Joan,

If you'll send the site names to me privately, I'll check on them.

Sherri

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Joan Asche
Sent: Monday, October 26, 2009 6:08 AM
To: [email protected]
Subject: [STATE-COORD] Sites on theusgenweb.org

My two sites on http://theusgenweb.org went down yesterday and have not returned. Where are they? For some time the national page was down too but I see that it's been restored.

J. Asche

403 Error - Forbidden
You have recieved this message because the resource you have requested is not accessable by the webserver due to file permissions or other locking conditions. Please verify that you have access rights to the requested resource or that the Apache daemon has access rights to the requested resource before trying again.

-------------------------------
To unsubscribe from the list, please send an email to [email protected] with the word 'unsubscribe' without the quotes in the subject and the body of the message
My two sites on http://theusgenweb.org went down yesterday and have not returned. Where are they? For some time the national page was down too but I see that it's been restored.

J. Asche

403 Error - Forbidden
You have recieved this message because the resource you have requested is not accessable by the webserver due to file permissions or other locking conditions. Please verify that you have access rights to the requested resource or that the Apache daemon has access rights to the requested resource before trying again.
Jan,

The CP was moved to my account in IX in September (not sure on the day). The files were clean at that time and the files I uploaded came from old backups that are on DVDs. We were reinfected around 24 hours after theUSGenWeb.org site.

I've been conferring with Sherri most of the evening & we have found php files in the images directories and image files somehow infected. I assume those weren't found when they did the clean. I'm going through folder by folder and checking for things that don't belong there. I've even found .html files that I didn't put there. I sent Sherri a list of IP addresses that have accessed our account.

I'm guessing what we have is some hacker that got in and left like a time release "something" that modifies something every few hours or so. You think you have it clean and whap. I'm finding it in php files (btw I just hadn't deleted them but I'm using an outside source that's just a link for signups and things) and in my cgi files.

I thank my husband for making me paranoid. I make backups once a week. Have them all over the place so I can look at file sizes and such.

Sorry for the long message but I'm hoping we have this sorted out and can get back to normal soon. Too bad we can't focus the hackers into helping us instead of creating havoc.

Hope you all have a great week,
Maggie

----- Original Message -----
From: "Sherri" <[email protected]>
To: <[email protected]>
Sent: Sunday, October 25, 2009 6:53 PM
Subject: Re: [STATE-COORD] REINFECTION

Jan,

Password access to sites on the same account with theusgenweb.org and usgenweb.org was removed late on 21 October. I'm not sure when Maggie moved her site, but she most likely moved infected files - or maybe her backup was infected. As I've been going through folders, I'd not paid any attention to any of the files from Maggie's Census Project because she'd told me she'd moved her site. I did take a quick look at some of her files that remained on theusgenweb.org server and they contained some of the code that I've found in files from other sites. Since I have no idea what she was finding, I don't know if it was the same or not as what we've found.

Sherri

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Jan Cortez
Sent: Sunday, October 25, 2009 5:25 PM
To: [email protected]
Subject: Re: [STATE-COORD] REINFECTION

Joy,

If what you are saying here is correct, that *we are the problem*, how is it that the Census Project, which was just announced on that list, has now been hacked and we haven't had pw access in about ten days? I find it hard to believe that *we* can infect something that we don't have access to.

Jan

----- Original Message -----
From: "Joy Fisher" <[email protected]>

Not quite true, Jan.

We are the problem, not IX. If you move infected files to another server, you are just infecting another server.

Someone (or maybe many someones) has a trojan on his/her personal computer which is transmitting to the hacker the userid and pw when he/she uploads files. New userids and pws can be reissued ad infinitum, but until the underlying problem is found and cleaned, you will be bailing out a leaky row boat.

--- On Wed, 10/21/09, Jan Cortez <[email protected]> wrote:

> From: Jan Cortez <[email protected]>
> Subject: Re: [STATE-COORD] REINFECTION
> To: [email protected]
> Date: Wednesday, October 21, 2009, 1:43 PM
>
> I think the best solution is to get off their server. I've already moved both of my sites and know of quite a few others that are going as well. All I want is a pw for now for a redirect, so it won't be long that the only one there will be the National website holding the bag. <sigh> They can talk all they want about other hosts, but, I'm not seeing it. All I keep seeing is IX Web Hosting. Same problem, same server, over and over and that sure tells me something.
>
> Something rotten there.
>
> Jan
>
> ----- Original Message -----
> From: <[email protected]>
>
> > Might not be part of the solution, just throwing out something I found. If you hate technical reading then delete this now.
> >
> > For those that know about servers and programming, I found a technical article that was interesting.
> > Run a google search on
> > CGI Vulnerabilities
> > First link should be a four page article by Aleksandar Stancin - for Help Net Security
> >
> > Page 3 had "By using a cgi scanner you can safely find out by yourself for any insecure CGI's on your system."
> >
> > Back to page 2, "In order for an attacker to find an vulnerable CGI, all he has to do is to connect to port 80 and repeatedly send a GET request to CGI's on the server or suspecting they are on the server. Simply by checking your logs for repeated GET requests from a single remote host resulting in a 404, the 'file not found' error can give you an idea that something wicked is going on. As time passes, that same attacker may come up with an unsecure CGI on your system. If that is the case, he'll most probably try to exploit the vulnerability."
> >
> > Maybe something the hosting companies need to glance at.
> > Michael Andrews, ASC Minnesota
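Added example, not part of the original thread or of the article it quotes: one way to run the log check described in the quoted article, flagging a single remote host that sends repeated GET requests for CGI paths ending in 404, and listing any CGI path the same host was later served. The function name, the threshold and window values, the rule for what counts as a CGI path, and the sample log lines are all assumptions made for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache common/combined log line: host ident user [time] "request" status size
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)
# Assumption: CGI programs live under /cgi-bin/ or end in .cgi / .pl
CGI_RE = re.compile(r"^/cgi-bin/|\.(?:cgi|pl)(?:\?|$)", re.IGNORECASE)

# Constructed sample log (documentation-range addresses, made-up paths).
SAMPLE_LOG = """\
198.51.100.7 - - [20/Oct/2009:09:14:02 -0500] "GET /index.html HTTP/1.1" 200 5120
198.51.100.7 - - [20/Oct/2009:09:14:40 -0500] "GET /old-page.html HTTP/1.1" 404 210
198.51.100.7 - - [20/Oct/2009:09:14:55 -0500] "GET /cgi-bin/guestbook.cgi HTTP/1.1" 200 900
203.0.113.50 - - [20/Oct/2009:09:15:01 -0500] "GET /cgi-bin/sample-a.cgi HTTP/1.0" 404 208
203.0.113.50 - - [20/Oct/2009:09:15:02 -0500] "GET /cgi-bin/sample-b.cgi HTTP/1.0" 404 208
203.0.113.50 - - [20/Oct/2009:09:15:03 -0500] "GET /cgi-bin/sample-c.pl HTTP/1.0" 404 208
203.0.113.50 - - [20/Oct/2009:09:15:04 -0500] "GET /scripts/sample-d.cgi HTTP/1.0" 404 208
203.0.113.50 - - [20/Oct/2009:09:15:05 -0500] "GET /cgi-bin/sample-e.cgi HTTP/1.0" 404 208
203.0.113.50 - - [20/Oct/2009:09:15:06 -0500] "GET /cgi-bin/sample-f.pl HTTP/1.0" 404 208
203.0.113.50 - - [20/Oct/2009:09:16:10 -0500] "GET /cgi-bin/guestbook.cgi HTTP/1.0" 200 900
192.0.2.10 - - [20/Oct/2009:11:00:00 -0500] "GET /cgi-bin/counter.cgi HTTP/1.1" 404 208
192.0.2.10 - - [20/Oct/2009:11:30:00 -0500] "GET /cgi-bin/counter.cgi HTTP/1.1" 404 208
not a log line
"""


def find_cgi_probers(lines, threshold=5, window=timedelta(minutes=10)):
    """Return {host: summary} for hosts with >= threshold CGI 404s inside one window."""
    probes = defaultdict(list)  # host -> [(time, path)] for GET + 404 on a CGI path
    served = defaultdict(list)  # host -> [(time, path)] for CGI requests answered 2xx
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not CGI_RE.search(m["path"]):
            continue  # unparseable line, or not a CGI request
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        status = int(m["status"])
        if m["method"] == "GET" and status == 404:
            probes[m["host"]].append((ts, m["path"]))
        elif 200 <= status < 300:
            served[m["host"]].append((ts, m["path"]))

    report = {}
    for host, events in probes.items():
        events.sort()
        # Sliding window: the largest number of CGI 404s inside any `window` span.
        best, start = 0, 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            best = max(best, end - start + 1)
        if best < threshold:
            continue
        first_probe = events[0][0]
        report[host] = {
            "probes": len(events),
            "max_in_window": best,
            "distinct_paths": len({path for _, path in events}),
            # Scripts this host reached after it started probing: review these first.
            "served_after_probing": sorted(
                {path for ts, path in served[host] if ts > first_probe}
            ),
        }
    return report


if __name__ == "__main__":
    for host, summary in find_cgi_probers(SAMPLE_LOG.splitlines()).items():
        print(host, summary)
```

The `served_after_probing` list is the part to act on: it names the scripts a flagged host actually reached, which are the ones to inspect or remove.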
*************************** Please Forward to Applicable Project Lists *******************************

I wanted to give everyone an update on the sites that are hosted at theusgenweb.org or MTGenWeb, WIGenWeb, SDGenWeb - Hopefully I've not missed any.

Due to the latest infection, ftp access was removed from all websites hosted on the above domains late evening on the 21st of October. We chose to take this course so that we could determine where the infected files were coming from. With only a couple of us changing files, it has made it easy to see what other IP addresses have been gaining access to the server account. By shutting down ftp access, it appears that we contained the infection, thank goodness. We want to be sure of that, though, so until we can make our way through everything one more time, no passwords will be issued.

I realize that many of you are chomping at the bit to get back to working on your sites. We will get you back to them as soon as we can. In the meantime, you should know that we're removing scripts and php from sites that don't use them. If you use php or any script that is loaded on the server, you'll need to let me know and it will be reinstalled for your site. This step is being taken because most of the infections are using either cgi scripts or php - and we want to curtail any opportunity for infection of our/your sites.

Any sites that are not being used are also being deleted. Again, this is so that we don't give the hackers easy places to hide his/her files. If we delete a site and you decide you want to host your site on theusgenweb.org, let me know and we'll rebuild it. We don't want to prevent anyone from hosting their site on this account, we just want to tighten things up.

Thanks for your patience as we continue to work through these issues. Again, I'd love to turn everyone loose to work on your sites, but need to be sure that we've got clean sites for our visitors and researchers, much less ourselves.

Sherri Bradley
National Coordinator
USGenWeb Project
Information about the USGenWeb Project at http://usgenweb.org
Advisory Board Agenda http://usgenweb.org/agenda2.php
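Added example, not part of the original thread: a sketch of the folder-by-folder check the messages above describe (script files in image directories, image files carrying script content, files that were never uploaded, and file sizes compared against a backup). The function names, the list of image directory names, the backup manifest format and the sample site tree are assumptions made for illustration.

```python
import tempfile
from pathlib import Path

SCRIPT_EXT = {".php", ".cgi", ".pl"}
IMAGE_DIRS = {"images", "image", "img", "graphics"}  # assumed directory names
IMAGE_MAGIC = {  # leading bytes a real image of each type starts with
    ".gif": (b"GIF87a", b"GIF89a"),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
}
SCRIPT_MARKERS = (b"<?php", b"<script")


def audit_site(root, backup_sizes):
    """Compare a site tree with a backup manifest {relative path: size in bytes}.

    Returns {relative path: [reasons]} for every file that needs a closer look.
    """
    root = Path(root)
    findings = {}

    def flag(rel, reason):
        findings.setdefault(rel, []).append(reason)

    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel_path = path.relative_to(root)
        rel, ext = rel_path.as_posix(), path.suffix.lower()
        # 1. Scripts have no business inside an image directory.
        if ext in SCRIPT_EXT and any(p.lower() in IMAGE_DIRS for p in rel_path.parts[:-1]):
            flag(rel, "script file inside an image directory")
        # 2. An "image" must start with an image header and carry no script markup.
        if ext in IMAGE_MAGIC:
            data = path.read_bytes()
            if not data.startswith(IMAGE_MAGIC[ext]):
                flag(rel, "image extension without an image header")
            if any(marker in data.lower() for marker in SCRIPT_MARKERS):
                flag(rel, "image file contains script markup")
        # 3. Anything new or resized since the known-good backup.
        size = path.stat().st_size
        if rel not in backup_sizes:
            flag(rel, "not present in the backup")
        elif backup_sizes[rel] != size:
            flag(rel, f"size changed since backup ({backup_sizes[rel]} -> {size} bytes)")
    return findings


def demo():
    """Build a constructed site tree with inert placeholder content and audit it."""
    clean = {
        "index.html": b"<html>county page</html>",
        "images/logo.gif": b"GIF89a" + bytes(20),
        "images/banner.gif": b"GIF89a" + bytes(20),
    }
    backup_sizes = {rel: len(data) for rel, data in clean.items()}
    current = dict(clean)
    current["images/banner.gif"] += b"<?php /* inert placeholder */ ?>"
    current["images/thumbs.php"] = b"<?php /* inert placeholder */ ?>"
    current["extra.html"] = b"<html>not uploaded by the site owner</html>"
    with tempfile.TemporaryDirectory() as tmp:
        for rel, data in current.items():
            target = Path(tmp) / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(data)
        return audit_site(tmp, backup_sizes)


if __name__ == "__main__":
    for rel, reasons in sorted(demo().items()):
        print(rel, "->", "; ".join(reasons))
```

A size match is only a quick first pass; a manifest of file hashes taken from the known-good backup would also catch a file replaced by one of the same length.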
Jan,

Some passwords had been reissued before the infection on the 19th. I did not make it through the entire list sending out the new ones before the reinfection. Late on the 21st, all ftp access was disabled, whether you'd received a new password or not. This has allowed us to control access, which we were unable to do before, obviously.

Sherri

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Jan Cortez
Sent: Sunday, October 25, 2009 8:08 PM
To: [email protected]
Subject: Re: [STATE-COORD] REINFECTION

PW access to the sites was removed on the 15th of this month and no further pw's have ever been forthcoming. This was the day I reported the start of this last bit again. That was 11 days ago.

Here is a snip from your email that evening:

----- Original Message -----
From: "Sherri" <[email protected]>
Sent: Thursday, October 15, 2009 7:30 PM
Subject: [USGENWEB-DISCUSS] Hacker Attack (Again)

> ********************* Please forward to all Project Lists **********************************
>
> All sites that are hosted on theusgenweb.org server will have the passwords changed before you can log in again. I'll be starting on this immediately so that the downtime will be minimized as much as possible.
Ah - I finally get it - it's hopeless and will never be cleared up.

----- Original Message -----
From: "Joy Fisher" <[email protected]>

Jan:

There is an infected file somewhere. What the scammer/hacker does is take a common file (like the USGW logo, for example) and put their virus in there. Then every time someone accesses the web site, their browser triggers a re-infection. You do not have to have the hacker come back and re-infect the account. The infected trigger file must be found and removed.

This is akin to you brushing your teeth every night while having a cold. Then getting re-infected if you do not replace your toothbrush. You do not have to catch the cold from someone else, you are your own worst enemy.
PW access to the sites was removed on the 15th of this month and no further pw's have ever been forthcoming. This was the day I reported the start of this last bit again. That was 11 days ago.

Here is a snip from your email that evening:

----- Original Message -----
From: "Sherri" <[email protected]>
Sent: Thursday, October 15, 2009 7:30 PM
Subject: [USGENWEB-DISCUSS] Hacker Attack (Again)

> ********************* Please forward to all Project Lists **********************************
>
> All sites that are hosted on theusgenweb.org server will have the passwords changed before you can log in again. I'll be starting on this immediately so that the downtime will be minimized as much as possible.

----- Original Message -----
From: "Sherri" <[email protected]>

> Jan,
>
> Password access to sites on the same account with theusgenweb.org and usgenweb.org was removed late on 21 October. I'm not sure when Maggie moved her site, but she most likely moved infected files - or maybe her backup was infected. As I've been going through folders, I'd not paid any attention to any of the files from Maggie's Census Project because she'd told me she'd moved her site. I did take a quick look at some of her files that remained on theusgenweb.org server and they contained some of the code that I've found in files from other sites. Since I have no idea what she was finding, I don't know if it was the same or not as what we've found.
On Yahoo Answers, plenty look for free anti-virus software every single day. I have tried to help on computer problems for about 6 months now. You can search for questions with Free Virus and see 1000s of questions on it.

These two seem to be fairly popular among the geeks.
http://free.avg.com/
http://www.malwarebytes.org/

Next is not anti-virus. Another free one is CCleaner.
http://www.ccleaner.com/
CCleaner has a registry feature. One problem I had with it was disabling my Java so I had to reinstall. The registry cleaner still whines about Java but I ignore it.

I spent $40 at McAfee for a 3 license deal.

Michael Andrews, ASC Minnesota
Jan,

Password access to sites on the same account with theusgenweb.org and usgenweb.org was removed late on 21 October. I'm not sure when Maggie moved her site, but she most likely moved infected files - or maybe her backup was infected. As I've been going through folders, I'd not paid any attention to any of the files from Maggie's Census Project because she'd told me she'd moved her site. I did take a quick look at some of her files that remained on theusgenweb.org server and they contained some of the code that I've found in files from other sites. Since I have no idea what she was finding, I don't know if it was the same or not as what we've found.

Sherri

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Jan Cortez
Sent: Sunday, October 25, 2009 5:25 PM
To: [email protected]
Subject: Re: [STATE-COORD] REINFECTION

Joy,

If what you are saying here is correct, that *we are the problem*, how is it that the Census Project, which was just announced on that list, has now been hacked and we haven't had pw access in about ten days? I find it hard to believe that *we* can infect something that we don't have access to.

Jan
Add Super Anti-Spyware

http://www.superantispyware.com/

--- On Sun, 10/25/09, [email protected] <[email protected]> wrote:

> From: [email protected] <[email protected]>
> Subject: [STATE-COORD] Free anti-virus software
> To: [email protected]
> Date: Sunday, October 25, 2009, 5:02 PM
>
> On Yahoo Answers, plenty look for free anti-virus software every single day. I have tried to help on computer problems for about 6 months now. You can search for questions with Free Virus and see 1000s of questions on it.
>
> These two seem to be fairly popular among the geeks.
> http://free.avg.com/
> http://www.malwarebytes.org/
>
> Next is not anti-virus. Another free one is CCleaner.
> http://www.ccleaner.com/
> CCleaner has a registry feature. One problem I had with it was disabling my Java so I had to reinstall. The registry cleaner still whines about Java but I ignore it.
>
> I spent $40 at McAfee for a 3 license deal.
>
> Michael Andrews, ASC Minnesota
Jan:

There is an infected file somewhere. What the scammer/hacker does is take a common file (like the USGW logo, for example) and put their virus in there. Then every time someone accesses the web site, their browser triggers a re-infection. You do not have to have the hacker come back and re-infect the account. The infected trigger file must be found and removed.

This is akin to you brushing your teeth every night while having a cold. Then getting re-infected if you do not replace your toothbrush. You do not have to catch the cold from someone else, you are your own worst enemy.

--- On Sun, 10/25/09, Jan Cortez <[email protected]> wrote:

> From: Jan Cortez <[email protected]>
> Subject: Re: [STATE-COORD] REINFECTION
> To: [email protected]
> Date: Sunday, October 25, 2009, 5:07 PM
>
> PW access to the sites was removed on the 15th of this month and no further pw's have ever been forthcoming. This was the day I reported the start of this last bit again. That was 11 days ago.
>
> Here is a snip from your email that evening:
>
> ----- Original Message -----
> From: "Sherri" <[email protected]>
> Sent: Thursday, October 15, 2009 7:30 PM
> Subject: [USGENWEB-DISCUSS] Hacker Attack (Again)
>
> > ********************* Please forward to all Project Lists **********************************
> >
> > All sites that are hosted on theusgenweb.org server will have the passwords changed before you can log in again. I'll be starting on this immediately so that the downtime will be minimized as much as possible.
Joy,

If what you are saying here is correct, that *we are the problem*, how is it that the Census Project, which was just announced on that list, has now been hacked and we haven't had pw access in about ten days? I find it hard to believe that *we* can infect something that we don't have access to.

Jan

----- Original Message -----
From: "Joy Fisher" <[email protected]>

Not quite true, Jan.

We are the problem, not IX. If you move infected files to another server, you are just infecting another server.

Someone (or maybe many someones) has a trojan on his/her personal computer which is transmitting to the hacker the userid and pw when he/she uploads files. New userids and pws can be reissued ad infinitum, but until the underlying problem is found and cleaned, you will be bailing out a leaky row boat.
I believe Maggie moved her files some time ago. (At least she told me she was moving). I do not have access to the account either, so I cannot check to see who has gotten in or how they got in.

--- On Sun, 10/25/09, Jan Cortez <[email protected]> wrote:

> From: Jan Cortez <[email protected]>
> Subject: Re: [STATE-COORD] REINFECTION
> To: [email protected]
> Date: Sunday, October 25, 2009, 2:24 PM
>
> Joy,
>
> If what you are saying here is correct, that *we are the problem*, how is it that the Census Project, which was just announced on that list, has now been hacked and we haven't had pw access in about ten days? I find it hard to believe that *we* can infect something that we don't have access to.
>
> Jan
>
> ----- Original Message -----
> From: "Joy Fisher" <[email protected]>
>
> Not quite true, Jan.
>
> We are the problem, not IX. If you move infected files to another server, you are just infecting another server.
>
> Someone (or maybe many someones) has a trojan on his/her personal computer which is transmitting to the hacker the userid and pw when he/she uploads files. New userids and pws can be reissued ad infinitum, but until the underlying problem is found and cleaned, you will be bailing out a leaky row boat.
>
> --- On Wed, 10/21/09, Jan Cortez <[email protected]> wrote:
>
> > From: Jan Cortez <[email protected]>
> > Subject: Re: [STATE-COORD] REINFECTION
> > To: [email protected]
> > Date: Wednesday, October 21, 2009, 1:43 PM
> >
> > I think the best solution is to get off their server. I've already moved both of my sites and know of quite a few others that are going as well. All I want is a pw for now for a redirect, so it won't be long that the only one there will be the National website holding the bag. <sigh> They can talk all they want about other hosts, but, I'm not seeing it. All I keep seeing is IX Web Hosting. Same problem, same server, over and over and that sure tells me something.
> >
> > Something rotten there.
> >
> > Jan
> >
> > ----- Original Message -----
> > From: <[email protected]>
> >
> > > Might not be part of the solution, just throwing out something I found. If you hate technical reading then delete this now.
> > >
> > > For those that know about servers and programming, I found a technical article that was interesting.
> > > Run a google search on
> > > CGI Vulnerabilities
> > > First link should be a four page article by Aleksandar Stancin - for Help Net Security
> > >
> > > Page 3 had "By using a cgi scanner you can safely find out by yourself for any insecure CGI's on your system."
> > >
> > > Back to page 2, "In order for an attacker to find an vulnerable CGI, all he has to do is to connect to port 80 and repeatedly send a GET request to CGI's on the server or suspecting they are on the server. Simply by checking your logs for repeated GET requests from a single remote host resulting in a 404, the 'file not found' error can give you an idea that something wicked is going on. As time passes, that same attacker may come up with an unsecure CGI on your system. If that is the case, he'll most probably try to exploit the vulnerability."
> > >
> > > Maybe something the hosting companies need to glance at.
> > > Michael Andrews, ASC Minnesota
Just a suggestion but one way to find out, only allow five people at a time to ftp anything. If reinfection occurs you can then take them one by one to find the victim.

Sharon A. Craig
Hamilton Co. InGenWeb Coordinator
Assistant In GenWeb State Coordinator

--- On Thu, 10/22/09, Cheryl Rothwell <[email protected]> wrote:

From: Cheryl Rothwell <[email protected]>
Subject: Re: [STATE-COORD] REINFECTION
To: [email protected]
Date: Thursday, October 22, 2009, 3:40 PM

They can't clean it out if a user is reinfecting every time. You may be cleaning your computer but not everyone is. I'm willing to bet there are people out there who haven't bothered because they KNOW they aren't the problem. It could also be that the person who is doing it is not even aware of the issue, hasn't gotten the word that their computer needs to be cleaned. There's always one who isn't paying attention.
So, in other words, what you are saying is that regardless of whether I have gone thru every one of my files that was on IX and made sure they were all clean, and I have virus and malware scanned my computer numerous times, that I should leave those infected sites on IX Web Hosting, ad infinitum? Keep the patrons coming back for another dose of this same infection? To be quite honest with you four times is enough. Personally, and I am not a computer expert, I do think that there is something wrong there at IX that they can't clean this out and identify where the problem is. But, then again, what do I know?

Jan

----- Original Message -----
From: "Joy Fisher" <[email protected]>

Not quite true, Jan.

We are the problem, not IX. If you move infected files to another server, you are just infecting another server.

Someone (or maybe many someones) has a trojan on his/her personal computer which is transmitting to the hacker the userid and pw when he/she uploads files. New userids and pws can be reissued ad infinitum, but until the underlying problem is found and cleaned, you will be bailing out a leaky row boat.

--- On Wed, 10/21/09, Jan Cortez <[email protected]> wrote:

> From: Jan Cortez <[email protected]>
> Subject: Re: [STATE-COORD] REINFECTION
> To: [email protected]
> Date: Wednesday, October 21, 2009, 1:43 PM
>
> I think the best solution is to get off their server. I've already moved both of my sites and know of quite a few others that are going as well. All I want is a pw for now for a redirect, so it won't be long that the only one there will be the National website holding the bag. <sigh> They can talk all they want about other hosts, but, I'm not seeing it. All I keep seeing is IX Web Hosting. Same problem, same server, over and over and that sure tells me something.
>
> Something rotten there.
>
> Jan
>
> ----- Original Message -----
> From: <[email protected]>
>
> > Might not be part of the solution, just throwing out something I found. If you hate technical reading then delete this now.
> >
> > For those that know about servers and programming, I found a technical article that was interesting.
> > Run a google search on
> > CGI Vulnerabilities
> > First link should be a four page article by Aleksandar Stancin - for Help Net Security
> >
> > Page 3 had "By using a cgi scanner you can safely find out by yourself for any insecure CGI's on your system."
> >
> > Back to page 2, "In order for an attacker to find an vulnerable CGI, all he has to do is to connect to port 80 and repeatedly send a GET request to CGI's on the server or suspecting they are on the server. Simply by checking your logs for repeated GET requests from a single remote host resulting in a 404, the 'file not found' error can give you an idea that something wicked is going on. As time passes, that same attacker may come up with an unsecure CGI on your system. If that is the case, he'll most probably try to exploit the vulnerability."
> >
> > Maybe something the hosting companies need to glance at.
> > Michael Andrews, ASC Minnesota
Harold,

I have seen on several forums where a program on your computer will cause this alert. Here is one quote:

"I too, have had Norton Anti Virus detect the backdoor.graybird virus... on two computers no less. After pulling my hair out for several hours, scouring the internet for answers (Including Symantec), I discovered that my Webroot Spysweeper software (recently updated) was the culprit. If you have this software, uncheck the load at startup and reboot. I have not had the problem since. I subsequently removed spysweeper from my computer."

I have also seen where SpywareDoctor caused the same false positive alert. Also where PC Tools, the maker of Spyware Doctor, has posted in their FAQ section that it will cause a false positive.

Hope this is of some help.

Elaine Martin

Harold Kilmer wrote:
> I would like for a computer inter-net expert to contact me at [email protected] .
>
> Knowledge of:
>
> Backdoor Graybird Virus
>
> An intrusion attempt by 174.132.104.34 ----
>
> and more..
>
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> Harold Kilmer, NMGenWeb SC http://www.nmgenweb.us/

--
Even if the voices are not real, they have some good ideas.
They can't clean it out if a user is reinfecting every time. You may be cleaning your computer but not everyone is. I'm willing to bet there are people out there who haven't bothered because they KNOW they aren't the problem. It could also be that the person who is doing it is not even aware of the issue, hasn't gotten the word that their computer needs to be cleaned. There's always one who isn't paying attention.
I would like for a computer inter-net expert to contact me at [email protected] .

Knowledge of:

Backdoor Graybird Virus

An intrusion attempt by 174.132.104.34 ----

and more..

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Harold Kilmer, NMGenWeb SC http://www.nmgenweb.us/
Not quite true, Jan.

We are the problem, not IX. If you move infected files to another server, you are just infecting another server.

Someone (or maybe many someones) has a trojan on his/her personal computer which is transmitting to the hacker the userid and pw when he/she uploads files. New userids and pws can be reissued ad infinitum, but until the underlying problem is found and cleaned, you will be bailing out a leaky row boat.

--- On Wed, 10/21/09, Jan Cortez <[email protected]> wrote:

> From: Jan Cortez <[email protected]>
> Subject: Re: [STATE-COORD] REINFECTION
> To: [email protected]
> Date: Wednesday, October 21, 2009, 1:43 PM
>
> I think the best solution is to get off their server. I've already moved both of my sites and know of quite a few others that are going as well. All I want is a pw for now for a redirect, so it won't be long that the only one there will be the National website holding the bag. <sigh> They can talk all they want about other hosts, but, I'm not seeing it. All I keep seeing is IX Web Hosting. Same problem, same server, over and over and that sure tells me something.
>
> Something rotten there.
>
> Jan
>
> ----- Original Message -----
> From: <[email protected]>
>
> > Might not be part of the solution, just throwing out something I found. If you hate technical reading then delete this now.
> >
> > For those that know about servers and programming, I found a technical article that was interesting.
> > Run a google search on
> > CGI Vulnerabilities
> > First link should be a four page article by Aleksandar Stancin - for Help Net Security
> >
> > Page 3 had "By using a cgi scanner you can safely find out by yourself for any insecure CGI's on your system."
> >
> > Back to page 2, "In order for an attacker to find an vulnerable CGI, all he has to do is to connect to port 80 and repeatedly send a GET request to CGI's on the server or suspecting they are on the server. Simply by checking your logs for repeated GET requests from a single remote host resulting in a 404, the 'file not found' error can give you an idea that something wicked is going on. As time passes, that same attacker may come up with an unsecure CGI on your system. If that is the case, he'll most probably try to exploit the vulnerability."
> >
> > Maybe something the hosting companies need to glance at.
> > Michael Andrews, ASC Minnesota
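The log check described in the article quoted in the message above (repeated GET requests from one remote host that end in 404, followed later by a CGI that does exist), as an added example that is not part of the original thread. It assumes Apache common log format; the function name, the CGI path heuristic, the threshold and the sample lines are all constructed for illustration.

```python
import re
from collections import defaultdict

# Apache common log format (assumed): host ident user [time] "METHOD path proto" status size
LOG_RE = re.compile(r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) ')
# Assumed heuristic for "looks like a CGI request"; tune it for your own site.
CGI_HINT = re.compile(r'^/cgi-bin/|\.(cgi|pl|php)$', re.IGNORECASE)

# Constructed sample lines (documentation IP ranges), not taken from the thread.
SAMPLE_LOG = [
    '203.0.113.7 - - [20/Oct/2009:03:11:01 -0500] "GET /cgi-bin/signup.cgi HTTP/1.0" 404 209',
    '203.0.113.7 - - [20/Oct/2009:03:11:01 -0500] "GET /cgi-bin/guestbook.cgi HTTP/1.0" 404 209',
    '203.0.113.7 - - [20/Oct/2009:03:11:02 -0500] "GET /cgi-bin/counter.pl HTTP/1.0" 404 209',
    '203.0.113.7 - - [20/Oct/2009:03:11:02 -0500] "GET /cgi-bin/mail.cgi HTTP/1.0" 404 209',
    '203.0.113.7 - - [20/Oct/2009:03:11:03 -0500] "GET /cgi-bin/search.cgi?q=a HTTP/1.0" 200 512',
    '198.51.100.20 - - [20/Oct/2009:09:00:00 -0500] "GET /cgi-bin/old-signup.cgi HTTP/1.1" 404 209',
    '198.51.100.20 - - [20/Oct/2009:09:00:05 -0500] "GET /cgi-bin/old-signup.cgi HTTP/1.1" 404 209',
    '198.51.100.20 - - [20/Oct/2009:09:00:09 -0500] "GET /index.html HTTP/1.1" 200 4096',
]


def find_cgi_probers(lines, min_distinct_404=4):
    """Map each probing host to the CGI paths it missed (404) and found (200)."""
    missed, found = defaultdict(set), defaultdict(set)
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "GET":
            continue                       # skip malformed lines and non-GET requests
        path = m["path"].split("?", 1)[0]  # ignore the query string
        if not CGI_HINT.search(path):
            continue
        if m["status"] == "404":
            missed[m["host"]].add(path)
        elif m["status"] == "200":
            found[m["host"]].add(path)
    report = {}
    for host, paths in missed.items():
        # Many *different* missing scripts means guessing; one dead link hit
        # repeatedly by a normal visitor stays below the threshold.
        if len(paths) >= min_distinct_404:
            report[host] = {"missed": sorted(paths), "found": sorted(found[host])}
    return report


if __name__ == "__main__":
    for host, info in find_cgi_probers(SAMPLE_LOG).items():
        print(host, "probed", len(info["missed"]), "missing CGIs; review:", info["found"])
```

The "found" list is the part to act on: those are scripts that exist on the server and were reached by a host that was guessing at CGI names, so they are the first ones to review or remove.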
**************************** Please forward to all Project lists ********************************

Sherri Bradley
National Coordinator
USGenWeb Project
Information about the USGenWeb Project at http://usgenweb.org
Advisory Board Agenda http://usgenweb.org/agenda2.php

-----Original Message-----
From: Mike & Diane [mailto:[email protected]]
Sent: Wednesday, October 21, 2009 10:39 AM
To: Sherri Bradley
Subject: Grievance Committee Calls for Mediators and Arbitrators

Please forward to all Project lists.

The Grievance Committee chair solicits the project for volunteer mediators and arbitrators so that we might address grievances brought before the committee.

If you have a desire to be a voluntary mediator or arbitrator you are advised to read the grievance procedures: http://usgenweb.org/volunteers/standard-rules.shtml#section5

Send an email to the Grievance Chair with your desire to be a mediator and/or arbitrator.
Diane Siniard [email protected]

In the body of your email, please state your qualifications for the position and if you have had training to be either a mediator or arbitrator.

Diane Siniard
Grievance Committee Chair
NCGenWeb SC
NCGenWeb CC
NCGenWeb Special Projects
MO Special Projects