hacked domain names - hosts file


4 replies to this topic

#1 quirkasaurus

Posted 20 May 2004 - 03:03 PM

SWI-community--

I accidentally stumbled across:

www . neoptes . com

... obviously mistyping www . neopets . com.

What happened was, I was suddenly on a re-directed search engine page
that felt eerily similar to the CWS hacks!! complete with myriads of pop-ups.

Fortunately, I had my Sun Java thing installed and, if it tried, I wasn't infected.

However, I hadn't heard this method used before,
I always see a lot of "HOW DID THIS HAPPEN ?!?!!"

Maybe one of you brave admin souls can visit this site and
confirm this suspicion and we can get this site included in
the spy-bot hosts file, and others like it.

Thanks!

#2 Mere_Mortal

Posted 27 May 2004 - 06:04 AM

Hi and welcome to SWI

Okay, I don't care cos I'm at a Library

Upon reaching the page www.neoptes.com...

Popup 1 -
http://ads1.revenue....FBC_720x300.gif

Popup 2 -
Source code shows several references to
http://search.domainsponsor.com

Popup 3 -
This site was blocked by restriction list: RM Offensive Material Filter List
http://www.games-fac...yringtonen1.htm

Regards

Edited by Mere_Mortal, 27 May 2004 - 06:06 AM.


#3 quirkasaurus

Posted 27 May 2004 - 10:03 AM

So... You're concurring that it contained the CWS virus ?

or... You're saying that the redirected links should already be blocked
by the S&D hosts file ?

Or... You're saying that the popups were blocked by the Library's own
RM filter program ?

All of the above ?

Thanks for answering!

#4 d4vr0s

Posted 27 May 2004 - 05:35 PM

I find any spyware going there on my test system. 2 popups and a popup on exiting the site asking to set your homepage to a lame search engine.

I used hjt and cws to examine the system before and after.

#5 Mere_Mortal

Posted 29 May 2004 - 05:00 AM

I wouldn't know if it's CWS, or at least it doesn't seem to be. Don't quote me there, mind.

Or... You're saying that the popups were blocked by the Library's own RM filter program ?

Only one of them was.

The library host won't allow any such changes to the homepage or registry in any case, so I can't conclude whether the address and/or the popups are malicious.



