Neowin under attack, Originating from Ukraine

Today Neowin suffered yet another attack on its forums and main news pages. An exploit allowed the attacker to place an iframe linking to a website that prompts visitors to download a plug-in.

Not content with that alone, the attacker also managed to send out a bulk mail asking forum members to install a trojan called win32.exe. We hope our guests never install anything they aren't sure of, and in any case Neowin would never ask you to run an executable from a bulk mailer.

The message is as follows, please disregard it if you have received it.

From: Neowin Forums [noreply@neowin.net]
Sent: 06 December 2007 3:41 PM
To: Tom Warren
Subject: Our New Software! ( Neowin Forums )

Dear creamhackered, our forum presents you our new software: NeoWin 1.0. It will ease your browsing our site and forum. Please download and install it.

NeoWin 1.0: Snipped URL to trojan


At the moment we are trying to trace how the attacker was able to modify Neowin so it can be avoided in the future. One thing is for sure though, you suck whoever you are.

Update: OK, it seems the guy got in through a flaw in our phpMyAdmin software. Timdorr is working on it with Marcel Klum; the other staff have all been busy removing IFRAMEs from the forum and main page. Thanks Rob!
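The clean-up described above was a hunt for injected iframes in stored page and post HTML. The scanner below is an added example, not Neowin's code and not from the original article: it parses HTML, lists every iframe, and flags any whose src points to a host outside the site's own domain or that is sized or styled to be invisible, which is the pattern of a drive-by plug-in prompt. The allowed host list, the placeholder host `plugin.example.invalid` and the sample page are assumptions constructed for the demo.

```python
"""Flag injected off-site or hidden iframes in stored HTML (added example)."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the site's own hosts; anything else is off-site.
ALLOWED_HOSTS = {"neowin.net", "www.neowin.net"}


class IframeFinder(HTMLParser):
    """Collects the attribute dict of every <iframe> start tag."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            # attrs is a list of (name, value) pairs; value may be None
            self.iframes.append(dict(attrs))


def is_hidden(attrs):
    """True when the iframe is styled invisible or has a 0/1 pixel dimension."""
    style = (attrs.get("style") or "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        return True
    for dim in ("width", "height"):
        value = (attrs.get(dim) or "").strip().lower().rstrip("px")
        if value.isdigit() and int(value) <= 1:
            return True
    return False


def find_suspicious_iframes(html, allowed_hosts=ALLOWED_HOSTS):
    """Return a finding per iframe that is off-site, hidden, or both."""
    parser = IframeFinder()
    parser.feed(html)
    findings = []
    for attrs in parser.iframes:
        src = attrs.get("src") or ""
        host = urlparse(src).hostname or ""
        off_site = bool(host) and host not in allowed_hosts
        hidden = is_hidden(attrs)
        if off_site or hidden:
            findings.append({"src": src, "host": host, "off_site": off_site, "hidden": hidden})
    return findings


# Constructed sample: one legitimate embed, one injected hidden off-site frame.
SAMPLE_PAGE = """
<html><body>
<h1>Front page</h1>
<iframe src="http://www.neowin.net/forum/embed" width="300" height="200"></iframe>
<p>news text</p>
<iframe src="http://plugin.example.invalid/load.html" width="0" height="0"
        style="visibility:hidden"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for finding in find_suspicious_iframes(SAMPLE_PAGE):
        print(finding)
```

Run it over a dump of the forum's post table or the rendered front page; a legitimate same-site embed is not reported, while the hidden off-site frame is, with both reasons recorded so the clean-up can be prioritised.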

Link: Here is where the "hacker" lives

138 Comments


Funnily enough, I just came back from a day trip to Ukraine (from England). Eerie place....... strangest country I've ever been to - "a world away" is how I'd describe it...

Well, that IP address you got, it's probably a routed one. I'm not sure if anyone clever enough to cause this mess would simply ignore hiding his IP.

But why would anyone want to do this to Neowin - I just don't understand.

The people who use this forum are so knowledgeable and friendly I just don't get it.

Whenever I had a problem I didn't know how to fix someone on here has helped me out within minutes of the post.


Long may Neowin and its members prosper!

And someone whack that Ukrainian hacker with a laptop for doing this.

Actually I tried mine and it wasn't quite right. Put me about 30 miles away. Another site was a little more accurate, but still centered my IP on my main city address rather than any real physical address. Which is a good thing.

I hate hackers, what an idiot. I hope you banned his IP (that is, if you know what it is).

Hope everything gets back to normal, good luck. :)

Please don't prosecute me for calling the hacker an idiot. I know I've gotten crucified for calling someone an idiot before, but isn't this an exception?:P

Ha!

I knew something wasn't right when the email was just a one liner and the URL didn't point to the software section of the site!

Quickly came over to Neowin and found this post. Maybe this should be made sticky on the homepage or something...

Ukraine, didn't they win the Eurovision song contest some years ago? Awful song ...

Granted those IP tests aren't extremely valid, but god, I just ran myself through it and it is closer than I'd like ... a field about 5 minutes away from my house - scary how much people can find out these days :O I'd best remember not to hack or spam you people. There goes my Sunday morning.

SimpleRules said,
Ukraine, didn't they win the Eurovision song contest some years ago? Awful song ...

You've got that right

This may sound like a bizarre question but does anyone have a copy of the trojan? (or at least a link to it)

I'm fairly skilled in malware analysis so I may be able to shed some light as to what this trojan does, where it transmits information to, etc.

PHPMyAdmin has been a continuous hacker door. Maybe the developers need to hire someone from Microsoft's Security Initiative Taskforce. Naah. It'll be secure some day on its own.

Just an observation from having experimented with it and then removed it after some bad experiences.

How can you be sure you have the hacker's real IP? I mean, hackers have been known to use proxies after all! Even if it was the real IP it won't be accurate enough to show which house it's from. Seriously, some innocent kid in the Ukraine is gonna get flaming bags of dog**** for no reason.

I come from Ukraine. You not say Ukraine weak. Ukraine is game to you?! Howbout I take your little board and smash it!! :nuts:


solardog said,
I come from Ukraine. You not say Ukraine weak. Ukraine is game to you?! Howbout I take your little board and smash it!! :nuts:

Haha... Anyway, hope the 'hacker' rot!

how were they able to access the neowin phpmyadmin ? i have a few boxes with phpmyadmin on them but i never expose the phpmyadmin console to the web just wondering out of curiosity how they managed to access it ?

Hmm, Did anyone find the address of where the Attack came from. I'll Gladly hop on over to the country and beat the little punk who tried to ruin Neowin for me.. (FYI I am in Poland, I can hop over and drop kick this guys ass)

Anyways... Good Job to the Site administrators for keeping their cool and working through the problems :0

hm... wonder if i got a trojan... nod3.0 didn't alert me to anything, plus i viewed the source and saw the iframe... running under vista (maybe UAC got my back... dunno)

when i visited neowin's site this morning i was met with the BO trojan. McAfee caught it and got rid of it. did a full scan. I hope they get this guy.

yeah i would have to say that it is way off. being that i hide behind several proxies and a private DNS, i live in ohio (i tell you this because i love this site and i honestly dont care) and it tells me i live in greenland

I hope all goes well finding this guy and he gets punished. This is the best site, I get all my technology news and talk from this site. I love it.

"Here is where the "hacker" lives" | <-- That is NOT his house. Try typing in your own IP, it will pinpoint a place in your city but faaaaaar from your actual residence.

MindTrickz said,
"Here is where the "hacker" lives" | <-- That is NOT his house. Try typing in your own IP, it will pinpoint a place in your city but faaaaaar from your actual residence.

I'm pretty sure that wasn't meant to say "hey, here is his house" but "here is the area he lives"... when I use my IP it comes back as Pittsburgh, Pa... it's around the area I live... no IP ties back to a house unless you get a court order to get the ISP to give you the address... which I am sure with the evidence we have we could do... if we had a legal team

none of this happened to me since i use firefox with noscript
not quite an owned, but almost there :)

also use gmail which would have stopped the email if it ever even was sent to me muahaha
probably was a script kiddie, i mean if this guy was good he would have done alot more than this

arrg the gits.....on the nicer side of things at least it shows you that our beloved neowin is quite popular :P if it wasn't they wouldn't have bothered.

hats off to the admins for clearing it up as soon as it was discovered.


Remember everyone, it's always good to change your password every so often (preferably every 90 days). Right now is a good time to do this to make sure no one has access to your account!

And remember to make your password harder to crack... use a number, special char or character casing to make it less prone to a dictionary attack

neufuse said,
Remember everyone, it's always good to change your password every so often (preferably every 90 days). Right now is a good time to do this to make sure no one has access to your account!

And remember to make your password harder to crack... use a number, special char or character casing to make it less prone to a dictionary attack

Are passwords here stored in cleartext? :blink:
Or is it comparing hashes?

markjensen said,
Are passwords here stored in cleartext? :blink:
Or is it comparing hashes?

I'd sure hope hashes... but hashes are susceptible to dictionary attacks also!

neufuse said,

I'd sure hope hashes... but hashes are susceptible to dictionary attacks also!


Invision Power Board (which is used here) MD5's your passwords.

i have to agree with you here... better safe than sorry.

i would recommend something like "Password Safe" to store (and generate random) passwords (free and open source i believe)

cause with the random generation of long passwords it's highly unlikely someone would ever guess it (assuming the site don't get hacked etc)

Chris UK said,


Invision Power Board (which is used here) MD5's your passwords.

md5(md5(salt).md5(password))

Salted MD5's to be exact... the passwords are pretty secure and given how many members there are... I can't see them brute forcing everyone's pass's.

In all honesty, changing your password right now would be foolish... who knows what alterations have been made to the board. I would wait until the staff have checked, double checked and rechecked again that there is no evidence to suggest foul play with any of the board scripts... then, maybe, change the password.
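The scheme quoted in this post, md5(md5(salt).md5(password)), is easy to work through in code, and doing so shows exactly what the salt buys: two users with the same password get different hashes, so one precomputed table no longer covers the whole member list, but a per-account run through a list of weak passwords stays cheap because MD5 is fast and the salt sits beside the hash. The block below is an added example written in Python, not Invision Power Board's code. The five-character salt length, the weak-password list, the sample salts and the random-password generator (the Password Safe style approach suggested further up the thread) are assumptions constructed for the demo.

```python
"""Salted MD5 as described in the thread, and what the salt does and does not buy you.

Added example, not Invision Power Board's own code. The scheme
md5(md5(salt) . md5(password)) is taken from the comment above; the salt
length, the wordlist and the sample credentials are constructed for the demo.
"""
import hashlib
import hmac
import secrets
import string
from typing import Iterable, Optional

SALT_ALPHABET = string.ascii_letters + string.digits


def md5_hex(text: str) -> str:
    """Hex MD5 of a UTF-8 string, matching what PHP's md5() returns for the same bytes."""
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def ipb_hash(password: str, salt: str) -> str:
    """md5(md5(salt) . md5(password)); '.' is PHP string concatenation."""
    return md5_hex(md5_hex(salt) + md5_hex(password))


def new_salt(length: int = 5) -> str:
    """Per-user random salt (the 5-character length is an assumption for this demo)."""
    return "".join(secrets.choice(SALT_ALPHABET) for _ in range(length))


def verify(password: str, salt: str, stored_hash: str) -> bool:
    """Constant-time comparison of the recomputed hash with the stored one."""
    return hmac.compare_digest(ipb_hash(password, salt), stored_hash)


def dictionary_check(stored_hash: str, salt: str, wordlist: Iterable[str]) -> Optional[str]:
    """Defender-side audit: is this account's password in a known-weak list?

    The salt is stored beside the hash, so this loop costs one MD5 per
    candidate; the salt only defeats shared precomputed tables, not a
    per-account dictionary run. Returns the matching word or None.
    """
    for word in wordlist:
        if ipb_hash(word, salt) == stored_hash:
            return word
    return None


def random_password(length: int = 16) -> str:
    """Password-manager style generation, as Password Safe would do."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


# Constructed demo data: a short weak-password list and two fixed salts.
WEAK_WORDLIST = ["123456", "password", "qwerty", "letmein", "password123", "neowin"]
SALT_A, SALT_B = "a1b2c", "z9y8x"


def demo() -> dict:
    """Two members share a weak password; one member uses a generated one."""
    weak_a = ipb_hash("password123", SALT_A)
    weak_b = ipb_hash("password123", SALT_B)
    strong_pw = random_password()
    strong_a = ipb_hash(strong_pw, SALT_A)
    return {
        "salts_differ_hashes": weak_a != weak_b,          # same password, different stored hash
        "weak_found": dictionary_check(weak_a, SALT_A, WEAK_WORDLIST),
        "strong_found": dictionary_check(strong_a, SALT_A, WEAK_WORDLIST),
        "verify_ok": verify(strong_pw, SALT_A, strong_a),
    }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` reports that the two members' hashes differ despite the identical password, that the weak password is recovered from the list on the first pass, and that the generated password is not; the audit loop is the same work an attacker with a copy of the table would do, which is why the thread's advice to pick long random passwords holds even with a salt in place.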

neufuse said,

mmmmmmm salted hash *drools like homer*


They don't have to crack the hash to get into your account, all they would do is simply spoof their cookies with your hash.

Not sure what the exact figure is but it's probably around a few trillion combinations with a salt. And by the time you tried a few hundred (if cookies are disabled to get around the forum login limit) I'm sure the IT team would notice and you'd be blocked from the server

jmc777 said,
What happened?

Installed crap load of spyware, changed the home page of IE to pornograb.com, added a lot of phishing sites to the HOST files etc etc.

Emon said,
Installed crap load of spyware, changed the home page of IE to pornograb.com, added a lot of phishing sites to the HOST files etc etc.

It will ease your browsing our site and forum.

Emon said,

Installed crap load of spyware, changed the home page of IE to pornograb.com, added a lot of phishing sites to the HOST files etc etc.


And how is that different or "interesting" given that pretty much every other trojan does the same thing?

Does this mean I should brace for more spam than I already get or was the bulk-mailing done through the server?

:Here is where the "hacker" lives:

That link should be renamed because that's -not- where he lives. Probably the surrounding area but definitely not THERE. Just put your IP address in there and you'll see that it's far off from your house.

How can you guys be sure that's him? He could have used someone's infected PC to redirect the attack, no?

xplatinum said,
:Here is where the "hacker" lives:

That link should be renamed because that's -not- where he lives. Probably the surrounding area but definitely not THERE. Just put your IP address in there and you'll see that it's far off from your house.

How can you guys be sure that's him? I could have used someone's infected PC to redirect the attack, no?


Wait, so you're saying you could have used anyone's PC. lol

This morning I got an email from Neowin, but it was to an old name I don't use anymore.. I know it's just a coincidence, but it's weird as I have never received any email from Neowin before. This email had no attachment.

quite true...in fact that could be as far as 40 miles or more from where he's from...I tried my IP address on that site, and it listed it as somewhere in Oakland, California, which is about 35 miles from my actual house.

see the link where he lives?
IP Address state: Kyyivs'ka Oblast'
it looks like his house was o-blasted away! is that a concrete park?

littleneutrino said,
wait a minute, we have a neowin mafia, why aren't they hunting down this criminal and giving them a set of cement shoes.

Or, to quote them -

"You annoya meeya, you getta concrete bootsa and go for a swim in the lake"

I want to go to Ukraine, sit near to there, and baseball bat the first person to go on neowin over there.

perhaps we should just do a simple network monitor and when the attack happens send out information on the IRC and we can hack them back... or at least just shut them down... we might even be able to find information about them and turn them in or something.

Hmm...I wonder if these are the very same people who attacked the msghelp IRC network today...they were in the same general location that your IP resolves...could be a coincidence...Similar Characteristics...Did they happen to leave anything like "xp b0tnet VulcanIzate" or anything like that anywhere :-P?

Looks like someone's trying to collect comps, maybe for a botnet, and they have targeted neowin because of the high traffic. maybe neowin should apply Mod_Security with some decent rulesets too, i never saw the last attack but going by the previous attack, they seem pretty skiddish.

Nienor said,
"Nuclear Launch Detected"

Good job softening them up. My Dark Archons will take care of the rest.

En Taro Adun, you hacky bastitch.

kidd0 anyone?

should we see what info we can find on this person the same as they did back in the day of kidd0 :shift:

Hehehe, it's nowhere near as bad as kidd0's ddos. And it's not like any neowin member would fall for such a joke. "It will ease your browsing our site and forum. Please download and install it." Un-hun.

Vandals, virtual or not, are prats to the core...

other than email addresses, what other info could have gotten out? do we need to worry about any personal info??

Zhivago said,
The forums still remain affected somehow.
I just think that the staff hasn't gotten around to that part yet. They are probably cleaning and checking what they can and brought the main page up. I trust forums will be back as soon as possible.

91.124.59.75 sent the bulk email out and that resolves to: 75-59-124-91.pool.ukrtel.net who is responsible for all of this.

I hope you can get it resolved by having a legal team contact abuse@ukrtel.net.

You should hopefully have a pretty good approximation of the time when this happened, and with this information along with the IP address, the ISP should hopefully be able to pinpoint the specific user account that was logged on with the IP at the time. Just because the user was malicious will hopefully not mean that the ISP won't act professionally here. I doubt an ISP would like their image tainted like this too, and they're often helpful in these matters.

Since the ".pool." part is there, it sounds like a modem pool with dynamic IP's, possibly something like DSL. But that won't help him much if you know IP + time and the ISP is helpful.

Edit: You can also try contacting Ukrtelecom's domain registrar Alexander Remiga at aremiga@ukrtel.net in hopes of getting in contact with a human there. More info here: https://codebeamer.com/cb/whois.do;jsession...pool.ukrtel.net

seamer said,

Fecal matter? Oh my, your vocabulary is huge. Here's a reminder to change the day on your calendar's "new word for today" setting.

What the poster meant was, fighting with fire with fire isn't smart. An eye for an eye. Two wrongs don't make a right. Ping the guy for what he did and he'll do something else to retaliate.

<snipped>

We got some virus alert 2 days back..and we informed to this forum too...i think it came from the ads..
You neowin's stop those suckers coming in again!!

...honestly. A sniper? Are you some kind of psycho?

And Neowin - are you a bunch of two year olds? 'Outing' the hacker may scare him/her/them but if you have the wrong person by some accident, you could be up on charges! You can't go around pointing the finger of blame in some attempt to say "look how tough I am".

Fix the problem and pretend it never happened (like Apple would do). Don't post a "we got hacked" on your front page. Does Quicktime have a popup every time you open it saying "A Ukrainian hacked me. It's that person's fault!"?

..and no, I'm not saying that they shouldn't warn us. Just don't make a big fuss about the whos and hows. Just fix it and move on.

mrmckeb said,
...honestly. A sniper? Are you some kind of psycho?

And Neowin - are you a bunch of two year olds? 'Outing' the hacker may scare him/her/them but if you have the wrong person by some accident, you could be up on charges! You can't go around pointing the finger of blame in some attempt to say "look how tough I am".

Fix the problem and pretend it never happened (like Apple would do). Don't post a "we got hacked" on your front page. Does Quicktime have a popup every time you open it saying "A Ukrainian hacked me. It's that person's fault!"?

..and no, I'm not saying that they shouldn't warn us. Just don't make a big fuss about the whos and hows. Just fix it and move on.

That's cuz apple is part of the....oh wrong forum/dont wanna flame bait...but apple forces you to install quicktime with itunes, that's a problem in itself right there...but anyways, you're right....acting like a bunch of kids and making comments about the character of the person that did this isn't being "the bigger man". fix the problem, try to pursue legal action against those/he who did this, and move on with life...life is way too short to be acting like a child all the time

Sadly, there's nothing the authorities can do to assist the owners/administrators of this website.

It is an awful act of vandalism and whoever did will never be brought to justice, unfortunately.

I also want to thank the admins for acting professionally and for bringing the website back as soon as they could.

Disavowed said,
So saying 'You suck whoever you are' will really endear yourself to whomever did this. Nice work.

Actually, if your reaction is that - I'd say that you were the one who hacked the computer; to say anything less than the individual is a 'scum sucking roach' makes you either the one or working in concert with the person who attacked the site.

kaiwai said,

Actually, if your reaction is that - I'd say that you were the one who hacked the computer; to say anything less than the individual is a 'scum sucking roach' makes you either the one or working in concert with the person who attacked the site.

saying 'you suck whoever you are' is rather immature if you ask me, and yeah it's not going to make them stop, more likely they will just hack it again. sites get hacked all the time, get over it

kaiwai said,
Actually, if your reaction is that - I'd say that you were the one who hacked the computer; to say anything less than the individual is a 'scum sucking roach' makes you either the one or working in concert with the person who attacked the site.

Wow, you should work for the Police force.

Idiot.

CelticWhisper said,
Best of luck getting this resolved quickly. Please keep us posted as you figure it out.
Agreed!

I don't like going without my Neowin fix. I get the shakes something fierce! :P


EDIT: Is it wise to include the address (even if not clickable) to the malicious software? I mean, I can't get it to run under wine, but others may be able to execute it.