I'm still worried about that Xmas Tree thing......ziggie's picture was a warning to us all......

I haven't been to the site lately, but I've got a URL to show what OS/Systems, etc. a web site is running. At last check (few months ago), I seem to remember it was about 10 Linux servers, and one Microsoft box. I can dig the URL up if anyone's interested..
Now that you guys mention it, when I logged onto 'rosity last night, instead of the usual Vickie clothing advert in the upper right hand corner, I saw one for finding out about my credit score (which is 0, so there's no sense looking even if it was legit..;). That didn't look normal. Time to drag out ad-aware and do another scan
Re warez- I went there about 3 years ago, and it was something like what I've heard about the pr*n sites; thumbnails that direct you to sites with more thumnails that direct you to sites with more thumbnails, etc..ad infinitum. Then I got a virus, so I'd steer clear of 'em. Not worth the trouble.

Speaking from a position of ignorance, are you looking at the wrong side of the equation? Which is more valuable to the crook? A random Marketplace item, or a customer's credit-card details? But how paranoid do you want to get?

The most probable cause are the off-site banners (like Smiley Central). Renderosity has no control over what those other sites are doing. I've read another thread about SmileyCentral and nasty script kiddies. A bit OT maybe, but I think it would be a good idea to remove all off-site banners (okay, RDNA, PoserPros and other RESPECTABLE sites about 3D would be fine!) and reserve that space for merchants. That would also increase trips to the MP. Right now, I don't trust the banners anymore, so I don't click them anymore (and I consider blocking them). That's a loss for the MP.

It's always the easiest solution to say that people need to check their own puters instead of warning that they met with something bizarre here at R. (or another site).
My puter is free of Adware, I have no Trojans, viruses or whatever.
And I see no reason whatsoever to try and ridiculise someone who starts a thread like this and asks for a second opinion (because to him also this seems unlikely).
It is very cheap to try and make fun about it.

Message edited on: 01/27/2005 13:14

Anyone concerned about this Norton warning should do a search on "TCP_Xmas_Scan" to see that it is a relatively common warning that does NOT usually require action. If you do a search, you'll see it's rather common. It is possible that our site having multiple IP addresses causes some to get that warning. I use Norton too, but haven't received that message. I think it's because I don't have my settings as sensitive (I don't care to know about minor things that don't need attention). I can say that the site was running slow due to backbone/bandwidth issues. That caused several SQL errors, but the slowness was not related to the Norton message you received (above). We do occassionally get DoS attacks and have to fight over zealous crawlers (search bots), but we try hard to keep the site (servers) running at their best. We do have adds running that do not direct back to us, so seeing ads about credit reviews isn't highjacked banners :) We did get complaints about the "Central Smileys" banner ad that was running (because when you go to their site it does want to load a bunch of junk on your computer) so we have removed it. Our Marketplace does not load spyware. If you have pop-ups when you're browsing the MP, then it's ad ware that is already on your computer. I hope that helps resolve any concerns about the RMP. Thanks, Jenifer

**Among the MANY attempts reported by Norton was
"MS-SQL_NullPacket_DoS"
A threat which happened while in the RMP- Norton says-

"This attack could pose a serious security threat. You should take immediate action to stop any damage or prevent further damage from happening."**

Norton is too buggy and untrustworthy. I'd trust my windows firewall before I'd trust what Norton tells me.

I think you guys need to lookup the term "HACKER" again: a real hacker WOULD NOT be interested in this site. Not even for credit card info. They target sites like GOV or FBI, etc. This site would not be a challenge to any real hacker. You can actually DL Poser figures from P2P so they wouldnt bother with this site at all. They would NOT lower themselves to script kiddie level and even a script kiddie would not be able to hack into this site. and if that was the real case this site would have gone down for the count, bigtime if it was under a hack, dont get so paranoid. One hack attack and the admins here would catch it in a heartbeat. :)
Message edited on: 01/27/2005 13:24

Agreed that off-site banners are a risk -- I've known other places where the adverts have caused me browser problems, perhaps because they throw some Javascript at me which my browser doesn't like.

I do not browse with IE. I do not have Norton. My own puter is very well protected, so I am not worrying about something that might be installed on my puter through the MP. I am shure that R. does everything possible to protect their servers,and that they have the necessary specialists that can block 99,9% of the eventual attacks. Yet it is not true that one of the biggest Poser-related vendor site with many customers paying either with a credit card or Paypal would not be interesting for someone with dishonest intentions. I am not saying someone got through the safety, but I see no problem in someone warning that something bizarre happened and asking for a second opinion. We all have to be attentive.

If people from here are getting popups from the MP that means they could also have a Trojan already embedded in their system or a worm from a previous site and didnt look in their system folders to clean it out. Popup banners lead to browser hijacking, which will, in turn, place trojans & worms on your machine. Norton wont always catch it. If you got caught and keep on experiencing popups on certain sites that don't have em then you will need to cleanout your computer. Virus software doesn't always prevent your browsers from being hijacked especially in IE. No virus software catches everything that's out there.

Strange thing - this morning I saw a banner here that advertised a Hess Visa or Mastercard. Ran Ad Aware just 'cause I do so about once a week. Now the banner is a definite Poser merchant. Was that Hess banner ad a hijacking of some sort? It definitely wasn't Poser related.

It's the freakin' military man! Yeah! Just like that Twilight Zone episode where they turned off the electricity and phones on this one block to see how they'd react to losing their technology. They started accusing each other of being aliens and killing each other... yeah that's what's happening... it's aliens.... OH MY GOD THEY'RE EVERYWHERE!!!!!!!!! AAAAAAAAAAAHHHHHHHHHH!!!!!!! yes doctor, i'm sorry i'll take my pills now

The other websites I visit- like DAZ, RDNA and PoserPros don't have these Norton alerts. I have been visiting RMP for years and have never seen this type of activity before. As I stated, this began about three weeks ago- when the first alert came up. I regularly run several programs to check for viruses, trojans, spy-ware, etc. I am also VERY cautious about clicking on links. I skip over a lot of Free Stuff now because I don't like the looks of some of these offers- which seem to be fronts for other activities. I don't visit game sites, other than, yes, Flight Simulator sites in the US and UK, and I don't get these Norton alerts there either. I have NEVER seen a pop-up ad at Renderosity until I saw the full page pop-up advertising computer games for sale in the RMP about two weeks ago. I can't buy into the idea at all that hackers, etc- would NOT be interested in RMP. A lot of hackers aren't just going after FBI websites- they are DRUGGIES going for where ever they can get some cash- or something (anything) to turn into cash. The fact that just a password can get you access to a couple of YEARS worth of model purchases- is well worth a hacker's efforts if they want to get a lot of models for free... and since Renderosity AND RDNA have the most LAX of security policies reguarding this. (DAZ and PoserPros are obviously more aware or "paranoid" -I wonder why???) Bottom line: I have bought a lot of models over the years at RMP- and if my software says its becoming a place to get hacked- I'm not shopping here anymore- I'm going to safer websites where I don't get bogus ad pop-ups and alert warnings. I would rather trust what my computer firewall software is saying rather than some half-baked Pollyana view that everything is "o.k.". I DON'T think so...

Wow. Have you considered that maybe "YOUR" firewall software is actually that which is chuffed?

"I can't buy into the idea at all that hackers, etc- would NOT be interested in RMP. A lot of hackers aren't just going after FBI websites- they are DRUGGIES going for where ever they can get some cash- or something (anything) to turn into cash." --------------------------------------------------------------------------------------- Ya and desparate "druggies" inevitably steal cash value items from,family friends and realworld retailers to suppot their habits. Think about what you are saying citizen, who, in all of creation, is going to pay cash for some ill gotten internet downloads of poser specific fetishwear etc.?????? Please ;-/

two words. False Positive. funny that ZoneAlarm reports nothing. Black Ice reports nothing. Windows Firewall reports nothing. move on ppl. nothing to see here. no mutant christmas trees....EK!

no mutant christmas trees....

Huh. At midnight, when a full moon is shining through your window......when you hear a strange rustling noise coming from somewhere down the hall....coming from your living room......closer......closer........

Just keep repeating to yourself, over and over again: "It's not real......it's not real.........it doesn't exist.........."

If crackers/script kiddies ARE interested in 'rosity, it won't be for the models. Script kiddies go for the "fun" of bringing down a high-traffic site (but they'd do it using a distributed DoS attack), crackers would go after credit card info - and 'rosity doesn't store that info. About port scans: I expect to see several port scans per day in my logs, those are just the automated ones used by crackers and script kiddies in search of vulnerable systems. Any decent firewall (yes, even the WinXP firewall) is sufficient to fool those port scanners. I'm not worried. But I still don't trust offsite banners.

Okay kiddies I'm bored at work so quiz time: Scenario 1: I'm a druggie. I need another fix. Do I a: learn how to run a series of scripts so I crack my way into Veritas's Renderosity session, steal his password, download tons of models and then trade them for drugs? b: tell the dealer how to download them from a p2p network for drugs. c: sell my computer for drugs. d: go into rehab. Scenario 2: When Nortons tells me that my PC is under attack do I: a: Seek information on the type of attack to determine if it is a serious threat to my pc or information then act accordingly? b: Panic and scream the equivalency of the sky is falling and attack anyone who doesn't agree with me? c: Shoot my PC and stop the cracker cold? d: Unistall Nortons after realizing that the Xmas attack is another false positive and get Zone Alarm which offers some real protection? Scenario 3: After being told that the 'attack' on my pc was most likely a 'false positive' or if real not a big deal I should: a: Claim that attack was the work of a gang of druggies seeking to steal tons of models in their 'Bytes for Snorts' campaign. b: Assure myself that everyone else is crazy, even if they are professionals, because the Xmas_Scan is out to get me. c: Take the advice offered try Zone Alarm and see if I still get reports of these attacks. d: Click the big red x in the corner and forget I ever posted last night? :)

if you answered : Question 1: A Question 2: B Question 3: A then please enter our "most likely to get it wrong again" contest! First Prize is a Tinfoil Hat donated by everyone that answered C, D, C.

There is a black market for Poser's props, you can buy a nuke for a Vicky3, a side-road bomb for a chair prop and a sling for a background plane.

LMAO. I just don't think a hacker/cracker or even a script kiddie would bother with RMP. A 'cracker' cracks software & databases for passwords. THEY DO NOT HACK INTO WEBSITES. Hackers DO NOT GO into 3D sites to hack for 3D Models or figures. I know plenty about website security and what hackers go after they target Bill Gates before they'd target this site. Hackers are too busy hacking Microsoft to be bothered with Renderosity's MP. Hacker's do not bother with stolen software sorry, not even a druggie would bother with Poser items, even for cash.

Attached Link: mySQL virus

you may have the newly discovered MySQL bot/trojan virus.

ZoneAlarm reports nothing. Black Ice reports nothing. Windows Firewall reports nothing. Sygate Personal Firewall reports nothing. Just thought I'd mention it. bonni

Just to be clear, musicat!

Is that a link about the virus or the virus itself?!?!?

Message edited on: 01/27/2005 20:18

Attached Link: http://news.zdnet.com/2100-1009_22-5553570.html?tag=nl.e589

It's a link to an article at zdnet. :-) Link attached. ;-) bonni

MySQL bot/trojan virus.. "......infects computers running the Microsoft Windows operating system and open-source database known as MySQL.... ..installed alongside open-source operating systems, such as Linux". From what pakled posted, that sounds exactly like Rendo's server set-up. SWAMP

The link i provided is the Zdnet info on the virus. thanx eliz

Message edited on: 01/27/2005 22:33

Attached Link: http://www.javacoolsoftware.com/

Get SpyBlaster. It is free with no gimmicks or adware and all that junk. I use Norton Anti-virus, Ad-aware, Microsoft anti-spyware, and Yahoo Anti-Spy. Since installing Spy-Blaster I haven't received any notices of spy-ware on my computer from any of these programs. Forgot to mention: Spyblaster doesn't find spyware or ads on your computer; its job is to prevent them from getting into your computer. You can find Spy-Blaster here: www.javacoolsoftware.com/

Attached Link: http://www.eweek.com/article2/0,1759,1756090,00.asp

Thanks to those who have provided some useful help and further useful information. Having a few SANE people join this thread is great (instead of the usual Yo-Yo's)... ********************************************************* MySQL 'Bot' Attacks Windows Systems January 27, 2005 Malicious hackers have launched a zero-day bot attack against default Windows installations of the MySQL database engine, infecting vulnerable systems at the rate of 100 per minute, security experts warned on Thursday. The bot takes advantage of the publicly released "MySQL UDF Dynamic Library Exploit" to break into the open-source MySQL package. Once a database is hijacked, infected systems will connect to an IRC (Internet Relay Chat) server and retrieve propagation instructions. Johannes Ullrich, chief technology officer at the SANS Internet Storm Center, said his handlers discovered more than 8,000 hosts connected to the IRC server during the day on Thursday. MySQL is a freely available database engine designed to provide fast access to stored data. It is installed on more than 8 million systems worldwide, according to MySQL AB, the Cupertino, Calif.-based firm that develops and manages the program. Because of the wild popularity of MySQL, it is likely that many more MySQL systems could be infected but blocked from connecting to the swamped IRC server, Ullrich told eWEEK.com. In order to launch the exploit, Ullrich said the bot first has to authenticate to "mysql" as "root" user. Once authenticated, brute-force attacks are launched using a list of passwords included with the bot. Jacques Erasmus, security consultant at host intrusion detection firm Prevx, said the hijacked database engines are creating a zombie network of machines capable of being misused. Attacking all MySQL Windows installations, Erasmus said the bot, identified as MySpooler, opens three listening ports on the target machine and drops in an eight-character random file name. He said MySpooler also provides a backdoor for the attack to access the machine and deliver payload. According to an advisory from the SANS ISC, the bot creates a table called "bla" using the database "mysql," which is typically used to store such administrative information as passwords. Ullrich said the bot includes the usual set of bot features such as a DDoS (distributed denial of service) engine, various scanners, commands to solicit information like system stats and software registration keys from infected systems. "This bot does not use any vulnerability in MySQL. The fundamental weakness it uses is a weak 'root' account," he said. The SANS ISC recommends that MySQL users select a strong password for the "root" account on Windows installations. Administrators should also set up restricted access to root accounts and apply firewall rules to make sure MySQL servers are not exposed to attackers.

Attached Link: http://www.computerworld.com/securitytopics/security/virus/story/0,10801,99282,00.html

MySQL installations targeted by Forbot worm variant JANUARY 27, 2005 (IDG NEWS SERVICE A new wormlike threat spreading on the Internet targets computers running the MySQL open-source database software, and thousands of Windows machines running MySQL have already been infected, according to one security expert. The new pest is a version of a common network worm named Forbot. It infects machines by exploiting loosely secured MySQL installations running on Windows machines connected to the Internet. The new Forbot variant is one of the first known examples of an automated Internet threat targeting MySQL and could infect machines running a wide range of database applications that use MySQL, according to Joe Stewart, a senior security researcher at LURHQ Corp. MySQL is an open-source database software program that is managed by MySQL AB. The product runs on Unix, Linux and Windows systems and is a popular alternative to Microsoft's proprietary SQL Server database among Web developers. The MySQL AB Web site claims more than 5 million MySQL installations worldwide. MySQL AB didn't immediately respond to a request for comment. The new threat was first detected yesterday, when Web developers in Australia reported infections by a program called spoolcll.exe, which was attempting to connect to an Internet Relay Chat channel in Sweden, according to Johannes Ullrich, chief technology officer at the SANS Institute's Internet Storm Center. The ISC also noted a spike in scans for MySQL port 3306, which is associated with infection by the new Forbot variant, Ullrich said. A check of the IRC channel today showed more than 8,000 systems connected. Many more MySQL systems could be infected but may be prevented from connecting by the overwhelmed IRC server, Ullrich said. The new version of Forbot infects machines by taking advantage of administrator accounts with weak or nonexistent passwords. The worm cracks the accounts by trying values from a predefined list of around 1,000 possible passwords, Ullrich said. First discovered in July, Forbot is a network worm with built-in backdoor features, according to antivirus company Sophos PLC. Dozens of Forbot variants have been identified. Once the worm gains access to the MySQL root account, it uses a known exploit, called the MySQL UDF Dynamic Library Exploit, to upload and install malicious code to the infected system. The exploit used by Forbot was first noted in December and allows an attacker with so-called "root" administrator permissions to expand the default functions available to the root account dynamically, Stewart said. "I'm not even sure it's an exploit so much as a feature -- the ability to create new functions on the fly," he said. Systems infected with the new Forbot variant connect to an IRC channel that is controlled by the worm author and receive instructions through that channel, Stewart said. Right now, the systems are being instructed to scan for and infect other MySQL systems. But those instructions could be changed to instruct the infected systems to launch a denial-of-service attack or other actions, which would stop the worm's spread, at least temporarily, he said. To be infected, MySQL has to be configured to allow the root account to log in remotely to the system. By default, the root account is allowed to log on only at the machine running MySQL, rather than remotely. The root account also has to use a password that is on Forbot's list of passwords, Ullrich said. The worm poses the most risk to Web developers who may be running the product on loosely secured workstations that are connected to the Internet but do not have firewall software running, he said. However, MySQL is commonly used in third-party database-driven applications, as an inexpensive and open-source alternative to Microsoft SQL. That could expand the pool of likely victims beyond the developer community to "power users," Stewart said. Stewart said that the new Forbot variant will probably not rate a severe threat, noting that the number of computers running MySQL is much smaller than the number of systems running programs like Windows or Microsoft Office. However, the worm is notable for being one of the first automated attacks on MySQL, Ullrich and Stewart said. MySQL administrators were encouraged to strengthen their root account password, make sure that MySQL does not allow remote logins for the root account and use a firewall to prevent direct access to port 3306 from the Internet.

OK, jus curious here... I've read through & noticed 3 sides to this issue; those who have had this activity, those who haven't, & those who couldn't give a rat's ass whether they have or not. What I've (almost) deduced from ny obsevation is a question...What Browser/ AV setup are those experiencing this phenomenon running? To me it looks universally like IE/ Norton. My suggestion; Get a better browser & A/V ( I heartily agree w/ seveal others above that Norton is a PoS, & we all know 'bout Microsoft & security, right?)

"The new threat was first detected yesterday, when Web developers in Australia reported infections by a program called spoolcll.exe, " If it is spoolcll.exe it means that are running Microsoft Windows or DOS, programs with the extension .exe does not work under Linux, FreeBDS, Unix and as I know Renderosity doesn't use Microsoft's servers!

So what's the "logic" that because people running Norton were gettings these alerts- that Norton is shit? Norton was RIGHT! The news stories just out PROVE THIS! People who were running a current and up-to-date Norton Firewall setup SAW IT, while the rest did NOT! How can it be "better" that firewalls and software that did NOT detect this activity is BETTER? Is just the OPPOSITE! Anyone who is in Science or Medicine would want tools that DETECT things- not HIDE them! (That would be totally stupid!) How can these be FALSE DETECTIONS when the above stories show that the alerts I and others were getting were TRUE DETECTIONS of the signatures of this virus/worm. Because people are not seeing them NOW is because we would have to assume that the Renderosity techs have found the problem and corrected it. But I really DOUBT they will ever admit to it. The articles on this virus/worm indicate that the problem is really due to LACK of good security measures, and no one wants to admit that. RMP has one of the most LOW-TECH and easy to pilfer and plunder setups of any marketplace anywhere. By just getting passwords (that are easy to crack) people can get access to SEVERAL YEARS WORTH of model purchases-- worth THOUSANDS in some cases- yet a LOT of people here seem to LIKE THIS setup! I think RMP mechants are being RIPPED OFF like crazy and it makes RMP just like a big P2P Piracy setup for those who get the passwords. But OBVIOUSLY NOBODY here wants to talk about this really lousey "security" at RMP. DAZ and PoserPro's don't operate with such a really sloppy and loose security setup over customers model purchases...

Attached Link: windows processes

here is a process list found in windows. before disabling it in the configuration section, read the info here. this is a very good site for giving basic info on faulty windows processes that run in the background.

Message edited on: 01/28/2005 23:10

Don't forget the hidden ptocesses that you normaly are not able to know that there are running. Also I should like to know how do you do for running spoolcll.exe under Linux, maybe with Lin4Win?

oh shut up veritas. you running a MySQL setup at home? hmm? like spreading panic? hmmm? talk to the Admins. and shut up for a change will you? thats a good little shouty person.

I use Norton, and have had no such alerts. Veritas777, let me give you some friendly advice. You did your part by trying to alert people to a problem you experienced. You may be right, or the problem could be caused by something unknown going on behind the scenes. Some of us might be interested enough to ask more questions, or point out some possible alternative explanations. But you did your part, and you can take care of yourself. Let the rest of us worry about ourselves.

Veritas, you're clueless. Yeah there is a new mysql worm out there. But your little Norton alerts you screamed about have nothing to do with it. Nor did the info you posted about it say anything about Nortons being the only thing finding it. That is a conclusion you made up to back up your rantings. I'm also pretty sure that all the papers I've read on this worm didn't say anything about druggies creating it in order to steal poser content. In addition IF and I repeat IF rendo was infected then only their root login would be in danger, not your PC unless you are running an unprotected mySql database. I also doubt that you have the technical background to judge the quality of any sites security measures regarding root/admin accounts or data security. What it comes down to is that you are trying to pass off information you read but obviously don't understand as back up for your parinoid rantings. That's wrong plain and simple.

This thread has run its corse and is getting out of hand I am locking this thread. SndCastie Poser Moderator