Name.com Injected?

Today I opened Name.com and this was written:
"Name.com is currently experiencing connectivity issues with various registries. We apologize for any inconvenience this may cause. We are working to resolve the issue as quickly as possible. Please try again later or contact us at [email protected]."

I'm afraid Name.com was injected with a trojan/virus. Yesterday I got this report from my Norton AntiVirus:

Attempted Intrusion "HTTP XMLHTTP SetRequestHeader Exec" against your machine was detected and blocked.
Intruder: www.name.com(4.79.81.165)(http(80)).
Risk Level: High.
Protocol: TCP.
Attacked IP: MANIK(XXX.XXX.XXX.XX).
Attacked Port: 4293.

Be careful
 
Every day name.com worries me more. They seem to be going down constantly or being slow. Their interface is full of bugs. Recently I also read someone on here who said they took all his domains because they thought he had incorrect contact info. I am really worried as I have about 70 domains there.
 
Name.com took domains because of incorrect contact info?? WTF
 
I got this today -

Details: Attempted Intrusion "HTTP XMLHTTP SetRequestHeader Exec" against your machine was detected and blocked.
Intruder: www.name.com(4.79.81.165)(http(80)).
Risk Level: High.
Protocol: TCP.
Attacked IP: localhost.
Attacked Port: 2454.

Getting to be a big headache now.
 
Will this affect Linux users?
 
sura said:
Name.com took domains because of incorrect contact info?? WTF

They are following ICANN rules in this instance. The person who registered a domain is responsible for and obliged to keep the whois info updated.
 
Peter said:
They are following ICANN rules in this instance. The person who registered a domain is responsible for and obliged to keep the whois info updated.
Other registrars usually give the registrant a warning, and then if they don't update contact details they will suspend the domains. When contacts are updated the domain is usually unsuspended. If name.com just deletes a domain when they suspect incorrect contact details then this is very concerning.
 
Name.com is doing its job for the domain taking and checking

yet the virus, hmm that's something serious 0o
 
Dean26 said:
Other registrars usually give the registrant a warning, and then if they don't update contact details they will suspend the domains.

Correction: many registrars don't bother checking properly or acting when they find out.
 
oh noes :O ahhhhhhhhhhhhhhhh! name.com why??

damn.. hope this thing gets solved sooon. i have few names there.



Peter
 
If any of you are currently getting this can you please PM me with your setup?

What OS, browser and which, if any anti-virus software you run. Versions of all of this information would be very helpful as we troubleshoot.

We believe folks running Windows, IE and Norton are the only people running into this problem and that it's not actually a virus/trojan, but are continuing to look into it.

Thank you.
 
Attempted Intrusion "HTTP XMLHTTP SetRequestHeader Exec" against your machine was detected and blocked.
Intruder: www.name.com(4.79.81.165)(http(80)).
Risk Level: High.
Protocol: TCP.
Attacked IP: localhost.
Attacked Port: 4688.

Intrusion detected and blocked.
All communication with www.name.com(4.79.81.165) will be blocked for 30 minutes. - This was 3 minutes back.

I'm using win xp sp3, norton internet security, firefox3.
 
mwzd said:
Attempted Intrusion "HTTP XMLHTTP SetRequestHeader Exec" against your machine was detected and blocked.
Intruder: www.name.com(4.79.81.165)(http(80)).
Risk Level: High.
Protocol: TCP.
Attacked IP: localhost.
Attacked Port: 4688.

Intrusion detected and blocked.
All communication with www.name.com(4.79.81.165) will be blocked for 30 minutes. - This was 3 minutes back.

I'm using win xp sp3, norton internet security, firefox3.

Thanks mwzd - if you have a moment can you tell me which version of Norton - 2009?
 
Hi All,

Seems like name.com still has not fixed this issue...my Norton Internet Security is seeing name.com as a threat.

SupraTT
 
Supra - if you'd be kind enough to send me the information as requested above, it would be greatly appreciated.

We've been unable to reproduce it.

Those of you receiving this result - do you know if your antivirus definitions are up to date?

SupraTT said:
Hi All,

Seems like name.com still has not fixed this issue...my Norton Internet Security is seeing name.com as a threat.

SupraTT
 
My virus definitions were updated yesterday. Today I get the same problem.

This is an unresolved issue for me at least.

When you say you are not able to duplicate the issue you're saying it does not exist?
 
mwzd said:
My virus definitions were updated yesterday. Today I get the same problem.

This is an unresolved issue for me at least.

When you say you are not able to duplicate the issue you're saying it does not exist?

We've heard from enough people that it exists, but we have not been able to re-create it. We've gone so far as to set up two different machines mimicking the PC setup that you and another customer have reported to us.
 
Ross, thank you for the link. Our team had already found that and has determined it's not quite the same problem.

I'm still looking for anyone experiencing this problem to chat with our tech team. Anyone?
 
Hello. I'm working on this issue for Name.com. We cannot reproduce it using "Norton Internet Security 2009" which should detect any malicious use of SetRequestHeader. We don't use this javascript function at all on the site so it's a mystery. So, any help with additional information would be greatly appreciated.

1) What product and version of Norton are you using?

2) What page were you trying to access when you got this message?

3) Did you go to name.com by entering the URL into your browser's address bar or did you get there through a link or bookmark? If a link or bookmark, what is the URL that was linked to or bookmarked?

4) If you unblock the site in Norton, do you continue to get this message?

5) Do you get this message while browsing other sites?

6) If you are using Firefox, allow the page to load and view the source to see if the SetRequestHeader javascript function can be found. If so, I'd love to see the source.

The SetRequestHeader exploit only affects Microsoft IE users but Norton catches it before getting to the client's browser so users of all browsers will see it.

At this point, I believe the issue is either that users getting this message are already affected with a trojan or virus that is calling the SetRequestHeader function while browsing the web OR there is some sort of cross site scripting exploit going on that is passing javascript to the browser via a link to name.com that then calls the SetRequestHeader function. I'm not 100% sure yet though.

Thanks,
Owen Borseth
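
Step 6 of the post above can be run as a script over a saved copy of the page. This is an added example, not part of the original post and not Name.com's code; the sample HTML and the host `cdn.example.net` are constructed, and the regex matching is a heuristic rather than a full HTML parser.

```javascript
// Added example: heuristic triage of a saved page source for SetRequestHeader use.
const SITE_HOST = "www.name.com"; // host named in the alerts quoted in this thread
// Constructed sample; not the real name.com source.
const SAMPLE = [
  '<html><head><script src="/js/site.js"></script>',
  '<script src="http://cdn.example.net/widget.js"></script>',
  '<script>',
  'var x = new XMLHttpRequest();',
  'x.open("GET", "/status");',
  'x.setRequestHeader("X-Test", "1");',
  '</script></head><body onload="init()"></body></html>',
].join("\n");

const lineOf = (text, idx) => text.slice(0, idx).split("\n").length;

function hostOf(url, siteHost) {
  try { return new URL(url, "http://" + siteHost).hostname.toLowerCase(); }
  catch { return "(unparseable)"; }
}

function auditSavedPage(html, siteHost = SITE_HOST) {
  const out = { inlineHits: [], handlerHits: [], offSiteScripts: [] };
  const needle = /setRequestHeader/i; // alert name and DOM method differ in case
  const scriptRe = /<script\b([^>]*)>([\s\S]*?)<\/script\s*>/gi;
  let m;
  while ((m = scriptRe.exec(html)) !== null) {
    const src = /\bsrc\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/i.exec(m[1]);
    if (src) {
      const url = src[1] ?? src[2] ?? src[3];
      if (hostOf(url, siteHost) !== siteHost.toLowerCase()) out.offSiteScripts.push(url);
    }
    const hit = needle.exec(m[2]);
    if (hit) {
      const bodyStart = m.index + m[0].indexOf(">") + 1; // first char after the open tag
      out.inlineHits.push(lineOf(html, bodyStart + hit.index));
    }
  }
  // Inline event-handler attributes (onload=, onclick=, ...) can also carry script.
  const handlerRe = /\bon[a-z]+\s*=\s*(?:"([^"]*)"|'([^']*)')/gi;
  while ((m = handlerRe.exec(html)) !== null) {
    if (needle.test(m[1] ?? m[2])) out.handlerHits.push(lineOf(html, m.index));
  }
  return out;
}
```

If `inlineHits` and `handlerHits` are empty, any call would have to be in an external script file, which the saved page source does not include; `offSiteScripts` lists the ones loaded from other hosts.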
 
This is still occurring for me.

Any resolution would be appreciated.

Else I'll just have to move my names out.
 
I didn't get any such warnings, but yesterday I faced some PHP problem.

I saw it display some error message (someone edited their header file and it was not allowing login :|)
 
On a positive note, I like the new design :)
 