Virgin Media Phorm Webwise Adverts [Updated: See Post No. 1, 77, 102 & 797]

[Rchivist]

Quote:

Originally Posted by Ravenheart

Addblock and No Script are blocking the links to

http://traffurl.ru/sliv?19907971



Hmm, tis suspicious

traffurl.ru seems quite a familiar domain on google with lots of queries and dodgy script compaints - just google "traffurl.ru" but don't panic! I wouldn't necessarily follow all the urls given on the various forums as they include hacker sites.

I'm using Norton AV, Sunbelt Counterspy 1.5, and Flashblock- no warnings from them - but as traffurl.ru is on my mvps HOSTS file, it isn't actually getting to do anything anyway as it resolves to 127.0.0.1.
also running FF and Adblock and NoScript.

Page Source shows me an obfuscated script right at the bottom of the page, underneath the </body> and </html> tags.
script>eval(unescape(etc. etc. </script> - that corresponds to what was showing on some of the google entries.

The WHOIS I got on traffurl.ru is
domain: TRAFFURL.RU
type: CORPORATE
nserver: ns2.googleset.info.
nserver: ns1.googleset.info.
state: REGISTERED, DELEGATED
person: Private Person
phone: +7 812 1234567
e-mail: rekvizitor@gmail.com
registrar: NAUNET-REG-RIPN
created: 2007.12.20
paid-till: 2008.12.20
source: TC-RIPN
Last updated on 2008.04.29 19:57:06 MSK/MSD

Looks like your site may have been got hacked.

[JackSon]

Yes AVG here didn't like that site either. Co-inciedently, AVG also objects to me attempting to view page 339 of this topic thread. Which leaves me unable to read any posts on it currently

[popper]

that thread implyed its downloading a codec, do we know what its calling itself and were its putting it ?

if thats the case and will a simple regsvr32.exe /u codec-name then delete the file if its auto installed itself work?


http://www.developersdex.com/asp/mes...2978&r=6157380
"
Re: Strange javascript in my index.html file.
From: The Magpie
Date Posted: 2/11/2008 5:40:00 PM


Randy Webb wrote:
>
> I agree that something got whacked somewhere. But, before you can
> even answer the question, you would have to know where the "file"
> is served from. It could be on a server that has free FTP - for a
> price - and is silently inserting it.
>
Agreed, you do.
>
> As for it being a site that you are "driving visitors" to, that is
> nonsense. The iframe is hidden - display: none. Doesn't make a lot
> of sense to drive someone to your site if you hide the window it is
> going to be displayed in.
>
Correct - nothing to do with the site location.
>
> Bet you an internet beer it is a tracking site.
>
There, you lose.

Its a trojan disguised as a codec and drops quietly and happily into
your system through Media Player (unless you are one of the few
cautious types who set it to choose "Don't download codecs without
bloody asking me first!"). For the OP this means a couple of things.

1. Your PC is now infected and has been recruited into a botnet.
2. Your website is infecting other PCs every time one visits it.
3. Your PC is now being used by a - probably criminal - gang.
4. The hard one - you know about it, so you are responsible.

In essence, this means fix the website, or you could be sued. Clean
your PC, or you could be sued. Report the hacking to your hosting
provider, or you could be sued. Report it to your local or national
police, or - worst of all - you could be charged as an accessory to
the criminal activity probably now going on with your PC and with all
your website visitors. Yes, this is serious. You need to deal with it."

[AlexanderHanff]

Jamie,

I hope you don't mind but I just asked the badphorm admins to suspend the thread temporarily so you can sort this out without people being at risk.

Alexander Hanff

[Deko]

Has this also caused problems @ badphorm ?

[AlexanderHanff]

Quote:

Originally Posted by Deko

Has this also caused problems @ badphorm ?

The same site is in a stickied thread over there.

Alexander Hanff

[Deko]

Ahhh its the link thats causing the warning, not the quoted code inserted into these pages

My brain is frazzled today like the 100A breaker which blew this morning and took out 6 Electraks on that phase :-(

[OF1975]

Although not a Man City fan, and there's a tenous link to Phorm in this post, but I see that Thaksin Shinawatra is trying to rival BT,VM and Talk Talk for most stupid decision of the year by sacking Eriksson

[popper]

lol
http://www.ispreview.co.uk/talk/show...threadid=26993
29-04-2008, 05:11 PM
Bob2002
!EXTREME Member!

Join Date: Oct 2003
Posts: 2,297



I've located the real thing - feel free to use it as you will

[img]Download Failed (1)[/img]

[mark777]

Quote:

Originally Posted by OF1975

Although not a Man City fan, and there's a tenous link to Phorm in this post, but I see that Thaksin Shinawatra is trying to rival BT,VM and Talk Talk for most stupid decision of the year by sacking Eriksson

Perhaps poor decision making is common amongst those facing being locked up.

----

Nice one popper!

[CWH]

Just a thought. Can anyone explain the difference between BT, who has already tested over 100,000 customers and going to do further tests, and VM who reputedly haven't done any tests at all, (apart from - in their words - a small lab test).
It would appear to me, that these two different approaches can't be reconciled, particularly when VM tell that all 'Due Diligence' will be completed prior to roll-out.

Colin

It seems pretty clear that BT, VM and 'tother lot have agreed between them that BT will carry out (and, as we know, has already carried out) testing on behalf of all three.

[popper]

Quote:

Originally Posted by CWH

Just a thought. Can anyone explain the difference between BT, who has already tested over 100,000 customers and going to do further tests, and VM who reputedly haven't done any tests at all, (apart from - in their words - a small lab test).
It would appear to me, that these two different approaches can't be reconciled, particularly when VM tell that all 'Due Diligence' will be completed prior to roll-out.

Colin

the most obvious one is that the BT executives and personel involved in the Unlawful RIPA interception in 2006/7 are under direct threat of a criminal conviction at some point in the future.

were as the other two firms are as yet until evidence emerges are not, currently.

"remember RIPA conviction for UK executives case law already exists.

the lost RIPA appeal of Stanford's
http://www.lawdit.co.uk/reading_room...20Stanford.htm
"
Stanford Loses Criminal Appeal

3 February 2006

Stanford Loses Criminal Appeal

....
The Regulation of Investigatory Powers Act 2000 provides a defence to an individual who intercept a communication in the course of its transmission from a private telecommunication system, if they can establish:

a) that they are entitled to control the operation of the system; or

b) they have the express or implied consent of such a person to make the interception.

Stanford relied on the position that he had gained access to the emails through a company employee. The employee apparently was given access to usernames and passwords on the email server.

Therefore, Stanford argued, he was entitled to access the emails as “a person with a right to control the operation or the use of the system”.

Geoffrey Rivlin QC, the trial judge had a different view. He pointed out that
“right to control”
did not mean that someone had a right to access or operate the system, but that the Act required that person to of had a right to authorise or to forbid the operation. [that mean YOU users as the owner of the data]

Stanford appealed the judge’s decision. However, the Court of Appeal upheld Rivlin’s view. It pointed out that the purpose of the law was to protect privacy. Therefore Stanford’s sentence of 6 months imprisonment (suspended for two years) and a fine of £20,000 with £7000 prosecution costs
were upheld.

Daniel Doherty"

I would like to remind all members that if you do not have consent from an individual(s), you should not be posting their e-mail addresses. CF has received complaints today from some individuals stating their details were posted without consent.

[vicz]

Quote:

Originally Posted by Mick

I would like to remind all members that if you do not have consent from an individual(s), you should not be posting their e-mail addresses. CF has received complaints today from some individuals stating their details were posted without consent.

That'd be K*nt at traffurl.ru then would it?