There has been a hacker at work...
 

Some guy installed spyware on people's machines through most likely exploiting security flaws in MicroSoft's Internet Explorer. This code is doing the same thing gator's programs are doing: put advertising on pages that weren't there before. Smutserver.com is one of the main targets of this hack right now...

I just got off the phone with smutserver and we went in to the problem in detail. The code that was posted by Grumpy in the other thread wasn't found anywhere on any of the machines on smutserver, and it looks like it it locally generated by a piece of spyware on people's computers. I know in Grumpy's office there's a machine that is infected with this, so I'm pretty sure that by tomorrow morning we'll have a fix available...

The code that is loaded is loading offshoreclicks consoles and then the original page in a frame, but pointed to with an IP-address instead of the original URL to prevent the spyware program to trigger again on the frame that is loaded. This does open possibilities to post an easy fix though.

I'll be writing offshoreclicks to see if they're willing to close down these consoles. I worked with 'em before in the past and I'm pretty confident they're willing to look in to this.

In the mean time I'm tracing down what sites are affected by this Russian cheater to make sure the listings of those sites are layed off for a while.

As soon as a fix is available I'll post it here. This hacker has the possibility right now to ad domains to his program and pop offshoreclicks consoles on any site he whishes... So I think it's pretty important this guy is stopped.

If anybody has any ideas that might be useful, please post 'em here. Remember that this is not something that is "only affecting the free Internet"... if this guy ads gofuckyourself.net to his list offshoreclicks consoles will start popping up every time you close a page here. ALL sites are in risk of being infected...

This wouldnt be a problem if you would stop giving away free porn!


Haha, just kidding. thats serious shit, good luck getting a fix for it. fucking bastards

they killed kenny!

Have you tried using adaware? If this spyware/scumware isn't wide spread they might not have it in their definitions yet, but I have had great luck with them. The URL is:
http://www.lavasoftusa.com/

If anyone doesn't know: adaware is like anti virus software, but for spyware/scumware. They release updated definitions for it to keep you protected from the latest in scumware.

Give it a try, um, or don't.

-Rev

I was on a machine today that had the infection. When I saw it I thought of spyware myself, so we ran ad-aware on it. It found nothing...

Got any file names we could look for?? Or any thing to look for??
In the Reg.

too much free porn!

Nope, it's 1:24am here right now. The office where the infected machine is is closed now. I'll call 'em first thing tomorrow morning.

AYH... please read the entire message. This hacker can easily adapt his spyware to make the same consoles pop up on your site...

it's true. none of this would have happened if there was no free porn!

Russian Cheater! Hah now that's anticlimactic.

LOL he was joking dude.

The code in the other thread seems pretty basic...

This another one of those encoded lines like the guy
last week?

Seems that should be ruled out before you go looking
for adware burrowing into the system. Perhaps a quick
check for "window." hex encoded in the script check
routine.

:( I was joking dude...

my sarcastic humor is unwanted..... I suddenly feel lonely..... someone hold me.... :(

This is definately something that's generated locally... there's no headers and footers or anything in that code, the code as posted in that other thread was all that showed up on the page. If this was done with javascript it would show in the source and the headers and footers of smutserver would be there...

Also, if it would be something in the HTML the original URL and the URL with the IP-address should give the same result, but on an infected machine, they don't. This is really caused by spy-ware

well i think offshoreclicks would have personal information on the guy, after all they pay him.

So i guess the authorities should be contacted

Good thought......I wonder if Offshoreclicks actually has something to do with this??...I mean they are known for some of the worst consoles in the business??.....Just a thought.

OPERA

OPERA

OPERA

www.opera.com

Funny how Mac users don't have to deal with Micro$oft exploits, huh?

Can't that be worked around with a SSI Include statement??

Hell yea!!!

I'm still feeling unloved here guys......

*caresses Amp*

:Graucho

Absolutley - faster and you got to love the tabbed windows.

startin' to feel some love here.....

Or something as simple as this?

http://www.bignosebird.com/sdocs/nested.shtml

*gives Amp a six pack and some smokes*

now that's fuckin' love man!

**gives Amp a six pack and some smokes... and touches him*

Touche :winkwink:

Popov, Konstantin [email protected]
Vavilova str.
47-1-27
Moscow, NA 117312
RU
722-4068


http://www.xrenoder.com/tgp/

Hey... ha ha ..... I'm laughing out loud here.... ha ha ........ and I'd just like to send out a big.... ha ha ha ........ a great big "FUCK YOU"... ha ha ha..... to all those that pissed all over smutserver when this issue first came to light......

ha ha ha


Stupid fuckers. Get your heads out of your asses and realize that freehosts like smutserver are just the opposite of evil... they are excellent. Stupid fucks.


Again,..... ha ha ha. Laugh with me now. I've had pages on smutserver since they started, and have nothing but great things to say about them. My word is final. Get it?

you know I love you CD.....

false, this hacker would just hack the paysites with traffic.

what's a Hun? i dont get it ..


;-)

Shut yer hole biatch!

hmmm, I killed that name awhile back, but I remember "Xrenoder" signed up for a trade shit, maybe 4 months ago? Killed it tho.

There is Never enough free porn on the Net.

Well it keep us Kids off the street Anyhow :thumbsup

Best browser to use!

www.opera.com

good for running multiple bots... but for anything else, it's still 2nd best.

We are getting closer... The consoles have stopped. So I guess the hacker is reading this board or offshoreclicks cancelled his account. The spyware is still active, we found a configuration file of it which seems to be updateable...

this thread is full o' luv.

Both cheaters and Amp get their share of hq man luving.

any more news yet?

Goodluck Hun!

I just wonder...how many folks here contribute to Hun's coffers?
I DO love his business model-
pure money thru other people' efforts
;-)

Yeah, this is pretty much the standard way hackers change start pages and add bookmarks. Norton's latest antivirus now have a "malicious" .js detector that locked this down. It used to be pretty bad last year.

One site that used this method [auto start page modification] is blussy.com -- some gimp ass wannabe search directory.

Its not surprising that a lot of the cheat/hacks out there come from Russia. The exchange rate between USD and Rus R is big enough to make it worth Russian cheaters' time to hack paysite programs either through scummy promo tactics or maybe outright reassigning aff ref codes at the processor level. In addition to the exchange rate, Russians have a high level of technical training. Unlike "script kiddies" a higher proportion of Russian hackers actually write and research their own code.

Frankly, I'm surprised that we haven't heard more stories of card processors being duped into paying cheaters instead of the webmasters that legitimately sent the conversion.

Okay !
Amp's pic at ratethewebmaster is so hot that it shuts down my computer !



Wooo hoooo ! Sexy Pic !