Topic: Creepy BLF Mirrors - Let's figure this out.





Yet more goofiness: all the download links for all the trojaned files are hosted at some guy's house. He's using a D-Link router presumably and using the DynDNS service that D-Link provides. The machine that he's hosting the trojan on is running Debian 6.

I'm trying to contact the support teams for Persephonebooks and Getchip and that site Carbon linked. I really want to know what is going on and how this is happening to their sites. A little awkward since it's all in Russian.

Did a Google search for my username in both websites, I'm still there

I'm "dargereldren,Barnabas" because the scraping is horrible

Yet more goofiness: all the download links for all the trojaned files are hosted at some guy's house. He's using a D-Link router presumably and using the DynDNS service that D-Link provides. The machine that he's hosting the trojan on is running Debian 6.
what country

Looks like the IP traces back to France.
« Last Edit: August 06, 2015, 02:31:13 AM by Miga »

OK. The crappy skyline banner seems to be the #1 way to find these sites. I've added a bunch more to the OP. I'm gonna contact all the sites (the English ones at least) and ask what is going on.

BTW: If you highlight the text you will see hidden messages in all posts. For some reason they are invisible?
I imagine this is so that search engines will pick up on the invisible words and direct more people toward them. One moment you're looking up wheat bread, the next you're downloading malware.

My guess is the person/group doing this is using some vulnerability in Apache to gain access to these sites and this is the result of not keeping your servers up-to-date. And yes, it's all the same person/group doing this, the trojan link leads back to the same D-Link DynDNS result.

goddamn are we all gonna get killed by the Russian mafia or something now


Hm. If they've picked up on stufflord then they've probably checked up on us recently. I wonder if they saw our thread, and that's why the forum from the book website disappeared?