WARNING! Clickzs.com associated with trojan/codec installs

[rowan]

pornstarsxtra.com - came across this site mentioned on another board. It appears to be an old school paysite, but it also has pages that show a fake video player window (it's just an image, no attempt at embedding a video) with a link to an executable:



Description of IE SecPlugin
IE SecPlugin is an adware application that hijacks search page and monitors internet activities of the user.

WHOIS shows the registrant as Netsaits BV with the admin contact Gerco Marsch. clickzs.com has the same details.

clickzs.com lives at 64.237.39.70, pornstarsxtra.com lives at 64.237.39.66. 127 IPs from that block are allocated to Netsaits BV, which includes those two IPs.

So we have these two domains sharing the same company name, same admin contact, same host, same IP block.........

It's not the first time clickzs has been associated with shifty stuff, it wasn't so long ago that they were linking their buttons to Zango.

So who links to clickzs?

clickzs.com - Inlinks (166,840)
www.clicksz.com - Inlinks (95,762)

If they ever decided to be more blatant about their installs then there'd be a lot of shit going down.

[fris]

a lot of people (big sites) use clickzs, this blows

[GAMEFINEST]

good heaeds up

[RawAlex]

I think very few people either understand or choose to understand just how far these codec and spyware installers have gone into the porn business.

I would place a guess today that 30% or more of the joins / money are going to these types of operations, either as direct sales or a traffic buys from PPC sites that use these tools to generate traffic.

[Quickdraw]

Here is what just happened when browsing through freedailyporn.com(another site on 64.237.39.66 and same whois)

The following log shows clicking a link to a gallery and being redirected to trojans on the 85.255 ip range posing as spyware removers. The redirect happened instantly and all the other files you see loaded from the initial redirected page.
85.255.115.222/ind.htm?e404=1&src=124&surl=vip.clickzs.com

Code:

GET http://www.freedailyporn.com/
200 OK
***Click starts here***
GET http://vip.clickzs.com/tgp.php?fdp&thenudeteens.com/ebony/index.html
302 Found to http://85.255.115.222/ind.htm?e404=1&src=124&surl=vip.clickzs.com

GET http://85.255.115.222/ind.htm?e404=1&src=124&surl=vip.clickzs.com
200 OK

GET http://85.255.115.222/site.htm?lng=1&trg=cln&oip=0&trk=xicawxshtfnfffi
200 OK

GET http://85.255.115.222/_cntr.htm?trk=xicawxshtfnfffi
200 OK

GET http://free-spy-cam.net/index.htm?trk=xicawxshtfnfffi
200 OK

GET http://85.255.115.222/cnte-eshdvvw.htm?trk=xicawxshtfnfffi
200 OK

GET http://free-spy-cam.net/loading.htm
200 OK

GET http://69.50.172.115/sp/fpa/index.html
200 OK

GET http://85.255.115.222/cnte-ani_dthcbdg.htm?trk=xicawxshtfnfffi
200 OK

GET http://85.255.115.222/cnte-dhncgts.jar?trk=xicawxshtfnfffi
200 OK

GET http://85.255.115.222/back.htm
200 OK

GET http://85.255.115.222/com/ms/security/SecurityClassLoader.class
404 Not Found

GET http://85.255.115.222/riff_last.bin
200 OK

[Tempest]

Quote:

Originally Posted by Quickdraw

The following log shows clicking a link to a gallery and being redirected to trojans on the 85.255 ip range posing as spyware removers.

I believe that the server has been hacked with a modified version of apache... I've seen that before and that's what the host said. Not to me, but someone else.

[Tempest]

By the way 85.255.112.0 – 85.255.127.255 is INHOSTER and it looks like they're associated with Intercage and the codec installing "group".

[graphicsp1mp]

damn this shit is huge isnt it

nice find rowan

[NTM]

Clickzs

[Turboface]

Using a remotely hosted traffic trading script service is just a flawed idea from the get go.

[en21]

those big site should be able to afford paid script

[Iron Fist]

Brutal. It's no wonder why I dont use any 3rd party software on my network, just can't trust anyone anymore.

[percy]

Hello,

it looks like our server has been hacked. We are working on the problem.

Thanks

Percy

[percy]

This was not our doing, someone hacked our server and placed something on the server causing that fake video player window and it's executable to appear. We are working on the problem and will have it fixed asap.

Thanks again

Percy
Netsaits/ClickZs

[martinsc]

Quote:

Originally Posted by percy

This was not our doing, someone hacked our server and placed something on the server causing that fake video player window and it's executable to appear. We are working on the problem and will have it fixed asap.

Thanks again

Percy
Netsaits/ClickZs

better get this fixed soon....

[boneless]

ah it was all an error peeps, nothing to see here.

same with that zango bs you guys pushed right? also a hack or error.

seems that clicksz gets more and more shitty, and i for one hope every big site owner will drop this shit on the fly.

[Quickdraw]

Quote:

Originally Posted by percy

Hello,

it looks like our server has been hacked. We are working on the problem.

Thanks

Percy

Are you able to tell how long ago you were hacked?

[Godsmack]

Quote:

Originally Posted by boneless

ah it was all an error peeps, nothing to see here.

same with that zango bs you guys pushed right? also a hack or error.

seems that clicksz gets more and more shitty, and i for one hope every big site owner will drop this shit on the fly.

Yeah, good thing there are hackers, so we can all blame them LOL

[JamesK2]

Quote:

Originally Posted by boneless

ah it was all an error peeps, nothing to see here.

same with that zango bs you guys pushed right? also a hack or error.

[u-Bob]

Quote:

Originally Posted by Tempest

By the way 85.255.112.0 ? 85.255.127.255 is INHOSTER and it looks like they're associated with Intercage and the codec installing "group".

correct, inhost(er) is just one of many fake hosting companies used by scammers and thieves.

[u-Bob]

Quote:

Originally Posted by percy

it looks like our server has been hacked. We are working on the problem.

you'll have to do better than that...

[percy]

The executable was placed on our domain pornstarsxtra.com by a hacker. We do not know how they did it but there are just a few sites linking to that content (according to our server logs) and those sites are not ours. Check mommysuncensored dot com (not ours), the top left thumbs are linking to the content on our server (will probably be changed now we have removed the content from our server)

Anyone know the owner of mommysuncensored dot com?


Percy
Netsaits/ClickZs

[RawAlex]

percy, I got news for you... what you found on the domain isn't 10% of the hack. Good luck, the entire box is likely rooted beyond understanding.

[yahoo-xxx-girls.com]

Not a good way to conduct business, thanks for the heads up !

[RawAlex]

Quote:

Originally Posted by Tempest

By the way 85.255.112.0 ? 85.255.127.255 is INHOSTER and it looks like they're associated with Intercage and the codec installing "group".

This is an IP block that shouldn't be carried by anyone. It is amazing how much shit they are getting away with.

[fris]

use chkrootkit to find which files have been modified

[RawAlex]

Quote:

Originally Posted by Fris

use chkrootkit to find which files have been modified

Run it daily - because part of the trick is how they get access - the initial breakin occurs via FTP, usually obtained by a compromised webmaster PC. So the webmaster gets their server cleaned up, and the next day, they walk right back in (because even when you change the FTP or telnet passwords, they pick them right up again on your next access).

You need to check and clean not only the server, but any and all PCs that may have FTP or telnet access to the server, including all systems used by your hosting company that might have access.

Good fucking luck.

[JD]

fuck me....

[rowan]

bump....

[rowan]

One more bump

[Quickdraw]

Quote:

Originally Posted by Tempest

I believe that the server has been hacked with a modified version of apache... I've seen that before and that's what the host said. Not to me, but someone else.

I would like to believe that, this trojan redirect has been happening for months, and is still happening at this moment.

They took care of those videos right away, but the redirection to the trojans was never addressed. They have had plenty of time to clean up their server, so why is the redirect still happening? Lazy admin, bad host, maybe not a hack? The longer it takes to get fixed the less I believe it is a hack.

[Aussie Rebel]

Bump.....

[boneless]

as per my topic, thnk god for hacker, else there wasnt an excuse for this type of bad behaviour.

[Godsmack]

Quote:

Originally Posted by boneless

as per my topic, thnk god for hacker, else there wasnt an excuse for this type of bad behaviour.

LOL thats what i said earlier..

[hdkiller]

this is a gohackyourself thread?

[boneless]

Quote:

Originally Posted by hdkiller

this is a gohackyourself thread?

i think so yes

[Godsmack]

Quote:

Originally Posted by hdkiller

this is a gohackyourself thread?

Lolol, sure looks like it

[rowan]

Quote:

Originally Posted by hdkiller

this is a gohackyourself thread?

That's a better name for a knockoff board than many have come up with.

[NyLoS]

not again, gerco ! wake up !!! jeeez

[klinton]

Quote:

Originally Posted by Tempest

By the way 85.255.112.0 ? 85.255.127.255 is INHOSTER and it looks like they're associated with Intercage and the codec installing "group".

I have also problems with this ip on my sites....redirects...and I also don't know how this could happen :P...damn

[biskoppen]

Nice... another 100k users infected with the codec trojan, another drop in our sales...

Let me repeat myself.. : I'm pretty sure, from stuff I've seen, that these guys are in the top 3 of affiliates overall with all programs.. You have NO IDEA how much they're stealing

[RawAlex]

The amount they are stealing is pretty stunning - and most programs know it and smile and take their traffic anyway.

[Tempest]

Quote:

Originally Posted by klinton

I have also problems with this ip on my sites....redirects...and I also don't know how this could happen :P...damn

Have your host check the apache binary and ensure it hasn't been replaced.

[klinton]

Quote:

Originally Posted by Tempest

Have your host check the apache binary and ensure it hasn't been replaced.

at first I thought that it was dns cache poisoning...
but it looks like it is something different,maybe this what you are saying...hopefully..I'll contact them asap

[ServerGenius]

Quote:

Originally Posted by Fris

use chkrootkit to find which files have been modified

chkrootkit isn't nearly as good as rkunter free for download @ http://www.rootkit.nl/

[Miguel T]

Happy I dont use that ;)

[Quickdraw]

Still hacked? This redirect happened today.

htxp://cz8.clickzs.com/tgp.php?bbgx&60&CJ1&hxtp://galleries.babes.tv/mg/08/?nats=MTAwMDQ5OjM6Ng,0,0,0,1107875810&content=suzi ecarina2b

htxp://85.255.115.222/ind.htm?e404=1&src=130&surl=cz8.clickzs.com