02-02-2011, 03:54 PM   #1
BFT3K

Please Read This! - Important Security Issue!

I am not a technical expert, but from what I can figure out, here is a major hacker issue that everyone should be aware of.

Read on, as IT DOES AFFECT SALES!

If I am not interpreting this information incorrectly, please clarify, as I am not married to my own interpretation, but it appears to be a very valid hypothesis.

I recently noticed one or two of my sites were receiving malware warnings, when attempting to access the pages.

Upon further investigation I noticed that all of my "error" pages were infected by iframes that redirected you to a Russian site.

I then did a search for my own sites, and I came upon many pages which included text along the lines of the following...

-----------

How to get FREE Access to YourSiteName.com (obviously this is actually the real name of the site, but I changed it for demonstration purposes)

Using someone elses YourSiteName.com membership to get access is shady...and all the YourSiteName.com passwords on google are expired

But I finally got in for free by using a free deal link for YourSiteName.com

1. Use the deal link below
2. Click to join YourSiteName.com...fill in an email and password
3. Verify you're not under 18 with a credit card...(Don't worry it won't be charged)
4. Then just check your email for the Free Lifetime Membership!

Deal Link: http://refer.ccbill.com/cgi-bin/clic...m/updates.html

-----------

The link address is intentionally incorrect: http://www.YourSiteName.com/updates.html. On my sites for example, the updates.html portion has a capital "U" and not a lower "u" - so you are instantly redirected to one of the infected error pages.

BTW: CCBill has since flagged account number 2186562, but it isn't even clear if they were the culprit.

When the link was working, the surfer would enter a credit card to join for free, and then, since the page does not really exist, the thieves/hackers would steal the card number, and then redirect them to one of my error pages, which they had already infected with iframe malware.

Adding insult to injury (and this is the worst part), it looks like Symantec (the parent company of Norton Utilities) has taken it upon itself to inform everyone using Norton Utilities, that the pages of these sites are dangerous to visit.

The problem is, even AFTER you remove the iframes from your pages, the Norton warnings DO NOT GO AWAY!

It is fine for a security company to warn you that a site is dangerous, but for them to compile a database, and then NOT update that database in realtime, is TOTAL BULLSHIT!

As more and more sites are now finding themselves on this Symantec blacklist, it is obvious that MANY DOLLARS are being lost, by both the site owners, as well as the billing companies!

I just had a very long talk with CCBill about this, and they totally agree that sales are now falling, thanks to this Symantec bullshit - even though I suppose it was meant to be helpful.

What say you?
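
Added example, not part of the original thread or any poster's code: one way to check pages (error pages included) for the kind of injected iframe described in post #1 is to parse each file and flag any iframe whose `src` points at a host outside an allowlist. The allowlisted host name, the sample page and the function names are assumptions made for illustration.

```python
import re
from html.parser import HTMLParser
from pathlib import Path
from urllib.parse import urlparse

# Assumption: hosts this site legitimately frames (placeholder name).
ALLOWED_HOSTS = {"www.yoursitename.example"}
HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)

class IframeAuditor(HTMLParser):
    """Records every iframe whose src points at a host off the allowlist."""
    def __init__(self, allowed):
        super().__init__()
        self.allowed = {h.lower() for h in allowed}
        self.findings = []
    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {k: (v or "") for k, v in attrs}
        try:
            host = (urlparse(a.get("src", "").strip()).hostname or "").lower()
        except ValueError:
            host = "<unparseable src>"  # malformed URL: report it, do not crash
        if not host or host in self.allowed:
            return  # relative URL (same site) or allowlisted host
        hidden = (a.get("width") in ("0", "1") or a.get("height") in ("0", "1")
                  or bool(HIDDEN_STYLE.search(a.get("style", ""))))
        self.findings.append({"line": self.getpos()[0], "host": host, "hidden": hidden})

def audit_html(text, allowed=ALLOWED_HOSTS):
    auditor = IframeAuditor(allowed)
    auditor.feed(text)
    auditor.close()
    return auditor.findings

def audit_tree(root, allowed=ALLOWED_HOSTS, exts=(".html", ".htm", ".shtml", ".php")):
    """Scan a document root; returns {path: findings} for files with hits."""
    report = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in exts:
            hits = audit_html(path.read_text(errors="replace"), allowed)
            if hits:
                report[str(path)] = hits
    return report

# Constructed sample: error page with one legitimate and one injected iframe.
SAMPLE_404 = """<html><body><h1>404 Not Found</h1>
<iframe src="/members/banner.html" width="300" height="60"></iframe>
<iframe src="http://injected.example/in.php" width="1" height="1"></iframe></body></html>"""
```

Running `audit_tree` over the document root after a cleanup, and before asking a blacklist operator for re-evaluation, confirms that no off-site iframe is left in any page.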

02-02-2011, 03:57 PM   #2
AzteK
Do you know what the exploit is and to protect against it?

02-02-2011, 04:00 PM   #3
BFT3K
Quote:
Originally Posted by AzteK
Do you know what the exploit is and to protect against it?

A hacked FTP break in is the best theory so far, but that theory is not yet verified.

02-02-2011, 04:06 PM   #4
BFT3K
These are not my sites, but here are additional examples of the scam. Maybe one of these is YOUR site?

http://www.e-bug.net/forum/messages/5354.shtml
http://www.topgun.com.tw/forum_view.php?sn=110129112428
http://beatbox.com.do/web/guia/item/19-cash-the-club
http://michaud-designs.net/vpig/show...ject_id=212945

02-02-2011, 04:14 PM   #5
HD Content
Yes I agree, I have been getting passwords hacked. I thought CCBill was getting hacked and giving out the passwords to my site. It seems the big wigs are at it again.

02-02-2011, 04:17 PM   #6
BFT3K
Quote:
Originally Posted by HD Content
Yes I agree, I have been getting passwords hacked. I thought CCBill was getting hacked and giving out the passwords to my site. It seems the big wigs are at it again.

Looks Russian, but the truly disturbing part of this story is the part about Symantec's database. The people who try to gain access to our sites without paying deserve to get fucked, but to lose sales because Symantec does not update their blacklist in realtime, is a whole other kettle of fish.

iframe issue seems to have originated from here...


02-02-2011, 04:34 PM   #7
SmokeyTheBear
Over the past 90 days, zabilppc.org appeared to function as an intermediary for the infection of 73 site(s) including fullmelons.com/, chicksinsocks.com/, hottiesniper.com/.

02-02-2011, 04:42 PM   #8
BFT3K
Quote:
Originally Posted by SmokeyTheBear
Over the past 90 days, zabilppc.org appeared to function as an intermediary for the infection of 73 site(s) including fullmelons.com/, chicksinsocks.com/, hottiesniper.com/.

And my guess is the owners of those sites have since removed their iframe infected pages, but thanks to Symantec's blacklist, 2 of the 3 sites you just listed are still marked as dangerous.

Symantec is killing sales. They have no right to flag sites for malware, and then, once the site is disinfected, they leave the site on the list for all Norton protected computers to continue receiving the warnings.

How many sales are being lost to this?!

Last edited by BFT3K; 02-02-2011 at 04:45 PM..

02-02-2011, 05:19 PM   #9
EDepth
Looks like he was just trying to get people to sign up to sites expecting it was free when it really wasn't. CCBill flagged all of his accounts as well. Appears the exploit stuff is unrelated is my guess. Or maybe he is combo'ing it if your box is infected w/ his board spam.

02-02-2011, 05:38 PM   #10
biskoppen
This has been a problem for many years. I think I remember that back when I dug into this I found out that these Russian hackers are in the top 5 of most sales generating adult webmasters out there.

02-02-2011, 05:49 PM   #11
BFT3K
I just contacted Symantec about this issue.

I asked many questions, but in the end the most I could get out of them is this link. It is a form you need to fill out, to have your site re-evaluated....

http://us.norton.com/support/kb/web_...070815 2454EN

So to sum up, once you are flagged, your site pops up warnings to your surfers. Once you fix the problem, your site remains flagged by Norton Security until you set up a Norton account, and request a flag removal.

How about that?

Last edited by BFT3K; 02-02-2011 at 06:02 PM..

02-02-2011, 06:59 PM   #12
jonnydoe
I had something similar happen several years ago where every index page on the server was infected with an iframe. My host was able to quickly kill all occurrences but we never did trace exactly how they got in to plant it for sure. I was running a custom PHP script so we speculated that there was a vulnerability but it was not attacked again. We also speculated that it could have possibly happened when reviewing a submission that was infected and then it somehow went through the local PC's FTP client to the server.

I think I would make sure that your CMS is up to date or still being updated by the script writer to avoid it recurring.

02-02-2011, 07:01 PM   #13
rogueteens
If you don't use Norton, how do you know if they have flagged one of your sites?

02-02-2011, 07:33 PM   #14
ruff
I had someone get into my main server and put iframe redirects on my error pages. This was back when I was getting hacked about every month. I still don't know what exploit they used, got some FTP data and only targeted about 10 sites every time. Finally had my server admin restrict access to that server to my IP address only and no problem since. Got flagged by Norton, Google and McAfee but everything went away after I cleaned the sites.

02-02-2011, 08:23 PM   #15
BFT3K
Quote:
Originally Posted by rogueteens
If you don't use Norton, how do you know if they have flagged one of your sites?

Like Ruff mentioned above, Google and others also set up blacklists.

Google offers a similar resubmission option, but I suppose, over time, the sites are ultimately revisited. If they are clean, they will be accepted and re-indexed again... eventually.

If you want to expedite this process however, you need to manually re-submit the site(s) to all blacklists you find yourself on.

02-02-2011, 09:00 PM   #16
rogueteens
Quote:
Originally Posted by BFT3K
Like Ruff mentioned above, Google and others also set up blacklists.

Okay, but that doesn't answer how I'd know if Norton had blacklisted me. Google would be rather obvious but for non-Norton users, not so easy.

02-02-2011, 09:15 PM   #17
cooldude7
Quote:
Originally Posted by rogueteens
Okay, but that doesn't answer how I'd know if Norton had blacklisted me. Google would be rather obvious but for non-Norton users, not so easy.

http://safeweb.norton.com/safety

@ is this site safe?