Stopping a Virus Writer - Page 3

Thread: Stopping a Virus Writer

  1. #21
    Junior Member
    Join Date
    May 2005
    Posts
    13

    I'm the Admin of CnQ

    Hi guys and gals,

    A huge thanks to jett1960 for getting me over here. I have friends in Network Security, but they are unfamiliar with vBulletin. They have been able to pull up some of the ISP Owner info for our attacker. I just do not know the steps to take to "smack down" this/these idjits.

    I have several AIM and MSMessenger IDs being reported to me as part of the harassment. I have many, many AOL IP Addys that are on the hot list (and used by many, many of my members -- I hate Dynamic IP). It's been over 3 weeks since this started and I want it over. I'm tired of having to read every post from newbies to see if it's related to the problem. And once I flag them "clear" after about 10 posts, I do not have the bandwidth to read 100% of the posts going up. That's when things went to hell in a handbasket with a bow on top.

    I'm going to re-read the questions and requests and compile answers. I hope we can get to the bottom of this before the end of the month.

    Grateful,
    Sandra

  2. #22
    Junior Member
    Join Date
    Apr 2005
    Posts
    2
    I believe that with vBulletin you can ban an IP range. If the culprit is using a service like AOL or other ISP that uses dynamic IP addresses, you can ban the subnet (correct terminology?) Be aware that any legitimate members on the same subnet would be banned too, however.

    Also, opening attachments that you aren't explicitly expecting, even if the e-mail is supposedly "from a friend," is a bad idea these days. I never let my wife open e-mail attachments from her sister, because her sister's husband visits unsavory sites and their PC is probably virus infested.

  3. #23
    Junior Member
    Join Date
    May 2005
    Posts
    13
    HardCode, that's my problem...he's been using the same subset of addresses as dozens of legit members. I can't knock them all off-line!

    And *I* know better re: attachments. My background includes being the Admin Assistant to the MIS departments of a non-profit in NYC and RandomHouse Books, back when we were taking typewriters away and giving them Macs or PCs (Win 3.x)...I feel old.

  4. #24
    Junior Member
    Join Date
    May 2005
    Posts
    13

    Extremely Long and Detailed...

    Foxyloxley : I've been dealing with the backside stuff for almost a year now (or so it seems). I did not create the Forum, nor am I fluent in all that vB can do for me. As an Admin Assistant, I can learn software quickly when it makes sense. vB doesn't always make sense to me. I also just deleted ~4k users, and have about 37k threads waiting for double checks (they're about 18 months old) before we totally delete them.

    DISLEX : I've held off on ramping up the warnings posted to the group. Those who have been tangling with him are getting PMs (Private Messages) from me to ignore everything they get from unknown IDs and to block them immediately. I do want to re-write the entire Forum's FAQ, but that takes time and needs to be approved by the Forum Owners, who are busy running their own business to keep this afloat. I'm just a lowly volunteer who's a good friend of theirs and sits at a desk all day waiting for (real) work to come in.

    As for the timeline of attacks? I tend to get an IM via AIM from DirkBlackwell about 5-10 minutes after someone posts about the users hitoll or hedgiemommie. Hitoll and hedgiemommie are a couple (or so I'm told). Hitoll is apparently gay, but I have nothing against that...40% of my friends are Family.

    Hitoll's data:
    (Forum ID, e-mail; IP registered with; AIM chat ID; Yahoo! ID)
    hitoll, hitoll2@yahoo.com; 207.191.206.208; AIM: dirkblackwell; Yahoo!: hitoll2
    207-191-206-208.cpe.ats.mcleodusa.net is in Louisiana?
    hitoll2, rock_rapids_virgin_muff@yahoo.com; 207.191.206.208; AIM: dirkblackwell; Yahoo!: hitoll2
    hitoll2525, llotih@yahoo.com; 207.191.201.59; AIM: dirkblackwell; Yahoo!: hitoll2

    Hedgiemommie's data:

    hedgiemommie, amber_abrams2000@yahoo.com 207.191.220.68
    207-191-220-68.cpe.ats.mcleodusa.net
    kaiteedydlies, (deleted as it looked like the person he was hunting) 152.163.100.195 cache-rtc-ad01.proxy.aol.com

    kristyfriends, 152.163.100.198 (cache-rtc-ad04.proxy.aol.com) kristy_friends2000@yahoo.com

    Anuslicker, Pokeypete, and such deleted without regard to where created...

    SUSPECT (but not 100% sure yet): Hedgehogsrock88, 68.202.157.37, (37.157.202.68.cfl.res.rr.com) and 68.202.157.138, (138.157.202.68.cfl.res.rr.com)

    I've been told by DirkBlackwell, that I "took out" 4 of his computers and half of his home town. Sadly, I know he's found another ID to use, and we think it's: hedgehog69

    Hedgehog69's data:

    hedgehog69, klk00069@BEER.COM 64.12.116.195
    cache-mtc-ad01.proxy.aol.com
    152.163.100.195 AOL
    152.163.100.198 AOL
    205.188.116.201 AOL
    205.188.117.7 AOL
    64.12.116.195 AOL
    64.12.116.198 AOL

    We've also been just deleting all IDs created using obscene language, as I'm not wasting my time with all those junk yahoo.com accounts.

    Is there anything else I can pull together to help with getting this under control?

  5. #25
    DjM (I'd rather be fishing)
    Join Date
    Aug 2001
    Location
    The Great White North
    Posts
    1,867
    Hi Tindala, do you keep any log files that will be able to 'prove' this individual is on the AOL network (something that lists his/her IP?). If so, collect as much as you can and forward it to the abuse email for AOL. Now I have never used AOL, but others here don't seem to have a very high opinion of their service, but this may be a start. I doubt you're going to get this solved by the end of the month unless AOL thinks it's serious enough.

    It's still a good idea to post a warning to your members that this type of abuse is going on and, until you can get it resolved with AOL, members should be extremely careful of any email attachments.

    Cheers:
    DjM

  6. #26
    Junior Member
    Join Date
    May 2005
    Posts
    13

    Yes, we have logs...lots of logs...

    I have logs that tell me that a user has used a particular IP address. I'm not sure where I would find time stamp data...I'm sure it's available. Everything else seems to be.

    The key here, is that I've been told they are using Qwest...and I'm not seeing Qwest IPs. Do they "sub-let" buckets of addresses from AOHell?
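    Two things come up in #22/#23 and #25/#26: a range ban catches legitimate members who share the attacker's address block, and an abuse complaint needs timestamped address-to-account evidence. The script below is an added example, not part of the thread or of vBulletin: it takes a constructed access log (the suspect ID and its two AOL proxy addresses come from the thread; the legitimate members and their addresses are made up), lists which other members each candidate /24 ban would lock out, and emits the timestamped lines an abuse desk needs.

```python
import ipaddress

# Constructed sample access log, one "timestamp user ip" entry per line.
# hedgehog69 and its two AOL proxy addresses are from the thread; the
# legit_* members and their addresses are invented for this example.
SAMPLE_LOG = """\
2005-05-10T09:12:01 hedgehog69 64.12.116.195
2005-05-10T09:20:44 legit_alice 64.12.116.10
2005-05-10T10:02:13 legit_bob 152.163.100.198
2005-05-10T10:05:59 hedgehog69 152.163.100.195
2005-05-10T11:30:00 legit_carol 192.0.2.77
2005-05-11T08:00:00 legit_dave 64.12.117.5
"""

def parse_log(text):
    """Parse 'timestamp user ip' lines into (timestamp, user, ip_address)."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip = line.split()
        entries.append((ts, user, ipaddress.ip_address(ip)))
    return entries

def suspect_networks(entries, suspects, prefixlen=24):
    """Blocks (default /24) from which any suspect account has connected."""
    nets = {ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False)
            for _, user, ip in entries if user in suspects}
    return sorted(nets)

def collateral_for_ban(entries, network, suspects):
    """Non-suspect members seen inside `network`: who a range ban would hit."""
    net = ipaddress.ip_network(network, strict=False)
    return sorted({user for _, user, ip in entries
                   if user not in suspects and ip in net})

def ban_impact(entries, suspects, prefixlen=24):
    """Map each candidate block to the legitimate members it would lock out."""
    return {str(net): collateral_for_ban(entries, str(net), suspects)
            for net in suspect_networks(entries, suspects, prefixlen)}

def evidence_lines(entries, suspects):
    """Timestamped 'ts ip user' lines for the suspects, in time order: the
    form an ISP abuse desk needs to tie an address to a subscriber."""
    return [f"{ts} {ip} {user}" for ts, user, ip in sorted(entries)
            if user in suspects]

if __name__ == "__main__":
    log = parse_log(SAMPLE_LOG)
    for net, hit in ban_impact(log, {"hedgehog69"}).items():
        print(f"banning {net} would also lock out: {hit or 'nobody'}")
    print("\n".join(evidence_lines(log, {"hedgehog69"})))
```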

  7. #27
    DjM (I'd rather be fishing)
    Join Date
    Aug 2001
    Location
    The Great White North
    Posts
    1,867

    Re: Yes, we have logs...lots of logs...

    Originally posted here by Tindala
    I have logs that tell me that a user has used a particular IP address. I'm not sure where I would find time stamp data...I'm sure it's available. Everything else seems to be.

    The key here, is that I've been told they are using Qwest...and I'm not seeing Qwest IPs. Do they "sub-let" buckets of addresses from AOHell?
    Who "told" you they were using Qwest? The IPs you have listed above for Hedgehog69 all trace back to AOL.

    There is a phone number for the abuse line at AOL 703-265-4670, I am not sure if that will get you anything, but it might be worth a try.

    Cheers:
    DjM

  8. #28
    Junior Member
    Join Date
    May 2005
    Posts
    13
    DirkBlackwell...in AIM. I baited him with "I've blocked the AOL IPs as far up as I'm comfortable, since there are many users on AOL"...DB came back with "AOL??? We're on Qwest DSL."

  9. #29
    What are the possibilities that this guy is using a proxy server to mask his true IP? Oh and Tindala, if he's not using a proxy then that last statement might just be this guy trying to throw you off his track. If someone were to call me out on something like that my first reaction wouldn't be "oh man, you got me! LOL, how'd you find my ISP?!?!". This sounds like it might be a kid who is on AOL and very bored. If he thinks you found him out he's going to do whatever it takes to get you off his back.
    And so at last the beast fell and the unbelievers rejoiced. But all was not lost, for from the ash rose a great bird. The bird gazed down upon the unbelievers and cast fire and thunder upon them. For the beast had been reborn with its strength renewed, and the followers of Mammon cowered in horror. -from The Book of Mozilla, 7:15

  10. #30
    DjM (I'd rather be fishing)
    Join Date
    Aug 2001
    Location
    The Great White North
    Posts
    1,867
    What ID is the troll currently using? (or do you suspect many?).

    Cheers:
    DjM
