Forum hacked?

Posted: 24 Sep 2010, 13:01
by endless
Hello,

Today, upon visiting the forum, Windows Media Player is called and it tries to access this:

Code:

http://www.hheuhez.co.cc/x55/helpctrall.php

It looks like the forum got manipulated by an attacker.

Best regards!

Re: Forum hacked?

Posted: 24 Sep 2010, 14:34
by marcush.
yep.
my virus scanner has given alarms since yesterday, removing unknown websites
with exactly this address or derivatives of it...

Re: Forum hacked?

Posted: 24 Sep 2010, 15:07
by freedom_honda
Google Chrome is also warning me that there is malware on F1technical and suggested I stay away from here.

Re: Forum hacked?

Posted: 24 Sep 2010, 15:45
by Carlos
Microsoft Security Essentials Beta V2 also gives a warning. But it's not a problem for me as my anti-malware component blocked any download of code. I think any security software would. Tomba runs a very tight ship and deals with servers that have always been pretty secure. First-time occurrence since I joined the Forum; I'm sure that Tomba or his server will track this down. I'm not worried. It happens to even the best sites. :D

Re: Forum hacked?

Posted: 24 Sep 2010, 18:32
by Steven
Thanks for reporting this guys.
I also had a few PMs about this.

Is this still happening?
The curious thing is that I never had any such warning.

Is it on the forum pages or on news, or where exactly?

Re: Forum hacked?

Posted: 24 Sep 2010, 18:45
by Pup
Google's safe search is down today, so it's likely that only those who got the latest update prior are getting the warning. Usually these things come not from the site itself, but from one of the off-site advertisers.

Yet another reason to run ad-block.

Re: Forum hacked?

Posted: 24 Sep 2010, 18:47
by manchild
My wild guess is that it is conditioned by banners that appear on the site depending on the location of the forum visitor. Perhaps certain banners contain malicious Flash or auto-load something on load. I had some that were crashing Firefox.

Re: Forum hacked?

Posted: 24 Sep 2010, 18:50
by Pup
Beat me to it. :lol:

fwiw, gp.com had the same problem earlier this week. In their case, it was their main advertiser, FXDD.

Re: Forum hacked?

Posted: 24 Sep 2010, 19:25
by fenix4life
Tomba wrote: Thanks for reporting this guys.
I also had a few PMs about this.

Is this still happening?
The curious thing is that I never had any such warning.

Is it on the forum pages or on news, or where exactly?
I had it just by going directly to the home page, not to the forum.
As I was just opening my Gmail account, I wasn't sure what was going on.

After refreshing the f1technical site I had it again, though now it does not occur any more.

Strange thing

Re: Forum hacked?

Posted: 24 Sep 2010, 19:39
by manchild
Firefox on http://www.hheuhez.co.cc
Reported Attack Page!

This web page at www.hheuhez.co.cc has been reported as an attack page and has been blocked based on your security preferences.


Attack pages try to install programs that steal private information, use your computer to attack others, or damage your system.

Some attack pages intentionally distribute harmful software, but many are compromised without the knowledge or permission of their owners.
Domain Dossier on http://www.hheuhez.co.cc
http://www.hheuhez.co.cc is a URL.
Domain Dossier will continue with www.hheuhez.co.cc.
Address lookup
canonical name www.hheuhez.co.cc.
aliases
addresses 69.50.221.196
Domain Whois record

Queried whois.nic.cc with "dom hheuhez.co.cc"...

No match for domain "HHEUHEZ.CO.CC".

>>> Last update of whois database: Fri, 24 Sep 2010 08:00:11 EDT <<<

Network Whois record

Queried whois.arin.net with "n 69.50.221.196"...

NetRange: 69.50.192.0 - 69.50.223.255
CIDR: 69.50.192.0/19
OriginAS:
NetName: ATJEU
NetHandle: NET-69-50-192-0-1
Parent: NET-69-0-0-0-0
NetType: Direct Allocation
NameServer: NS1.ATJEU.COM
NameServer: NS2.ATJEU.COM
RegDate: 2003-06-04
Updated: 2010-07-27
Ref: http://whois.arin.net/rest/net/NET-69-50-192-0-1

OrgName: atjeu publishing, llc
OrgId: APL-37
Address: 1515 West Deer Valley Road
Address: C-103
City: Phoenix
StateProv: AZ
PostalCode: 85027
Country: US
RegDate: 2002-09-10
Updated: 2009-11-30

Ref: http://whois.arin.net/rest/org/APL-37

OrgTechHandle: BV137-ARIN
OrgTechName: Vasilev, Boris
OrgTechPhone: +1-623-434-5294
OrgTechEmail: [email protected]

OrgTechRef: http://whois.arin.net/rest/poc/BV137-ARIN

DNS records

DNS query for 196.221.50.69.in-addr.arpa returned an error from the server: NameError
name               class  type  data                                                    time to live
www.hheuhez.co.cc  IN     A     69.50.221.196                                           86400s (1.00:00:00)
hheuhez.co.cc      IN     A     69.50.221.196                                           86400s (1.00:00:00)
hheuhez.co.cc      IN     NS    ns3.freedns.ws                                          86400s (1.00:00:00)
hheuhez.co.cc      IN     NS    ns1.freedns.ws                                          86400s (1.00:00:00)
hheuhez.co.cc      IN     MX    preference: 5, exchange: mail.hheuhez.co.cc             86400s (1.00:00:00)
hheuhez.co.cc      IN     NS    ns4.freedns.ws                                          86400s (1.00:00:00)
hheuhez.co.cc      IN     NS    ns2.freedns.ws                                          86400s (1.00:00:00)
hheuhez.co.cc      IN     SOA   server: ns1.freedns.ws, email: admin.freedns.ws,        86400s (1.00:00:00)
                                serial: 1285267066, refresh: 21600, retry: 3600,
                                expire: 604800, minimum ttl: 3600
Traceroute

Tracing route to www.hheuhez.co.cc [69.50.221.196]...
hop rtt rtt rtt ip address fully qualified domain name
1 0 1 0 70.84.211.97 61.d3.5446.static.theplanet.com
2 0 0 0 70.87.254.1 po101.dsr01.dllstx5.theplanet.com
3 0 0 0 70.85.127.105 po51.dsr01.dllstx3.theplanet.com
4 0 0 0 70.87.255.25 19.ff.5746.static.theplanet.com
5 0 0 0 70.85.126.226 e2.7e.5546.static.theplanet.com
6 23 23 23 68.1.0.169 chnddsrj02-ae3.0.rd.ph.cox.net
7 25 34 25 70.169.73.11
8 25 25 26 70.182.52.86 wsip-70-182-52-86.ph.ph.cox.net
9 35 27 27 69.50.221.196

Trace complete
Service scan
FTP - 21 220 ProFTPD 1.3.3a Server (ProFTPD Default Installation) [::ffff:69.50.221.196]
SMTP - 25 Error: TimedOut
HTTP - 80 HTTP/1.1 403 Forbidden
Date: Fri, 24 Sep 2010 06:38:21 GMT
Server: Apache/2.2.16 (FreeBSD) mod_ssl/2.2.16 OpenSSL/0.9.8k DAV/2 PHP/5.3.3
Connection: close
Content-Type: text/html; charset=iso-8859-1
POP3 - 110 +OK Dovecot ready.
IMAP - 143 * OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE STARTTLS AUTH=PLAIN AUTH=LOGIN] Dovecot ready.

Re: Forum hacked?

Posted: 24 Sep 2010, 20:03
by marcush.
It happened to me two times, on 23.09 and on 24.09, with Windows Media Player opening when accessing the site and multiple virus warnings popping up in my virus scan software for attacking websites that were moved into q-status.

Re: Forum hacked?

Posted: 24 Sep 2010, 20:05
by Tim.Wright
I just got this now, it still seems to be a problem

Tim
endless wrote: Hello,

Today, upon visiting the forum, Windows Media Player is called and it tries to access this:

Code:

http://www.hheuhez.co.cc/x55/helpctrall.php

It looks like the forum got manipulated by an attacker.

Best regards!

Re: Forum hacked?

Posted: 24 Sep 2010, 20:27
by manchild
Well, check my previous post.

All of you who experience those problems should send a protest email to Atjeu Publishing LLC, the hosting company on whose server that malicious site is: [email protected]

Or call them if you're in the USA: +1-623-434-5294

OrgTechHandle: BV137-ARIN
OrgTechName: Vasilev, Boris
OrgTechPhone: +1-623-434-5294
OrgTechEmail: [email protected]

The more complaints, the sooner it will be shut down.

Re: Forum hacked?

Posted: 24 Sep 2010, 22:38
by Steven
I blocked the domain from google ads, might take a few hours to take effect.
Let me know if you get any more errors, ok?

Thanks!

Re: Forum hacked?

Posted: 24 Sep 2010, 23:28
by n_anirudh
Guess it's with Windows only. Been using Ubuntu now and nothing too weird happening :)