server hack? - GoFuckYourself.com

emmanuelle · 11-10-2004, 04:51 PM

My friend just had a bunch of his index pages replaced with
"SPYKIDS .. irc.chatplus.com.br #spykids.. enjoy "

Anybody know who's behind this stuff and how they tend to get in?

BIGTYMER · 11-10-2004, 05:00 PM

They get in via an exploit of some sort. You need to harden and keep your box patched and updated.

Alky · 11-10-2004, 05:02 PM

Quote:

Originally posted by Kingpins
They get in via an exploit of some sort. You need to harden and keep your box patched and updated.

good advice

NetRodent · 11-10-2004, 05:02 PM

Why not ask the people on the irc channel #spykids on the server irc.chatplus.com.br.

Ad3pt · 11-10-2004, 05:04 PM

Quote:

Originally posted by emmanuelle
My friend just had a bunch of his index pages replaced with
"SPYKIDS .. irc.chatplus.com.br #spykids.. enjoy "

Anybody know who's behind this stuff and how they tend to get in?

server spec's?

BIGTYMER · 11-10-2004, 05:04 PM

Quote:

Originally posted by Alky
good advice

And you've got better?

Ad3pt · 11-10-2004, 05:05 PM

Quote:

Originally posted by Kingpins
They get in via an exploit of some sort. You need to harden and keep your box patched and updated.

how do you know this to be the case?

Dirty F · 11-10-2004, 05:05 PM

Quote:

Originally posted by emmanuelle

Anybody know who's behind this stuff and how they tend to get in?

Just a wild guess but maybe these guys:

SPYKIDS .. irc.chatplus.com.br

I did some research.

BIGTYMER · 11-10-2004, 05:07 PM

Quote:

Originally posted by Ad3pt
how do you know this to be the case?

How else would they get in? Did they login via ftp with his u/p? I hight doubt it. And its showing an IRC page and IRC is know for its carding, hacking kiddies.

Ad3pt · 11-10-2004, 05:11 PM

Quote:

Originally posted by Kingpins
How else would they get in? Did they login via ftp with his u/p? I hight doubt it. And its showing an IRC page and IRC is know for its carding, hacking kiddies.

If they have the ftp u/p it's not an exploit.

On the other hand, if their local workstation is owned by a trojan/keylogger that would be an exploit.

Only point Im trying to make is that having this guy jump to conclusions isn't going to give him the info he needs.

Dirty D · 11-10-2004, 05:12 PM

It looks like someone got root access to the server.

There are many exploits to get root access.

Here are some tools to check for and fix rootkits

http://www.chkrootkit.org

My advice:

Eliminate any backdoors (rootkit)
Restore the domains
Change all user and root passwords
Verify linux and apache are up to date.

BIGTYMER · 11-10-2004, 05:15 PM

Quote:

Originally posted by Ad3pt
If they have the ftp u/p it's not an exploit.

On the other hand, if their local workstation is owned by a trojan/keylogger that would be an exploit.

Only point Im trying to make is that having this guy jump to conclusions isn't going to give him the info he needs.

Yes, but the chances are greater that they got in via an exploit.

erehwon · 11-10-2004, 05:19 PM

Quote:

Originally posted by emmanuelle
My friend just had a bunch of his index pages replaced with
"SPYKIDS .. irc.chatplus.com.br #spykids.. enjoy "

Anybody know who's behind this stuff and how they tend to get in?

It sounds like a run of the mill defacement, your friend probably didn't patch something they should have.

The hackers likely went to a database like Packetstorm and found something to break into the server.

Have your friend drop these guys, http://www.ibouncer.com a line, to lock things down

V_RocKs · 11-10-2004, 05:22 PM

What domains were effected?

11-10-2004, 04:51 PM	#1
emmanuelle Confirmed User Join Date: Mar 2003 Location: Oh Canada! Posts: 3,662	server hack? My friend just had a bunch of his index pages replaced with "SPYKIDS .. irc.chatplus.com.br #spykids.. enjoy " Anybody know who's behind this stuff and how they tend to get in?

11-10-2004, 05:02 PM	#4
NetRodent Confirmed User Join Date: Jan 2002 Location: In the walls of your house. Posts: 3,985	Why not ask the people on the irc channel #spykids on the server irc.chatplus.com.br. __________________ "Every normal man must be tempted, at times, to spit on his hands, hoist the black flag, and begin slitting throats." --H.L. Mencken

11-10-2004, 05:12 PM	#11
Dirty D Confirmed User Join Date: May 2002 Location: Paying Webmasters Millions Since 1999 Posts: 4,044	It looks like someone got root access to the server. There are many exploits to get root access. Here are some tools to check for and fix rootkits http://www.chkrootkit.org My advice: Eliminate any backdoors (rootkit) Restore the domains Change all user and root passwords Verify linux and apache are up to date. __________________ Dirty D - ICQ #1326843 - $1 Million Dollars of Bonus Money - 8,000+ FHG! Glory Hole Girlz - Crack Whore Confessions - Tampa Bukkake - Slut Wife Training - Fuck a Fan Electricity Play - Porn Video Drive - Theater Sluts - Skunk Riley - Ukraine Amateurs - Strapon Sessions

11-10-2004, 05:00 PM	#2
BIGTYMER Junior Achiever Industry Role: Join Date: Nov 2004 Location: Walled Garden Posts: 17,066	They get in via an exploit of some sort. You need to harden and keep your box patched and updated.

11-10-2004, 05:22 PM	#14
V_RocKs Damn Right I Kiss Ass! Industry Role: Join Date: Dec 2003 Location: Cowtown, USA Posts: 32,409	What domains were effected?