Project Perfect Mod Forums
YRArg infested?
kenosis
Commander


Joined: 19 Aug 2009
Location: Moscow State University

Posted: Sat May 24, 2014 2:23 pm    Post subject: YRArg infested?

Received a mail like this.



[attachment: 1.jpg, 73.37 KB]



_________________
Tired of grabbing my random SHP conversions? Why not learn to create SHPs for yourself?

Banshee
Supreme Banshee


Also Known As: banshee_revora (Steam)
Joined: 15 Aug 2002
Location: Brazil

Posted: Sat May 24, 2014 2:36 pm

Could you inform the IP of the sender of this email?

kenosis
Commander


Joined: 19 Aug 2009
Location: Moscow State University

Posted: Wed May 28, 2014 8:18 am

Once more. I can do nothing.



[attachment: 2.png, 19.12 KB]




Banshee
Supreme Banshee


Also Known As: banshee_revora (Steam)
Joined: 15 Aug 2002
Location: Brazil

Posted: Wed May 28, 2014 12:04 pm

What is the IP address of the creature who has sent you this email?

You can find this data by viewing the message source, which should be one of the options at the buttons above the title of the message.


We need to know if it was really sent by this server.

kenosis
Commander


Joined: 19 Aug 2009
Location: Moscow State University

Posted: Wed May 28, 2014 5:47 pm

Code:

Received: from 46.165.192.213 (unknown [46.165.192.213])
   by newmx27.qq.com (NewMx) with SMTP id
   for <moderkenosis@qq.com>; Wed, 28 May 2014 04:47:54 +0800
X-QQ-SPAM: true
X-QQ-SSF: 010000000100000001F000010000021
X-QQ-mid: usamxproxy11t1401223675t5aou0i
X-QQ-FEAT: 35lICRDxLd1mqV1DSTtFacRqql6zetkzofEmnORMuxrRsadLUIxzqh7icRnH8
   ASQhaLfwWV25VeSV6vLqBoHyO9C7oya/BId2rvcimyisGStIzIb1sRADBbvS8B0pTkrZ1eD
   EzwEMl9eqzAfZO7OaQ==
X-KK-mid:usamxproxy11t1401223675t5aou0i
Received: from yrarg by dobby.icetex-hosting.net with local (Exim 4.82)
   (envelope-from <martinoz1811@gmail.com>)
   id 1WpOHo-0000Dx-Lc
   for moderkenosis@qq.com; Tue, 27 May 2014 22:47:52 +0200
To: moderkenosis@qq.com
Subject: YR Argentina - Welcome to YR Argentina, no.1 place for Red Alert 2 and Yuri's Revenge resources. We've got the biggest collection of voxels, SHPs and other assets for modding here.: http://worldcup-jerseys.org
Date: Tue, 27 May 2014 22:47:52 +0200
From: YR Argentina <martinoz1811@gmail.com>
Reply-To: world cup soccer shop <nvqcum@gmail.com>
Message-ID: <1d88944998f88836681d55b16f5a19ea@yrarg.cncguild.net>
X-Priority: 3
X-Mailer: PHPMailer 5.2.1 (http://code.google.com/a/apache-extras.org/p/phpmailer/)
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Content-Type: text/plain; charset="utf-8"
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - dobby.icetex-hosting.net
X-AntiAbuse: Original Domain - qq.com
X-AntiAbuse: Originator/Caller UID/GID - [539 538] / [47 12]
X-AntiAbuse: Sender Address Domain - gmail.com
X-Get-Message-Sender-Via: dobby.icetex-hosting.net: authenticated_id: yrarg/only user confirmed/virtual account not confirmed

This is an enquiry email via http://yrarg.cncguild.net/ from:
world cup soccer shop <nvqcum@gmail.com>

Try These Out
world cup soccer shop http://worldcup-jerseys.org


Perhaps this is what you want? My mail provider only gives these.

Graion Dilach
Defense Minister


Joined: 22 Nov 2010
Location: Iszkaszentgyorgy, Hungary

Posted: Wed May 28, 2014 6:01 pm

Woah, that IS YRArg. Yes, that's more than enough.

_________________
"If you didn't get angry and mad and frustrated, that means you don't care about the end result, and are doing something wrong." - Greg Kroah-Hartman
=======================
Past C&C projects: Attacque Supérior (2010-2019); Valiant Shades (2019-2021)
=======================
WeiDU mods: Random Graion Tweaks | Graion's Soundsets
Maintenance: Extra Expanded Enhanced Encounters! | BGEESpawn
Contributions: EE Fixpack | Enhanced Edition Trilogy | DSotSC (Trilogy) | UB_IWD | SotSC & a lot more...

Banshee
Supreme Banshee


Also Known As: banshee_revora (Steam)
Joined: 15 Aug 2002
Location: Brazil

Posted: Wed May 28, 2014 10:33 pm

Yea, that's correct. We've updated the site software, but keep informing us if that is still happening. Sorry for any inconvenience.

Atomic_Noodles
Defense Minister


Joined: 05 Oct 2011

Posted: Mon Jun 02, 2014 7:15 am

Just got one from someone posing as Renegade telling me to buy his viagra?

_________________
~ Excelsior ~

Banshee
Supreme Banshee


Also Known As: banshee_revora (Steam)
Joined: 15 Aug 2002
Location: Brazil

Posted: Mon Jun 02, 2014 10:04 am

Is it from YR Argentina? Was it sent by 46.165.192.213 (Dobby, aka this server) like the message that Kenosis has pointed out above?

Atomic_Noodles
Defense Minister


Joined: 05 Oct 2011

Posted: Mon Jun 02, 2014 10:14 am

Yep same IP.

Code:
From YR Argentina Wed May 28 14:21:23 2014
X-Apparently-To: jrmloh@yahoo.com via 98.139.244.133; Wed, 28 May 2014 21:21:25 +0000
Return-Path: <martinoz1811@gmail.com>
Received-SPF: softfail (transitioning domain of gmail.com does not designate 46.165.192.213 as permitted sender)
 cmcuY25jZ3VpbGQubmV0LyBmcm9tOiBSZW5lZ2FkZV9UZXN0IDxub3RyZWxl
 dmFudEBleGFtcGxlLmNvbT4gT01HIGJ1eSBteSB2aWFncmEhIEFsc28gcG9z
 dCB0aGlzIHRvIFBQTS4gATABAQEB
X-YMailISG: 9VXOt7MWLDsfaXDNMIw4TCZ5vmI1Px2cbofMKnHS2KnuPQYS
 oFTrLZOLTD_hTqaa.zhz6sEIQz4kphdqhVmydhumhS9s0l6JOaPH5fgPIlq4
 oKHo7abaxOwDJIVUgOwuQXcx3oagaOdTfEvznahQiEVYmG33xZ5x13tQidaC
 wrd6evBNa5_a8EmvcR2_SuzXZ2GDkY_MNteoWzi_8MdBEGf_YDySe05.wZFJ
 kk6eTeUUODcONajyr7jePlpZVXntwnqQER0VVTZrIcxXDZE7a.Ss_wsgliCh
 nLCNevBU2XNDknTLt2D.6HTJCETZHnYry4t5hYpYEXRKnqr.Abz.Wmw65OYx
 gSYDHJ8sMJxJtRswpG7Q9HH1xnd4efnq.NTmyxVwnYbeLWOMiA4lZb81igHn
 XcQVu.nFoeS0.dkxyWW9FEAPx9Q2Ynyj.3746MzZG3Bsq5gHQKeexqe7vw9F
 QOg5UMuNvGZtWY0XLVUHYS2dcJTfc2.HV5yT3xX0gLfpKnnoRHXrrL.iYI_t
 Ue_ra85pNj5tuhqHl_y_HN0ZMNZ7L6FCOhOhVMGU9ho6_8ivDGZGYNFgvoGo
 df835kdPVMyDY0EQ96Lb0soVOPP7wkuusshTQRAs3NAzDffx_HosY0AExLqw
 lheYXDKdGRk6Mlb.xuCFPC2b96ogLKBc7yjqCWaVu._EYw5wd9uVnDF8A_W.
 Li_la3l7MtsCtmmc5LuHQwIxi9Wu9xSAaE5kmc_EnXAm5RKHIMW8CHd9hCNi
 7TozxxhHMCmNQSivnY5EbM6GF3lL7ugPjsWcJIzIiilO3Goq4x5.GiUcKzT3
 HErTwenas8OXS7IBHotmCxeoJ_po6CSGefTMSFzkWXm9x6j5vZ0EyS1xAtws
 3EypwPhyrKnKL2LpEIydX_zwHXhDIGFOD.eLIK0sqcCJyFJVLu7nW3xn0NJE
 QEzO15_p2axOFKZaDau2U61qu4RV.ex2Gvp2XI3xti_aKOjJdqbrbNR1QNk4
 MHXsibUtYuhVsLOs3kiWlz7snoEdhICQPSLtqpiY.AW.ieYMv.K9KyhhHysO
 VUY8_suKIczRqA.odEbrj5tIIll5j6pWZ3PrbyZ_oghWWNCG7b4zG7yhFuZp
 4nAtO7Grptw1Ewl2x5zvs9e.byULmoOm18LbF_E9xWfvC2Rm6Py8OT2XOvU7
 R7EDiNbj3W.ClgK.uVnNlAVgVZfwo2iYnOrl7NWXJ_W0nIQoBBCh.9jRihmc
 OnQ.2KvPJug9VmbOJA.p8zhfbWEAD.Q1j0Xxdp3F8PAJrZvXvZ8BMoCR9BY3
 yz1awXc8cgveF4Tn7l9YOvXL8gGo8C0gTNoxo_dHqyOmjl5fWlex6_YvDkph
 nvcH0oTS9fleuP6iF5gjnBsZ5J8Z4mSVeqay6mrDb3ug1OvkIA.cLIa2vw--
X-Originating-IP: [46.165.192.213]
Authentication-Results: mta1043.mail.gq1.yahoo.com  from=gmail.com; domainkeys=neutral (no sig);  from=gmail.com; dkim=neutral (no sig)
Received: from 98.139.244.133 (98.139.244.133) by 98.139.210.154(98.139.210.154); Wed, 28 May 2014 21:21:25 +0000
Received: from 127.0.0.1  (EHLO dobby.icetex-hosting.net) (46.165.192.213)
  by mta1043.mail.gq1.yahoo.com with SMTPS; Wed, 28 May 2014 21:21:25 +0000
Received: from yrarg by dobby.icetex-hosting.net with local (Exim 4.82)
   (envelope-from <martinoz1811@gmail.com>)
   id 1WplHn-0004Fi-LD
   for jrmloh@yahoo.com; Wed, 28 May 2014 23:21:23 +0200
To: jrmloh@yahoo.com
Subject: YR Argentina - Welcome to YR Argentina, no.1 place for Red Alert 2 and Yuri's Revenge resources. We've got the biggest collection of voxels, SHPs and other assets for modding here.: This is a Test
Date: Wed, 28 May 2014 23:21:23 +0200
From: YR Argentina <martinoz1811@gmail.com>
Reply-To: Renegade_Test <notrelevant@example.com>
Message-ID: <b6c1e9448096f780b9e91a02564fa244@yrarg.cncguild.net>
X-Priority: 3
X-Mailer: PHPMailer 5.2.1 (http://code.google.com/a/apache-extras.org/p/phpmailer/)
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Content-Type: text/plain; charset="utf-8"
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - dobby.icetex-hosting.net
X-AntiAbuse: Original Domain - yahoo.com
X-AntiAbuse: Originator/Caller UID/GID - [539 538] / [47 12]
X-AntiAbuse: Sender Address Domain - gmail.com
X-Get-Message-Sender-Via: dobby.icetex-hosting.net: authenticated_id: yrarg/only user confirmed/virtual account not confirmed
Content-Length: 147

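Banshee's question further up was whether these mails really came from this server, and the two header dumps (kenosis's qq.com copy and Atomic_Noodles's Yahoo copy, which also carries a Received-SPF softfail) answer it once the Received chain is read oldest-first. What follows is an added example, not code from this thread or from the YR Argentina site: a small Python analyser that walks the Received headers from the bottom up, reports the host that injected the message and the first public IP it was seen from, and lists the signs that point at a web contact-form relay rather than a mail client. The embedded sample is a trimmed copy of kenosis's first header dump; the report's field names and the rules in `analyse` are my own.

```python
import email
import email.utils
import re

# Constructed sample: a trimmed copy of the headers kenosis posted in this thread
# (Received lines, addresses and the first body lines as posted; the rest omitted).
SAMPLE = """\
Received: from 46.165.192.213 (unknown [46.165.192.213])
   by newmx27.qq.com (NewMx) with SMTP id
   for <moderkenosis@qq.com>; Wed, 28 May 2014 04:47:54 +0800
Received: from yrarg by dobby.icetex-hosting.net with local (Exim 4.82)
   (envelope-from <martinoz1811@gmail.com>)
   id 1WpOHo-0000Dx-Lc
   for moderkenosis@qq.com; Tue, 27 May 2014 22:47:52 +0200
To: moderkenosis@qq.com
From: YR Argentina <martinoz1811@gmail.com>
Reply-To: world cup soccer shop <nvqcum@gmail.com>
Message-ID: <1d88944998f88836681d55b16f5a19ea@yrarg.cncguild.net>
X-Mailer: PHPMailer 5.2.1 (http://code.google.com/a/apache-extras.org/p/phpmailer/)
X-Get-Message-Sender-Via: dobby.icetex-hosting.net: authenticated_id: yrarg/only user confirmed/virtual account not confirmed

This is an enquiry email via http://yrarg.cncguild.net/ from:
world cup soccer shop <nvqcum@gmail.com>
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def _field(pattern, text):
    m = re.search(pattern, text)
    return m.group(1) if m else None


def parse_hop(value):
    """Fields an analyst reads from one Received header (folding removed)."""
    v = " ".join(value.split())
    return {
        "from": _field(r"^from (\S+)", v),          # what the relay was told
        "ip": _field(IP_RE.pattern, v),              # what the relay observed
        "by": _field(r"\bby (\S+)", v),
        "with": _field(r"\bwith (\S+)", v),          # 'local' = injected on that box
        "envelope_from": _field(r"envelope-from <([^>]+)>", v),
    }


def _addr(header_value):
    return email.utils.parseaddr(header_value or "")[1].lower()


def analyse(raw):
    """Trace where the message entered the mail system and list relay signs."""
    msg = email.message_from_string(raw)
    hops = [parse_hop(h) for h in msg.get_all("Received", [])]   # newest first
    oldest = hops[-1] if hops else {}          # how the message was injected
    origin_ip = next((h["ip"] for h in reversed(hops) if h["ip"]), None)
    from_addr, reply_addr = _addr(msg.get("From")), _addr(msg.get("Reply-To"))
    from_dom = from_addr.rpartition("@")[2]
    body = msg.get_payload() if not msg.is_multipart() else ""
    spf = _field(r"^(\w+)", " ".join((msg.get("Received-SPF") or "").split()))

    findings = []
    if oldest.get("with") == "local":
        findings.append(f"injected locally on {oldest['by']} by unix user {oldest['from']}")
    if from_dom and oldest.get("by") and not oldest["by"].endswith(from_dom):
        findings.append(f"From domain {from_dom} does not match injecting host {oldest['by']}")
    if reply_addr and reply_addr != from_addr:
        findings.append(f"Reply-To {reply_addr} differs from From {from_addr}")
    if (body or "").lstrip().startswith("This is an enquiry email via"):
        findings.append("body is a web contact-form relay template")
    if (msg.get("X-Mailer") or "").startswith("PHPMailer"):
        findings.append("sent with PHPMailer, i.e. by a web application")
    if spf in ("softfail", "fail"):
        findings.append(f"SPF {spf}: sending host not authorised for {from_dom}")
    return {"hops": hops, "origin_ip": origin_ip, "injecting_host": oldest.get("by"),
            "envelope_from": oldest.get("envelope_from"), "spf": spf, "findings": findings}


if __name__ == "__main__":
    for line in analyse(SAMPLE)["findings"]:
        print("-", line)
```

Run against the sample it reports the same thing Graion concluded by eye: the oldest hop is a local Exim injection on dobby.icetex-hosting.net by the unix user yrarg, the only public address in the chain is 46.165.192.213, and the gmail.com From address was never handled by gmail.com. The "unknown" in the qq.com hop just means that receiver had no reverse DNS for the address; the bracketed IP is what the relay actually observed and is the value to trust over the "from" name.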
Banshee
Supreme Banshee


Also Known As: banshee_revora (Steam)
Joined: 15 Aug 2002
Location: Brazil

Posted: Mon Jun 02, 2014 10:45 am

Thanks for the information. I'm still trying to figure out which vulnerability is being used and if there is some undesirable script inside the server. So far, we couldn't find anything wrong at YR Argentina's FTP and database. But I'm sure something is wrong there...

Renegade
Cyborg Artillery


Joined: 21 May 2006
Location: Hamburg, Germany

Posted: Mon Jun 02, 2014 4:19 pm

"just" is funny. The date is May 28. As you can see from the name, e-mail address and subject, it was a test.

Given that you received it, I can tell you a possible attack vector: YR Arg has contact forms for certain members (for anonymous visitors, members of the admin team have them - not sure if logged in users can contact all other users).

I sent that message by browsing to the contact form of the first user and changing the target user by editing the hidden form field containing the user id.

Then I just submitted it.

I would have to see the post body to tell if it was altered - I'm rather sure the content I put was something along the lines of "this is a test, post on PPM if you received it". I wouldn't put it past me to have jokingly offered some viagra deals, but if it's a bona fide viagra spam message now, then very most likely the message subsystem of YR Arg has been infected, replacing submitted messages through spam.

In case anyone was wondering "why?": Because the messages kenosis posted actually imply the mail isn't coming from the system itself. "This is an enquiry email via http://yrarg.cncguild.net/ from:" - not from YR Arg but via YR Arg, from someone else.
The subject line actually also looks very simple. It's probably something like "${longPageTitle}: ${messageSubject}"

So we're looking for a system that belongs to YR Arg's CMS and allows outside users to send e-mail to registered users through it.

Took me less than five minutes to find the contact form, and less than one minute to "hack" it to send to someone else.

I just needed confirmation it actually worked, but a certain someone took a week to report. #Tongue

Edited to add: If you unsuspend the site, you will find the contact form used here. You would have to test whether Martinoz, as the site admin, is always set as the sender, or if it uses the user whose page the form was on. Since Martinoz has ID 1, it would still be plausible for him to consistently appear as the sender, since UID 1 is a safe bet for the admin account.

_________________
#renproj:renegadeprojects.com via Matrix - direct link

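Renegade's post above lays out the whole defect: the recipient comes from a hidden form field the client can edit, the site admin's gmail.com address is used as the sender, and the subject is built from the page title plus whatever the visitor typed, which is why the Yahoo copy shows an SPF softfail and why the spam URL ends up in the subject line. As an added example, not YR Argentina's code and not the CMS's actual handler, here is a contact-form endpoint written so that the client cannot choose the recipient: the server issues an HMAC-signed recipient token when it renders a user's contact page and verifies it on submission, honours a per-user opt-in, rate-limits by source address, bounds and unfolds the subject, and sends from the site's own domain with the visitor only in Reply-To, so SPF is evaluated against the site's domain rather than gmail.com. `USERS`, `SECRET`, `SITE_FROM`, the token format and every function name are constructed for this example; `send` stands in for whatever outbound mail call the site actually uses.

```python
import email.utils
import hashlib
import hmac
import time
from collections import defaultdict

# Constructed site state for this example (not YR Argentina's data): user ids,
# mailboxes, and whether each user opted in to being contacted through the site.
USERS = {
    1: {"name": "admin", "email": "admin@example.invalid", "accepts_contact": True},
    2: {"name": "member", "email": "member@example.invalid", "accepts_contact": False},
}
SITE_FROM = "contact-form@example.invalid"   # the site's own domain, so SPF/DKIM can pass
SECRET = b"assumed server-side secret; load from config in a real deployment"
TOKEN_MAX_AGE = 3600                          # seconds a rendered contact page stays valid


def vulnerable_recipient(form):
    """The pattern Renegade describes: the recipient is whatever user id the
    client put in the hidden field, so the submitter picks the target."""
    return int(form["user_id"])


def make_contact_token(user_id, issued=None):
    """Issued server-side when user_id's contact page is rendered. It may travel
    in a hidden field, but any change to the id or timestamp breaks the MAC."""
    issued = int(time.time() if issued is None else issued)
    payload = f"{user_id}:{issued}".encode()
    mac = hmac.new(SECRET, payload, hashlib.sha256).hexdigest()
    return f"{user_id}:{issued}:{mac}"


def verify_contact_token(token, now=None):
    """Return the recipient user id, or None if the token was altered or expired."""
    try:
        uid, issued, mac = token.split(":")
        expected = hmac.new(SECRET, f"{uid}:{issued}".encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(mac, expected):
            return None
        now = time.time() if now is None else now
        if now - int(issued) > TOKEN_MAX_AGE:
            return None
        return int(uid)
    except ValueError:
        return None


class RateLimiter:
    """Sliding-window counter keyed by source address."""
    def __init__(self, limit, window):
        self.limit, self.window = limit, window
        self.hits = defaultdict(list)

    def allow(self, key, now):
        recent = [t for t in self.hits[key] if now - t < self.window]
        self.hits[key] = recent
        if len(recent) >= self.limit:
            return False
        recent.append(now)
        return True


def handle_contact(form, client_ip, limiter, now=None, send=None):
    """Hardened handler. Returns ('sent', envelope) or ('rejected', reason).
    `send` is a hypothetical outbound-mail callback; None just builds the envelope."""
    now = time.time() if now is None else now
    uid = verify_contact_token(form.get("token", ""), now)
    if uid is None or uid not in USERS:
        return "rejected", "recipient token invalid or expired"
    user = USERS[uid]
    if not user["accepts_contact"]:
        return "rejected", "recipient does not accept contact-form mail"
    if not limiter.allow(client_ip, now):
        return "rejected", "rate limit exceeded for source address"
    visitor = email.utils.parseaddr(form.get("sender_email", ""))[1]
    if "@" not in visitor:
        return "rejected", "visitor address malformed"
    subject = " ".join(form.get("subject", "").split())[:120]   # no CR/LF, bounded length
    body = form.get("message", "").strip()
    if not body:
        return "rejected", "empty message"
    envelope = {
        "to": user["email"],
        "from": SITE_FROM,            # never the admin's gmail.com address
        "reply_to": visitor,          # the visitor appears only here
        "subject": f"[Contact form] {subject}",
        "body": body,
    }
    if send:
        send(envelope)
    return "sent", envelope
```

The token replaces the editable user id rather than hiding it better: the page still carries the recipient, but the server only honours a recipient it signed itself and signed recently, so the "change the hidden field" step Renegade describes fails closed. The rate limiter is per source address; for a site whose forms, in Banshee's words, only bots use, disabling the feature outright (as was done here) is the simpler control, and this handler is what to deploy if the feature is wanted back.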
Banshee
Supreme Banshee


Also Known As: banshee_revora (Steam)
Joined: 15 Aug 2002
Location: Brazil

Posted: Mon Jun 02, 2014 6:53 pm

Thanks for the clarification, Renegade.

I'll unsuspend it in a couple of hours and try to figure out how to disable this feature of YR Argentina in order to stop the spam there.

Banshee
Supreme Banshee


Also Known As: banshee_revora (Steam)
Joined: 15 Aug 2002
Location: Brazil

Posted: Tue Jun 03, 2014 3:46 am

YR Argentina is back online. I'd appreciate if somebody could re-test the vulnerability mentioned above by Renegade. I want to confirm that no one will receive these emails anymore. To be honest, I don't think anyone will miss them at all, since according to my experience with contact forms, only bots use them.

Renegade
Cyborg Artillery


Joined: 21 May 2006
Location: Hamburg, Germany

Posted: Tue Jun 03, 2014 1:54 pm

I have submitted another message. We will have to wait for feedback from His Noodly Appendage to know whether I'm still a spammer. Wink

Graion Dilach
Defense Minister


Joined: 22 Nov 2010
Location: Iszkaszentgyorgy, Hungary

Posted: Tue Jun 03, 2014 6:53 pm

I've tried to send an email to myself via that form. While I don't know if I had luck or it was Microsoft not even accepting it, I did not get that email.

Atomic_Noodles
Defense Minister


Joined: 05 Oct 2011

Posted: Wed Jun 04, 2014 12:06 am

I didn't get your spam mail again.

Banshee
Supreme Banshee


Also Known As: banshee_revora (Steam)
Joined: 15 Aug 2002
Location: Brazil

Posted: Wed Jun 04, 2014 11:05 pm

Awesome! Then, my solution works. But still, if anyone gets a spam from YR Argentina after this event, please, post here.

kenosis
Commander


Joined: 19 Aug 2009
Location: Moscow State University

Posted: Fri Jun 13, 2014 10:49 am

Code:
Received: from 46.165.192.213 (unknown [46.165.192.213])
   by newmx17.qq.com (NewMx) with SMTP id
   for <moderkenosis@qq.com>; Fri, 13 Jun 2014 18:35:29 +0800
X-QQ-SPAM: true
X-QQ-SSF: 010000000100000001F000010000021
X-QQ-mid: usamxproxy10t1402655732tyu5vd7
X-QQ-FEAT: 35lICRDxLd1mqV1DSTtFacRqql6zetkzd9PkDqRsui2r3uk54A5z9rfhmqw+H
   RnWdGyFiL2kGyk2a0jfP0YLe0+aR0JaFCSgi4dO2Mf0hCBsa2RA1Ic4EKrEkJ4vEaHoMlMP
   EtRkeFdvriSw8J603w==
X-KK-mid:usamxproxy10t1402655732tyu5vd7
Received: from yrarg by dobby.icetex-hosting.net with local (Exim 4.82)
   (envelope-from <martinoz1811@gmail.com>)
   id 1WvOpS-0003UW-Qm
   for moderkenosis@qq.com; Fri, 13 Jun 2014 12:35:26 +0200
To: moderkenosis@qq.com
Subject: YR Argentina - Welcome to YR Argentina, no.1 place for Red Alert 2 and Yuri's Revenge resources. We've got the biggest collection of voxels, SHPs and other assets for modding here.: http://mexicoworldcup2014jersey.com
Date: Fri, 13 Jun 2014 12:35:26 +0200
From: YR Argentina <martinoz1811@gmail.com>
Reply-To: mexico new jersey 2014 world cup <rojcsfbq@gmail.com>
Message-ID: <9b77095346d1ea9669269ceb1be8fbc2@yrarg.cncguild.net>
X-Priority: 3
X-Mailer: PHPMailer 5.2.1 (http://code.google.com/a/apache-extras.org/p/phpmailer/)
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Content-Type: text/plain; charset="utf-8"
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - dobby.icetex-hosting.net
X-AntiAbuse: Original Domain - qq.com
X-AntiAbuse: Originator/Caller UID/GID - [539 538] / [47 12]
X-AntiAbuse: Sender Address Domain - gmail.com
X-Get-Message-Sender-Via: dobby.icetex-hosting.net: authenticated_id: yrarg/only user confirmed/virtual account not confirmed

This is an enquiry email via http://yrarg.cncguild.net/ from:
mexico new jersey 2014 world cup <rojcsfbq@gmail.com>

nice articles
mexico new jersey 2014 world cup http://mexicoworldcup2014jersey.com




[attachment: 1.png, 22.62 KB]



Banshee
Supreme Banshee


Also Known As: banshee_revora (Steam)
Joined: 15 Aug 2002
Location: Brazil

Posted: Fri Jun 13, 2014 11:14 am

Some genius has disabled my solution in order to update the site software. I've re-uploaded it.

Renegade
Cyborg Artillery


Joined: 21 May 2006
Location: Hamburg, Germany

Posted: Sat Jun 14, 2014 12:38 am

lol. IT-business as usual. Laughing

Powered by phpBB © phpBB Group
