
hackers and such..


  • hackers and such..

    I made a post this past weekend in another section about my site having issues after being hacked. This is not about that, per se, but just a bit of information for the rest of you.

    I run a dedicated server with FreeBSD 4.8 STABLE. The server has cPanel on it, but I never use the thing, and prefer to work from the prompt. Well, I had an older version of ProFTPD on the server, and the dude was able to use a vulnerability within ProFTPD and PAM to gain access to the server. However, he was only logged in as that user, and was oblivious to the fact that he could have done much worse. So here is the point:

    After having a ton of data deleted on the server this past Saturday, and realizing it would require a fair amount of work, I just re-uploaded a clean copy of vBulletin and went on with life, and started scanning the hard drive for any files modified within a 48-hour period. One immediately stuck out like a sore thumb even before I began the search: hack.php in my webroot directory for that specific site. I went to it via the web, and holy crap did I freak out. I immediately logged back into the server via SSH, moved the file to a directory not accessible from the web, and finally moved it off the server to my local hard drive. I then started the scan of the server's HD and found "yeah.jpg" and "back" in the /tmp directory. I just deleted both from the server, but wish I'd gotten them as well.

    The dude doing the hacking on my server called it a defacement in progress on all the little so-called security sites, such as zone-h. For ****s and giggles, I just blocked his entire Class A subnet until I could figure everything out. So if any of you Dutchies out there can't get to anymore, I apologize. But none of you have ever heard of it, so no biggie.

    The dude doing the hacking was madturk/damar or whatever name he goes by on any given day. Here is a pic of my site after his foolishness:

    another of the images I found elsewhere..

    A link to the "security info":

    And what's more hilarious is that the file he did that to was no longer used. For anything.

    So the point here is: if you notice anything like this going on, search your server/website directories and world-writable directories for the files I mention here, and start working that firewall a bit.

    It sucked over the weekend, but lesson learned. The hard way.

    If anyone within the vBulletin team would like a copy of the hack.php file I mention, just let me know. As best I can tell, nothing in vB was touched, and I was using an old version, 3.0.0.
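The triage the poster describes (list everything modified in the last 48 hours, then look for dropped scripts in the webroot and in world-writable spots like /tmp) boils down to a couple of `find` invocations. The script below is an added example, not code from the original post or from vBulletin; the directory layout, file names and the 48-hour window are assumptions modelled on what the post reports, and the sample tree it builds is constructed for offline testing.

```shell
#!/bin/sh
# Added example (not from the original post): a small triage script that
# reproduces the checks the poster describes. File names and paths are
# assumptions; the sample tree is constructed so the script runs offline.

# recently_modified ROOT HOURS
# Prints every regular file under ROOT modified within the last HOURS hours
# (the poster used a 48-hour window after noticing the defacement).
recently_modified() {
    root=$1
    hours=$2
    mins=$((hours * 60))
    find "$root" -type f -mmin "-$mins" 2>/dev/null | sort
}

# scripts_in_world_writable ROOT
# Prints script-like files (.php, .pl, .sh, .cgi) that sit directly inside
# world-writable directories under ROOT. /tmp is the classic drop point
# (the post mentions "yeah.jpg" and "back" turning up there).
scripts_in_world_writable() {
    root=$1
    find "$root" -type d -perm -0002 2>/dev/null | while read -r d; do
        find "$d" -maxdepth 1 -type f \
            \( -name '*.php' -o -name '*.pl' -o -name '*.sh' -o -name '*.cgi' \)
    done | sort
}

# build_sample_tree DIR
# Constructs a sample layout: an old, untouched forum file, a freshly
# dropped hack.php in the web root, and a world-writable tmp directory
# holding a dropped file and a dropped PHP script.
build_sample_tree() {
    base=$1
    mkdir -p "$base/webroot/forum" "$base/tmp"
    chmod 1777 "$base/tmp"
    echo '<?php echo "legit"; ?>' > "$base/webroot/forum/index.php"
    touch -t 200301010000 "$base/webroot/forum/index.php"   # untouched for years
    echo '<?php /* constructed stand-in for the dropped file */ ?>' > "$base/webroot/hack.php"
    echo 'constructed' > "$base/tmp/back"
    echo '<?php /* constructed */ ?>' > "$base/tmp/shell.php"
}

# Stand-alone run: build the tree in a scratch directory and report.
if [ "${RUN_DEMO:-1}" = 1 ]; then
    demo=$(mktemp -d)
    build_sample_tree "$demo"
    echo "== files modified in the last 48h under $demo =="
    recently_modified "$demo" 48
    echo "== scripts sitting in world-writable directories =="
    scripts_in_world_writable "$demo"
    rm -rf "$demo"
fi
```

On a real box you would run `recently_modified /usr/local/www 48` (or wherever the webroot lives) and `scripts_in_world_writable /`, then compare the hits against what you uploaded yourself; a fresh `.php` in the webroot that you never put there, or any script under /tmp, is the "sore thumb" the poster means. Note that an attacker who has shell access can reset timestamps with `touch -t`, so a clean mtime scan is evidence of absence only for a sloppy intruder.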

  • #2
    Can you send me a copy of hack.php? I will take a look at it.
    Send me a PM, and I will give you my email address.
    Microsoft Beta Team


    • #3
      Why would they post a URL to their website? Can't it get shut down?


      • #4
        Depends on where it is hosted.


        • #5
          Originally posted by Joe Gronlund
          Can you send me a copy of hack.php? I will take a look at it.
          Send me a PM, and I will give you my email address.
          No offense, Joe, but I'd rather not just distribute the file as it is a pretty malicious file in the wrong hands.

          I will tell you though, once it's on the server, the possibilities are just about limitless.