Old 10-09-2006, 11:10 PM  
boneprone
Hall Of Fame
Join Date: Jan 2001
Location: Portland Oregon USA
Posts: 34,415
My server Support guy:

"Found nudedorms.com/htdocs/aff/geoip.php - r57shell exploit. Dated Oct 8, 8:56am.
I renamed it from geoip.php to geoip.php.txt so it can't be executed, but we can read it. I already made a copy for myself, so delete it if you want.
http://nudedorms.com/aff/geoip.php.txt

It was owned by webmaster, and not the apache user, so it wasn't a PHP exploit.

A corresponding login during that time was from as the user MuratAT3. Gavin suspected that was one of the hackers' IPs.

So if it was a weak password, and they guessed it, that's one way they could have done this. Or maybe they somehow got the password via some other way, but one thing is for sure, they just straight up logged in and knew the password, then uploaded their junk."

They are convinced the server wasn't compromised... But that indeed the hacker got his login and pass from some other means and simply walked on in with info on hand..

And it couldn't have been a corrupt file that I uploaded, 'cause I never used the username MuratAT3.. It's an old user name to the box.

Naturally it's been removed by now.. But that's what these guys used, so it seems.
__________________

Industry Hall Of Fame Legend Mike Jones
Bow to the Power - Still BP4L
http://gfyawards.com/hall-of-fame
Learn about it kids.
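The reasoning quoted in the post above (file owner versus the Apache user, then a login at the matching time) can be written as a small triage routine. This is an added example, not part of the original post: the file and login records are constructed sample data (the year, login times and IP are made up), and `WEB_USER`, `triage` and the 30-minute window are assumptions.

```python
from datetime import datetime, timedelta

WEB_USER = "apache"  # assumption: the account the web server process runs as

# Constructed sample records. On a real host these would come from
# stat() on the docroot and from the FTP/SSH login logs.
FILES = [
    {"path": "htdocs/aff/geoip.php", "owner": "webmaster",
     "mtime": datetime(2006, 10, 8, 8, 56)},
    {"path": "htdocs/cache/thumb.php", "owner": "apache",
     "mtime": datetime(2006, 10, 7, 3, 12)},
]
LOGINS = [
    {"user": "MuratAT3", "ip": "192.0.2.44",  # documentation-range IP
     "start": datetime(2006, 10, 8, 8, 50), "end": datetime(2006, 10, 8, 9, 5)},
    {"user": "webmaster", "ip": "192.0.2.10",
     "start": datetime(2006, 10, 6, 14, 0), "end": datetime(2006, 10, 6, 14, 20)},
]


def triage(files, logins, web_user=WEB_USER, window=timedelta(minutes=30)):
    """Classify how each suspicious file most likely reached the docroot.

    A file owned by the web server account was written by the web process
    (vulnerable script or upload handler). A file owned by a login account
    was written during an authenticated session, so login sessions that
    overlap its mtime are listed for follow-up.
    Caveat: the owner can set mtime at will (touch), and root can change
    ownership, so both fields are leads to check against logs, not proof.
    """
    findings = []
    for f in files:
        if f["owner"] == web_user:
            vector, nearby = "web-process", []
        else:
            vector = "login-account"
            nearby = [l for l in logins
                      if l["start"] - window <= f["mtime"] <= l["end"] + window]
        findings.append({"path": f["path"], "owner": f["owner"],
                         "vector": vector, "logins": nearby})
    return findings


if __name__ == "__main__":
    for item in triage(FILES, LOGINS):
        sessions = ", ".join(f'{l["user"]}@{l["ip"]}' for l in item["logins"]) or "none"
        print(f'{item["path"]}: owner={item["owner"]} vector={item["vector"]} logins={sessions}')
```

Any login the routine surfaces should then be checked against known-good source IPs for that account, and unused accounts found this way disabled.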