Suspicious! Anyone else with trouble?

Mike Hewson
Moderator
Joined: 1 Dec 05
Posts: 6588
Credit: 312833499
RAC: 183687
Topic 190881

When, and only when I access/refresh this thread in Mozilla or Internet Explorer, my Trend Micro Internet Security catches and blocks attempts at lifting my credit card number and sending it to addresses like these ones:

http://ltproject.org/neilmunday/
http://seti.brutalhosts.com/
http://www.zacrifice.com/boincstats/
http://www.emacolet.com/seti/
http://www.wuschelkiste.de/setistat/boinc/
http://boincstats.nova-online.de/
http://www.pierre-bon.com/NMundayCounterSite/
http://munday.kincheloe.us/
http://wolfensystems.com/
http://www.geeksamazing.com/cgi-bin/
http://ncg58.eden5.netclusive.de/signature/
http://www1.helbing.nu/mundayweb/

where = mirror_xml.php?bg=c8c8c8&border=808080&text=ff0000&use_border=1&credit=120311.54%2C84258.31%2C83394.34%2C43421.33%2C32888.55%2C28567.23%2C12654.87%2C3592.17%2C1204.38%2C1087.24%2C225.08%2C191.55&name=MattDavis&updated=09/03...2C90.7%2C68.36%2C58.47%2C69.1%2C19.59&prjs=Seti%2CPredictor%2CEinstein%2CCPDN%2CLHC%2CRosetta%2CSZTAKI%2CSIMAP%2CuFluids%2CWCG%2CRALPH%2CSeti+BETA&rac=264.12%2C402.02%2C292.44%2C6.38%2C98.96%2C218.63%2C51.89%2C75.85%2C28%2C28.2%2C11.23%2C1.32&rf=1&prj=-1

there's a new address attempted each time, but it stays within the above set. I scan daily and fully to the limits of Trend Micro, and I am pretty well always on with broadband. I've only tested it with this machine I am writing from now.
If it's purely a local problem for me then I'll deal. I'm reporting it out of concern that it may be the case that someone is/has using/used the E@H forums to ill effect. The 'php' rang a bell, as that has something to do with scripting in the server/client interaction doesn't it? Suggestions? Mike

Oh, and when I attempted to post the above message ( creating a new thread )

http://einstein.phys.uwm.edu/forum_post.php?id=6

was blocked! ( no ) So now I've posted this using an entirely unrelated machine.

I have made this letter longer than usual because I lack the time to make it shorter ...

... and my other CPU is a Ryzen 5950X :-) Blaise Pascal

Wurgl (speak^Wcrunching for Special: Off-Topic)
Joined: 11 Feb 05
Posts: 321
Credit: 140550008
RAC: 0


Turn off signatures and Avatars like I do :^)

Michael Roycraft
Joined: 10 Mar 05
Posts: 846
Credit: 157718
RAC: 0


Mike,

Sounds like you have a spyware/malware infestation. Two programs to use:
Spybot Search and Destroy
AdAware SE Personal
Both are free, don't take too long to scan, and use no resources other than when scanning. You might want to go into the advanced settings and tweak for deeper, more thorough scans. If so, let me know, and I'll try to find the site that best goes into that, or at least let you know how to duplicate my settings.

Also, if you're using the paid version of Trend Micro, make sure you have the latest virus definitions.

Respects,

Michael

microcraft
"The arc of history is long, but it bends toward justice" - MLK

Mike Hewson
Moderator
Joined: 1 Dec 05
Posts: 6588
Credit: 312833499
RAC: 183687


Message 25707 in response to message 25706

Thank you both! The Trend Micro has dealt with it, it's no longer an issue for me. I'd just characterized it and reported it before I chose to eliminate it. I'm fairly new to bulletin boards, so I wasn't really aware that virus/malware/whatever could be an issue. But on reflection I guess nearly anything electively executable ( like scripts on html ) is prone. It's clarified why my daughter's computer is a recurring problem - she hangs around MSN/Hotmail!!

Cheers, Mike. :-)

( Hey Mike, email me man ! )


Michael Roycraft
Joined: 10 Mar 05
Posts: 846
Credit: 157718
RAC: 0


Mike,

I shall do that. I know I promised you an afternoon followup after the stent
surgery on Feb 16, but they filled me so full of Demerol that I hardly knew my
own name until the day after. Whew, bummer! Ya never got around to answering
my question about your family and all being out of the woods regarding the
wildfires that day. Short preview - the CT scan 2 weeks ago showed about
triple the # of badguys in my liver as the original, only 2 months previous,
and the pancreatic booger much larger.

Mike, after how much you've gone above and beyond the call in helping me, I owe
you much more than the scant few words in my irregular "update list" emails.

Chapter One, coming at ya soon!

Michael


Mike Hewson
Moderator
Joined: 1 Dec 05
Posts: 6588
Credit: 312833499
RAC: 183687


Message 25709 in response to message 25708

Quote:

Mike,

I shall do that. I know I promised you an afternoon followup after the stent
surgery on Feb 16, but they filled me so full of Demerol that I hardly knew my
own name until the day after. Whew, bummer! Ya never got around to answering
my question about your family and all being out of the woods regarding the
wildfires that day. Short preview - the CT scan 2 weeks ago showed about
triple the # of badguys in my liver as the original, only 2 months previous,
and the pancreatic booger much larger.

Mike, after how much you've gone above and beyond the call in helping me, I owe
you much more than the scant few words in my irregular "update list" emails.

Chapter One, coming at ya soon!

Michael


It's cool man! I figured you were sick, I was waiting for you to call! Mr Dragon's gone for this year too....


Neil Munday
Joined: 11 Feb 05
Posts: 3
Credit: 273255
RAC: 0


Hi,

The list of sites you mention are the ones used by my web site to take the load of generating users' stats signatures off my web server.

Norton and Trend Micro have been known to think that my mirror system is somehow attacking users' PCs.

I can assure you this is not the case and that your firewall is very wrong indeed!! There is no way that a PHP script (which runs server side) could get your credit card details or any other details, unless you explicitly submitted them to the script in some way.

For those who are interested, when a request for a user's stats graphic is received, my script randomly chooses one of the mirror sites and redirects them to the chosen mirror to get the graphic using a PHP header() function. This function generates an HTML header for the user's browser which tells it to get the image from a different location.

E.g.

Hope this helps,

Neil.

http://boinc.mundayweb.com
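As an added illustration of the redirect mechanism Neil describes (this is example code, not the actual mundayweb script): a front-end page that picks one of the mirror prefixes quoted in the thread at random and answers with an HTTP Location header pointing at that mirror's mirror_xml.php, forwarding only an allow-listed set of the query parameters seen in Mike's captured URL. The parameter names and the hex-colour check are assumptions for the example.

```php
<?php
// Added example (not Neil Munday's code): hand each stats-image request off
// to a randomly chosen mirror via an HTTP redirect, as described above.

// Mirror prefixes quoted in the thread; each is assumed to host mirror_xml.php.
$mirrors = [
    'http://ltproject.org/neilmunday/',
    'http://seti.brutalhosts.com/',
    'http://wolfensystems.com/',
    'http://www1.helbing.nu/mundayweb/',
];

// Parameter names taken from the captured query string in the first post.
// Anything else a client appends is dropped rather than passed to the mirror.
$allowed = ['bg', 'border', 'text', 'use_border', 'credit', 'name',
            'updated', 'prjs', 'rac', 'rf', 'prj'];

function pickMirrorUrl(array $mirrors, array $query, array $allowed): string
{
    $forward = [];
    foreach ($allowed as $key) {
        if (isset($query[$key]) && is_string($query[$key])) {
            $forward[$key] = $query[$key];
        }
    }
    // Colour values must be six hex digits so the mirror gets sane input
    // (assumed validation rule for this example).
    foreach (['bg', 'border', 'text'] as $colour) {
        if (isset($forward[$colour])
            && !preg_match('/^[0-9a-fA-F]{6}$/', $forward[$colour])) {
            unset($forward[$colour]);
        }
    }
    $base = $mirrors[array_rand($mirrors)];
    return $base . 'mirror_xml.php?' . http_build_query($forward);
}

$target = pickMirrorUrl($mirrors, $_GET, $allowed);

// header() only emits a response header; the browser then fetches the image
// from $target. Nothing on the client machine is read by this script.
header('Location: ' . $target, true, 302);
exit;
```

A desktop security product that flags this traffic is seeing an ordinary 302 to a third-party host carrying the same stats values the forum page already displays; nothing is read from the visitor's machine.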

Beach Bum
Joined: 12 Dec 05
Posts: 68
Credit: 215346
RAC: 0


I would like to see what the is. Seeing as I am the owner of wolfensystems.com.

As Neil said I am a mirror build for his stats site.

I have looked over his code that is hosted, and it is fine, no attempt at stealing anything, other than maybe my bandwidth, but I gave him that right, lol.

I would just put this up to a false hit. Not the first time it will happen in life, nor the last.

Bye All

Beach Bum
Founder of The Hawaiian Beach Bums

Come Join us at Hawaiian Beach Bums

Mike Hewson
Moderator
Joined: 1 Dec 05
Posts: 6588
Credit: 312833499
RAC: 183687


Hi! :-)

Well the is whatever I put in the earlier post.

I no longer have that machine, as a viable entity, so I also now have no recollection or record other than that post. It hasn't been a problem since ( ie. Trend Micro ).

Some infestation no doubt, not your fault though! :-)

Cheers, Mike.

