Running Nats? BLOCK THIS IP NOW - Active Hacker

  • SplitInfinity
    Confirmed User
    • Dec 2002
    • 3047

    #1

    Running Nats? BLOCK THIS IP NOW - Active Hacker

    65.110.62.120

    Heads up GFYers... We have stopped a hacker dead in his tracks
    who is going after NATS DBs. This guy is not to be taken lightly;
    he is skillful and methodical and, if left ignored, WILL own your server.
    He is in our honeypot as I type this and we are watching him closely.

    We have complained to sagonet about this guy, who has his home there.
    I have been working in conjunction with others on this and we have been
    trying to get sagonet to shut down this guy's server, but they ignore the
    issue.

    Everyone should email sagonet's abuse and tell them to get rid of 65.110.62.120 as he is a threat to everyone.

    So there is your heads up. Hope I helped.

    [email protected]

    Best regards,

    Chris Jester
    SplitInfinity
  • SplitInfinity
    Confirmed User
    • Dec 2002
    • 3047

    #2
    Posted to NANOG about this issue since SAGO like to ignore their abuse:


    65.110.62.120

    Sagonet,

    We have a serious hacker here who is ACTIVELY engaged in logins
    on our network (have him in a honeypot at the moment). He is running exploits from your network and
    also I have been hearing from others that you have been notified of this
    a few times yet have done nothing about it. Can we get someone to handle
    this immediately please?

    This hacker has rooted at least 35 servers on a friend's network (friendly competitor) and now he's scanning ours...

    This is what was said by my friend after contacting you guys about this:
    "Good... They will not listen... I have provided them logs, screen shots, etc..."

    Additionally, I would LOVE to know what is on that server... this guy is
    not to be taken lightly, he is VERY methodical and patient. He's probably
    owning your network too.

    [root@mail /home]# netstat -an
    Active Internet connections (servers and established)
    Proto Recv-Q Send-Q Local Address Foreign Address State
    tcp 0 0 0.0.0.0:21 0.0.0.0 LISTEN
    tcp 0 0 :::38300 :: LISTEN
    tcp 0 0 ::ffff:66.11.112.15:38300 ::ffff:65.110.62.120:59979 ESTABLISHED
    ESTABLISHED
    posted to nanog

    Comment

    • CaptainHowdy
      Too lazy to set a custom title
      • Dec 2004
      • 94735

      #3
      Get 'Em !!

      Comment

      • scottybuzz
        Too lazy to set a custom title
        • May 2006
        • 14799

        #4
        bump for awareness!

        Comment

        • Superterrorizer
          Confirmed User
          • Sep 2003
          • 509

          #5
          Why would you post that to nanog? What does any of this have to do with "network" security? Why don't you post some actual details instead of saying he "rooted" 35 of your friend's servers? Sounds like your friend needs a lesson in server security. Maybe you can send split_joel over to show him the ropes.

          Comment

          • SplitInfinity
            Confirmed User
            • Dec 2002
            • 3047

            #6
            Posted to nanog because sagonet people are on nanog and pay attention there.
            Their help desk peeps tend to ignore issues like this.

            AND yes, it has a lot to do with network security because he is DDoSing routers and the like as well... and joel is not a security guy... Karlin and Ariel and I are. Joel is a tech/admin/apache kinda guy...

            We're teaching him that stuff though.... so maybe some day we can call him a security guy. :-)

            Comment

            • The Shame
              Confirmed User
              • Oct 2006
              • 394

              #7
              bump.....
              Mess with the best, die like the rest.

              Comment

              • Superterrorizer
                Confirmed User
                • Sep 2003
                • 509

                #8
                You don't mention anything about DDoSing routers in your nanog post, in fact your nanog post doesn't really appear to meet their posting criteria. Forwarding an email to the list from webair support should get the nanog trolls out of bed. Should be a fun afternoon.

                Comment

                • Pimpin_J
                  Confirmed User
                  • Jul 2006
                  • 3637

                  #9
                  65.110.62.120 <- I don't think it's the server of the hacker.. just an already hacked one, I guess. He would be stupid to hack from his own server. And if he is skilled like you just said, he wouldn't be that stupid.

                  Comment

                  • SplitInfinity
                    Confirmed User
                    • Dec 2002
                    • 3047

                    #10
                    You fit your name well.

                    :-)

                    Comment

                    • SplitInfinity
                      Confirmed User
                      • Dec 2002
                      • 3047

                      #11
                      "65.110.62.120 <- I don't think it's the server of the hacker.. just an already hacked one, I guess. He would be stupid to hack from his own server. And if he is skilled like you just said, he wouldn't be that stupid."


                      Right, I agree. However I cannot ignore the fact that he has been calling that server home for a while now.

                      Comment

                      • Pimpin_J
                        Confirmed User
                        • Jul 2006
                        • 3637

                        #12
                        Wake up bro!
                        It's 2006 and the host won't help you. They may tell the real owner of the server (65.110.62.120) that he has a trojan on his server and should watch out.
                        But they can't just shut down a box YOU want shut down. If they handled it like this, I would send millions of those mails each day and half of the internet would be down...

                        Comment

                        • More Booze
                          Confirmed User
                          • Mar 2004
                          • 5116

                          #13
                          MayorsMoneys:

                          NATS has found a problem

                          mysql_connect(): Can't connect to MySQL server on '8.2.119.104' (4)

                          /a/nats/includes/database.php:207


                          I hope it's nothing serious :/

                          Comment

                          • JFK
                            FUBAR the ORIGINATOR
                            • Jan 2002
                            • 67373

                            #14
                            Originally posted by More Booze
                            MayorsMoneys:

                            NATS has found a problem

                            mysql_connect(): Can't connect to MySQL server on '8.2.119.104' (4)

                            /a/nats/includes/database.php:207


                            I hope it's nothing serious :/
                            It's the end of the world as we know it :/


                            Comment

                            • SplitInfinity
                              Confirmed User
                              • Dec 2002
                              • 3047

                              #15
                              It is the hosts responsibility to keep abusive servers off of their network.
                              If you told us we had a hacked box, we would surely get out of our chair and
                              secure it.

                              Comment

                              • More Booze
                                Confirmed User
                                • Mar 2004
                                • 5116

                                #16
                                Originally posted by JFK
                                It's the end of the world as we know it :/
                                Maybe not but I do lose signups if NATS doesn't count them.

                                Comment

                                • TMM_John
                                  Confirmed User
                                  • May 2004
                                  • 6664

                                  #17
                                  SI, etc. if there is anything we can do to help please let us know right away.

                                  Re: Mayor's money, their mysql server appears to be down, contact them rather than post about it in a totally unrelated thread


                                  Too Much Media - Makers of the Industry's Leading Payite Management Platform, NATS!

                                  Comment

                                  • interracialtoons
                                    Confirmed User
                                    • May 2006
                                    • 1910

                                    #18
                                    I don't see the connection to NATs. He is hacking a server right?
                                    Done.

                                    Comment

                                    • TMM_John
                                      Confirmed User
                                      • May 2004
                                      • 6664

                                      #19
                                      Originally posted by interracialtoons
                                      I don't see the connection to NATs. He is hacking a server right?
                                      Could be a NATS exploit, could be a hacker targeting NATS users and hacking with general random hacks just to get on the box then fucking with things.

                                      We're looking into it with everyone involved.



                                      Comment

                                      • teksonline
                                        So Fucking Banned
                                        • Jan 2005
                                        • 2904

                                        #20
                                        edit, nevermind, i misread that

                                        Comment

                                        • TMM_John
                                          Confirmed User
                                          • May 2004
                                          • 6664

                                          #21
                                          Originally posted by teksonline
                                          why are you not firewalling it?
                                          I'm pretty sure if that were a valid solution Chris would have thought of it

                                          Good chance they're doing things thru port 80 which is kinda rough to firewall.



                                          Comment

                                          • ladida
                                            Confirmed User
                                            • Nov 2005
                                            • 2179

                                            #22
                                            Rofl. Shutting down 65.110.62.120 will only leave you with no idea where the attack is coming from. If you know what you're doing, you'll secure the box/es, follow the IP to see whether you have any breaches, and hope that he'll stay on that box forever, as it will be like a beacon when he comes.
                                            agentGFY *at* gmail.com

                                            Comment

                                            • teksonline
                                              So Fucking Banned
                                              • Jan 2005
                                              • 2904

                                              #23
                                              Naah, I was eating and under the impression he was still hacking live as he typed that... BTW, you can firewall an IP via inbound/outbound on any individual port or all, which I am sure they have done.

                                              Comment

                                              • TMM_John
                                                Confirmed User
                                                • May 2004
                                                • 6664

                                                #24
                                                Originally posted by teksonline
                                                Naah, I was eating and under the impression he was still hacking live as he typed that... BTW, you can firewall an IP via inbound/outbound on any individual port or all, which I am sure they have done.
                                                Of course you can, considering his thread topic was "Block this IP" I think it was obvious he had done that in some fashion



                                                Comment

                                                • MaddCaz
                                                  Confirmed User
                                                  • Mar 2006
                                                  • 9483

                                                  #25
                                                  Geet Hiimmmmmm


                                                  Comment

                                                  • SplitInfinity
                                                    Confirmed User
                                                    • Dec 2002
                                                    • 3047

                                                    #26
                                                    Ok UPDATES.....

                                                    I have been in several boxes around the world that this guy is in...
                                                    It seems this is not a NATS-specific hack, but this hacker is targeting
                                                    NATS systems that use epassporte since those are the only ones he can
                                                    steal money from.

                                                    He is using some MySQL injection exploit to find NATS databases.

                                                    You should check your servers for the following:

                                                    Directories that should not be there... if they are, contact me...
                                                    /dev/k4rd
                                                    /dev/k4rd/proc.k4rd

                                                    In your /lib directory, this will surely tell you your system has been rooted:

                                                    [root@mail ~]# cd /lib
                                                    [root@mail lib]# grep k4rd *
                                                    Binary file libutil-2.3.3.so matches
                                                    Binary file libutil-2.3.4.so matches
                                                    Binary file libutil-2.3.5.so matches


                                                    All three of those files are kernel libs that totally give the guy control
                                                    of your system. In our case, we're owning him right now...... lol

                                                    Note to all: NATS has been VERY helpful in the situation.
                                                    They have heard of this same person before; he is apparently in Australia.

                                                    I want to say that anyone using NATS is in good hands. These guys are all
                                                    talking to me as I uncover all of this so they can jump on whatever they need to jump on to get things fixed (if they need to advise people to upgrade MySQL, for example, or whatever).

                                                    Comment

                                                    • TheSenator
                                                      Too lazy to set a custom title
                                                      • Feb 2003
                                                      • 13340

                                                      #27
                                                      bump.. FUCK HIM Up!

                                                      Comment

                                                      • fris
                                                        Too lazy to set a custom title
                                                        • Aug 2002
                                                        • 55679

                                                        #28
                                                        PORT STATE SERVICE
                                                        22/tcp open ssh
                                                        25/tcp open smtp
                                                        53/tcp open domain
                                                        80/tcp open http
                                                        135/tcp filtered msrpc
                                                        136/tcp filtered profile
                                                        137/tcp filtered netbios-ns
                                                        138/tcp filtered netbios-dgm
                                                        139/tcp filtered netbios-ssn
                                                        143/tcp open imap
                                                        993/tcp open imaps
                                                        1080/tcp filtered socks
                                                        2121/tcp open ccproxy-ftp
                                                        3128/tcp filtered squid-http
                                                        3306/tcp open mysql
                                                        6588/tcp filtered analogx
                                                        8081/tcp filtered blackice-icecap

                                                        Comment

                                                        • SplitInfinity
                                                          Confirmed User
                                                          • Dec 2002
                                                          • 3047

                                                          #29
                                                          Just to let you know what is in one of those lib files... study the strings...
                                                          you can see he runs a sniffer and other find stuff... this kernel module is the shit... VERY intelligent hacker...


                                                          [root@mail lib]# strings libutil-2.3.3.so|more
                                                          _DYNAMIC
                                                          _GLOBAL_OFFSET_TABLE_
                                                          dkgm_control
                                                          dkg_pid_alive
                                                          dkg_pid_add
                                                          dkg_pid_delete
                                                          kill
                                                          dkg_open_pscore
                                                          umask
                                                          ftruncate
                                                          mmap
                                                          dkg_close_pscore
                                                          munmap
                                                          dkg_pid_check
                                                          dkg_pid_cself
                                                          getpid
                                                          dkg_proc_hidden
                                                          dkg_o_sym
                                                          dlsym
                                                          dkg_is_auth
                                                          dkg_file_hidden
                                                          strlen
                                                          strcmp
                                                          readdir
                                                          readdir64
                                                          dkg_proc
                                                          opendir
                                                          closedir
                                                          clone
                                                          vfork
                                                          dkg_check_bd
                                                          memset
                                                          strncpy
                                                          memmem
                                                          strncmp
                                                          alarm
                                                          setreuid
                                                          setregid
                                                          write
                                                          dkg_login
                                                          ioctl
                                                          drg_read
                                                          strchr
                                                          read64
                                                          memcpy
                                                          recv
                                                          strstr
                                                          execve
                                                          getuid
                                                          geteuid
                                                          drg_open
                                                          open64
                                                          fopen
                                                          fileno
                                                          create_nl
                                                          create_net_struc
                                                          drg_close
                                                          close64
                                                          fclose
                                                          free
                                                          fgets
                                                          feof
                                                          malloc
                                                          lseek
                                                          create_net_tab
                                                          strip_net
                                                          fill_netlist
                                                          strcpy
                                                          sprintf
                                                          readlink
                                                          atoi
                                                          dkg_envp
                                                          dkg_argv
                                                          dkg_hup
                                                          _exit
                                                          dkg_get_tty
                                                          dkg_open_tty
                                                          openpty
                                                          dkg_enprint
                                                          setpgid
                                                          setsid
                                                          __sysv_signal
                                                          dup2
                                                          chdir
                                                          hupty
                                                          select
                                                          memchr
                                                          __xstat
                                                          __fxstat
                                                          libdl.so.2
                                                          libutil.so.1
                                                          _edata
                                                          __bss_start
                                                          _end
                                                          GLIBC_2.0
                                                          jBhh;
                                                          Phtcp
                                                          Phudp
                                                          Phraw
                                                          0he<
                                                          8 u$
                                                          8 t!
                                                          /dev/k4rd/proc.k4rd
                                                          k4rd
                                                          ld.so.preload
                                                          readdir
                                                          readdir64
                                                          opendir
                                                          /proc
                                                          closedir
                                                          clone
                                                          fork
                                                          dKg!:anuslicker
                                                          +dKg!
                                                          read
                                                          /dev/k4rd/.sniffer
                                                          recv
                                                          write
                                                          ssword:
                                                          phrase:
                                                          execve
                                                          getuid
                                                          open
                                                          open64
                                                          fopen
                                                          close
                                                          close64
                                                          fclose
                                                          fgets
                                                          feof
                                                          /proc/net/
                                                          /proc/
                                                          socket:[
                                                          TERM=linux
                                                          SHELL=/bin/bash
                                                          PS1=\[\033[1;30m\][\[\033[0;32m\]\u\[\033[1;32m\]@\[\033[0;32m\]\h \[\033[1;37m\]\W\[\033[1;30m\]]\[\033[0m\]\$
                                                          HISTFILE=/dev/null
                                                          HOME=/dev/k4rd
                                                          PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin:./bin:/dev/k4rd:/dev/k4rd/bin
                                                          pqrstuvwxyzabcde
                                                          0123456789abcdef
                                                          /dev/ptmx
                                                          Can't open a tty, all in use ?
                                                          Can't fork subshell, there is no way...
                                                          /dev/k4rd
                                                          /bin/sh
                                                          Can't execve shell!
                                                          login
                                                          telnet
                                                          rlogin
                                                          rexec
                                                          passwd
                                                          adduser
                                                          mysql
                                                          sudo

                                                          Comment
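A defender's check for the indicators given in posts #26 and #29, written here as an added example rather than a script from the poster or from Too Much Media: it looks for the /dev/k4rd directories, for the string k4rd inside /lib/libutil-*.so, and for an /etc/ld.so.preload entry, which is how the strings output (ld.so.preload, hooked readdir/open/execve) says the library gets loaded. The root-directory argument and the function name are assumptions so the same check can run against a mounted image or a constructed test tree.

```shell
#!/bin/sh
# Added example: count the k4rd indicators described in the thread under a root
# directory. ROOT="" means the live system; a mounted image or test tree can be
# passed instead (assumption: nothing in the thread prescribes this interface).
# Indicator details go to stderr, the count alone goes to stdout.

k4rd_indicator_count() {
    root="${1:-}"
    count=0

    # 1. Directories the post says should not be there
    for d in "$root/dev/k4rd" "$root/dev/k4rd/proc.k4rd"; do
        if [ -e "$d" ]; then
            echo "INDICATOR: $d exists" >&2
            count=$((count + 1))
        fi
    done

    # 2. The grep the poster ran: "k4rd" embedded in the libutil shared objects
    for f in "$root"/lib/libutil-*.so; do
        [ -f "$f" ] || continue
        if grep -q "k4rd" "$f"; then
            echo "INDICATOR: $f contains the string k4rd" >&2
            count=$((count + 1))
        fi
    done

    # 3. ld.so.preload: a library named there is mapped into every dynamically
    #    linked process, which is what lets it hook readdir, open and execve
    preload="$root/etc/ld.so.preload"
    if [ -s "$preload" ]; then
        echo "INDICATOR: $preload is present with these entries:" >&2
        sed 's/^/    /' "$preload" >&2
        count=$((count + 1))
    fi

    echo "$count"
}

# Stand-alone use: sh k4rd_check.sh [ROOT]
n=$(k4rd_indicator_count "${1:-}")
echo "k4rd indicators found: $n"
```

Because the preloaded library hooks readdir, stat and open in every dynamically linked program, run this from a rescue boot or against a mounted image rather than from a shell on the live host, where the tools themselves can be lied to.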

                                                          • Pete-KT
                                                            Workin With The Devil
                                                            • Oct 2004
                                                            • 51532

                                                            #30
                                                            Good work guys. When I get into the office tomorrow, I will check our servers to make sure he hasn't got into our systems.


                                                            • SplitInfinity
                                                              Confirmed User
                                                              • Dec 2002
                                                              • 3047

                                                              #31
                                                              chris-jesters-powerbook-g4-17:~ chris$ whois -a 65.110.62.120
                                                              Sago Networks SAGO-20030401 (NET-65-110-32-0-1)
                                                              65.110.32.0 - 65.110.63.255
                                                              Anton Tenev SAGO-65-110-62-120 (NET-65-110-62-120-1)
                                                              65.110.62.120 - 65.110.62.129


                                                              Sagonet SWIPs their IPs into the customer's name...

                                                              This guy may not be the hacker, but he owns the box that the hacker
                                                              has been osama-bin-lading on....

                                                              CustName: Anton Tenev
                                                              Address: Dianabad bl.5b
                                                              City: Sofia
                                                              StateProv: -1
                                                              PostalCode: 1000
                                                              Country: BG
                                                              RegDate: 2005-04-15
                                                              Updated: 2005-04-15

                                                              NetRange: 65.110.62.120 - 65.110.62.129
                                                              CIDR: 65.110.62.120/29, 65.110.62.128/31
                                                              NetName: SAGO-65-110-62-120
                                                              NetHandle: NET-65-110-62-120-1
                                                              Parent: NET-65-110-32-0-1
                                                              NetType: Reassigned


                                                              • ladida
                                                                Confirmed User
                                                                • Nov 2005
                                                                • 2179

                                                                #32
                                                                Originally posted by SplitInfinity
                                                                You should check your servers for the following:

                                                                Directories that should not be there... if they are, contact me...
                                                                /dev/k4rd
                                                                /dev/k4rd/proc.k4rd

                                                                In your /lib directory, this will surely tell you your system has been rooted:

                                                                [root@mail ~]# cd /lib
                                                                [root@mail lib]# grep k4rd *
                                                                Binary file libutil-2.3.3.so matches
                                                                Binary file libutil-2.3.4.so matches
                                                                Binary file libutil-2.3.5.so matches


                                                                All three of those files are kernel libs that totally give the guy control
                                                                of your system. In our case, we're owning him right now...... lol

                                                                Note to all: Nats has been VERY helpful in the situation.
                                                                they have heard of this same person before, he is apparently in Australia.

                                                                I want to say that anyone using NATS is in good hands, these guys are all
                                                                talking to me as I uncover all of this so they can jump on whatever they need to jump on to get things fixed (if they need to advise people to upgrade mysql for example or whatever)
                                                                And now ask yourself, how did he get inside? How was he able to write in /dev or /lib, and what did he do to secure the access to return back. The sniffer is least of your problems.
                                                                agentGFY *at* gmail.com


                                                                • Superterrorizer
                                                                  Confirmed User
                                                                  • Sep 2003
                                                                  • 509

                                                                  #33
                                                                  And now ask yourself, how did he get inside? How was he able to write in /dev or /lib, and what did he do to secure the access to return back. The sniffer is least of your problems.
                                                                  Word. Logging in as root when it's not needed is also a bad thing, sudo is your friend. (Among other things I could nit pick about)

                                                                  I have been in several boxes around the world that this guy is in...
                                                                  Sure you have.


                                                                  • SplitInfinity
                                                                    Confirmed User
                                                                    • Dec 2002
                                                                    • 3047

                                                                    #34
                                                                    "Sure you have."

                                                                    The box affected is not managed by us, so poop on you. We're lending a hand.
                                                                    Logging in as root to a hosed box doesn't matter, tard. The box is being cleaned and reinstalled anyways.

                                                                    And in regards to your Superterrorizer-style comment "Sure you have.", I have been working with others all day today on different networks who have seen the SAME hacker on their nets... Now why don't you go do something productive like find Osama or something. You guys have a lot of catching up to do.... Be sure and show him you owned me on GFY, lameass. LOL


                                                                    • DWB
                                                                      Registered User
                                                                      • Jul 2003
                                                                      • 31779

                                                                      #35
                                                                      Get 'er done boys!!!

                                                                      Bump to keep it at the top.


                                                                      • Superterrorizer
                                                                        Confirmed User
                                                                        • Sep 2003
                                                                        • 509

                                                                        #36
                                                                        "Sure you have."

                                                                        The box affected is not managed by us, so poop on you. We're lending a hand.
                                                                        Logging in as root to a hosed box doesn't matter, tard. The box is being cleaned and reinstalled anyways.

                                                                        And in regards to your Superterrorizer-style comment "Sure you have.", I have been working with others all day today on different networks who have seen the SAME hacker on their nets... Now why don't you go do something productive like find Osama or something. You guys have a lot of catching up to do.... Be sure and show him you owned me on GFY, lameass. LOL
                                                                        You said "several boxes around the world", now you're saying it's just one box. Would be great if you could get your story straight, you've been saying one thing, then another.

                                                                        You say the box affected is not managed by you, yet the netstat -na you posted shows 66.11.112.15, which is on your network. Let me guess, it's a colo box, right? Wrong, it's mail.suavemente.net, which I suspect is your mail server. So let's recap the REAL story for everyone who is reading:

                                                                        1) Someone pwned your mail server
                                                                        2) You said it was a server not managed by you, but several servers around the world
                                                                        3) You called me a tard
                                                                        4) You get pwned by the tard

                                                                        Would sure like to know what your mail server getting rooted has to do with NATS, so why don't you fill us in on that.

                                                                        I don't dispute the fact that someone has installed a rootkit on your mailserver, and possibly other servers. What I take exception to is your inability to keep your story straight and your resorting to calling me names.

                                                                        Oh by the way, I just got off the phone with Osama. I told him I owned you on GFY, he said "Death to the infidels, dirkah dirkah mohammed jihad".


                                                                        • ladida
                                                                          Confirmed User
                                                                          • Nov 2005
                                                                          • 2179

                                                                          #37
                                                                          root@mail
                                                                          agentGFY *at* gmail.com


                                                                          • CaptainWolfy
                                                                            Playa
                                                                            • Dec 2005
                                                                            • 8439

                                                                            #38
                                                                            Get that hacker so that we can sleep tight!


                                                                            • MikeHawk
                                                                              Confirmed User
                                                                              • Jan 2004
                                                                              • 6683

                                                                              #39
                                                                              Originally posted by SplitInfinity
                                                                              Ok UPDATES.....

                                                                              I have been in several boxes around the world that this guy is in...
                                                                              It seems this it not a NATS specific hack, but this hacker is targeting
                                                                              nats systems that use epassporte since thats the only ones he can
                                                                              steal money from.

                                                                              He is using some mysql injection exploit to find nats databases.

                                                                              You should check your servers for the following:

                                                                              Directories that should not be there... if they are, contact me...
                                                                              /dev/k4rd
                                                                              /dev/k4rd/proc.k4rd

                                                                              In your /lib directory, this will surely tell you your system has been rooted:

                                                                              [root@mail ~]# cd /lib
                                                                              [root@mail lib]# grep k4rd *
                                                                              Binary file libutil-2.3.3.so matches
                                                                              Binary file libutil-2.3.4.so matches
                                                                              Binary file libutil-2.3.5.so matches


                                                                              All three of those files are kernel libs that totally give the guy control
                                                                              of your system. In our case, we're owning him right now...... lol

                                                                              Note to all: Nats has been VERY helpful in the situation.
                                                                              they have heard of this same person before, he is apparently in Australia.

                                                                              I want to say that anyone using NATS is in good hands, these guys are all
                                                                              talking to me as I uncover all of this so they can jump on whatever they need to jump on to get things fixed (if they need to advise people to upgrade mysql for example or whatever)

                                                                              We caught this fucker a while ago.... Epass shut down his account, they know who he is or what name he used last time..... We were tracking his epass activity and found what city and hotel he was in, I was about to jump on a plane and go pay him a visit with a few friends...lol....

                                                                              Great work Chris...see you in LA?
                                                                              THE AMBUSH INTERVIEW

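The check list quoted in #32 and #39 (look for /dev/k4rd and /dev/k4rd/proc.k4rd, grep /lib for the string "k4rd") and the strings dumped from the binary earlier in the thread (HISTFILE=/dev/null, HOME=/dev/k4rd, a PATH that includes /dev/k4rd and /dev/k4rd/bin) are enough to script a repeatable indicator check. The script below is an added example written for this page; it is not code from the thread or from NATS. It assumes a ROOT parameter so the check can be pointed at a suspect drive mounted read-only under a clean OS, which is the only trustworthy way to run it: on a live rooted box grep, find and libc itself may already be trojaned, which is also why the "kernel libs" wording above is misleading, libutil-2.3.x.so being glibc's login/pty helper library, not part of the kernel. The /lib64 path and the rc-file check are assumptions extrapolated from the posted strings.

```shell
#!/bin/sh
# Added example (not from the thread): offline indicator check for the
# "k4rd" kit discussed above.  Indicators taken from the posts:
#   - /dev/k4rd and /dev/k4rd/proc.k4rd exist
#   - /lib/libutil-2.3.*.so contains the string "k4rd"
#   - the dumped binary sets HISTFILE=/dev/null, HOME=/dev/k4rd and puts
#     /dev/k4rd:/dev/k4rd/bin on PATH
# ROOT is an assumed parameter: point it at a suspect drive mounted
# read-only under a clean OS (e.g. /mnt/suspect).  Default is the live "/".

# check_k4rd [ROOT] -> prints one line per finding, returns 1 if any
# indicator was found and 0 if the tree looks clean.
check_k4rd() {
    root="${1:-/}"
    root="${root%/}"            # "/" becomes "", so "$root/dev" stays absolute
    found=0

    # 1. Hidden directories the kit keeps under /dev (from the posts;
    #    /dev/k4rd/bin comes from the PATH string in the dumped binary).
    for d in /dev/k4rd /dev/k4rd/proc.k4rd /dev/k4rd/bin; do
        if [ -e "$root$d" ]; then
            echo "FOUND: $root$d exists"
            found=1
        fi
    done

    # 2. Trojaned glibc helper library.  A clean libutil-2.3.x.so never
    #    contains "k4rd".  /lib64 is an assumption for 64-bit installs; the
    #    glob may match nothing, hence the -f test.  grep -q works on binaries.
    for f in "$root"/lib/libutil-*.so "$root"/lib64/libutil-*.so; do
        [ -f "$f" ] || continue
        if grep -q 'k4rd' "$f" 2>/dev/null; then
            echo "FOUND: rootkit string in $f"
            found=1
        fi
    done

    # 3. Environment persistence (assumption, extrapolated from the dumped
    #    strings): a shell rc file that disables history or adds /dev/k4rd
    #    to PATH is not something an admin wrote.
    for rc in "$root"/root/.bashrc "$root"/root/.bash_profile \
              "$root"/etc/profile "$root"/etc/bashrc; do
        [ -f "$rc" ] || continue
        if grep -qE 'HISTFILE=/dev/null|/dev/k4rd' "$rc" 2>/dev/null; then
            echo "FOUND: rootkit environment in $rc"
            found=1
        fi
    done

    return "$found"
}

# Stand-alone run: ./check_k4rd.sh /mnt/suspect
if [ $# -gt 0 ]; then
    check_k4rd "$1" || echo "indicators found under $1; rebuild, do not clean"
fi
```

On an RPM-based host a complementary check is `rpm -Vf /lib/libutil-2.3.4.so`, which compares the file's size, mode and digest against the package database; treat a mismatch as confirmation, but not a clean result as exoneration, since the rpm database on a rooted box can be edited too. A positive from any of these checks means the box gets reinstalled from known media, as the thread itself says, because the real question (how the attacker got write access to /dev and /lib in the first place) is not answered by finding the kit.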

                                                                              • fris
                                                                                Too lazy to set a custom title
                                                                                • Aug 2002
                                                                                • 55679

                                                                                #40
                                                                                Be sure it's the owner of the box really doing it. I know with Interland a while back people were hacking all their servers and doing DDoS attacks using the machines.
                                                                                Since 1999: 69 Adult Industry awards for Best Hosting Company and professional excellence.


                                                                                • SplitInfinity
                                                                                  Confirmed User
                                                                                  • Dec 2002
                                                                                  • 3047

                                                                                  #41
                                                                                  Fris, you are right, we will surely talk to the box owner first. And if it's not him, we'll advise him of what he needs to do to secure his box... It very well may not be him, but I do know Sagonet had received many, many complaints about it.
                                                                                  Odd that it would not be fixed months ago.

                                                                                  Superterrorizer - You are such a putz. I'm here giving people info on something going on related to NATS and all you can do is look for "story" changing? Perhaps the box was on another IP because I moved the HD
                                                                                  so I could examine the drive under a clean kernel and OS..... I don't
                                                                                  need to explain anything to you, and yes I will call you names if I like. ;-)

                                                                                  Hence the title of this board: GFY.

                                                                                  You are just an idiot looking for drama and trouble and I don't respect that.
                                                                                  So be nice and I'm nice, otherwise I'm not nice... that's it.


                                                                                  • SplitInfinity
                                                                                    Confirmed User
                                                                                    • Dec 2002
                                                                                    • 3047

                                                                                    #42
                                                                                    Mike, yes, LA! Lets hook up.


                                                                                    • Superterrorizer
                                                                                      Confirmed User
                                                                                      • Sep 2003
                                                                                      • 509

                                                                                      #43
                                                                                      Superterrorizer - You are such a putz. I'm here giving people info on something going on related to NATS and all you can do is look for "story" changing? Perhaps the box was on another IP because I moved the HD
                                                                                      so I could examine the drive under a clean kernel and OS..... I don't
                                                                                      need to explain anything to you, and yes I will call you names if I like. ;-)
                                                                                      Bullshit. 100% bullshit. Your mailserver got hacked and you know it.

                                                                                      Why would you put a known compromised hard drive IN YOUR MAIL SERVER?

                                                                                      Why would that "hacker's" IP have an established connection to the IP of your mail server? The only explanation is that your mail server was compromised and you posted the evidence right here yourself.

                                                                                      You can call me all the names you want but that doesn't change the fact that _YOU_ are not being honest with the people on this board. I am simply pointing out the anomalies in your posts, and rather than explaining how this has anything at all to do with NATS (Or anything other than your mailserver being hacked) you simply resort to calling me names. You were trying to make yourself look like some kind of internet hero and it backfired.


                                                                                      You are the one looking for drama by posting this shit in the first place so please don't try and make me look like the bad guy. Just keep spewing that bullshit. Do you think that there aren't guys who read/post on this board who have made the same conclusions I have? This place is filled with nerds (Some of them UBER nerds), both posters and lurkers.


                                                                                      Hence the title of this board: GFY.
                                                                                      Yeah you did kind of fuck yourself by not removing the ip of your mailserver from your post, didn't you.

                                                                                      You are just an idiot looking for drama and trouble and I don't respect that.
                                                                                      So be nice and I'm nice, otherwise I'm not nice... that's it.
                                                                                      If I am an idiot looking for drama and trouble then that must make anybody who has read this thread (Which still doesn't appear to have anything at all to do with NATS or anything other than you not being able to keep up with those pesky root exploits on your mail server) an idiot for having had to read your bullshit. This isn't a matter of respect, I could fucking care less if you respected me or not. I'm just looking for a little bit of truth and that's a commodity in short order in your posts in this thread.


                                                                                      • split_joel
                                                                                        Confirmed User
                                                                                        • Jan 2005
                                                                                        • 2270

                                                                                        #44
                                                                                        I just got to put my two cents in this thread. How many times has Chris made security posts and tried to help people out? There's no reason why anyone should attack him, regardless of how much we all can't stand him *lol* just kidding. All I am saying is he's trying to help, simple as that. Bring the drama somewhere else.
                                                                                        E-mail marketing - Automation Scripting - IP Space
                                                                                        AIM: splitjoelp ICQ: 254759453 skype - splitjoelp 702-941-6465


                                                                                        • prodiac
                                                                                          Confirmed User
                                                                                          • Sep 2003
                                                                                          • 419

                                                                                          #45
                                                                                          Originally posted by split_joel
                                                                                          I just got to put my two cents in this thread. How many times has Chris made security posts and tried to help people out? There's no reason why anyone should attack him, regardless of how much we all can't stand him *lol* just kidding. All I am saying is he's trying to help, simple as that. Bring the drama somewhere else.
                                                                                          Should have at least put in a dime, your two cents are pretty much worthless.

                                                                                          While the idea of this thread seems like a good one, it seems to be lacking some information. I fail to see how this specifically had anything to do with NATS in the first place, and why it was included in the subject. It made it sound as if it was specifically related to NATS.

                                                                                          Though, the thread did take a turn for the comedic side I must admit, as the lies continue to pour in and be danced around. How on earth would putting the rooted drive in your mail server, to mount the file system from it, allow the same hacker to connect to your mail server?

                                                                                          Oddities aside, if your intent is to provide information to the public to help awareness of this issue, do you have any more useful information you could provide in regards to the affected servers? Such as any commonalities in them. What OS were they running? Were any of them running outdated Apache/PHP installs? Was this a common thing across the board? Since these don't sound to all be NATS servers, what other scripts do they all have that could be the point of origin?

                                                                                          Just trying to get some better ideas of the issue at hand that you are seeing, as I'm sure everyone here would appreciate more detailed information.


                                                                                          • prodiac
                                                                                            Confirmed User
                                                                                            • Sep 2003
                                                                                            • 419

                                                                                            #46
                                                                                            Originally posted by split_joel
                                                                                            I just got to put my two cents in this thread. How many times has chris made seucirty post and tried to help people out, there's no reason why anyone should attack him regardless of how much we all can't stand him *lol* just kidding. All I am saying is he's tryin to help simple as that. Bring the drama somewhere else.
                                                                                            Also, I wanted to give you a heads up. Firefox 2.0 is out now, it has a built in spell checker. Alarms sound and everything when I click reply on your message.

                                                                                            Really though, it underlines your mistakes while you're typing.


                                                                                            • SplitInfinity
                                                                                              Confirmed User
                                                                                              • Dec 2002
                                                                                              • 3047

                                                                                              #47
                                                                                              "Why would you put a known compromised hard drive IN YOUR MAIL SERVER?
                                                                                              "

                                                                                              Whoever said the server was live and in use? Just because the host name looked good to you? LOL Instead of poking at me, why don't you listen to what was said.... Block the IP, that guy is AFTER NATS BOXES. That is how it
                                                                                              has to do with NATS. I have been working with the folks at NATS today on this.
                                                                                              We are trying to hunt this guy down and also find out what exploits he is
                                                                                              using to get into NATS servers. Right, the hack itself has not much to do with NATS, seems more like a mysql injection exploit at this time, however the warning was clear - Block the IP if you are running NATS, especially if you use epassporte with NATS because he is more interested in those than anything.

                                                                                              You guys just made assumptions and tried to make me look dumb, that's not
                                                                                              cool. Perhaps in the future I'll refrain from disclosing known live hacker activity. Some people just love to hate.

                                                                                              • SplitInfinity
                                                                                                Confirmed User
                                                                                                • Dec 2002
                                                                                                • 3047

                                                                                                #48
                                                                                                From NANOG:

It saddens me to mention this, as I am an Amateur Radio operator as well (N3YMY).

k4rd could be an Amateur Radio call sign.

                                                                                                This one actually does exist and has the following information
                                                                                                (www.qrz.com):

                                                                                                K4RD
                                                                                                WILLIAM E GREESON
                                                                                                1500 E TERRAMAR DR
                                                                                                LAUDERDALE BYTHE SEA FL 33062
                                                                                                USA

                                                                                                33062 is a zip code in Tampa, FL.

                                                                                                Sagonet is in Tampa. (whois.arin.net)

                                                                                                traceroute shows packets for 65.110.62.120 flowing into Tampa.

                                                                                                It may all be coincidence; however, it's *mighty* interesting...

                                                                                                • split_joel
                                                                                                  Confirmed User
                                                                                                  • Jan 2005
                                                                                                  • 2270

                                                                                                  #49
                                                                                                  Originally posted by prodiac
                                                                                                  Should have at least put in a dime, your two cents are pretty much worthless.
With all due respect Eastman, all the hours of sleep I lost cleaning up the mess you made over the years working for Split make any input in this thread useless.

To add to the fact, you have been a bitter dick since you left Split.

Any chance you get, you try to attack anything Chris and I say, yet you forget where you came from.

From what I remember, you were just some idiot who worked for a dying dial-up company, who got lucky to get a job you weren't qualified for.

Years later, after learning shit from Chris, then going on your own and learning shit, you get a big load of confidence and think you're the shit, and you go looking for the bigger buck.

Fact is, you're an asshole, dude, and I don't know how much you think you know, but I will say this.

I hope you know more than you did when you were here, because we're still fixing your mistakes.
                                                                                                  E-mail marketing - Automation Scripting - IP Space
                                                                                                  AIM: splitjoelp ICQ: 254759453 skype - splitjoelp 702-941-6465

                                                                                                  • SplitInfinity
                                                                                                    Confirmed User
                                                                                                    • Dec 2002
                                                                                                    • 3047

                                                                                                    #50
Joel, I hate to disagree with you, but Prodiac is good people. I know you are angry that he picks on you, but Joel, we didn't clean up any "mess" of his, so if you are going to post, please don't post comments from the company in anger... He is a good tech and left no messes; your comments above were made incorrectly. If you want to fight with him, I suggest a game of poker. :-) Fact is, you didn't work with him for the many years I did... so your post is biased. Don't be mad, your spelling does suck. :-) LOL

On the other hand: Superterrorizer is a dork. I can state that because I experienced it. See the difference, Joel? :-)
