Statement concerning the attacks on SpywareInfo
Mike_Healan
February 15th, 2004, 05:47 AM
As most people know by now, SpywareInfo, TomCoyote.org and merijn.org disappeared last week. This is due to a colossal, ongoing distributed denial of service attack. Several thousand trojaned PCs are throwing millions of HTTP GET requests at the apache server. The attacker is very determined to keep these sites off the net. Every time we filter out the attack, thousands of new machines join in. For now, the server is firewalled and all traffic is being null routed.
No one has claimed responsibility and there has been no attempt to break into the server. We are examining files from some of the infected machines involved in the attacks. At this time, I cannot confirm or deny the rumors floating around that coolwebsearch.com or one of their affiliated sites is responsible for these attacks.
TomCoyote.org is up and running again on a new server and the forums there are available to help people: http://forums.tomcoyote.org/. The private mailing list and malware repository for antispyware developers is also up and running on a new server.
SpywareInfo and merijn.org will continue to be down for the next several days. My hosting service and I are working on setting up a system of multiple redundant proxy servers to shield the main server from these attacks. I hope to have this running within the next week or so.
There are several mirrors for HijackThis and CWShredder. I believe Majorgeeks.com has the current version of both.
HijackThis: http://www.majorgeeks.com/download.php?det=3155
CWShredder: http://www.majorgeeks.com/download4086.html
If anyone would like to contribute a server, please contact me at mike@tomcoyote.org. There are some minimum requirements for each server. I need a minimum PII 300MHz 128RAM, dedicated IP address, apache 1.3x on linux (preferably red hat) with root access via SSH and minimum of 100GB bandwidth/month. A Virtual Private Server (VPS) will work fine (I don't need a whole box).
SpywareInfo will be back. It will take more than this to keep us off the net.
Mike Healan
SpywareInfo
Pilli
February 15th, 2004, 06:56 AM
-{ Quote: "SpywareInfo will be back. It will take more than this to keep us off the net.
" }-
That's the spirit Mike! :) All power to your elbow ;D
Detox
February 15th, 2004, 11:32 AM
This is (overall) good to hear/read. Tonight, I will toast to the good guys ;)
snowbound
February 15th, 2004, 11:51 AM
Go get em Mike. >:(
They will surely be defeated. ;D
snowbound
spy1
February 15th, 2004, 01:59 PM
Mike - What's a VPS, where do you get one and how do you set it up?
If, for instance I was thinking about helping you out, I mean. Pete
Mike_Healan
February 15th, 2004, 02:27 PM
X-Block (http://www.xblock.com) has offered to host merijn.org on one of their servers and Merijn's site should be up and running again in a few days. SWI, TomCoyote, and Merijn will now be separated and no longer vulnerable to any single attack.
A VPS is an account on a server that looks and smells like a box all to itself and allows for "virtual" root access. More expensive than normal shared hosting but not as expensive as an entire box.
spy1
February 15th, 2004, 03:00 PM
Oh. I think I'm too broke to be of help in that way, then. Sorry. Pete
Mike_Healan
February 15th, 2004, 05:25 PM
No worries Pete. I appreciate the offer ;)
http://www.merijn.org is ONLINE AND RUNNING!
If you can't reach the site, add the following to your HOSTS files:
216.40.225.12 merijn.org
216.40.225.12 www.merijn.org
Pretender
February 15th, 2004, 06:46 PM
-{ Quote: "quoting Mike Healan:
No worries Pete. I appreciate the offer ;)
http://www.merijn.org is ONLINE AND RUNNING!
If you can't reach the site, add the following to your HOSTS files:
216.40.225.12 merijn.org
216.40.225.12 www.merijn.org
" }-
Sorry for my ignorance, but how do I add the suggested to my XP Home HOSTS file?
snowbound
February 15th, 2004, 07:04 PM
Hi Pretender :)
Here is a link on host files,
http://www.accs-net.com/hosts/how_to_use_hosts.html
u need to use notepad to open your host file.
Hope this helps.
snowbound
ChrisRLG
February 17th, 2004, 05:31 PM
Spywareinfo, Tomcoyote, merijn.org and Net-Integration.net ALL DOWN as we speak
Dell forum is still open - bookmark now - it has a malware removal board for us to use.
http://forums.us.dell.com/supportforums
If all else fails PM me at Dell.
Pretender
February 17th, 2004, 06:20 PM
I can get to Merijn's site okay after downloading HOSTS file as indicated by Snowbound and placing entries as stated by Mike Healan. Not able to access Tomcoyotes site right now.
I did have a problem with just using the HOSTS file sample by MS and adding the entries stated by Mike Healan in the HOSTS file though. So I had to download the zip/add the entries and it works now. Not real familiar with this HOSTS file thing, but learning quickly.
Pretender
February 17th, 2004, 07:18 PM
I found out why I had a problem with the HOSTS file sample by MS and kicking myself for it. When I went to the site that Snowbound suggested then it gave me a choice of downloading the zip file by the author or downloading a HOSTS file which would allow me to put just my entries into it (MS sample file). I didn't get a download dialog box so I copied the file/put it in a notepad.exe page/and entered it where it should be on XP Home and added the entries stated by Mike Healan. There's my mistake. I should have chosen "save as" and put it in the appropriate folder/added the entries from Mike/and renamed the folder "HOSTS". I've done that now and guess what? It works. :-[
"Not real familiar with this HOSTS file thing, but learning quickly." Please have mercy!
Mike_Healan
February 18th, 2004, 03:30 AM
WE'RE BACK!
http://www.spywareinfoforum.com/
LowWaterMark
February 18th, 2004, 03:32 AM
Very cool!
snapdragin
February 18th, 2004, 03:50 AM
Mike, I get "backing up the database. Come back in 5 min". Oh I am hoping it's just 5 min. :-[
Mike_Healan
February 18th, 2004, 03:58 AM
LOL ;D
I decided to make a backup since no one was on the board anyway ;)
FYI, for the moment we're using http://www.spywareinfoforum.com/forums/. There seems to be a DNS problem in some places for the normal address.
snapdragin
February 18th, 2004, 04:05 AM
WOW...it was just 5 minutes! LOL
Yes, I could not get to the regular address, but I can get to the forums now. whoohoo!! Good work Mike! :-*
Pilli
February 18th, 2004, 04:48 AM
Well done MH!, Getting there no trouble at the moment. :)
Paul Wilders
February 18th, 2004, 04:55 AM
-{ Quote: "quoting Mike Healan:
WE'RE BACK!" }-
Great! Let's hope this time it will be for good 8)
regards.
paul
Pieter_Arntz
February 18th, 2004, 05:20 AM
Errr, can you guys get any further than just the "main screen"?
Any link I click in there gets timed out. :(
Pieter
ChrisRLG
February 18th, 2004, 05:27 AM
Yes all OK for me.
Pilli
February 18th, 2004, 05:29 AM
Fine here Pieter at the moment. :)
snapdragin
February 18th, 2004, 05:54 AM
Pieter, I can log in and move in and out of the forums without any problems (it's fast), but I did notice that there is no "on-line" list at the bottom of the forum. So, I'm not showing up as logged in.
Mossback
February 18th, 2004, 09:52 AM
This is great news, have been anxiously waiting for you to get back, I needed a couple of definitions.
ChrisRLG
February 18th, 2004, 11:30 AM
Still major problems at the moment at SpywareInfo
We will keep you posted, but at the moment you may not be able to get in.
ChrisRLG
February 20th, 2004, 06:06 PM
Read the GOOD NEWS - Mike has posted here:-
http://forums.net-integration.net/index.php?s=3cd2700b5b072633867d2de74fac21fb&showtopic=10803&st=120&#entry54943
sig
February 21st, 2004, 08:03 PM
http://www.spywareinfoforum.com
And the corporate sponsor who came to the rescue is........ ;)
Dan Perez
February 21st, 2004, 08:18 PM
Great work to all those involved!!!
Long health and (better) fortune to SpywareInfo!
ChrisRLG
February 21st, 2004, 08:21 PM
It's up and running - go look see who is the new sponsor.
ChrisRLG
February 21st, 2004, 08:50 PM
The tide of the war is to now change - we will be on the offensive.
BOOT CAMP IS OPEN FOR RECRUITS
Valkyri001
February 21st, 2004, 09:02 PM
???Where do I sign up ???
I'll have plenty of questions concerning this particular type of thing. I just don't know how to phrase them intelligently just yet. This is why I come to Wilders. To figure out how to prevent this exact thing from happening to me.
sig
February 21st, 2004, 09:03 PM
(Not to go OT, especially since this deserves a thread of its own which I've posted in this forum, but on the note of taking the offensive particularly in light of the recent DDoS attacks, the FTC will be hosting a public workshop on Spyware, etc. Posted by Kevin M at BBR: http://www.dslreports.com/forum/remark,9458905~mode=flat )
ChrisRLG
February 21st, 2004, 09:15 PM
All those that wish to join boot camp you need to do the following
Go to
http://www.spywareinfoforum.com/forums/index.php register with the name of your choice.
then go to this thread http://www.spywareinfoforum.com/forums/index.php?showtopic=32637 and ask to be enrolled.
Please post back here after you have joined, so we at Wilders know how many are going.
Remember.
The pay is peanuts, the hours are long, the food is bad, but your w.w.w needs you. So line up.
Flamenco
February 22nd, 2004, 05:11 PM
Unfortunately, today I still cannot reach spywareinfo. I cannot update CWShredder either. I checked for spyware, looked in my hosts file, deleted all cookies and emptied my internet cache. To no avail.
Anybody else with the same problem?
sig
February 22nd, 2004, 05:51 PM
Yes, over at BBR. John2g posted a direct link to the CWS 1.50 full program download that works, fwiw. Link to the thread there: http://www.dslreports.com/forum/remark,9469518~mode=flat
ChrisRLG
February 22nd, 2004, 06:15 PM
Another mirror for cwshredder, hijackthis etc etc
www.zerosrealm.com look in downloads section
While the DDOS attacks continue cwshredder will not be able to auto update, download the new version over the old.
da cat
February 23rd, 2004, 12:37 PM
is it just me or is spywareinfo down again :(
da cat
ChrisRLG
February 23rd, 2004, 01:15 PM
It is down again, not sure when it will be up - watch this space
Pretender
February 23rd, 2004, 06:38 PM
Wonder if it may be time to see if a class action suit can be addressed on behalf of users of computer security forums?????????? Any Lawyers out there for a pro bono attempt????
sig
February 24th, 2004, 01:43 AM
Net-integration has some info about the status and events: http://forums.net-integration.net/index.php?showtopic=10834&st=15&#entry55744
I understand the FBI typically says it doesn't look into such matters unless there is a cost/loss of $5,000 or more involved. But that threshold may be met in this instance. And there may be other aspects that interest them as well.
ChrisRLG
February 24th, 2004, 12:18 PM
Merijn has posted here
http://forums.net-integration.net/index.php?s=58a5eb4ead4c5770bf7962ae119f0139&showtopic=10803&st=165&#entry55862
Copy of post
------------------------
Guys, it seems the DDoS attack will be going on for awhile. We're doing everything we can to get things working again, but since the zombie bots just resolve domains and target the resulting IPs, changing servers won't help much.
We need samples of this zombie bot. Be on the lookout for users with zombie-like problems! If users come to help forums saying their firewall is logging numerous connection attempts to SWI, TC or Merijn.org, take their machines apart and try to get a copy of the dos bot. Only that might allow us to actually stop the attack, instead of continuously dodging it.
Thanks for all your support!
Pretender
February 24th, 2004, 06:11 PM
-{ Quote: "quoting ChrisRLG:
Merijn has posted here
http://forums.net-integration.net/index.php?s=58a5eb4ead4c5770bf7962ae119f0139&showtopic=10803&st=165&#entry55862
Copy of post
------------------------
Guys, it seems the DDoS attack will be going on for awhile. We're doing everything we can to get things working again, but since the zombie bots just resolve domains and target the resulting IPs, changing servers won't help much.
We need samples of this zombie bot. Be on the lookout for users with zombie-like problems! If users come to help forums saying their firewall is logging numerous connection attempts to SWI, TC or Merijn.org, take their machines apart and try to get a copy of the dos bot. Only that might allow us to actually stop the attack, instead of continuously dodging it.
Thanks for all your support!
" }-
I'm using free version of ZoneAlarm and let http://www.mynetwatchman.com keep an eye on all goings on. Question?: Would this be of any help in determining information on the bot and, if so, should others perhaps consider using the netwatchman to keep an eye on ZoneAlarm so that information can be gathered at one place? I may be totally off base here as I really don't know how all of this works.
ChrisRLG
February 24th, 2004, 06:17 PM
Nor do I - But it looks like at NI one of these may be found by just such notice of a firewall's log.
http://forums.net-integration.net/index.php?act=ST&f=27&t=10803&st=165#entry55916
We are all waiting with bated breath.
atena
February 26th, 2004, 08:57 AM
And now net-integration is down...?!?
ChrisRLG
February 26th, 2004, 09:02 AM
Seems like it - don't know if it is connected to the DDOS or not.
Eagle1
February 26th, 2004, 09:31 AM
we are down. >:(
We are working to address the matter as quickly as possible. Unfortunately we hadn't completed setting up our backup contingencies for just such a situation. But it will be completed post haste and we'll be back online very soon. :)
Pieter_Arntz
February 26th, 2004, 09:35 AM
-{ Quote: "quoting Eagle1:
But it will be completed post haste and we'll be back online very soon. :)
" }-
Looking forward to that. :)
Good luck,
Pieter
atena
February 26th, 2004, 09:59 AM
We are all with you in our thoughts... It's so frustrating that we cannot help... Keep UP the good work (literally ;))
Valkyri001
February 26th, 2004, 11:26 AM
:)Standing by to Stand by!
???Is there another way to get funds to you besides paypal, I prefer snail mailed cashiers check.
ChrisRLG
February 26th, 2004, 11:35 AM
Hi, if it's to SpywareInfo
Here is the link to Mike's page - with a snail mail address, please note his name is not mike (lol).
http://www.spywareinfoforum.com/support.php
Valkyri001
February 26th, 2004, 12:15 PM
:-[I gotta learn! Read the whole page!!!
got it, checks in the mail.
Eagle1
February 26th, 2004, 12:59 PM
-{ Quote: "quoting Eagle1:
we are down. >:(
We are working to address the matter as quickly as possible. Unfortunately we hadn't completed setting up our backup contingencies for just such a situation. But it will be completed post haste and we'll be back online very soon. :)
" }-
Maybe NI won't be back online as quickly as I thought. This is bigger than first thought and is going to take more $$$$ than I can personally afford right now. I'm not sure what I'm going to do about NI yet. But I am going to set up SBSD support forums on another domain on another server in the meantime. This will only take a few hours.
Then I'll try to figure what to do next.
atena
February 26th, 2004, 01:19 PM
:( >:( :'( terribly sorry to hear that... Is it a part of SWI&Merijn&TC attack?
Eagle1
February 26th, 2004, 01:59 PM
I believe once the ^%^%^&% doing this realized NI was part of the picture it became a target.
Our host is trying to do a couple things themselves but it's fruitless IMO. They've already tried assigning different IP addresses to NI, changing nameservers and using an internal proxy and IMO they won't work for more than an hour or 2, if at all.
Until the attack stops there is little they will be able to do. And I can't afford to set up a slew of proxies. So...like I said we'll see what happens.
Prince_Serendip
February 26th, 2004, 02:02 PM
:) Hello Eagle1!
That was fast work! Net-Integration SpybotS&D (http://forums.net-integration.net/) is back.
As pro-spyware interests are becoming more aggressive I have noticed a shift in the attitudes of the online Security Communities. There's nothing like a common cause/foe to draw people together who are ready, willing and able to provide a united stand against spyware, hackers and hijackers!
Keep your chins up everyone!
Larry ;)
Eagle1
February 26th, 2004, 02:06 PM
It's not going to last. Everything they do will only partially succeed IMO or be temporary. Until the attack lets off it's unlikely the site will remain live long.
Valkyri001
February 26th, 2004, 02:40 PM
>:(Ok! so maybe this is completely off the wall.
What if a large number of ( good addresses logged into the server or site or the site were full with known addresses ) would that stop the bad from getting on?
Just a shot in the dark!
Prince_Serendip
February 26th, 2004, 02:49 PM
:) Interesting idea.
A less open way of doing internet. Hmmm. The idea would be to limit the number of addresses and then keep it full. There would need to be a way for valid members to sign on? Would this be workable--even as a "shot in the dark?" (starring Peter Sellers LOL)
Best regards.
Eagle1
February 26th, 2004, 03:06 PM
The attack is now being successfully filtered. I'm not going to like the bill at all but NI won't go down again because of this attack.
RJ100
February 26th, 2004, 09:03 PM
SWI is up for now.....
http://www.spywareinfoforum.com/forums/index.php?s=975b88245012679f5468429f24850d42
Take care
Nick
February 27th, 2004, 02:19 AM
It's good to see both SWI and Net-Integration back up again ;D
Eagle1
February 27th, 2004, 04:30 AM
We are under a new bigger attack and I'm not so sure how long it will be before this one is contained. >:(
My forums will be opening under a new domain in a couple hours. It's about the best I can do for now.
Paul Wilders
February 28th, 2004, 07:27 AM
-{ Quote: "quoting Eagle1:
We are under a new bigger attack and I'm not so sure how long it will be before this one is contained. >:(" }-
Ahmad, very sorry to hear so. In case you want to discuss all this, don't hesitate to drop me an email.
regards.
paul
Eagle1
February 28th, 2004, 08:12 AM
Thanks for the kind words Paul.
This attack just keeps getting bigger. >:(
Now they have somehow managed to find 2 of my 15 or so client sites and are now hitting them which is now taking down my client server too. So now all my clients are being affected. >:( >:(
I'm not so sure I can afford to weather this storm. It's grown beyond my means and I can't expect my ISP to tolerate this much longer despite what they may tell me. It's affecting their entire network and they must have clients complaining.
I just don't understand this crap at all.
Paul Wilders
February 28th, 2004, 08:18 AM
Ahmad,
That's terrible! Drop me an email anyway - discussing possible options never hurts.
regards.
paul
Eagle1
February 28th, 2004, 08:26 AM
As soon as my cable ISP's mail server goes back online I'll email. They are down for another hour for maintenance and of course I have no website related email accounts working at the moment.
P.T.
February 28th, 2004, 10:47 AM
Seems net-integrations is down with a DOS attack too. Feb. 28, 04 Is this ever going to end? >:(
Eagle1
February 28th, 2004, 10:53 AM
NI is finally back up. I'll be sending an email shortly Paul.
Eagle1
February 28th, 2004, 11:23 AM
Down again... >:(
Email coming now
Paul Wilders
February 28th, 2004, 11:47 AM
-{ Quote: "quoting Eagle1:
Down again... >:( " }-
>:(
-{ Quote: "Email coming now " }-
Looking forward to it.
regards.
paul
Eagle1
February 28th, 2004, 05:55 PM
For the time being Net-Integration is turned off. We (myself Tommy and ISP) tried setting up proxies and they were taken down almost instantly.
At this point we are stumped as to what to do. We will be discussing and comparing notes with the others struck by similar attacks in hopes of determining the cause and/or finding a way to filter them effectively.
But in the meantime NI is being left offline without DNS. I can't afford to do anything else at the moment.
I've been having mail issues all day including with my ISP (whose regular maintenance seems to have broken it >:( ). I'm setting up some other email accounts so I can communicate again.
It's coming Paul. Sorry if it's too long....but you're a great sounding board and always have good advice.
P.T.
February 28th, 2004, 06:53 PM
Eagle1
I would like to express my deepest sympathy concerning your recent problems with your DoS problem and NI. You must be on the right path to have become a target of these attacks, as SWI, and TC before you. Please realize you have a lot of people pulling for you. Hope you know you're in our thoughts and prayers.
P.T.
Wiskonst
February 29th, 2004, 09:17 AM
Sympathy, Eagle1
The only possibly effective filtering I can think of would be one based on frequency of page requests. Any IP sending - say - more than 2 requests a second is blocked for an amount of time. This would require high capacity hard- and software.
Don't know whether such filter proxies have been developed by major companies, but DDoS-attacks have been known in practice for more than four years.
This probably doesn't help you on short term, but anyway.
BTW Have you opened an account for donations?
_______
Wiskonst
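Added example, not part of Wiskonst's post or any of the sites' own tooling: the frequency-based filter suggested above (more than 2 requests a second from one IP leads to a timed block), replayed over web server log lines. The log lines are constructed, the addresses are documentation ranges, and the one-minute block duration and all function names are assumptions.

```python
"""Per-IP request-rate filter replayed over access-log lines (added example)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Apache common log format: host ident user [time] "request" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) \S+')


def parse_line(line):
    """Return (ip, timestamp) for a well-formed log line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    try:
        when = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
    except ValueError:
        return None
    return m.group(1), when


class RateFilter:
    """Block an IP for block_for once it exceeds max_requests per window."""

    def __init__(self, max_requests=2, window=timedelta(seconds=1),
                 block_for=timedelta(minutes=1)):  # block length is an assumption
        self.max_requests = max_requests
        self.window = window
        self.block_for = block_for
        self.recent = defaultdict(deque)   # ip -> timestamps inside the window
        self.blocked_until = {}            # ip -> time the block expires

    def allow(self, ip, when):
        until = self.blocked_until.get(ip)
        if until is not None:
            if when < until:
                return False               # still serving its block
            del self.blocked_until[ip]     # block expired, start fresh
        hits = self.recent[ip]
        while hits and when - hits[0] >= self.window:
            hits.popleft()                 # forget requests outside the window
        hits.append(when)
        if len(hits) > self.max_requests:
            self.blocked_until[ip] = when + self.block_for
            hits.clear()
            return False
        return True

    def prune(self, now):
        """Drop idle per-IP state so memory stays bounded; return entries left."""
        idle = [ip for ip, q in self.recent.items()
                if not q or now - q[-1] >= self.window]
        for ip in idle:
            del self.recent[ip]
        for ip in [ip for ip, t in self.blocked_until.items() if now >= t]:
            del self.blocked_until[ip]
        return len(self.recent) + len(self.blocked_until)


def replay(log_text, filt):
    """Feed log lines through the filter and count the decisions."""
    stats = {"allowed": 0, "dropped": 0, "skipped": 0, "blocked_ips": set()}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            stats["skipped"] += 1          # malformed line, not counted either way
            continue
        ip, when = parsed
        if filt.allow(ip, when):
            stats["allowed"] += 1
        else:
            stats["dropped"] += 1
            stats["blocked_ips"].add(ip)
    return stats


def make_line(ip, hms):
    """Build one constructed log line for the sample below."""
    return f'{ip} - - [29/Feb/2004:{hms} +0000] "GET /forums/index.php HTTP/1.0" 200 512'


# Constructed sample: one noisy source, one ordinary visitor, one damaged line.
NOISY, VISITOR = "203.0.113.7", "198.51.100.20"
SAMPLE_LOG = "\n".join(
    [make_line(NOISY, "09:17:01")] * 5
    + [make_line(VISITOR, t) for t in ("09:17:01", "09:17:03", "09:17:05")]
    + ["-- truncated line --"]
    + [make_line(NOISY, "09:17:30"), make_line(NOISY, "09:18:05")]
)

if __name__ == "__main__":
    print(replay(SAMPLE_LOG, RateFilter()))
```

A per-source threshold only stops sources that exceed it, and the filter holds state for every address it sees, which is why `prune` is part of the sketch.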
Grummy
February 29th, 2004, 02:30 PM
Eagle1 , grummy here. Thank you for using Wilders as a communication link. SWI is running but many are having posting problems and log-on problems. Don't even try to bring NI back up until you are ready. Hopefully Paul and other tech people will offer ideas. Meantime, just know our emotions and prayers are with you. 8)
Paul Wilders
February 29th, 2004, 04:31 PM
Ahmad,
Please check your PM inbox over here ;)
regards.
paul
Eagle1
February 29th, 2004, 04:46 PM
Just did Paul. PM coming back to you in a second.
I truly appreciate everyone's kind words of support. Thank you
For those having the desire to help and were looking for a paypal donation location here it is.
http://www.emfc.com/nisupport.html
And believe me Grummy I have no intention of firing NI back up until I know I'm able to handle whatever it will take to keep it that way. I'm looking at some alternatives now too. I've been somewhat disabled because I've been without email now for over a day. My cable ISP did maintenance and screwed it up..go figure.. But it is working again as of about 10 minutes ago and I should be able to get things rolling a little more quickly now.
Pretender
February 29th, 2004, 06:25 PM
I received an SQL error when trying to get to SpywareInfo.
- Removed the screen shot as the MySQL error listed is not actually significant to resolving the issue. LWM
Eagle1
February 29th, 2004, 06:36 PM
Some adjustments are being made to proxy servers...he'll be back soon
RJ100
February 29th, 2004, 08:55 PM
Is this important, or is it way off base?
http://www.securitytracker.com/alerts/2004/Feb/1009257.html
Take care
LowWaterMark
February 29th, 2004, 09:11 PM
-{ Quote: "quoting RJ100:
Is this important, or is it way off base?
http://www.securitytracker.com/alerts/2004/Feb/1009257.html " }-
Well, yes that item is important in terms of it being an exploit that needs to be addressed, but it is not related to what's going on with SWI overall or the SQL error that was noted above. (Basically, the error removed above was simply that the database wasn't accessible, which I could cause to happen here if I simply triggered a restart of the MySQL server processes.)
Most of us running forums use publicly available bulletin board software, either free or commercial packages, for which various exploits get discovered and then patched. Just a few days ago there was one for YaBB SE (what we use here) that was extremely similar - an unchecked parameter that could allow SQL commands to be executed... The fix was readily available and we applied it. (SOP - Standard Operating Procedure) :)
RJ100
February 29th, 2004, 09:20 PM
Well stated as per usual LWM. Thanks for the clarification ;)
Chocolate-chip cookie headin' your way to go with that coffee.
Take care
P.T.
February 29th, 2004, 09:41 PM
Eagle1
Here's a message left for you at cexx forum
-{ Quote: "AplusWebMaster
Joined: 07 Dec 2003
Posts: 101
Location: Philly, PA
Posted: Sun Feb 29, 2004 7:25 pm Post subject:
--------------------------------------------------------------------------------
From the Internet Storm Center:
- http://isc.sans.org/diary.html?date=2004-02-29
"...We have had a report that some popular anti-Spyware forums were under a DDoS attack, but, no further information has been provided. If anyone has some follow up information on this, drop the Handler on Duty a line..."
- http://isc.sans.org/contact.html
(Anyone know how to contact Eagle1 to have him read this post?)
.
_________________
AplusWebMaster ~ www.apluswebmaster.net
Are you up to date or vulnerable to Hackers?
" }-
HandsOff
March 2nd, 2004, 04:34 AM
Question and Comment:
The suggestion was given to add
216.40.225.12 merijn.org
216.40.225.12 www.merijn.org
To our hosts file. I do know how to do this the question is why? I am not intentionally being dense, however, what is happening differently than if we simply type www.merijn.org. Specifically, is it that our search engine might not be up to date, or is it that there is something intentionally trying to reroute us from the correct address, and this ensures that that will not happen. (By the way, ironically, this is the first address other than 127.0.0.1 that my host file has ever seen! Even more ironic, I have never even considered using it this way...sign of the times I guess).
Comment to the user that is weighing whether to expend the effort to figure out this host file thing. It is actually pretty simple. Attend:
the "hosts" file location in XP is in this folder
C:\Windows\system32\drivers\etc
hosts has no extension but if you add .txt you can edit it as you would any text file (only when you are finished rename it again to hosts without the .txt).
if it is read only, then of course you will need to right click and uncheck the read only box.
if you use spybot search and destroy, or similar products you will see a long list of unsavory sites preceded by 127.0.0.1 That is the local host (that is you) it tells your browser not to go to those unsavory sites, but to stay put if you try to link to them. Follow the pattern and add any sites you are sick of seeing.
Or in this case just add the lines
216.40.225.12 merijn.org
216.40.225.12 www.merijn.org
to make you go to the correct address whenever your browser is looking for www.merijn.org
By the way, everything following a # on a line is regarded as a comment and is ignored by the system when it is using the file to attempt to find addresses to link with site names. This allows you to add little notes that are used to help people remember or make categories like say
# My additions of sites featuring Barney
I know that most of you reading this already know very well everything I said, and that it is probably said better by following the link that was provided. This is just in case it helps someone get to www.merijn.org and because it might benefit people like myself who might assume that stuff is more complicated than it is...or they would already know it!!!
- HandsOff
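Added example, not part of HandsOff's post: a parser for the HOSTS format described above (`#` comments, 127.0.0.1 block entries, and pinned addresses such as the merijn.org lines) that lists which names are blocked and which are pinned to a fixed address, so temporary pins can be found and removed once normal DNS works again. The sample file is constructed, the function names are hypothetical, and the lookup assumes the first matching line wins.

```python
"""Parse and audit a HOSTS file (added example, constructed sample data)."""
import ipaddress

# Constructed sample; the two merijn.org lines are the entries quoted in the thread.
SAMPLE_HOSTS = """\
# Constructed sample HOSTS file
127.0.0.1       localhost
127.0.0.1       ads.example.test  tracker.example.test   # blocked sites
216.40.225.12   merijn.org
216.40.225.12   www.merijn.org     # temporary pin
not-an-ip       broken.example.test
# My additions of sites featuring Barney
"""


def parse_hosts(text):
    """Return (entries, rejected).

    entries  -> list of (hostname, address, line_number)
    rejected -> list of (line_number, raw_line) that could not be parsed
    """
    entries, rejected = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # everything after # is a comment
        if not line:
            continue
        fields = line.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            rejected.append((lineno, raw))
            continue
        if len(fields) < 2:                   # an address with no hostname
            rejected.append((lineno, raw))
            continue
        for name in fields[1:]:               # one line may carry several names
            entries.append((name.lower(), addr, lineno))
    return entries, rejected


def lookup(entries, name):
    """Address the file gives for name, or None (assumption: first match wins)."""
    wanted = name.lower()
    for host, addr, _ in entries:
        if host == wanted:
            return addr
    return None


def audit(entries):
    """Split entries into names blocked locally and names pinned to a fixed address."""
    report = {"blocked": [], "pinned": []}
    for host, addr, _ in entries:
        if addr.is_loopback or addr.is_unspecified:
            if host != "localhost":           # the standard localhost line is neither
                report["blocked"].append(host)
        else:
            report["pinned"].append(host)     # review these: pins go stale when a site moves
    return report


if __name__ == "__main__":
    parsed, bad = parse_hosts(SAMPLE_HOSTS)
    print(audit(parsed))
    print("unparsed lines:", bad)
```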
nadirah
March 3rd, 2004, 04:20 AM
don't worry, u CAN and you WILL soon stop this nasty attack, don't give up and keep trying. ;)
There is still hope even in your darkest hour.
Eagle1
March 4th, 2004, 06:57 PM
www.net-integration.net is being reactivated and should return very shortly for everyone. It is in the process of resolving DNS internally. Mail has started working again so the site should not be far behind.
The filtering in place may need some tweaking and the potential is there we will go offline a few times again for short periods as we adjust. It's hoped this is not the case but I don't know for certain.
This is not the permanent arrangement for this site. Over the course of the next several days I'm going to be implementing changes which I hope will prevent this from happening again and in a permanent location.
In any event it should not be much longer and NI will be live again.
Pretender
March 4th, 2004, 07:47 PM
Good News Eagle1 8)
srfox
March 4th, 2004, 08:02 PM
Glad to hear it :)
Eagle1
March 4th, 2004, 08:26 PM
It's working again :)
sig
March 4th, 2004, 08:32 PM
Looking good. Congrats. :)
little eagle
March 4th, 2004, 08:59 PM
-{ Quote: "quoting Eagle1:
It's working again :)" }-
guess you need to tweak it a little more got there but the board ate my post :o glad you're back up again!!!!
LowWaterMark
March 4th, 2004, 09:06 PM
Yeah, it looks like they're just making adjustments... An odd flurry of SQL errors and such, but they are there. It's probably only a matter of a few server side tweaks at this point.
Eagle1
March 4th, 2004, 09:16 PM
This is a mysql issue and nothing to do with the attack. Seem to have a couple of rogue tables that don't like to play nice. :)
Eagle1
March 4th, 2004, 09:25 PM
Looks like I may have a few corrupted files. Seems there were too many post attempts in the same topic at the same time.
Friendly fire took out the forum db. LOL
I'm working on trying to repair it now.
Eagle1
March 4th, 2004, 10:46 PM
Everything is working good now.
The ddos is under control at the moment and the forum database is fixed.
Wiskonst
March 5th, 2004, 03:43 AM
Congratulations!
_______
Wiskonst
ChrisRLG
March 5th, 2004, 03:53 AM
Weeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee
Let's go get em...........
Grummy
March 5th, 2004, 07:34 AM
Super News, just posted at NI and all is working good. Congrats !
ChrisRLG
March 19th, 2004, 10:04 AM
And tomcoyote is back up too
www.tomcoyote.com
snowbound
March 19th, 2004, 07:44 PM
-{ Quote: "quoting ChrisRLG:
And tomcoyote is back up too
www.tomcoyote.com
" }-
This is great news! 8)
Congratulations on getting it back online again. ;D
snowbound
srfox
March 30th, 2004, 09:17 PM
Seems that there is another attack on Xblock.com. Anyone have any info?
Copyright ©2002 - 2012, Wilders Security Forums