I am the webmistress of Lavender-N-Lace Mails. We are still in pre-launch, expected to officially launch May 1, 2008. Our site was hit by a hijacker this morning, redirecting all rotating banner ads, sponsor links, and treasure room links to true-money. It mostly just affected the referral url, but there were at least 2 banners changed to the banner for true-money, and on those 2 the duration was set to 99999999 [can't remember how many 9s, but you get the idea].
Seaturtlesptr, Dynamic-Mails, Marissaspaidmails, and Riverfallmails have all been affected by this same hijacker/hacker. Most probably some form of exploitive trojan.
Support tickets have been sent to Cash Crusader, but we still don't know how this thing was able to get into our database and affect our ads.
As of now, Lavender-N-Lace Mails has its banners back up and working; all but a few where members still need to resend their referral urls; those have been redirected to the sites advertising page for the present.
Don't know yet if other sites were also affected.
Joy
chedvah/jmwchedvah

sent mine in already through the contact page Joy, just today.

Unfortunately, Wallabymail and Cashemails4u were hit as well. After speaking with the host, all is ok now. But we are missing a couple of days worth of ads.

any idea who did it yet?

Dynamic-Mails, FusionMails & RareMails were also hit by this

Thanks for your ads; got them up and going!
Wow! It hit more than I knew.
It also hit Riverfallmails.
We don't know yet how it hit; but it seemed to come through the ccscript.
I hope they find out, because I really don't want to go through that again!
A number of us webmasters are pretty tired tonight; cleaning out our sites and reposting the ads.
Joy
chedvah/jmwchedvah

Beezyclickin.com was also hit only the banners rotating for banner impressions. I have over 120+ links to change and an admin was sent out to all members to resend in there referral links/site links

Becca

Who are you all hosted with?

Add Polar Bear Clicks to the list Have PMed the webmistress to let her know.

I am with hostigation [I think]; I know a few others are, but I don't know about all of them.
Joy
chedvah/jmwchedvah

On WIW forum there's some info to link this with the geg07 hackings/banner hijackings, and to link geg07 to the onlythebestptr domain thefts and hijacks. Onlythebestptr is linked to some of the $1000000000 sites and to estdomains. Estdomains is linked to the Russian Business Network (malware network).

I don't know what this is about, but Sini posted this notice not long ago in the industry announcements section, so you might want to contact her if you haven't already?

http://getpaidforum.com/forums/index.php?showtopic=511742

How legit is this person; and why the secrecy? I'm not too trusting at the moment. LOL
Joy
chedvah/jmwchedvah

Im not certain which person you are referring to, but you should most definetely contact Sini about this hacking. Wagdolls information is also to be trusted.

Totally agree cubster. Wagdoll knows her stuff and can totally be trusted. She is an excellent source of information.

Gardenia Clicks and Soaring Eagle got it also, all we had to do was go to the last update and put it in. HATE HACKERS

Sorry to hear this guys.. Hope they catch this person soon.. I haven't seen a problem with either of my sites yet.. Knock on wood

The person I was referring to is this Sini who is requesting us to contact them with information but can't tell us why. I am not aware of this person, as it seems like others here are. Just trying to figure out who is who, and who can be trusted, that is all.
Joy
chedvah/jmwchedvah

There was a thread awhile ago and I assumed it was referring to the Mastersam or the other one (forget name) from Onlythebest. Only a regular reader would have connected it i think. I was wondering why the secrecy at the time and no real discussion here or at other forums

http://getpaidforum.com/forums/index.php?showtopic=511074

I would say sini is to be trusted and wagdoll knows her stuff.

Sini is Admin here plus she also is part owner of Polar PTR and Polar Webservices. She is very tech savvy too. HTH.

Thanks! Thenit seems I need to contact her.
Joy
chedvah/jmwchedvah

Just so everyone knows there is a very valid reason for the secrecy, everyone who have contacted me know the reason, but they nor I can not and will not say anything in public for now.

Thanks for the reply. The other sites that you know are with hostigation, were they also affected by the hijacking of banners?

Actually the Hostigation sites are not the only hijacked sites and represent ony a very small portion of them. This organization has been hacking and hijacking sites for several years. Remember the stellaartois hackings? Same group. They are familiar with both CC and Aurora scripts as well as TX and forum scripts and quickly identify any security holes. It is not exclusive to PTR, recently this same group hacked into the websites belonging to the North Carolina State University library, the U.S. Administration on Aging and the U.S. government's Medicare program and many others were compromised as well. Those hackings were documented on March 13.

The US, British and Canadian authorities have been trying to shut down this group for several years with no luck.

Actually that group and this hacker are not the same (the things we know about him doesn't support the theory of him being related to that group at least)...and on the other hand; yes, this guy is not a new one. He has been around at least for one year and done lots of damage.

valeptr....

add it to the list of being hacked!


grrrrrrrrrrr

They are related, see wagdoll's post #11. There is the ESTDOMAIN connection which is the RBN malware server. WiW has great resources which show the trail and connections very clearly and how it attempts to obscure and hide the trail of origin. It doesn't take much looking through internet security forums to realize that everything associated with estdomains is related to that group. These forums are made up of security professionals who have been tracking this for many years they know what they're talking about. You have a two bit RBN amateur doing this particular hacking, but it IS RBN nevertheless.

Choosing to ignore or dismiss this fact is doing nothing but enabling these criminals. PTR has enabled this activity far too long. It's time for the secrecy to end and to bring it out in the open and take a stand. Stop hiding it and making excuses for it like an alcoholic uncle at a family reunion.

We can't wipe it out or stop it, but we CAN get it out of PTR if enough people POs, and members alike take a firm stand. Currently, this industry only has one forum that is actually doing anything which is a sad sad statement about the apathy and head in the sand attitude that is prevalent.

He may be a wannabe RBN, but definately not one of them.

If you want to argue that I'm doing something wrong by ow mean do, but I don't care. I will do the "thing" on my own and like I feel it's best to be done. Those who know how things are and who are involved understand why and others won't have to as it's none of their business.

I won't post to this thread anymore as I just don't have energy for this type of convo.

excellent post

Why not? If sites, forums possibly work together things might change for the better for PTR.

Ok Sini if you are more knowledgeable than the experts at the security forums continue on and lead these folks astray. You may feel you have a good understanding of this person but there are many that have been on his and others trail for quite some time.

Do you guys really think a really think real hacker groups accept this type of members....come on...they would all be in jail if they would.

Whatever you say.

Going back to my sandbox where denial doesn't reign. Peace, out.

Hi,

It is the same concept as cheat bots and all that, if a PO knows how to stop them, is he going to explain all that openly so the cheaters can read it and find a better way to cheat and bypass the security measures ?
It doesn't at all mean automatically that people aren't doing anything, making up excuses, ignoring or dismissing those hackings. IMHO, accusing the people here just out of the blue and without any knowledge of what they are doing because they don't brag about it is a bit quick in judgements and insulting.

Also, everyone who has the knowledge about all this is free to post wherever they feel like, if they choose to post only in one place, it's their right but it will limit the audience, different people, different forums .. not everyone runs everywhere.

Sophie

They don't just accept them, they recruit them. That heirachy ensures that the top dogs are always at arms length from the actual crimes. They have been using this method for five years. That is how they keep the top out of jail. Actually one of the key RBN founders has been in jail for two years. Interviews with him clearly show that not even jail can affect the heirachial system they have set up. It is based on the Communist "cell" system, you can get one or two, but the bulk remains unharmed.

Yep...a wannabe RBN, but as I said not a real one.

Would you care to explain why the security experts feel that it is critical to deal with this as openly and in detail to as wide an audience as possible?

What is your point anyway...critisize me, stop me from doing what I'm doing or what?

Lets agree this:

- I don't know anything....those on WIW are the ultimate supreme super humans and are always right.
- What I'm doing is wrongn, I should do everything differently etc.

So now you should be happy and I can continue all those wrong things and on wrong way.

Personally I don't know why others say what they say ... I just know what I say and why, well, most of the time

In any case, those experts might be sent here to share the knowledge as there is quite a large audience and we might even spread the infos further thru our various activities and members.

Sini

If he was not part of it might call him a lowly pawn but yes still part of it, he would not be able to use their ESTDOMAIN connection. This ones methods may be sloppy but remember we are at the bottom of their hit pool too. The upper ones are going after big corporations. At this moment we have caught and Jailed one of their head individuals (Shocker Hey) and still they flourish and grow like weeds.

The upper ones are actually protected by layers of heirachy and are almost impossible to get at,or to even identify.
The system relies upon the pawns. Without them, it cannot exist to the extent that it does

So you see I'm not talking from inexperience or because I can't see the forest through the trees. I'm not trying to shoot you down or your efforts. I'm just trying to convey what your really up against

Yesterday, I described the RBN thing as like they are the centre of a huge spiderweb, they sit at the middle, people come to them for exploit packages that they sell, then each part of the spiderweb goes out and spreads this stuff over the internet. The connections that we've seen 'suggest' strongly that this hacker is connected to that spiderweb, even if it is somewhere low down and he's not "one of them" per se. If Sini has other information that can't be refuted as not everyone knows what that information is. Is it entirely impossible that it does gel somewhere? Sini has information "we" don't have if we have never been affected by having him in our servers, but those connections still exist. Either they're a coincidence or a red herring or something else?



I don't think it's exactly the same as cheat bots, because malware affects all of us. You have special PO areas where you can put info on cheat bots, but we don't have the same thing for members everywhere? If you hide the domains they are using for drive by hijacks how can anyone protect themselves from the hijack if you sweep it under the carpet? In security forums they share information on how hackers gain access to servers, not so that hackers can get better access, but so that more people can protect their servers, and more visitors to the sites can be protected. Very few people are going to be inclined to join one of these hacker groups and try it for themselves, if they wanted to I used to have some links to open sites where you could pick up the same exploit code as was found in things like stelaartois - it's openly available, but you need a little expertise even as a script kiddy to be able to understand and use it. I know it's there but I couldn't use it, because I recognise it like I can recognise French language, but I can't converse in the language. I wouldn't direct link to those sites publically though, but I would link to something that explained how a server had been compromised or a domain that was being used for drive bys. If Sini has information she feels is best shared off the forums then that's her call though and I'm not disagreeing with that or criticising her for it. She knows what she has and I don't so I can't say I wouldn't do the same thing in her position. If Sini has proof that all of the connections are coincidences or don't exist, it would be helpful to understand why but that's not going to happen so she's going to have to accept that other people have seen something that looked very convincing and it's going to be hard for them to understand that without access to the info she has (if that makes any sense, and I'm not saying that's a reason for her to share what she knows in public.)

I agree about limiting information spread by only posting it in one place, but there are rules in place at this forum that prevent information being posted in this forum if the information is in another place. There is a rule that stops you linking to the info in that place, I don't think it would be right to just copy other peoples posts and not say properly where it came from, so you can't bring the information or warnings here very easily to share it or for people here to discuss it here. People aren't all simply choosing to only post in one place, they can't bring the information here due to the rules.

I don't agree, sorry. You're discussing an issue with people from GPF, where else they post is irrelevant. None of the posts I read were saying anything like that about WIW.

From what I can see you are both trying to help people and sometimes have a different way of doing that. Everyone can't agree on everything all the time, even when they both have the same aims.

Anyway I am sorry for posting in here, like you say it's none of my business and I wish people would keep it out of my way but when they bring it to my computer I start thinking it is my business. All I was trying to do was post something I thought might be of help to someone to understand it. I was wrong, I shouldn't have tried. Sophie says it's our choice, but I wonder if it's worth it if we are all think labeling people as one side or the other is the most important thing.

Hi Wag,

About what can or cannot be said, I do trust Sini if she thinks that for the time being it is better to not post everything otherwhise she would post the information. From what I can read, the people who need the info will receive it from Sini so it's not as if it is such a big secret, it is just not posted openly. Personally I see Sini being very committed on this and I really do hope that it will all work out.

About posting in order to have the biggest audience possible, besides this one, there are other fora and not here, not there is the info posted regularly by some but on one forum, so the audience will remain limited anyway.
As for GPF, the forum where some post about bad stuff was already banned from here before those sections about nasties/malaware etc .. were started so when it was decided to post it there, everyone knew it would not be linked here back then already.

I must admit I don't care for the other forum, I used to think I should fight to show the real colour of it but I have given that up by now, one thing is sure, I and others have probably been more harmed and hurt by it than by all the malawares and hackings we have been the victim of .. some things you can't just hide and fake they never existed or restore with a back up or fix by having a new computer.

This being said, I do appreciate people helping here regardless where else they post, it is not because I don't support one forum that I judge and blame everyone who posts there, we all have our own experiences and opinions, as long as we remain civil and tolerant, we should be able to live with those differences.

From what I could see, people appreciated your help and explanations in this thread so there is not one single reason to regret having posted, on the contrary.

Sophie

If this is the hacker who got into this forum and deleted signatures including mine, then it is the business of us all to some extent.

Not trying to be rude here, just pointing out that it really is everyone's business to protect their computers and accounts here and elsewhere.

It's very comforting to know that Sophie's personal beefs are more important than botnets, phishing, hacking, and id theft. I'm sure most gov't authorities would agree with her and I believe that thousands of PTR members feel better knowing this.

Geeze Sophie, get over yourself and your personal issues. Is this is a public information forum or your own personal gripe board?

You're not protecting yourself or those people by not allowing the linking. That doesn't make whatever is hurting you go away, it just means people can't link to information there and makes it harder to discuss it here. You can't just blame others for posting there when it was in the censor here. I don't think it was as much of an issue before this site developed it's nasties section and the information could have been so complimentary. No one else wanted to make a choice of there or here, it was imposed upon them by the rules. A new computer isn't always an option. Restoring a backup doesn't refund money stolen by an egold keylogger.

You're right, it wouldn't save everyone from nasties. I don't totally comprehend the comparison you've made but I'm not arguing with the decision, only disagreeing with the way it sounded like people were making a choice to post somewhere else and limit the information available here, when it's the rules that are doing that, not the people.

I hope Sini's info will help POs be able to protect themselves and their members. Like 2k said, this is such a big issue and it's not going to go away soon, but hopefully the more people who work together the safer it can be made despite the hackers.

I just checked some of the sites that were hit with the geg07 forerunner to this incident, bratmails on affiliate-sites.net, doptr is currently on name-services.com, coolcatmails is with getpaidsolutions. So it's an eclectic list.

Can you elaborate this one? The thread was only about the true-money URL injection when it was staying on topic.

I didn't know of anyone hosted other places than myself, but even then, it was only my shared servers, which are far fewer than those that lease servers from me, that list would be 10x longer of sites that were not hit.

I've figured the whole thing as the true-money guy knowing an exploit to CC that Jutaky wishes to keep his head in the sand about and blame it on me instead, all as revenge for Sini bringing his stupidness to my attention and then me canceling his server and keeping a month of fees for my time to deal with all the domains he stole. I guess he got his $100 worth of entertainment out if me with this latest exploit.

Sorry but you don't get it, some things never will go away and the people who did it never will take the responsibility of it, so be it, life goes on. Now lately it has even turned to be rather funny, I had someone IMing me some time ago asking me if QB meant Queen Bee, I said I thought it meant Queen Beauty

The point I wanted to make is that some who claim to fight fraud can't be trusted, made that entire forum lose credibility and caused those rules to exist ... I am really sorry some good people are in the middle of this but there is not much that can be done at this point imho.

The connections are listed in the WIW forum. true-money seems to be a replacement for onlythebestptr. onlythebestptr was on the same server as geg07. geg07 was a similar CC specific hacking through the banners rather than dropping an iframe. onlythebestptr is connected to the stolen domains that were moved to estdomains. Estdomains is connected to the RBN.

coolcatmails, doptr and bratmails are three of the sites affected by geg07, that was a few weeks ago. I just did a whois on those three and got the results I posted. It wasn't just your servers affected then, I don't think this is only about you, it's just a coincidence that they got into your server today, but it could have been any server with CC sites on it.

First...sorry to everyone, I had a very bad morning and got a little too much heat.



If there is a bug in cc that causes these please share it with us, you seem to know of such, so why don't you just show what it is instead of making accusations (that are inaccurate).

I have never seen Jutaky revenging anything to anyone (Have you?) or hurting anyone in any way for that matter, so what makes you think he would lower himself to that level now?