VIRUS ATTACK ON SERVER - * MUST READ*
08-12-2010, 09:08 AM
Below is a copy of a mass mail I sent out to the membership today. Please take note and check your computers!!
I don't want to go through this hell again.

Hello everyone, Twitchy (Admin) here. Over the weekend the site hosting company suffered an attack and Team =XRaY= Forum ( http://www.tm-xray.com ) had been compromised with a keylogger attack. We have all the files cleaned up and working properly again, I got Google's block on the site removed, but apparently one of you has this keylogger on your machine, and until you find it and clear it out, we can be compromised again.

Below is the letter the hosting company sent me with a list of suggested anti-virus software. Norton (Symantec) and McAfee are expensive, useless, and I've never had one catch a virus on me, never mind malicious scripts on websites! Along with the suggestions below I'm going to suggest two of my own, both of which are free, excellent, and they will do a much better job than those suggested below. Please also get yourselves malware protection as well, but both my programs do a good job of catching those too.

Avira: http://www.avira.com
You can download the free version here: http://www.free-av.de/en/trialpay_downlo...virus.html

Avast: http://www.avast.com/index
Just select the free version, or upgrade if you are using it and need to upgrade.

This is what the hosting company told me:

Hello,

I found the iframes and have removed them from the account. According to the logs it appears as though the FTP/cPanel account was compromised and the password was scraped. Notice the IP downloading and uploading to the account. This is indicative of a script that is injecting the files with iframes. From recent incidents like these we have come to the conclusion that a user's password was stolen via a password scraper or keylogger that resides on their local PC or network. So no matter how many changes we make to the password, as soon as they type it into FTP or cPanel it's immediately sent off to this script that then injects the files. The logs are below, and below the logs you will see tips on how to secure your local network.

Aug 9 11:37:55 gator423 pure-ftpd: (?@69.115.45.32) [INFO] xrayteam is now logged in
Aug 9 11:41:00 gator423 pure-ftpd: (xrayteam@69.115.45.32) [NOTICE] /home/xrayteam//public_html/index.php downloaded (9446 bytes, 322.46KB/sec)
Aug 9 11:41:06 gator423 pure-ftpd: (xrayteam@69.115.45.32) [NOTICE] /home/xrayteam//public_html/index.php uploaded (16111 bytes, 21.44KB/sec)
Aug 9 11:41:08 gator423 pure-ftpd: (xrayteam@69.115.45.32) [NOTICE] /home/xrayteam//www/index.php downloaded (16111 bytes, 349734.27KB/sec)
Aug 9 11:41:15 gator423 pure-ftpd: (xrayteam@69.115.45.32) [NOTICE] /home/xrayteam//www/index.php uploaded (16112 bytes, 8.94KB/sec)
Aug 9 11:41:17 gator423 pure-ftpd: (xrayteam@69.115.45.32) [NOTICE] /home/xrayteam//www/mailcheck.php uploaded (187 bytes, 0.68KB/sec)
Aug 9 11:42:11 gator423 pure-ftpd: (xrayteam@69.115.45.32) [INFO] Logout.

* What are malicious iframes and what causes them?

Over the years hackers found it hard to trick people into visiting suspicious sites, so they're now targeting legit sites and using them to infect unknowing customers. In most cases an FTP account's password is obtained through key-logging malware, then legit website files are modified to distribute the malware and gather more passwords. If your PC has been infected with one of these trojans, your bank account, email accounts, and FTP accounts may no longer be secure.

* What to do if you find malicious iframes

1. Use the following online vulnerability scanner and ensure your software is up-to-date: http://secunia.com/vulnerability_scannin...?task=load
2. Download antivirus and fully scan your PC for malicious files. Here are some free online scanners:
   http://housecall.trendmicro.com/
   http://www.bitdefender.com/scan8/ie.html
   http://www.kaspersky.com/virusscanner
   http://support.f-secure.com/enu/home/ols.shtml
3. Update all passwords that may have been obtained. Do not use old passwords, generate new ones.
4. Upload older versions of the files or contact support for assistance removing the malicious iframes.

* Prevention

- Ensure you use the latest browser version
- Disable JavaScript
- Use the Firefox addon NoScript
- Download and install some free antivirus software, make sure it stays updated
- Use http://www.avg.com.au/index.cfm?section=...onlinescan to test suspicious links you are given in emails or find online.

If any of you are owners of that IP address, you REALLY need to clean your system out. That is where this attack supposedly came from. Please check your machines and if you need anything, feel free to PM me on the board. Do not reply to this email because I won't get it, you must PM me.

Thanks and I apologize for any issues anyone has had due to this.

Twitchy aka Admin
http://www.tm-xray.com
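Two checks a site owner could run on what the hosting company describes above, as an added example that is not part of the original post or of the host's own tooling: a pass over pure-ftpd log lines that flags the download-then-larger-upload pattern visible in the quoted session (and a new .php file dropped without a prior download), and a scan of page content for the zero-sized or CSS-hidden iframes such a script plants. The log sample reuses the lines quoted in the thread plus one constructed benign session; the HTML sample, the 600-second pairing window, the assumed log year and all function names are this example's own assumptions.

```python
"""Added example (not the forum's, the site's or the hosting company's code).
Check 1: pure-ftpd log lines, looking for a file that is downloaded and then
re-uploaded larger moments later, or a fresh .php upload with no prior download.
Check 2: page content, looking for iframes that are zero-sized or CSS-hidden.
Log lines are those quoted in the thread plus one CONSTRUCTED benign session;
the HTML sample, window and LOG_YEAR are this example's assumptions.
"""
import re
from datetime import datetime

LOG_YEAR = 2010  # syslog-style lines carry no year; assumed from the post date

# "Aug 9 11:41:00 gator423 pure-ftpd: (user@ip) [NOTICE] <message>"
LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+(?P<time>\d\d:\d\d:\d\d)\s+\S+\s+"
    r"pure-ftpd:\s+\((?P<user>[^@)]*)@(?P<ip>[^)]+)\)\s+\[\w+\]\s+(?P<msg>.*)$"
)
# "<path> downloaded|uploaded (<n> bytes, ...)"
XFER_RE = re.compile(r"^(?P<path>\S+)\s+(?P<dir>downloaded|uploaded)\s+\((?P<size>\d+) bytes")

SAMPLE_LOG = """\
Aug 9 11:37:55 gator423 pure-ftpd: (?@69.115.45.32) [INFO] xrayteam is now logged in
Aug 9 11:41:00 gator423 pure-ftpd: (xrayteam@69.115.45.32) [NOTICE] /home/xrayteam//public_html/index.php downloaded (9446 bytes, 322.46KB/sec)
Aug 9 11:41:06 gator423 pure-ftpd: (xrayteam@69.115.45.32) [NOTICE] /home/xrayteam//public_html/index.php uploaded (16111 bytes, 21.44KB/sec)
Aug 9 11:41:08 gator423 pure-ftpd: (xrayteam@69.115.45.32) [NOTICE] /home/xrayteam//www/index.php downloaded (16111 bytes, 349734.27KB/sec)
Aug 9 11:41:15 gator423 pure-ftpd: (xrayteam@69.115.45.32) [NOTICE] /home/xrayteam//www/index.php uploaded (16112 bytes, 8.94KB/sec)
Aug 9 11:41:17 gator423 pure-ftpd: (xrayteam@69.115.45.32) [NOTICE] /home/xrayteam//www/mailcheck.php uploaded (187 bytes, 0.68KB/sec)
Aug 9 11:42:11 gator423 pure-ftpd: (xrayteam@69.115.45.32) [INFO] Logout.
Aug 9 14:02:10 gator423 pure-ftpd: (webmaster@10.0.0.5) [NOTICE] /home/xrayteam//public_html/style.css uploaded (2048 bytes, 40.00KB/sec)
"""  # the last line is a constructed benign upload; the rest are the thread's lines


def parse_transfers(log_text):
    """Return (timestamp, user, ip, path, direction, size) for each transfer line."""
    transfers = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        x = XFER_RE.match(m["msg"])
        if not x:
            continue  # login/logout lines carry no transfer
        ts = datetime.strptime(f"{m['mon']} {m['day']} {m['time']} {LOG_YEAR}", "%b %d %H:%M:%S %Y")
        transfers.append((ts, m["user"], m["ip"], x["path"], x["dir"], int(x["size"])))
    return transfers


def find_injection_sessions(log_text, window_seconds=600):
    """Flag (a) a file re-uploaded larger than it was downloaded shortly before,
    and (b) a new .php file uploaded with no prior download of that path."""
    alerts = []
    last_download = {}  # (user, ip, path) -> (timestamp, size)
    for ts, user, ip, path, direction, size in parse_transfers(log_text):
        key = (user, ip, path)
        if direction == "downloaded":
            last_download[key] = (ts, size)
            continue
        prev = last_download.get(key)
        if prev is not None and (ts - prev[0]).total_seconds() <= window_seconds:
            if size > prev[1]:  # file grew between pull and push: something was appended
                alerts.append({"ip": ip, "path": path, "rule": "modified_after_download",
                               "delta_bytes": size - prev[1]})
        elif path.endswith(".php"):
            alerts.append({"ip": ip, "path": path, "rule": "new_php_upload",
                           "delta_bytes": size})
    return alerts


IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.IGNORECASE)
HIDDEN_HINTS = [re.compile(p, re.IGNORECASE) for p in (
    r"\b(?:width|height)\s*[=:]\s*[\"']?0(?:px)?\b",  # zero-sized frame
    r"display\s*:\s*none",
    r"visibility\s*:\s*hidden",
    r"(?:left|top)\s*:\s*-\d{3,}",                      # pushed far off-screen
)]

SAMPLE_PAGE = """<html><body>
<iframe src="/forum/embed.php" width="600" height="400"></iframe>
<p>Team page</p>
<iframe src="http://dropper.invalid/in.php" width="0" height="0" frameborder="0"></iframe>
<div><iframe src="http://dropper2.invalid/x" style="visibility:hidden;position:absolute;left:-5000px"></iframe></div>
</body></html>"""  # constructed; the .invalid hosts are placeholders


def find_hidden_iframes(content):
    """Return iframe tags that are zero-sized or CSS-hidden, the usual shape of an injected one."""
    return [tag for tag in IFRAME_RE.findall(content)
            if any(h.search(tag) for h in HIDDEN_HINTS)]


if __name__ == "__main__":
    for a in find_injection_sessions(SAMPLE_LOG):
        print(f"{a['rule']:<24} {a['ip']:<15} {a['path']} (+{a['delta_bytes']} bytes)")
    for tag in find_hidden_iframes(SAMPLE_PAGE):
        print("hidden iframe:", tag)
```

On the quoted session the log check raises three alerts from 69.115.45.32: both index.php copies grew between the download and the re-upload (by 6665 and 1 bytes), and mailcheck.php was dropped without ever being downloaded. The benign webmaster upload of a stylesheet raises nothing. The content check is a heuristic, not a signature: a legitimate zero-sized iframe used for tracking will also match, so treat hits as something to review against a known-good copy of the file rather than as proof of compromise.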
08-12-2010, 06:57 PM
RE: VIRUS ATTACK ON SERVER - * MUST READ*
This is what i found on that IP address.
69.115.45.32 - Geo Information
IP Address: 69.115.45.32
Host: ool-45732d20.dyn.optonline.net
Location: US, United States
City: Denville, NJ 07834
Organization: Optimum Online
ISP: Optimum Online
AS Number: AS6128 CSC Holdings, Inc (Cablevision)
Latitude: 40°88'41" North
Longitude: 74°48'63" West
Distance: 7604.30 km (4725.09 miles)

Dag OUT!
08-13-2010, 05:37 AM
(This post was last modified: 08-13-2010 05:38 AM by Admin.)
RE: VIRUS ATTACK ON SERVER - * MUST READ*
Yeah Dag, that means squat. All it's telling us is that whoever has the virus on their computer is in New Jersey (I'm in NJ and never heard of that town, must be up north) and they use Cablevision as their ISP. You'll never get their or anyone else's home location via IP address; I think you just get the closest "point" on the ISP server.
The only time I've been able to get an exact location is if someone is using internet that is also an intranet, like at a college or government facility, large business, etc.
08-13-2010, 02:13 PM
|
|||
|
|||
|
RE: VIRUS ATTACK ON SERVER - * MUST READ*
So is there no way of telling what member it was?
Does the server not record everyone's IP? Could it have been one of the new members that have just joined!!!!
08-13-2010, 04:47 PM
(This post was last modified: 08-13-2010 04:48 PM by Dag=XRaY=.)
RE: VIRUS ATTACK ON SERVER - * MUST READ*
Twitchy,
I understand it does not pinpoint an individual, but does it not rule out those that do not use that ISP?
08-13-2010, 07:18 PM
RE: VIRUS ATTACK ON SERVER - * MUST READ*
IPs are really hard to narrow down. I don't think it's anyone from the board. I think the hosting company was giving me a load of bullshit in that regard.
What's hard about this is that anyone with any savvy can give themselves any IP from any ISP if they are smart enough and know how to set up proxy settings on their browsers. All those sites like "Hide my IP" and other obvious free ones online are for amateurs. A good hacker will know how to hide himself or disguise himself as someone else quite easily.
Trooper, the hosting company does not log every IP that visits the site. It's impossible to do and it's not their job. Their job is to give the domain and website a "home" and keep that home maintained and bug-free. This company has had a wicked rash of attacks this past couple of months and they're quick to deny it's ever their fault.
You also have to realize these things do happen at times. I was setting someone up last year and they had a sneaky trojan on their servers they had no clue about. Well, I wound up having to reformat my whole computer because I got infected through my FTP when I was working on loading files to and from his server. He got it from someone else he was working with doing the same thing. So you see, they start off someplace and wind up traveling many times unnoticed until someone has a better anti-virus program.
08-13-2010, 11:00 PM
RE: VIRUS ATTACK ON SERVER - * MUST READ*
I guess I am an amateur, I must admit.