Forum Moderators: DixonJones


Trying to trap me into clicking on a hijacker from logs?!

might be webmaster-targeted...

LaBonne

5:38 am on Dec 1, 2003 (gmt 0)

10+ Year Member



Aloha,
I've been scanning & analyzing my logs rather obsessively since Google update Florida, when I noticed a new referrer website. Curious, I clicked on the referrer to see if it was going to do me any good...when it switched me over to a website that started downloading UCsearch.cab - a nasty hijacker (backdoor trojan).

Since the name of the referrer website was very closely related to my website product, and a page from my website was called up from that location I have to wonder if it was a targeted attack. That they meant for me to find it, click, and let them into my business PC. There was no actual link to my website on the page.

I checked the page via Google cache and found it to be a page of mish-mash phrases and links. The domain seems to have expired over the last year, with the nasty trojan-guys picking it up to bring in "customers". It actually moves you to another page with the trojan download on it.

I'd love to paste the logfile portion & the name of the website it goes to, but I don't want to violate any rules. Needless to say, it ruined my evening!

So...has this logfile trap happened to anyone else?

Constantin

3:25 pm on Dec 1, 2003 (gmt 0)

10+ Year Member



Wow,
Now that's a nasty way to be woken up in the evening. I'm glad you figured it out before your machines and the server had been compromised as planned. Not to ignite any zealotry here but episodes like this one are yet another reason why I'm sticking with my 2 percenter OS...

Anyway, I assume that you've reported the site to their provider? ...at least try to shut the thing down before someone less vigilant than you has their day(s) ruined.

richmondsteve

4:35 pm on Dec 1, 2003 (gmt 0)

10+ Year Member



LaBonne, I can't say that I've ever seen someone try to infect someone's PC this way, but I'm not surprised. Faking referrers and visiting other sites is a form of log spam. If you search here or Google for webmasterworld log spam you may find someone who's encountered a similar tactic to infect a PC.

LaBonne

5:11 pm on Dec 1, 2003 (gmt 0)

10+ Year Member



Mahalo,

Actually I did catch the thing. Having only dialup, I clicked, heated something for dinner, and came back to find a strange download. Felt stupid, then tracked the bugger down & killed it.

At least now I know how to find other instances in WW! I have been tracking down the provider as best as I can & doing some informing...

anallawalla

12:31 pm on Dec 7, 2003 (gmt 0)

WebmasterWorld Administrator 10+ Year Member Top Contributors Of The Month



There is an opinionated SEO who left me a juicy URL to click (something like www.dodgyseo.com/?juicy_string). I did not give him the satisfaction but manually checked out his site.

There is a lot of this going on (including the kind you mentioned).

Hobbyist

1:16 pm on Dec 7, 2003 (gmt 0)

10+ Year Member



I guess that's why when checking links via logs, I do it in "paranoid" mode. Firebird + Proxomitron, with JS, ActiveX, Java, referrers turned off. Occasionally with proxy to mask IP addresses.

It won't stop them from learning that you visited the site if it's a specially prepared url for you, but that can't be helped.
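As an added example (not code from anyone in this thread), the faked-referrer log spam discussed above can be triaged from the log itself, so that nothing has to be clicked. The sketch assumes Apache "combined" format and one heuristic of its own: an external referrer is suspect when none of the clients that sent it ever fetched a page asset. The sample lines, hostnames and function names are constructed.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Apache/NCSA "combined" log format: ip, request, status, size, referrer, user agent
LINE = re.compile(r'(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?:GET|HEAD|POST) (?P<path>\S+)[^"]*" '
                  r'\d{3} \S+ "(?P<ref>[^"]*)" "[^"]*"')
ASSET = re.compile(r'\.(?:css|js|gif|jpe?g|png|ico)(?:\?|$)', re.I)

# Constructed sample lines (documentation hostnames and addresses, not real traffic)
SAMPLE = [
    '192.0.2.10 - - [01/Dec/2003:05:01:00 +0000] "GET /widgets.html HTTP/1.1" 200 5120 "http://widget-deals.example.net/links.html" "Mozilla/4.0"',
    '198.51.100.7 - - [01/Dec/2003:05:02:00 +0000] "GET /widgets.html HTTP/1.1" 200 5120 "http://directory.example.org/widgets" "Mozilla/5.0"',
    '198.51.100.7 - - [01/Dec/2003:05:02:01 +0000] "GET /style.css HTTP/1.1" 200 900 "http://www.example.com/widgets.html" "Mozilla/5.0"',
]

def defang(url):
    """Make a URL non-clickable in a report: hxxp scheme, [.] for every dot."""
    return url.replace("http", "hxxp", 1).replace(".", "[.]")

def suspicious_referrers(lines, own_host):
    """Return {defanged referrer: [client IPs]} for external referrers whose
    clients never requested a page asset (assumed sign of a scripted hit)."""
    fetched_assets = set()          # IPs that loaded at least one css/js/image
    by_ref = defaultdict(set)       # external referrer URL -> IPs that sent it
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue                # skip lines that are not in combined format
        if ASSET.search(m["path"]):
            fetched_assets.add(m["ip"])
        try:
            host = urlsplit(m["ref"]).hostname
        except ValueError:
            continue                # malformed referrer value
        if host and host != own_host and not host.endswith("." + own_host):
            by_ref[m["ref"]].add(m["ip"])
    return {defang(ref): sorted(ips) for ref, ips in by_ref.items()
            if not ips & fetched_assets}

if __name__ == "__main__":
    for ref, ips in suspicious_referrers(SAMPLE, "example.com").items():
        print(ref, ips)
```

A flagged referrer is only a candidate for review; a text-only client or a cached visit produces the same pattern.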