Probably bad news on the PHF!!!

Jmman

Diamond Member
Dec 17, 1999
5,302
0
76
I just this morning received a threatening email from an @Home user telling me not to hack into their computer again or he was going to come after me. The key part of it was that he accused me of installing the RC5 client (with my email) onto his computer. I think we have definitive proof that these blocks are from hacked machines...
 

Robor

Elite Member
Oct 9, 1999
16,979
0
76
Hacked machines? :Q Well that sure changes things doesn't it! Hopefully the actions of this person don't discredit Team Anandtech.

Rob
 

Engine

Senior member
Oct 11, 1999
519
0
0
Send the guy an email back, and see if he has any idea how the client got on his machine. Maybe we can help track the PHF down.
 

Beefcake

Senior member
Oct 9, 1999
243
0
0
Always said from the beginning that this PHF was way too dodgy to be true! Looks like we were right! Have no idea how DNet are going to sort those bad blocks out, won't be easy!
 

Tuinhark

Member
Apr 27, 2000
30
0
61
This @Home user... Is that @home America or the Netherlands or something? (some_user@home.nl)
 

BoberFett

Lifer
Oct 9, 1999
37,563
9
81
%!@#, how many times did we ask D.net to look into this and either heard nothing in response or were told that they didn't see anything wrong with it.

If this is a fact I'm gonna be mighty pissed off. If D.net is gonna get lazy and stupid I may just switch my whole herd to GF.
 

Jmman

Diamond Member
Dec 17, 1999
5,302
0
76
It was from an @home USA user. He was not very pleasant or happy, so I do not think he will be very cooperative in this effort. Someone needs to let Dnet know that the PHF mystery definitely needs further investigation. The mystery of how PHF was giving away 500k blocks to anyone that asked seems to be answered, but I don't know what we need to do about it.....

***Here is the text of the message***

I don't know who you are or why you have inserted directory and registry entries on my system. This is abuse as defined by the FCC and the terms of my agreement with the @home network. Should you continue this type of activity I will not hesitate to contact my ISP to take corrective action. I have deleted the inf\rc5 and \distributed.net directories as well as all registry entries to block your further attempts. New entries will immediately be reported.

I have no time or patience for this type of activity and I will persist until this stops.****

 

Russ

Lifer
Oct 9, 1999
21,093
3
0
Jmman,

I hope you eMailed him back and explained that you had nothing to do with it; point him to this forum if he believes otherwise. You should also, if you haven't already done it, report this to dnet immediately. I find their casual attitude toward this whole PhF situation very surprising.

Russ, NCNE
 

Jmman

Diamond Member
Dec 17, 1999
5,302
0
76
Russ,

I did exactly that. I just emailed him about this thread and if he has any further information to feel free to post it here. I am just now composing an email to Dnet concerning this situation. I hope it gets straightened out.....
 

Scorpion

Senior member
Oct 10, 1999
748
0
0
I'm in total agreement with Russ. Be polite and nice to the guy and explain to him that you had nothing to do with this. He'll most likely lighten up towards you. The fact that you responded would most likely indicate you aren't a threatening hacker.

And I too am very surprised at D.net's "lax" attitude towards this fiasco.

I for one want that PhF to STOP immediately. This has gotten way out of hand. It was fun for a while, but now it's not anymore. Please shut down your herd or create your own account. We do not want our team to earn a bad rep because of this. If you have any compassion in you please stop or at least come forward. I for one am fed up with it.
 

Possessed Freak

Diamond Member
Nov 4, 1999
6,045
1
0
The problem is that the d.net client is very, very easy to install because of the variety of machines and conditions on these machines. All d.net can do is look at the hostnames, contact the people who are contributing blocks and ask them a simple yes/no (did you know the client existed?). Then d.net NEEDS to make their future clients less trojanable. A possible solution means you no longer enter an email into an ini, but a password you received via email. Every block you crack now has your password in it, so when you submit they know who to credit it to. Heck, they could use rc5 encryption of the password when you submit.
 

Scorpion

Senior member
Oct 10, 1999
748
0
0
"Heck they could use rc5 encryption of the password when you submit"

HAHA! So true! They should!
 

GizmoNL

Member
May 31, 2000
28
0
0
I don't think D.net can punish AT for the actions of the PhF, because you've mentioned it to them before. So it's their problem, not yours.
Further, I know someone who hasn't sent in any blocks lately, but has received some blocks from the PhF. It might be interesting for D.net to see what IP address sent those blocks; then again you have an infected machine, which could lead in the right direction.

For privacy reasons I cannot give you his name or number on this forum, but if you guys are really interested, I could ask him if he wants to help.

(he gets 500 to 1000 blocks a day from mr PhF)
 

bphantom

Senior member
Oct 9, 1999
647
17
81
This is in defense of D.Net, just because it is "believed" they have the know-all ability. All D.Net receives with the cracked blocks is the IP address of the sender. Doing a nslookup of that IP in most instances will NOT reveal any sort of identity of the user. For example, my ISP's modem pool is all slc****.modem.xmission.com. D.Net would have to contact my ISP, give them the IP and date stamp, and truly hope my ISP gives them that info (for my ISP, they probably will not get any information unless under court order). Same with my cable modem hostname. c******.***.home.com will not reveal my email address.

Please understand D.Net cannot just magically retrieve the trojan'ed users' email addresses and notify them. They are in a no-win situation. Look at Nugget's stats, he is being propelled by trojan clients. Filters would have to be added to the stats run to differentiate possible IPs Nugget's legit blocks would come through and then pipe all excess blocks somewhere else. Would a solution like this work for the amount of people affected by PhF? You can already tell D.Net did not pursue a solution like this. I'm putting words in their mouths when I say there is really nothing they can do. The best thing to do is just make known that you believe part of your stats are being propelled by possible trojan clients. This way you are protecting yourself if the trojan'ed users start complaining to D.Net.

As for the trojan client being on this @Home user's machine, it could have gotten there quite a few different ways. The user received/downloaded (ftp, www, or email) an unsuspecting program and ran it (my belief is that this is the common reason), someone else loaded it locally or remotely (possible BO variety of tools), or file sharing was active and someone injected the executable onto the machine as a general use program that would be run sometime fairly soon. A firewall or being a bit more suspicious of what you download and run can go a LONG way.

Sorry if I came off long winded, but I needed to get that out of my system. Brad..

Edit: Oh, and for the record I'm receiving ~6,000 blocks a day from PhF.
 

JollyP

Member
Jul 3, 2000
62
0
0
Sorry to interrupt your discussion, but it seems to me that D.net doesn't have a clue what is going on here, which is very surprising after all the commotion about the PhF. There seem to be at least 3 teams "benefitting" from the PhF: AT, DPC and SysOpt.

I think now is the time, viewing the latest evidence, that D.net has to be honest with us:

1) They don't have a clue
2) They didn't know
3) They don't care
4) The PhF is a D.net member
5) At least let all of us know what they are doing about it

I sincerely hope this whole matter will be sorted out in the next couple of days.

Never mind all the spelling mistakes, I am getting quite sick of this PhF thing.


greetings
JollyP


 

BoberFett

Lifer
Oct 9, 1999
37,563
9
81
bphantom

I heartily disagree. There aren't too many ways for one person to crack hundreds of thousands of blocks per day. The only way I can think of to do this is to use a corporate network. Since most people here flush through Mika's, that should be the only IP address that shows up in D.net's logs. Any IP other than that came from the PhF. A simple reverse lookup on the IPs of those blocks will generally determine which network they came from. In this case, it would have been shown that an @home computer was submitting these blocks. @home is not the provider for any major corporate networks that I know of. Someone who can generate hundreds of thousands of blocks from home computer networks either has A LOT of friends, or they're using a trojan.

No doubt, you can't just magically get user information based off IP addresses. But a little bit of intelligent detective work and a picture can start to be drawn from the evidence.

<< It could have gotten there quite a few different ways >>

But with one of our team members' names in it? At the same time he's receiving blocks from the PhF? That's not just a coincidence.

I find D.net's apparent disregard for this issue to be inexcusable.
 

Russ

Lifer
Oct 9, 1999
21,093
3
0
bphantom,

My concern is not the lack of investigation on dnet's part. I understand the difficulty in pinning something like this down. With all they have to do, I certainly don't expect them to expend precious manhours in the pursuit.

My concern is this: They clearly stated in one of the threads that it is NOT a trojan. Well, I think the evidence is mounting that it is. If they don't believe it is, and yet it turns out to be, what does that say for the integrity of the project?

Russ, NCNE
 

DAM

Diamond Member
Jan 10, 2000
6,102
1
76
Sorry to barge in, but how can the blocks not be legit? Let's suppose:

PhF hacked into a computer, installed RC5, then added some user so he/she would get the blocks; the owner of the computer finds out, removes the client and tries to find who hacked into his/her system. Will the blocks cracked on that machine be removed? If so, why?


Just curious, this sounds awfully interesting, especially since I just quietly crack in my corner of the forum.



dam(42)
 

Possessed Freak

Diamond Member
Nov 4, 1999
6,045
1
0
Then here is another solution: stamp more info on the blocks you flush. Like the name you registered through Windows, or whether or not the client was actually installed or just running off a batch with no registry commands. Or something along those lines, I really don't know what they can transmit that would aid the punishment of trojaned computers..
 

Skaven

Senior member
Oct 18, 1999
835
0
0
This is semi related, but did you guys know that McAfee Virus-scan reads RC5 as a virus?!

I was copying the dnetc.exe to a computer here at the office, and BOOM "Virus-sheild has detected a virus!"

I thought it was on the disk.. but it's the actual file!

<shrug>

-Skaven
 

BoberFett

Lifer
Oct 9, 1999
37,563
9
81
bphantom

I'll add this as long as I'm ranting.

You gave your own host name as an example of D.net's inability to track down a perpetrator, but I'll use it to prove my point. I only submit blocks through a couple of locations. In that case, the only IPs that should show up under my name are known to me. If D.net sent me a list of IPs I could easily determine which were my blocks and which weren't. I could then do a reverse lookup and find the network they came from. Even if the only info I could get back was ***.xmission.com I'd know something was up. A quick trip to xmission's web site tells me that they're a local ISP in SLC and surrounding area. But wait, how did a dnet client and an .ini with MY E-MAIL ADDRESS in it get to Utah? Seems pretty obvious at that point that something fishy is going on.

Perhaps in the future, finished blocks should retain an IP trail from each proxy they hit?
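
The cross-check described in the post above (compare the source addresses credited to a participant against the locations that participant actually submits from, then group the remainder by network), as an added example that is not part of the original thread. The log layout, addresses, hostnames and e-mail addresses are constructed, and reverse-DNS names are taken as already resolved so it runs offline.

```python
import ipaddress
from collections import Counter, defaultdict

# Constructed allowlist: networks each participant says they flush blocks from.
KNOWN_SOURCES = {
    "alice@example.org": ["192.0.2.0/28"],       # team proxy
    "bob@example.org": ["198.51.100.17/32"],     # single office machine
}

# Constructed log rows: (credited e-mail, source IP, reverse-DNS name, blocks).
SUBMISSIONS = [
    ("alice@example.org", "192.0.2.5", "proxy.team.example", 1200),
    ("alice@example.org", "203.0.113.40", "c-40.cable.example", 350),
    ("alice@example.org", "203.0.113.77", "c-77.cable.example", 410),
    ("bob@example.org", "198.51.100.17", "host17.office.example", 90),
    ("bob@example.org", "203.0.113.91", "c-91.cable.example", 500),
    ("carol@example.org", "198.51.100.200", "dial200.isp.example", 15),
]

def network_of(hostname):
    """Collapse a reverse-DNS name to its last two labels (a rough provider key;
    multi-label suffixes such as co.uk would need a public-suffix list)."""
    labels = hostname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else hostname

def is_known(email, ip):
    """True if ip falls inside a network the participant declared."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n) for n in KNOWN_SOURCES.get(email, []))

def unexpected_sources(submissions):
    """Per credited e-mail: blocks per provider from undeclared sources."""
    report = defaultdict(Counter)
    for email, ip, host, blocks in submissions:
        if email not in KNOWN_SOURCES:
            continue  # nothing declared, so nothing to compare against
        if not is_known(email, ip):
            report[email][network_of(host)] += blocks
    return {email: dict(nets) for email, nets in report.items()}

def shared_foreign_networks(report):
    """Providers feeding undeclared blocks to more than one participant."""
    seen = Counter(net for nets in report.values() for net in nets)
    return sorted(net for net, count in seen.items() if count > 1)

if __name__ == "__main__":
    rep = unexpected_sources(SUBMISSIONS)
    print(rep)
    print(shared_foreign_networks(rep))
```

A provider that shows up as an undeclared source for several unrelated participants is the pattern worth escalating, since it points at one set of machines crediting many accounts.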
 

GizmoNL

Member
May 31, 2000
28
0
0
DAM,

D.net has clearly stated that it's not allowed to install the client on a computer you don't own, or don't have the approval of the owner for. In general, the main user is also allowed (look at corporate networks, who owns those PCs), but this is clearly a case of infecting; that's also probably why McAfee thinks it's a virus. (I only hope they stay away from my herd. I use McAfee, but haven't seen a single message from it.)
 