I have been getting "Reported post from" emails from APC containing porn site addresses. When APC was on Xoxide servers, the spam came from them, and now that APC has been transferred to CrowdGather, the same spam is coming from CrowdGather. It must be coming from some virus embedded in the APC code. I seem to be the only moderator getting this spam. It comes around every other day. Here is the latest example:
Received: from planet1.crowdgather.com ([74.55.232.130])
    by isp.att.net (frfwmxc10) with ESMTP
    id <20080630131115M1000r6a30e>; Mon, 30 Jun 2008 13:11:15 +0000
X-Originating-IP: [74.55.232.130]
Received: from localhost ([127.0.0.1] helo=127.0.0.1)
    by planet1.crowdgather.com with smtp (Exim 4.69)
    (envelope-from <webmaster@aquaticplantcentral.com>)
    id 1KDJA2-0002B1-EH
    for pkrombholz@-----------; Mon, 30 Jun 2008 08:11:14 -0500
Date: Mon, 30 Jun 2008 13:11:14 +0000
To: pkrombholz@-------------
From: "Aquatic Plant Central" <webmaster@aquaticplantcentral.com>
Auto-Submitted: auto-generated
Message-ID: <200806301314.5e0017282855@www.aquaticplantcentral.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 8bit
X-Priority: 3
X-Mailer: vBulletin Mail via PHP
Subject: Reported post from
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - planet1.crowdgather.com
X-AntiAbuse: Original Domain - bellsouth.net
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - aquaticplantcentral.com
Josh ( mailto: ) has reported this post:
Prison Momma
http://www.aquaticplantcentral.com/f...i=5431#post552
This is the reason that the user gave:
Must have: , <a href="http://www.gtagaming.com/forums/member.php?u=55477">nice boobs</a>, nice boobs, http://www.gtagaming.com/forums/member.php?u=55477 nice boobs, <a href="http://forums.vogue.com.au/member.php?u=82906">real natural boobs</a>, real natural boobs, http://forums.vogue.com.au/member.php?u=82906 real natural boobs, <a href="http://www.epinions.com/user-or8c8o/show_~View_Profile">sexy striptease shows boobs</a>, sexy striptease shows boobs, http://www.epinions.com/user-or8c8o/show_~View_Profile sexy striptease shows boobs, <a href="http://www.cleveland.com/forums/profile.ssf?nickname=zs8f8f">black natural boobs</a>, black natural boobs, http://www.cleveland.com/forums/prof...ickname=zs8f8f black natural boobs, <a href="http://www.epinions.com/user-o8ya8ebu/show_~View_Profile">boobs bouncing slo mo</a>, boobs bouncing slo mo, http://www.epinions.com/user-o8ya8eb..._~View_Profile boobs bouncing slo mo,
This message has been sent to all moderators of this category and all administrators.
Please respond to this post as applicable.
I wonder if the virus came in on a suspicious video that was posted about 5 times in the Aquatic Plant Pictures. I deleted it and banned the sender each time, and got Jason, at Xoxide, to look at it. Here is what Jason found:
Quote:
Originally Posted by aquaticjason
I found one today. It is not a good file at all...
Here is the message I got from Norton's:
Scan type: Auto-Protect Scan
Event: Security Risk Found!
Risk: PHP.RSTBackdoor
Please make sure to delete these as they are a backdoor/trojan virus. I am not sure how to go about keeping the spammer away, but I will make sure that the above IPs are banned.
I will see what I can do to stop this from happening anymore, but for now we must make sure to delete these when they get uploaded as we do not want our visitors to be infected.
I will keep you guys posted when I figure out a solution to this problem.
Thanks,
Jason
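
Added example, not part of the original post: a short Python parser that walks the Received chain of the notification quoted above and reports where the message was first handed to a mail server, which mailer produced it, and which links sit in the report reason. The headers are abridged from the post; the recipient address and the body links are constructed placeholders.

```python
import re
from email import message_from_string

# Headers abridged from the notification quoted in the post. The recipient
# address and the link in the body are constructed placeholders.
SAMPLE = """\
Received: from planet1.crowdgather.com ([74.55.232.130])
\tby isp.att.net (frfwmxc10) with ESMTP; Mon, 30 Jun 2008 13:11:15 +0000
Received: from localhost ([127.0.0.1] helo=127.0.0.1)
\tby planet1.crowdgather.com with smtp (Exim 4.69)
\t(envelope-from <webmaster@aquaticplantcentral.com>)
\tfor moderator@example.invalid; Mon, 30 Jun 2008 08:11:14 -0500
From: "Aquatic Plant Central" <webmaster@aquaticplantcentral.com>
Auto-Submitted: auto-generated
X-Mailer: vBulletin Mail via PHP
Subject: Reported post from

This is the reason that the user gave:
Must have: <a href="http://spam.example/member.php?u=1">x</a>, http://spam.example/member.php?u=1 x
"""

HOP = re.compile(r"from\s+(\S+)\s+\(\[([0-9.]+)\][^)]*\)\s+by\s+(\S+)")

def received_hops(msg):
    """Return (from_host, from_ip, by_host) per hop, oldest hop first."""
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        m = HOP.search(value)  # \s+ also spans the folded line breaks
        if m:
            hops.append(m.groups())
    return hops

def classify(raw):
    """Summarise where a notification entered the mail system."""
    msg = message_from_string(raw)
    hops = received_hops(msg)
    origin = hops[0] if hops else None  # the earliest hop is listed last
    links = sorted(set(re.findall(r"https?://[^\s\"<>]+", msg.get_payload())))
    return {
        "generated_on_server": bool(origin) and origin[1].startswith("127."),
        "server": origin[2] if origin else None,
        "mailer": msg.get("X-Mailer"),
        "auto_generated": msg.get("Auto-Submitted", "").lower() == "auto-generated",
        "reason_links": links,
    }

if __name__ == "__main__":
    print(classify(SAMPLE))
```

For this message the earliest hop is a loopback hand-off on planet1.crowdgather.com with the vBulletin PHP mailer, and the links appear in the report-reason text of the body.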