RootsWeb.com Mailing Lists
Total: 5/5
Subject: Re: [STATE-COORD] REINFECTION
From: Jan Cortez

Joy,

If what you are saying here is correct, that *we are the problem*, how is it that the Census Project, which was just announced on that list, has now been hacked and we haven't had pw access in about ten days? I find it hard to believe that *we* can infect something that we don't have access to.

Jan

----- Original Message -----
From: "Joy Fisher" <[email protected]>

Not quite true, Jan.

We are the problem, not IX. If you move infected files to another server, you are just infecting another server.

Someone (or maybe many someones) has a trojan on his/her personal computer which is transmitting to the hacker the userid and pw when he/she uploads files. New userids and pws can be reissued ad infinitum, but until the underlying problem is found and cleaned, you will be bailing out a leaky row boat.

--- On Wed, 10/21/09, Jan Cortez <[email protected]> wrote:

> From: Jan Cortez <[email protected]>
> Subject: Re: [STATE-COORD] REINFECTION
> To: [email protected]
> Date: Wednesday, October 21, 2009, 1:43 PM
>
> I think the best solution is to get off their server. I've already moved both of my sites and know of quite a few others that are going as well. All I want is a pw for now for a redirect, so it won't be long that the only one there will be the National website holding the bag. <sigh> They can talk all they want about other hosts, but, I'm not seeing it. All I keep seeing is IX Web Hosting. Same problem, same server, over and over and that sure tells me something.
>
> Something rotten there.
>
> Jan
>
> ----- Original Message -----
> From: <[email protected]>
>
> > Might not be part of the solution, just throwing out something I found. If you hate technical reading then delete this now.
> >
> > For those that know about servers and programming, I found a technical article that was interesting.
> > Run a google search on
> > CGI Vulnerabilities
> > First link should be a four page article by Aleksandar Stancin - for Help Net Security
> >
> > Page 3 had "By using a cgi scanner you can safely find out by yourself for any insecure CGI's on your system."
> >
> > Back to page 2, "In order for an attacker to find a vulnerable CGI, all he has to do is to connect to port 80 and repeatedly send a GET request to CGI's on the server or suspecting they are on the server. Simply by checking your logs for repeated GET requests from a single remote host resulting in a 404, the 'file not found' error can give you an idea that something wicked is going on. As time passes, that same attacker may come up with an insecure CGI on your system. If that is the case, he'll most probably try to exploit the vulnerability."
> >
> > Maybe something the hosting companies need to glance at.
> > Michael Andrews, ASC Minnesota
> >
> > -------------------------------
> > To unsubscribe from the list, please send an email to [email protected] with the word 'unsubscribe' without the quotes in the subject and the body of the message
>
> No virus found in this incoming message.
> Checked by AVG - www.avg.com
> Version: 8.5.423 / Virus Database: 270.14.24/2449 - Release Date: 10/20/09 18:42:00

    10/25/2009 11:24:50
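The Help Net Security passage quoted in the message above describes a detection that is easy to automate: group 404 responses by remote host and look for one client that walks a list of CGI names it is guessing at. The script below is an added example, not code from the list or from the article; it parses Apache combined-format log lines and reports any host with several distinct not-found paths, separating out the /cgi-bin/ probes and any CGI the same host did reach. The log lines are constructed for the demonstration (the addresses and script names are made up), and the threshold of three distinct 404s is an assumption to be tuned against real traffic.

```python
import re
from collections import defaultdict

# Constructed sample of Apache "combined" access-log lines (not real traffic).
# One host walks a list of well-known CGI names and gets 404 after 404; the
# other is an ordinary visitor who hits one stale link.
SAMPLE_LOG = """\
203.0.113.7 - - [21/Oct/2009:13:40:01 -0500] "GET /cgi-bin/formmail.pl HTTP/1.0" 404 211 "-" "-"
203.0.113.7 - - [21/Oct/2009:13:40:02 -0500] "GET /cgi-bin/count.cgi HTTP/1.0" 404 211 "-" "-"
198.51.100.22 - - [21/Oct/2009:13:40:02 -0500] "GET /index.html HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.7 - - [21/Oct/2009:13:40:03 -0500] "GET /cgi-bin/guestbook.cgi HTTP/1.0" 404 211 "-" "-"
203.0.113.7 - - [21/Oct/2009:13:40:03 -0500] "GET /cgi-bin/php.cgi HTTP/1.0" 404 211 "-" "-"
198.51.100.22 - - [21/Oct/2009:13:40:05 -0500] "GET /images/logo.gif HTTP/1.1" 200 844 "-" "Mozilla/5.0"
198.51.100.22 - - [21/Oct/2009:13:40:06 -0500] "GET /oldpage.html HTTP/1.1" 404 211 "-" "Mozilla/5.0"
203.0.113.7 - - [21/Oct/2009:13:40:04 -0500] "GET /cgi-bin/test-cgi HTTP/1.0" 404 211 "-" "-"
203.0.113.7 - - [21/Oct/2009:13:40:05 -0500] "GET /cgi-bin/census.cgi HTTP/1.0" 200 1733 "-" "-"
"""

# host ident user [time] "METHOD path proto" status ...
LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)


def parse_line(line):
    """Return host/time/method/path/status for one log line, or None if it does not parse."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def find_probing_hosts(log_text, min_404=3):
    """Group 404s by client and flag any client with at least min_404 distinct
    not-found paths. For each flagged host report the paths it tried under
    /cgi-bin/ and any /cgi-bin/ request that did get a 2xx, which is the
    'attacker found an insecure CGI' case the article warns about."""
    misses = defaultdict(list)  # host -> 404'd paths
    hits = defaultdict(list)    # host -> 2xx paths
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["method"] != "GET":
            continue
        if rec["status"] == 404:
            misses[rec["host"]].append(rec["path"])
        elif 200 <= rec["status"] < 300:
            hits[rec["host"]].append(rec["path"])

    report = {}
    for host, paths in misses.items():
        distinct = sorted(set(paths))
        if len(distinct) < min_404:
            continue
        report[host] = {
            "not_found": distinct,
            "cgi_probes": [p for p in distinct if p.startswith("/cgi-bin/")],
            "cgi_hits": [p for p in hits.get(host, []) if p.startswith("/cgi-bin/")],
        }
    return report


if __name__ == "__main__":
    for host, info in find_probing_hosts(SAMPLE_LOG).items():
        print(f"{host}: {len(info['not_found'])} distinct 404s, "
              f"{len(info['cgi_probes'])} of them under /cgi-bin/")
        for p in info["cgi_probes"]:
            print("   probed ", p)
        for p in info["cgi_hits"]:
            print("   reached", p)
```

On a shared host you usually only get your own account's access log, so run this over that file; a host that appears in the report with a non-empty "cgi_hits" list is the one whose later requests to that script deserve a close look.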
Subject: Re: [STATE-COORD] REINFECTION
From: Joy Fisher

I believe Maggie moved her files some time ago. (At least she told me she was moving). I do not have access to the account either, so I cannot check to see who has gotten in or how they got in.

--- On Sun, 10/25/09, Jan Cortez <[email protected]> wrote:

> From: Jan Cortez <[email protected]>
> Subject: Re: [STATE-COORD] REINFECTION
> To: [email protected]
> Date: Sunday, October 25, 2009, 2:24 PM
>
> [...]

    10/25/2009 09:00:35
Subject: Re: [STATE-COORD] REINFECTION
From: Sherri

Jan,

Password access to sites on the same account with theusgenweb.org and usgenweb.org was removed late on 21 October. I'm not sure when Maggie moved her site, but she most likely moved infected files - or maybe her backup was infected. As I've been going through folders, I'd not paid any attention to any of the files from Maggie's Census Project because she'd told me she'd moved her site. I did take a quick look at some of her files that remained on theusgenweb.org server and they contained some of the code that I've found in files from other sites. Since I have no idea what she was finding, I don't know if it was the same or not as what we've found.

Sherri

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Jan Cortez
Sent: Sunday, October 25, 2009 5:25 PM
To: [email protected]
Subject: Re: [STATE-COORD] REINFECTION

[...]

    10/25/2009 01:53:43
Subject: Re: [STATE-COORD] REINFECTION
From: Jan Cortez

PW access to the sites was removed on the 15th of this month and no further pw's have ever been forthcoming. This was the day I reported the start of this last bit again. That was 11 days ago. Here is a snip from your email that evening:

----- Original Message -----
From: "Sherri" <[email protected]>
Sent: Thursday, October 15, 2009 7:30 PM
Subject: [USGENWEB-DISCUSS] Hacker Attack (Again)

> ********************* Please forward to all Project Lists **********************************
>
>> All sites that are hosted on theusgenweb.org server will have the passwords changed before you can log in again. I'll be starting on this immediately so that the downtime will be minimized as much as possible.

----- Original Message -----
From: "Sherri" <[email protected]>

> Jan,
>
> [...]

    10/25/2009 02:07:54
Subject: Re: [STATE-COORD] REINFECTION
From: Maggie Stewart

Jan,

The CP was moved to my account in IX in September (not sure on the day). The files were clean at that time and the files I uploaded came from old backups that are on DVDs. We were reinfected around 24 hours after theUSGenWeb.org site. I've been conferring with Sherri most of the evening & we have found php files in the images directories and image files somehow infected. I assume those weren't found when they did the clean. I'm going through folder by folder and checking for things that don't belong there. I've even found .html files that I didn't put there. I sent Sherri a list of IP addresses that have accessed our account.

I'm guessing what we have is some hacker that got in and left like a time release "something" that modifies something every few hours or so. You think you have it clean and whap. I'm finding it in php files (btw I just hadn't deleted them but I'm using an outside source that's just a link for signups and things) and in my cgi files. I thank my husband for making me paranoid. I make backups once a week. Have them all over the place so I can look at file sizes and such.

Sorry for the long message but I'm hoping we have this sorted out and can get back to normal soon. Too bad we can't focus the hackers into helping us instead of creating havoc.

Hope you all have a great week,

Maggie

----- Original Message -----
From: "Sherri" <[email protected]>
To: <[email protected]>
Sent: Sunday, October 25, 2009 6:53 PM
Subject: Re: [STATE-COORD] REINFECTION

[...]

    10/25/2009 06:22:52
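Maggie's message above describes the manual version of an integrity check: walk the site folder by folder, compare against a known-clean backup by file size, and look for PHP files and stray .html files that nobody put there. Sherri's message earlier in the thread is doing the same by eye. The script below is an added example, not anything the list members posted or ran: it builds a manifest (size and SHA-256 per file) from a clean copy, diffs it against the live tree, and separately flags server-side scripts sitting under image directories. The clean and live trees, the planted thumb.php and the edited index.html are all constructed inside a temporary directory for the demonstration; the lists of script extensions and image folder names are assumptions to extend for a real site.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Assumed lists: extensions the web server would execute, and folder names
# that should only ever hold images.
SCRIPT_EXTS = {".php", ".phtml", ".cgi", ".pl", ".py", ".sh"}
IMAGE_DIR_NAMES = {"images", "img", "graphics", "pics"}


def sha256_of(path):
    """Hash a file in chunks so a large backup does not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map every regular file under root (relative POSIX path) to (size, sha256).
    Size alone, which is what a file listing shows, misses same-length edits;
    the hash catches them."""
    root = Path(root)
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            manifest[p.relative_to(root).as_posix()] = (p.stat().st_size, sha256_of(p))
    return manifest


def compare_trees(clean, current):
    """Diff a manifest from a known-clean backup against one from the live site."""
    added = sorted(set(current) - set(clean))
    removed = sorted(set(clean) - set(current))
    modified = sorted(p for p in set(clean) & set(current) if clean[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


def scripts_in_image_dirs(manifest):
    """Paths with a script extension whose directory chain includes an image folder."""
    flagged = []
    for rel in manifest:
        parts = rel.split("/")
        ext = os.path.splitext(parts[-1])[1].lower()
        if ext in SCRIPT_EXTS and any(d.lower() in IMAGE_DIR_NAMES for d in parts[:-1]):
            flagged.append(rel)
    return sorted(flagged)


def write(root, rel, data):
    p = Path(root) / rel
    p.parent.mkdir(parents=True, exist_ok=True)
    p.write_bytes(data)


def demo():
    """Constructed scenario: a clean site, then the same tree after tampering.
    Returns the tree diff and the list of scripts found under image folders."""
    with tempfile.TemporaryDirectory() as clean_dir, tempfile.TemporaryDirectory() as live_dir:
        pages = {
            "index.html": b"<html><body>Census Project</body></html>\n",
            "images/logo.gif": b"GIF89a...",  # just bytes to hash, not a real image
            "cgi-bin/signup.cgi": b"#!/usr/bin/perl\nprint 'ok';\n",
        }
        for rel, data in pages.items():
            write(clean_dir, rel, data)
            write(live_dir, rel, data)
        clean = build_manifest(clean_dir)

        # Simulated tampering on the live copy only (constructed, not observed data):
        # a script dropped into the image folder, a page edited in place, and a
        # page the site owner never created.
        write(live_dir, "images/thumb.php", b"<?php /* planted */ ?>")
        write(live_dir, "index.html", pages["index.html"] + b"<!-- injected -->\n")
        write(live_dir, "stats/about.html", b"<html>not mine</html>\n")
        current = build_manifest(live_dir)

        return compare_trees(clean, current), scripts_in_image_dirs(current)


if __name__ == "__main__":
    diff, suspicious = demo()
    for kind in ("added", "modified", "removed"):
        for rel in diff[kind]:
            print(f"{kind:9s} {rel}")
    for rel in suspicious:
        print(f"script in image dir: {rel}")
```

To use this on a real account, run build_manifest over the DVD backup once and keep that manifest somewhere the web account cannot write to, then re-run it over a fresh download of the live tree after each suspected reinfection; anything in "added" or "modified" that you did not upload yourself is the file to pull and examine, and re-running every few hours is how you catch the periodic modification Maggie describes.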