that theory is not yet verified.


      • BFT3K
        Too lazy to set a custom title
        • Dec 2005
        • 10764

        #4
        These are not my sites, but here are additional examples of the scam. Maybe one of these is YOUR site?

        http://www.e-bug.net/forum/messages/5354.shtml
        http://www.topgun.com.tw/forum_view.php?sn=110129112428
        http://beatbox.com.do/web/guia/item/19-cash-the-club
        http://michaud-designs.net/vpig/show...ject_id=212945


        • HD Content
          So Fucking Banned
          • Jul 2010
          • 316

          #5
          Yes I agree, I have been getting passwords hacked. I thought CCBill was getting hacked and giving out the passwords to my site. It seems the big wigs are at it again


          • BFT3K
            Too lazy to set a custom title
            • Dec 2005
            • 10764

            #6
            Originally posted by HD Content
            Yes I agree, I have been getting passwords hacked. I thought CCBill was getting hacked and giving out the passwords to my site. It seems the big wigs are at it again
            Looks Russian, but the truly disturbing part of this story is the part about Symantec's database. The people who try to gain access to our sites without paying deserve to get fucked, but to lose sales because Symantec does not update their blacklist in realtime, is a whole other kettle of fish.

            iframe issue seems to have originated from here...



            • SmokeyTheBear
              ►SouthOfHeaven
              • Jun 2004
              • 28609

              #7
              Over the past 90 days, zabilppc.org appeared to function as an intermediary for the infection of 73 site(s) including fullmelons.com/, chicksinsocks.com/, hottiesniper.com/.
              hatisblack at yahoo.com


              • BFT3K
                Too lazy to set a custom title
                • Dec 2005
                • 10764

                #8
                Originally posted by SmokeyTheBear
                Over the past 90 days, zabilppc.org appeared to function as an intermediary for the infection of 73 site(s) including fullmelons.com/, chicksinsocks.com/, hottiesniper.com/.
                And my guess is the owners of those sites have since removed their iframe infected pages, but thanks to Symantec's blacklist, 2 of the 3 sites you just listed are still marked as dangerous.



                Symantec is killing sales. They have no right to flag sites for malware, and then, once the site is disinfected, they leave the site on the list for all Norton protected computers to continue receiving the warnings.

                How many sales are being lost to this?!
                Last edited by BFT3K; 02-02-2011, 02:45 PM.


                • EDepth
                  Confirmed User
                  • Nov 2005
                  • 510

                  #9
                  Looks like he was just trying to get people to signup to sites expecting it was free when it really wasn't. CCBill flagged all of his accounts as well. Appears the exploit stuff is unrelated is my guess. Or maybe he is combo'ing it if your box is infected w/ his board spam.
                  ICQ: 275335837


                  • biskoppen
                    Confirmed User
                    • Mar 2003
                    • 5809

                    #10
                    This has been a problem for many years. I think I remember that back when I dug into this I found out that these Russian hackers are in the top 5 of most sales generating adult webmasters out there.

                    • BFT3K
                      Too lazy to set a custom title
                      • Dec 2005
                      • 10764

                      #11
                      I just contacted Symantec about this issue.

                      I asked many questions, but in the end the most I could get out of them is this link. It is a form you need to fill out, to have your site re-evaluated....

                      http://us.norton.com/support/kb/web_...100708152454EN

                      So to sum up, once you are flagged, your site pops up warnings to your surfers. Once you fix the problem, your site remains flagged by Norton Security until you set up a Norton account, and request a flag removal.

                      How about that?
                      Last edited by BFT3K; 02-02-2011, 04:02 PM.


                      • jonnydoe
                        Confirmed User
                        • Aug 2006
                        • 543

                        #12
                        I had something similar happen several years ago where every index page on the server was infected with an iframe. My host was able to quickly kill all occurrences but we never did trace exactly how they got in to plant it for sure. I was running a custom PHP script so we speculated that there was a vulnerability but it was not attacked again. We also speculated that it could have possibly happened when reviewing a submission that was infected and then it somehow went through the local PC's FTP client to the server.

                        I think I would make sure that your CMS is up to date or still being updated by the script writer to avoid it recurring.

                        • rogueteens
                          So fucking bland
                          • Jul 2006
                          • 8005

                          #13
                          If you don't use Norton, how do you know if they have flagged one of your sites?

                          • ruff
                            I have a plan B
                            • Aug 2004
                            • 5507

                            #14
                            I had someone get into my main server and put iframe redirects on my error pages. This was back when I was getting hacked about every month. I still don't know what exploit they used, got some FTP data and only targeted about 10 sites every time. Finally had my server admin restrict access to that server to my IP address only and no problem since. Got flagged by Norton, Google and McAfee but everything went away after I cleaned the sites.

                            Comment
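An added example, not part of any post in this thread: one way a site owner could check static pages (including the error pages mentioned above) for injected iframes after a cleanup. It flags any `<iframe>` that points off-site or is hidden; the allowlisted hosts, the sample pages and the `injected.example` domain are constructed assumptions.

```python
import os
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the only hosts this site legitimately frames (constructed values).
ALLOWED_HOSTS = {"yoursitename.com", "www.yoursitename.com"}

class IframeAudit(HTMLParser):
    """Record every <iframe> that is off-site or visually hidden."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {k: (v or "") for k, v in attrs}
        src = a.get("src", "")
        host = (urlparse(src).hostname or "").lower()  # "" for relative URLs
        style = a.get("style", "").replace(" ", "").lower()
        hidden = (a.get("width") in ("0", "1") or a.get("height") in ("0", "1")
                  or "display:none" in style or "visibility:hidden" in style)
        offsite = bool(host) and host not in ALLOWED_HOSTS
        if offsite or hidden:
            self.findings.append({"line": self.getpos()[0], "src": src,
                                  "host": host, "offsite": offsite, "hidden": hidden})

def audit_html(text):
    parser = IframeAudit()
    parser.feed(text)
    parser.close()
    return parser.findings

def audit_tree(root, exts=(".html", ".htm", ".shtml", ".php")):
    """Walk a document root and return {path: findings} for flagged files."""
    report = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if name.lower().endswith(exts):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    hits = audit_html(fh.read())
                if hits:
                    report[path] = hits
    return report

# Constructed sample error pages: one clean, one carrying a hidden off-site iframe.
SAMPLE_CLEAN = '<html><body>\n<h1>404</h1>\n<iframe src="/banner.html" width="468" height="60"></iframe>\n</body></html>'
SAMPLE_INFECTED = '<html><body>\n<h1>404</h1>\n<iframe src="http://injected.example/in.php" width="0" height="0"></iframe>\n</body></html>'

if __name__ == "__main__":
    print(audit_html(SAMPLE_CLEAN), audit_html(SAMPLE_INFECTED))
```

Running `audit_tree()` against the web root on a schedule, and again before requesting a blacklist re-evaluation, shows whether any flagged frame is still being served.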

                            • BFT3K
                              Too lazy to set a custom title
                              • Dec 2005
                              • 10764

                              #15
                              Originally posted by rogueteens
                              If you don't use Norton, how do you know if they have flagged one of your sites?
                              Like Ruff mentioned above, Google and others also set up blacklists.

                              Google offers a similar resubmission option, but I suppose, over time, the sites are ultimately revisited. If they are clean, they will be accepted and re-indexed again... eventually.

                              If you want to expedite this process however, you need to manually re-submit the site(s) to all blacklists you find yourself on.


                              • rogueteens
                                So fucking bland
                                • Jul 2006
                                • 8005

                                #16
                                Originally posted by BFT3K
                                Like Ruff mentioned above, Google and others also set up blacklists.
                                Okay, but that doesn't answer how I'd know if Norton had blacklisted me. Google would be rather obvious but for non-Norton users, not so easy.

                                • cooldude7
                                  Confirmed User
                                  • Nov 2009
                                  • 4306

                                  #17
                                  Originally posted by rogueteens
                                  Okay, but that doesn't answer how I'd know if Norton had blacklisted me. Google would be rather obvious but for non-Norton users, not so easy.
                                  http://safeweb.norton.com/safety

                                  @ is this site safe?
