If you have received a message from Neofriends.net saying that you must download a file to keep your abers safe, DO NOT DOWNLOAD IT!!!! It is a keylogger. Someone gained access to Ricky's admin account and used it to send this email to users. If you have already downloaded it, delete it and change your passwords ASAP. If you have already run it, you may need to run an antivirus program to remove it from your computer.
A lot of people here have multiple accounts and millions, a lot of profit if people fall for it. >.> So try and keep everything safe!!
So who got hit? /raises hand... Lost an account... I was wondering why it was acting goofy... It was also typing random things like PORN and ASDFASDGFHA.... Also closed everything out. So I had to restart in safe mode and run a fixer... /headache... /now I have to start over again.... Second time today.
Ok, thanks for posting. I'm glad I checked this before I downloaded it. It seemed fishy because I got 3 emails about it with only minutes in between them. Wow... That would have been REALLY bad..
Thanks for confirming it was fake. I had my doubts... but it *was* from an admin. And for a moment there was even an announcement. Glad I was at work and couldn't download anything!
>,< If only you could have sent the email telling us earlier. I ended up having to reformat my computer because of this. Fortunately it was my crappy computer that only had games on it, so I didn't have to lose any important files. But it still was/is quite a drag to reinstall everything x.x Has anyone inspected the keylogger? I'm wondering if it is possible for it to collect information other than Neo =/
Dang, I was wondering why a form even opened up when I ran the .exe... But now it's opening random programs and such, how do I get rid of it?
Uh-oh.. that's not good. I don't ever check the mail I provided here.. so I'm not worried about it. By chance could someone post the IP used..? Unless it was a lvl 5 there's bound to be some packets left over from the attack. Btw, was it a n00b brute-forcing, or something more skillful? Also, might I suggest a login-attempt fail script if one doesn't already exist. This is an easy method for averting typical brute-forcers. I would also suggest an IP/cookie ban script as well. Btw, this can be reported to: www.ic3.gov/ (I would NOT suggest reporting this here unless it is your only option)
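A simple implementation of the failed-login throttle suggested in the post above, added here as an illustration (it is not code from the forum or from Neofriends.net). The thresholds, the per-user and per-IP keys, and the sample addresses are assumptions chosen for the example.

```python
import time
from collections import defaultdict


class LoginThrottle:
    """Count failed logins per key (account or source IP) inside a sliding
    window and lock the key for a fixed period once the threshold is hit."""

    def __init__(self, max_failures=5, window=300, lockout=900):
        self.max_failures = max_failures   # failures allowed inside the window
        self.window = window               # seconds over which failures count
        self.lockout = lockout             # seconds a key stays locked
        self._failures = defaultdict(list)  # key -> failure timestamps
        self._locked_until = {}             # key -> unlock time

    def _prune(self, key, now):
        cutoff = now - self.window
        self._failures[key] = [t for t in self._failures[key] if t > cutoff]

    def is_locked(self, key, now=None):
        now = time.time() if now is None else now
        until = self._locked_until.get(key)
        if until is not None and now < until:
            return True
        if until is not None:                # lock expired: start fresh
            del self._locked_until[key]
            self._failures.pop(key, None)
        return False

    def record_failure(self, key, now=None):
        now = time.time() if now is None else now
        self._prune(key, now)
        self._failures[key].append(now)
        if len(self._failures[key]) >= self.max_failures:
            self._locked_until[key] = now + self.lockout
            return True                      # key is now locked
        return False


def attempt_login(throttle, username, ip, password_ok, now):
    """Check lock state BEFORE verifying the password so a locked account
    cannot be used as a password oracle. Returns "locked", "ok" or "failed"."""
    user_key, ip_key = f"user:{username}", f"ip:{ip}"
    if throttle.is_locked(user_key, now) or throttle.is_locked(ip_key, now):
        return "locked"
    if password_ok:
        # Reset only the account counter: a successful login on one account
        # must not clear the failure count accumulated by the source IP.
        throttle._failures.pop(user_key, None)
        return "ok"
    throttle.record_failure(user_key, now)
    throttle.record_failure(ip_key, now)
    return "failed"
```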
Thanks for the announcement billy, even though I didn't receive a message. But how is Ricky's acct safe from this?
I downloaded it on an older crappy computer with Vista yesterday to see what it did and nothing popped up, but inside of the little folder where the 'program' was there was a little file and every time I opened it up it would have everything that I typed. I'm not sure if it sent anything to him or not because I purposely logged into an old Neopets account with NPs and items on it and nothing ever happened to it. I was also on the forum at this time (my password's been changed, no worries) and he never did log into my account like he did a few other people's. I also purposely PM'd Ricky's account after I downloaded it and whoever was on his account PM'd me back with a , so they def. knew I had downloaded it. Maybe he wasn't smart enough to make it compatible with Vista, I don't know. Anyway -- not sure if this is his actual IP but it's the one that shows up in the email for me:
Uh oh, this guy is from or is using a proxy from somewhere in Quebec, Canada... One of the IPs I'm using to connect to NF is in the 64.86.xxx.xxx range.
I think there should be a warning on the front page about this. I seriously did not read this topic because I thought it was some old thing that was just about the rules and whatnot. I didn't know about this until someone helped me in my topic in the help section. So whoever can edit the boards and stuff can put a warning in big bold red letters saying it's a scam?
Overall this took 11 nodes to resolve; however, the required information for reporting this threat and resolving it was obtained. Simply contact the individuals listed below, in combination with the ic3 branch, if a complete resolution is required. (This seems to have been a lvl 3 attack, and is easily traceable. The wordings posted are simply for informational purposes, as tunneling old information is not a hobby of mine..) Hope this helps: (the initial trace was done from an independent, unrelated IP)
It is quite noticeable that some of this information is fake, and altered by the attacker and/or attacker's host. However, this is more than enough information to reach any resolution that you seek, and a helpful tunneling entry.
I'd say either put a section about it in the front page or redirect users to this page after logging in. A lot of people don't read these things. Thanks for the heads up. ^_^
Expon already knows who did it, it was an old member that has gotten banned here several times: DEATHADDER. I doubt there is anything to do about him now anyway.
Well, that's great to know, and not lol.. depends on how you look at it. I personally don't act on these types of situations, nor would I, as it's currently not a responsibility of mine. Although, I did completely lock my PC from the user's true IP, and relative proxies, for additional security measures. Thanks for updating.
Wasn't he the guy who was banned, then unbanned, then banned again and so on??? I've been here since Dec. 06 and this name reminds me of something. I think he was stealing code from others and claiming it to be his...