
Renderosity Forums / Poser - OFFICIAL






Subject: ...HACKER (S) Working the Renderosity Marketplace?


Veritas777 ( ) posted Wed, 26 January 2005 at 2:54 PM · edited Mon, 25 November 2024 at 6:27 AM

I've had several experiences over the past two-three weeks that lead me to believe that a hacker (or hackers) are working the Renderosity Marketplace- most likely to steal password info- and- to download models maybe? My first experience was about two-three weeks ago when I entered the marketplace page and saw a Pop-Up that offered computer games for sale. I have NEVER seen a pop-up like this before at Renderosity as I have all my Norton settings fairly high (and current). This was followed days later by a "MS-SQL_Packet_DoS" intrusion attempt, and then again on a later day- and then on a later day I had my printer software disabled (and subsequently had to re-install it) while browsing in the marketplace. I can tell when my printer port is being "hit" because my printer makes a distinct port-hit sound. More recently I was alerted by Norton that a "MS-SQL_NullPacket_DoS" threat had happened while in the marketplace- Norton says- "This attack could pose a serious security threat. You should take immediate action to stop any damage or prevent further damage from happening." Then today I entered the marketplace and was alerted with a "Tcp_Xmas_Scan" - which Norton describes as "a condition that indicates an attempted IP spoofing attack." I really have to think that this is either someone who is "inside" Renderosity- or is working with the help of someone at Renderosity- perhaps from another location. Anyone else see stuff like this happening?


Penguinisto ( ) posted Wed, 26 January 2005 at 3:06 PM

Err, R'osity doesn't use Microsoft SQL... at least they used MySQL as a base the last time I saw an error msg from it. Also, a Norton client wouldn't have any way of accessing enough of the RMP's server to determine what everyone else is doing there (IOW, you can't see everyone else's connections to the RMP, just yours. Consequently, unless your own machine has been compromised to alert someone when you hit a certain URL, there's no way for a "hacker" to tell whether or not you're connected to the RMP.) Are you sure that your own computer hasn't been popped? Setting Norton to "high" security don't mean jack when there are a plethora of security holes gaping wide in XP (even with Service Pack 2 installed...) If you're using Internet Explorer the odds of catching something nasty are even better. To top it off, your firewall and A/V software are only as good as the last time you patched it. Heh - glad I use Linux and OSX to do all my Internet shit... /P


Aeneas ( ) posted Wed, 26 January 2005 at 3:08 PM

I've had some bizarre experiences also, now that you talk about it. the mysql I also had (yesterday?), and also my browser trying to connect to other pages whilst here in the marketplace...

I have tried prudent planning long enough. From now I'll be mad. (Rumi)


Scarab ( ) posted Wed, 26 January 2005 at 3:41 PM

My firewall just intercepted a "Xmas tree" attack. When I traced it back the address leads to the renderosity marketplace (avalon bondware), so SOMEthing funny is going on. How 'bout it, admins? Scarab


SAMS3D ( ) posted Wed, 26 January 2005 at 4:06 PM

:-(...oh no....hope it is going to be alright? Sharen


XENOPHONZ ( ) posted Wed, 26 January 2005 at 4:17 PM

I hate being attacked by Xmas trees.

Something To Do At 3:00AM 



Penguinisto ( ) posted Wed, 26 January 2005 at 4:20 PM

yeah... leaves needles all over the fscking carpet. /P


Jovial ( ) posted Wed, 26 January 2005 at 4:36 PM

My firewall has also just blocked the Xmas Scan

Symantec Personal Firewall reports:
Details: Attempted Intrusion "TCP_Xmas_Scan" against your machine was detected and blocked.
Intruder: market.renderosity.com(66.18.106.198)(http(80)).
Risk Level: Low.
Protocol: TCP.

Not good. Probably not a good time to go shopping at R'osity.

Regards,
Jovial.


XENOPHONZ ( ) posted Wed, 26 January 2005 at 4:47 PM

That does it! They are off of my Xmas card list.

Something To Do At 3:00AM 



mateo_sancarlos ( ) posted Wed, 26 January 2005 at 4:50 PM

I thought they do use MySQL. Maybe one of their machines has been infected, or is being used as a slave machine by some hacker at a remote location.


Veritas777 ( ) posted Wed, 26 January 2005 at 4:52 PM

A hacker could have a great time downloading models from various people's accounts- once they could log in under your own account name. In this respect I think Renderosity has the most LOW TECH security system of any website like it. But RDNA uses Bondware also, and once logged-in, you can freely download a couple of years worth of model purchases! If I was a MERCHANT, all of this would really make me CRINGE at the thought that hackers could be robbing their sales and future income. But the earlier Pop-Up of someone trying to sell computer games might be a clue as to who might be doing this. I have my Norton log of where these attacks are (or appear to be) coming from- (but I'm not posting them here...)


Kalypso ( ) posted Wed, 26 January 2005 at 4:52 PM
Site Admin


spothmann ( ) posted Wed, 26 January 2005 at 4:56 PM

Alright... have to say a few things. First, the evil people who all have nothing else to do but trying to get hold of your computer via the net are not hackers, they are called crackers or scriptkiddies. Second. If you are 'browsing Renderosity', you are not only 'browsing Renderosity'. Your computer is permanently connected to the net at that moment, with its own IP address which usually is given to you by your ISP for the time you're online. If you sever the connection and dial in anew, you will probably have a different IP address, because those are given away dynamically. And that's where those 'attacks' often come from: Imagine someone else has the IP 1235 and is playing an online game, which identifies him by his IP address. Now that playing person turns off the computer. The IP 1235 is available again. If you now dial in and your ISP gives that 1235 to you, the game server is still 'looking' if the player at 1235 is present by sending data packets to him. And now - surprise - your firewall pops up with something like 'Attempted Intrusion "TCP_violent_gameserver" against your machine was detected and blocked' - even if you were 'just' checking your emails or browsing Renderosity. See what this is about? Of course, there is the faint possibility that someone is doing a portscan on your computer - with a billion possible IPs to scan, this is still more unlikely than being struck by lightning. But that would not result in one, but in possibly several thousand messages from your firewall... And if your ports are correctly configured, you don't need to be afraid (but then you also would not need a firewall, right...?). But then there's still another possibility: the server of Renderosity has caught a virus or worm. That, however, would be, let's say, rather not so good....


maxxxmodelz ( ) posted Wed, 26 January 2005 at 5:01 PM

If it only happens when you log into the marketplace, I'd be more worried they're trying to steal your credit card info rather than your downloads. Sounds more like you guys all got hit with a spyware virus that is triggered by keywords that may appear in the taskbar of your browser... like 'market'. Try going somewhere else that also has the word 'market' in the URL, and see if it happens again. That should narrow it down to being possible spyware, or something fishy with this marketplace in particular.


Tools :  3dsmax 2015, Daz Studio 4.6, PoserPro 2012, Blender v2.74

System: Pentium QuadCore i7, under Win 8, GeForce GTX 780 / 2GB GPU.


ziggie ( ) posted Wed, 26 January 2005 at 5:02 PM


Beware the mutant Xmas trees....!

"You don't have to be mad to use Poser... but it helps"


XENOPHONZ ( ) posted Wed, 26 January 2005 at 5:13 PM

ziggie -- Yes, that's the way it happens. It's horrible. Worst of all is when it spews tinsel, and then ties someone up in it.

Something To Do At 3:00AM 



zippyozzy ( ) posted Wed, 26 January 2005 at 5:20 PM · edited Wed, 26 January 2005 at 5:25 PM

I have yet to experience any of this. For those of you using Windows you should turn on your Windows firewall if you have XP Pro. I browse this site at all different times as I work the odd shift and have never been attacked on the web or this site. The firewall will stop all incoming messages from Windows. It doesn't sound like a hacker. A real hacker wouldn't be bothered with this site. It wouldn't be worth their trouble. Hackers, the real ones, do not lower themselves to script kiddie level. Sounds to me like you picked up something from your browsers not this site and it infected your machine, hence, the popups. I haven't had any popups appear from this site when browsing and I don't use any fancy software. Just Windows firewall. ;)

Message edited on: 01/26/2005 17:25


wolf359 ( ) posted Wed, 26 January 2005 at 5:33 PM

MAC OSX .... accept no substitutes.... ;-)



My website

YouTube Channel



Veritas777 ( ) posted Wed, 26 January 2005 at 5:43 PM

I visit RDNA, Poser Pros and DAZ on a regular, almost daily basis, and it doesn't happen over there. Never seen anything like this on the other sites- so right now I would have to narrow it down to someone targeting the RMP. And the FACT IS, there are models worth THOUSANDS of Bucks to be downloaded and resold, etc. I think those who are trying to laugh this off have me wondering where they are coming from. I think it's a SERIOUS threat to people who might be getting their personal info ripped off and to vendors who could be losing $$$ in sales. It's nothing to be laughed at... I've been on the internet for over 15 years, manage over 20 websites and a large server- and while I'm not a true techie (I have others doing that for me)- I'm not stupid either. I have the latest firewall and Norton packages and updates- which probably does protect me from script-kiddies, but NOT from a hacker with SERIOUS TOOLS, or maybe an INSIDE ACCESS- where Administrator Powers can do almost ANYTHING once you are logged into someone else's domain...


Jovial ( ) posted Wed, 26 January 2005 at 5:49 PM

Hi all,

It is a nice theory that those of us who have SEEN the messages warning of blocked intrusions into our PCs have actually already been compromised BUT this neglects the following facts:

  • Hackers don't attack sites, Zombie (compromised) PCs and servers do.
  • I am running Symantec Antivirus + Firewall, AdAware and MS Antispyware (all updated, usually every day). The problem really does not appear to be at my end!
  • My IP address is dynamically assigned so the chances of getting a spoof TCP attack to me, supposedly from marketplace is pretty tiny.

Can't someone wake up a techie at R'osity?

Jovial.


XENOPHONZ ( ) posted Wed, 26 January 2005 at 6:08 PM

I agree that this is something that should be looked into by RR staff -- but (at this point) I don't think that it represents a particularly serious threat. My firewall fends off 100's of various types of scans every week. And it has done so for years. So, a mere scan doesn't get me started. Besides, that's why I've got both hardware and software firewalls in the first place.

Something To Do At 3:00AM 



Veritas777 ( ) posted Wed, 26 January 2005 at 6:24 PM

Well- if you read my original post- it is NOT just one "mere scan"- this is a regular pattern that has been going on for nearly three weeks- all ONLY HERE at RMP. Among the MANY attempts reported by Norton was "MS-SQL_NullPacket_DoS" A threat which happened while in the RMP- Norton says- "This attack could pose a serious security threat. You should take immediate action to stop any damage or prevent further damage from happening." So there is no "mere scan" or low level threat here- someone is trying a SERIES of attempts using a variety of methods- and they are INCREASING in frequency... Just because YOUR MACHINE software hasn't warned you, doesn't mean that it is NOT happening on your machine! Maybe you just haven't DISCOVERED it yet- or the hacker(s) hasn't reached your machine yet...


Moonbiter ( ) posted Wed, 26 January 2005 at 6:35 PM

Crap I thought this was another post about some new Poser like software that would render better than Vue or have a cartoon plugin. :(


JeniferC ( ) posted Wed, 26 January 2005 at 6:37 PM

Yes, avalon/bondware is the Renderosity Marketplace server. Without doing any digging yet, it seems (or I'd like to hope) that someone is just spoofing our information. It does seem strange. I have looked over the Marketplace server and I don't see anything out of the ordinary. However, I have reported this to the real "techies" for them to make sure it's not a problem. They are currently dealing with backbone connection issues right now, so it may be a little while before they can look into this. I'll let you know something as soon as we find out more. Thanks to everyone that has notified us about it. Jenifer Keeling Renderosity Admin

 


JeniferC ( ) posted Wed, 26 January 2005 at 6:47 PM

Attached Link: http://www.whitehats.com/info/ids144

This is what I read about the error from Norton's site: *"Tcp_Xmas_Scan Severity: Low This attack poses a minor threat. Corrective action may not be possible or is not required. Attack Category: Suspicious Activity Anomalous network conditions or traffic patterns. A suspicious activity signature, for example, might detect two systems with identical IP addresses, a condition that indicates an attempted IP spoofing attack. Description This signature detects a TCP packet that contains a sequence number of zero, and with the FIN, URG, and PUSH bits set. Sending invalid combinations can result in DoS, Enumerations, and Reconnaissance. Additional Information There are reported incidents where legitimate traffic may cause an intrusion detection system to raise "false positive" alerts for this event."* More info at link
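The signature quoted in the post above (sequence number of zero with the FIN, URG and PUSH bits set) can be checked directly against a raw TCP header. This is an added example, not part of the original thread and not Symantec's code; the function names, the sample packets and the choice to require that no other flag bits be set are assumptions.

```python
import struct

# TCP flag bits: low 6 bits of the 16-bit offset/flags word (RFC 793).
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
XMAS_FLAGS = FIN | PSH | URG


def parse_tcp_header(segment: bytes) -> dict:
    """Parse the fixed 20-byte TCP header; reject truncated or malformed input."""
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, seq, ack, off_flags, _win, _csum, _urg = struct.unpack(
        "!HHIIHHHH", segment[:20])
    header_len = (off_flags >> 12) * 4
    if header_len < 20 or header_len > len(segment):
        raise ValueError("invalid data offset")
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "flags": off_flags & 0x3F}


def flag_names(flags: int) -> str:
    """Render the flag bits in a readable form for log output."""
    table = [(URG, "URG"), (ACK, "ACK"), (PSH, "PSH"),
             (RST, "RST"), (SYN, "SYN"), (FIN, "FIN")]
    return "|".join(name for bit, name in table if flags & bit) or "none"


def classify(segment: bytes) -> str:
    """Return 'xmas-strict' for the quoted signature (FIN+URG+PSH, seq == 0),
    'xmas-flags-only' when the flags match but the sequence number is non-zero,
    and 'no-match' otherwise. Assumption: any other flag bit (ACK, SYN, RST)
    being set means the segment is not treated as a match."""
    hdr = parse_tcp_header(segment)
    if hdr["flags"] == XMAS_FLAGS:
        return "xmas-strict" if hdr["seq"] == 0 else "xmas-flags-only"
    return "no-match"


def build_header(sport: int, dport: int, seq: int, ack: int, flags: int) -> bytes:
    """Build a 20-byte header for the constructed samples (checksum left at 0)."""
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack,
                       (5 << 12) | flags, 8192, 0, 0)


# Constructed sample segments; ports and sequence numbers are made up.
SAMPLES = {
    "signature as quoted": build_header(40000, 139, 0, 0, FIN | PSH | URG),
    "same flags, real seq": build_header(40000, 139, 0x1A2B3C4D, 0, FIN | PSH | URG),
    "web server closing a reply": build_header(80, 1055, 0x1000, 0x2000,
                                               FIN | PSH | ACK),
}


def report() -> dict:
    """Classify every constructed sample and return label -> verdict."""
    return {label: classify(seg) for label, seg in SAMPLES.items()}


if __name__ == "__main__":
    for label, seg in SAMPLES.items():
        hdr = parse_tcp_header(seg)
        print(f"{label:28} {flag_names(hdr['flags']):12} {classify(seg)}")
```

The third sample is the ordinary end of a response from port 80: it carries ACK, so it does not match the flag set even though FIN and PSH are both present.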

 


Veritas777 ( ) posted Wed, 26 January 2005 at 7:22 PM

Attached Link: http://securityresponse.symantec.com/avcenter/attack_sigs/sigs/MS-SQL_NullPacket_DoS.html

From Symantec's Website... MS-SQL_NullPacket_DoS Attack Category: Denial of Service Severity: High This attack could pose a serious security threat. You should take immediate action to stop any damage or prevent further damage from happening. Description This signature detects an attempt to exploit the NULL byte vulnerability in MS SQL Server. If Microsoft SQL Server 7.0 receives a TDS header with three or more NULL bytes as data, it will crash. The crash will generate an event in the log with ID 17055 "fatal exception EXCEPTION_ACCESS VIOLATION." Links SecurityFocus Website, BID: 817 Common Vulnerabilities and Exposures (CVE) Website, CVE-1999-0999 Microsoft Security Bulletin MS99-059


MindVision-GDS ( ) posted Wed, 26 January 2005 at 7:57 PM

hmmm.. well...hmmmm...



wolf359 ( ) posted Wed, 26 January 2005 at 8:05 PM

"And the FACT IS, there are models worth THOUSANDS of Bucks to be downloaded and resold, etc. I think those who are trying to laugh this off have me wondering where they are coming from." Perhaps from this place called "reality" where these "thousands of bucks worth of models" can be had freely from P2P networks by any half blind chimpanzee with an internet connection all accomplished without some elaborate ghost in the shell backdoor campaign requiring one to assume the virtual identity of each of us merchants and login to renderosity directly as that person and then .......sheesh!!!! do I even need to finish this paragraph??.



My website

YouTube Channel



Sarte ( ) posted Wed, 26 January 2005 at 8:06 PM

We are so screwed.

Do the impossible, see the invisible

ROW ROW FIGHT THE POWER

Touch the untouchable, break the unbreakable

ROW ROW FIGHT THE POWER



MindVision-GDS ( ) posted Wed, 26 January 2005 at 8:09 PM

hey now wolf...be nice..not everyone is brilliant :P



Dale B ( ) posted Wed, 26 January 2005 at 8:25 PM

Don't forget the woody points of cracking a high traffic site...and let's face it, if a kiddie could infect the Rosity backbone servers with a DoS worm, think of how many zombies might be created, just waiting to attack...


SamTherapy ( ) posted Wed, 26 January 2005 at 8:50 PM

[Bad Scottish Accent] Aye, we're doomed. Doomed, I tell ye. [/Bad Scottish Accent]

Coppula eam se non posit acceptera jocularum.

My Store

My Gallery


XENOPHONZ ( ) posted Wed, 26 January 2005 at 9:27 PM

I don't view this as a major threat. It's not the type of thing that I'll lose any sleep over. And, believe me......when it comes to internet security issues: I'm paranoid. This one doesn't rise to the level of a serious concern. Sorry if that disappoints anybody........

Something To Do At 3:00AM 



Veritas777 ( ) posted Wed, 26 January 2005 at 9:35 PM

If it's not happening to YOU- then you are NOT concerned... But since some of the above seem to make it clear that they get their software and models from P2P- which basically means theft and piracy- I'm not surprised at their LACK of concern about security issues. I guess I must be one of the few people who still BUY their software and models. I hadn't realized that the acceptance of THEFT is so wide-spread and basically "cheered"... (Only STUPID people still BUY their software and models, according to some of the above posts...)


XENOPHONZ ( ) posted Wed, 26 January 2005 at 9:53 PM

*But since some of the above seem to make it clear that they get their software and models from P2P- which basically means theft and piracy- I'm not surprised at their LACK of concern about security issues.

I guess I must be one of the few people who still BUY their software and models. I hadn't realized that the acceptance of THEFT is so wide-spread and basically "cheered"...

(Only STUPID people still BUY their software and models, according to some of the above posts...)*

Oops. I think that you are misinterpreting wolf359's post. He's one of the last people that I would accuse of using P2P for purposes of theft.

He was merely stating that since it's so easy to steal models by the services of P2P, then why would any hacker expend the great effort that's required to swipe the models directly? Not to mention the risks involved to the thief. P2P is so much easier.

BTW - I don't have any P2P software. I know some people that use Kazaa -- and there are legit uses for that software -- but I don't have it. Or any others like it.

As for wolf359, he's an old hand in the Poser community -- well known. No P2P going on there, I wouldn't think.

If its not happening to YOU- then you are NOT concerned...

No.....I just don't see this one as a serious threat.

And that's my honest opinion.

If I did perceive this to be a matter of deep concern, then I'd say so -- whether it was happening to me or not.

Something To Do At 3:00AM 



Moonbiter ( ) posted Wed, 26 January 2005 at 9:54 PM

Game over man! Game over! What are we gonna do now?! No one above seemed to make it clear that they got anything from a peer to peer network, they said it would be much easier than trying some complicated hack as you were 'theorizing'. So lay off the snide insinuations. I'm sorry you're getting bent out of shape that some folks are not taking your cries of alarm too seriously but as JennyK covered in the info about the Xmas deal "There are reported incidents where legitimate traffic may cause an intrusion detection system to raise "false positive" alerts for this event." As a computer technician who does this sort of thing for a living, I consider Nortons to be slightly above actually being infected with a virus. It's buggy, gives false positives far too often, and many times indicates the wrong type of attack is occurring.


elizabyte ( ) posted Wed, 26 January 2005 at 11:38 PM

If people really were breaking in to Renderosity to steal stuff, why on earth would they be pinging people and otherwise attracting attention? Why is it only apparently affecting one person? What do the alerts actually mean? There are more questions than anything else here, as far as I can see. bonni

"When a man gives his opinion, he's a man. When a woman gives her opinion, she's a bitch." - Bette Davis


hauksdottir ( ) posted Thu, 27 January 2005 at 12:37 AM

Just because people are bouncing up and down excitedly on the trampoline with you doesn't mean that they are all skulking sneak thieves! Maybe they have other protections. Maybe they use other operating systems. Maybe they've seen enough of Norton's quirks not to panic. Maybe they even have severe real world issues more worth worrying over than whatever is going on inside YOUR machine. Given all the sites that you visit, you ought to be more worried about that. And, BTW, it is crackers, not hackers. Carolly


Scarab ( ) posted Thu, 27 January 2005 at 1:29 AM

Oooorah! ....sorry....wasn't that my line? ....(shit!) Scarab <-(will never work in this town again, yadda yadda)


Seraphira ( ) posted Thu, 27 January 2005 at 2:00 AM

Well, at least it brings to our attention to have better at home and server security that is the issue here. Sigh. Unfortunately there will always be some taffer trying to invade servers, which I know all too well because myself I have two large servers. I do doubt that hackers are stealing passwords from renderosity though, I mean their security is pretty tight from what I understand, but nothing is perfect. PHP problem: As a merchant finding my products on warez cds and other cd's being sold I am quite pissed off, of course it affects sales and thing is what can I do? contact jenyk I gather and hope for a resolve? This is my idea, purely theoretical though. I believe that the "crackers" as hauksdottir so corrected. Is either buying and reselling or putting it up on PHP servers for mass distribution. >:(. Sera


kawecki ( ) posted Thu, 27 January 2005 at 2:13 AM · edited Thu, 27 January 2005 at 2:17 AM

Is like the vampires, they only enter if you open the door.
Renderosity can have ten thousands of hackers, crackers, trackers, packers, but they only can enter if your computer has something that opens the door.
The problem is your computer and not Renderosity, probably you have some spy or virus installed on it.
I have no Norton, no firewall, no active antivirus and I live in peace and very happy, of course I have no XP neither use IE!

Message edited on: 01/27/2005 02:16

Message edited on: 01/27/2005 02:17

Stupidity also evolves!


Khai ( ) posted Thu, 27 January 2005 at 2:22 AM

I think it's Norton at fault here. ZoneAlarm Pro shows nothing when going to the marketplace. And put it this way, ZA Pro is 20 times the firewall than Norton will ever be. Plus the logs from my hardware firewall..... show nothing as well. False positive to Norton again.


Andi3d ( ) posted Thu, 27 January 2005 at 2:43 AM

Not wishing to be contentious, but I can verify that Wolf359 DOES buy, and, without going into specifics, I would be very very surprised indeed if he/she was stealing stuff via p2p.

 "That which doesn't kill you is probably re-loading"


Porthos ( ) posted Thu, 27 January 2005 at 3:00 AM

Nothing showing up on ZA Pro logs here either!

MS Windows 7 Home Premium 64-bit SP1
Intel Core i7-2600 CPU @ 3.40GHz, 12.0GB RAM, AMD Radeon HD 7770

PoserPro 2012 (SR1) - Units: Metres , Corel PSP X4 and PSE 9


Kalypso ( ) posted Thu, 27 January 2005 at 3:29 AM
Site Admin

Attached Link: http://www.renderosity.com/messages.ez?ForumID=12357&Form.ShowMessage=2092238

Recently I came across a thread in the Community Center forum with a link to Mike Bonnel's wallpaper site which I HAD been to months ago but just re-visited to refresh my memory. I got the same exact alert as Veritas did, the MSSQL Null Packet DoS. Just mentioning this in case anyone can figure out where these are coming from - I'd guess one of the ads?


12rounds ( ) posted Thu, 27 January 2005 at 6:30 AM

"I have no Norton, no firewall, no active antivirus and I live in peace and very happy, of course I have no XP neither use IE!" Good luck in the future. I don't have XP nor use IE nor anything remotely associated with Outlook, but I don't rely on being lucky - I have a firewall (which btw reports access attempts every freaking day - about 1/100 of them being reported as blocked high-security risks), av-software and anti-spyware software. I consider having the protection BEFOREHAND a wise precaution.


wolf359 ( ) posted Thu, 27 January 2005 at 6:32 AM

Thanks to all that have "defended" me even though it was not even necessary. I thought it was common knowledge that P2P existed and Poser items, MP3s as well as entire major 3D packages can be gotten from those sources, without this frankly ridiculous scheme of assuming a particular merchant's identity just to steal his/her "conforming latex thigh boots" :-) But alas, some people now seem upset that they have taken time from playing "flight simulator" in their luxury Hawaiian condo, to post yet another EARTH SHATTERING revelation that will save us all. And we, the great unwashed masses, have yet again shown a complete lack of appreciation for the wisdom and grand vision of our would-be saviour :-) Same old, Same old ( walks away, shaking head ruefully)



My website

YouTube Channel



Poisen ( ) posted Thu, 27 January 2005 at 6:35 AM

<---- puts on his tinfoil beanie hat.


JHoagland ( ) posted Thu, 27 January 2005 at 8:40 AM

I don't mean to spoil the fun, but what does this have to do with Poser? Why is this in the Poser Forum? I only ask because I've had messages moved that had a lot more to do with Poser than this message. And I agree with wolf359- there are a lot easier ways to obtain Poser products than by trying to hack into this site. Just install [no name], do a search for "Poser" or "Renderosity" or "DAZ" and you'll be able to download hundreds of items. (I left out the name of the actual p2p program so the 10 people who don't know about p2p file-sharing won't figure it out.) --John


VanishingPoint... Advanced 3D Modeling Solutions


ArtyMotion ( ) posted Thu, 27 January 2005 at 8:58 AM

I don't mean to spoil the fun, but what does this have to do with Poser? Why is this in the Poser Forum? I only ask because I've had messages moved that had a lot more to do with Poser than this message. << Because the off topic forum is gone. 8-)


Moonbiter ( ) posted Thu, 27 January 2005 at 9:37 AM

Seven Days? We're not gonna last seven hours? In case you haven't been keeping up with current events we just got our asses kicked out there! (I no longer have anything constructive to say, just felt like adding to the comedic hysteria the thread is losing) :)

