  #1  
Old 08-07-2003, 06:59 AM
Goauld
Fire Beetle
 
Join Date: Jul 2003
Posts: 27
Default TROJAN HORSE

On 28/07/03 I visited this site, spending a great deal of time here and downloaded the EQ Emu, along with various updates.

Having been busy lately, my G/F had been using the machine, but I had not made any updates to my AV for about a week.

Having just updated my definitions, I find that I'm carrying the `Backdoor Coreflood' trojan (used for DOS attacks and complete system control, as I understand). Having checked my site access for the day and checking against the creation dates for the EXE & 2 DLL's this entailed (not to mention the registry modification) I am certain that this minefield-like site is the culprit.

To the owners, I'd like to think that you might take this as a useful reminder that such a disjointed board can hide a multitude of sins.

To the casual browser, I would advise extreme caution in light of this incident.

I hope I can get a positive response from the site owners, rather than just this post being deleted for `pissing someone off'


And to the miscreant responsible for this breach, I can only suggest that you take a look outside the window, if you have one, and go find something better to do - like play with traffic on the freeway.
  #2  
Old 08-07-2003, 07:24 AM
sweet_sauce0
Fire Beetle
 
Join Date: Jun 2003
Posts: 4
Default

I don't like your tone, mr.


BARK BARK little pussie
  #3  
Old 08-07-2003, 07:45 AM
Merth
Dragon
 
Join Date: May 2003
Location: Seattle, WA
Posts: 609
Default

We get this sort of accusation from time to time. I have yet to find one with credibility, or some sort of sound argument. It always seems to be "i have a virus and i visited your site, therefore you are spreading a virus".

It's really quite simple to pinpoint whether or not the binaries you downloaded from here contain a trojan or virus: just download them again and run them through a pitbull of a virus check. That seems pretty definitive to me!

Now, I don't know about a Trojan Horse, but if we build a large wooden badger, then Lancelot, Gallahad, and I can leap out...
  #4  
Old 08-07-2003, 08:30 AM
devn00b's Avatar
devn00b
Demi-God
 
Join Date: Jan 2002
Posts: 15,658
Default

or even better (omg) look at the source code! jesus. peeps make accusations and don't even bother to look.

It's all right there for you to look at..
__________________
(Former)Senior EQEMu Developer
GuildWars Co-Founder / World Builder.
World Builder and Co-Founder Zek [PVP/Guild Wars/City Takeovers]
Member of the "I hate devn00b" Club
Most Senior EQEMu Member.

Current Work: EverQuest 2 Emulator. Zeklabs Server
  #5  
Old 08-07-2003, 09:43 AM
Goauld
Fire Beetle
 
Join Date: Jul 2003
Posts: 27
Default

Read the post before you bandy about "handbags at twenty paces" type comments. I did not claim it was in the EQ Emu app, I visited a lot of posts trying to track down info relating to the emu and at some point on one of these threads, have been misled in what has been downloaded.

TBH, at this juncture I'd like to add that although I'm sure you guys work long and hard into the night, consuming much coke and not getting enough sunlight in the name of the game, EQ Emu and my experience so far have left a somewhat bitter taste....

So I'm off fer a rinse
  #6  
Old 08-07-2003, 09:54 AM
Merth
Dragon
 
Join Date: May 2003
Location: Seattle, WA
Posts: 609
Default

At this point in the thread, my understanding is that you downloaded a trojan from somewhere on the internet.

Thanks for the heads up!
  #7  
Old 08-07-2003, 10:23 AM
Goauld
Fire Beetle
 
Join Date: Jul 2003
Posts: 27
Default

Sarcasm..........cool.......
  #8  
Old 08-07-2003, 10:41 AM
Shawn319
Demi-God
 
Join Date: Jan 2002
Posts: 2,073
Default

we should include an empty virus.cpp to scare people away.
__________________
Shawn319
Semi-Retired EQ Addict

(Retired)EQEmu Lead Tester
(Retired)EQEmu Tech Support

(Retired)Host/ServerOP - [LIVE] Official EQEmu Test Server
(Retired)Host/ServerOP - Shawn319's All-GM Dev Test Server
(Retired)ServerOP - EQEmu Beta Server
(Retired)ServerOP - GuildWars Server
(Retired)ServerOP - Raid Addicts
--------------------------
  #9  
Old 08-07-2003, 12:47 PM
Sabyre's Avatar
Sabyre
Sarnak
 
Join Date: Jun 2003
Location: Maine, USA
Posts: 88
Default

Quote:
I hope I can get a positive response from the site owners, rather than just this post being deleted for `pissing someone off'
Go home!

You are not needed here!

Ignorance shall not be tolerated.

:twisted:
__________________
.......
...
.
"We are the music makers and we are the dreamers of the dreams" - Willy Wonka
  #10  
Old 08-08-2003, 06:21 AM
Goauld
Fire Beetle
 
Join Date: Jul 2003
Posts: 27
Default

I know where the Trojan came from.

I'd advise everyone to steer clear of the EQEmu IRC channel if they wish to avoid this.

Here's a li'l link to help you out. See that `ServerOp - Forever Hacking' in Shawn319's sig? That is also the IRC Channel that the Codeflood.Backdoor connects to whenever an internet connection is established.

Call me a newb, but do not insult my intelligence. It's a lamer type trick and easy enough to remove.
  #11  
Old 08-08-2003, 06:30 AM
Merth
Dragon
 
Join Date: May 2003
Location: Seattle, WA
Posts: 609
Default

Quote:
Call me a newb, but do not insult my intelligence. It's a lamer type trick and easy enough to remove.
Please do not insult our intelligence, either. Just show us how you figured this out. What is your evidence?

If I was tracking down a trojan, I would look at what IP connections are made (netstat -a). Connecting to a specific IRC channel would not be reported by netstat because that is not IP - it's a layer above the IP layer. That leads me to believe that you are not looking in the correct place, hence the desire I have for you to provide evidence.

No need to take offense to the fact that I am asking for evidence. It happens everyday in courtrooms across the country I am from.
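An added example, not part of the original post: a sketch of the `netstat` check mentioned above, showing what the output does expose (the remote address and port of each connection, plus the owning PID with `-o`) and flagging established sessions to ports commonly used by IRC. The sample output is constructed, the port set is an assumption, and `parse_netstat` and `irc_suspects` are hypothetical helper names.

```python
import re

# Ports commonly used by IRC servers: 6667 is the traditional default and
# 6697 is IRC over TLS. Assumption: tune this set for your own network.
IRC_PORTS = set(range(6660, 6670)) | {6697, 7000}

# Constructed sample of Windows `netstat -ano` output (documentation-range IPs).
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  TCP    192.168.1.10:1047      198.51.100.7:80        ESTABLISHED     2312
  TCP    192.168.1.10:1052      203.0.113.25:6667      ESTABLISHED     1476
  TCP    192.168.1.10:1060      203.0.113.25:6667      TIME_WAIT       0
  UDP    0.0.0.0:445            *:*                                    4
"""

# proto, local addr:port, foreign addr:port, optional state, optional PID
LINE = re.compile(
    r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+):(\d+|\*)\s*([A-Z_]+)?\s*(\d+)?\s*$"
)

def parse_netstat(text):
    """Return one dict per connection row; headers and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE.match(line)
        if m is None:
            continue
        proto, laddr, lport, raddr, rport, state, pid = m.groups()
        rows.append({
            "proto": proto, "laddr": laddr, "lport": int(lport),
            "raddr": raddr, "rport": None if rport == "*" else int(rport),
            "state": state, "pid": None if pid is None else int(pid),
        })
    return rows

def irc_suspects(rows):
    """Established TCP sessions whose remote port is in IRC_PORTS."""
    return [r for r in rows
            if r["proto"] == "TCP" and r["state"] == "ESTABLISHED"
            and r["rport"] in IRC_PORTS]

if __name__ == "__main__":
    for r in irc_suspects(parse_netstat(SAMPLE)):
        print(f'PID {r["pid"]}: {r["laddr"]}:{r["lport"]} -> {r["raddr"]}:{r["rport"]}')
```

The PID column is what ties a flagged connection back to a process on disk; the channel name never appears at this level.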
  #12  
Old 08-08-2003, 10:37 AM
Goauld
Fire Beetle
 
Join Date: Jul 2003
Posts: 27
Default

It didn't take too much to track it down. If you read back, I was alerted after updating my AV definitions. Subsequently, I restarted after disabling System Restore and removed the offending dll's and exe along with the registry entry pertaining to the exe.

If you look back, you'll see that by the date of the initial post, this trojan had been on my comp for about a week.....by which time my logs have been overwritten due to a limited cache that I set. In future, you can be assured that my limits will be set higher so that this does not pass unnoticed.

Evidence? I can assure you that I pretty much spent the whole day on your site ( no others in my browser cache for the date the exe & dll appeared on my system and my memory isn't that of a stoner or goldfish....), but obviously, my current logs hold no record going back that far.

Rest assured, that I will be scouring my sys for more compelling evidence of the origins of this nuisance over the next day or two (time permitting). Obviously the word of an administrator who runs a company LAN for a living isn't good enough for you. It would seem that it is my own ill fortune that I got a little lax at home on a system that is shortly scheduled for a reinstall and lockdown.

May I enquire as to whether you guys keep server side logs on the IRC? If so, publish them raw. Personally, if someone posted a message or dropped a mail in indicating that somebody was abusing company resources I'd be duty bound to investigate on the server side, at the very least to make sure that there wasn't a server side compromise....and at best to reassure users that they weren't placing themselves at risk just by stopping by.

So far, I've seen no positive feedback or an investigation of your own logs. Just cries of "Prove it". That in itself is disturbing enough.
  #13  
Old 08-08-2003, 01:41 PM
Rofls
Fire Beetle
 
Join Date: Jul 2003
Posts: 6
Default

Not trying to say it came from your IRC channel, but I downloaded mIRC, joined your channel, then had the IRCbot.gen trojan on my computer. Coincidence? Don't think so.
  #14  
Old 08-08-2003, 01:50 PM
mattmeck
Guest
 
Posts: n/a
Default

Today I installed everything needed to run a server, play on a server, and the IRC from http://www.eqemu.com/index.php?irc .
Did this on 2 computers, one I set up to run a 4.4, the other .5. After using 3 different anti-virus programs I did not receive 1 virus.
  #15  
Old 08-08-2003, 02:07 PM
Hardy's Avatar
Hardy
Dragon
 
Join Date: Feb 2002
Location: GI, NE
Posts: 924
Default

I have uninstalled and reinstalled mIRC so many times and joined their channels, I have NEVER received anything bad from them. I think it's just your imagination.

Let's take a poll!
Who else has gotten a trojan or virus from here? *puts his hand down*
__________________
Punisher Mod
Diablo 2: LOD 1.09 and 1.10
 

