JapanGamer
Known Hero
posted October 25, 2008 03:13 AM
Killa Bee is mad and blaming me for hacking him, and I tried to redirect him to this thread for answers.. Maybe he will redeem himself by killing the hacker.
____________
Pictures of god
Cepheus
Honorable
Legendary Hero
Far-flung Keeper
posted October 26, 2008 09:46 PM
Ngaaaagh, it's happening again. I opened the front page about thirty seconds ago and immediately closed my browser when the dreaded Adobe Reader logo showed up.
Geny
Responsible
Undefeatable Hero
What if Elvin was female?
posted October 26, 2008 09:48 PM
JapanGamer
Known Hero
posted October 26, 2008 09:51 PM
No new server alterations on this end, as far as noscript can see.. I got HC blocked anyways.
Asheera
Honorable
Undefeatable Hero
Elite Assassin
posted October 26, 2008 09:54 PM
Poor Val, he'll have to fix these again
Blasted hackers
____________
Adrius
Honorable
Undefeatable Hero
Stand and fight!
posted October 26, 2008 09:55 PM
Guess I'll let HC stay blocked then...
____________
OmegaDestroyer
Hero of Order
Fox or Chicken?
posted October 26, 2008 10:01 PM
Got it again.
____________
The giant has awakened
You drink my blood and drown
Wrath and raving I will not stop
You'll never take me down
Valeriy
Mage of the Land
Naughty, Naughty Valeriy
posted October 26, 2008 11:24 PM
Hacked again, cleaned again...
____________
You can wait for others to do it, but if they don't know how, you'll wait forever.
Be an example of what you want to see on HC and in the world.
http://www.heroesofmightandmagic.com
Asheera
Honorable
Undefeatable Hero
Elite Assassin
posted October 27, 2008 10:43 PM
Hi Val, I don't know much about networking and servers, but I did follow a forum discussion about this hack which I found with Google. There is an interesting post by someone who seems rather knowledgeable about stuff like this. Maybe his post will help you out, so I'll post it here:
Quote: We were also hit by this
We are also hosted by layered technologies.
What we can tell you from our experience from this:
We have multiple servers hosted by LT
Only 2 of our servers with LT were affected by this.
Server 1 - All accounts affected (register_globals enabled)
Server 2 - Only around 5 accounts affected (register_globals enabled)
NOTE: On both of these servers that were affected we have logged that new clients have signed up very recently and requested that the PHP function fopen be enabled on the server for an "eBay listing" script to work. So we went ahead and enabled it.
All other servers: fopen never requested to be enabled
Now on server 1 we realized that all accounts were affected once we received emails from our customers. We then immediately turned off register_globals on all servers as we realized what was going on.
Now as you can see on "server 2" only around 5 accounts were affected. We believe this is because we turned off register_globals just in time.
This is what has happened on the servers that were affected:
1. All accounts in the /home directory were chowned to a different user. Now as we are running suphp this screws up all php applications as they have to be run under the actual account owner. (big headache)
2. many files in ALL user directories with extensions such as .php and .html were injected with the code many of you are talking about
(ALSO NOTE: even files written completely in PHP code, and even some Zend/ionCube encrypted files, had the code injected into them seamlessly. We have even seen the code injected into complex PHP code, not just at the last line of every file.)
Then after a while the entire PHP/Apache structure on "server 1" became completely corrupt.
Basically all php sites came up with 500 errors. We checked the error log and it displayed absolutely no error logs and reasons why.
So we went ahead and tried to recompile the entire apache system and php configuration.
What happened? After every recompile it would compile entirely back to the version that we were running before that was corrupt.
After checking the configuration files it showed that somehow it was edited to make it always go back to the version that was corrupted.
Once we got this fixed we recompiled and everything was back to normal. But then we still had the 500 errors. This is because all of the users' files had been chowned to a different user.
Now if you host many users on a server, that's going to be a headache to chown every single file. So here is a script that you can use to have all ownerships set back to normal.
1. log in to ssh
2. touch perm
3. chmod 777 perm
4. pico perm
5. Insert this code
#!/bin/bash
# Restore ownership of every cPanel account's web root to that account.
# Account names are taken from the directory listing under /var/cpanel/users.
cd /var/cpanel/users || exit 1
for user in *; do
    chown -R "$user:$user" "/home/$user/public_html"
done
6. Then save file
7. execute the file: ./perm
That should fix all permissions of your users.
We then also went ahead and re-hardened our php.
We are currently running with register_globals disabled and fopen disabled.
Here's a list of other PHP functions that we recommend disabling also:
exec, shell_exec, system, passthru, popen, proc_close, proc_get_status, proc_nice, proc_open, proc_terminate
You are then going to want to install mod_security as this will really help against web based attacks if it is configured well.
Everything is now back to normal on the affected servers
Hope this helps other web hosts out there. Wish we could submit more information but as you can see we are bogged down with security issues.
____________
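The quoted post's hardening advice, turned into a check a host could run over its own php.ini. This is an added example, not code from the thread; it assumes the post's "fopen" means the allow_url_fopen directive, and the two ini samples are constructed.

```python
# Audit a php.ini against the hardening the quoted hosting post describes.
# Added example, not code from the thread; the post's "fopen" is read here as
# the allow_url_fopen directive (an assumption).

# Functions the post recommends disabling, deduplicated.
RECOMMENDED_DISABLED = {
    "exec", "shell_exec", "system", "passthru", "popen", "proc_close",
    "proc_get_status", "proc_nice", "proc_open", "proc_terminate",
}

def parse_php_ini(text):
    """Return {directive: value} from php.ini text, skipping comments and sections."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line or line.startswith("[") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip().lower()] = value.strip().strip('"')
    return settings

def is_off(value):
    return value.strip().lower() in ("", "0", "off", "false", "no")

def audit_php_ini(text):
    """Return findings; an empty list means the config matches the post's advice."""
    s = parse_php_ini(text)
    findings = []
    # PHP built-in defaults when a directive is absent: register_globals is Off,
    # allow_url_fopen is On, so a missing allow_url_fopen line is still a finding.
    if not is_off(s.get("register_globals", "off")):
        findings.append("register_globals is enabled")
    if not is_off(s.get("allow_url_fopen", "on")):
        findings.append("allow_url_fopen is enabled")
    disabled = {f.strip() for f in s.get("disable_functions", "").split(",") if f.strip()}
    missing = sorted(RECOMMENDED_DISABLED - disabled)
    if missing:
        findings.append("disable_functions is missing: " + ", ".join(missing))
    return findings

# Constructed samples: the weak configuration beside the corrected one.
WEAK_INI = "[PHP]\nregister_globals = On\nallow_url_fopen = On\ndisable_functions =\n"
HARDENED_INI = (
    "[PHP]\nregister_globals = Off\nallow_url_fopen = Off\n"
    "disable_functions = exec,shell_exec,system,passthru,popen,proc_close,"
    "proc_get_status,proc_nice,proc_open,proc_terminate\n"
)

if __name__ == "__main__":
    for name, ini in (("weak", WEAK_INI), ("hardened", HARDENED_INI)):
        print(name + ":", audit_php_ini(ini) or ["matches the post's recommendations"])
```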
sith_of_ziost
Promising
Supreme Hero
Scouting the Multiverse
posted October 28, 2008 02:36 AM
I recall these blips, and I don't believe I did anything about them. How far back did they extend? I have about six AV programs working simultaneously though, so the virus has to go through a Phalanx to get to me.
broadstrong
Promising
Known Hero
Level 20 Vassal of Light
posted October 29, 2008 12:23 PM
It seems like the three attacks were made on weekends (either Saturday or Sunday). I hope this is not indicative of a worm or something in the HC servers.
____________
The queer part of the Carcity/Broadstrong/Zamfir threeway, equipped with sailing, summon allies, spatial travel and supermover.
Many current projects on hand.
TheDeath
Responsible
Undefeatable Hero
with serious business
posted October 29, 2008 12:41 PM
Quote: I have about six AV programs working simultaneously though, so the virus has to go through a Phalanx to get to me.
LOL that's bad practice dude, they might conflict or not do their job well, because most AV programs need almost full access to your comp, and you can't have that with more than one without conflict, so basically only one of them is the one "active".
If you really want to scan a file (not actively) with a lot of anti-viruses, try Virus Total.
____________
The above post is subject to SIRIOUSness.
No jokes were harmed during the making of this signature.
Fauch
Responsible
Undefeatable Hero
posted November 05, 2008 02:10 PM
Yesterday, when I tried refreshing a page, I got a page full of SQL errors. Then I couldn't access the site for a few minutes, because I got the errors page each time.
It's ok now, you only have to hope no hackers saw it.
Asheera
Honorable
Undefeatable Hero
Elite Assassin
posted November 05, 2008 02:10 PM
Yes it happened to me as well... I was afraid HC got hacked.
____________
Mamgaeater
Legendary Hero
Shroud, Flying, Trample, Haste
posted November 05, 2008 08:42 PM
Who would want to hack HC?
____________
Protection From Everything.
dota
RedSoxFan3
Admirable
Legendary Hero
Fan of Red Sox
posted November 05, 2008 08:42 PM
Another really good thread by Asheera.
I haven't been coming here often enough to see this happen.
____________
Go Red Sox!
OmegaDestroyer
Hero of Order
Fox or Chicken?
posted November 05, 2008 08:50 PM
Take that Radar!
____________
The giant has awakened
You drink my blood and drown
Wrath and raving I will not stop
You'll never take me down
Valeriy
Mage of the Land
Naughty, Naughty Valeriy
posted November 06, 2008 07:07 AM
SQL errors for a minute or so were my doing. Attacks haven't recurred since, but I'm yet to look into prevention further.
____________
You can wait for others to do it, but if they don't know how, you'll wait forever.
Be an example of what you want to see on HC and in the world.
http://www.heroesofmightandmagic.com
Lexxan
Honorable
Undefeatable Hero
Unimpressed by your logic
posted November 06, 2008 09:09 AM
Quote: Who would want to hack HC?
Do I really have to make a list on people who would?
____________
Coincidence? I think not!!!!
friendofgunnar
Honorable
Legendary Hero
able to speed up time
posted November 10, 2008 10:49 PM
This morning I noticed that my modem was processing some information even though I didn't have any browsers open.
I used the netstat program to find out what was going on. (To use netstat, open up the Run function on Windows and type in
netstat -a 5
It will show you a list of all the connections that your computer is running, and it will update every few seconds.)
I found a connection with a computer with an ISP of 91.203.93.51; worse, I found a SYN_SENT signal.
Q: What does a SYN_SENT connection mean?
A: It isn't technically a connection, but one waiting to be born. SYN_SENT means that a program on your PC has made a request for TCP communication to another computer, but has not yet received an acknowledgment (SYN_ACK). It can be indicative (but not always) of a network problem somewhere between you and the remote computer.
If you do an isp lookup on this you'll find it belongs to the "RIPE Network Coordination Centre", which is I believe a masking service.
If you lookup that isp on the RIPE network lookup, you will find it belongs to Mark Liberman. Google that and you will find
I had (have) a keystroke logger on my computer.
I'm almost certain this is from when HC was infected. I used that Unhackme program that Shadow linked to but it didn't remove it. Also, I have my firewall on, and a router, so it's impervious to both of those. Also, when I first logged onto HC that day, Internet Explorer gave me a pop-up that said "IE has blocked some active content blahblah", all of which led me to believe that I was safe. I was not.
I encourage everybody to use netstat frequently and check if they're still infected. If your computer is trying to open up a connection with anybody from RIPE (91.0.0.0 - 91.255.255.255) it means you probably have a keystroke logger.
Meanwhile, I'm going to have to reset all my passwords, call my credit card companies for some new numbers, bomb my hard drive and reinstall windows
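The netstat review described in the post, as an added example (not the poster's own work): it parses `netstat -a` output and lists half-open (SYN_SENT) and established TCP sessions whose foreign address is public rather than on the local network, so the list is classified by address type instead of one fixed range. The sample output is constructed; only the 91.203.93.51 address comes from the post.

```python
# Review `netstat -a` output the way the post suggests, as an added example
# (not from the thread): list outbound TCP attempts (SYN_SENT) and sessions
# (ESTABLISHED) whose foreign address is public rather than on the local network.
import ipaddress

# Constructed sample in the Windows `netstat -a` layout; the 91.203.93.51
# address is the one quoted in the post, the rest is made up.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    192.168.1.20:1043      91.203.93.51:80        SYN_SENT
  TCP    192.168.1.20:1044      192.168.1.1:445        ESTABLISHED
  UDP    0.0.0.0:500            *:*
"""

def parse_netstat(text):
    """Return one dict per TCP/UDP row: proto, local, foreign, state."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue
        state = parts[3] if len(parts) > 3 else ""
        rows.append({"proto": parts[0], "local": parts[1],
                     "foreign": parts[2], "state": state})
    return rows

def outbound_to_public(rows):
    """(host, port, state) for TCP rows talking, or trying to talk, to public IPs."""
    found = []
    for r in rows:
        if r["proto"] != "TCP" or r["state"] not in ("SYN_SENT", "ESTABLISHED"):
            continue
        host, _, port = r["foreign"].rpartition(":")
        try:
            ip = ipaddress.ip_address(host)
        except ValueError:  # "*" or a hostname that netstat resolved
            continue
        if ip.is_global:
            found.append((host, port, r["state"]))
    return found

if __name__ == "__main__":
    for host, port, state in outbound_to_public(parse_netstat(SAMPLE_NETSTAT)):
        print(f"{state:<12} {host}:{port}")
```

Anything listed is worth tracing back to the owning process (netstat -o on Windows adds the PID) before deciding whether it is legitimate.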