What if there was an organisation, employed by some of the largest publishing conglomerates in the world, that not only had the capability to interdict content digitally, but did so illegally and boasted of its prowess in doing so?
What if these people had utilities to make themselves almost invisible to the operating system and the log files, and knew how to clean up after themselves to ALMOST make it appear as if they were never there?
What would happen if these Internet Corporate Spetsnaz Cyber Commandos decided to take on the small (fewer than 50 average readers per day) website of an ageing and nearly extinguished Internet entrepreneur?
… and what if that Internet entrepreneur had been hacked a few times in his life, had a reasonable knowledge of Unix, PIDs and ASCII text log files as a supplement to MySQL data files, and made lots of diverse backups of everything?
Last week the unthinkable happened. I had the pleasure of coming to the attention of just such an organisation and, of course, they injected [pun intended] themselves into the focus of my attention.
I also had the “luck” to be logged in, and I observed and captured (using Camtasia video screen capture) their antics in real time as they went about destroying my blog site.
Their actions could not be called piracy, as they didn’t take anything.
They didn’t physically harm anyone.
Yet approximately 12 people were possibly infected with a virus, and I lost two days of my life exploring the damage: looking into several hundred PHP files, testing their scripts and tracking the IP numbers that they deleted from the log files and the SQL server.
In our upcoming article entitled “Corporate Interests Hijacking the Net” we will discover who is behind the hacking of KoVTr.com, who their shareholders and directors are, and why they appear to be able to move around the net at will, invisibly wreaking havoc on web sites globally.
No need to keep checking back; just follow me on Twitter and you will receive a Tweet when I post.
The additional benefit is that I have set up a number of alternative sites, as I believe that this site will be targeted so the company involved can protect its interests.
Comment to the Internet Spetsnaz Commandos….
The incursion last night into my home computer system failed.
The Sony VGNA-190 whose MBR you took down was an unprotected seven- or eight-year-old computer used only as a media server for the family. (It took eight minutes to restore the MBR, because first I had to remember where I left the USB key….. and then I had to find the Sony boot CD……). However, the router captured all traffic to and from the Sony, and the log file has been written out to a computer not on the net.
Sec B1 & Class C-a)
The score for Round 1 at half time:
Group NBT Plc Spetsnaz Internet Raiding Party 1
vs
Koltai, ageing internet entrepreneur 0
Let’s see how we do later in the week…….
For those 12 persons who were infected by the virus, it has been identified as:
Virus – Brief Description
Winantivirus belongs to the category of Potentially Unwanted Programs (PUPs). PUPs are programs that, due to their features or means of
The evaluation criteria of PUPs are based on the proposals
Winantivirus uses the following propagation or distribution methods:
The notice on KOVTR whilst it was down over the weekend:
We apologise, KOVTR is down whilst we remove the virus that was placed there by the kind people from Envisional Ltd, who were hired by the nice people at:
To place a
If you
We apologise and suggest that you NOT turn off or reboot your machine.
At 1:12 am on the 7th of May, an employee of Envisional, or a contractor sanctioned by the owner of IP number [62.128.158.145] (whose in-addr.arpa record resolves to dedi158-145.envisional.net), caused a script to be executed on KOVTR.com that altered approximately 224 PHP files in the WordPress area of KOVTR and caused them to be infected with a downloadable virus file.
The insertion code in the PHP files starts <?php /**/ eval(base64_decode(“aWYoZnVuY3R… and is executed by the browser on the client side to binary decode
Otherwise please run a good virus removal tool
We apologise for this incursion and assure you that we will publish the complete log-files proving
was responsible for inflicting this damage on our readers’ computers.
KoVTr will be back up within seven hours. (Sorry – it’s taking longer than I thought – estimated time of “reappearance” is now approximately 14:30
We just need to go and close a few WordPress security holes and reset the rat-trap shoebox filters
Envisional guys – sometimes you should check who you’re messing with before such a
I will be sending you a bill for my time and I will be asking my readers to estimate the time and
Either way, please be advised that you will be hearing from our solicitors.
Each and every keystroke was logged (okay, byte uploaded; it’s just that “keystroke logged” sounds so
We suggest you have a quick whip-around from your clients for the upcoming legals……
Whilst there is the tiniest possibility that they were not the ones that placed the file on
Their action can only be understood by comparing it to a zealot religious Proctor, circa 1650 in Olde
We sincerely doubt that any such comparable arrangement/de facto agreement now exists between the
Additionally, the Priests didn’t leave behind nice little virus easter eggs that would cause the
Our opinion is that this activity borders on criminal malfeasance and is certainly in contravention
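The injection the notice describes, a PHP block of the form <?php /**/ eval(base64_decode("...")); ?> prepended to a few hundred files, is the standard WordPress mass-infection pattern: PHP decodes and runs the string on the server every time a page is requested, so the cleanup job is to find every occurrence, look at what the blob decodes to without ever eval()-ing it, and strip the exact statement. The scanner below is an added example written for this page; it is not KOVTR's own tooling and nothing in it comes from Envisional. The regex is an assumption about the campaign's format (comment, quoting and whitespace allowed to vary), the sample file tree and the stand-in payload are constructed, and the only detail taken from the page is the base64 prefix aWYoZnVuY3R, which decodes to "if(funct".

```python
"""Find, decode (without executing) and strip eval(base64_decode(...)) injections
in a WordPress tree. Added example for this page; the sample files are constructed."""
import base64
import os
import re
import tempfile

# Assumed shape of the injected statement, prepended to each PHP file:
#   <?php /**/ eval(base64_decode("...")); ?>
# The comment, quoting and whitespace are allowed to vary between campaigns.
INJECTION_RE = re.compile(
    r"<\?php\s*(?:/\*.*?\*/)?\s*eval\s*\(\s*base64_decode\s*\(\s*"
    r"(['\"])([A-Za-z0-9+/=\s]+)\1\s*\)\s*\)\s*;\s*\?>",
    re.DOTALL,
)


def decode_payload(b64):
    """Decode a base64 blob for inspection only. Pads a truncated blob so even a
    prefix such as the post's 'aWYoZnVuY3R' can be looked at. Never eval() this."""
    compact = "".join(b64.split())
    compact += "=" * (-len(compact) % 4)
    return base64.b64decode(compact).decode("utf-8", errors="replace")


def find_injections(text):
    """Return (start, end, decoded_payload) for every injection found in text."""
    return [(m.start(), m.end(), decode_payload(m.group(2)))
            for m in INJECTION_RE.finditer(text)]


def strip_injections(text):
    """Remove the matched statement(s) and leave the rest of the file untouched."""
    return INJECTION_RE.sub("", text)


def scan_tree(root):
    """Walk root and map each infected .php path (relative, '/'-separated) to its hits."""
    hits = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                found = find_injections(fh.read())
            if found:
                hits[os.path.relpath(path, root).replace(os.sep, "/")] = found
    return hits


# Constructed sample: a harmless stand-in payload, NOT the real one from the site.
SAMPLE_PAYLOAD = "if(function_exists('ob_start')){echo 'injected';}"
SAMPLE_B64 = base64.b64encode(SAMPLE_PAYLOAD.encode()).decode()
INFECTED = ('<?php /**/ eval(base64_decode("%s")); ?><?php\n'
            '// original file contents follow\n$x = 1;\n' % SAMPLE_B64)
CLEAN = "<?php\n// untouched file\n$y = 2;\n"


def demo():
    """Build a two-file tree, scan it and disinfect the hit; returns (hits, cleaned)."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "wp-includes"))
        with open(os.path.join(root, "wp-includes", "bad.php"), "w") as fh:
            fh.write(INFECTED)
        with open(os.path.join(root, "index.php"), "w") as fh:
            fh.write(CLEAN)
        hits = scan_tree(root)
    return hits, strip_injections(INFECTED)


if __name__ == "__main__":
    found, cleaned = demo()
    for path, items in found.items():
        for start, end, payload in items:
            print("%s: bytes %d-%d, payload begins %r" % (path, start, end, payload[:40]))
    print("page prefix decodes to:", repr(decode_payload("aWYoZnVuY3R")))
```

Two caveats from practice: a strip-in-place pass is only safe once the decoded payload has been read, because some campaigns put the dropper in one file and a backdoor with a different shape in another, and re-scanning after cleanup plus comparing against the offline backups the post mentions is what tells you the 224 files were the whole of it.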
Tom, I only just saw all this, and though I am concerned I was wondering if you have recently seen the WordPress problems that have recently occurred with GoDaddy accounts, especially *nix ones [latest details at http://www.wpsecuritylock.com/exploit-on-wordpress-returns-go-daddy-responds/ ]
For some info on how to detect, remove and counteract both,
http://www.wpsecuritylock.com/cechriecom-com-script-wordpress-hacked-on-godaddy-case-study/
and
http://blog.sucuri.net/2010/02/removing-malware-from-wordpress-blog.html
are probably the best sites.
I have come across these malware phishing exploiters before, and though I am not saying that 62.128.158.145 did not do it, what I am saying is that they could actually be patsies, given the way proxies get used by these exploiters. Or their ubiquitous polling via their spiders could be seen as part of it all.
Envisional are basically (though there are some nefarious activities) a media monitoring service, which, like all monitors, annoys any site owner who has to pay for bandwidth. I normally suggest sticking them in robots.txt. Though Envisional could be up to the old tricks they pulled in 2004, when they were ignoring the robots file entirely [http://www.wecltd.eu/badrobots/index.en.php last entry on table]
Email me if you have any probs Tom. Cheers
Thanks Graeme, but at this point in time I have some reasonably damning evidence, including the script that deleted their traces out of the MySQL database.
They (the hackers) forgot about Unix-level logging, like ps -eaux > /k/k/koltai/pidlogfile and the Apache access logs.
If I hadn’t been sitting there watching them through a WordPress plugin, I would never have known I had been hacked….. until Google started listing me as a malware site to the whole world.
What an absolutely brilliant methodology for discrediting a blogger…… install a three-year-old, almost harmless antivirus software package that Google recognises as malware. Voilà, traffic decreases, problem doesn’t exist for Vivendi, Microsoft, Fox, RIAA, IFPI etc. etc., the usual suspects. What I find fascinating is that the insurance companies and banks are now joining the customer list.
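Tom's reply rests on two records the intruders' cleanup script did not reach: the Apache access log and a periodic ps dump written somewhere outside the web stack. As an added example (not Tom's actual script, of which the comment only shows the output path), the POSIX shell below pulls every access-log line for one client IP using an exact first-field compare, contrasts that with the naive grep that over-matches, and shows a timestamped snapshot loop of the kind the comment describes. The log lines are constructed from RFC 5737 documentation addresses and invented requests; they do not reproduce any real traffic to the site.

```shell
#!/bin/sh
# Added example for this page, not the site owner's own script.
# Constructed Apache combined-log lines (documentation IPs, invented requests).
SAMPLE_LOG=$(cat <<'EOF'
203.0.113.9 - - [07/May/2010:01:10:02 +0100] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.10 - - [07/May/2010:01:12:01 +0100] "GET /wp-admin/ HTTP/1.1" 302 0 "-" "Mozilla/4.0"
192.0.2.10 - - [07/May/2010:01:12:03 +0100] "POST /wp-login.php HTTP/1.1" 200 0 "-" "Mozilla/4.0"
192.0.2.1 - - [07/May/2010:01:13:11 +0100] "GET /feed/ HTTP/1.1" 200 3000 "-" "FeedReader/1.0"
EOF
)

# Print only lines whose first field (client IP) equals $1. An exact field
# compare avoids the classic mistake of `grep 192.0.2.1`, which also matches
# 192.0.2.10 and 192.0.2.100 because the dots are regex wildcards too.
lines_from_ip() {
    awk -v ip="$1" '$1 == ip'
}

# Count the sample-log lines for one IP (what the checks below call).
count_from_ip() {
    printf '%s\n' "$SAMPLE_LOG" | lines_from_ip "$1" | wc -l | tr -d ' '
}

# Periodic process snapshot appended to a file the attacker does not know
# about. Each block is UTC-stamped so it lines up with the access log.
# Run it in the background, e.g.: snapshot_processes /var/local/pidlog 60 &
snapshot_processes() {
    out=$1; interval=${2:-60}
    while :; do
        date -u '+== %Y-%m-%dT%H:%M:%SZ'
        ps -eo pid,ppid,user,etime,args
        sleep "$interval"
    done >> "$out"
}

# Demo: exact match versus naive substring grep for the same address.
exact=$(count_from_ip 192.0.2.1)
naive=$(printf '%s\n' "$SAMPLE_LOG" | grep -c '192.0.2.1')
echo "exact match for 192.0.2.1: $exact line(s); naive grep: $naive line(s)"
```

The snapshot file should live on a filesystem the web server's user cannot write to, and ideally be shipped off-box as it is written, which is the property that made Tom's copy survive: a script that truncates MySQL rows and Apache logs cannot reach a file it does not know exists on a host it never touched.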