Joe Bravo
Max Output Level: -56.5 dBFS
- Total Posts : 1870
- Joined: 2004/01/27 14:43:37
- Status: offline
New Virus/Trojan Technique?
I was wondering if some of you guys that have space on a web server have noticed this happening too. For the past month, at least once or twice per week, when I view my server stats I'll find what appears to be a new link to one of my web pages from a website that I've never heard of before, and when I put their url into my browser window and try to go there, all I'll get is a blank web page with the words: SERVER ERROR. Nothing else whatsoever. If I try to view the source file it says the same thing and nothing else, no head or body tags ... nothing.

The latest link I got was today from (DON'T CLICK ON THIS!): http://www.cjrz.com

The Whois record for this domain reads:

Registrant:
cjrz.com
7328 East Hartman Dr.
Wichita Falls, TX 76302
US

Domain name: CJRZ.COM

Administrative Contact:
Robers, Ophelia
7328 East Hartman Dr.
Wichita Falls, TX 76302
US
+1.9408573433 Fax: +1.9408573982

Technical Contact:
Robers, Ophelia
7328 East Hartman Dr.
Wichita Falls, TX 76302
US
+1.9408573433 Fax: +1.9408573982

Registration Service Provider:
iPowerWeb, 888 511 4678
602-307-5438 (fax)
http://IPOWER.com
This company may be contacted for domain login/passwords, DNS/Nameserver changes, and general domain support questions.

Registrar of Record: TUCOWS, INC.
Record last updated on 04-Feb-2007.
Record expires on 27-Jan-2008.
Record created on 27-Jan-2007.

Domain servers in listed order:
NS2.HOSTMONSTER.COM 70.98.111.2
NS1.HOSTMONSTER.COM 70.98.54.2

Domain status: clientTransferProhibited clientUpdateProhibited

I tried googling "Robers, Ophelia" and "Ophelia Robers", neither of which turned up anything. I used reverse phone number lookups for their contact number: (940) 857-3433, and it came up as not existing as a business or personal number either one. I got a couple of trojans over the past couple of weeks and couldn't figure out where they came from.

I'm wondering if this is a new sort of fishing idea someone had, in that, they figure that if you see someone linking to your web site, that you'll do exactly what I did, which is to go to the url that's linking to you, and that there's a trojan waiting for you when you click on their web page? Anybody familiar with this?
|
scook
Forum Host
- Total Posts : 24146
- Joined: 2005/07/27 13:43:57
- Location: TX
- Status: offline
RE: New Virus/Trojan Technique?
2007/02/08 10:41:59
FYI, the street address looks bogus too. There is no East Hartman Drive in Wichita Falls, there is an East Hatton Drive.
|
Joe Bravo
RE: New Virus/Trojan Technique?
2007/02/08 10:49:20
|
Kicker
Max Output Level: -81 dBFS
- Total Posts : 477
- Joined: 2004/06/08 23:31:37
- Location: Amherst, MA
- Status: offline
RE: New Virus/Trojan Technique?
2007/02/08 18:07:04
Joe, The server logs may not be reporting the complete web address of the page that contains the link. It may only show you the domain. Somewhere in that domain there is probably a page with tons of links to all sorts of web sites. It's a common technique to generate traffic. The server error that you see from the root address means that the web server can't process the default page. The page that you receive that says Server Error is harmless. If there's nothing in the source file, then there's nothing to worry about.
|
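Added example, not part of any post in this thread: stats summaries often collapse referrers to a domain, but the raw access log keeps the full Referer value each client sent, so the sketch below groups combined-format log lines by external referrer host and lists hosts whose referrer was always the bare site root. The sample lines, host names and the `min_hits` threshold are constructed for illustration, and because the Referer header is supplied by the client, a listed host is only a candidate for a closer look.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample lines in Apache/nginx "combined" log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [08/Feb/2007:10:01:02 -0600] "GET /index.html HTTP/1.1" 200 5120 "http://unknown-referrer.example/" "Mozilla/4.0"
203.0.113.5 - - [08/Feb/2007:10:01:09 -0600] "GET /music.html HTTP/1.1" 200 4096 "http://unknown-referrer.example/" "Mozilla/4.0"
203.0.113.9 - - [08/Feb/2007:10:03:40 -0600] "GET /index.html HTTP/1.1" 200 5120 "http://unknown-referrer.example/" "Mozilla/4.0"
198.51.100.7 - - [08/Feb/2007:11:15:00 -0600] "GET /music.html HTTP/1.1" 200 4096 "http://forum.example/thread?id=42" "Mozilla/5.0"
198.51.100.7 - - [08/Feb/2007:11:15:01 -0600] "GET /style.css HTTP/1.1" 200 900 "http://mysite.example/music.html" "Mozilla/5.0"
192.0.2.33 - - [08/Feb/2007:12:00:00 -0600] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "[^"]*"$'
)

def summarize_referrers(log_text, own_host):
    """Group hits by external referrer host, keeping the full Referer URLs."""
    stats = defaultdict(lambda: {"hits": 0, "urls": set(), "clients": set()})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["referer"] in ("", "-"):
            continue  # unparsable line, or no Referer was sent
        host = (urlsplit(m["referer"]).hostname or "").lower()
        if not host or host == own_host:
            continue  # internal navigation, not an inbound link
        entry = stats[host]
        entry["hits"] += 1
        entry["urls"].add(m["referer"])
        entry["clients"].add(m["ip"])
    return stats

def root_only_referrers(stats, min_hits=2):
    """Hosts whose every Referer was the bare site root, seen at least min_hits times."""
    flagged = []
    for host, entry in stats.items():
        root_only = all(urlsplit(u).path in ("", "/") and not urlsplit(u).query
                        for u in entry["urls"])
        if root_only and entry["hits"] >= min_hits:
            flagged.append(host)
    return sorted(flagged)

if __name__ == "__main__":
    s = summarize_referrers(SAMPLE_LOG, "mysite.example")
    for host in root_only_referrers(s):
        print(host, s[host]["hits"], sorted(s[host]["urls"]))
```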
Joe Bravo
RE: New Virus/Trojan Technique?
2007/02/08 19:42:23
I don't know, I've never done it before but, I think you can make the source say anything and be completely different from what shows on the web page, or you can make it not show anything at all (many do).

Now the strange thing is, that their domain was due to expire a couple of days ago, so they must have been around for a while, yet there's not one cached page at google with cjrz.com in the web address. But you will find over 500 pages listed that are entirely (well I only looked at a few dozen so I'm assuming) nothing but pages showing web stats and their name (cjrz.com) keeps coming up as a referrer ... just like with me. Also, they're supposed to be based in Texas but their web host is located in Utah. It's really strange.

I understand what you're saying about them having a links page to generate traffic; I see that all the time, but I don't understand why they don't have a single page cached at Google when they must have been around for at least a year. How do you generate those links pages without it showing up in a search engine somewhere? The only way I can think of is to use Flash (or JavaScript). That could be a big pain to make a page full of links like that though.

But I'm fairly sure now that their page(s) isn't carrying any trojans etc. I've gotten on their web page a couple of times between last night and today and AVG didn't find anything when I scanned just now. So, false alarm I guess. Just call me Chicken Little. But I'm 6'5" so at least I'm no Little Chicken.
post edited by Joe Bravo - 2007/02/08 20:20:26
|
altima_boy_2001
Max Output Level: -55 dBFS
- Total Posts : 2033
- Joined: 2005/11/04 17:48:01
- Location: Central Iowa
- Status: offline
RE: New Virus/Trojan Technique?
2007/02/08 20:04:59
ORIGINAL: Joe Bravo
"I understand what you're saying about them having a links page to generate traffic; I see that all the time, but I don't understand why they don't have a single page cached at Google when they must have been around for at least a year. How do you generate those links pages without it showing up in a search engine somewhere? The only way I can think of is to use Flash (or JavaScript). That could be a big pain to make a page full of links like that though."

Appropriately configured robots.txt in the root of the domain will alter what bots will access from your site. Corporate written bots will follow this standard in general because they might face liability if they don't. You can request google to not cache anything from your domain also so I would assume that other engines have the same ability.
|
d_in_conduct
Max Output Level: -86 dBFS
- Total Posts : 226
- Joined: 2004/03/03 19:05:03
- Status: offline
RE: New Virus/Trojan Technique?
2007/02/08 22:27:12
I had a lot of changes to web pages that were created with a certain PhotoShop Web Photo Gallery script. All the other scripts seem to be holding on okay, but with that one script I would get links to warez inserted onto my page. Since I keep a master copy of everything on the ground, I could just delete from the site and upload new... created with a different script. There must be bots that look for specific codes.
------------------------------------------------ All your base are belong to us...
|