Login

***anyweb*** · 2003-12-23, 12:59 PM

hi guys

the site was defaced probably due to really old openssl versions etc

heres the servers details

Apache/1.3.29 (Unix) mod_auth_passthrough/1.8 mod_log_bytes/1.2 mod_bwlimited/1.2 PHP/4.3.4 FrontPage/5.0.2.2634 mod_ssl/2.8.16 OpenSSL/0.9.6b

its more than likely rootkitted by now

ive put up a temp index.php page just to alert people that its down but below is a screenshot of the defaced page

cheers

anyweb

<a class="ipsAttachLink ipsAttachLink_image" href="<fileStore.core_Attachment>/post-38-1072184360.png" data-fileid="12">[img]<fileStore.core_Attachment>/post-38-1072184360.png[/img]</a>

***anyweb*** · (This post was last modified: 2003-12-23, 04:39 PM by anyweb.)

from what i can see the website was hacked at 1:58AM

the hacker copied index.html (946 bytes) to every single folder in the website layout,

i am attempting to remove the offending file from all those folders, and im making a backup of the site right now (takes time over ftp)

however, if they got in, then the site/server is compromised and could have rootkits installed

the hacker... uses 'their' logo from this address

[/url][url=http://www.tr0yck.blogger.com.br/]http://www.tr0yck.blogger.com.br/ which is in brazil channel #Ir4dex on irc.brasnet.org

so thats where you can start to look for them,

cheers

anyweb

kZo · 2003-12-23, 02:05 PM

Nice. At leas the deface wasn't anything explictive or anything. That's at least a positive side. Thanks for that info, this could be the start of something fun. :P

Sorry to hear about the defacing, but I like a challenge, and I feel like fighting back. Go go go....

[img]<___base_url___>/uploads/emoticons/default_ph34r.png[/img][img]<___base_url___>/uploads/emoticons/default_ph34r.png[/img][img]<___base_url___>/uploads/emoticons/default_ph34r.png[/img][img]<___base_url___>/uploads/emoticons/default_ph34r.png[/img][img]<___base_url___>/uploads/emoticons/default_ph34r.png[/img]

***anyweb*** · 2003-12-23, 06:06 PM

478 index.html 's man these guys are assholes...

hijinks · 2003-12-23, 06:35 PM

it looks like everything was up to date. My guess is they got someone's account and got in that way

[HTAS]OneUp! · 2003-12-23, 06:38 PM

Hacked? [img]<___base_url___>/uploads/emoticons/default_ohmy.png[/img] lol...... [img]<___base_url___>/uploads/emoticons/default_rolleyes.gif[/img]

Riqtam · 2003-12-23, 06:55 PM

Anyweb mate it's your forums you're the one that supposed to help others lol!

***anyweb*** · (This post was last modified: 2003-12-23, 07:47 PM by anyweb.)

its NOT my forums dude, its the forums of a CLAN that i happen to be a member of,

the site that was hacked was [/url][url=http://www.clanhtas.net]http://www.clanhtas.net

their site was rooted, i'm just reporting it here and doing what i can to help

my site (https://www.linux-noob.com) has nothing to do with the clan site,

cheers

anyweb

***anyweb*** · 2003-12-24, 12:26 PM

i got the site back up by

ftping the entire content down locally,

deleting all index.htmls and index.php's that were created

taking a backup of the site from october and overwriting the current one with that and then ftp'ing that all back to the site

seems to work now at least, and the host says the server wasnt rooted, that the hackers exploted a vulnerability (which they wont tell) and all is updated and ok now

thats good for xmas

cheers

anyweb

Riqtam · 2003-12-24, 01:01 PM

I meant that this linux n00b is your forums...

What can u and longbow do to secure HTAS' forums and prevent the bored hackers from hacking to our site again?

And thanks a lot to you and longbow for fixing the site :)

Login
Username/Email:
Password:	Lost Password?
	Remember me