FIXED - forum database compromised

[asidana]

just received this email

Code:

The following is an email sent to you by an administrator of "Official BS.Player forum". If this message is spam, contains abusive or other comments you find offensive please contact the webmaster of the board at the following address:

ssharmi24@gmail.com

Include this full email (particularly the headers). 

Message sent to you follows:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Dear BSPlayer user,

It has come to our attion that our current version off BSPlayer has some security issues
We recommend you to update your version off BSPlayer with the link supplied below


FIXED:
- Fixed vulnerability
- movie settings (position) were not remembered in some cases, fixed
- in some cases chapters were not properly detected in MKV files, fixed
- problem with ML on secondary monitors

Download:
Click HERE


Regards,

The BSPlayer.org Management

[vaughny]

I got this email too. :shock:

[Px]

Same here

[GreGnet]

Yes, same for me... :?

[adicoto]

Hotmail sent it directly to junk folder :D

[Ico-man]

We are on it. :!:

[Px]

RFC822 header from letter

Code:

Return-path: <nobody>
Received: from [212.18.63.30] (port=40982 helo=fortis.presentia.si)
        by mx53.mail.ru with esmtp 
        id 1LRXWV-000GGi-00; Mon, 26 Jan 2009 22:53:31 +0300
Received-SPF: none (mx53.mail.ru: 212.18.63.30 is neither permitted nor denied by domain of fortis.presentia.si) client-ip=212.18.63.30; envelope-from=nobody@fortis.presentia.si; helo=fortis.presentia.si;
X-Mru-PTR: fortis.presentia.si
X-Mru-NR: 100
X-Mru-OF: Linux (ethernet/modem)
X-Mru-RC: SI
Received: from nobody by fortis.presentia.si with local (Exim 4.69)
        (envelope-from <nobody>)
        id 1LRWWO-0002Ha-Fk; Mon, 26 Jan 2009 19:49:22 +0100
To: ssharmi24@gmail.com
Subject: IMPORTANT MESSAGE - Update your BSPlayer
Reply-to: ssharmi24@gmail.com
From: ssharmi24@gmail.com
Message-ID: <63a56c8b2179bf5d31f7ddf620090708>
MIME-Version: 1.0
Content-type: text/plain; charset=iso-8859-1
Content-transfer-encoding: 8bit
Date: Mon, 26 Jan 2009 19:49:20 +0100
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: PHP
X-MimeOLE: Produced By phpBB2
X-AntiAbuse: Board servername - bsplayer.com
X-AntiAbuse: User_id - 3214
X-AntiAbuse: Username - Tizio
X-AntiAbuse: User IP - 90.67.121.154
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - fortis.presentia.si
X-AntiAbuse: Original Domain - mail.ru
X-AntiAbuse: Originator/Caller UID/GID - [99 99] / [47 12]
X-AntiAbuse: Sender Address Domain - fortis.presentia.si
X-Spam: Not detected
X-Mras: Ok

[adicoto]

Quote:

bsplayer0

Oh, sorry, i've missed this topic

[adicoto]

In fact, message originated from a Slovenian mailserver.

[BSPeter]

Ditto here (I sent an email to Mat2000 to place a warning on the website).
But fortunately who (in his right mind) would honestly believe BSPlayer team would make an update available through rapidshare! (and advise users accordingly using a gmail.com email-address)?
Nevertheless, the apparent exposure of BS.Player users' e-mail addresses seems a real SERIOUS and worrysome matter enough!!

In message displayed above Tizio is mentioned, however in message I received it reads:
X-AntiAbuse: Username - Mat2000

[Px]

Quote:

In message displayed above Tizio is mentioned, however in message I received it reads:
X-AntiAbuse: Username - Mat2000

Ah, my fault, copied wrong header, right

Code:

Return-path: <nobody>
Received: from [212.18.63.30] (port=40982 helo=fortis.presentia.si)
        by mx53.mail.ru with esmtp 
        id 1LRXWV-000GGi-00; Mon, 26 Jan 2009 22:53:31 +0300
Received-SPF: none (mx53.mail.ru: 212.18.63.30 is neither permitted nor denied by domain of fortis.presentia.si) client-ip=212.18.63.30; envelope-from=nobody@fortis.presentia.si; helo=fortis.presentia.si;
X-Mru-PTR: fortis.presentia.si
X-Mru-NR: 100
X-Mru-OF: Linux (ethernet/modem)
X-Mru-RC: SI
Received: from nobody by fortis.presentia.si with local (Exim 4.69)
        (envelope-from <nobody>)
        id 1LRWWO-0002Ha-Fk; Mon, 26 Jan 2009 19:49:22 +0100
To: ssharmi24@gmail.com
Subject: IMPORTANT MESSAGE - Update your BSPlayer
Reply-to: ssharmi24@gmail.com
From: ssharmi24@gmail.com
Message-ID: <63a56c8b2179bf5d31f7ddf620090708>
MIME-Version: 1.0
Content-type: text/plain; charset=iso-8859-1
Content-transfer-encoding: 8bit
Date: Mon, 26 Jan 2009 19:49:20 +0100
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: PHP
X-MimeOLE: Produced By phpBB2
X-AntiAbuse: Board servername - bsplayer.com
X-AntiAbuse: User_id - 3284
X-AntiAbuse: Username - Mat2000
X-AntiAbuse: User IP - 90.57.121.154
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - fortis.presentia.si
X-AntiAbuse: Original Domain - mail.ru
X-AntiAbuse: Originator/Caller UID/GID - [99 99] / [47 12]
X-AntiAbuse: Sender Address Domain - fortis.presentia.si
X-Spam: Not detected
X-Mras: Ok

[Kenfer]

Quote:

Originally Posted by BSPeter

But fortunately who (in his right mind) would honestly believe BSPlayer team would make an update available through rapidshare! (and advise users accordingly using a gmail.com email-address)?

unfortunately, there is lots of people who don't really know what "trusted source" is and why RS and Gmail is wrong.

[Px]

Hm, it's strange - I've looked my inbox, and all other messages are from this topic, and their header is different, while in original message two strings differs from the post above

Code:

X-AntiAbuse: User_id - 3284
X-AntiAbuse: Username - Mat2000

Is someone edited my post for a joke, or problem is deeper? :)

[laser21]

I got the same message...

It is suspicious at the first look for advanced users...but not everyone.

I guess making a sticky somewhere would be helpful...

[Caos]

I got the same message...

:twisted: :twisted:

[bardos]

yes, i got this message this morning and was immediately suspicious.


Received: (qmail 17484 invoked by uid 503); 26 Jan 2009 22:31:11 -0000
Received: from unknown (HELO fortis.presentia.si) (212.18.63.30)
by server260.com with ESMTPS (DHE-RSA-AES256-SHA encrypted); 26 Jan 2009 22:31:11 -0000
Received: from nobody by fortis.presentia.si with local (Exim 4.69)
(envelope-from <nobody@fortis.presentia.si>)
id 1LRWWO-0002Ha-Fk; Mon, 26 Jan 2009 19:49:22 +0100
To: ssharmi24@gmail.com

[Ico-man]

Please do not download anything from here: http://rapidshare.com/files/18978772...4.980_clip.exe
because it contains harmfull software (it doesn't have BS.Player in it).

We would never host our files on rapidshare, they are already alerted and they will remove the link in 24 hours. (Meanwhile, the link was removed.) We are not editing posts, so the problem is deeper. We are fixing it as we speak.

[GregorBS]

Here is another E-Mail Header just in case :) ... I received this mail on my Yahoo account:

Code:

From ssharmi24@gmail.com Mon Jan 26 18:49:20 2009
Return-Path: <nobody>
Authentication-Results: mta354.mail.mud.yahoo.com  from=gmail.com; domainkeys=neutral (no sig)
Received: from 212.18.63.30  (EHLO fortis.presentia.si) (212.18.63.30)
  by mta354.mail.mud.yahoo.com with SMTP; Mon, 26 Jan 2009 22:32:13 -0800
Received: from nobody by fortis.presentia.si with local (Exim 4.69)
	(envelope-from <nobody>)
	id 1LRWWO-0002Ha-Fk; Mon, 26 Jan 2009 19:49:22 +0100
To: ssharmi24@gmail.com
Subject: IMPORTANT MESSAGE - Update your BSPlayer
Reply-to: ssharmi24@gmail.com
From: ssharmi24@gmail.com
Message-ID: <63a56c8b2179bf5d31f7ddf620090708>
MIME-Version: 1.0
Content-type: text/plain; charset=iso-8859-1
Content-transfer-encoding: 8bit
Date: Mon, 26 Jan 2009 19:49:20 +0100
Content-Length: 926

[Tizio]

Quote:

Originally Posted by Px

Quote:

Ah, my fault, copied wrong header, right

Code:

Return-path: <nobody>
Received: from [212.18.63.30] (port=40982 helo=fortis.presentia.si)
        by mx53.mail.ru with esmtp 
        id 1LRXWV-000GGi-00; Mon, 26 Jan 2009 22:53:31 +0300
Received-SPF: none (mx53.mail.ru: 212.18.63.30 is neither permitted nor denied by domain of fortis.presentia.si) client-ip=212.18.63.30; envelope-from=nobody@fortis.presentia.si; helo=fortis.presentia.si;
X-Mru-PTR: fortis.presentia.si
X-Mru-NR: 100
X-Mru-OF: Linux (ethernet/modem)
X-Mru-RC: SI
Received: from nobody by fortis.presentia.si with local (Exim 4.69)
        (envelope-from <nobody>)
        id 1LRWWO-0002Ha-Fk; Mon, 26 Jan 2009 19:49:22 +0100
To: ssharmi24@gmail.com
Subject: IMPORTANT MESSAGE - Update your BSPlayer
Reply-to: ssharmi24@gmail.com
From: ssharmi24@gmail.com
Message-ID: <63a56c8b2179bf5d31f7ddf620090708>
MIME-Version: 1.0
Content-type: text/plain; charset=iso-8859-1
Content-transfer-encoding: 8bit
Date: Mon, 26 Jan 2009 19:49:20 +0100
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: PHP
X-MimeOLE: Produced By phpBB2
X-AntiAbuse: Board servername - bsplayer.com
X-AntiAbuse: User_id - 3284
X-AntiAbuse: Username - Mat2000
X-AntiAbuse: User IP - 90.57.121.154
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - fortis.presentia.si
X-AntiAbuse: Original Domain - mail.ru
X-AntiAbuse: Originator/Caller UID/GID - [99 99] / [47 12]
X-AntiAbuse: Sender Address Domain - fortis.presentia.si
X-Spam: Not detected
X-Mras: Ok

:shock: if you copied the wrong header where did you get an header with my username in from?
Anyway also the mail I received has Mat2000 as AntiAbuse Username

Yesterday I saw Mat2000 online more or less at the same hour my mailbox received the mail message (but I read the message only now) :roll:

[mihhkel]

Another download-BS.player-from-RapidShare topic: http://bsplayer.com/forum/viewtopic.php?t=13411
And the apparent poster is ico-man :shock:
Something's wrong here...