Suvetar
Forum Moderator Interstellar Services Department
|
Posted - 2006.10.09 15:37:00 -
[1]
Hi Everyone,
As you probably noticed, we've had a surfeit of posts linking to a shady looking URL recently; as you will no doubt imagine this is indeed a piece of malware that is designed to steal your Username and Password and who knows what else.
So surf safe, don't click any links tempting you to hack EVE and rest assured that your friendly local mod team are doing everything we can to get the forums back on track!
Thanks!
|
|
Unfamed II
FinFleet Lotka Volterra
|
Posted - 2006.10.09 15:43:00 -
[2]
Edited by: Unfamed II on 09/10/2006 15:43:31
Keep up the good work, was about to report one linky, but it had already disappeared while I was writing about it to you.
|
GC13
Caldari FATAL REVELATIONS Lotka Volterra
|
Posted - 2006.10.09 15:55:00 -
[3]
A trojan? O RLY?
*chalks one up for intuition*
---
New to Eve? Interested in manufacturing stuff, or doing research on blueprints? Check out my fully-updated Science and Industry guide. |
Daald
Celestial Fleet Ascendant Frontier
|
Posted - 2006.10.09 16:03:00 -
[4]
Edited by: Daald on 09/10/2006 16:02:53
Look for a file in your C: drive called autoexec.exe
That is what the website tries to install by creating an adodb.stream object. It tries to instantiate that object twice. I'm still looking at the second portion of the infecting code.
___________________________________________
Logic is a systematic method of coming to the wrong conclusion with confidence. -Murphy |
Verite Rendition
Caldari AUS Corporation CORE.
|
Posted - 2006.10.09 16:08:00 -
[5]
Originally by: Daald
Edited by: Daald on 09/10/2006 16:02:53
Look for a file in your C: drive called autoexec.exe
That is what the website tries to install by creating an adodb.stream object. It tries to instantiate that object twice. I'm still looking at the second portion of the infecting code.
I'm assuming he's trying to use a 0-day IE exploit? ---- AUS Corp Lead Megalomanic |
Daald
Celestial Fleet Ascendant Frontier
|
Posted - 2006.10.09 16:10:00 -
[6]
The code is obfuscated. I'm deobfuscating by hand and trying to insert meaning as I see it.
I'll let you know as I learn more. ___________________________________________ Logic is a systematic method of coming to the wrong conclusion with confidence. -Murphy |
Quin Tal
Expeto Libertas
|
Posted - 2006.10.09 16:13:00 -
[7]
Thanks for the heads up Suvetar.
Do you know what one of the URLs is so we know what to look for?
|
Jenny Spitfire
Caldari
|
Posted - 2006.10.09 16:15:00 -
[8]
Originally by: Quin Tal Thanks for the heads up Suvetar.
Do you know what one of the URLs is so we know what to look for?
Ukrainian website, somename.something.somewhere.ua. --------- Cruelty is God's way of showing kindness and God is kind. Vagabond pilots want http://oldforums.eveonline.com/?a=topic&threadID=405915 |
keepiru
Supernova Security Systems
|
Posted - 2006.10.09 16:15:00 -
[9]
Btw, the spamming and cleanup broke the glue on the stickies in ships & modules, could you slap some new blue-tack on them? :D ----------------
Please fix BC Sig/Agility! |
Daald
Celestial Fleet Ascendant Frontier
|
Posted - 2006.10.09 16:17:00 -
[10]
I would block anything going to advertology.net
That is where one of the attack vectors is coming from. ___________________________________________ Logic is a systematic method of coming to the wrong conclusion with confidence. -Murphy |
|
Mortok Tristan
|
Posted - 2006.10.09 16:18:00 -
[11]
Originally by: Daald
Edited by: Daald on 09/10/2006 16:02:53
Look for a file in your C: drive called autoexec.exe
That is what the website tries to install by creating an adodb.stream object. It tries to instantiate that object twice. I'm still looking at the second portion of the infecting code.
The second part is c:\windows\csrss.exe; get rid of it, and references to it in the registry.
|
Tharrn
Amarr 1st Praetorian Guard Vigilia Valeria
|
Posted - 2006.10.09 16:32:00 -
[12]
Wohoo... 'Stop Scams' is the newest spambot.
Now recruiting!
|
spurious signal
Caldari Brainiacs
|
Posted - 2006.10.09 16:36:00 -
[13]
Surely now it's time to start curbing the posting rights of trial accounts?
Heck, seems to me that 90% of the uses of trial accounts in general are bad. When 10% of the people logged on at any one time are trial accounts you have to question if they're being used as intended.
|
Tsanse Kinske
WeMeanYouKnowHarm
|
Posted - 2006.10.09 16:38:00 -
[14]
Originally by: Tharrn Wohoo... 'Stop Scams' is the newest spambot.
http://oldforums.eveonline.com/?a=topic&threadID=300394 for an example.
* * * In the beginning the Universe was created. This has made a lot of people very angry and been widely regarded as a bad move.
-Douglas Adams, writing about EVE |
Jenny Spitfire
Caldari
|
Posted - 2006.10.09 16:39:00 -
[15]
Originally by: Tsanse Kinske
Originally by: Tharrn Wohoo... 'Stop Scams' is the newest spambot.
http://oldforums.eveonline.com/?a=topic&threadID=300394 for an example.
Spammer has a political agenda against trial accounts. --------- Cruelty is God's way of showing kindness and God is kind. Vagabond pilots want http://oldforums.eveonline.com/?a=topic&threadID=405915 |
Tharrn
Amarr 1st Praetorian Guard Vigilia Valeria
|
Posted - 2006.10.09 16:39:00 -
[16]
It's not trial accounts - they are using hacked accounts. The last two bots posted using characters that are over a year old.
Now recruiting!
|
|
Karass Sayfo
Forum Moderator Interstellar Services Department
|
Posted - 2006.10.09 16:40:00 -
[17]
Before you click on URLs, put your mouse over first to see the address. When in doubt, don't click!
|
|
Caerleus
Board of Twenty
|
Posted - 2006.10.09 16:41:00 -
[18]
Changing trial account rights will have very little effect. This spammage is coming from accounts that are NOT trial accounts, but either hacked accounts or paid for accounts. This is how they are able to access certain parts of the forums that trial accounts already have no access to.
Post count limiters, say 1 post per minute. That would slow them down considerably.
Eve is like a new girlfriend - you know its going down at some point, its just when and for how long. |
Jenny Spitfire
Caldari
|
Posted - 2006.10.09 16:42:00 -
[19]
Edited by: Jenny Spitfire on 09/10/2006 16:42:08
Originally by: Mortok Tristan
Originally by: Daald
Edited by: Daald on 09/10/2006 16:02:53
Look for a file in your C: drive called autoexec.exe
That is what the website tries to install by creating an adodb.stream object. It tries to instantiate that object twice. I'm still looking at the second portion of the infecting code.
The second part is c:\windows\csrss.exe crss.exe get rid of it, and references to it in the registry
Fixed. --------- Cruelty is God's way of showing kindness and God is kind. Vagabond pilots want http://oldforums.eveonline.com/?a=topic&threadID=405915 |
GC13
Caldari FATAL REVELATIONS Lotka Volterra
|
Posted - 2006.10.09 16:44:00 -
[20]
You'd figure people wouldn't be stupid enough to click on a link in an obvious spam post. Oh well, I guess the dumbos a few standard deviations below the median for intelligence are making the lives of forumers difficult.
---
New to Eve? Interested in manufacturing stuff, or doing research on blueprints? Check out my fully-updated Science and Industry guide. |
|
|
Xorus
Forum Moderator Interstellar Services Department
|
Posted - 2006.10.09 16:45:00 -
[21]
With the recent postings of links to keyloggers on the internet we have the following advice to give our forum users. Firstly, if you don't already have an Anti-Virus program we suggest you get one; there are a number of free products for home users including AVG Free Edition, Avast Home Edition and Avira AntiVir, all of these are free for home users. If you already have an Anti-Virus program make sure it's up to date, as having an out of date AV program is almost as bad as not having one at all.
Always be careful what you download on the EVE Forums as you never know what it might contain, things like EVEMon and Quickfit are safe to download as they have been tested and are from trusted sources, always be careful of any links posted on these forums as you never know what it may contain, ensure all your security software is up to date before clicking links.
---
Wanna Buy a Goat??- Tirg
Member of the 'Kaemonn is My Hero' club Member of the "Immy's Bald Head Appreciation Society" Xorus is currenly off duty counting trees in Siberia. -Ivan K How much is that goaty in the window, baaa baaaa - Cortes (Secretary, Bald Head Appreciation Society)
All your sig are belong to me - Tanis
|
|
Sean Dillon
Caldari Privateers
|
Posted - 2006.10.09 16:46:00 -
[22]
I think people who do this are pathetic.
But Imho every link that's posted somewhere should be approached with caution, I have played other mmorpg where the phenomenon of keyloggers is a lot bigger than in eve online. Part of this is because the market system makes it very easy to check market transactions. Nonetheless this doesn't mean people won't give it a try. As long as people are willing to pay $ for isk on ebay you will see this keep happening.
|
Fleeeeeeeeeee
|
Posted - 2006.10.09 16:49:00 -
[23]
keep jumping up and down on them i'm sure they'll sod off eventually
|
Baleorg
Gallente Guys of Sarcasm
|
Posted - 2006.10.09 16:57:00 -
[24]
Edited by: Baleorg on 09/10/2006 16:58:09
*cough* clicking links that promise to "gain unfair advantage" ye... btw.. why are *YOU* still using IE ?! :-P you like risks?
---
BTW: A GOOD Cache-Cleaner |
Daald
Celestial Fleet Ascendant Frontier
|
Posted - 2006.10.09 17:01:00 -
[25]
Originally by: Jenny Spitfire Edited by: Jenny Spitfire on 09/10/2006 16:42:08
Originally by: Mortok Tristan
Originally by: Daald
Edited by: Daald on 09/10/2006 16:02:53
Look for a file in your C: drive called autoexec.exe
That is what the website tries to install by creating an adodb.stream object. It tries to instantiate that object twice. I'm still looking at the second portion of the infecting code.
The second part is c:\windows\csrss.exe crss.exe get rid of it, and references to it in the registry
Fixed.
I didn't see that. It seems that the second portion sets up autoexec.exe to gain elevated privileges. I guess there was another attack vector that I didn't follow?
The second portion of that code seems to do this: http://www.snort.org/pub-bin/sigs.cgi?sid=7988
___________________________________________ Logic is a systematic method of coming to the wrong conclusion with confidence. -Murphy |
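A host check for the indicators named in posts [4], [11] and [19] above, added here as an example that is not part of any post in this thread: it looks for the three file names mentioned and for autostart entries that reference them. The choice of Run/RunOnce keys is an assumption, since the thread only says "the registry".

```powershell
# Paths are exactly as posted; both spellings from posts [11] and [19] are included.
$suspectFiles = @(
    'C:\autoexec.exe',
    'C:\Windows\csrss.exe',   # the genuine csrss.exe lives in C:\Windows\System32
    'C:\Windows\crss.exe'
)

# Assumption: the thread only says "the registry"; these are the common autostart keys.
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

$findings = @()

foreach ($path in $suspectFiles) {
    # -Force also returns hidden and system files
    $item = Get-Item -LiteralPath $path -Force -ErrorAction SilentlyContinue
    if ($item) {
        $findings += [pscustomobject]@{
            Type   = 'File'
            Where  = $item.FullName
            Detail = '{0} bytes, created {1:u}' -f $item.Length, $item.CreationTimeUtc
        }
    }
}

foreach ($keyPath in $runKeys) {
    $key = Get-Item -LiteralPath $keyPath -ErrorAction SilentlyContinue
    if (-not $key) { continue }
    foreach ($name in $key.GetValueNames()) {
        $value = [string]$key.GetValue($name)   # REG_EXPAND_SZ is expanded here
        foreach ($path in $suspectFiles) {
            # Case-insensitive substring match on the full path
            if ($value.IndexOf($path, [StringComparison]::OrdinalIgnoreCase) -ge 0) {
                $findings += [pscustomobject]@{
                    Type = 'Autostart'; Where = "$keyPath [$name]"; Detail = $value
                }
            }
        }
    }
}

if ($findings) {
    $findings | Format-Table -AutoSize -Wrap
} else {
    'None of the indicators from the thread were found.'
}
```

The script only reports; any file or autostart value it lists still needs to be reviewed before removal.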
Eve Hel
|
Posted - 2006.10.09 17:20:00 -
[26]
they should have a flame treatment in their nuts area.
seriously these ppl have no honor... must be sad to be them. |
ElCoCo
Gallente KIA Corp
|
Posted - 2006.10.09 17:22:00 -
[27]
Someone suggested it already... can you put the url on the profanity filter list?
|
Emily Spankratchet
Minmatar Pragmatics
|
Posted - 2006.10.09 17:23:00 -
[28]
Ho hum. At least the bot that starts new threads doesn't completely destroy the forum by randomly necroing things.
Good luck ISD, you're doing a great job.
|
solidshot
Sebiestor tribe
|
Posted - 2006.10.09 17:26:00 -
[29]
new spammer named Traderia
|
ThunderGodThor
KIA Corp
|
Posted - 2006.10.09 17:29:00 -
[30]
So are u guys able to hand out the ban stick fast enough to stop this posting **** (insert various 4 letter words)? I mean few mins ago the corp and alliances was completely spammed.
|