
Thread: Is it just me??

  1. #1
    Banned ivor&mel's Avatar
    Join Date
    Feb 2006
    Location
    Sheffield
    Posts
    586
    Rep Power
    0
    What's happened to the Forum since this morning? First I received an e-mail purporting to be from win2racing and containing a Trojan exe file. Then whenever I try to access any page on the Forum, I get pop-ups from winfixer.com and attempts to install a wmf file. Both Firefox and IE are affected, but the symptoms are different; and it's not my PC that is infected! - this happens on the 2 desktops and 2 laptops I've tried (all running Windows, of course...). I've been reluctant to post anything because I am concerned about login security now... has this site been hacked or what? There seems to be a lack of postings since this morning... I checked from the top-level of win2winracing, and the only 2 links I found that suffer from this behaviour are the Forum and the Gallery. Can anyone shed light on this?

    Ivor and Mel


  2. #2
    Respected Member
    Join Date
    Oct 2005
    Posts
    177
    Rep Power
    0
    I received an e-mail about a tool for win2win that I thought looked suspicious, so after checking I deleted it.

    If that's the same one you received I was very lucky. I'm running zonealarm suite but I didn't put it to the test so I don't know if it would have prevented any infection.

    Sorry to hear it's causing you problems, go to zonealarm and test their software free for 2 weeks. It will do a scan and get rid of any problems, hopefully.

    I'm still evaluating mine, it's seemed to have slowed down my computer but it may be a price worth paying.

    Peter
    You have enemies? Good. That means you've stood up for something, sometime in your life.
    Winston Churchill


  3. #3
    Banned
    Join Date
    Jan 2005
    Posts
    3,042
    Rep Power
    0
    Quote Originally Posted by deepete @ May 9 2006, 06:13 PM
    I received an e-mail about a tool for win2win that I thought looked suspicious, so after checking I deleted it.

    If that's the same one you received I was very lucky. I'm running zonealarm suite but I didn't put it to the test so I don't know if it would have prevented any infection.

    Sorry to hear it's causing you problems, go to zonealarm and test their software free for 2 weeks. It will do a scan and get rid of any problems, hopefully.

    I'm still evaluating mine, it's seemed to have slowed down my computer but it may be a price worth paying.

    Peter

    Guys, don't download anything, I think the forum has been hijacked. Where's Keith when we need him??!!


  4. #4
    Respected Member
    Join Date
    Oct 2005
    Posts
    177
    Rep Power
    0
    I e-mailed Keith about it this morning
    You have enemies? Good. That means you've stood up for something, sometime in your life.
    Winston Churchill


  5. #5
    Banned ivor&mel's Avatar
    Join Date
    Feb 2006
    Location
    Sheffield
    Posts
    586
    Rep Power
    0
    Quote Originally Posted by deepete @ May 9 2006, 06:13 PM
    I received an e-mail about a tool for win2win that I thought looked suspicious, so after checking I deleted it.

    If that's the same one you received I was very lucky. I'm running zonealarm suite but I didn't put it to the test so I don't know if it would have prevented any infection.

    Sorry to hear it's causing you problems, go to zonealarm and test their software free for 2 weeks. It will do a scan and get rid of any problems, hopefully.

    I'm still evaluating mine, it's seemed to have slowed down my computer but it may be a price worth paying.

    Peter
    I run Zonealarm as firewall and AVG as anti-virus. AVG immediately picked up the Trojan in the e-mail; my ZA would not detect a Trojan in the exe file, it would only detect dodgy outgoing/incoming connections if the Trojan had been run.

    I've never looked at the anti-virus capabilities of ZA: all I use is the free firewall version. I'm always a bit suspicious of software that tries to do too many jobs! I use the ZA/AVG combination on all my machines, plus Spybot Search & Destroy (though I've read about problems with that recently) and Ad-aware. It seems to have kept me safe and clean, but nothing is ever 100% foolproof!

    I used the forum first thing this morning without any problems. I suspect the hacking or whatever occurred between 10:00 and 11:00 - the e-mail was sent at 10:55 and I immediately went to the Forum and then started seeing the problems. The e-mail was sent from IP address 66.147.238.53, which resolves to hc1.ded203.com and is part of a netblock assigned to HostRocket Web Services of New York.

    Are there any disgruntled Forum members with technical skills enough to hack the site, perhaps?

    Ivor and Mel

    Quote Originally Posted by ivor&mel @ May 9 2006, 06:55 PM
    Are there any disgruntled Forum members with technical skills enough to hack the site, perhaps?
    I've just reread that, and it sounds ambiguous! I am not suggesting hacking HostRocket Web Services! I was just wondering if the hacking of this Forum had been done by a disgruntled Forum member!

    Ivor and Mel


  6. #6
    Administrator
    Join Date
    Jan 2001
    Location
    N Wales
    Posts
    1,651
    Rep Power
    0
    Note: There is no virus on the site or server. It has been thoroughly tested by myself, and others in the UK, and different countries.

    Your computer has been infected via spoof emails, and is most likely WINFIXER, which is MALWARE, hence adaware, spybot, av will not find it.

    The problem is on your own computer & the fix is here,

    http://forums.bollyent.com/index.php?showtopic=12084
    Regards,

    Keith & Ping


    Free Asian dating & forum - www.filipinouk.co.uk
    Subscription dating, 1000's of members - www.asiansingle4u.com
    Professional gambling & forum - www.win2win.co.uk
    Betting bot reviews - www.exchangebots.com
    Professional poker & forum - www.win2winpoker.co.uk
    Astronomy forum - www.astronomy-forum.co.uk
    Company site - www.win2win-limited.co.uk


  7. #7
    Banned ivor&mel's Avatar
    Join Date
    Feb 2006
    Location
    Sheffield
    Posts
    586
    Rep Power
    0
    Quote Originally Posted by admin @ May 9 2006, 07:30 PM
    Note: There is no virus on the site or server. It has been thoroughly tested by myself, and others in the UK, and different countries.

    Your computer has been infected via spoof emails, and is most likely WINFIXER, which is MALWARE, hence adaware, spybot, av will not find it.

    The problem is on your own computer & the fix is here,

    http://forums.bollyent.com/index.php?showtopic=12084
    So are you telling me that all the machines I have used today are infected by that e-mail? Even though the e-mail was seen on only one of the machines, and the attachment was not run to install the Trojan? The only pages that show this behaviour are the Forum and Gallery pages on win2winracing. The only common factor is a visit to these pages on win2winracing.

    The e-mail headers show the following routing:

    Received: from [66.147.238.53] (helo=host.win2winracing.com) by pih-mxcore09.plus.net with esmtp (PlusNet MXCore v2.00) id 1FdOwf-00038z-Uo for <my-e-mail-address>; Tue, 09 May 2006 10:55:58 +0100

    Received: from nobody by host.win2winracing.com with local (Exim 4.44) id 1FdOwZ-0003eW-5L for <my-e-mail-address>; Tue, 09 May 2006 10:55:51 +0100

    X-Mailer: IPB PHP Mailer
    Message-ID: <E1FdOwZ-0003eW-5L@host.win2winracing.com>

    It seems that 66.147.238.53 resolves to both hc1.ded203.com and host.win2winracing.com... So where did the e-mail come from...?

    Ivor and Mel

    EDIT: I'm still trying to figure out what is going on here... It seems that whenever I connect to win2win, the browser downloads 2 Java files into:

    C:\Documents and Settings\Ivor Hutchinson.ROMSDAL.001\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar

    i.e.

    count.jar-15d389d-xxxxxxxx.idx
    count.jar-15d389d-xxxxxxxx.zip

    (xxxxxxxx seems to vary) and AVG reports the ZIP file as being infected.
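
Added example, not part of the original posts: one way to read the Received chain quoted in post #7 oldest-first and see where the message was first handed to a mail server. The function names `trace_hops` and `origin_summary` are this example's own; it relies on Exim recording `with local` for a message submitted by a local process rather than over SMTP.

```python
import re
from email import message_from_string

# Headers as quoted in post #7 (recipient redacted there; line folding is constructed).
RAW = """\
Received: from [66.147.238.53] (helo=host.win2winracing.com)
 by pih-mxcore09.plus.net with esmtp (PlusNet MXCore v2.00)
 id 1FdOwf-00038z-Uo for <my-e-mail-address>; Tue, 09 May 2006 10:55:58 +0100
Received: from nobody by host.win2winracing.com with local (Exim 4.44)
 id 1FdOwZ-0003eW-5L for <my-e-mail-address>; Tue, 09 May 2006 10:55:51 +0100
X-Mailer: IPB PHP Mailer
Message-ID: <E1FdOwZ-0003eW-5L@host.win2winracing.com>

"""

# Matches Exim-style "from X [(helo=Y)] by Z with PROTO".
HOP = re.compile(
    r"from\s+(?P<src>\S+)(?:\s+\(helo=(?P<helo>[^)]+)\))?\s+"
    r"by\s+(?P<by>\S+)\s+with\s+(?P<proto>\S+)", re.I)

def trace_hops(raw):
    """Return hops oldest-first. Each MTA prepends its Received header,
    so the last one in the file is the first hop in time."""
    msg = message_from_string(raw)
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        m = HOP.search(" ".join(value.split()))  # unfold continuation lines
        if m:
            hops.append(m.groupdict())
    return hops

def origin_summary(raw):
    """Summarise where the message entered the mail system."""
    msg = message_from_string(raw)
    hops = trace_hops(raw)
    first, last = hops[0], hops[-1]
    local = first["proto"].lower() == "local"
    return {
        "origin_host": first["by"],                  # MTA that first accepted it
        "local_submission": local,                   # not received over SMTP
        "submitting_user": first["src"] if local else None,
        "mailer": msg.get("X-Mailer"),
        "relay_ip": last["src"].strip("[]"),         # IP seen by the recipient's MX
        "helo_matches_origin": last["helo"] == first["by"],
    }

if __name__ == "__main__":
    for key, value in origin_summary(RAW).items():
        print(f"{key}: {value}")
```

Only the topmost Received line, written by the recipient's own provider, is recorded by a host the recipient can trust; the lines below it are claims made by the sending side and are worth checking against that top hop, as `helo_matches_origin` does here.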


  8. #8
    Administrator
    Join Date
    Jan 2001
    Location
    N Wales
    Posts
    1,651
    Rep Power
    0
    No sleep for two days......Supposed to be on my hols now.

    Anyway, discovered that some ...... had used a hack on the forum, all fixed now and extra security in place.

    Apologies for the hassle, out of my control. My guess is they are going round a lot of IPB forums on the planet, and I've informed the programmers, who should sort it quick.

    Thanks to Rob for calling me just as I was off to bed. Typical of the Welsh
    Regards,

    Keith & Ping




  9. #9
    Banned
    Join Date
    Jan 2006
    Location
    Croydon, Surrey
    Posts
    164
    Rep Power
    0
    Quote Originally Posted by admin @ May 11 2006, 08:19 AM
    No sleep for two days......Supposed to be on my hols now.

    Anyway, discovered that some ...... had used a hack on the forum, all fixed now and extra security in place.

    Apologies for the hassle, out of my control. My guess is they are going round a lot of IPB forums on the planet, and I've informed the programmers, who should sort it quick.

    Thanks to Rob for calling me just as I was off to bed. Typical of the Welsh

    I got the email as well on my work computer and stupidly opened it.

    It caused all sorts of problems in work and the IT guys were giving me **** for opening it

    It kept closing down applications and then re-booting the machine, but they fixed it - touch wood


  10. #10
    Administrator
    Join Date
    Jan 2001
    Location
    N Wales
    Posts
    1,651
    Rep Power
    0
    Blimey. Maybe they need some up-to-date AV installed, as it was a very old trojan.
    Regards,

    Keith & Ping



