Site de Net-Integration piraté ?

[Hunter]

sorry for all english..please translate.

 

---edit: Hunter, I translated the title of your message ("Net-Integration site hacked? Do not open any emails from NI") ipl_001

 

Net-Integration site hacked?, Do not open any emails from NI

 

 

Apparently net-Integration website/forums have been hacked and mass emails are being sent out from the webmaster ie:

 

 

[email protected]

Subject: Protect Your PC !!! ( From Net-Integration Forums )

From: "Net-Integration Forums" <[email protected]>

Date: Tue, 16 Aug 2005 09:03:20 -0400

Protect Your PC !!!

Please download antivirus protection

antivirusprotection.pisem.net/avp.

Note: (.exe removed)

 

 

which contians Trojan-PSW.Win32.LdPinch.gen (Kaspersky on line scan)

 

 

Currently, attempting to contact N-I forums will result in "This Account Has Been Temporarily Suspended for Security Purposes"

 

further details when available will be posted......

 

Should you receive any such emails, immediately delete; do not open!

 

http://gladiator-antivirus.com/forum/index...topic=28346&hl=

[Invité tesgaz]

Salut,

 

en francais, ca donne ceci :

désolé pour  l' anglais. traduisez svp.

 

 

Site de Net-Integration piraté ?, N'ouvrez aucun email

de N-I (Net Integration)

 

 

Apparemment le site Web et les forums de Net-Integration ont

été piratés et des emails de masse sont envoyés de l'IE du webmaster :

 

 

[email protected]

Objet : Protégez votre PC !!! (de Net-Integration Forums)

De : "Net-Integration Forums" <[email protected]>

Date : Mardi 16 Août 2005 09:03:20 -0400

Protégez votre PC !!!

Svp téléchargez la protection antivirus

antivirusprotection.pisem.net/avp.

Note : (.exe enlevé)

 

 

qui contient Trojan-PSW.Win32.LdPinch.gen (scan en ligne de Kaspersky)

 

 

Actuellement, essayer de contacter les forums de N-I

aura comme conséquence, le message "Ce compte a été temporairement suspendu

pour cause de sécurité"

 

plus amples détails postés quand disponibles...

 

Si vous recevez de tels e-mails, effacez les immédiatement ; ne

les ouvrez pas !

 

http://gladiator-antivirus.com/forum/index...topic=28346&hl=

[Hunter]

Salut tesgaz,

 

 

Many people have gotten even mulitple email.

 

http://www.dslreports.com/forum/remark,14145402

[ipl_001]

Hi Hunter, tesgaz, hello veryone,

 

Thanks a lot for your very important message!

 

Merci à tesgaz pour la traduction !

 

For those who didn't follow (who were not on the forum weeks ago), I remind that Hunter is an Administrator of the wonderful Gladiator Security Forum -> http://gladiator-antivirus.com/forum/index.php?act=idx

Pour ceux qui n'ont pas suivi (qui n'étaient pas sur le forum il y a quelques semaines), je rappelle que Hunter est un Administrateur du merveilleux Gladiator Security Forum -> http://gladiator-antivirus.com/forum/index.php?act=idx

 

 

 

Les liens vers NI mènent vers une page comportant seulement ce message :

This Account Has Been Temporarily Suspended for Security Purposes

Please forgive the inconvenience.

( http://www.google.fr/url?sa=t&ct=res&cd=1&...6yzKqmCQu7GoeEC )

 

 

 

Pour ceux qui n'ont pas connu, cela me rappelle ce qu'il s'est passé en février 2004 et qui a mené à la création de l'ASAP et au rapprochement de tous les sites antispywares US.

SpywareInfo Hacked

02.20.2004 @ 05:45 PM PT

 

I talked with Mike Healan, the editor of SpywareInfo, a resource providing the latest spyware threats, forums, and links to related articles and information so that your system can stay free and clean.

 

Mike has a dedicated server in Atlanta which hosts spywareinfo.com/net/org, merijn.org, tomcoyote.org, dogreader.com and mikehealan.com. On Feb 6, there were a few sporadic DDoS attacks that were easily filtered out.

 

On Feb 11th about 8am, several hundred PCs infected with some sort of trojan started hammering the server with bogus traffic to port 80 (HTTP). Mike’s web host started blocking IPs trying to open too many connections and brought the server up. 10 minutes later, 2,000 more PCs hit the server and knocked it down again. The data center started blocking wide ranges of IP addresses and stopped the attack again. They attacked again after that and the data center finally firewalled the IP address of the server.

 

On Feb 12, we switched IP addresses and brought the server back up. 2,000 - 3,000 PCs brought the server down again about 15 minutes later.

 

On the 13, Mike moved tomcoyote.org to hostpc.com and merijn.org to xblock.com. He put out a newsletter using tomcoyote.org explaining what was going on and asking for some donations to help cover costs. The next day, several thousand PCs attacked merijn.org and knocked down merijn and xblock. Several thousand more hit tomcoyote.org and knocked it down along with one of hostpc’s servers. Both sites are still down, xblock is back up and the status of hostpc is up in the air.

 

On Feb 18, the crew put up two proxy servers that pulled data from the server in Atlanta and used a “round robin” DNS failover system to load balance traffic between the two proxies. Spywareinfo was running again and dogreader was partially working the next day. The bad guys hit the servers with about 2,000 PCs and the proxies lasted about 36 hours before they were knocked offline. Both servers have been shut down by their data centers.

 

On the 19th, the meanies also attacked Net-Integration.net, which hosts the support forums for Spybot S&D. A lot of the moderators and helpers at SWI are also admins or moderators for that support board. N-I is back up.

 

Update on NI: the attack on Net-Integration was unrelated to the attack on SpywareInfo. It was just a regular script kiddie IRC packet attack that didn’t last very long.

 

That’s where they currently stand.

 

Starting tonight or tomorrow (hopefully), spywareinfo will have dozens (maybe hundreds) of redundant proxy servers provided by a new corporate sponsor (that can’t be named yet). They will provide however many servers and IP addresses it takes to keep the site running in exchange for a newsletter plug and an ad on the main site.

 

At this point, we don’t know who is resonsible or what they’re using. There is a suspect, but we can’t prove it yet.

 

One guy wrote to say his firewall was logging an enormous number of connections to Mike’s site and he couldn’t figure out why. He contacted Norton’s tech support and they said they were also showing something making connections to his site, so we may be about to get our hands on whatever they are using.

 

He has been in touch with the FBI about this, but they’re playing phone tag. Unfortunately, he’s used up $2,500 so far, hostpc about $1,400, xblock at least $2,000 plus some losses for their other customers on their server. Lord knows what it’s going to cost overall.

 

Mike appreciates all the support from his readers and from other antispyware companies. Donations (or plug [email protected] into paypal) are appreciated as these are free resource sites that have to pay their bills like everyone else.

 

Thanks to Chance for bringing the situation to my attention.

( http://channels.lockergnome.com/news/archi...fo_hacked.phtml )

 

Hunter, I posted this because many members at Zebulon don't know about this period and events which have been very important in the antimalware fight... Would you think it not convenient, I would erase this!

[Hunter]

Post by Magnus Mischel

 

author of Trojan Hunter

 

When run, this trojan copies itself to C:\Windows\csrss.exe and also drops the file C:\Windows\dll.dll. The actual trojan is a password stealer that will attempt to grab your ICQ, email account, dialup and other passwords. Any found passwords are mailed to two russian email addresses.

 

If an Internet connection is available, the trojan will attempt to download and execute further files from a Hungarian web site. Unfortunately these files are no longer available and so could not be analyzed

(*) On a lab machine. Do not attempt at home.

 

 

http://www.dslreports.com/forum/remark,14145402#14145980

Modifié le 16 août 2005 par Hunter

[Chachazz]

Bonjour!

 

Je m'appelle Chachazz de Gladiator Security Forums!

 

Une message de l'Administrateur de Net-Integration:

 

Apparently mass emails have been sent out using N-I to do so.

 

These emails are not legitimate mail from net-integration.

 

Date 8-16-2005 prior to 11:00 AM CDT

 

Please do not open them! Delete them.

 

Eagle1 has shut down the Board and is investigating, I will post more news as I receive it.

 

Please understand I have a wide territory to cover and thank you for your patience.

 

tashi

Net-Integration Administrator.

 

Pardon l'anglais! (?)

 

Modifié le 17 août 2005 par Chachazz

[ipl_001]

I see that Chachazz subscribed to Zeb' 10 minutes ago and is reading this thread!

 

Welcome to you Chachazz (moderator on GSF)! Nice to meet you here!

[Chachazz]

Merci ipl, ma plaisir

[ipl_001]

Merci ipl, ma plaisir

553066[/snapback]

 

Thanks a lot for your coming here and warning us about that bad event at N-I!

[ipl_001]

Rebonjour Hunter, tesgaz, Chachazz, rebonjour à tous,

 

Net-Integration a de gros soucis !

 

Il serait dur pour tashi, T-Zero, LonyRJones et autres responsables de N-I, de savoir qu'ils sont aussi la cause (même si victimes avant tout) de plein d'infections de par le monde en plus des soucis sur leur site/forum !

 

Je suggère que les membres de Zebulon qui sont aussi sur d'autres forums, aident et relaient cette information !

Si possible, un message ici pour éviter qu'on poste de manière multiple sur d'autres forums Français !

 

Merci !

 

-----

Voici le message que je viens de poster sur Gladiator :

Hi Chachazz, TeMerc, hello everyone,

 

You personaly came onto my French forum to provide us with this information, thank you very much!

 

As I guess tashi, T-Zero, LonyRJones and others would be far more upset to add infections "from N-I" of oodles of systems throughout the world to theirs issues regarding their own forum/site, I asked members at Zebulon to spread information to all of the French Security forums!