Today, upon visiting the forum, the Windows Media Player is called and it tries to access this:
http://www.hheuhez.co.cc/x55/helpctrall.php
It looks like the forum got manipulated by an attacker.
Best regards!
http://www.hheuhez.co.cc/x55/helpctrall.php
I had it just by going directly to the home page, not to the forum.
Tomba wrote:
Thanks for reporting this, guys.
I also had a few PMs about this.
Is this still happening?
The curious thing is that I never had any such warning.
Is it on the forum pages or on news, or where exactly?
Domain Dossier on http://www.hheuhez.co.cc
Reported Attack Page!
This web page at www.hheuhez.co.cc has been reported as an attack page and has been blocked based on your security preferences.
Attack pages try to install programs that steal private information, use your computer to attack others, or damage your system.
Some attack pages intentionally distribute harmful software, but many are compromised without the knowledge or permission of their owners.
http://www.hheuhez.co.cc is a URL.
Domain Dossier will continue with www.hheuhez.co.cc.
Address lookup
canonical name www.hheuhez.co.cc.
aliases
addresses 69.50.221.196
Domain Whois record
Queried whois.nic.cc with "dom hheuhez.co.cc"...
No match for domain "HHEUHEZ.CO.CC".
>>> Last update of whois database: Fri, 24 Sep 2010 08:00:11 EDT <<<
Network Whois record
Queried whois.arin.net with "n 69.50.221.196"...
NetRange: 69.50.192.0 - 69.50.223.255
CIDR: 69.50.192.0/19
OriginAS:
NetName: ATJEU
NetHandle: NET-69-50-192-0-1
Parent: NET-69-0-0-0-0
NetType: Direct Allocation
NameServer: NS1.ATJEU.COM
NameServer: NS2.ATJEU.COM
RegDate: 2003-06-04
Updated: 2010-07-27
Ref: http://whois.arin.net/rest/net/NET-69-50-192-0-1
OrgName: atjeu publishing, llc
OrgId: APL-37
Address: 1515 West Deer Valley Road
Address: C-103
City: Phoenix
StateProv: AZ
PostalCode: 85027
Country: US
RegDate: 2002-09-10
Updated: 2009-11-30
Ref: http://whois.arin.net/rest/org/APL-37
OrgTechHandle: BV137-ARIN
OrgTechName: Vasilev, Boris
OrgTechPhone: +1-623-434-5294
OrgTechEmail: sales@atjeu.com
OrgTechRef: http://whois.arin.net/rest/poc/BV137-ARIN
DNS records
DNS query for 196.221.50.69.in-addr.arpa returned an error from the server: NameError
name class type data time to live
www.hheuhez.co.cc IN A 69.50.221.196 86400s (1.00:00:00)
hheuhez.co.cc IN A 69.50.221.196 86400s (1.00:00:00)
hheuhez.co.cc IN NS ns3.freedns.ws 86400s (1.00:00:00)
hheuhez.co.cc IN NS ns1.freedns.ws 86400s (1.00:00:00)
hheuhez.co.cc IN MX
preference: 5
exchange: mail.hheuhez.co.cc
86400s (1.00:00:00)
hheuhez.co.cc IN NS ns4.freedns.ws 86400s (1.00:00:00)
hheuhez.co.cc IN NS ns2.freedns.ws 86400s (1.00:00:00)
hheuhez.co.cc IN SOA
server: ns1.freedns.ws
email: admin.freedns.ws
serial: 1285267066
refresh: 21600
retry: 3600
expire: 604800
minimum ttl: 3600
86400s (1.00:00:00)
Traceroute
Tracing route to www.hheuhez.co.cc [69.50.221.196]...
hop rtt rtt rtt ip address fully qualified domain name
1 0 1 0 70.84.211.97 61.d3.5446.static.theplanet.com
2 0 0 0 70.87.254.1 po101.dsr01.dllstx5.theplanet.com
3 0 0 0 70.85.127.105 po51.dsr01.dllstx3.theplanet.com
4 0 0 0 70.87.255.25 19.ff.5746.static.theplanet.com
5 0 0 0 70.85.126.226 e2.7e.5546.static.theplanet.com
6 23 23 23 68.1.0.169 chnddsrj02-ae3.0.rd.ph.cox.net
7 25 34 25 70.169.73.11
8 25 25 26 70.182.52.86 wsip-70-182-52-86.ph.ph.cox.net
9 35 27 27 69.50.221.196
Trace complete
Service scan
FTP - 21 220 ProFTPD 1.3.3a Server (ProFTPD Default Installation) [::ffff:69.50.221.196]
SMTP - 25 Error: TimedOut
HTTP - 80 HTTP/1.1 403 Forbidden
Date: Fri, 24 Sep 2010 06:38:21 GMT
Server: Apache/2.2.16 (FreeBSD) mod_ssl/2.2.16 OpenSSL/0.9.8k DAV/2 PHP/5.3.3
Connection: close
Content-Type: text/html; charset=iso-8859-1
POP3 - 110 +OK Dovecot ready.
IMAP - 143 * OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE STARTTLS AUTH=PLAIN AUTH=LOGIN] Dovecot ready.
endless wrote:
Hello,
Today, upon visiting the forum, the Windows Media Player is called and it tries to access this:
http://www.hheuhez.co.cc/x55/helpctrall.php
It looks like the forum got manipulated by an attacker.
Best regards!