January 9, 2006 at 5:00 pm #591946 Anonymous (Inactive)
http://www.casinoaffiliateprograms.com/bb/trojan-found-from-gam-website.9347.html?
WTF?
Enquiring drones want to know what kind of blackhat cloaking this guy is doing.
I don’t want to scare him off, I want him to feel safe and spill some more beans.
Anyone here have any idea what he is doing?
January 9, 2006 at 5:28 pm #680188 Anonymous (Inactive)
It sounds like it is not ClarkPromotions’ website (from what he says), but he obviously understands cloaking pretty well if that is what is going on. I’m not going to check out the website because I don’t need anything loaded onto my PC, accidentally or otherwise.
All we can do is try to pry it out of him and see what he knows. I’m sure we can get information out if we are careful. However, we would need a very diplomatic person to try… Not all of us are like that.
January 9, 2006 at 5:54 pm #680189 Anonymous (Inactive)
Don’t worry about it – it is NOT a virus. It is simply a small exploit in IE that allows a page to be cloaked based on certain conditions. I don’t want to go into details about what exactly the exploit does and why a webmaster would want to use it (all I need is a bunch of affiliate drones using my tricks to compete with me) – but I will say that it’s nothing to worry about and in no way jeopardizes your computer’s privacy or security.
All I need is a bunch of affiliate drones using my tricks to compete with me?
January 9, 2006 at 5:57 pm #680190 Anonymous (Inactive)
Good point.
I read that part, then somehow modified my own thought after reading his second post. I read them on 2 separate occasions… But, I AM getting old.
Yes – we should find out what this person is doing, but I still maintain that we need someone who is very diplomatic to do so. If not, then he/she will be scared away and we will know nothing.
January 9, 2006 at 6:01 pm #680192 Anonymous (Inactive)
Well, he is talking about selective cloaking – he has a program figuring out if you are an engine or a visitor.
January 9, 2006 at 6:04 pm #680193 Anonymous (Inactive)
Yes – But what is he cloaking? What exactly is he ‘feeding’ to the search engines? Is it a direct scraping of any of our sites?? Or is it just spam for the SE containing a lot of keyword-heavy html? That’s the kind of info I would be interested in knowing.
January 9, 2006 at 10:00 pm #680212 Anonymous (Inactive)
Same thing 888 does. If I had more time I would look into it. I’m working on my site all week, I promised. greek39
Which person are we talking about here?
Anyway, the newest wave of viruses, the latest and the worst one I have seen in years, is the one Jeff from Wager Profits got. Here are the facts:
Vulnerability Note VU#356600
Microsoft Internet Explorer DHTML Editing ActiveX control contains a cross-domain vulnerability
Overview
A cross-domain vulnerability exists in the DHTML Editing ActiveX control. An attacker may be able to execute arbitrary script in the Local Machine Zone or read or modify data in other domains. For example, the attacker could execute arbitrary commands with parameters, download and execute arbitrary code, read cookies, spoof content, or modify form behavior.
I. Description
The Cross-Domain Security Model
IE uses a cross-domain security model to maintain separation between browser frames from different sources. This model is designed to prevent code in one domain from accessing data in a different domain. The Internet Security Manager Object determines which zone or domain a URL exists in and what actions can be performed. From Microsoft Security Bulletin MS03-048: One of the principal security functions of a browser is to ensure that browser windows that are under the control of different Web sites cannot interfere with each other or access each other’s data, while allowing windows from the same site to interact with each other. To differentiate between cooperative and uncooperative browser windows, the concept of a “domain” has been created. A domain is a security boundary – any open windows within the same domain can interact with each other, but windows from different domains cannot. The cross-domain security model is the part of the security architecture that keeps windows from different domains from interfering with each other.
The DHTML Editing Control
The DHTML Editing Control is a wrapper for the MSHTML editor. It is an ActiveX control that provides the ability to perform text and HTML editing functions. The control is marked “safe for scripting,” which means that the DHTML Editing Control could be called from Internet Explorer. The LoadURL method, which is traditionally used to open web page content in the DHTML Editing Control, will only open documents in the same domain as the host page. When used with a certain combination of script commands, the DHTML Editing Control can open the content of an arbitrary web page in any domain, regardless of the domain of the host page.
The Problem
The DHTML Editing Control is vulnerable to a cross-domain violation. When the DHTML Editing Control opens the content from a website, it appears to operate within the security context of that website. While the DHTML Editing Control has the security context of the opened site, the DHTML Editing Control is under full control of the page that hosts it. Working indirectly through the DHTML Editing Control, a website in one domain has the ability to access information in another domain or zone.
II. Impact
By convincing a user to view a specially crafted HTML document (e.g., a web page or an HTML email message), an attacker may be able to execute script in the Local Machine Zone. Script that executes in the Local Machine Zone can be used to download and execute arbitrary code. An attacker may obtain full access to web content in another domain, which may reside in a different security zone. The impact is similar to that of a cross-site scripting vulnerability. This includes the ability to spoof or modify web content, access website information such as cookies, or retrieve data from an encrypted HTTPS connection. For a more detailed description of the impact of cross-site scripting vulnerabilities, please see CERT Advisory CA-2000-02.
III. Solution
Install an update
Install the update referenced in MS05-013. With this update, the cross-domain security model is enforced with the DHTML Editing Control.
In a sense it could be viewed as a virus.
When I cruise the net I always disable my active scripting. This person you are referring to I believe is a scumbag and has no place on this forum. He’s been here for a while and his dirty tricks are now exposed. He’s many things: scraper, black hatter and a fuckin no head. This guy pissed me off beyond my tolerances. Fuckin idiot, it’s his fuckin deed!!! :Pisser:
January 10, 2006 at 4:23 am #680244 Anonymous (Inactive)
Here’s some more; this is the one I invited in last week.
Currently, security firms are warning that machines can be attacked if users do any of the following:
open a malicious .WMF file in Windows Picture and Fax Viewer
or preview a malicious .WMF file in Windows Explorer
However, the number of attacks could increase dramatically if malicious hackers find more automated ways to target systems, such as using e-mail, instant messages or file sharing, according to Ken Dunham, director of the rapid response team at VeriSign’s iDefense.
Attacks so far have been limited to installation of adware and spyware on compromised machines, but “you’re probably going to see Trojans and more sinister code develop and emerge in the next few days,” Dunham said in an interview.
There is no patch for the security hole. While some workarounds are being suggested on the Web, Dunham is only validating this one for disabling .WMF file handling: First, users should click on the Start button on the taskbar. Then they should click on Run, type “regsvr32 /u shimgvw.dll” and click “Ok” when the change dialog appears.
However, Dunham warns that recent vulnerabilities related to .WMF have also included .EMF files and that “it is possible that exploitation might still be possible through alternative file types such as EMF,” he wrote in an e-mail alert. “For now, the WMF disabling workaround may help mitigate attacks against vulnerable Windows XP/2003 computers. This workaround may impact the display of thumbnails or other images on the computer.”
Microsoft is investigating “new public reports of a possible vulnerability in Windows,” said a company spokesman. “Upon completion of this investigation, Microsoft will take the appropriate action to protect our customers, which may include providing a fix through our monthly release process or issuing a security advisory, depending on customer needs.”
In the meantime, Microsoft encourages its customers to follow its recommended security practices, he wrote. Users who believe they have been affected can contact Microsoft’s product support team, he wrote. Ways to make this contact vary depending on where users are based. More information can be found on the Microsoft website.
Dunham characterises the threat as “significant,” while Secunia rates it “extremely critical.” Symantec Corp. labels it as a “level two” threat, on a scale in which “level four” is the most critical.
Secunia lists the vulnerable operating systems as Windows Server 2003 Datacenter Edition, Windows Server 2003 Enterprise Edition, Windows Server 2003 Standard Edition, Windows Server 2003 Web Edition, Windows XP Home Edition and Windows XP Professional.
January 10, 2006 at 5:10 am #680250 Anonymous (Inactive)
InactiveGreek,
One of the reasons I mentioned that we should be a bit political/diplomatic in finding out more information is the old phrase ‘Keep your friends close and your enemies closer’.
I doubt he will respond to your allegations, but I also believe that he is probably (while very likely allowing an exploit) NOT sending out a virus. Not everyone knows how to use the exploits of IE or any other browser.
I believe that he is probably cloaking and maybe scraping. However, by shutting him up… we will likely not ever know the true extent of it.
For example, we may know of his one site… But if he is a BH, then he likely has a shit-load of sites that we could have uncovered.
If we were able to uncover those sites, we could have shut them ALL down… Not only that, but if we created a bit of an alliance, we could have checked for his ‘pattern’ and occasionally grouped up and searched for his new sites.
So….. sorry to say, but try not to let someone like that get under your skin so quickly. We need to know who they are to shut them down (and ALL their sites).
kw
January 10, 2006 at 5:29 am #680252 Anonymous (Inactive)
Well, I kinda figured that out, I couldn’t help myself. It all makes sense now! I sent him two PMs, no responses.
How he pulls these tricks off is the way I mentioned. He used the technique I mentioned and he’s been watching me or us for quite some time.
I want this fellow in the worst way possible. I have a hunch he is part of the 888 thing as well.
Sorry if I got carried away a little in the public forum. But in my PM I sent him to my colleague’s site, hopefully for some whipping. I doubt that he went.
I can’t spell worth shit right now, but I know he’s the one behind this scheme. He manipulated me for information and I am pissed.
Oh yeah, I found this in his source code; the whole code is Java combined with ActiveX:
<form action="index.aspx?src=o&kwd=cs" language="javascript" onsubmit="if (!ValidatorOnSubmit()) return false;" id="form5">
I’m going after this guy on my own. I have the facts and he wasted 8 hours of my time. Location: Israel; he is connected to 888 as well. greek39
January 10, 2006 at 1:10 pm #680268 Anonymous (Inactive)
I hate it when people put a bunch of letters and numbers all together like that :laughcry:
Seriously, I know a lot of coding and I have no idea what that is all about.
January 10, 2006 at 3:06 pm #680279 Anonymous (Inactive)
Well, I didn’t want to start my day with this. The entire page I visited last night was all in JavaScript. I only copied a piece of code; the letters are a mask for the real coding language, it’s hidden from public view. Also notice the ActiveX.
The site is for sure a scraper site. I recorded the IPs and some aff tags. The site was created on December 21/05; it’s exactly the type of code used to exploit, as I mentioned in a couple of my previous posts. The server provider serves 3 sites, probably all of his.
After visiting I received 60 adware and spyware crap on my computer. On an interesting note, remember last week some casino affiliates got a nasty worm with a .wmp extension. I think it was launched by this guy; it’s just too much of a coincidence they all received the same worm on the same day, directly addressed to them.
But it appears this guy won’t be returning. He has still not reposted nor PMed me back. I hope he visited the site I told him to go to.
I won’t involve CAP for obvious reasons. greek39
January 10, 2006 at 3:36 pm #680285 Anonymous (Inactive)
Dominique wrote: I don’t want to scare him off, I want him to feel safe and spill some more beans.
Can we please stick with this?
Ok, for one thing he is implanting cookies, methinks. Are these cookies going to tell the site what to show the visitor? I think so. It will show the visitor one thing and the search engine another.
a text file in the default cookies folder explicitly being accessed
Right?
But in a sinister way:
was infected by the Exploit-IEPageSpoof trojan and has been deleted …
Plus a smart way of cloaking:
Magic – he has been listed on adwords for the every one of the largest poker keywords for the past 8 weeks yet Google has never taken him down for gambling content. The only thing black hat about him is he’s figured out how to get around all PPC monitoring and 99.9% of affiliates haven’t!
I want to keep this guy talking, please.
I am no tech and a lot of you understand this a lot better and I wish some would come forth and explain here.
January 10, 2006 at 4:25 pm #680290 Anonymous (Inactive)
What is happening is cloaking, then scraping. Cloaking is a different version of a web site; the cloaked site is a black hatter scraped site. This is done by ActiveX (active scripting).
So say a person goes to my site: under certain conditions it will show a different site for some people who have not patched the hole in their IE firewall. This hole in the firewall is a newly discovered one, found in December 2005. So for this to work you must have an unpatched firewall and the virus.
A lot of no good people are jumping on this exploitation to launch such attacks. The virus already mentioned does the following, according to Microsoft:
The DHTML Editing Control is vulnerable to a cross-domain violation. When the DHTML Editing Control opens the content from a website, it appears to operate within the security context of that website. While the DHTML Editing Control has the security context of the opened site, the DHTML Editing Control is under full control of the page that hosts it. Working indirectly through the DHTML Editing Control, a website in one domain has the ability to access information in another domain or zone.
II. Impact
By convincing a user to view a specially crafted HTML document (e.g., a web page or an HTML email message), an attacker may be able to execute script in the Local Machine Zone. Script that executes in the Local Machine Zone can be used to download and execute arbitrary code. An attacker may obtain full access to web content in another domain, which may reside in a different security zone. The impact is similar to that of a cross-site scripting vulnerability. This includes the ability to spoof or modify web content, access website information such as cookies, or retrieve data from an encrypted HTTPS connection.
This, I believe, is what it enables your browser to do. So the people infected, or who have not updated the firewall patch, when browsing are seeing different web pages.
By updating the IE firewall this closes this hole. This could explain the defensive nature of this guy.
Also this guy has never dropped his URL; I wish he would. Closely read what Microsoft had to say about this latest virus. It does a lot more: an attacker can gain access to web content in another domain in a different security zone (possible firewall), modify web content, access website cookies etc.
Hey Dom I thought you were on holidays?
greek39
This is speculation!
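As an added example (not code from this thread or from anyone discussed in it), the following Python script shows both halves of what the posts above describe: the cloaker’s "engine or visitor" decision (the program mentioned in the January 9, 6:01 pm post, keyed here on the User-Agent plus a cookie set on human visitors, as guessed in the January 10, 3:36 pm post), and the check an affiliate would run to catch it: request the page once as a crawler and once as a browser, strip the markup, and compare the visible text. The two page bodies, the User-Agent strings, the crawler markers and the `seen` cookie name are constructed for this example; a real cloaker also matches crawler IP ranges and reverse DNS, which a plain User-Agent switch will not reveal.

```python
"""Selective cloaking and a cloaking check (added example, constructed data)."""
import re
from difflib import SequenceMatcher

# Constructed sample content: a keyword-stuffed page for crawlers and a
# normal landing page for humans. Neither is taken from any real site.
ENGINE_PAGE = """<html><head><title>poker online poker texas holdem poker bonus</title></head>
<body><h1>Online poker, poker rooms, free poker bonus, holdem poker</h1>
<p>poker poker poker online poker best poker rooms poker bonus codes</p>
<a href="/poker">poker</a> <a href="/holdem">holdem</a> <a href="/bonus">bonus</a>
</body></html>"""

VISITOR_PAGE = """<html><head><title>Welcome</title></head>
<body><h1>Play now</h1><p>Click below to get your welcome bonus.</p>
<a href="http://example.com/go?aff=123">Join</a>
</body></html>"""

# User-Agent substrings a cloaker of that era keyed on (Googlebot, MSN,
# Yahoo Slurp). Assumed list; real cloakers also use IP ranges and reverse DNS.
CRAWLER_UA_MARKERS = ("googlebot", "msnbot", "slurp")

# Constructed User-Agent strings for the two test requests.
GOOGLEBOT_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
BROWSER_UA = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"


def is_search_engine(user_agent, cookies):
    """Cloaker-side decision. A crawler never sends back the 'seen' cookie
    the site sets on humans, and announces itself in the User-Agent."""
    if cookies.get("seen") == "1":           # returning human visitor
        return False
    ua = (user_agent or "").lower()
    return any(marker in ua for marker in CRAWLER_UA_MARKERS)


def cloaked_server(user_agent, cookies):
    """Simulated cloaking site: returns (body, cookie_to_set) for one request."""
    if is_search_engine(user_agent, cookies):
        return ENGINE_PAGE, None
    # Tag the human so later hits are consistent even if the UA changes.
    return VISITOR_PAGE, {"seen": "1"}


def honest_server(user_agent, cookies):
    """Control site: the same page for everyone."""
    return VISITOR_PAGE, None


def normalise(html):
    """Strip scripts, tags and whitespace so only visible text is compared."""
    html = re.sub(r"(?is)<script.*?</script>", " ", html)
    text = re.sub(r"<[^>]+>", " ", html)
    return " ".join(text.lower().split())


def check_cloaking(server, threshold=0.8):
    """Checker-side: fetch as a crawler and as a browser, compare visible text.
    `server` is any callable (user_agent, cookies) -> (body, cookie_to_set);
    in practice it would wrap an HTTP client. Returns the similarity ratio
    and a verdict; the threshold absorbs legitimate per-request variation."""
    engine_body, _ = server(GOOGLEBOT_UA, {})
    browser_body, _ = server(BROWSER_UA, {})
    ratio = SequenceMatcher(None, normalise(engine_body), normalise(browser_body)).ratio()
    return {"similarity": round(ratio, 3), "cloaked": ratio < threshold}


if __name__ == "__main__":
    for name, site in (("cloaked site", cloaked_server), ("honest site", honest_server)):
        print(name, check_cloaking(site))
```

Run from the command line it prints the verdict for the simulated cloaking site and for the honest control. The threshold exists because legitimate pages change between requests (rotating ads, timestamps, session tokens); a ratio well below it after normalisation is a strong signal rather than proof, so confirm by fetching from a crawler’s own IP range or by comparing against the search engine’s cached copy of the page.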
January 10, 2006 at 6:10 pm #680299 Anonymous (Inactive)
Just got back. Wasn’t a holiday – I went to a conference in Vegas, attended one lecture that interested me and came back home.
And since I have a brand new forum to watch over I made a huge exception and took my laptop. Usually I regard travelling as an excuse to get away from it all and ignore the existence of laptops and hotel internet connections.
I understand about a third of the above.
Is this the vulnerability that is supposed to have a fix on the 10th or another?
If it already has a fix, do you have a link?