We are going to Hell in a basket [Archive] - SpeedGuide.net Broadband Community


fredra
10-29-02, 06:56 PM
Hi folks
I just received this, and thought I would share it with others.
This is just frightening.
Go here (http://200.46.156.19) ...if the link doesn't work, type it in your browser.
Hey Norm...TonyT..GrEed...blebs...croc... how can this be averted?
This just frosts me :mad:

blebs
10-29-02, 08:31 PM
I'm speechless on this one. :(

zooner
10-30-02, 06:09 AM
F*ck.

I clicked on it.

they have a site tracking tool.

I copied the source and hosted it on my server. this means they have my IP number.

Click here instead. I removed the tracking device in the coding. (http://zooner.ranchoweb.com/spysoft.html)

page will be hosted for 24 hours.

Croc
10-30-02, 06:32 AM
This is news to me as well. Checked out ComputerCops and came up with nothing. Off to DSLR.
This program comes out in quite a few forms.
Just copy/paste "Remote Spy - (RRD) Rapid Remote Deployment" (using the " ") into Google and search.

Croc.

fredra
10-30-02, 07:01 AM
OK zooner....
You are too smart for MY own good....lo..J/kl
(BTW..that is meant as a compliment)
How do you know they have a tracking tool embedded in their web page?...did you read the HTML code?
Anyway, thanks for letting us know about it, and hosting it on your server (with tracking tool removed)...much appreciated.
Am I the only one who didn't know about this "Remote Spy" thing?

Suzie
10-30-02, 07:54 AM
So how would you be able to detect this if you had it?

I was sent something the other day, when I opened it, I received a warning that if I continued my security was going to be at risk. It freaked me out so I shut down the internet and closed the IE window. Reading that has made me nervous about the link I went to??

fredra
10-30-02, 08:34 AM
^BUMP

Croc
10-30-02, 10:10 AM
^trip

I really don't know, Suzie cause no one has sent it to me. If Script is used to load it onto your system then there are some programs that stand guard at the door.
One is called ScriptSentry.
I have had contact with the developer before so I will send him the link to the page to see if he knows.
May take a while.

Croc.

Suzie
10-30-02, 11:00 AM
Thanks croc. I'll be watching for you to post info hopefully on this.

The link I clicked on from the e-mail took me to a site and said a friend had sent me a card. I didn't even really get to the page because as soon as IE opened, the warning I received took over the whole IE page. As soon as I read the warning, I didn't read any further, I just shut it all down....

greEd
10-30-02, 11:22 AM
Damn, those servers have been well compromised. A quick audit on the original server in question revealed the following user accounts:

500,Administrator,,"Built-in account for administering the computer/domain",,"46days 9h 27m 11s",Administrator,513,,,,normal,,,,,,*,,,,,,,,"Mon Oct 28 15:49:40 2002",unknown,never,81,2,FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF,,\\*,,,,,,unlimited,hours,0,0
501,Guest,,"Built-in account for guest access to the computer/domain",,"0days 0h 0m 0s",Guest,513,,,,normal,*,,*,*,,*,,,,,,,,"no logon",unknown,never,0,0,FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF,,\\*,,,,,,unlimited,hours,0,0
1001,IUSR_JASON,"Internet Guest Account","Built-in account for anonymous access to Internet Information Services","Built-in account for anonymous access to Internet Information Services","44days 12h 2m 7s",Guest,513,,,,normal,,,*,*,,*,,,,,,,,"Wed Oct 30 06:32:28 2002",unknown,never,134,0,FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF,,\\*,,,,,,unlimited,hours,0,0
1002,IWAM_JASON,"Launch IIS Process Account","Built-in account for Internet Information Services to start out of process applications","Built-in account for Internet Information Services to start out of process applications","71days 18h 40m 47s",Guest,513,,,,normal,,,*,*,,*,,,,,,,,"Mon Oct 28 21:49:35 2002",unknown,never,40,0,FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF,,\\*,,,,,,unlimited,hours,0,0
1006,ILS_ANONYMOUS_USER,"ILS Anonymous Account","Anonymous Account for ILS Server",,"44days 12h 0m 38s",Guest,513,,,,normal,,,*,*,,*,,,,,,,,"no logon",unknown,never,0,0,FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF,,\\*,,,,,,unlimited,hours,0,0
1007,TsInternetUser,TsInternetUser,"This user account is used by Terminal Services.",,"0days 19h 6m 29s",Guest,513,,,,normal,,,*,*,,*,,,,,,,,"no logon",unknown,never,0,0,FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF,,\\*,,,,,,unlimited,hours,0,0
1008,dandada,Danboy,,,"3days 11h 46m 28s",User,513,,,,normal,,,,,,*,,,,,,,,"Thu Oct 17 15:50:28 2002",unknown,never,4,0,FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF,,\\*,,,,,,unlimited,hours,0,0
1009,BCServerAccount,,,,"33days 2h 7m 49s",Administrator,513,,,,normal,,,,,,*,,,,,,,,"Mon Oct 28 15:42:59 2002",unknown,never,38,0,FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF,,\\*,,,,,,unlimited,hours,0,0
1011,robert,robert,admin,,"13days 16h 55m 16s",User,513,,,,normal,,,,,,*,,,,,,,,"no logon",unknown,never,0,0,FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF,,\\*,,,,,,unlimited,hours,0,0

Funny thing is if you look at the account "IUSR_JASON" (which is an anonymous account for IIS) the login times is 134. Funny.
Also if you look at the submission source on the order page it points to another compromised server, which tries to sell sat. dishes for free or something, <sarcasm>well thought bounce attack</sarcasm>.

If you want to get the server kicked contact the following:
TechEmail: hostmaster@lacnic.net
and explain .. I'm too lazy ;)

kind regards,
greEd
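
An added example, not part of greEd's post: a small Python triage of an account export in the comma-separated layout shown above, for reviewing a host you administer. The column positions (privilege at index 6, last logon at 25, logon count at 28) are assumptions inferred from that dump, and the sample rows and account names are constructed.

```python
import csv
import io

# Constructed rows in the same 42-column layout as the dump above
# (hypothetical account names, not taken from the thread).
SAMPLE = r'''500,Administrator,,"Built-in administrator",,"46days 9h 27m 11s",Administrator,513,,,,normal,,,,,,*,,,,,,,,"Mon Oct 28 15:49:40 2002",unknown,never,81,2,FF,,\\*,,,,,,unlimited,hours,0,0
1001,IUSR_WEB01,"Internet Guest Account","IIS anonymous access",,"44days 12h 2m 7s",Guest,513,,,,normal,,,*,*,,*,,,,,,,,"Wed Oct 30 06:32:28 2002",unknown,never,134,0,FF,,\\*,,,,,,unlimited,hours,0,0
1009,SvcExample,,,,"33days 2h 7m 49s",Administrator,513,,,,normal,,,,,,*,,,,,,,,"Mon Oct 28 15:42:59 2002",unknown,never,38,0,FF,,\\*,,,,,,unlimited,hours,0,0
1011,exampleuser,exampleuser,,,"13days 16h 55m 16s",User,513,,,,normal,,,,,,*,,,,,,,,"no logon",unknown,never,0,0,FF,,\\*,,,,,,unlimited,hours,0,0
'''

# Assumed column meanings, inferred from the dump (not documented on the page).
COL_RID, COL_NAME, COL_PRIV, COL_LAST, COL_COUNT = 0, 1, 6, 25, 28


def parse_accounts(text):
    """Turn the export into a list of dicts, skipping blank or short lines."""
    accounts = []
    for rec in csv.reader(io.StringIO(text)):
        if len(rec) <= COL_COUNT or not rec[COL_RID].isdigit():
            continue
        accounts.append({
            "rid": int(rec[COL_RID]),
            "name": rec[COL_NAME],
            "privilege": rec[COL_PRIV],
            "last_logon": rec[COL_LAST],
            "logons": int(rec[COL_COUNT]),
        })
    return accounts


def review(accounts):
    """Return (account, reason) pairs that an administrator should look at."""
    findings = []
    for a in accounts:
        if a["privilege"] == "Administrator" and a["rid"] != 500:
            findings.append((a["name"], "administrator rights outside RID 500"))
        if a["privilege"] == "Guest" and a["logons"] > 0:
            findings.append((a["name"], f"guest-level account, {a['logons']} logons"))
        if a["privilege"] != "Guest" and a["last_logon"] == "no logon":
            findings.append((a["name"], "never used; candidate for disabling"))
    return findings


if __name__ == "__main__":
    for name, reason in review(parse_accounts(SAMPLE)):
        print(f"{name}: {reason}")
```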

fredra
10-30-02, 12:47 PM
Damn GreEd...you are GOOD.
Thanks pal...terrific job....

zooner
10-30-02, 07:37 PM
I only knew he was tracking cause I do the same thing.

it just shows what your IP address is and what time you were there. However, I do it cause I like to see what members of the family were by. I don't even want to think what he's going to use that for! thank god I have dsl... changing IP number.

Croc
10-31-02, 01:30 AM
Well I have a reply and the program is supposedly similar to NetBus, BackOrifice and Sub7 not to list all the others out there doing the same things. All can be installed without knowledge and maybe sometime soon it also will be able to be detected in the same way that the other 3 are.

That's some post greED. Thanks for the info. Now all most of us have to do is understand what it all means. :D

Croc.

zooner
10-31-02, 03:27 AM
hmm... what does that mean?

kinda what I hear when I was younger and my mom kept talking... and talking... and talking...

Croc
10-31-02, 05:11 AM
I sorta felt the same way, zooner and then I realised one thing.

The program is a buy for $90+ and only after registration so it wasn't checked out.
I posted what info I received.

Croc.