October 29, 2005

Trojans and the Like

Tonight, someone going by the handle "hypermind" went to the Ritualistic forums and posted links to a site that redirected people to a site that tried to infect people's machines with trojans.

This kind of stuff really pisses me off.

So, if you know the person behind the "whois" dump below, please do me a favor and kick them in the crotch. It's the very least that they're asking for...

4 comments:

igor said...
This comment has been removed by a blog administrator.
Sam Hocevar said...

Wow, dude, I should have you kicked in the crotch for posting my personal information and calling publicly for violence to my person. There are no trojans on that website and never were, just standard Flash, AJAX etc. and a few pictures that you may not like but then don't visit websites.

Michael Russell said...

Sam, since your E-mail address is bouncing my replies, here is what I tried to send to you.

At the time this was posted, I worked at Ritual and a user named "hypermind" posted several dozen links to a site nobody recognized.

When I tried to visit the site to moderate the link, the page that was linked to was redirecting to a page on nimp.org that caused multiple virus scanners to freak out. After verifying that it wasn't existing software on my machine by trying it from a different machine, I suspended the account that posted the links, deleted the posts, and notified your ISP's abuse address as part of our standard policy at the time.

As for the information, it's copy/pasted from a WHOIS lookup. Now while someone may have been able to compromise your site and upload a bad file, in which case I feel for you as I've had that happen myself in the past, in the end we (as site owners) are responsible for the content of our domains. Have you done a content audit since October 2005 to look for unauthorized files on your domain?

Sam Hocevar said...

I think I know perfectly what is on my system, thank you. The particular website you are referring to is even open-source software that anyone can install and audit.

As for the personal information, you may have noticed that it is nowhere to be found on any whois server. Don't get me wrong: I am a grownup and I am willing to take responsibility for my actions. But since I do not live at that address, I find calls for physical violence rather inappropriate. You have a blog, I don't think I need to explain how stupid people can be.

I am sorry about my e-mail address bouncing; it should be back within a few hours. If you would have preferred this conversation to be private, let me know and I will remove my comments.