Comments on: How to get rid of JS/Tenia.d

By: John

John — Thu, 25 Jun 2009 03:01:08 +0000

I got the same i-frame crap on my drupal site. I upgraded from my 5.1 version to 5.1.8 to fix it. Thanks for your info; it helped identifying what was going on.

By: Silvano

Silvano — Thu, 09 Apr 2009 14:09:15 +0000

Hey, I got the same problem and I lost my 4/10 pagerank

I found two interesting things:

1 – the cracker modified my .htaccess to send all bots (google, yahoo, etc) to his website

2 – he changed the file wp-content/cache.php to work as a PHP shell

So if you didn’t notice these, get rid of them ASAP.

Thanks for the post! It really helped me.

By: Donna

Donna — Thu, 02 Apr 2009 21:48:02 +0000

I’ve never read that book but for a short while I had been reading an interesting blog from an actual cyber sleuth! He used to investigate criminals online– their facebook/myspace pages as well as uncovering other online activities. It was a great Web site but somehow I lost the link and couldn’t remember the name of him or his blog. Oh well.

By: Steve Ragan

Steve Ragan — Wed, 01 Apr 2009 12:57:40 +0000

Of course you can’t be certain that that is an actual person at that actual address. I’ve never heard of address verification for domain registration.
Well, whomever it is, I’m pretty sure that he’s been shut down already. I went to grab the content of that URL directly (in a safe, non-browser way) and I got a 404. The same person is listed for similar domains too like google-analyze.org and google-analyze.cn
I love cyber-sleuthing – it’s like a hobby you could say
Ever read The Cuckoo’s Egg by Clifford Stoll?
It’s the story of the original computer sleuth. Interesting read – well, if you’re a geek.

By: Donna

Donna — Tue, 31 Mar 2009 17:09:10 +0000

Thanks Steve for that info— I wish there was a way to press charges or alert the authorities…

By: Donna

Donna — Tue, 31 Mar 2009 17:07:27 +0000

I was using Norton but it never picked up the trojans on my computer so I uninstalled it and am now using BitDefender.

By: B. Davis

B. Davis — Mon, 30 Mar 2009 13:21:19 +0000

My Kaspersky anti-virus software caught it.

By: Steve Ragan

Steve Ragan — Mon, 30 Mar 2009 12:58:08 +0000

FWIW – here’s some info on what you had.
Googled the URL in that iframe and came up with this -

Date: 2009/03/26_00:00
Domain: google-stat.com/tomi/?t=2
IP: 202.73.57.6
Reverse Lookup: dyn6-b57-access.superdsl.com.sg
Malware Description: Luckysploit
Registrant: johnvernet@gmail.com

Some info on Luckysploit here –
http://www.finjan.com/MCRCblog.aspx?EntryId=2213

And info on the slimeball who registered the domain -

whois google-stat.com

Registrant:
Private person
Email: johnvernet@gmail.com
Organization: Private person
Address: 350 Lynn Dr
City: Sylvan Springs
State: AL
ZIP: 36604
Country: US
Phone: +7.4955123456
Fax: +7.4955123456

By: Michael

Michael — Sun, 29 Mar 2009 16:15:53 +0000

What do you use for anti-virus?

By: Michael

Michael — Sun, 29 Mar 2009 13:42:27 +0000

I have never understood the spammer mentality