Hacked, I tell you!!


Stun Grenade

Well, it all started today. I got home from a stinking day at school and Mum straight away told me she'd had to ring the ISP.

"Why?"

"The internet isn't working. They say you have a virus or something." I was stumped. How could a virus stop the modem's connectivity? I glanced at it that second. I told Mum to ring back for more details.

Overhearing the conversation, I was amazed to hear that the man on the other end thought my Linux server was running a fraud website. Well, I did know I was running my blog and other private sites, but not, to my knowledge, a fraud website.

"That's bull, Mum," I yelled, and at that moment the phone was tossed my way. The man told me what he had told Mum; I hung up the phone and investigated.

 

I dug into the first folder and found nothing. I went through all the folders but didn't find anything. I gave up and had tea until I realised I needed to google something. For that, I needed the internet. I told Mum to get the phone ready while I sat searching through the folders again. I came across the images folder in my blog folder. What the flaming hell!!! 'www1.royalbank.com'.

"Royal Bank?" I yelled. I went in for a closer look: three dodgy websites. I was convinced; this was obviously dodgy, and I made Mum ring straight away to say that I had rectified the problem and that the internet should be restored to me. Oh, did I tell you they had stopped the connection to our line, since even countries like Canada had complained to the ISP about the scam?

It didn't stop there. I went back to the images folder. What the fu... boyo.php, divel.php, foot.php, head.php, index.php, all modified two days ago. I haven't used my blog for 4 months!! I edited boyo.php and found this:

 *  c99shell.php v.1.0 pre-release build #16
 *  Freeware license.
 *  © CCTeaM.
 *  c99shell - 鴉-・淲蓙褞 ・www-碣ⅴ鈑・
 *  ツ・・趺 砒・・璞瑣・・裝・ 粢・ 浯 蒡・裨 湜・・鮏:
 *  https://******/releases/c99shell
 *
 *  WEB: ******
 *  ICQ UIN #: ******

I also found an interesting PHP mailer in bill_form.htm. I googled and found this was a known issue. Well, that's the end of my rant, and of my blog.

~SG

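The hunt described in this post, done with a script instead of clicking through folders, as an added example (not the poster's own script): list files changed in the last few days, grep the web root for webshell markers such as the c99shell banner, find world-writable directories, and flag paths that look like a bank site. It assumes bash with GNU find, grep and touch. The marker strings and the path heuristics are assumptions, not a complete signature list, and the sample web root it builds (planted files named like the ones in the post) is constructed so the script runs offline.

```bash
#!/bin/bash
# Post-compromise triage for a PHP web root. Added example; assumes
# bash plus GNU find/grep/touch. Web root and day window are parameters.
set -u

# Files changed within the last N days (the clue in the post: PHP files
# modified two days ago in a blog untouched for four months).
recently_modified() {            # $1 = webroot, $2 = days
    find "$1" -type f -mtime -"$2" -print | sort
}

# Assumed webshell/phishing-kit marker strings (plain strings, so grep -F).
shell_markers() {
    printf '%s\n' 'c99shell' 'CCTeaM' 'r57shell' 'eval(base64_decode(' \
                  'passthru(' 'shell_exec('
}

# Every file under the web root containing at least one marker string.
find_webshells() {               # $1 = webroot
    shell_markers | grep -rlF -f - "$1" 2>/dev/null | sort
}

# Directories anyone can write to (mode o+w), e.g. a 777 images folder.
world_writable_dirs() {          # $1 = webroot
    find "$1" -type d -perm -o+w -print | sort
}

# Paths that mimic a bank or login page: a cheap phishing-kit heuristic.
lookalike_paths() {              # $1 = webroot
    find "$1" -ipath '*bank*' -o -ipath '*paypal*' -o -ipath '*login*' | sort
}

# Constructed sample web root so the functions can be exercised offline:
# one old legitimate file plus planted files named like those in the post.
make_sample_webroot() {
    local root
    root=$(mktemp -d)
    mkdir -p "$root/blog/images/www1.royalbank.com" "$root/blog/posts"
    chmod 755 "$root/blog" "$root/blog/posts" "$root/blog/images/www1.royalbank.com"
    chmod 777 "$root/blog/images"                     # the suspected 777 folder
    printf '<?php echo "hello"; ?>\n' > "$root/blog/posts/index.php"
    printf '<?php /* c99shell.php v.1.0 pre-release build #16 (c) CCTeaM */ ?>\n' \
        > "$root/blog/images/boyo.php"
    printf '<?php eval(base64_decode("aGk="))?>\n' > "$root/blog/images/foot.php"
    printf '<form action="mail.php">\n' \
        > "$root/blog/images/www1.royalbank.com/bill_form.htm"
    # Age the legitimate file so only the planted ones look recent.
    touch -d '200 days ago' "$root/blog/posts/index.php"
    printf '%s\n' "$root"
}

report() {                       # $1 = webroot, $2 = days
    echo "== modified in last $2 days"; recently_modified "$1" "$2"
    echo "== webshell markers";         find_webshells "$1"
    echo "== world-writable dirs";      world_writable_dirs "$1"
    echo "== look-alike paths";         lookalike_paths "$1"
}

# ./triage.sh --demo runs the report against the constructed sample;
# ./triage.sh /var/www 3 runs it against a real web root.
if [ "${1:-}" = "--demo" ]; then
    report "$(make_sample_webroot)" 3
elif [ -d "${1:-}" ]; then
    report "$1" "${2:-3}"
fi
```

Run it against a copy of the web root rather than the live one where possible, and treat the modification-time list as the starting point: the c99shell banner is only one of many possible payloads, so anything recent that you did not write deserves a look even if no marker matches.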

Well, basically this blog I used had a major security hole which allowed the hacker to inject a CGI script to get my blog password and username. I think the permissions on the images folder were 777 (not too sure), or that they ran the script locally to grab my password (the password was stored in a text file in one of the folders, but encrypted).

I have a simple firewall on my Linux server that only allows certain ports and also forwards ports. Example:

#!/bin/sh
# Firewall init script, started from the Debian /etc/init.d/skeleton
# Version:	@(#)skeleton  1.9.1  08-Apr-2002  miquels@cistron.nl
#

PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
DAEMON=/sbin/iptables        # the binary this script drives
NAME=iptables
DESC="firewall"
EXTIF=eth0                   # external (Internet-facing) interface
INTIF=eth1                   # internal (LAN) interface

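The fragment above stops at the variable definitions. Below is an added example (not the poster's script) of the rest of such a script: default-deny INPUT and FORWARD, a short allow-list of TCP ports on the external interface, and DNAT port forwarding through to a LAN host. It reuses the EXTIF and INTIF names from the fragment; the LAN range, the port list and the forwarded service are assumptions. By default it prints the rule set rather than applying it, so it can be reviewed first; `apply` needs root.

```sh
#!/bin/sh
# Added example of an "allow a few ports, forward a few ports" iptables
# script. Only EXTIF/INTIF come from the posted fragment; everything
# else (LAN range, ports, forwarded host) is assumed.
EXTIF=eth0                       # Internet-facing interface
INTIF=eth1                       # LAN interface
LAN_NET=192.168.1.0/24           # assumed LAN range
ALLOW_TCP="22 80 443"            # services the server itself offers
FORWARD="8080:192.168.1.10:80"   # extport:lanhost:lanport (assumed)

# Print the rule set instead of applying it, so it can be reviewed or
# diffed first. Every line is a complete iptables invocation.
fw_rules() {
    cat <<EOF
iptables -F
iptables -t nat -F
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i $INTIF -s $LAN_NET -j ACCEPT
EOF
    # Allow-list: only these TCP ports accept new connections from outside.
    for p in $ALLOW_TCP; do
        echo "iptables -A INPUT -i $EXTIF -p tcp --dport $p -m state --state NEW -j ACCEPT"
    done
    # Port forwards: DNAT on the way in, plus a matching FORWARD accept.
    for spec in $FORWARD; do
        ext=${spec%%:*}; rest=${spec#*:}; host=${rest%%:*}; port=${rest#*:}
        echo "iptables -t nat -A PREROUTING -i $EXTIF -p tcp --dport $ext -j DNAT --to-destination $host:$port"
        echo "iptables -A FORWARD -i $EXTIF -o $INTIF -p tcp -d $host --dport $port -j ACCEPT"
    done
    # Let the LAN out and NAT it behind the external address.
    cat <<EOF
iptables -A FORWARD -i $INTIF -o $EXTIF -s $LAN_NET -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -o $EXTIF -s $LAN_NET -j MASQUERADE
EOF
}

# Apply for real (needs root). Usage: ./fw.sh apply
fw_apply() {
    fw_rules | sh -e
    echo 1 > /proc/sys/net/ipv4/ip_forward
}

case "${1:-}" in
    apply) fw_apply ;;
    show|"") fw_rules ;;
esac
```

Rule order matters: the ESTABLISHED,RELATED rule sits before the allow-list so reply packets are not re-evaluated, and FORWARD defaults to DROP so only the explicitly forwarded service can reach the LAN from outside. A firewall like this does nothing against the compromise in the thread, though: port 80 has to be open for the blog to work, and the shell was uploaded through the blog itself.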

I sure have, Slaughter; it's told me not to use blogs ever again :D. I want to do some payback....

I also learnt that the PHP mailer they put on my server used my SQL email address to email people around the world, telling them to go to a fake Royal Bank of Canada website. The real Canada Bank mob rang my ISP ;)
