r3wt (OP)
|
|
November 21, 2013, 02:42:41 AM Last edit: November 21, 2013, 03:54:40 AM by r3wt |
|
Looks like malware distribution to Windows users. I've spoken with one individual who unfortunately was infected. The signature of the bot shows up as "bitcoinminer" (like the false positive in cgminer) and infected paint.exe. Upon investigation, I was able to T/V in and determine that it is indeed not a false positive. The malware escalates privilege, opens svchost. Unfortunately the bot owner caught wind of my snooping and terminated TeamViewer. Windows users, be careful. Download MBAR (Malwarebytes Anti-Rootkit) and check your machine out immediately. Seems like the bot owner has chosen the forum as a distribution point for an upcoming DDoS attack, a complex layer 7 attack where botnets are used to circumvent conventional DDoS filters and detection protocols (fits the timing and MO of the person behind a previous attack of this nature on a website I won't disclose). Of course, it could just be an attempt to steal the wallets of BCT users.
<!-- this concludes the Tinfoil Hat Report-->
<!--my logs for bitcointalk.org-->
2013/11/20 13:10:17 -0600 GN0DE r3wt IP-BLOCK 109.201.133.195 (Type: outgoing, Port: 50537, Process: chrome.exe)
2013/11/20 13:30:19 -0600 GN0DE r3wt IP-BLOCK 109.201.133.195 (Type: outgoing, Port: 51720, Process: chrome.exe)
2013/11/20 13:50:14 -0600 GN0DE r3wt IP-BLOCK 109.201.133.195 (Type: outgoing, Port: 52942, Process: chrome.exe)
2013/11/20 14:10:17 -0600 GN0DE r3wt IP-BLOCK 109.201.133.195 (Type: outgoing, Port: 54343, Process: chrome.exe)
2013/11/20 14:30:20 -0600 GN0DE r3wt IP-BLOCK 109.201.133.195 (Type: outgoing, Port: 55592, Process: chrome.exe)
2013/11/20 14:50:23 -0600 GN0DE r3wt IP-BLOCK 109.201.133.195 (Type: outgoing, Port: 56784, Process: chrome.exe)
2013/11/20 15:10:18 -0600 GN0DE r3wt IP-BLOCK 109.201.133.195 (Type: outgoing, Port: 57917, Process: chrome.exe)
2013/11/20 15:30:21 -0600 GN0DE r3wt IP-BLOCK 109.201.133.195 (Type: outgoing, Port: 59123, Process: chrome.exe)
2013/11/20 15:50:16 -0600 GN0DE r3wt IP-BLOCK 109.201.133.195 (Type: outgoing, Port: 60394, Process: chrome.exe)
2013/11/20 16:10:19 -0600 GN0DE r3wt IP-BLOCK 109.201.133.195 (Type: outgoing, Port: 61690, Process: chrome.exe)
2013/11/20 16:19:49 -0600 GN0DE r3wt IP-BLOCK 109.201.133.195 (Type: outgoing, Port: 62478, Process: chrome.exe)
2013/11/20 16:19:49 -0600 GN0DE r3wt IP-BLOCK 109.201.133.195 (Type: outgoing, Port: 62484, Process: chrome.exe)
2013/11/20 16:19:49 -0600 GN0DE r3wt IP-BLOCK 109.201.133.195 (Type: outgoing, Port: 62485, Process: chrome.exe)
2013/11/20 16:19:49 -0600 GN0DE r3wt IP-BLOCK 109.201.133.195 (Type: outgoing, Port: 62486, Process: chrome.exe)
2013/11/20 16:19:49 -0600 GN0DE r3wt IP-BLOCK 109.201.133.195 (Type: outgoing, Port: 62487, Process: chrome.exe)
2013/11/20 16:19:49 -0600 GN0DE r3wt IP-BLOCK 109.201.133.195 (Type: outgoing, Port: 62488, Process: chrome.exe)
2013/11/20 16:19:57 -0600 GN0DE r3wt IP-BLOCK 109.201.133.195 (Type: outgoing, Port: 62491, Process: chrome.exe)
2013/11/20 16:19:57 -0600 GN0DE r3wt IP-BLOCK 109.201.133.195 (Type: outgoing, Port: 62492, Process: chrome.exe)
2013/11/20 16:25:50 -0600 GN0DE r3wt IP-BLOCK 109.201.133.195 (Type: outgoing, Port: 63281, Process: chrome.exe)
2013/11/20 16:25:50 -0600 GN0DE r3wt IP-BLOCK 109.201.133.195 (Type: outgoing, Port: 63282, Process: chrome.exe)
2013/11/20 17:07:48 -0600 GN0DE r3wt IP-BLOCK 109.201.133.195 (Type: outgoing, Port: 49392, Process: chrome.exe)
2013/11/20 17:16:21 -0600 GN0DE r3wt IP-BLOCK 109.201.133.195 (Type: outgoing, Port: 49914, Process: chrome.exe)
2013/11/20 17:16:21 -0600 GN0DE r3wt IP-BLOCK 109.201.133.195 (Type: outgoing, Port: 49915, Process: chrome.exe)
2013/11/20 17:16:46 -0600 GN0DE r3wt IP-BLOCK 109.201.133.195 (Type: outgoing, Port: 49960, Process: chrome.exe)
2013/11/20 17:16:46 -0600 GN0DE r3wt IP-BLOCK 109.201.133.195 (Type: outgoing, Port: 49961, Process: chrome.exe)
2013/11/20 17:30:24 -0600 GN0DE r3wt IP-BLOCK 109.201.133.195 (Type: outgoing, Port: 50879, Process: chrome.exe)
2013/11/20 17:30:24 -0600 GN0DE r3wt IP-BLOCK 109.201.133.195 (Type: outgoing, Port: 50880, Process: chrome.exe)
2013/11/20 18:43:54 -0600 GN0DE r3wt IP-BLOCK 109.201.133.195 (Type: outgoing, Port: 55526, Process: chrome.exe)
2013/11/20 20:26:56 -0600 GN0DE r3wt IP-BLOCK 109.201.133.195 (Type: outgoing, Port: 62244, Process: chrome.exe)
2013/11/20 20:26:56 -0600 GN0DE r3wt IP-BLOCK 109.201.133.195 (Type: outgoing, Port: 62245, Process: chrome.exe)
2013/11/20 20:26:56 -0600 GN0DE r3wt IP-BLOCK 109.201.133.195 (Type: outgoing, Port: 62246, Process: chrome.exe)
2013/11/20 20:26:56 -0600 GN0DE r3wt IP-BLOCK 109.201.133.195 (Type: outgoing, Port: 62247, Process: chrome.exe)
2013/11/20 20:28:24 -0600 GN0DE r3wt IP-BLOCK 109.201.133.195 (Type: outgoing, Port: 62313, Process: chrome.exe)
2013/11/20 20:28:24 -0600 GN0DE r3wt IP-BLOCK 109.201.133.195 (Type: outgoing, Port: 62314, Process: chrome.exe)
2013/11/20 20:28:24 -0600 GN0DE r3wt IP-BLOCK 109.201.133.195 (Type: outgoing, Port: 62315, Process: chrome.exe)
2013/11/20 20:28:24 -0600 GN0DE r3wt IP-BLOCK 109.201.133.195 (Type: outgoing, Port: 62316, Process: chrome.exe)
|
My negative trust rating is reflective of a personal vendetta by someone on default trust.
|
|
|
anti-scam
Sr. Member
Offline
Activity: 476
Merit: 251
COINECT
|
|
November 21, 2013, 03:14:33 AM |
|
How does it infect people? Javascript? Flash? Which browsers are affected? You'll need to be a bit more specific.
|
|
|
|
scintill
|
|
November 21, 2013, 03:25:28 AM |
|
How does it infect people? Javascript? Flash? Which browsers are affected? You'll need to be a bit more specific.
Yeah, I see nothing about where it is supposedly "inserted into Bitcointalk", how users can protect themselves, how the forum can clean it...
|
1SCiN5kqkAbxxwesKMsH9GvyWnWP5YK2W | donations
|
|
|
r3wt (OP)
|
|
November 21, 2013, 03:29:16 AM |
|
How does it infect people? Javascript? Flash? Which browsers are affected? You'll need to be a bit more specific.
Yeah, I see nothing about where it is supposedly "inserted into Bitcointalk", how users can protect themselves, how the forum can clean it...
You're welcome. I expect theymos or someone else to handle it now.
|
My negative trust rating is reflective of a personal vendetta by someone on default trust.
|
|
|
theymos
Administrator
Legendary
Offline
Activity: 5376
Merit: 13373
|
|
November 21, 2013, 03:31:52 AM |
|
If there is actually a problem with the forum, MalwareBytes can collect a substantial bounty. But they're probably just wrong. Anti-malware companies make money by scaring users into thinking that everything around them is dangerous. The forum has previously been blocked by anti-malware software because you can find download links to stealth mining software here.
|
1NXYoJ5xU91Jp83XfVMHwwTUyZFK64BoAD
|
|
|
r3wt (OP)
|
|
November 21, 2013, 03:33:53 AM |
|
If there is actually a problem with the forum, MalwareBytes can collect a substantial bounty. But they're probably just wrong. Anti-malware companies make money by scaring users into thinking that everything around them is dangerous. The forum has previously been blocked by anti-malware software because you can find download links to stealth mining software here.
Doesn't explain how I (MBAM PRO user) see the warning, but regular MBAM users do not? At least investigate the issue. Could have slipped some malware under your nose into the server for all you know.
|
My negative trust rating is reflective of a personal vendetta by someone on default trust.
|
|
|
theymos
Administrator
Legendary
Offline
Activity: 5376
Merit: 13373
|
|
November 21, 2013, 03:38:36 AM |
|
Doesn't explain how I (MBAM PRO user) see the warning, but regular MBAM users do not? At least investigate the issue. Could have slipped some malware under your nose into the server for all you know.
You see the warning because you have website blocking (pro-only) enabled. bitcointalk.org is blocked in the site blocking list. I've already received reports of this.
|
1NXYoJ5xU91Jp83XfVMHwwTUyZFK64BoAD
|
|
|
scintill
|
|
November 21, 2013, 03:43:24 AM |
|
At least investigate the issue. Could have slipped some malware under your nose into the server for all you know.
I'm trying not to be too hostile here, but I'm really skeptical and feel like you're deliberately being vague. What "issue"? All you've really done is claim there's an infection, speculate on its motives, and give some sort of log without much description of what it is. So, at least could you say what the log is? Something has blocked outgoing connections from chrome.exe to bitcointalk.org (109.201.133.195)? What do the columns mean? What software produced this log? Are the port numbers listed from your side or bitcointalk's? It would indeed be unusual for Chrome to be connecting to high-numbered ports of bitcointalk, but not unusual for high-numbered ports to be the originating port from Chrome as a client. Sounds like theymos has debunked the log as an overactive general blacklist, not an indication of a new, specific infection on bitcointalk.
|
1SCiN5kqkAbxxwesKMsH9GvyWnWP5YK2W | donations
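A defender-side reader for the Malwarebytes IP-BLOCK lines quoted in this thread, added here as an example and not code from any poster: it parses the columns scintill asks about and checks whether the logged ports sit in the default Windows ephemeral range (49152-65535), which would make them the browser's local source ports rather than services on bitcointalk's side. The sample lines are constructed in the thread's format; host and user names are made up.

```python
import re
from collections import Counter

# Constructed sample in the shape of the Malwarebytes IP-BLOCK lines posted
# in this thread (host and user names are made up, not taken from any poster).
SAMPLE_LOG = """\
2013/11/20 13:10:17 -0600 HOST user IP-BLOCK 109.201.133.195 (Type: outgoing, Port: 50537, Process: chrome.exe)
2013/11/20 13:30:19 -0600 HOST user IP-BLOCK 109.201.133.195 (Type: outgoing, Port: 51720, Process: chrome.exe)
2013/11/20 16:25:50 -0600 HOST user IP-BLOCK 109.201.133.195 (Type: outgoing, Port: 63282, Process: chrome.exe)
2013/11/20 17:07:48 -0600 HOST user IP-BLOCK 109.201.133.195 (Type: outgoing, Port: 49392, Process: chrome.exe)
2013/11/20 19:44:15 -0800 HOST user MESSAGE Stopping IP protection
"""

LINE_RE = re.compile(
    r"^(?P<stamp>\S+ \S+ [+-]\d{4}) (?P<host>\S+) (?P<user>\S+) IP-BLOCK (?P<ip>[\d.]+) "
    r"\(Type: (?P<direction>\w+), Port: (?P<port>\d+), Process: (?P<proc>[^)]+)\)$"
)

# Windows Vista and later allocate client (ephemeral) ports from this range by default.
EPHEMERAL = range(49152, 65536)
BROWSERS = {"chrome.exe", "firefox.exe"}


def parse_ip_blocks(text):
    """Return one dict per IP-BLOCK line; MESSAGE and other lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["port"] = int(d["port"])
            events.append(d)
    return events


def assess(events):
    """Summarise what the blocked connections look like from a defender's view."""
    ips = Counter(e["ip"] for e in events)
    procs = Counter(e["proc"] for e in events)
    outgoing = all(e["direction"] == "outgoing" for e in events)
    ephemeral = all(e["port"] in EPHEMERAL for e in events)
    return {
        "destinations": dict(ips),
        "processes": dict(procs),
        "all_outgoing": outgoing,
        # Outgoing plus ports confined to the ephemeral range means the port
        # column is the local source port, not a service on the remote host.
        "ports_look_like_client_side": outgoing and ephemeral,
        # A browser repeatedly reaching one blocked address is what a site
        # blacklist hit looks like; a local implant would show other processes.
        "only_browsers_to_one_host": len(ips) == 1 and set(procs) <= BROWSERS,
    }
```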
|
|
|
papaminer
|
|
November 21, 2013, 03:53:43 AM |
|
I see it has been reported already.. Anyway... does theymos' explanation answer why it is being blocked NOW? I have been an MBAM PRO user for more than a few years... and it only blocked the forum THIS MORNING? Just when BTC went OVER $500/USD? Anyway... here is my log... just in case... someone who really cares...
2013/11/20 19:44:09 -0800 admin-PC admin IP-BLOCK 109.201.133.195 (Type: outgoing, Port: 54730, Process: firefox.exe)
2013/11/20 19:44:09 -0800 admin-PC admin IP-BLOCK 109.201.133.195 (Type: outgoing, Port: 54732, Process: firefox.exe)
2013/11/20 19:44:09 -0800 admin-PC admin IP-BLOCK 109.201.133.195 (Type: outgoing, Port: 54734, Process: firefox.exe)
2013/11/20 19:44:09 -0800 admin-PC admin IP-BLOCK 109.201.133.195 (Type: outgoing, Port: 54736, Process: firefox.exe)
2013/11/20 19:44:09 -0800 admin-PC admin IP-BLOCK 109.201.133.195 (Type: outgoing, Port: 54737, Process: firefox.exe)
2013/11/20 19:44:09 -0800 admin-PC admin IP-BLOCK 109.201.133.195 (Type: outgoing, Port: 54738, Process: firefox.exe)
2013/11/20 19:44:15 -0800 admin-PC admin MESSAGE Stopping IP protection
2013/11/20 19:44:15 -0800 admin-PC admin MESSAGE IP Protection stopped successfully
2013/11/20 19:44:15 -0800 admin-PC admin MESSAGE Starting IP protection
2013/11/20 19:44:16 -0800 admin-PC admin MESSAGE IP Protection started successfully
|
฿: 1L7dSte4Rs4KyyxRCgrqSWYtkXdAb4Gy1z MORE INFO ABOUT ME: BTC
|
|
|
r3wt (OP)
|
|
November 21, 2013, 03:56:49 AM |
|
Doesn't explain how I (MBAM PRO user) see the warning, but regular MBAM users do not? At least investigate the issue. Could have slipped some malware under your nose into the server for all you know.
You see the warning because you have website blocking (pro-only) enabled. bitcointalk.org is blocked in the site blocking list. I've already received reports of this.
Been using it for years, and this is the first time it's occurred at bitcointalk. Additionally, I searched the Malwarebytes IP database and bitcointalk is not on the list of hosts. I accept that it could be a false positive, but to brush it off without investigation is lazy.
|
My negative trust rating is reflective of a personal vendetta by someone on default trust.
|
|
|
|
BitcoinFX
Legendary
Offline
Activity: 2646
Merit: 1722
https://youtu.be/DsAVx0u9Cw4 ... Dr. WHO < KLF
|
|
November 22, 2013, 06:51:59 PM |
|
Doesn't explain how I (MBAM PRO user) see the warning, but regular MBAM users do not? At least investigate the issue. Could have slipped some malware under your nose into the server for all you know.
You see the warning because you have website blocking (pro-only) enabled. bitcointalk.org is blocked in the site blocking list. I've already received reports of this.
|
|
|
|
|