View Full Version : careful about this "tool"


KiDCoDEa
24th November 2005, 23:57
no idea if it's a real tool or not.
i just know i was reading it and it sounds suspicious.
a lot.
do not run this until we have more info on what exactly it does.

if i wanted to make spyware to grab all your keys this would be how i would do it so...
i dunno maybe it's legit, all i'm saying is be careful coz it sounds very fishy.

http://forum.rscnet.org/showthread.php?p=2760808#post2760808

edit1: i opened the file for closer inspection in hex. and it connects to anon ftp ftp.madmax05.250free.com
beware this comes from a newly regged nick...he says he was "working" for 6 months.
this smells fishy as hell. you have been warned.

edit2: [L] Connecting to ftp.madmax05.250free.com -> DNS=ftp.madmax05.250free.com IP=64.202.96.169 PORT=21
[L] Connected to ftp.madmax05.250free.com
[L] 220---------- Welcome to Pure-FTPd ----------
[L] 220-You are user number 6 of 100 allowed.
[L] 220-<<
[L] 220-*************************************
[L] 220-Downloads are not currently permitted
[L] 220-through FTP. Please use your 250Free
[L] 220-URL to download files. In addition,
[L] 220-only one person may be logged into
[L] 220-your username at a time.
[L] 220-*************************************
[L] 220->>
[L] 220-Local time is now 20:05. Server port: 21.
[L] 220-This is a private system - No anonymous login
[L] 220-RATIOS ARE ENABLED FOR EVERYONE:
[L] 220-to download 1 Mb, uploading 20000 Mb of goodies is mandatory.
[L] 220 You will be disconnected after 10 minutes of inactivity.
[L] USER madmax05
[L] 331 User madmax05 OK. Password required

Gabkicks
24th November 2005, 23:59
anyone know if it's ok? how's tristan's pc?

Kegetys
25th November 2005, 00:08
That VB executable is compiled from a project named "C:\Documents and Settings\mad max\Desktop\ip stealer with back door\Project1.vbp", you might not want to run it :P

KiDCoDEa
25th November 2005, 00:11
yep, exactly what i am reporting.

rsc is spreading a hack...
would be nice to have it removed soon...

Scirocco
25th November 2005, 00:21
Attachment deleted

KiDCoDEa
25th November 2005, 00:27
:thumb:

Vendetta
25th November 2005, 00:28
Nice job guys on deleting this fast! :thumbsup:

*edit* why isn't that guy banned? *edit*

vari
25th November 2005, 00:31
:Handshake

Scirocco
25th November 2005, 00:31
How can I see that this thing is a virus without actually running it and f'ing myself?

Fonnybone
25th November 2005, 00:33
Thanks for the report Kid :thumb: Hopefully not too many people downloaded it.

Kegetys
25th November 2005, 00:37
How can I see that this thing is a virus without actually running it and f'ing myself?

You can look at the executable with a hex editor, inside there's a bunch of unicode strings that give a pretty good hint at what it's doing. There's the project name I said above, and the ftp address to 250free.com, and a login and pass to that site. It apparently attempts to upload a txt file with your ip address to that ftp.

There's also some personal info about the user at 250free.com, including an address and a phone number that probably are fake, an aol.com email address and an ip address that routes to AOL...

edit: and based on the files on the site, seems like no-one got caught, there's a file named "vicip.txt" but that includes only a LAN ip (192.168.0.2) :P

Mbrio
25th November 2005, 01:12
Thanks Kidcodea.

Theafro
25th November 2005, 02:13
there does seem to be a tiny problem ATM, i've seen enough evidence to suggest a security update should be part of the next patch, make 'em work it all out again, :shrug:

once the crack-muppets get pissed off trying to directly work with the exe, it's inevitable that little scams such as this will crop up.:pillepall

May i be the first to openly suggest 'fighting dirty' with these kiddies, we know enough about 'em:smileypul to make 'em think twice about screwing with the ONLY decent title out there.:D

ysu
25th November 2005, 03:39
If you can get their address we can start sending mailbombs and other niceties, or organizing bashing parties :-))))

Theafro
25th November 2005, 03:45
:smileypul

KiDCoDEa
25th November 2005, 04:03
It's 99% certain this is a trojan. If anyone did download the file, don't run it. If you did already run it:

- install a firewall if you haven't already.
- press ctrl+shift+esc, go to the 'process' tab and check for any suspicious programs running.
- open regedit (windowskey + r, type 'regedit', press enter) and check these reg keys for suspicious programs:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
- Open your start menu and check if there's anything strange in your 'startup' folder.


Check this thread on the LFS forum for more information: http://www.lfsforum.net/showthread.php?t=3262


thanks mbrio, fonny and scirocco for prompt action.
sry for trans-forum quote, but it's the only way i can add to that, with this bit of info:

if u want a bit more info on task processes without using more complicated commercial apps like wintasks etc, u can use the fab processxp.exe from sysinternals. the best small utils ever for pc imho, and free!
they should come default with windows, but they don't, because they are good. yeah that was a windows critic...

http://www.sysinternals.com/Utilities/ProcessExplorer.html

leech the whole site if u want, coz it's the best shit that can happen to your windows. no shit, no fuss, straight to the point, easy to use utils.
i can monitor and control almost as much as i could with amigaOS and snoopdos etc :)
google info on processes is also a nice time saver.
the gurus around surely know them but i'm sure many people don't and i'm sure they will be helpful for a few around here.
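The Run/RunOnce and Startup-folder checks in the list above can be scripted so the result is saved and can be compared again later. The script below is an added example, not code from the thread or from Sysinternals: on Windows it enumerates the four Run/RunOnce keys (HKLM and HKCU) and the Startup folders, and for each entry applies a few textual red flags a reviewer would apply by hand. The `image_path` splitting of quoted and unquoted command lines, the user-writable location markers, and the Startup folder paths built from `APPDATA`/`PROGRAMDATA` are this example's own assumptions about how entries are commonly formatted, and the flags are prompts for a closer look, not verdicts. The pure helpers run on any platform; only the registry and folder enumeration need Windows.

```python
"""
Added example (not from the thread): list autorun entries and flag the ones a
reviewer would look at first. Registry access needs Windows (winreg); the
helpers image_path() and suspicious_reasons() work anywhere.
"""
from __future__ import annotations

import os
import re

try:
    import winreg  # Windows only
except ImportError:  # keep the helpers importable elsewhere
    winreg = None

RUN_KEYS = [
    ("HKLM", r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"),
    ("HKLM", r"SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce"),
    ("HKCU", r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"),
    ("HKCU", r"SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce"),
]

# Assumed markers of locations an ordinary user can write to; a program that
# starts from one of these deserves a second look (not proof of anything).
USER_WRITABLE = ("\\temp\\", "\\tmp\\", "\\appdata\\", "\\documents and settings\\",
                 "\\desktop\\", "\\downloads\\")


def image_path(command: str) -> str:
    """Executable part of an autorun command line (assumed formats).

    Quoted:   "C:\\Program Files\\x\\x.exe" /arg  ->  C:\\Program Files\\x\\x.exe
    Unquoted: C:\\tools\\x.exe /arg               ->  C:\\tools\\x.exe
    For an unquoted path with spaces everything up to the first ".exe" is
    taken; that is an approximation, not the exact Windows lookup order.
    """
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    idx = command.lower().find(".exe")
    if idx >= 0:
        return command[: idx + 4]
    return command.split()[0] if command else ""


def suspicious_reasons(command: str) -> list[str]:
    """Textual red flags for one entry; an empty list means nothing stood out."""
    path = image_path(command)
    low = path.lower()
    reasons: list[str] = []
    if not re.match(r"^[a-z]:\\", low):
        reasons.append("not an absolute path (resolved through PATH at boot)")
    if any(marker in low for marker in USER_WRITABLE):
        reasons.append("executable lives in a user-writable location")
    if " " in path and not command.lstrip().startswith('"'):
        reasons.append("unquoted path containing spaces")
    return reasons


def registry_entries() -> list[tuple[str, str, str, str]]:
    """(hive, key, value name, command) for every Run/RunOnce value. Windows only."""
    if winreg is None:
        return []
    hives = {"HKLM": winreg.HKEY_LOCAL_MACHINE, "HKCU": winreg.HKEY_CURRENT_USER}
    out: list[tuple[str, str, str, str]] = []
    for hive, subkey in RUN_KEYS:
        try:
            key = winreg.OpenKey(hives[hive], subkey)
        except OSError:
            continue  # key absent (RunOnce often is)
        with key:
            i = 0
            while True:
                try:
                    name, value, _ = winreg.EnumValue(key, i)
                except OSError:
                    break  # no more values
                out.append((hive, subkey, name, str(value)))
                i += 1
    return out


def startup_folder_entries() -> list[str]:
    """Files in the per-user and all-users Startup folders (assumed locations)."""
    suffix = r"Microsoft\Windows\Start Menu\Programs\Startup"
    folders = [os.path.join(os.environ.get("APPDATA", ""), suffix),
               os.path.join(os.environ.get("PROGRAMDATA", ""), suffix)]
    found: list[str] = []
    for folder in folders:
        if os.path.isdir(folder):
            found.extend(os.path.join(folder, f) for f in os.listdir(folder))
    return found


if __name__ == "__main__":
    for hive, subkey, name, command in registry_entries():
        flags = suspicious_reasons(command)
        mark = "  <-- " + "; ".join(flags) if flags else ""
        print(f"{hive}\\{subkey}\\{name} = {command}{mark}")
    for item in startup_folder_entries():
        print(f"Startup folder: {item}")
```

Keep the printed list from a known-clean machine and diff it after anything doubtful has been run; a new value, or an old one whose command line changed, is what you are looking for.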

Mbrio
25th November 2005, 04:46
Good tip Kidcodea. I'll link to your post on RSC.

Now let's just hope he didn't use Sony's rootkit :/. Is there an uninstaller for that thing yet? [edit] Yes there is, but apparently (http://www.boingboing.net/2005/11/14/sonys_rootkit_uninst.html) that's even worse...

@TheAfro: this has nothing to do with LFS or LFS's security. This is just a regular trojan that sends your IP to an FTP and leaves a backdoor open (at least that's my guess based on what Kegetys found out). That way the guy who made this can just connect to the IP through the backdoor and do whatever he wants. Assuming you understood all that, you'll realise this has nothing to do with LFS, apart from the fact the guy was using LFS as a ploy to get people to download the trojan.

Slartibartfast
25th November 2005, 06:59
@TheAfro: this has nothing to do with LFS or LFS's security. This is just a regular trojan that sends your IP to an FTP and leaves a backdoor open (at least that's my guess based on what Kegetys found out). That way the guy who made this can just connect to the IP through the backdoor and do whatever he wants. Assuming you understood all that, you'll realise this has nothing to do with LFS, apart from the fact the guy was using LFS as a ploy to get people to download the trojan.

In a way, it's almost comical that someone wishing to install a trojan would advertise in a manner to seduce those of us with 56k dial-up.

If he wants my Yoko Ono box set in .wav format that badly...

avih
25th November 2005, 07:12
In addition to someone posting on RSC to check the autorun entries in the registry, here's a great utility from sysinternals.com (the same guy that revealed the Sony Rootkit issue) Autoruns (http://www.sysinternals.com/Utilities/Autoruns.html). It's the best utility that allows you to see programs that autorun with windows/login that I know of.

Fordman
25th November 2005, 07:14
Nice one Inspector KiDCoDEa :detective

AtomAnt
25th November 2005, 08:16
:nod: You da Man Kid......it's guys like you keeping the rest of us safe that makes LFS such a great world to be a part of.

nikimere
25th November 2005, 08:47
there does seem to be a tiny problem ATM, i've seen enough evidence to suggest a security update should be part of the next patch, make 'em work it all out again, :shrug:

once the crack-muppets get pissed off trying to directly work with the exe, it's inevitable that little scams such as this will crop up.:pillepall

May i be the first to openly suggest 'fighting dirty' with these kiddies, we know enough about 'em:smileypul to make 'em think twice about screwing with the ONLY decent title out there.:D

But AFAIK it wasn't an LFS hack, it was just a program that you were "supposed" to run along with LFS...

Seems like he wasn't such a l33t hacker anyway, he only managed to get someone's lan IP! lol!:D

axus
25th November 2005, 09:05
Is it not possible to change the address to which everything is sent using a hex editor and find out exactly what it sends?

tristancliffe
25th November 2005, 10:20
I downloaded it, opened the zip and thought "no way am I running this". So I'm safe.

But my graphics card died yesterday (nothing to do with the attachment), so I'm not best pleased....

the_angry_angel
25th November 2005, 10:23
But my graphics card died yesterday (nothing to do with the attachment)

Or is this just an excuse not to appear nooby :razz:

so I'm not best pleased....

That I can sympathise with :( But these things happen :shrug:

tristancliffe
25th November 2005, 10:38
But the money I've now got to spend on a graphics card (subject to proper testing when I go home this weekend) would have gone on ECCI pedals.

Oh damn the God of computers for being an arse!

FlintFredstone
25th November 2005, 11:08
!!!Thread hijack alert!!!

Tristan, those ECCI Pedals (just to make you feel worse) , couple of questions:

1) Can you buy in the uk?
2) Is the PMBII worth it?
3) <gone beyond a couple> Do you know if the momo addon comes with new pots?
4) Do you know if the momo addon can have a clutch pedal?

Troy

Hyperactive
25th November 2005, 12:35
I'd be very surprised if it was posted only to the RSC forum. . .

Kryten
25th November 2005, 13:25
!!!Thread hijack alert!!!

Tristan, those ECCI Pedals (just to make you feel worse) , couple of questions:

1) Can you buy in the uk?
2) Is the PMBII worth it?
3) <gone beyond a couple> Do you know if the momo addon comes with new pots?
4) Do you know if the momo addon can have a clutch pedal?

Troy
Sorry to perpetuate the hijack but I have bought a set of ECCI's and can answer a couple of these: :)

1) Yes, I did. But be warned: The delivery guy will ask you for an extra £40-odd for import tax.

2) Well, I have PBMII so I can't comment whether it's better without, but the brake pedal does gradually get harder to push. Without it, it would be like the accelerator and have the same resistance for the whole travel.

3) If you mean, "do the replacement Momo pedals have better pots", then yes they do.

4) I believe you can buy an extra clutch pedal for them, but it connects via a separate USB lead which means windows and games will see it as an entirely separate controller.

ellis_dee
25th November 2005, 13:26
tristan: I had a similar screen when I overclocked the card too much. After a reboot and setting clocks back to normal, everything is fine again, so maybe you won't have to buy a new card....well, just maybe..

FlintFredstone
25th November 2005, 13:54
Thanks kryten,

for 3) the answer i was looking for was to 'new' was do the new pedals come with their own 'different pots' as mine are now duff

If you don't mind me asking, how much did you pay in total

Troy

PS. Smeeee :)

L(Oo)ney
25th November 2005, 15:36
I'd be very surprised if it was posted only to the RSC forum. . .

Yeah, me too.


Is this one a trojan as well then? http://www.lfsforum.net/showthread.php?t=3132
Never downloaded it, just wondering why the thread was locked.

Hyperactive
25th November 2005, 15:44
Yeah, me too.


Is this one a trojan as well then? http://www.lfsforum.net/showthread.php?t=3132
Never downloaded it, just wondering why the thread was locked.

It works for me :x The thread is closed probably because the file itself can be used as a cheat. Though I wonder why the file is still downloadable then...but it works.

Kryten
25th November 2005, 15:46
FlintFredstone, you have PM. :)

Theafro
25th November 2005, 15:55
i'm sorry if it seemed i got the wrong end of the stick but i've just seen too much evidence to suggest a LOT of peeps are using cracked LFS's, probably paranoia but the muppets are getting more common.

Lible
25th November 2005, 17:50
You got right, but actually i WOULD play cracked LFS if i would not have enough money to buy a license. Crack came out, when I paid for my license. But license is a lot better, than a crack.

AK-Chester
25th November 2005, 17:59
"Nice" find! :nod: Thank you, KiDCoDEa (http://www.lfsforum.net/member.php?u=29)!