Spywareinfo Hacked By Meanies!
Date: Monday, February 23 @ 22:42:26 CET
Topic: Security

I received this in an email from lockergnome... thought it may be useful here...

By Meryl K. Evans

I talked with Mike Healan, the editor of SpywareInfo, a resource providing the latest spyware threats, forums, and links to related articles and information so that your system can stay free and clean.

Mike has a dedicated server in Atlanta which hosts spywareinfo.com/net/org, merijn.org, tomcoyote.org, dogreader.com and mikehealan.com. On Feb 6, there were a few sporadic DDoS attacks that were easily filtered out.

On Feb 11th about 8am, several hundred PCs infected with some sort of trojan started hammering the server with bogus traffic to port 80 (HTTP). Mike's Web host started blocking IPs trying to open too many connections and brought the server up. 10 minutes later, 2,000 more PCs hit the server and knocked it down again. The data center started blocking wide ranges of IP addresses and stopped the attack again. They attacked again after that and the data center finally firewalled the IP address of the server.

On Feb 12, we switched IP addresses and brought the server back up. 2,000 - 3,000 PCs brought the server down again about 15 minutes later and the data center firewalled the new IP address at port 80 (HTTP). That's why Mike's e-mail works, but not the site.

On the 13th, Mike moved tomcoyote.org to hostpc.com and merijn.org to xblock.com. He put out a newsletter using tomcoyote.org explaining what was going on and asking for some donations to help cover costs. The next day, several thousand PCs attacked merijn.org and knocked down merijn and xblock. Several thousand more hit tomcoyote.org and knocked it down along with one of hostpc's servers. Both sites are still down, xblock is back up, and the status of hostpc is up in the air.

On Feb 18, the crew put up two proxy servers that pulled data from the server in Atlanta and used a "round robin" DNS failover system to load balance traffic between the two proxies. Spywareinfo was running again and dogreader was partially working the next day. The bad guys hit the servers with about 2,000 PCs and the proxies lasted about 36 hours before they were knocked offline. Both servers have been shut down by their data centers.

On the 19th, the meanies also attacked Net-Integration.net, which hosts the support forums for Spybot S&D. A lot of the moderators and helpers at SWI are also admins or moderators for that support board. N-I is back up.

That's where they currently stand.

Starting tonight or tomorrow (hopefully), spywareinfo will have dozens (maybe hundreds) of redundant proxy servers provided by a new corporate sponsor (that can't be named yet). They will provide however many servers and IP addresses it takes to keep the site running in exchange for a newsletter plug and an ad on the main site.

At this point, we don't know who is responsible or what they're using. There is a suspect, but we can't prove it yet.

One guy wrote to say his firewall was logging an enormous number of connections to Mike's site and he couldn't figure out why. He contacted Norton's tech support and they said they were also showing something making connections to his site, so we may be about to get our hands on whatever they are using.

He has been in touch with the FBI about this, but they're playing phone tag. Unfortunately, he's used up $2,500 so far, hostpc about $1,400, xblock at least $2,000, plus some losses for their other customers on their server. Lord knows what it's going to cost overall.

Mike appreciates all the support from his readers and from other antispyware companies. Donations (or plug paypal@spywareinfo.com into paypal) are appreciated as these are free resource sites that have to pay their bills like everyone else.

Thanks to Chance for bringing the situation to my attention.
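The account above describes the host's first line of defence: spotting source IPs that open far too many port-80 connections in a short time and blocking them, then widening the blocks to whole address ranges. The script below is an added illustration of that detection step and is not code from SpywareInfo, the data center, or the original post. The log format, the sample records and the thresholds are all constructed for the example; real firewall or web-server logs would need their own parser.

```python
"""Flag source IPs that open too many port-80 connections in a short window.

Added example: the record format "<ISO timestamp> <src_ip> <dst_port>" is
invented for illustration and is not the format of any real product.
"""
from collections import defaultdict
from datetime import datetime
import ipaddress

# Constructed sample of connection records. 198.51.100.10, 198.51.100.11 and
# 192.0.2.77 hammer port 80; 203.0.113.5 is an ordinary visitor.
SAMPLE_LOG = """\
2004-02-11T08:00:00 198.51.100.10 80
2004-02-11T08:00:01 198.51.100.10 80
2004-02-11T08:00:02 198.51.100.10 80
2004-02-11T08:00:03 198.51.100.10 80
2004-02-11T08:00:04 198.51.100.10 80
2004-02-11T08:00:05 198.51.100.10 80
2004-02-11T08:00:06 198.51.100.10 80
2004-02-11T08:00:07 198.51.100.10 80
2004-02-11T08:00:07 198.51.100.10 25
2004-02-11T08:00:00 198.51.100.11 80
2004-02-11T08:00:01 198.51.100.11 80
2004-02-11T08:00:02 198.51.100.11 80
2004-02-11T08:00:03 198.51.100.11 80
2004-02-11T08:00:04 198.51.100.11 80
2004-02-11T08:00:05 198.51.100.11 80
2004-02-11T08:00:10 192.0.2.77 80
2004-02-11T08:00:11 192.0.2.77 80
2004-02-11T08:00:12 192.0.2.77 80
2004-02-11T08:00:13 192.0.2.77 80
2004-02-11T08:00:14 192.0.2.77 80
2004-02-11T08:00:15 192.0.2.77 80
2004-02-11T08:00:16 192.0.2.77 80
2004-02-11T08:00:00 203.0.113.5 80
2004-02-11T08:00:30 203.0.113.5 80
2004-02-11T08:01:10 203.0.113.5 80
"""


def parse_line(line):
    """Split one record into (timestamp, source IP, destination port)."""
    ts, ip, port = line.split()
    return datetime.fromisoformat(ts), ip, int(port)


def connection_times(lines, dst_port=80):
    """Group connection timestamps by source IP, keeping only dst_port."""
    times = defaultdict(list)
    for line in lines:
        if not line.strip():
            continue
        ts, ip, port = parse_line(line)
        if port == dst_port:
            times[ip].append(ts)
    return times


def peak_rate(timestamps, window_seconds):
    """Largest number of connections that fall inside any sliding window."""
    ts = sorted(timestamps)
    best = 0
    left = 0
    for right, t in enumerate(ts):
        # Advance the window start until it spans at most window_seconds.
        while (t - ts[left]).total_seconds() > window_seconds:
            left += 1
        best = max(best, right - left + 1)
    return best


def flooders(lines, threshold=5, window_seconds=10, dst_port=80):
    """Map each source IP whose peak rate reaches the threshold to that peak."""
    result = {}
    for ip, times in connection_times(lines, dst_port).items():
        peak = peak_rate(times, window_seconds)
        if peak >= threshold:
            result[ip] = peak
    return result


def collapse_to_prefixes(ips, prefix_len=24):
    """Widen per-host findings to address blocks, as the data center did."""
    nets = {ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False) for ip in ips}
    return sorted(str(n) for n in nets)


if __name__ == "__main__":
    hits = flooders(SAMPLE_LOG.splitlines())
    for ip, peak in sorted(hits.items()):
        print(f"{ip}: {peak} connections within 10s")
    print("ranges:", collapse_to_prefixes(hits))
```

The threshold and window are the knobs that decide how aggressive the blocking is; set too low they cut off legitimate proxies and NAT gateways that fan many users out of one address, which is the trade-off behind the wide range blocks the data center ended up applying.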

This article comes from NukeCops
http://www.nukecops.com

The URL for this story is:
http://www.nukecops.com/modules.php?name=News&file=article&sid=1646