K-Meleon Web Browser Forum
General discussion about K-Meleon
Malware in K-Meleon's Web?
Posted by:
Anonymous User
Date: June 16, 2007 06:40PM
One user has reported the following (but in the wrong place, so I've moved it here):
----------------------------------------------------------------------------------
Posted by: batifol07 (ALyon-153-1-44-2.w86-194.abo.wanadoo.fr)
Date: June 16, 2007 07:10PM
Hi,
It seems that the K-Meleon forum is infected by "http://s99.winmplayer.com". Actually that is always triggered when I start K-Meleon with K-Meleon forum. The malicious files are indeed hosted at that "winmplayer" site. Winmplayer transfers data for about 1 minute.
----------------------------------------------------------------------------------
I must say that I'm using Kaspersky Security Suite and I can confirm this report. Kaspersky's suite detects it and asks me what to do.
Re: Malware in K-Meleon's Web?
Date: June 16, 2007 07:33PM
Don't delete messages when you can really move them...
Re: Malware in K-Meleon's Web?
Posted by:
Anonymous User
Date: June 16, 2007 07:47PM
I know I can move the threads but it was not a new thread, it was a new message on the Long time to start thread, so AFAIK, I could not move it.
I've sent you the Kaspersky log, it all started on May 30th. Here's an extract from Kaspersky logs:
06/06/2007 11:55:38 Intrusion.Win.IE.MultObj.exploit! Attacker's IP address: 81.95.148.13. Protocol/service: TCP on local port 3164. Time: 06/06/2007 11:55:38
06/06/2007 11:55:39 Intrusion.Win.IE.MultObj.exploit! Attacker's IP address: 81.95.148.13. Protocol/service: TCP on local port 3169. Time: 06/06/2007 11:55:39
06/06/2007 11:55:40 Intrusion.Win.IE.MultObj.exploit! Attacker's IP address: 81.95.148.13. Protocol/service: TCP on local port 3172. Time: 06/06/2007 11:55:40
06/06/2007 11:55:43 Malicious HTTP object http://s99.winmplayer.com/check/404-6.htm: detected malware 'Exploit.HTML.IESlice.l'.
06/06/2007 11:55:43 Malicious HTTP object http://s99.winmplayer.com/check/404-6.htm: access denied.
06/06/2007 11:55:43 Intrusion.Win.IE.MultObj.exploit! Attacker's IP address: 81.95.148.13. Protocol/service: TCP on local port 3169. Time: 06/06/2007 11:55:43
06/06/2007 11:55:49 Intrusion.Win.IE.MultObj.exploit! Attacker's IP address: 81.95.148.13. Protocol/service: TCP on local port 3169. Time: 06/06/2007 11:55:49
06/06/2007 11:55:59 Intrusion.Win.IE.MultObj.exploit! Attacker's IP address: 81.95.148.13. Protocol/service: TCP on local port 3169. Time: 06/06/2007 11:55:59
06/06/2007 11:56:21 Intrusion.Win.IE.MultObj.exploit! Attacker's IP address: 81.95.148.13. Protocol/service: TCP on local port 3169. Time: 06/06/2007 11:56:21
06/06/2007 11:57:04 Intrusion.Win.IE.MultObj.exploit! Attacker's IP address: 81.95.148.13. Protocol/service: TCP on local port 3169. Time: 06/06/2007 11:57:04
06/06/2007 11:58:29 Intrusion.Win.IE.MultObj.exploit! Attacker's IP address: 81.95.148.13. Protocol/service: TCP on local port 3169. Time: 06/06/2007 11:58:29
81.95.148.13 is an IP from Panama.
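The log extract in the post above can be summarised per connection. This is an added example, not part of the original thread: a Python sketch with hypothetical helper names (`parse`, `by_connection`, `gaps`) that groups the Kaspersky alerts by attacker IP and local port and lists the seconds between repeats. It assumes each event sits on one line in the layout shown in the extract.

```python
import re
from collections import defaultdict
from datetime import datetime

# Log lines copied from the extract posted above, one event per line.
SAMPLE = """\
06/06/2007 11:55:38 Intrusion.Win.IE.MultObj.exploit! Attacker's IP address: 81.95.148.13. Protocol/service: TCP on local port 3164. Time: 06/06/2007 11:55:38
06/06/2007 11:55:39 Intrusion.Win.IE.MultObj.exploit! Attacker's IP address: 81.95.148.13. Protocol/service: TCP on local port 3169. Time: 06/06/2007 11:55:39
06/06/2007 11:55:40 Intrusion.Win.IE.MultObj.exploit! Attacker's IP address: 81.95.148.13. Protocol/service: TCP on local port 3172. Time: 06/06/2007 11:55:40
06/06/2007 11:55:43 Malicious HTTP object http://s99.winmplayer.com/check/404-6.htm: detected malware 'Exploit.HTML.IESlice.l'.
06/06/2007 11:55:43 Malicious HTTP object http://s99.winmplayer.com/check/404-6.htm: access denied.
06/06/2007 11:55:43 Intrusion.Win.IE.MultObj.exploit! Attacker's IP address: 81.95.148.13. Protocol/service: TCP on local port 3169. Time: 06/06/2007 11:55:43
06/06/2007 11:55:49 Intrusion.Win.IE.MultObj.exploit! Attacker's IP address: 81.95.148.13. Protocol/service: TCP on local port 3169. Time: 06/06/2007 11:55:49
06/06/2007 11:55:59 Intrusion.Win.IE.MultObj.exploit! Attacker's IP address: 81.95.148.13. Protocol/service: TCP on local port 3169. Time: 06/06/2007 11:55:59
06/06/2007 11:56:21 Intrusion.Win.IE.MultObj.exploit! Attacker's IP address: 81.95.148.13. Protocol/service: TCP on local port 3169. Time: 06/06/2007 11:56:21
06/06/2007 11:57:04 Intrusion.Win.IE.MultObj.exploit! Attacker's IP address: 81.95.148.13. Protocol/service: TCP on local port 3169. Time: 06/06/2007 11:57:04
06/06/2007 11:58:29 Intrusion.Win.IE.MultObj.exploit! Attacker's IP address: 81.95.148.13. Protocol/service: TCP on local port 3169. Time: 06/06/2007 11:58:29
"""
FMT = "%d/%m/%Y %H:%M:%S"  # day/month order is an assumption; both read 6 June here
INTRUSION = re.compile(
    r"^(\d\d/\d\d/\d{4} \d\d:\d\d:\d\d) (\S+)! Attacker's IP address: "
    r"([\d.]+)\. Protocol/service: \w+ on local port (\d+)\.")
HTTP_OBJ = re.compile(
    r"^(\d\d/\d\d/\d{4} \d\d:\d\d:\d\d) Malicious HTTP object (\S+): (.+?)\.?$")

def parse(text):
    """Return (intrusions, http_events): (ts, signature, ip, port) and (ts, url, verdict)."""
    intrusions, http_events = [], []
    for line in text.splitlines():
        if m := INTRUSION.match(line):
            intrusions.append((datetime.strptime(m[1], FMT), m[2], m[3], int(m[4])))
        elif m := HTTP_OBJ.match(line):
            http_events.append((datetime.strptime(m[1], FMT), m[2], m[3]))
    return intrusions, http_events

def by_connection(intrusions):
    """Group alert times by (remote IP, local port); a local port marks one connection."""
    groups = defaultdict(list)
    for ts, _sig, ip, port in intrusions:
        groups[(ip, port)].append(ts)
    return dict(groups)

def gaps(times):
    """Seconds between consecutive alerts in one group."""
    return [int((b - a).total_seconds()) for a, b in zip(times, times[1:])]

if __name__ == "__main__":
    for (ip, port), times in by_connection(parse(SAMPLE)[0]).items():
        print(ip, port, len(times), gaps(times))
```

On this extract, seven of the nine intrusion alerts share local port 3169 and the gaps between them grow from 4 to 85 seconds, so the number of alerts overstates the number of distinct connections, which is three.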
Re: Malware in K-Meleon's Web?
Date: June 16, 2007 08:23PM
Quote
enaitzjga
I know I can move the threads but it was not a new thread, it was a new message on the Long time to start thread, so AFAIK, I could not move it.
Use split thread in that case. Or just copy, but avoid deleting, that's not really nice.
Re: Malware in K-Meleon's Web?
Posted by:
Anonymous User
Date: June 16, 2007 08:30PM
All right, I will proceed that way in the future.
Re: Malware in K-Meleon's Web?
Date: June 16, 2007 10:18PM
----------------------------------------------------------------------------------
Posted by: batifol07 (ALyon-153-1-44-2.w86-194.abo.wanadoo.fr)
Date: June 16, 2007 07:10PM
Hi,
It seems that the K-Meleon forum is infected by "http://s99.winmplayer.com". Actually that is always triggered when I start K-Meleon with K-Meleon forum. The malicious files are indeed hosted at that "winmplayer" site. Winmplayer transfers data for about 1 minute.
----------------------------------------------------------------------------------
@enaitzjga reported "I must say that I'm using Kaspersky Security Suite and I can confirm this report. Kaspersky's suite detects it and asks me what to do."
For the record, I've just logged on with the same problem, detected by KAV, and denied access by me. It's there.
Cheers,
Buzz
Re: Malware in K-Meleon's Web?
Posted by:
Guest
Date: June 17, 2007 02:35PM
It seems like the problem has been solved. When I try to access the website it gives me this message:
"Service Unaviable
This account has been suspended for violation of hosting terms and conditions"
Re: Malware in K-Meleon's Web?
Date: June 17, 2007 06:00PM
Don't be fooled. This message is a fake (they even made a typo...)
Re: Malware in K-Meleon's Web?
Posted by:
Guest21
Date: June 17, 2007 08:18PM
When I click the forum button my computer FROZE for like 2 minutes, so what's the reason for that? Malware?
Re: Malware in K-Meleon's Web?
Posted by:
beowulf
Date: June 17, 2007 10:22PM
Quote
enaitzjga
I know I can move the threads but it was not a new thread, it was a new message on the Long time to start thread, so AFAIK, I could not move it.
I've sent you the Kaspersky log, it all started on May 30th. Here's an extract from Kaspersky logs:
06/06/2007 11:55:38 Intrusion.Win.IE.MultObj.exploit! Attacker's IP address: 81.95.148.13. Protocol/service: TCP on local port 3164. Time: 06/06/2007 11:55:38
06/06/2007 11:55:39 Intrusion.Win.IE.MultObj.exploit! Attacker's IP address: 81.95.148.13. Protocol/service: TCP on local port 3169. Time: 06/06/2007 11:55:39
06/06/2007 11:55:40 Intrusion.Win.IE.MultObj.exploit! Attacker's IP address: 81.95.148.13. Protocol/service: TCP on local port 3172. Time: 06/06/2007 11:55:40
06/06/2007 11:55:43 Malicious HTTP object http://s99.winmplayer.com/check/404-6.htm: detected malware 'Exploit.HTML.IESlice.l'.
06/06/2007 11:55:43 Malicious HTTP object http://s99.winmplayer.com/check/404-6.htm: access denied.
06/06/2007 11:55:43 Intrusion.Win.IE.MultObj.exploit! Attacker's IP address: 81.95.148.13. Protocol/service: TCP on local port 3169. Time: 06/06/2007 11:55:43
06/06/2007 11:55:49 Intrusion.Win.IE.MultObj.exploit! Attacker's IP address: 81.95.148.13. Protocol/service: TCP on local port 3169. Time: 06/06/2007 11:55:49
06/06/2007 11:55:59 Intrusion.Win.IE.MultObj.exploit! Attacker's IP address: 81.95.148.13. Protocol/service: TCP on local port 3169. Time: 06/06/2007 11:55:59
06/06/2007 11:56:21 Intrusion.Win.IE.MultObj.exploit! Attacker's IP address: 81.95.148.13. Protocol/service: TCP on local port 3169. Time: 06/06/2007 11:56:21
06/06/2007 11:57:04 Intrusion.Win.IE.MultObj.exploit! Attacker's IP address: 81.95.148.13. Protocol/service: TCP on local port 3169. Time: 06/06/2007 11:57:04
06/06/2007 11:58:29 Intrusion.Win.IE.MultObj.exploit! Attacker's IP address: 81.95.148.13. Protocol/service: TCP on local port 3169. Time: 06/06/2007 11:58:29
81.95.148.13 is an IP from Panama.
If you detect the intrusion with Kasper, why is the message a fake?
Was it malware or not?
Re: Malware in K-Meleon's Web?
Posted by:
beowulf
Date: June 18, 2007 02:34PM
DOES ANYONE KNOW THIS GUY?
IP address: 84.158.233.132
Reverse DNS: p549ee984.dip.t-dialin.net.
Reverse DNS authenticity: [Verified]
ASN: 3320
ASN Name: DTAG (Deutsche Telekom AG)
IP range connectivity: 1
Registrar (per ASN): RIPE
Country (per IP registrar): DE [Germany]
Country Currency: EUR [euros]
Country IP Range: 84.128.0.0 to 84.191.255.255
Country fraud profile: Normal
City (per outside source): Stuttgart, Baden-Wurttemberg
Country (per outside source): DE [Germany]
Private (internal) IP? No
IP address registrar: whois.ripe.net
Known Proxy? No
Re: Malware in K-Meleon's Web?
Posted by:
Anonymous User
Date: June 18, 2007 03:39PM
I don't know him, but I can tell you this:
IP address: 84.158.233.132
IP country: Germany
IP address state: Baden-Württemberg
IP address city: Rohrdorf
IP latitude: 47.733299
IP longitude: 10.083300
Re: Malware in K-Meleon's Web?
Posted by:
beowulf
Date: June 18, 2007 05:08PM
I also detected the s99wimplayer when I start the K-Meleon site with Internet Explorer only, and it crashes immediately. Thanks enaitzjga, I received at least eleven attacks (?) from the IP above, 84.158.233.132, after posting my comment yesterday, detected with Sygate Pro. I cannot read IPs in the posts, so I am thinking that somebody who can get access to them is really interested in my PC. I also think that Dorian should was so hard with you and the problem is really here, the s99wimplayer is in this website and starts in IE to make it crash.
Re: Malware in K-Meleon's Web?
Posted by:
beowulf
Date: June 18, 2007 05:10PM
Quote
beowulf
I also detected the s99wimplayer when I start the K-Meleon site with Internet Explorer only, and it crashes immediately. Thanks enaitzjga, I received at least eleven attacks (?) from the IP above, 84.158.233.132, after posting my comment yesterday, detected with Sygate Pro. I cannot read IPs in the posts, so I am thinking that somebody who can get access to them is really interested in my PC. I also think that Dorian should was so hard with you and the problem is really here, the s99wimplayer is in this website and starts in IE to make it crash.
I meant Dorian should be less hard with you, because the problem exists.
Re: Malware in K-Meleon's Web?
Date: June 18, 2007 05:27PM
Quote
beowulf
If you detect the intrusion with Kasper, why is the message a fake?
Was it malware or not?
I was answering the post above. The message on the site s99.winmplayer.com is a fake.
Re: Malware in K-Meleon's Web?
Posted by:
Anonymous User
Date: June 18, 2007 08:16PM
I've joined the Louis-Paris new thread with this thread because they are about the same issue.
Thanks for the picture, Louis-Paris!
So it's not a problem from Kaspersky, Nod-32 also detects it.
Re: Malware in K-Meleon's Web?
Date: June 18, 2007 08:25PM
It would be nice if you could get the source of the page when it happens, to know where it comes from. I can't find much info about this malware...
Edited 2 time(s). Last edit at 06/18/2007 08:27PM by Dorian.
Re: Malware in K-Meleon's Web?
Date: June 18, 2007 08:26PM
you get the source of the page on my screenshot
Re: Malware in K-Meleon's Web?
Date: June 18, 2007 08:32PM
When I say the source, I mean the thing you get when doing ctrl+U
Re: Malware in K-Meleon's Web?
Date: June 18, 2007 08:34PM
Oh wait I've found it I think
Re: Malware in K-Meleon's Web?
Date: June 18, 2007 08:57PM
just save the URL in a HTML file as a link and open the file and save target file
Re: Malware in K-Meleon's Web?
Posted by:
Anonymous User
Date: June 22, 2007 04:05PM
I haven't noticed more attacks for some days.
Was the problem located and fixed?