Is it just me??



ivor&mel
9th May 2006, 16:48
What's happened to the Forum since this morning? First I received an e-mail purporting to be from win2racing and containing a Trojan exe file. Then whenever I try to access any page on the Forum, I get pop-ups from winfixer.com and attempts to install a wmf file. Both Firefox and IE are affected, but the symptoms are different; And it's not my PC that is infected! - this happens on the 2 desktops and 2 laptops I've tried (all running Windows, of course...). I've been reluctant to post anything because I am concerned about login security now... has this site been hacked or what? There seems to be a lack of postings since this morning... I checked from the top-level of win2winracing, and the only 2 links I found that suffer from this behaviour are the Forum and the Gallery. Can anyone shed light on this?

Ivor and Mel

deepete
9th May 2006, 18:13
I received an e-mail about a tool for win2win that I thought looked suspicious, so after checking I deleted it.

If that's the same one you received I was very lucky. I'm running the ZoneAlarm suite but I didn't put it to the test, so I don't know if it would have prevented any infection.

Sorry to hear it's causing you problems; go to ZoneAlarm and test their software free for 2 weeks. It will do a scan and get rid of any problems, hopefully.

I'm still evaluating mine; it's seemed to have slowed down my computer but it may be a price worth paying.

Peter

walesrob
9th May 2006, 18:20
QUOTE(deepete @ May 9 2006, 06:13 PM)
I received an e-mail about a tool for win2win that I thought looked suspicious, so after checking I deleted it.

If that's the same one you received I was very lucky. I'm running the ZoneAlarm suite but I didn't put it to the test, so I don't know if it would have prevented any infection.

Sorry to hear it's causing you problems; go to ZoneAlarm and test their software free for 2 weeks. It will do a scan and get rid of any problems, hopefully.

I'm still evaluating mine; it's seemed to have slowed down my computer but it may be a price worth paying.

Peter

Guys, don't download anything. I think the forum has been hijacked. Where's Keith when we need him??!!

deepete
9th May 2006, 18:21
I e-mailed Keith about it this morning.

ivor&mel
9th May 2006, 19:01
I received an e-mail about a tool for win2win that I thought looked suspicious, so after checking I deleted it.

If that's the same one you received I was very lucky. I'm running the ZoneAlarm suite but I didn't put it to the test, so I don't know if it would have prevented any infection.

Sorry to hear it's causing you problems; go to ZoneAlarm and test their software free for 2 weeks. It will do a scan and get rid of any problems, hopefully.

I'm still evaluating mine; it's seemed to have slowed down my computer but it may be a price worth paying.

Peter

I run Zonealarm as firewall and AVG as anti-virus. AVG immediately picked up the Trojan in the e-mail; my ZA would not detect a Trojan in the exe file, it would only detect dodgy outgoing/incoming connections if the Trojan had been run.

I've never looked at the anti-virus capabilities of ZA: all I use is the free firewall version. I'm always a bit suspicious of software that tries to do too many jobs! I use the ZA/AVG combination on all my machines, plus Spybot Search & Destroy (though I've read about problems with that recently) and Ad-aware. It seems to have kept me safe and clean, but nothing is ever 100% foolproof!

I used the forum first thing this morning without any problems. I suspect the hacking or whatever occurred between 10:00 and 11:00 - the e-mail was sent at 10:55 and I immediately went to the Forum and then started seeing the problems. The e-mail was sent from IP address 66.147.238.53, which resolves to hc1.ded203.com and is part of a netblock assigned to HostRocket Web Services of New York.

Are there any disgruntled Forum members with technical skills enough to hack the site, perhaps? :icon_eek:

Ivor and Mel


Are there any disgruntled Forum members with technical skills enough to hack the site, perhaps? :icon_eek:

I've just reread that, and it sounds ambiguous! I am not suggesting hacking HostRocket Web Services! I was just wondering if the hacking of this Forum had been done by a disgruntled Forum member!

Ivor and Mel

Admin
9th May 2006, 19:30
Note: There is no virus on the site or server. It has been thoroughly tested by myself and by others in the UK and in different countries.

Your computer has been infected via spoof emails, and is most likely WINFIXER, which is MALWARE, hence adaware, spybot, av will not find it.

The problem is on your own computer & the fix is here,

http://forums.bollyent.com/index.php?showtopic=12084

ivor&mel
9th May 2006, 20:22
Note: There is no virus on the site or server. It has been thoroughly tested by myself and by others in the UK and in different countries.

Your computer has been infected via spoof emails, and is most likely WINFIXER, which is MALWARE, hence adaware, spybot, av will not find it.

The problem is on your own computer & the fix is here,

http://forums.bollyent.com/index.php?showtopic=12084

So are you telling me that all the machines I have used today are infected by that e-mail? Even though the e-mail was seen on only one of the machines, and the attachment was not run to install the Trojan? The only pages that show this behaviour are the Forum and Gallery pages on win2winracing. The only common factor is a visit to these pages on win2winracing.

The e-mail headers show the following routing:

Received: from [66.147.238.53] (helo=host.win2winracing.com) by pih-mxcore09.plus.net with esmtp (PlusNet MXCore v2.00) id 1FdOwf-00038z-Uo for <my-e-mail-address>; Tue, 09 May 2006 10:55:58 +0100

Received: from nobody by host.win2winracing.com with local (Exim 4.44) id 1FdOwZ-0003eW-5L for <my-e-mail-address>; Tue, 09 May 2006 10:55:51 +0100

X-Mailer: IPB PHP Mailer
Message-ID: <E1FdOwZ-0003eW-5L@host.win2winracing.com>

It seems that 66.147.238.53 resolves to both hc1.ded203.com and host.win2winracing.com... So where did the e-mail come from...?

Ivor and Mel

EDIT: I'm still trying to figure out what is going on here... It seems that whenever I connect to win2win, the browser downloads 2 Java files into:

C:\Documents and Settings\Ivor Hutchinson.ROMSDAL.001\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar

i.e.

count.jar-15d389d-xxxxxxxx.idx
count.jar-15d389d-xxxxxxxx.zip

(xxxxxxxx seems to vary) and AVG reports the ZIP file as being infected.
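The two Received: lines quoted above already answer the "where did the e-mail come from" question if they are read from the bottom up. The following is an added example (not code from the thread or from the forum software) that walks a Received: chain and reports the hop at which the message entered the mail system. The header block is reconstructed from the post, with the recipient address replaced by a placeholder; the hop format it parses is the common Exim/sendmail "from X by Y with Z id N" shape, and the assumption that an Exim Message-ID is "E" plus the queue id is how Exim builds that header by default.

```python
"""Walk the Received: chain of an e-mail and report where it was injected.

Added example, not from the thread. SAMPLE_HEADERS is a constructed
reconstruction of the two Received: lines quoted in the post above; the
recipient address is a placeholder.
"""
import re

# Constructed sample header block (most recent hop first, as in a real message).
SAMPLE_HEADERS = """\
Received: from [66.147.238.53] (helo=host.win2winracing.com) by pih-mxcore09.plus.net with esmtp (PlusNet MXCore v2.00) id 1FdOwf-00038z-Uo for <recipient@example.invalid>; Tue, 09 May 2006 10:55:58 +0100
Received: from nobody by host.win2winracing.com with local (Exim 4.44) id 1FdOwZ-0003eW-5L for <recipient@example.invalid>; Tue, 09 May 2006 10:55:51 +0100
X-Mailer: IPB PHP Mailer
Message-ID: <E1FdOwZ-0003eW-5L@host.win2winracing.com>
"""

# "from <sender> (helo=<claimed name>) by <receiver> with <transport>"
RECEIVED_RE = re.compile(
    r"from\s+(?P<from>\S+)"
    r"(?:\s+\(helo=(?P<helo>[^)\s]+)\))?"
    r"\s+by\s+(?P<by>\S+)"
    r"\s+with\s+(?P<with>\S+)"
)


def parse_received(header_block):
    """Return one dict per Received: header, in header order (newest hop first)."""
    hops = []
    for line in header_block.splitlines():
        if not line.startswith("Received:"):
            continue
        m = RECEIVED_RE.search(line)
        if not m:
            continue
        hop = m.groupdict()
        # Literal peer address, present only when the hop arrived over SMTP.
        ipm = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", hop["from"])
        hop["ip"] = ipm.group(1) if ipm else None
        idm = re.search(r"\bid\s+(\S+)", line)
        hop["id"] = idm.group(1) if idm else None
        hops.append(hop)
    return hops


def summarize(header_block):
    """Describe the earliest hop, i.e. the host and transport the message entered by."""
    hops = parse_received(header_block)
    if not hops:
        return None
    first = hops[-1]                      # bottom-most Received: = earliest hop
    external = next((h for h in hops if h["ip"]), None)
    mid = re.search(r"^Message-ID:\s*<([^>]+)>", header_block, re.M)
    local_part, _, mid_host = mid.group(1).partition("@") if mid else ("", "", "")
    injected_locally = first["with"] == "local"   # no SMTP peer: generated on the box
    return {
        "origin_host": first["by"],
        "origin_transport": first["with"],
        "injected_locally": injected_locally,
        # With the "local" transport, the "from" token is the Unix account that ran the MTA.
        "submitting_user": first["from"] if injected_locally else None,
        "external_ip": external["ip"] if external else None,
        "external_helo": external["helo"] if external else None,
        # Exim's default Message-ID is "E" + its queue id; a match ties the ID to that hop.
        "message_id_matches_queue_id": local_part == "E" + (first["id"] or ""),
        "message_id_host_matches_origin": mid_host == first["by"],
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_HEADERS).items():
        print(f"{key}: {value}")
```

For the sample the earliest hop reads "from nobody by host.win2winracing.com with local": the message was not relayed in from elsewhere but generated on the forum's own server, under the unprivileged account the web server runs as, and the Message-ID carries that server's queue id. That is the picture one would expect from mail sent by a web application on the host rather than from a remote sender spoofing the address, and it fits the admin's later finding that the forum software itself had been tampered with.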

Admin
11th May 2006, 08:19
No sleep for two days......Supposed to be on my hols now.

Anyway, discovered that some ...... had used a hack on the forum, all fixed now and extra security in place.

Apologies for the hassle, out of my control. My guess is they are going round a lot of IPB forums on the planet, and I've informed the programmers, who should sort it quick.

Thanks to Rob for calling me just as I was off to bed. Typical of the Welsh.

Shamrockdave2003
14th May 2006, 07:52
QUOTE(admin @ May 11 2006, 08:19 AM)
No sleep for two days......Supposed to be on my hols now.

Anyway, discovered that some ...... had used a hack on the forum, all fixed now and extra security in place.

Apologies for the hassle, out of my control. My guess is they are going round a lot of IPB forums on the planet, and I've informed the programmers, who should sort it quick.

Thanks to Rob for calling me just as I was off to bed. Typical of the Welsh.

I got the email as well on my work computer and stupidly opened it.

It caused all sorts of problems in work and the IT guys were giving me **** for opening it.

It kept closing down applications and then re-booting the machine, but they fixed it - touch wood

Admin
14th May 2006, 16:22
Blimey. Maybe they need some up-to-date AV installed, as it was a very old trojan.