08-13-2006, 04:26 PM   #1
fatale
Registered User
Join Date: Nov 2000
Posts: 231
FastClick/ValueClick serving a virus!

There's a virus/spyware being served from one of FastClick/ValueClick's ad campaigns. We have received several user complaints today, so naturally I went to investigate and I was just able to catch it on our website myself (my virus scanner was tripped). I was unable to identify the actual ad campaign (manual review of all running campaigns didn't trip my anti-virus), but here's the info in case someone else can. All potentially dangerous links are mangled so they don't turn into actual links -- make sure you have the latest anti-virus running if you are brave enough to load any of them (at your own risk of course!!!).

The actual exploit/virus is being detected in the following file:
_http://64.34.181.44/adrun/exp.wmf

The ad (gif) on the page that was displayed when it happens is loaded from (this should be safe to view):
http://g.websponsors.com/graphics/93909/468x60.gif

The browser log file ("Live HTTP headers" plug-in for Mozilla Firefox) shows that the actual ad code was served by the following file:
_http://www.searchplain.com/ADSAdClient37/GetAd/J43/TF=_NEW/1011/SC=LG/LOC=R/ID=0006BFFD968BB8AD/

Which tries to load a number of different files that try to exploit various Windows vulnerabilities:
_http://64.34.181.44/adrun/c.html
_http://64.34.181.44/adrun/index2.html
_http://64.34.166.182/webnetcounters/pps.html
_http://64.34.181.44/adrun/in.html
_http://64.34.166.182/webnetcounters/pl_load.js
_http://64.34.181.44/adrun/ct.html

The IP addresses above all resolve to searchplain.com servers.

Needless to say, I removed all FastClick banners from our site until this can be resolved. Judging by the user complaints, this has been going on this whole weekend. I've e-mailed FastClick of course, but the form says it can take them 1-2 _business_ days to reply, so I thought I'd warn everyone here as well.
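The referrer tracing that the post describes doing by hand from a header log can be scripted; the following is an added example, not part of the original post. The log entries, host names, function names and the two flagging heuristics (literal-IP host, `.wmf` resource) are assumptions constructed for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample: (request URL, Referer) pairs as a header-logging browser
# plug-in would record them. All hosts and paths are placeholders.
SAMPLE_LOG = [
    ("http://publisher.example/news.html", None),
    ("http://ads.adnetwork.example/tag.html?site=1", "http://publisher.example/news.html"),
    ("http://cdn.adnetwork.example/graphics/468x60.gif", "http://ads.adnetwork.example/tag.html?site=1"),
    ("http://thirdparty.example/GetAd/ID=0001/", "http://ads.adnetwork.example/tag.html?site=1"),
    ("http://192.0.2.10/adrun/index2.html", "http://thirdparty.example/GetAd/ID=0001/"),
    ("http://192.0.2.10/adrun/exp.wmf", "http://192.0.2.10/adrun/index2.html"),
]

def is_ip_host(url):
    """True when the URL's host is a literal IP address rather than a name."""
    try:
        ipaddress.ip_address(urlsplit(url).hostname or "")
        return True
    except ValueError:
        return False

def suspicious(url):
    """Assumed heuristics based on the report: raw-IP host or a .wmf resource."""
    return is_ip_host(url) or urlsplit(url).path.lower().endswith(".wmf")

def referer_chain(log, url):
    """Follow Referer headers back from url; return the chain top-level first."""
    parent = {}
    for requested, referer in log:
        parent.setdefault(requested, referer)  # keep the first sighting
    chain = [url]
    while True:
        ref = parent.get(chain[-1])
        if not ref or ref in chain:  # missing Referer or a loop: stop
            break
        chain.append(ref)
    return chain[::-1]

def trace(log):
    """Map each flagged request to its chain of referring requests."""
    return {u: referer_chain(log, u) for u, _ in log if suspicious(u)}

def entry_point(chain):
    """First request made by the top-level page, i.e. the ad slot to pull."""
    return chain[1] if len(chain) > 1 else chain[0]

if __name__ == "__main__":
    for flagged, chain in trace(SAMPLE_LOG).items():
        print(flagged, "<-", entry_point(chain))
```

The entry point is the request the publisher's own page issued, which identifies the ad tag to disable while the network investigates.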
All times are GMT -5.