Old 08-05-2004, 09:08 AM   #11
Stroggy
Home Sweet Abandonia

 
Join Date: Mar 2004
Location: Cambridge, England
Posts: 1,342

before we start randomly blaming people
I say we blame the New Guy!
ehm
failing to do that

it could be a virus... or perhaps an accident?
Old 08-05-2004, 09:11 AM   #12
Tom Henrik
10 GOSUB Abandonia
20 GOTO 10


 
Join Date: May 2004
Location: Orlando, United States
Posts: 4,787

But...

It's fun to blame random people...
__________________
ViGERP AKA what I have been working on these last couple of years...
Old 08-05-2004, 11:53 AM   #13
Stroggy
Home Sweet Abandonia

 
Join Date: Mar 2004
Location: Cambridge, England
Posts: 1,342

fine
I blame you... your infected game... and your army of smurfs

and if you didn't do it...
it was captain Snuffles, in the bathroom, with a sponge (for those that don't get it... search for the boardgame Clue)
Old 08-05-2004, 12:24 PM   #14
Kosta
10 GOSUB Abandonia
20 GOTO 10
 


 
Join Date: Oct 2003
Location: Ranelagh, Ireland
Posts: 1,577

OK, after some digging, I've found the IP of the intruder that did this. It was someone from the UK it seems. To be precise:

Fri May 7 15:41:53 2004 0 host213-122-59-207.in-addr.btopenworld.com

Now to check the forum logs to see if anyone uses that IP! And if not, well, must be a random hacker!
Old 08-05-2004, 12:56 PM   #15
Kosta
10 GOSUB Abandonia
20 GOTO 10
 


 
Join Date: Oct 2003
Location: Ranelagh, Ireland
Posts: 1,577

ok, after some more research, this is what I came up with...
So, the original address that the "hacker" used when connecting via FTP was

host213-122-59-207.in-addr.btopenworld.com

So, extract the IP from that, we get 213.122.59.207

Since the IPs are logged in the forum, I extracted everything that falls under the 213.122.xxx.xxx range (which I believe British Telecom certainly has) and I got a very interesting result. No names yet, since it could be a mistake, but there IS a person on this forum who uses the 213.122 range repeatedly. :?

Now, a lot of people certainly connect via BT so it's too much of a wild guess to be certain. Perhaps it's just a coincidence. I'll keep you informed
Old 08-05-2004, 02:46 PM   #16
Tom Henrik
10 GOSUB Abandonia
20 GOTO 10


 
Join Date: May 2004
Location: Orlando, United States
Posts: 4,787

I am beginning to suspect my own machine as being the traitor. :?

In the past I have had problems with people trying to access my machine through the use of a so-called "Trojan Horse". I thought I had gotten rid of these jerks, but maybe I haven't.

Neither the firewall I use nor any of my anti-spyware programs have detected anything unusual, but I think that I might have a free-loafer. Is there something I can do to be sure? Any programs I can use?

As for the IP.
I am not sure how I can find my own IP, but there is a chance that I am connected to the British one as I only live across the lake.

Please tell me what I can do to be sure my machine has not been used against you guys.
__________________
ViGERP AKA what I have been working on these last couple of years...
Old 08-05-2004, 03:04 PM   #17
Stroggy
Home Sweet Abandonia

 
Join Date: Mar 2004
Location: Cambridge, England
Posts: 1,342

make a search for "my ip" on google
there are several sites which display your ip
Old 08-05-2004, 03:05 PM   #18
Tom Henrik
10 GOSUB Abandonia
20 GOTO 10


 
Join Date: May 2004
Location: Orlando, United States
Posts: 4,787

Thanks, Stroggy!


I'm off.
__________________
ViGERP AKA what I have been working on these last couple of years...
Old 08-05-2004, 03:07 PM   #19
Kosta
10 GOSUB Abandonia
20 GOTO 10
 


 
Join Date: Oct 2003
Location: Ranelagh, Ireland
Posts: 1,577

Quote:
I am beginning to suspect my own machine as being the traitor. :?
Well, your IP resolves to 217-160-43.adsl.tele2.no, and you've always posted under that one so that's not it. However, what I did find odd is this:

--------------------------------------------------
Zupah_Smurf/s722/plugins/plugins/icqpwsteal.dll b _ i r kostak ftp 0 * c
Zupah_Smurf/s722/plugins/plugins/icqpwsteal.txt b _ i r kostak ftp 0 * c
Zupah_Smurf/s722/plugins/plugins/matrix.dll b _ i r kostak ftp 0 * c
<cut>
Zupah_Smurf/s722/s7config.cfg b _ i r kostak ftp 0 * c
Zupah_Smurf/s722/server.exe b _ i r kostak ftp 0 * c
Zupah_Smurf/s722/sin.exe b _ i r kostak ftp 0 * c
Zupah_Smurf/s722/sub7.exe b _ i r kostak ftp 0 * c
--------------------------------------------------

OK, so what this basically means is that, for some unknown reason, one of the most popular backdoors ever - subseven, was in your directory on the server. OK, so this is how I think the story goes:

You had / have sub7 installed on your computer. The intruder connected to your machine and extracted all passwords from your computer (yes, it can do that). Then the guy saw the password for abandonia which I gave you. He then connected to the site using WS_FTP and uploaded sub7 to your directory (that's what the logs show he did). I have absolutely no idea why he did it. After he uploaded sub7 to your directory on the server, he erased everything, and left the sub7 files and directories intact. In fact, that was one of the only things left on the server. However, he wasn't very smart because he thought that by deleting the access.log he would cover his tracks.

I filed an abuse complaint to British Telecom. Maybe they'll answer, maybe they won't. Time will tell. One thing is sure - Tom, get some anti-virus software please
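The log triage described in posts #15 and #19, as an added example that is not part of the thread or the site's own tooling: it parses xferlog-style FTP transfer lines, recovers the source IP from the reverse-DNS name, and lists forum accounts seen in the same /16. The sample log lines are stitched together from the two fragments quoted in the posts; the file size, second timestamp, leading slash, forum rows and all function names are assumptions.

```python
import ipaddress
import re

# Constructed sample: timestamp/host prefix and per-file suffix quoted
# separately in the posts, joined into full xferlog lines (size 0 is invented).
XFERLOG = """\
Fri May 7 15:41:53 2004 0 host213-122-59-207.in-addr.btopenworld.com 0 /Zupah_Smurf/s722/server.exe b _ i r kostak ftp 0 * c
Fri May 7 15:41:55 2004 0 host213-122-59-207.in-addr.btopenworld.com 0 /Zupah_Smurf/s722/sub7.exe b _ i r kostak ftp 0 * c
"""
# Constructed forum IP log: (hypothetical member name, posting IP).
FORUM_LOG = [("member_a", "213.122.10.4"), ("member_b", "192.0.2.10")]

FIELDS = ("xfer_time", "host", "size", "filename", "xfer_type", "flag",
          "direction", "access_mode", "user", "service", "auth_method",
          "auth_user", "status")

def parse_xferlog(text):
    """Return one dict per transfer line; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 18:            # 5 timestamp tokens + 13 fields
            continue
        # Filenames may contain spaces, so take fixed fields from both ends.
        filename = " ".join(parts[8:-9])
        rec = dict(zip(FIELDS, parts[5:8] + [filename] + parts[-9:]))
        rec["when"] = " ".join(parts[:5])
        records.append(rec)
    return records

def ip_from_ptr_name(host):
    """Recover a dotted quad embedded in a reverse-DNS name, else None."""
    m = re.search(r"(\d{1,3})-(\d{1,3})-(\d{1,3})-(\d{1,3})", host)
    try:
        return ipaddress.ip_address(".".join(m.groups())) if m else None
    except ValueError:                 # e.g. an octet above 255
        return None

def correlate(records, forum_log, prefix_len=16):
    """Map each uploading source IP to forum accounts in the same network."""
    hits = {}
    for rec in records:
        ip = ip_from_ptr_name(rec["host"])
        if ip is None or rec["direction"] != "i":   # "i" = incoming (upload)
            continue
        net = ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False)
        users = sorted({u for u, a in forum_log if ipaddress.ip_address(a) in net})
        hits[str(ip)] = {"network": str(net), "forum_users": users}
    return hits
```

A /16 covers 65,536 addresses, so a hit only narrows the list of accounts to look at, which matches the caution in post #15.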
Old 08-05-2004, 03:23 PM   #20
Tom Henrik
10 GOSUB Abandonia
20 GOTO 10


 
Join Date: May 2004
Location: Orlando, United States
Posts: 4,787

The only program I have downloaded with the letter 7 in it is 7-zip, and the only FTP I have ever used is yours, Kosta. I didn't know what an FTP was until you told me.

And I found the same IP address as you did.

But if it is the files in that folder that are corrupt, how do I prevent that from ever happening again? It would be a shame if the site becomes deleted every time I supply you with a new game.
__________________
ViGERP AKA what I have been working on these last couple of years...