C|Net user has numerous certificate pop-ups when browsing

Links to pop-ups modified below:

hxxp://gedochin.com/certification_security_alert.jpg

hxxp://gedochin.com/Certification_Details.cer

Urlquery scanned first time ever: http://urlquery.net/report.php?id=86564 http://urlquery.net/report.php?id=86565

Urlvoid here: http://www.urlvoid.com/scan/gedochin.com/

So new, it is the first time scanned by both sites. No prior history.

Any idea what this is? Any way to backtrack to point of origin?

Google says the identity of this site cannot be verified. IP server . has been attacked on many occasions to be defaced or misused.
SSL Certificate is expired. The certificate was valid from 11/29/2006 through 11/29/2007.
SSL Certificate is not trusted…
The certificate is not signed by a trusted authority (checking against Mozilla’s root store). If you bought the certificate from a trusted authority, you probably just need to install one or more Intermediate certificates. Contact your certificate provider for assistance doing this for your server platform.

Most likely a new Zeus server. On that AS were found: IPs allocated: 512
Blacklisted URLs: 264

Hosts…

…badware? Yes
…botnet C&C servers? Yes
…Zeus botnet servers? No, but now questionable
…Current Events? Yes

pol

Thanks Polonus,

Posted a reply for user over at C|net with some of the info (condensed), enough to let user know they are infected. This is a somewhat rare one, so thanks for the help here.

Does Avast! protect?

Hi mcchain,

The site registration length has been 12 years. Registrar: ENOM, INC.
Host is FastServers, Inc. Plano, TX, USA
Server IP has an Apache hack and defacement via web application bug hack mode, file inclusion, remote password guessing,
so at abuseATfastservers.net well they had some issues to look into,
the server software there transmits the full server software version, this should be avoided (Apache settings)
Apache/X.X.XX (Unix) PHP/X.X.XXmod_log_bytes/XXmod_bwlimited/X.X mod_auth_passthrough/1.X FrontPage/X.0.X.XXXX mod_ssl/X.X.XX OpenSSL/X.X.XX
scrambled the version numbers for security reasons - but any attacker could abuse that info coming as “low hanging fruit” so to say…
and attackers always go for the low hanging fruit…
some tips for hardening that server there: http://www.thegeekstuff.com/2011/03/apache-hardening/ links article author = RAMESH NATARAJAN

polonus
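Added example (my own Python, stdlib only; not code from this thread or from any of the posters): offline versions of the two checks the thread turns on, the expired and untrusted certificate in polonus's first reply and the version-disclosing Server header in the second. The certificate dicts, the host names and the Server header values are constructed to resemble the thread's data; the real IP and the unscrambled version numbers are not on the page, so they are invented placeholders.

```python
"""Offline triage checks for the two findings in this thread: a certificate
that is expired and not chained to a trusted root, and a Server header that
discloses full component versions. Added example, not the posters' code."""
import re
import ssl
import time

# Constructed certificate in the nested-tuple shape Python's ssl module uses
# for decoded certificates. Host name is a placeholder; the validity window
# mirrors the thread's 11/29/2006 through 11/29/2007.
EXPIRED_SELF_SIGNED_CERT = {
    "subject": ((("commonName", "gedochin.example"),),),
    "issuer": ((("commonName", "gedochin.example"),),),  # issuer == subject
    "notBefore": "Nov 29 00:00:00 2006 GMT",
    "notAfter": "Nov 29 23:59:59 2007 GMT",
}

# Constructed CA-issued certificate that is inside its validity window.
VALID_CA_ISSUED_CERT = {
    "subject": ((("commonName", "shop.example"),),),
    "issuer": ((("organizationName", "Example Root CA"),),
               (("commonName", "Example Root CA"),)),
    "notBefore": "Jun 15 00:00:00 2010 GMT",
    "notAfter": "Jun 15 23:59:59 2012 GMT",
}

# Constructed Server header modelled on the scrambled one quoted in the thread
# (version numbers here are invented, not the real server's).
CHATTY_SERVER_HEADER = (
    "Apache/2.2.16 (Unix) PHP/5.2.17 mod_auth_passthrough/2.1 "
    "FrontPage/5.0.2.2635 mod_ssl/2.2.16 OpenSSL/0.9.8e"
)
# What the same server sends after `ServerTokens Prod` (assumed hardened config).
HARDENED_SERVER_HEADER = "Apache"


def _flatten_name(rdn_sequence):
    """Turn ((('commonName', 'x'),), ...) into {'commonName': 'x', ...}."""
    return {attr: value for rdn in rdn_sequence for attr, value in rdn}


def audit_peer_cert(cert, now=None):
    """Return a list of human-readable findings for one certificate dict.

    `now` is Unix time (UTC); defaults to the current time. The self-signed
    test is a heuristic: a matching issuer and subject means there is no
    issuing CA, which is one way to get the "not trusted" verdict quoted in
    the thread. Real chain validation needs the full chain and a root store
    (ssl.create_default_context() does that on a live connection).
    """
    now = time.time() if now is None else now
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    findings = []
    if now < not_before:
        findings.append("not yet valid")
    if now > not_after:
        expired_on = time.strftime("%Y-%m-%d", time.gmtime(not_after))
        findings.append(f"expired on {expired_on}")
    if _flatten_name(cert["subject"]) == _flatten_name(cert["issuer"]):
        findings.append("self-signed (issuer equals subject); no chain to a trusted root")
    return findings


# Matches tokens such as Apache/2.2.16 or OpenSSL/0.9.8e but not "(Unix)".
_VERSIONED_TOKEN = re.compile(r"([A-Za-z][\w.-]*)/(\d[\w.]*)")


def disclosed_versions(server_header):
    """Map each component named with a version in a Server header to that
    version. An empty result means the header names at most the product."""
    return dict(_VERSIONED_TOKEN.findall(server_header))


if __name__ == "__main__":
    # Reference time 2011-03-13 UTC, roughly when this thread was written.
    then = 1_300_000_000
    print("expired cert:", audit_peer_cert(EXPIRED_SELF_SIGNED_CERT, then))
    print("valid cert:  ", audit_peer_cert(VALID_CA_ISSUED_CERT, then))
    print("chatty:      ", disclosed_versions(CHATTY_SERVER_HEADER))
    print("hardened:    ", disclosed_versions(HARDENED_SERVER_HEADER))
```

The hardened header models what Apache sends with `ServerTokens Prod` and `ServerSignature Off` in httpd.conf; the `PHP/x.y.z` token disappears when php.ini sets `expose_php = Off`. Hiding the banner only removes the low-hanging fruit polonus mentions; the components still need patching, which is why the script reports every disclosed version rather than just flagging the header.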