munin
+ Reply to Thread
Results 1 to 6 of 6

Thread: Internet Accounts attack - IP warning

  1. #1
    Join Date
    Feb 2005
    Posts
    1

    Exclamation Internet Accounts attack - IP warning

    Hi

    This is my first post here.

    I recently have had a number of internet accounts attacked, where the user tried to Login, and in one case was successful (so they probably got a general password from a bad site).

    I believe this person also tried to access my egold account.

    I have pasted the whois on the IPA : (some of my accounts reported the offending IPA to me.
    noorus.aklubi.ee (***.40.*0.222)
    Domain
    ***.40.*0.0 - ***.40.*0.255
    Estonian Educational and Research Network
    Mihkel Kraav
    Raekoja plats *4
    5*004 Tartu
    Estonia
    +*72 7 *02**0
    +*72 7 *02***
    [email]mihkel@eenet.ee[/email]

    Raivo Hirmo
    EENet
    Raekoja plats *4
    EE5*004 Tartu
    Estonia
    +*72 7 *02 **0
    +*72 7 *02 ***
    [email]Raivo.Hirmo@eenet.ee[/email]

    TraceRoute
    Hop IP Address Hostname Average RTT*
    * **2.*68.*.* bodhi.pair.net 0.*8 ms
    2 64.2*4.*74.*77 so-2-*-0.ar2.cle*.gblx.net *.6* ms
    * 67.*7.65.*82 so5-0-0-2488M.ar2.CPH*.gblx.net ***.5* ms
    4 208.48.2*.*54 geant-se*-se.so-6-0-0.ar2.CPH*.gblx.net *64.*5 ms
    5 62.40.*0*.2*0 eenet-gw.se*.se.geant.net **5.87 ms
    6 ***.40.***.24* ***.40.***.24* **6.** ms
    7 ***.40.***.*86 trt-ge0-*-**4.bb.eenet.ee ***.68 ms
    8 ***.40.*0.222 noorus.aklubi.ee *47.70 ms


    I am looking for information on how to report this to an agency that actually cares to followup (local police report won't make a difference, for a hack from another country).

    Last week, one of my network computers got a spyware trojan for the i-search bar system. It took me over a day to clean it out, and it made major changes in my registry, including the inability to remove the items from autorun. It also added icons to my desktop for antispyware (where the site described the exact conditions that it infected me with). I think I got it while at a search engine, and the perputrators id was in all the links.

    The name of some of the infecting files were:
    C:\WINDOWS\isrvs\suka.exe
    C:\WINDOWS\isrvs\dsfeef.exe
    C:\WINDOWS\isrvs\feee.exe
    C:\WINDOWS\isrvs\sfee.exe
    C:\58af2afd.exe
    C:\WINDOWS\system*2\soft.exe

    and the Desktop links were:
    \Desktop\Evidence Eraser.lnk
    \Desktop\PopUp Blocker Stops PopUps.lnk
    \Desktop\Spyware Avenger.lnk
    \Desktop\Virus Hunter Security.lnk
    \Desktop\Your Platinum ****.lnk
    All of the address were like: [url]http://in.[/url] (Eraser,Spyhunter etc
    or [url]www.mainstreamdollars.[/url]

    The base company for these programs is:
    Postal Mail: iDownload.com
    **80 Avenue of the Americas
    *4th Floor
    New York, NY *00*6
    *-800-844-5***


    And it took 4 seperate spyware programs, ZoneAlarm and AntiVir to suppress all of its links.
    The trojan system also disconnected my ability to do a windows update.
    I could have admired this attack for it thouroughness, if I weren't gritting my teeth so much.

    To me, this is terrorism.
    they loaded programs into my computer, including flagged viruses, and trojans, disconnected my services and some of my administrative privilages and then had the ball to advertise their site for a cleanup!

    Where to report, as I want to get these suckas!

    For another Idea, how about a class action suit on any company deploying such systems. based on lost time and privacy hacking?
    Majic
    Clearline Enterprises

  2. #2
    Haint Guest
    I doubt one has anything to do with the other, aside from unsafe computing practices on your part. As for the i-search toolbar you were infected with:

    "Pugi is a family of customised toolbars/browser hijackers based on toolbar code from Softomate Solutions (besttoolbars.net). The behaviours of Pugi variants depends on the details in the configuration XML file supplied and updated by the customisers, but typically there will be a toolbar with a search box and link buttons, coupled with an address bar search hijacker, DNS error hijacker and sometimes homepage hijacker or search sidebar hijacker.

    Some of Pugi-based toolbars have been installed by various non-legitimate means and are considered parasites.
    Variants

    Pugi/Searchit, pointed at [url]www.searchit.com,[/url] distributed through inet-traffic.com.

    Pugi/SearchExplorer, pointed at [url]www.search-explorer.com,[/url] distributed through and controlled by adpowerzone.com.

    Pugi/Qidion, controlled by qidion.com, pointed at [url]www.findwhatevernow.com.[/url]

    Pugi/******bar, pointed at ******bar.com; also sets search pages to point at ******bar.com.

    Pugi/WhyPPC, controlled and targeted at whyppc.com, operated by YesUp Ecommerce Solutions.

    Pugi/iSearch, pointed at isearch.com, controlling server auto.isearch.com. Distributed and controlled by iDownload.com. Some versions of its installer also include a Hosts file hijacker that blocks access to several dozen anti-parasite web sites, including DOXdesk. If doxdesk.com resolves to the address *27.0.0.*, this is the parasite responsible.

    Pugi/4**Ferret, controlling server and search target 4**ferret.com (typically redirecting to *2*search.com for searches). Pugi/SearchLocate, search target searchlocate.com, also includes a sidebar that opens with pay-per-click links when a search is carried out on another search engine. Both 4**Ferret and SearchLocate are operated by Avatar Resources, who also operate the AutoStartup parasite.

    Pugi/Gexus: controlling server and search target gexus.com.

    Pugi/Yuups: controlling server and hompage hijack site yuups.com. Uses graphics from the Google toolbar; some of the buttons from the toolbar link to Google instead of YuupSearch.

    ISTbar/XXXToolbar and RichFind also include Pugi-based toolbars as part of their code.
    Also known as

    Softomate toolbar. Browser Angel (SearchLocate variant).
    Distribution

    ActiveX drive-by download in pop-up adverts. Pugi/iSearch is installed by ActiveX drive-by-downloads triggered by Windows Media DRM licensing through protectedmedia.com/instantdrm.com, and also through exploitation of IE security holes on porn sites using traffic monitors from Porngraph.

    Pugi/SearchExplorer was also installed by the 2ndThought parasite from June 200*.

    Pugi/WhyPPC was installed by ActiveX drive-by download in pop-ups from popinads.com (part of paypopup.com/YesUp, which also operates whyppc.com).

    Pugi/4**Ferret was bundled with Grokster around late 2004.

    Pugi/Gexus was distributed by ActiveX drive-by download from serialspot.com (adzoma.com).

    Pugi/Yuups was distributed by IE security hole exploits in the usual CoolWebSearch manner.
    What it does
    Advertising

    Possible, if enabled in the toolbar’s configuration. The SearchExplorer variant is the only version known to use this facility.
    Privacy violation

    Possible, again in the SearchExplorer variant which may pass URLs being viewed to its controlling server every few pages (including local folders viewed using the Windows Explorer!), and also in the SearchLocate variants, which passes all searches made on other sites to its servers, which set a cookie so that search usage can be *****ed.
    Security issues

    Has a self-updating feature, which is usually not turned on, but might be enabled in some variants.
    Stability problems

    None known.
    Removal

    Open Add/Remove Programs in the Control Panel and remove the entry ‘Searchit - toolbar’ (Searchit variant), ‘Toolbar - My toolbar’ (Search-Explorer variant), ‘qidion - toolbar’ (Qidion variant), ‘******barHallmedia.net’ (******Bar variant), ‘IE Toolbar’ (WhyPPC variant), ‘autoSearch’ (SearchLocate variant), ‘4**Ferret Toolbar’ (4**Ferret variant) or ‘YuupSearch Toolbar’ (Yuups variant).

    In the SearchLocate variant, the Add/Remove Programs entry removes the software but not the A/R P entry itself. To clear up, open the registry (click ‘Start’, choose ‘Run’, enter ‘regedit’) and delete the key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A5558*DC-2CDB-408*-8878-7*A080B22*42}.

    In the Yuups variant, the Add/Remove Programs entry removes the toolbar but leaves behind a program set to run at startup which opens the yuups.com site in a pop-up. See below to remove this.
    Manual Removal

    Open a DOS command prompt window (from Start->Programs->Accessories) and enter the following commands, for Pugi/Searchit:

    cd "%WinDir%\System"
    regsvr*2 /u "..\Downloaded Program Files\srchitbar.dll"

    Or, for Pugi/SearchExplorer:

    cd "%WinDir%\System"
    regsvr*2 /u "C:\Program Files\Search-Explorer\explbar.dll"

    Or, for Pugi/Qidion:

    cd "%WinDir%\System"
    regsvr*2 /u "..\Downloaded Program Files\qi*2.dll"

    Or, for Pugi/******Bar:

    cd "%WinDir%\System"
    regsvr*2 /u "C:\Program Files\******Bar\******bar.dll"

    Or, for Pugi/WhyPPC:

    cd "%WinDir%\System"
    regsvr*2 /u "..\Downloaded Program Files\toolbar.dll"

    Or, for Pugi/iSearch:

    cd "%WinDir%\System"
    regsvr*2 /u toolbar.dll

    Or, for Pugi/SearchLocate:

    cd "%WinDir%\System"
    regsvr*2 /u "\Program Files\SearchLocate\sidebar.dll"

    Or, for Pugi/4**Ferret:

    cd "%WinDir%\System"
    regsvr*2 /u "\Program Files\4**Ferret\toolbar.dll"

    Or, for Pugi/Gexus:

    cd "%WinDir%\System"
    regsvr*2 /u "..\Downloaded Program Files\toolbar.dll"

    Or, for Yuups:

    cd "%WinDir%\System"
    regsvr*2 /u "\Program Files\YuupSearch Toolbar\google_toolbar.dll"

    Restart the computer and you should be able to delete the program files. For the SearchExplorer and ******Bar variants you can delete the entire ‘Search-Explorer’ or ‘******Bar’ folder in the Program Files on the C: drive (regardless whether or not that is your system drive).

    For the SearchLocate, 4**Ferret and Yuups variants you can delete the entire ‘SearchLocate’, ‘4**Ferret’ or ‘YuupSearch Toolbar’ folders from the normal Program Files folder.

    For the iSearch variant you can delete the files toolbar.dll and version.txt from the System*2 folder (inside the Windows folder, called just ‘System’ on Windows *5/*8/Me).

    For Pugi/Qidion use this command to delete the files:

    del "%WinDir%\Downloaded Program Files\qi*2.dll"

    For Pugi/Searchit:

    del "%WinDir%\Downloaded Program Files\srchitbar.dll"

    For Pugi/Gexus and Pugi/WhyPPC:

    del "%WinDir%\Downloaded Program Files\toolbar.dll"

    To clean up, you can also remove the settings in a subkey under the registry key HKEY_LOCAL_MACHINE\Software. The subkey is called search-explorer (SearchExplorer variant), searchit (Searchit variant), qidion (qidion variant), ******bar (******bar variant), iSearch (iSearch variant), Softomate (SearchLocate and WhyPPC variants), BTB (4**Ferret variant) or XBTB0*500 (Yuups variant).

    For the Yuups variant, you should also remove the yuups.com-opening startup task. To do this, open the registry (click ‘Start’, choose ‘Run’, enter ‘regedit’) and select the key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run. On the right, right-click the entry ‘MSTask’ pointing to run_dll.exe and choose ‘Delete’. Restart the computer and you should be able to delete the file run_dll.exe in the System*2 folder (inside the Windows folder; called just ‘System’ on Windows *5/*8/Me).
    iSearch variant

    After removal, check your Hosts file. This can be found inside the Windows folder on Windows *5/*8/Me, or in System*2\drivers\etc in the Windows folder on Winddows NT/2000/XP/200*. Load it into a text editor such as Notepad and check for lines pointing addresses from *27.0.0.2 upwards at spyware-related sites. If they are there, delete all of these, and correct the entry for localhost to *27.0.0.* instead of *27.0.0.0.
    2ndThought removal

    If you had Pugi/SearchExplorer, check whether it was installed by 2ndThought. 2ndThought is a commercial trojan controlled by 2nd-thought.com. It is installed by ActiveX drive-by-downloads from the advertising network AdsCPM, who wrote it (as well as FreeScratchAndWin).

    Open the registry (click ‘Start’, choose ‘Run’ and enter ‘regedit’) and find the key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run. On the right, delete the ‘stcloader’ entry if you have it. If so, restart the computer and you should be able to delete the ‘STC’ folder inside Program Files, and ‘2ndsrch.dll’ and ‘stcloader.exe’ from the System folder (which is inside the Windows folder, and called ‘System*2’ on Windows NT/2000/XP)."

    [url]http://www.doxdesk.com/parasite/Pugi.htm[/url]

  3. #3
    Unregistered Guest
    I agree with the above post. Do youself a big favor, stop using MicroSoft Explorer as your Web Browser and switch to Mozilla FireFox. Install and use MicroSoft Antispyware, Spysweeper, SpywareBlaster, SpyBotSearch and Destroy, and Ad-Aware. Get yourself a good hardware firewall like AlphaShield and compliment it with a good software firewall like OutPost Firewall or ZoneAlarm. Set ZoneAlarm or Outpost to block any offending IP addresses. Problem solved!!! Oh, and frequently change all your passwords.

  4. #4
    Unregistered Guest

    THE PERSON LOGGING FROM ***.40.*0.222 HACKED MY ACCOUNT!

    The person hacking from ***.40.*0.222 HACKED INTO MY SyncInvest.com account and changed my details and probably is currently trying to steal my investments!

    I have contacted SyncInvest. Fortunately when you change your details, the last known account e-mail is alerted and the new e-mail/ip log is shown.

    HACKER AMONGST US. DETAILS:

    IP ADDRESS: ***.40.*0.222
    E-MAIL: [email]tuzik2005@**********[/email]

    LET'S NAIL THIS HACKER BEFORE S/HE GETS ANY FURTHER!

    I AM WILL TO PRESS CHARGES IF S/HE IS FOUND!

    THANK YOU ALL!

  5. #5
    Nick Guest

    Hey man - i can help you

    Hey man - the names of files is mostly russian:
    suka in russian means "b-i-t-c-h".
    Your attackers probably was using SOCKS proxies from Estonia.
    You can find list of them at [url]www.stayinvisible.com[/url]
    If you really want to investigate them - contact to This Estonian ISP
    and tell them date and type of attack.
    You can use abuse to report this attack to Estonian isp.
    You also can go to WHOIS.SC website:
    [url]www.whois.sc[/url] and check this adress is this spamming adress or not.
    Some usefull websites will add this ip if its sending viruses or spam.
    Better use TrendMicro firewall - its antivirus + firewall.
    Its a real protection of your pc.
    And last Windows XP tips:
    Go to Control Panel==>Administrative Tools==>Services and stop "Workstation" and "Server" Services - than your pc will be not avaible for hackers from the Internet.
    Tip 2:If you see suddenly message: "Your pc will be shutdowned in 60 seconds" - DO NEXT THING GO TO CMD (Start==>Run==>cmd)
    And type "shutdown /a" - THIS WILL ABORT ALL SHUTDOWNS MADED BY HACKERS FROM INTERNET.
    Best Regards
    Nick

  6. #6
    Unregistered Guest
    Go to Control Panel==>Administrative Tools==>Services and stop "Workstation" and "Server" Services - than your pc will be not avaible for hackers from the Internet.
    i got a lot of services which depend on that "workstation" und "Server" !?

    and i have access to the I-NET with a wireless pci-card in my PC using a DHCP server (wlan-router) who gives the LAN ip's to serveral machines in our network...
    what will happen to ME if a stop that two services ???

+ Reply to Thread

Similar Threads

  1. hi can you hacking MySpace Accounts And Deleted MySpace Accounts
    By The_Devil_Wears in forum Internet Privacy
    Replies: 0
    Last Post: 11-07-2009, 09:27 PM
  2. wap/wep attack
    By pure hate in forum Internet Privacy
    Replies: 6
    Last Post: 09-12-2007, 04:15 AM
  3. Warning - SCAM!
    By anti-scammer in forum Internet Privacy
    Replies: 1
    Last Post: 06-03-2005, 08:43 PM
  4. WARNING!!!Code Red Alert
    By tips&tricks in forum Viruses and Trojans
    Replies: 0
    Last Post: 08-19-2001, 04:11 AM
  5. WARNING! Is your proxy spying on you?
    By Blacksheep in forum Proxies and Firewalls
    Replies: 16
    Last Post: 07-17-2001, 12:49 PM

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts