[jitsi-dev] scam site


#1

Someone just pointed this to me:

http://tijsi.com/

I haven't checked but my guess would be that the modified "exe" they give you also comes with some malware.

I wonder what our courses of action would be.

Emil


--
https://jitsi.org


#2

jitsy.com is taken too

Skype have registered skipe.com for themselves

This is one reason to encourage people to use packages from official
sources like Debian, Ubuntu, Fedora, etc. The package manager always
checks signatures and verifies that things have come through official
channels.


On 22/01/14 10:32, Emil Ivov wrote:

Someone just pointed this to me:

http://tijsi.com/

I haven't checked but my guess would be that the modified "exe" they
give you also comes with some malware.

I wonder what our courses of action would be.

Emil
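
As an added illustration (not part of the original thread), the lookalike names mentioned here (tijsi.com, jitsy.com, skipe.com) can be caught by comparing observed domains against a project's name by edit distance. The function names, the official-domain set and the observed list are constructed assumptions, and the label extraction is deliberately naive.

```python
def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insertion, deletion, substitution
    and swapping two adjacent characters each cost 1."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,         # deletion
                          d[i][j - 1] + 1,         # insertion
                          d[i - 1][j - 1] + cost)  # substitution or match
            if (i > 1 and j > 1 and a[i - 1] == b[j - 2]
                    and a[i - 2] == b[j - 1]):
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # adjacent swap
    return d[len(a)][len(b)]


def name_label(domain: str) -> str:
    """Label left of the TLD. Naive assumption: single-label public suffix
    (.com, .org); a real monitor would consult the Public Suffix List."""
    labels = domain.lower().rstrip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def flag_lookalikes(brands, official, observed, max_distance=2):
    """Return (domain, closest_brand, distance) for every observed domain that
    is not an official one but whose name is within max_distance of a brand."""
    hits = []
    for domain in observed:
        domain = domain.lower().rstrip(".")
        if domain in official:
            continue
        dist, brand = min((osa_distance(name_label(domain), b), b) for b in brands)
        if dist <= max_distance:
            hits.append((domain, brand, dist))
    return hits


# Constructed sample: names taken from this thread plus one unrelated domain.
BRANDS = ["jitsi", "skype"]
OFFICIAL = {"jitsi.org", "skype.com"}
OBSERVED = ["jitsi.org", "tijsi.com", "jitsy.com", "skipe.com", "debian.org"]

if __name__ == "__main__":
    for hit in flag_lookalikes(BRANDS, OFFICIAL, OBSERVED):
        print(hit)
```

tijsi.com is two edits away from jitsi (the first and third letters are exchanged), so a threshold of 1 would miss it. Names a project has registered defensively, such as skipe.com, belong in the official set.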


#3

> I haven't checked but my guess would be that the modified "exe" they
> give you also comes with some malware.

Yes, it contains rfusclient, a Trojan known as "Remote Manipulator System".

> I wonder what our courses of action would be.

Possibly contacting mihostingweb, or the logo referencing PremiumHosting ->
http://premiumhosting.cl/support/contact-us.php

There's not much else we can do.

> Emil

Ingo


#4

I just noticed that Jitsi (2.5.5054 now) writes to disk almost constantly, with very brief pauses. Iotop shows 150-160 KB/s disk writes. I have packet logging disabled (in the GUI at least) since forever.
The log file or the doesn't seem to change at that rate, so what is Jitsi doing?

I have something like this almost constantly:

Total DISK READ : 0.00 B/s | Total DISK WRITE : 160.75 K/s
Actual DISK READ: 0.00 B/s | Actual DISK WRITE: 160.75 K/s
   TID PRIO USER DISK READ DISK WRITE SWAPIN IO> COMMAND
17091 be/4 root 0.00 B/s 0.00 B/s 0.00 % 0.17 % udisks-da~g /dev/sr0
18043 be/4 root 0.00 B/s 0.00 B/s 0.00 % 0.16 % [kworker/2:0]
25640 be/4 laca 0.00 B/s 160.75 K/s 0.00 % 0.00 % java -cli~mmunicator
     1 be/4 root 0.00 B/s 0.00 B/s 0.00 % 0.00 % init [2]
     2 be/4 root 0.00 B/s 0.00 B/s 0.00 % 0.00 % [kthreadd]
     3 be/4 root 0.00 B/s 0.00 B/s 0.00 % 0.00 % [ksoftirqd/0]
     5 be/0 root 0.00 B/s 0.00 B/s 0.00 % 0.00 % [kworker/0:0H]
     7 be/4 root 0.00 B/s 0.00 B/s 0.00 % 0.00 % [rcu_sched]
     8 be/4 root 0.00 B/s 0.00 B/s 0.00 % 0.00 % [rcu_bh]
     9 rt/4 root 0.00 B/s 0.00 B/s 0.00 % 0.00 % [migration/0]
    10 rt/4 root 0.00 B/s 0.00 B/s 0.00 % 0.00 % [watchdog/0]
    11 rt/4 root 0.00 B/s 0.00 B/s 0.00 % 0.00 % [watchdog/1]
    12 rt/4 root 0.00 B/s 0.00 B/s 0.00 % 0.00 % [migration/1]
    13 be/4 root 0.00 B/s 0.00 B/s 0.00 % 0.00 % [ksoftirqd/1]
    15 be/0 root 0.00 B/s 0.00 B/s 0.00 % 0.00 % [kworker/1:0H]
    16 rt/4 root 0.00 B/s 0.00 B/s 0.00 % 0.00 % [watchdog/2]
    17 rt/4 root 0.00 B/s 0.00 B/s 0.00 % 0.00 % [migration/2]
    18 be/4 root 0.00 B/s 0.00 B/s 0.00 % 0.00 % [ksoftirqd/2]
  3075 be/4 root 0.00 B/s 0.00 B/s 0.00 % 0.00 % console-k~on [gmain]
    20 be/0 root 0.00 B/s 0.00 B/s 0.00 % 0.00 % [kworker/2:0H]

I use Debian 64-bit.


--
Have a good day,
Kertesz Laszlo


#5

Might be useful:

http://www.google.com/safebrowsing/report_phish/

At least if Google marks it as dangerous, most browsers won't go there
without a fight.


On 22/01/14 13:08, Sean Whalen wrote:

Please do not contact premiumhosting[.]cl about this. That is a
(unrelated?) web host, not the domain registrar, who would need to be
the one to be contacted about this.

WHOIS records show that tijisi[.]com is registered to
PrivacyGuardian.org, which is a domain registration privacy service of
namesilo.com

https://www.robtex.com/dns/tijsi.com.html?tab=result#whois

PrivacyGuardian.org has a "Report Abuse" form. Use that to report the
malicious site. As project lead, it would probably be best if a report
came from Emil. However, the more people who report this, the better.
Explain in detail how it is a malicious clone of the Jitsi site. You
may want to include the links below, which identify the content as
malicious.

https://www.virustotal.com/en/url/2edae265dca2ddf42c7619615e61f830f8dc462bd1fa39438d9a6d52f8cb770a/analysis/1390391446/

https://www.virustotal.com/en/file/f8fed8fd820d183c42a9ef1b798322cf8b9c4889c7ed3e682af48dbf02c067a2/analysis/1390391461/

It looks like very few AV engines detect the malware right now,
increasing the danger to those interested in Jitsi.

If the registrar fails to respond in a timely manner, you could try
calling them at +1 602-492-8198.

I'm not exactly sure what happens to a malicious domain after it has
been deemed abusive by the registrar.

I hope this is helpful. Please reply to this if anyone gets a response
from the registrar.

- Sean

> I haven't checked but my guess would be that the modified "exe" they
> give you also comes with some malware.

Yes, it contains rfusclient, a Trojan known as "Remote Manipulator
System".

> I wonder what our courses of action would be.

Possibly contacting mihostingweb, or the logo referencing
PremiumHosting ->
http://premiumhosting.cl/support/contact-us.php

There's not much else we can do.

> Emil

Ingo

_______________________________________________
dev mailing list
dev@jitsi.org
Unsubscribe instructions and other list options:
http://lists.jitsi.org/mailman/listinfo/dev

Toby Pinder | Telemetry Software Engineer


#6

Please do not contact premiumhosting[.]cl about this. That is a
(unrelated?) web host, not the domain registrar, who would need to be the
one to be contacted about this.

WHOIS records show that tijisi[.]com is registered to PrivacyGuardian.org,
which is a domain registration privacy service of namesilo.com

https://www.robtex.com/dns/tijsi.com.html?tab=result#whois

PrivacyGuardian.org has a "Report Abuse" form. Use that to report the
malicious site. As project lead, it would probably be best if a report came
from Emil. However, the more people who report this, the better. Explain in
detail how it is a malicious clone of the Jitsi site. You may want to
include the links below, which identify the content as malicious.

https://www.virustotal.com/en/url/2edae265dca2ddf42c7619615e61f830f8dc462bd1fa39438d9a6d52f8cb770a/analysis/1390391446/

https://www.virustotal.com/en/file/f8fed8fd820d183c42a9ef1b798322cf8b9c4889c7ed3e682af48dbf02c067a2/analysis/1390391461/

It looks like very few AV engines detect the malware right now, increasing
the danger to those interested in Jitsi.

If the registrar fails to respond in a timely manner, you could try calling
them at +1 602-492-8198.

I'm not exactly sure what happens to a malicious domain after it has been
deemed abusive by the registrar.

I hope this is helpful. Please reply to this if anyone gets a response from
the registrar.

- Sean

> > I haven't checked but my guess would be that the modified "exe" they
> > give you also comes with some malware.
>
> Yes, it contains rfusclient, a Trojan known as "Remote Manipulator System".
>
> > I wonder what our courses of action would be.
>
> Possibly contacting mihostingweb, or the logo referencing PremiumHosting ->
> http://premiumhosting.cl/support/contact-us.php
>
> There's not much else we can do.
>
> > Emil
>
> Ingo



#7

They actually are hosting the malware, and would want to know.
lee@dev01:~$ ping tijsi.com
PING tijsi.com (162.248.50.103) 56(84) bytes of data.
64 bytes from lightning.premiumhosting.cl (162.248.50.103): icmp_req=1 ttl=53 time=53.5 ms
64 bytes from lightning.premiumhosting.cl (162.248.50.103): icmp_req=2 ttl=53 time=48.1 ms
64 bytes from lightning.premiumhosting.cl (162.248.50.103): icmp_req=3 ttl=53 time=47.0 ms

They are also hosting the DNS at NS1.MIHOSTINGWEB.NET because www.MIHOSTINGWEB.NET resolves to http://premiumhosting.cl/

Privacy guardian is securing the registrant details, so report abuse here. http://www.privacyguardian.org/

Name Silo is who has the domain, so contact them here. http://www.namesilo.com/contact_us.php

As stated, report them to
http://www.google.com/safebrowsing/report_badware/ (Use this link, as it is not phishing)

But also use:
https://www.microsoft.com/security/portal/submission/submit.aspx
http://www.anti-malvertising.com/report-malware
And report to several vendors here.
http://www.techsupportalert.com/content/how-report-malware-or-false-positives-multiple-antivirus-vendors.htm

And yes, the more people reporting, the better!

      Lee Sharp


On 01/22/2014 07:08 AM, Sean Whalen wrote:

Please do not contact premiumhosting[.]cl about this. That is a
(unrelated?) web host, not the domain registrar, who would need to be
the one to be contacted about this.