Urgent - Virus!?
Started by DougWeller, 31-Aug-2006 18:36
20 replies to this topic
#1
Posted 31 August 2006 - 18:36
I just had this email containing a Trojan downloader
Congratulations! ( From Archaeo Forums ) Inbox
Archaeo Forums
<diego@stonepages.com>
Archaeo Forums
http://www.stonepage...forum/index.php
Congratulations!
You are new moderator of our forum.
If you agree, download key file.
URL deleted by the Moderator
#3
Posted 31 August 2006 - 19:06
Doug, will you please edit out the link to the trojan! 
Had this attempt before on another forum using this software, my mate is a techie & he had to save both the owner's set up (which was compromised by the hacker) & another user's PC. If it's the same trojan, it's really hard to get rid of
#5
Posted 31 August 2006 - 19:45
lord of the badgers, on 31 August 2006, 19:06, said:
Doug, will you please edit out the link to the trojan! 
Had this attempt before on another forum using this software, my mate is a techie & he had to save both the owner's set up (which was compromised by the hacker) & another user's PC. If it's the same trojan, it's really hard to get rid of
It is edited out, look again. I left the name in but you can't link to it.
Doug
#6
Posted 31 August 2006 - 19:49
Cool, nice one Doug. Tried to PM Diego, but I'm worried he's got the same issue as the board owner of the forum I mentioned here, i.e. his PC is stuffed up with the infection. That took my mate ages to clear, plus he had to borrow the guy's login to fix it. Hope that it's not got to that state.
#9
Posted 31 August 2006 - 21:27
Full header if it helps:
Priority: Normal
Type of Message: Inbox: Read
Date of creation:
Return-Path: <apache@mustang.xssl.net>
Delivered-To: me, yep
Received: (qmail 3222 invoked by uid 78); 31 Aug 2006 17:25:12 -0000
Received: from unknown (HELO ns-mr7.netsolmail.com) (10.49.16.166)
by mail14.lb.hosting.dc2.netsol.com with SMTP; 31 Aug 2006 17:25:12 -0000
Received: from mustang.xssl.net (mustang.xssl.net [67.15.32.13])
by ns-mr7.netsolmail.com (8.13.6/8.13.6) with ESMTP id k7VHP7PD006815
for <me, yep, my email was correct>; Thu, 31 Aug 2006 13:25:08 -0400
X-ClientAddr: 127.0.0.1
Received: from mustang.xssl.net (localhost.localdomain [127.0.0.1])
by mustang.xssl.net (8.12.11/8.12.11) with ESMTP id k7VHKu4f009267;
Thu, 31 Aug 2006 18:21:43 +0100
Received: (from apache@localhost)
by mustang.xssl.net (8.12.11/8.12.11/Submit) id k7VHFqEb028202;
Thu, 31 Aug 2006 18:15:52 +0100
Date: Thu, 31 Aug 2006 18:15:52 +0100
Message-Id: <200608311715.k7VHFqEb028202@mustang.xssl.net>
To:
Subject: Congratulations! ( From Archaeo Forums )
From: "Archaeo Forums" <diego@stonepages.com>
X-Priority: 3
X-Mailer: IBForums PHP Mailer
X-xssl.net-MailScanner-Information: Please contact the ISP for more information
X-xssl.net-MailScanner: Found to be clean
X-MailScanner-From: apache@mustang.xssl.net
Bucky Edgett
#10
Posted 31 August 2006 - 21:44
I'll add to that... the trojan is on "this guy's" server - oh what a surprise.. Russian email contact...
still, you could give the f***er a ring
WHOIS information for zabywjwzlr.biz:
[whois.melbourneit.com]
#12
Posted 31 August 2006 - 22:13
We just discovered the mess... This is a copy of the message we sent to all the registered users:
Dear friends,
We are very sorry to inform you that today a nasty hacker somehow crept into our forum software and sent a fake message saying "Congratulations! You are new moderator of our forum. If you agree, download key file." to a substantial number of registered users.
Please DO NOT click the link provided in the fake message, because it would probably start the download of a trojan virus that may cause damage to the files on your computer.
We are still investigating how to avoid that such a nasty thing will happen again in the future. In the meantime, please disregard any e-mail message from the forum without our names on it - and IN ANY CASE do not click any link on the message.
Please accept our apologies for any inconvenience and bear with us with this difficult situation.
Best regards,
Paola Arosio & Diego Meozzi
Stone Pages
#14
Posted 31 August 2006 - 22:22
Now I feel like a real F***tard. I never fall for anything close to these.... there is always a first! I certainly didn't open it, but I emailed Diego to tell him he'd mailed this to the wrong person. Stupid. I hadn't been here in so long I thought maybe he'd finally done what he threatened to do years ago, and given up the headaches of this site... and was giving the moderation to a worthy successor.
Good News: I have a Macintosh which has only a one-ten-thousandth of a chance of being infected even if I had clicked. I don't know whether or not they could mine a confirming address.
Bad news?: Diego. And Paola. I hope this hasn't messed you up. Or too many of the rest of you.
Super news: Glad to see you well, Nigel.
Jane
#15
Posted 31 August 2006 - 22:27
lord of the badgers, on 31 August 2006, 20:49, said:
Tried to PM Diego, but I'm worried he's got the same issue the board owner of the forum i mentioned here - ie his PC is stuffed up with the infection.
I won't give the hacker more attention than he/she already has. But I have sent a 'nice' message to his/her Internet service/hosting provider. And we are taking other actions right now.
BTW, Doug can you please get me in contact with your friend that had this very same problem with his forum?