Page 3 of 3 FirstFirst 123
Results 31 to 44 of 44
  1. #31
    abaaaabbbb63's Avatar
    Join Date
    Jul 2011
    Gender
    male
    Location
    My room
    Posts
    115
    Reputation
    10
    Thanks
    796
    My Mood
    Devilish
    Someone posted a suspect similar thread a few minutes ago. Good thing it was rapidly deleted.

    If you do this command netstat -ano and encounter some unknown ip, just right click in cmd, check Mark, select the adress and port, press Ctrl+C, then go to this site:
    Trace An IP - Our IP Address Locator & Tracer Can Track Any Location
    and paste it there. It usually gives a company name if it's legit.
    Last edited by abaaaabbbb63; 01-10-2013 at 12:01 PM.
    Don't hesitate to use the Thanks! button if I helped.

  2. #32
    Dexwest's Avatar
    Join Date
    Nov 2012
    Gender
    male
    Posts
    9
    Reputation
    10
    Thanks
    2
    My Mood
    Tired
    thanks jorndel

  3. The Following User Says Thank You to Dexwest For This Useful Post:

    [MPGH]Jorndel (01-10-2013)

  4. #33
    TrollArchSoda's Avatar
    Join Date
    Dec 2012
    Gender
    male
    Posts
    3
    Reputation
    10
    Thanks
    0
    Holy shit dude you scared the hell out of me i tought soon i will i read this i will going to be hacked , Ty for warning :P

  5. #34
    crazycake12432's Avatar
    Join Date
    May 2012
    Gender
    male
    Posts
    19
    Reputation
    10
    Thanks
    1
    thanks for the warning

  6. #35
    qwertyup's Avatar
    Join Date
    May 2010
    Gender
    male
    Posts
    2
    Reputation
    10
    Thanks
    0
    Again to all it happened, all hacks on this site are AT YOUR OWN RISK If it happened to you, clean it out or reformat, this will be the best way to get rid of it.

    I have a test laptop at home, and downloaded the file. Reformat worked best because it reset all my registry and ip tables for the network i run.

  7. #36
    Iwashere94's Avatar
    Join Date
    Jan 2013
    Gender
    male
    Posts
    2
    Reputation
    10
    Thanks
    0
    My Mood
    Sick
    ya i downloaded the " hack " and it appeared a anonymous chat telling me he was from steam support and she asked me the year i was born and my secret answer. that mf.... Care Guys!

  8. #37
    poocheesey2's Avatar
    Join Date
    Oct 2012
    Gender
    male
    Posts
    22
    Reputation
    10
    Thanks
    11
    My Mood
    Buzzed
    yah that is the hacker he asked me sign into my paypal to cancel a order he placed i told him to fuck off and before he could do any thing else i kicked him off and had my workmate trace him and also to every one who was wondering about my involvement with mpgh wile working fro GMD. I have a 14 year old sun who uses my computer to do his video gaming stuff and he uses this web site.
    Quote Originally Posted by Iwashere94 View Post
    ya i downloaded the " hack " and it appeared a anonymous chat telling me he was from steam support and she asked me the year i was born and my secret answer. that mf.... Care Guys!

  9. #38
    Lulz$ecurity's Avatar
    Join Date
    Jun 2012
    Gender
    male
    Location
    Kaesong
    Posts
    721
    Reputation
    15
    Thanks
    177
    Quote Originally Posted by madnessgodlike7 View Post
    Happend to me. he infected with virus my pc. -_-
    you should blame your brains
    anyways format your OS

  10. #39
    aIW|Convery's Avatar
    Join Date
    Oct 2010
    Gender
    male
    Posts
    2,876
    Reputation
    124
    Thanks
    595
    My Mood
    Cynical
    Click random links as you're desperate to get hacks for the game your mom bought you -> Get banned -> Cry about viruses -> Make a scare thread saying that TCP connections are 1337 hacks (even though no virus or hacker would use TCP) -> get thanks -> show your mom that others believe you got hacked so she'll buy you a new computer/game for you.

    Really simple

    And really, is this what the term 'hacker' have devolved into? Kids are 'hackers' because they are asking you for your password and secret question so they can 'hack' your accounts?

    ps. Got to love how people that can't write in proper English are always 40+(loving wife, CEO and all that..) with a kid 10-16 years old that downloads everything that messes them up. Luckly with their expert computer knowledge they can tell the 'hacker'; 'no!' when he asks for more passwords and then trace him via google..

    *sigh* Threads like this where kids whine about them being hacked by giving out their parents credit cards to anyone that claims they can hack them a higher level in minecraft, they are what makes me lose all faith in humanity and want to start cutting myself..
    Last edited by aIW|Convery; 01-11-2013 at 12:39 AM.

  11. #40
    Nachos's Avatar
    Join Date
    Jun 2010
    Gender
    male
    Location
    Between Equator and The North Pole
    Posts
    2,986
    Reputation
    176
    Thanks
    913
    My Mood
    Blah
    These links were only available for a couple of hours and the user has been banned.

    And just to clear things up, you didn't download a hacker if you downloaded it. You downloaded some malware that gives a hacker access to your computer. Also, most AVs should be able to detect this.

    If any of you got this or think you got this you should stay up to date with this thread and section. I will try to find out some more details about and get them posted. @master131 If you could take a look in to this I'm sure it would be appreciated. The thread is in the CoD archive, the link is still in the thread if you wanna look at the file.
    Last edited by Nachos; 01-11-2013 at 06:20 AM.


    The lines in my Steam are i's

  12. #41
    master131's Avatar
    Join Date
    Apr 2010
    Gender
    male
    Location
    Melbourne, Australia
    Posts
    8,802
    Reputation
    3165
    Thanks
    73,318
    My Mood
    Breezy
    Alright, I've looked into it. You guys should know never to download files that are directly linked or are not approved yet. There's a reason we implement this stuff into the forum. Here is the VirusTotal result:
    https://www.virustotal.com/file/ef16...is/1357953718/

    As you can see, there aren't many detections due to the fact that it's coded in AutoIt. I'm in the process of analysing the script. As ESET is the only vendor that detected the file and provides an online virus scanning service, please scan your computer using this: http://www.eset.com/us/online-scanner/

    It can also pick up DarkComet and other RAT software so if you think you're computer has been compromised, please scan it immediately.

    Here is the picture that was included with this so called hack:


    EDIT - Alright, I've looked into the script. It seems to avoid AV detection because of the way it stores the malware and also insert over a million junk lines into the script (probably to try slow down my tools or something). For security's sake, I'm not going to try to extract or write this file to my computer to see what it is so yeah.

    Code:
    FILEINSTALL(<path removed>,TEMPDIR&"\run.exe")
    REGWRITE("HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", SCRIPTNAME,"REG_SZ", SCRIPTFULLPATH)
    Perhaps you guys should check your Temporary directory for "run.exe". Also check your startup entries for the path to the fake hack.

    Also as a final note @poocheesey2 @MLG_ProTryhard Just because a connection is ESTABLISHED, does not mean you are hacked, don't give misleading information.

    EDIT 2 - Turns out "run.exe" is harmless and is the fake hack seen in the screenshot above. When you click the buttons, it simply closes. The AutoIt script tries to delete all files/folders in drives from C to K. It also creates a readme.txt file which I'm still looking into. A connection is also made to an IP located in Germany, the same country where the RAR file was hosted. That's still being looked into too.

    EDIT 3 - The AutoIt script also contains RAT/BOTNET code and will perform requests like SYN/HTTP/UDP flooding as well as play sounds and whatnot. Deleting the file should essentially render the whole thing useless as far as I know.



    Thanks to @aIW|Convery for doing this for me.
    Last edited by master131; 01-12-2013 at 12:05 AM.
    Donate:
    BTC: 1GEny3y5tsYfw8E8A45upK6PKVAEcUDNv9


    Handy Tools/Hacks:
    Extreme Injector v3.6.1 *NEW* Windows 10 compatible!
    A powerful and advanced injector in a simple GUI.
    Can scramble DLLs on injection making them harder to detect and even make detected hacks work again!

    Minion Since: 13th January 2011
    Moderator Since: 6th May 2011
    Global Moderator Since: 29th April 2012
    Super User/Unknown Since: 23rd July 2013
    'Game Hacking' Team Since: 30th July 2013

    --My Art--
    [Roxas - Pixel Art, WIP]
    [Natsu - Drawn]
    [Natsu - Coloured]


    All drawings are coloured using Photoshop.

    --Gifts--
    [Kyle]

  13. The Following User Says Thank You to master131 For This Useful Post:

    [MPGH]Jorndel (01-11-2013)

  14. #42
    aIW|Convery's Avatar
    Join Date
    Oct 2010
    Gender
    male
    Posts
    2,876
    Reputation
    124
    Thanks
    595
    My Mood
    Cynical
    To remove it:
    Kill the process and use regedit to remove it from HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Curre ntVersion\Run..

  15. #43
    master131's Avatar
    Join Date
    Apr 2010
    Gender
    male
    Location
    Melbourne, Australia
    Posts
    8,802
    Reputation
    3165
    Thanks
    73,318
    My Mood
    Breezy
    Quote Originally Posted by aIW|Convery View Post
    To remove it:
    Kill the process and use regedit to remove it from HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Curre ntVersion\Run..
    This. That's all you have to do. Also, the AutoIt has a DarkComet RAT inside it that is loaded into itself so it is not written to disk to evade AV detection. I was able to decrypt and decompress it despite the script being heavy obfuscated. Here is the VT scan of the DarkComet RAT:
    https://www.virustotal.com/file/5abd...is/1357975799/

    If anyone is interested in the "crypto" stuff, then read on:
    The script uses alot of public AutoIt sources to do what it does.

    Firstly it does some basic checks that will cause it to exit immediately if it is true. These checks will see if Sandboxie is present by checking for 2 of its processes. It then checks if it's being analysed by Anubis (online analysis service) by comparing computer name, OS name, service pack, username and startup list.

    Afterwards, does a check with the computers name to see if it's not "RAZOR-LAPTOP". It then does another check to see if the running script is an EXE or not. If it's not an EXE, it will create a batch script and a VBS script. The batch script will use "del *.* /q /s" from drives C to K to try delete everything inside it. The VBS script is to hide the Command Prompt window that pops up when the batch is executed. All of that of course won't happen because the script that this "RAZOR" person released was an EXE.

    After that, a file named "run.exe" is created into the %TEMP% folder and run. This is the fake hack that was in the screenshot that "RAZOR" posted. A massive base64 string inside the script is then decoded using CryptStringToBinary (in crypt32.dll) and that string is then decompressed using an undocumented function in ntdll.dll called RtlDecompressBuffer which uses the LZNT1 compression format to decompress the data. Then that data is then decrypted using AutoIt's _Crypt_DecryptData function (found in Crypt.au3) with the CALG_AES_256 algorithm using the password "32c5235c235Y". Finally, that decrypted data is then mapped into memory instead of writing to disk and then executed which essentially loads the DarkComet RAT inside the AutoIt script's process to avoid anti-virus detection.

    Nice try "RAZOR", but your method aint going to work on me.
    Last edited by master131; 01-12-2013 at 03:57 AM.
    Donate:
    BTC: 1GEny3y5tsYfw8E8A45upK6PKVAEcUDNv9


    Handy Tools/Hacks:
    Extreme Injector v3.6.1 *NEW* Windows 10 compatible!
    A powerful and advanced injector in a simple GUI.
    Can scramble DLLs on injection making them harder to detect and even make detected hacks work again!

    Minion Since: 13th January 2011
    Moderator Since: 6th May 2011
    Global Moderator Since: 29th April 2012
    Super User/Unknown Since: 23rd July 2013
    'Game Hacking' Team Since: 30th July 2013

    --My Art--
    [Roxas - Pixel Art, WIP]
    [Natsu - Drawn]
    [Natsu - Coloured]


    All drawings are coloured using Photoshop.

    --Gifts--
    [Kyle]

  16. The Following 2 Users Say Thank You to master131 For This Useful Post:

    aIW|Convery (01-12-2013),rawr im a tiger (01-12-2013)

  17. #44
    aIW|Convery's Avatar
    Join Date
    Oct 2010
    Gender
    male
    Posts
    2,876
    Reputation
    124
    Thanks
    595
    My Mood
    Cynical
    It is moral to say that "RAZOR" controls the infected computers from morrisftw123.zapto.org (77.10.89.79:1604)?
    Oops..
    Whatever you guys do, don't try to get revenge and don't do anything illegal..

    EDIT: Also, he's running it on a Nokia Lumia N900 (don't ask), but I guess Blackhat pays..
    Last edited by aIW|Convery; 01-12-2013 at 04:28 AM.

  18. The Following 6 Users Say Thank You to aIW|Convery For This Useful Post:

    [MPGH]Horror (01-12-2013),[MPGH]Jorndel (01-12-2013),[MPGH]MarkHC (01-12-2013),[MPGH]master131 (01-12-2013),Nachos (01-12-2013),rawr im a tiger (01-12-2013)

Page 3 of 3 FirstFirst 123

Similar Threads

  1. Warning from Nexon to Hackers :3
    By CrimsonFlames in forum Vindictus Discussions
    Replies: 42
    Last Post: 07-12-2011, 03:24 PM
  2. A warning to your hackers/botters
    By mastowns in forum World of Tanks Hacks & Cheats
    Replies: 1
    Last Post: 03-20-2011, 02:41 PM
  3. A Warning to ALL Hackers as of May 8, 2010.
    By Asian Dynasty in forum Combat Arms Discussions
    Replies: 11
    Last Post: 05-09-2010, 12:32 AM
  4. A Warning to ALL Hackers as of May 5, 2010.
    By Asian Dynasty in forum Combat Arms Discussions
    Replies: 27
    Last Post: 05-06-2010, 06:04 PM
  5. [Info] warning cf Account hacker
    By v3v2v1 in forum CrossFire Hacks & Cheats
    Replies: 37
    Last Post: 10-26-2009, 07:14 AM