Uh...

[deadly7]

Sunray is something that's designed to help against hacking and theft of information and stuff on the computer.. do you have it installed?

And someone tried to login to darkside with those ID's mentioned and got an error with an authorization, and it returned a packet to them.  I don't know what the packet said though.. I've never seen PAM_CONV_ERR before. I'm assuming it's PAM(what is PAM* on your computer iago) Conversation Error.. and it probably returned some info that the exploiter needed.

Edit: iago, what versions of:
Apache
mySQL
PHP

are you running?

[Sidoh]

I know he's running 1.3.33 Apache.  I don't know about MySQL or PHP, but I'd guess 4.4.0+ for PHP.

[Newby]

What. the. fuck?

[Sidoh]

Fucking shit... theme just changed on me.  You guys?

Nevermind, just took a look.  Default Theme is changed...

There's no real reason to upgrade to 1.3.34.  They fixed a "vulnerability" that could lead to http smuggling attacks or something stupid.  Nothing I'm worried about

Maybe it's something he should have worried about?

[deadly7]

beautiful, it was PHC..

[Newby]

Uh...

[iago]

Ok, I need to get some homework done and go to bed.  For the time being:

- There are no odd services listening or connections established.  But that doesn't mean anything.
- I've changed the root password, but I don't believe that he ever got access to root.
- I've changed the MySQL password (you might have noticed the authentication failure). 
- I've hacked the SMF board to give myself administrator-type power.  I don't have time to muck around with names and stuff tonight, maybe later.  If you're nice.
- I've disconnected everybody who had an active connection.

For everything else, I'm going to leave it as business as usual.  I can't tell what happened, so there's no sense in closing the gate after the horse escaped. 

To be continued...

[deadly7]

It was PHC.
When i had gone to http://www.x86labs.org/forum/ a second ago it said "PHC OWNED YOU" in the corner with no images or anything.

[Sidoh]

Yep, it said "Oh my goddess, it's a Phrack High Council"

[iago]

Everything should be ok now.  I'm reasonably sure he didn't have root, and the passwords have been changed.  I doubt whoever did it had the presense of mind to leave a backdoor.  I'll look into it tomorrow.

[Sidoh]

Everything should be ok now.  I'm reasonably sure he didn't have root, and the passwords have been changed.  I doubt whoever did it had the presense of mind to leave a backdoor.  I'll look into it tomorrow.

Alright, have fun with your homework.

[Joe]

- I've disconnected everybody who had an active connection.

For the record, my SSH connection is still open.

Also, I'd like to remind you that SQL isn't exposed to the open internet, which means its automatically excluded from being the entry-point of the hacking. It was exploited through something else.

[Newby]

- I've disconnected everybody who had an active connection.

For the record, my SSH connection is still open.

Also, I'd like to remind you that SQL isn't exposed to the open internet, which means its automatically excluded from being the entry-point of the hacking. It was exploited through something else.

Did you connect after he did it? Perhaps he didn't kill anyone on port 22, seeing as how he had to connect to it via port 22 to do anything.

[iago]

- I've disconnected everybody who had an active connection.

For the record, my SSH connection is still open.

Also, I'd like to remind you that SQL isn't exposed to the open internet, which means its automatically excluded from being the entry-point of the hacking. It was exploited through something else.

Don't forget that web apps (like, any programs written in php by anybody on this forum) also have access to MySQL.

[deadly7]

 [22:29:48.289] <deadly7[x86]> Hrm.
 [22:29:52.385] <deadly7[x86]> Whoever did it had complete access to /forum/
 [22:30:02.159] <deadly7[x86]> The mySQL database password is PLAINTEXT in it.
 [22:30:09.159] <deadly7[x86]> Which is SMF's fault..
 [22:30:15.178] <deadly7[x86]> IPB, LDU, all others don' thave plaintext mysql