zimok

Got this from Chrome right now, legit?

__________________

If you don't think you have anything to be grateful for, you're not thinking.

Maitiú

I'm getting the same with Google Chrome.

__________________
Your bad vibe will drive away your tribe

Hyasynth

I'm getting the same on Safari 4

http://www.wickedfire.com/suggestion...-new-post.html

Hyasynth

I'm getting the same in Safari 4

Lenny

Spades

Same... with Avast:

__________________

evo190

Norton just blocked:

HTTP malicious javascript encoder

attacking computer: naemnitibo.in (200.63.45.34)

attacker url: naemnitibo.in/cn.php?hyc

tried to attack me on port 57707

zimok

If anyone has a mods phone # or Jon's phone, call him and tell them to remove the rogue iframe. Every hour is money in the hands of the crooks.

__________________

If you don't think you have anything to be grateful for, you're not thinking.

CygnusX

My Trend Micro Antivirus is detecting this too. I hope Jon can get it fixed asap.

Spades

Found it...
Here's the domain info for this stupid fuck. Obviously it's anonymous but I'm hoping Shady will show up soon and dig a little deeper than I can.

Domain Name:NAEMNITIBO.IN
Created On:18-May-2009 15:34:44 UTC
Last Updated On:18-May-2009 15:37:31 UTC
Expiration Date:18-May-2010 15:34:44 UTC
Sponsoring Registrar:Web Commerce Communications Limited dba WebNic.cc (R105-AFIN)
Status:TRANSFER PROHIBITED
Registrant ID:WN13571799T
Registrant Name:Alexander Kalinin
Registrant Organization:Private person
Registrant Street1:ulitsa Dolskaya d.10 kv.33
Registrant Street2:
Registrant Street3:
Registrant City:Moskva
Registrant State/Province:Moskva
Registrant Postal Code:115569
Registrant Country:RU
Registrant Phone:+7.49573431510
Registrant Phone Ext.:
Registrant FAX:+0.0
Registrant FAX Ext.:
Registrant Email:[email protected]
Admin ID:WN13571800T
Admin Name:Alexander Kalinin
Admin Organization:Private person
Admin Street1:ulitsa Dolskaya d.10 kv.33
Admin Street2:
Admin Street3:
Admin City:Moskva
Admin State/Province:Moskva
Admin Postal Code:115569
Admin Country:RU
Admin Phone:+7.49573431510
Admin Phone Ext.:
Admin FAX:+0.0
Admin FAX Ext.:
Admin Email:[email protected]
Tech ID:WN13571801T
Tech Name:Alexander Kalinin
Tech Organization:Private person
Tech Street1:ulitsa Dolskaya d.10 kv.33
Tech Street2:
Tech Street3:
Tech City:Moskva
Tech State/Province:Moskva
Tech Postal Code:115569
Tech Country:RU
Tech Phone:+7.49573431510
Tech Phone Ext.:
Tech FAX:+0.0
Tech FAX Ext.:
Tech Email:[email protected]
Name Server:NS1.NAEMNITIBO.IN
Name Server:NS2.NAEMNITIBO.IN

__________________

texic

Is anyone seeing anything in Firefox? No error here, wondering if it's just because the site is blocked by default.

Sticks79

No problems here, WickedFire teh hacked eh!

__________________

Spades

texic, do you have an AV installed? If not, you could easily be infected with whatever this guys pushing around. Download FREE antivirus software - avast! Home Edition

__________________

smoosh

I will ping Jon or Stanley if no one's done it yet... and FF is not detecting any errors.

__________________
Whatever you do - do NOT milk the bull!
"Pickles of Thunder!" - still in development...
"Put some thunder in your pickle!" - Buy Viagra today!
Ebooks - virtual content guaranteed to make you a virtual billionaire....virtually...

texic

I'm running Kaspersky and all my definitions are up to date. Seems that because Firefox blocks the site by default, nothing is ever run.

kblessinggr

yea i'm getting it on every page of wf on safari 4, basically the embeded url got it flagged as a malware site by association.

__________________
Twitter Facebook Blog
IonVz - Managed VPS (starting at 34.99/month) and Shared (39.99/year) hosting.
Directadmin only $10(non-recurring/one-time). We manage Nginx webservers. Why Nginx?
I can Fix, Slice, Configure or Install your Site/Server

mikeiavelli

my girlfriend's sites got infected recently with something similar (was javascript, not iframes though)

i researched it and basically there is spyware out there that sits idol on people's home computers monitoring FTP ports and sending username/passwords whenever someone logs into an FTP... basic ftp connections aren't encrypted. it's better to use sftp. i cleaned her computer of everything, changed her passwords, and had her switch to sftp before I could get the code to stop popping up every night.

i don't know if that's the problem here, but just a suggestion. i searched for 2-3 days before i figured out that her problems weren't holes in her php scripts or server side stuff....

knukk

Here's Google's diagnostic page about that website: Google Safe Browsing diagnostic page for naemnitibo.in

__________________

knukk

That's true. If you run Firefox it blocks accessing that website until you tell it to do otherwise.

__________________

Red_Virus

I have AVG Internet Security & using Firefox and getting no errors ! is it fixed ?

__________________
Over 1400 reviews posted for my 100 Dofollow Social Bookmarking Service : $19/URL (3 sites only per social bookmarking account). - PM me for discounts on BULK orders.

knukk

No.

But Firefox has that website on automatic block, so it won't access it without your consent.

__________________

kblessinggr

A lot of hooha as being marked as suspicious. Shame its not a simple matter of putting naemnitibo.in into the hosts file to have it pointed to localhost (since the warnings are triggered by either name and ip)

__________________
Twitter Facebook Blog
IonVz - Managed VPS (starting at 34.99/month) and Shared (39.99/year) hosting.
Directadmin only $10(non-recurring/one-time). We manage Nginx webservers. Why Nginx?
I can Fix, Slice, Configure or Install your Site/Server

kblessinggr

You know, I honestly thought that WF got flagged due to makemoniesonline.com and people who keep thinking its malware... shame my expectations were a bust.

__________________
Twitter Facebook Blog
IonVz - Managed VPS (starting at 34.99/month) and Shared (39.99/year) hosting.
Directadmin only $10(non-recurring/one-time). We manage Nginx webservers. Why Nginx?
I can Fix, Slice, Configure or Install your Site/Server

turbolapp

I have AVG and am on FF as well so I don't see what you guys are talking about either. It requires an admin to fix anyways so I'm pretty useless here.

knukk

Well, if you want to see for yourself you can go to http://naemnitibo.in. Firefox will block the access and give you the option to enter it if you'd like.

If you take a look into the source code of every page on Wickedfire now, you'll see that an iframe has been imprinted, which loads naemnitibo.in. Maybe it is a bug that has been exploited. The forums over at DevShed have also been attacked by this fuck (see this thread).

__________________

kblessinggr

If it's an iframe, firefox has the warning shown within the iframe itself, as opposed to the parent frame.

__________________
Twitter Facebook Blog
IonVz - Managed VPS (starting at 34.99/month) and Shared (39.99/year) hosting.
Directadmin only $10(non-recurring/one-time). We manage Nginx webservers. Why Nginx?
I can Fix, Slice, Configure or Install your Site/Server

invisible777

Wow, thank god for Firefox.

This iframing douchebag needs to be hung by his balls.

amfire

working fine with FF. do not see any warning.

Rage9

I didn't see any warning in Firefox either.

__________________


MadPPC.com - PPC, PHP, and other Affiliate Marketing tips. It's OK to be MAD!

knukk

Yes, that's why users of Firefox shouldn't worry even though they haven't seen any warning.

__________________

Webferret

so the question is... what are we going to do to this fuck.

and 'novel' suggestions?

AdHustler

I'll let Jon know.

__________________

puroz

firefox + noscript + ubuntu = lolz @ virus

__________________

Brandon

Stanley took care of it. Thx for letting us know.

__________________
"Let me tell you what Melba Toast is packin' right here, all right. We got 4:11 Positrac outback, 750 double pumper, Edelbrock intake, bored over 30, 11 to 1 pop-up pistons, turbo-jet 390 horsepower. We're talkin' some fuckin' muscle." - Wooderson

zimok

No problem, I'll take a 5 minute video of turbolapp walking on her turbostation as my reward.



From this angle please, thanks

__________________

If you don't think you have anything to be grateful for, you're not thinking.

turbolapp

^^Dude. That is so wrong.

My LCD screen is so much bigger than that.

Brandon

Hahahaha!

__________________
"Let me tell you what Melba Toast is packin' right here, all right. We got 4:11 Positrac outback, 750 double pumper, Edelbrock intake, bored over 30, 11 to 1 pop-up pistons, turbo-jet 390 horsepower. We're talkin' some fuckin' muscle." - Wooderson

zimok

Anything else my princess?

__________________

If you don't think you have anything to be grateful for, you're not thinking.

xmcp123

No matter which way you cut it, the trail goes dead somewhere in Russia. Impossible to verify who's real.
The place is a bulletproof hosting provider.
The only other trail I could see goes to the UK, but the name is "Oleg Orlov"...some human rights politician in Russia. So it's probably just them fucking around.
I could get a little deeper in, but honestly it's a pain in the ass since I can't just visit the URLs.

__________________

Stanley

We removed all traces of the exploit but if it resurfaces send a PM to me & Brandon.

bprimeelite

ahhh I was hoping this was a digital point type of move where they put 20 iframes per page with amazon, ebay, and other affiliate cookies. I never did get a warning using firefox and AVG on this one though and AVG is usually pretty touchy on iframes.

amanda11

OH NOES MALWARE STOLE MAH PASSWORDS.

Seriously, what did the asshole did to my computer.

CPW-Carl

It was called "security system 2009". Basically it tries to scare you into inputing your credit card details to get rid of spyware it "finds" on your system. Oh the irony.

btalibanned

Hey hey hey, wtf is going on here? Where's jon? Where's the Official word on whats happenin? Who's responsible for this shit?

It's not me...

dably

I'm to lazy to check out the payload but from the sounds of it, security system 2009, is a yet another fake AV. I really want to know how these folks get and keep merchant accounts. The chargeback rate on that stuff has to be insanely high.

Seriously if you got infected with it consider wiping your hard drive there is no telling what they bundled that crap with. Undetected password stealers are a dime a dozen and if you manage your servers from the same computer there is a fair chance you will have your passwords stolen for them and similar malicious code placed on your sites.

Spades

I dunno so much about the high chargebacks, you gotta think, peoples systems are completely fucked by the malware and then boom... they pay for the software and it does exactly what it has promised them. Nevertheless, it's a shady ass way of making money. But I doubt it's that hard to maintain a merchants account and i'm sure they bundle their transactions with other (actually legit) products.

__________________

xmcp123

Not sure where Jon is. But I'm tellin ya anything tryin to track them back via their domain is a failboat.
No way to tell who's a real person in Russia.
No way to tell if the non-russian names are real. Or stolen.
There's a lot more nastiness coming from these guys. It's a minefield trying to find them. And also, there's certain people you just don't out.

__________________