Forum hacked?

endless
0
Joined: 03 Jul 2010, 09:17


Hello,

Today, upon visiting the forum, the Windows Media Player is called and it tries to access this:


http://www.hheuhez.co.cc/x55/helpctrall.php

It looks like the forum got manipulated by an attacker.

Best regards!

marcush.
159
Joined: 09 Mar 2004, 16:55

Re: Forum hacked?


Yep.
My virus scanner has given alarms since yesterday... removing unknown websites...
with exactly this address or derivatives of it...

freedom_honda
0
Joined: 23 Jul 2007, 04:12

Re: Forum hacked?


Google Chrome is also warning me there is malware on F1technical and suggested I stay away from here.

Carlos
11
Joined: 02 Sep 2006, 19:43
Location: Canada

Re: Forum hacked?


Microsoft Security Essentials Beta V2 also gives a warning. But it's not a problem for me as my anti malware component blocked any download of code. I think any security software would. Tomba runs a very tight ship and deals with servers that have always been pretty secure. First time occurrence; since I joined the Forum, I'm sure that Tomba or his server will track this down. I'm not worried. It happens to even the best sites. :D

Steven
Owner
Joined: 19 Aug 2002, 18:32
Location: Belgium

Re: Forum hacked?


Thanks for reporting this, guys.
I also had a few PMs about this.

Is this still happening?
The curious thing is that I never had any such warning.

Is it on the forum pages or on news, or where exactly?

Pup
50
Joined: 08 May 2008, 17:45

Re: Forum hacked?


Google's safe search is down today, so it's likely that only those who got the latest update prior are getting the warning. Usually these things come not from the site itself, but from one of the off-site advertisers.

Yet another reason to run ad-block.
Last edited by Pup on 24 Sep 2010, 18:49, edited 1 time in total.

manchild
12
Joined: 03 Jun 2005, 10:54

Re: Forum hacked?


I'd make a wild guess that it is conditioned by banners that appear on the site depending on the location of the forum visitor. Perhaps certain banners contain malicious Flash or auto-load something on load. I had some that were crashing Firefox.

Pup
50
Joined: 08 May 2008, 17:45

Re: Forum hacked?


Beat me to it. :lol:

fwiw, gp.com had the same problem earlier this week. In their case, it was their main advertiser, FXDD.

fenix4life
0
Joined: 15 Mar 2008, 10:32

Re: Forum hacked?


Tomba wrote: Thanks for reporting this, guys.
I also had a few PMs about this.

Is this still happening?
The curious thing is that I never had any such warning.

Is it on the forum pages or on news, or where exactly?

I had it just by going directly to the home page, not to the forum.
As I was just opening my gmail account I wasn't sure what was going on.

After refreshing the f1technical site I had it again.
Even though now it does not occur any more.

Strange thing

manchild
12
Joined: 03 Jun 2005, 10:54

Re: Forum hacked?


Firefox on http://www.hheuhez.co.cc
Reported Attack Page!

This web page at www.hheuhez.co.cc has been reported as an attack page and has been blocked based on your security preferences.


Attack pages try to install programs that steal private information, use your computer to attack others, or damage your system.

Some attack pages intentionally distribute harmful software, but many are compromised without the knowledge or permission of their owners.
Domain Dossier on http://www.hheuhez.co.cc
http://www.hheuhez.co.cc is a URL.
Domain Dossier will continue with www.hheuhez.co.cc.
Address lookup
canonical name www.hheuhez.co.cc.
aliases
addresses 69.50.221.196
Domain Whois record

Queried whois.nic.cc with "dom hheuhez.co.cc"...

No match for domain "HHEUHEZ.CO.CC".

>>> Last update of whois database: Fri, 24 Sep 2010 08:00:11 EDT <<<

Network Whois record

Queried whois.arin.net with "n 69.50.221.196"...

NetRange: 69.50.192.0 - 69.50.223.255
CIDR: 69.50.192.0/19
OriginAS:
NetName: ATJEU
NetHandle: NET-69-50-192-0-1
Parent: NET-69-0-0-0-0
NetType: Direct Allocation
NameServer: NS1.ATJEU.COM
NameServer: NS2.ATJEU.COM
RegDate: 2003-06-04
Updated: 2010-07-27
Ref: http://whois.arin.net/rest/net/NET-69-50-192-0-1

OrgName: atjeu publishing, llc
OrgId: APL-37
Address: 1515 West Deer Valley Road
Address: C-103
City: Phoenix
StateProv: AZ
PostalCode: 85027
Country: US
RegDate: 2002-09-10
Updated: 2009-11-30

Ref: http://whois.arin.net/rest/org/APL-37


OrgTechHandle: BV137-ARIN
OrgTechName: Vasilev, Boris
OrgTechPhone: +1-623-434-5294
OrgTechEmail: sales@atjeu.com


OrgTechRef: http://whois.arin.net/rest/poc/BV137-ARIN

DNS records

DNS query for 196.221.50.69.in-addr.arpa returned an error from the server: NameError
name class type data time to live
www.hheuhez.co.cc IN A 69.50.221.196 86400s (1.00:00:00)
hheuhez.co.cc IN A 69.50.221.196 86400s (1.00:00:00)
hheuhez.co.cc IN NS ns3.freedns.ws 86400s (1.00:00:00)
hheuhez.co.cc IN NS ns1.freedns.ws 86400s (1.00:00:00)
hheuhez.co.cc IN MX preference: 5, exchange: mail.hheuhez.co.cc 86400s (1.00:00:00)
hheuhez.co.cc IN NS ns4.freedns.ws 86400s (1.00:00:00)
hheuhez.co.cc IN NS ns2.freedns.ws 86400s (1.00:00:00)
hheuhez.co.cc IN SOA server: ns1.freedns.ws, email: admin.freedns.ws, serial: 1285267066, refresh: 21600, retry: 3600, expire: 604800, minimum ttl: 3600 86400s (1.00:00:00)
Traceroute

Tracing route to www.hheuhez.co.cc [69.50.221.196]...
hop rtt rtt rtt ip address fully qualified domain name
1 0 1 0 70.84.211.97 61.d3.5446.static.theplanet.com
2 0 0 0 70.87.254.1 po101.dsr01.dllstx5.theplanet.com
3 0 0 0 70.85.127.105 po51.dsr01.dllstx3.theplanet.com
4 0 0 0 70.87.255.25 19.ff.5746.static.theplanet.com
5 0 0 0 70.85.126.226 e2.7e.5546.static.theplanet.com
6 23 23 23 68.1.0.169 chnddsrj02-ae3.0.rd.ph.cox.net
7 25 34 25 70.169.73.11
8 25 25 26 70.182.52.86 wsip-70-182-52-86.ph.ph.cox.net
9 35 27 27 69.50.221.196

Trace complete
Service scan
FTP - 21 220 ProFTPD 1.3.3a Server (ProFTPD Default Installation) [::ffff:69.50.221.196]
SMTP - 25 Error: TimedOut
HTTP - 80 HTTP/1.1 403 Forbidden
Date: Fri, 24 Sep 2010 06:38:21 GMT
Server: Apache/2.2.16 (FreeBSD) mod_ssl/2.2.16 OpenSSL/0.9.8k DAV/2 PHP/5.3.3
Connection: close
Content-Type: text/html; charset=iso-8859-1
POP3 - 110 +OK Dovecot ready.
IMAP - 143 * OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE STARTTLS AUTH=PLAIN AUTH=LOGIN] Dovecot ready.

marcush.
159
Joined: 09 Mar 2004, 16:55

Re: Forum hacked?


It happened two times to me, on 23.09 and on 24.09, with Windows player opening when accessing the site and multiple virus warnings popping up in my virus scan software for attacking websites that are moved into q-status.

Tim.Wright
330
Joined: 13 Feb 2009, 06:29

Re: Forum hacked?


I just got this now, it still seems to be a problem

Tim
endless wrote: Hello,

Today, upon visiting the forum, the Windows Media Player is called and it tries to access this:

http://www.hheuhez.co.cc/x55/helpctrall.php

It looks like the forum got manipulated by an attacker.

Best regards!
Not the engineer at Force India

manchild
12
Joined: 03 Jun 2005, 10:54

Re: Forum hacked?


Well, check my previous post.

All of you who experience those problems should send a protest email to Atjeu Publishing LLC, the hosting company on whose server that malicious site is: sales@atjeu.com

Or call them if you're in the USA: +1-623-434-5294

OrgTechHandle: BV137-ARIN
OrgTechName: Vasilev, Boris
OrgTechPhone: +1-623-434-5294
OrgTechEmail: sales@atjeu.com

The more complaints, the sooner it will be shut down.

Steven
Owner
Joined: 19 Aug 2002, 18:32
Location: Belgium

Re: Forum hacked?


I blocked the domain from Google ads, might take a few hours to take effect.
Let me know if you get any more errors, OK?


Thanks!
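
A site owner following up on reports like the ones in this thread can check saved copies of the affected pages for off-site loads that point at the reported host. The following is an added example, not part of the original thread: the page URL `http://forum.example/index.php`, the `ads.example.net` host and the sample HTML are constructed, and only the reported URL is taken from the posts above.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag -> attribute that makes the browser (or a plugin) fetch a URL on page load.
LOAD_ATTRS = {"script": "src", "iframe": "src", "embed": "src",
              "object": "data", "img": "src", "link": "href"}

class ExternalLoads(HTMLParser):
    """Collect resources that a page loads from hosts other than its own."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.site = urlsplit(page_url).hostname
        self.found = []  # (tag, absolute URL, host)

    def handle_starttag(self, tag, attrs):
        attr = LOAD_ATTRS.get(tag)
        value = dict(attrs).get(attr) if attr else None
        if not value:
            return
        url = urljoin(self.page_url, value.strip())  # resolves relative and //host forms
        host = urlsplit(url).hostname
        if host and host != self.site:
            self.found.append((tag, url, host))

def host_matches(host, reported):
    """True for the reported domain itself or any subdomain of it."""
    return host == reported or host.endswith("." + reported)

def audit(html, page_url, reported_domains):
    """Return (all off-site loads, those pointing at a reported domain)."""
    parser = ExternalLoads(page_url)
    parser.feed(html)
    parser.close()
    flagged = [hit for hit in parser.found
               if any(host_matches(hit[2], d) for d in reported_domains)]
    return parser.found, flagged

# Constructed sample page; only the reported URL is taken from the thread.
SAMPLE = """<html><body>
<script src="/js/forum.js"></script>
<img src="http://forum.example/images/logo.png">
<iframe src="//ads.example.net/banner?slot=1"></iframe>
<embed src="http://www.hheuhez.co.cc/x55/helpctrall.php">
</body></html>"""

if __name__ == "__main__":
    offsite, flagged = audit(SAMPLE, "http://forum.example/index.php", ["hheuhez.co.cc"])
    for tag, url, host in offsite:
        print("REPORTED" if (tag, url, host) in flagged else "off-site", tag, url)
```

This only sees what is in the static HTML. Content that an ad script injects at runtime has to be checked against a rendered DOM snapshot or a proxy log instead.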

n_anirudh
28
Joined: 25 Jul 2008, 02:43

Re: Forum hacked?


Guess it's with Windows only. Been using Ubuntu now and nothing too weird happening :)