Warning - Keylogger Link Sent via PM

Not sure where to post this -

I received a PM and it wants you to go to a site, DO NOT GO THERE

Do not go to edit by mod - it'll be a bit easier for people not to go there if you didn't post the link ;)

I believe it will install a keylogger on your machine! I somehow got into the root of the site and was able to look at all the files, I downloaded a couple of TXT files named MK-keylog.txt and REG-160-keylog.txt. The contents of those files are information logged which looks like conversations with Tech Support at Register.com.
They may have installed a keylogger there?

This is really bad, I am not sure if I have it installed on my machine, but as soon as I went to that site I knew something was not right as it just says wait 10 seconds. I stopped it right away and then somehow got into the root, so I snooped around there.

This must be how the domains are being stolen! If anyone wants the TXT files let me know.

And if you have an idea on how I can check to see if I have a keylogger installed please PM me.

I see the member is Banned now.

This is the PM from a Member -

Atech
Banned
Trader Rating: (0)
Join Date: Mar 2008

domains about
your domains with 450$ for me
okay ?
my list istnight.com look at , 16k$ ..
 
Agreed. I think they can only force a malware download through IE and not FF/Opera.

I'm still not going to try though.

-Frikkle
 
I got this PM earlier, checked site too.. hope I'm ok as I was using Linux with full security.
 
Kamloops said:
This is a very serious matter but I don't think it is being taken that seriously.

It's not NamePros' job to warn people about security threats. Try an AntiVirus company, they made it their job. And while you're at it buy a good AV/Security solution as well, it seems to me you need it ;)

Thanks for reporting though! Much appreciated.
 
Barts said:
It's not NamePros' job to warn people about security threats. Try an AntiVirus company, they made it their job. And while you're at it buy a good AV/Security solution as well, it seems to me you need it ;)

Thanks for reporting though! Much appreciated.

Well it is not my job either. Next time I see something wrong I will keep my mouth shut.

And for your info no antivirus software would detect this.

I think namepros does have some responsibility to warn its members of things like this when they become aware.

We are a community and should look out for each other.
 
Relax, buddy.
RJ listened to you ;)
He just sent PM about it.

Next time you see something wrong, scream for the safety of all members.
You've done a good job warning other members
Kamloops said:
Well it is not my job either. Next time I see something wrong I will keep my mouth shut.

And for your info no antivirus software would detect this.

I think namepros does have some responsibility to warn its members of things like this when they become aware.

We are a community and should look out for each other.
 
Thanks for the warning kamloops!
 
Wow. The user was banned for sending spam PM's earlier, but I was not aware of the possible malware his site contained. His outgoing PM's have all been deleted from the database and everyone who got a PM from him has been notified of this thread.

Kamloops said:
We are a community and should look out for each other.

Agreed, 100%. Thank you Kamloops!
 
You can always use this button [report.gif] to report anything fishy. Even in PMs.
 
Kamloops said:
Well it is not my job either. Next time I see something wrong I will keep my mouth shut.

And for your info no antivirus software would detect this.

I think namepros does have some responsibility to warn its members of things like this when they become aware.

We are a community and should look out for each other.

Keyloggers are actually pretty well detected by good AV solutions :) But anyway, I wasn't trying to upset you. I just responded to your kinda harsh attitude towards NamePros in this matter. NamePros is taking its responsibility very seriously IMHO and is doing quite a good job in protecting us. Just yesterday I got interrogated out of the blue about my nickname change (which is legit of course). Which other boards have such a pro-active approach? I think none.
 
I did some snooping on the site with my Sidekick (which can't get any of that stuff). I was not able to get in to anything. It comes up with:
You don't have permission to access /cgi-bin/ on this server.

Additionally you can go to the images folder but there are no images. It is a cPanel account because I did try the /cpanel and the normal cPanel login came up. Also, what gives the keylogger on to your computer (if there is a keylogger) is that pop-up that comes up. If you have a pop-up blocker that pretty much stops it. I have tried to access the site by bypassing the "wait 10 seconds" but have not found the right file or folder to go into. Thanks for the heads up!

It is kinda weird how you got in to see the root and all that. The server seems to be pretty much locked down....
 
EG.domains said:
You can always use this button [report.gif] to report anything fishy. Even in PMs.
I used that button earlier today when I got that PM. Yesterday I got an email
from that person with the same link, but did not click on it since I felt there
was something wrong. I use FF not IE.
 
johnnywj said:
I used that button earlier today when I got that PM. Yesterday I got an email
from that person with the same link, but did not click on it since I felt there
was something wrong. I use FF not IE.
Got the same email.

Subject was "Domain About" .. right?
 
EG.domains said:
Got the same email.

Subject was "Domain About" .. right?
Yes same Subject.
 
Fraudsters are looking for any opportunity to take advantage of people.

This is a reminder we all have to get in the habit of looking at our PM's on NamePros as objectively as we do our own emails. Be careful of any messages coming out of the blue from people you don't know. Hopefully no one was affected by this recent spamming.
 
Ya it was odd, I was using Firefox but now they have done something and it does not work. I think I just happened to stumble onto it at the right time, as it was right after that they closed down the hole.

I did decode the java file and have that as well. I have sent all my info to Norton. Including the jpg.exe file.

Due to their "good purpose", keyloggers and other types of surveillance software are not detected by most AntiVirus programs. You would have to have keylogger detection software installed and most people don't install that. Keyloggers may be hard to detect due to their stealthing abilities.

When I take the page I get in Firefox, decode it and then try to save it as a txt file in Notepad, Norton catches it and deletes it, and says this:

Discovered: June 8, 2001
Updated: February 13, 2007 11:50:11 AM
Type: Trojan Horse
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows XP

Downloader connects to the Internet and downloads other Trojan horses or components.

Note: Virus definitions dated June 1, 2006 or earlier may detect this threat as Download.Trojan.
Protection
Initial Rapid Release version June 11, 2001
Latest Rapid Release version March 11, 2008 revision 036
Initial Daily Certified version June 11, 2001 revision 007
Latest Daily Certified version March 11, 2008 revision 035
Initial Weekly Certified release date June 13, 2001

Threat Assessment
Wild
Wild Level: Low
Number of Infections: 0 - 49
Number of Sites: 0 - 2
Geographical Distribution: Low
Threat Containment: Easy
Removal: Easy
Damage
Damage Level: Low
Distribution
Distribution Level: Low

Writeup By: Gor Nazaryan
 
I just got the same message on DP forum but directing me to a different URL:

Here is the message from member, hasand, on DP forum:
Don't go there, I'm just showing you.
Code:
your domains with 400$ each okay ?
and
your - my domain list
http://www.google-fan-club.com/domains-sale.html
look at , use İE6 .
 
GreenGambler said:
I just got the same message on DP forum but directing me to a differnt URL:

Here is the message from member, hasand, on DP forum:
Don't go there, I'm just showing you.
Code:
your domains with 400$ each okay ?
and
your - my domain list
http://www.google-fan-club.com/domains-sale.html
look at , use İE6 .

That site seems to be dead, but if you search Google for http://www.google-fan-club.com and then look at the cache, it's interesting... one directory called /key!

Index of /

Name Last modified Size Description

[DIR] Parent Directory 07-Feb-2008 01:39 -
[DIR] _private/ 30-Jan-2008 21:22 -
[DIR] cgi-bin/ 30-Jan-2008 21:21 -
[DIR] images/ 30-Jan-2008 21:22 -
[DIR] key/ 02-Mar-2008 00:06 -
[TXT] postinfo.html 30-Jan-2008 21:22 2k
 
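The cached "Index of /" listing quoted above is the kind of artifact a defender ends up reading while triaging a report like this one. The following is an added example, not code posted by anyone in this thread: a small Python script that parses an Apache-style directory listing and flags entries whose modification date sits well apart from the date the rest of the site was uploaded. The listing text is constructed from the post above, and the seven-day gap used to call an entry an outlier is an assumption chosen for illustration.

```python
"""Parse an Apache-style "Index of /" listing (as captured from a search-engine
cache) and flag entries modified long after the bulk of the site was deployed.
Added example for this thread; not code from any poster."""
import re
from collections import Counter
from datetime import datetime

# Constructed from the cached listing quoted in the thread above.
LISTING = """\
Index of /

Name Last modified Size Description

[DIR] Parent Directory 07-Feb-2008 01:39 -
[DIR] _private/ 30-Jan-2008 21:22 -
[DIR] cgi-bin/ 30-Jan-2008 21:21 -
[DIR] images/ 30-Jan-2008 21:22 -
[DIR] key/ 02-Mar-2008 00:06 -
[TXT] postinfo.html 30-Jan-2008 21:22 2k
"""

# One listing row: "[KIND] name DD-Mon-YYYY HH:MM size".
ENTRY_RE = re.compile(
    r"^\[(?P<kind>[A-Z]+)\]\s+(?P<name>.+?)\s+"
    r"(?P<mtime>\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2})\s+(?P<size>\S+)"
)


def parse_listing(text):
    """Return the listing rows as dicts, skipping headers and the parent link."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m or m.group("name") == "Parent Directory":
            continue
        entries.append({
            "kind": m.group("kind"),
            "name": m.group("name"),
            "mtime": datetime.strptime(m.group("mtime"), "%d-%b-%Y %H:%M"),
            "size": m.group("size"),
        })
    return entries


def baseline_date(entries):
    """The most common modification date: a proxy for the original upload."""
    return Counter(e["mtime"].date() for e in entries).most_common(1)[0][0]


def flag_outliers(entries, max_gap_days=7):
    """Names of entries modified more than max_gap_days after the baseline.

    The threshold is an assumed value for illustration, not a fixed rule.
    """
    base = baseline_date(entries)
    return [e["name"] for e in entries
            if (e["mtime"].date() - base).days > max_gap_days]


if __name__ == "__main__":
    rows = parse_listing(LISTING)
    print("baseline upload date:", baseline_date(rows))
    for name in flag_outliers(rows):
        print("added later than the rest of the site:", name)
```

On the listing above, four of the five entries carry the same 30-Jan-2008 date, so that becomes the baseline and only key/ (02-Mar-2008) is reported. Seen in isolation a later-modified directory proves nothing, but paired with the reports in this thread it is the entry worth passing to whoever handles the abuse report for the host.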
Security tip for people running Windows or Linux - you can download the VMware player here -> http://vmware.com/download/player/

and then install VMware's "Secure Browser Appliance" ->
http://www.vmware.com/appliances/directory/browserapp.html

Any browser exploit you might still run into will then be compartmentalized in your "virtual machine" environment.

It's not foolproof, but a good first step for a more secure system.

And if you're so inclined, you could install some full-of-holes version of Windows inside a virtual machine, run IE6 with ActiveX enabled, go to trojan-horse websites, download spyware and keyloggers .... and see what it's all about - without compromising your base system.

If you're so inclined, that is .... :gl:
 
He also signed up for a second account "hasand" which has also been banned. ;)

-Bill
 
I received that one and clicked through. But the site had some banner saying I should install Flash to view the file. I thought it was strange because I have Flash installed.. I think. So I quickly realized it might be spyware, but it usually asks for your confirmation to install, so I clicked to see if they install some spyware pretending to be Flash, and no, I got redirected to macromedia.com. Anyway I think it shouldn't be dangerous unless you do install something.
 
Gene said:
...
We deal with hundreds of banned people every day, and if we publicly warned everybody about every important 'incident', you'd have to weed through a lot of crap every day to get to the good stuff on NamePros. RJ and crew do an outstanding job of bringing to light any threat to NP members.
...
The amount of crap you are dealing with is worrying D-:
We are just seeing the tip of the iceberg :yell:
 
He just signed up again tonight with the username Muratti - All of the PM's sent have been deleted and account is now banned.

-Bill
 
I just got his message in my email box. Too bad I'm not falling for it!

What a doofus. Let me know if his email address will help anyone out and I'll forward it to you.
 
Michael_Goldman said:
I received that one and clicked through. But the site had some banner saying I should install Flash to view the file. I thought it was strange because I have Flash installed.. I think. So I quickly realized it might be spyware, but it usually asks for your confirmation to install, so I clicked to see if they install some spyware pretending to be Flash, and no, I got redirected to macromedia.com. Anyway I think it shouldn't be dangerous unless you do install something.
Aha.
Once you clicked, a cookie will be set on your PC; from this cookie it transfers your passwords, usernames etc.
The hacker will access whatever information he gets.
Never click links or signatures from unknown persons :(
Even in signatures they are keeping these types of links.
 