http://img160.imageshack.us/img160/9154/whatnow3uz.jpg
Now for the story of how I managed to get this pic...
Who remembers seeing those generally vague posts about Parsers/Bots with links to exes named POS_Logger.exe and DamageProc.exe? Viruses, of course; cue the picture of "This guy seems legit" that priran posted. Anyway, using a trick that aurik (don't tell anyone what it was, I plan on doing this again if he makes another post) showed me, I managed to get the contents of the exe in a somewhat readable format. I located the IP of the server that the trojan horse phoned home to and ran a quick portscan to see what services were running on it. Found: Port 21 (FTP). So I go back and dig through the exe and find 2 lines in there:
Admin
gGPaK45w
I did what any normal geek would do and logged in to his FTP and started poking around. Tons of porn, some Final Fantasy ROMs, some music, but what's this... a folder called accounts? Jackpot. I tried to copy as much as I could, but by 1pm Central today he found out I was leeching his server hard (over 1000 folders in that directory, and FTP doesn't like transferring tons of small files so it went sloooow) and I got shut out. I started with the old ones in April (stupid me), and moved up to the newer ones. I made it up to June 14th. All in all I'd guess about 8-12 different computers were compromised; I'm not sure how many were compromised from yesterday's posting as I didn't make it up the logs that far =(. These 1000+ folders were all filled with keylogs, detailed records of every keystroke done on the compromised machine. That's a ton of shit to look through.
Anyway, some of you may know Totien. I'm sure he's wised up by now and is using a password a little more secure than "budlight" lol. According to what I see here, his machine was compromised on April 18th of this year.
I've got a lot more interesting tidbits I found out about in here, but I'm not going to compromise ANY accounts if I find any passwords, rather I will do everything I can to contact that person and have them prevent anything happening to their character.
So far I've found:
Morie - Bahamut server
Totien - Not sure what server but it's too late =(
Etern - Bahamut server (japanese)
Avid - Bahamut? (japanese)
Pyoi - Bahamut Server (Japanese, in zigma's Wyrm Shell lol). It is also possible Akuby was compromised as a result of this, since it looks like Pyoi and Akuby are the same person from the information I have, or they share accounts/computers.
Anyway, I'll update this as I find more. There is just way too much stuff to sort through. If you are on Bahamut please contact these people and instruct them to do a full wipe of their computer.
VIRUS SCANS DO NOT DETECT THIS TROJAN HORSE
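The static part of what the post describes, pulling the phone-home address and the FTP login out of the dumped executable, as an added example that is not from the original post: a minimal strings-style triage run over a constructed byte blob (the IP, login, password and filename below are placeholders, not values from the real sample).

```python
import re

# Constructed stand-in for a dumped binary: a few printable runs (an FTP
# drop URL, the login the sample uses, a keylog filename) buried in
# non-printable bytes. Placeholder values only, not the real sample.
SAMPLE_BLOB = (
    b"\x00\x01MZ\x90\x00\x03" + b"\xff" * 7
    + b"ftp://203.0.113.7/accounts/\x00\x00"
    + b"\x7f\x05" + b"USER Admin\x00"
    + b"PASS hunter2placeholder\x00" + b"\x00" * 5
    + b"keylog_%Y%m%d.txt\x00" + b"\x9c\x01"
)

MIN_LEN = 4
_IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# A keylogger that pushes logs over FTP tends to carry the target and the
# cleartext login as plain strings; these are the first things to pull out.
_FTP_CRED = re.compile(r"^(USER|PASS)\s+(\S+)$")


def extract_strings(blob: bytes, min_len: int = MIN_LEN) -> list[str]:
    """Return printable ASCII runs of at least min_len chars (the 'strings' idea)."""
    pat = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pat.finditer(blob)]


def triage(blob: bytes) -> dict:
    """Collect where the sample phones home and the credentials it embeds."""
    found = {"ips": [], "ftp_urls": [], "creds": {}, "strings": []}
    for s in extract_strings(blob):
        found["strings"].append(s)
        found["ips"].extend(_IPV4.findall(s))
        if s.lower().startswith("ftp://"):
            found["ftp_urls"].append(s)
        m = _FTP_CRED.match(s)
        if m:
            found["creds"][m.group(1)] = m.group(2)
    found["ips"] = list(dict.fromkeys(found["ips"]))  # de-dup, keep order
    return found


if __name__ == "__main__":
    r = triage(SAMPLE_BLOB)
    print("C2 candidates:", r["ips"], r["ftp_urls"])
    print("Embedded FTP login:", r["creds"])
```

The IP and credentials this turns up are what you hand to whoever hosts the server and to the people whose keylogs are sitting on it; a hit on a fresh sample that no scanner flags is also a good reason to block that address at the perimeter.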