Author Topic: Uh...  (Read 29148 times)

0 Members and 9 Guests are viewing this topic.

Offline deadly7

  • 42
  • x86
  • Hero Member
  • *****
  • Posts: 6496
    • View Profile
Re: Uh...
« Reply #30 on: December 01, 2005, 11:16:00 pm »
Sunray is something that's designed to help against hacking and theft of information and stuff on the computer.. do you have it installed?

And someone tried to login to darkside with those ID's mentioned and got an error with an authorization, and it returned a packet to them.  I don't know what the packet said though.. I've never seen PAM_CONV_ERR before. I'm assuming it's PAM(what is PAM* on your computer iago) Conversation Error.. and it probably returned some info that the exploiter needed.

Edit: iago, what versions of:
Apache
mySQL
PHP

are you running?
[17:42:21.609] <Ergot> Kutsuju you're girlfrieds pussy must be a 403 error for you
 [17:42:25.585] <Ergot> FORBIDDEN

on IRC playing T&T++
<iago> He is unarmed
<Hitmen> he has no arms?!

on AIM with a drunk mythix:
(00:50:05) Mythix: Deadly
(00:50:11) Mythix: I'm going to fuck that red dot out of your head.
(00:50:15) Mythix: with my nine

Offline Sidoh

  • x86
  • Hero Member
  • *****
  • Posts: 17634
  • MHNATY ~~~~~
    • View Profile
    • sidoh
Re: Uh...
« Reply #31 on: December 01, 2005, 11:18:12 pm »
I know he's running 1.3.33 Apache.  I don't know about MySQL or PHP, but I'd guess 4.4.0+ for PHP.

Offline Newby

  • x86
  • Hero Member
  • *****
  • Posts: 10877
  • Thrash!
    • View Profile
Re: Uh...
« Reply #32 on: December 01, 2005, 11:20:57 pm »
What. the. fuck?
- Newby
http://www.x86labs.org

Quote
[17:32:45] * xar sets mode: -oooooooooo algorithm ban chris cipher newby stdio TehUser tnarongi|away vursed warz
[17:32:54] * xar sets mode: +o newby
[17:32:58] <xar> new rule
[17:33:02] <xar> me and newby rule all

I'd bet that you're currently bloated like a water ballon on a hot summer's day.

That analogy doesn't even make sense.  Why would a water balloon be especially bloated on a hot summer's day? For your sake, I hope there wasn't too much logic testing on your LSAT. 

Offline Sidoh

  • x86
  • Hero Member
  • *****
  • Posts: 17634
  • MHNATY ~~~~~
    • View Profile
    • sidoh
Re: Uh...
« Reply #33 on: December 01, 2005, 11:21:35 pm »
Fucking shit... theme just changed on me.  You guys?

Nevermind, just took a look.  Default Theme is changed...

There's no real reason to upgrade to 1.3.34.  They fixed a "vulnerability" that could lead to http smuggling attacks or something stupid.  Nothing I'm worried about :)

Maybe it's something he should have worried about? :(

Offline deadly7

  • 42
  • x86
  • Hero Member
  • *****
  • Posts: 6496
    • View Profile
Re: Uh...
« Reply #34 on: December 01, 2005, 11:21:45 pm »
beautiful, it was PHC..
[17:42:21.609] <Ergot> Kutsuju you're girlfrieds pussy must be a 403 error for you
 [17:42:25.585] <Ergot> FORBIDDEN

on IRC playing T&T++
<iago> He is unarmed
<Hitmen> he has no arms?!

on AIM with a drunk mythix:
(00:50:05) Mythix: Deadly
(00:50:11) Mythix: I'm going to fuck that red dot out of your head.
(00:50:15) Mythix: with my nine

Offline Newby

  • x86
  • Hero Member
  • *****
  • Posts: 10877
  • Thrash!
    • View Profile
Re: Uh...
« Reply #35 on: December 01, 2005, 11:22:46 pm »
Uh...
- Newby
http://www.x86labs.org

Quote
[17:32:45] * xar sets mode: -oooooooooo algorithm ban chris cipher newby stdio TehUser tnarongi|away vursed warz
[17:32:54] * xar sets mode: +o newby
[17:32:58] <xar> new rule
[17:33:02] <xar> me and newby rule all

I'd bet that you're currently bloated like a water ballon on a hot summer's day.

That analogy doesn't even make sense.  Why would a water balloon be especially bloated on a hot summer's day? For your sake, I hope there wasn't too much logic testing on your LSAT. 

Offline iago

  • Leader
  • Administrator
  • Hero Member
  • *****
  • Posts: 17914
  • Fnord.
    • View Profile
    • SkullSecurity
Re: Uh...
« Reply #36 on: December 01, 2005, 11:23:21 pm »
Ok, I need to get some homework done and go to bed.  For the time being:

- There are no odd services listening or connections established.  But that doesn't mean anything.
- I've changed the root password, but I don't believe that he ever got access to root.
- I've changed the MySQL password (you might have noticed the authentication failure). 
- I've hacked the SMF board to give myself administrator-type power.  I don't have time to muck around with names and stuff tonight, maybe later.  If you're nice.
- I've disconnected everybody who had an active connection.

For everything else, I'm going to leave it as business as usual.  I can't tell what happened, so there's no sense in closing the gate after the horse escaped. 

To be continued...

Offline deadly7

  • 42
  • x86
  • Hero Member
  • *****
  • Posts: 6496
    • View Profile
Re: Uh...
« Reply #37 on: December 01, 2005, 11:24:44 pm »
It was PHC.
When i had gone to http://www.x86labs.org/forum/ a second ago it said "PHC OWNED YOU" in the corner with no images or anything.
[17:42:21.609] <Ergot> Kutsuju you're girlfrieds pussy must be a 403 error for you
 [17:42:25.585] <Ergot> FORBIDDEN

on IRC playing T&T++
<iago> He is unarmed
<Hitmen> he has no arms?!

on AIM with a drunk mythix:
(00:50:05) Mythix: Deadly
(00:50:11) Mythix: I'm going to fuck that red dot out of your head.
(00:50:15) Mythix: with my nine

Offline Sidoh

  • x86
  • Hero Member
  • *****
  • Posts: 17634
  • MHNATY ~~~~~
    • View Profile
    • sidoh
Re: Uh...
« Reply #38 on: December 01, 2005, 11:25:21 pm »
Yep, it said "Oh my goddess, it's a Phrack High Council"

Offline iago

  • Leader
  • Administrator
  • Hero Member
  • *****
  • Posts: 17914
  • Fnord.
    • View Profile
    • SkullSecurity
Re: Uh...
« Reply #39 on: December 01, 2005, 11:26:23 pm »
Everything should be ok now.  I'm reasonably sure he didn't have root, and the passwords have been changed.  I doubt whoever did it had the presense of mind to leave a backdoor.  I'll look into it tomorrow.


Offline Sidoh

  • x86
  • Hero Member
  • *****
  • Posts: 17634
  • MHNATY ~~~~~
    • View Profile
    • sidoh
Re: Uh...
« Reply #40 on: December 01, 2005, 11:27:33 pm »
Everything should be ok now.  I'm reasonably sure he didn't have root, and the passwords have been changed.  I doubt whoever did it had the presense of mind to leave a backdoor.  I'll look into it tomorrow.

Alright, have fun with your homework.

Offline Joe

  • B&
  • x86
  • Hero Member
  • *****
  • Posts: 10319
  • In Soviet Russia, text read you!
    • View Profile
    • Github
Re: Uh...
« Reply #41 on: December 01, 2005, 11:27:49 pm »
Quote
- I've disconnected everybody who had an active connection.

For the record, my SSH connection is still open.

Also, I'd like to remind you that SQL isn't exposed to the open internet, which means its automatically excluded from being the entry-point of the hacking. It was exploited through something else.
I'd personally do as Joe suggests

You might be right about that, Joe.


Offline Newby

  • x86
  • Hero Member
  • *****
  • Posts: 10877
  • Thrash!
    • View Profile
Re: Uh...
« Reply #42 on: December 01, 2005, 11:28:29 pm »
Quote
- I've disconnected everybody who had an active connection.

For the record, my SSH connection is still open.

Also, I'd like to remind you that SQL isn't exposed to the open internet, which means its automatically excluded from being the entry-point of the hacking. It was exploited through something else.

Did you connect after he did it? Perhaps he didn't kill anyone on port 22, seeing as how he had to connect to it via port 22 to do anything.
- Newby
http://www.x86labs.org

Quote
[17:32:45] * xar sets mode: -oooooooooo algorithm ban chris cipher newby stdio TehUser tnarongi|away vursed warz
[17:32:54] * xar sets mode: +o newby
[17:32:58] <xar> new rule
[17:33:02] <xar> me and newby rule all

I'd bet that you're currently bloated like a water ballon on a hot summer's day.

That analogy doesn't even make sense.  Why would a water balloon be especially bloated on a hot summer's day? For your sake, I hope there wasn't too much logic testing on your LSAT. 

Offline iago

  • Leader
  • Administrator
  • Hero Member
  • *****
  • Posts: 17914
  • Fnord.
    • View Profile
    • SkullSecurity
Re: Uh...
« Reply #43 on: December 01, 2005, 11:29:22 pm »
Quote
- I've disconnected everybody who had an active connection.

For the record, my SSH connection is still open.

Also, I'd like to remind you that SQL isn't exposed to the open internet, which means its automatically excluded from being the entry-point of the hacking. It was exploited through something else.

Don't forget that web apps (like, any programs written in php by anybody on this forum) also have access to MySQL.

Offline deadly7

  • 42
  • x86
  • Hero Member
  • *****
  • Posts: 6496
    • View Profile
Re: Uh...
« Reply #44 on: December 01, 2005, 11:30:37 pm »
 [22:29:48.289] <deadly7[x86]> Hrm.
 [22:29:52.385] <deadly7[x86]> Whoever did it had complete access to /forum/
 [22:30:02.159] <deadly7[x86]> The mySQL database password is PLAINTEXT in it.
 [22:30:09.159] <deadly7[x86]> Which is SMF's fault..
 [22:30:15.178] <deadly7[x86]> IPB, LDU, all others don' thave plaintext mysql
[17:42:21.609] <Ergot> Kutsuju you're girlfrieds pussy must be a 403 error for you
 [17:42:25.585] <Ergot> FORBIDDEN

on IRC playing T&T++
<iago> He is unarmed
<Hitmen> he has no arms?!

on AIM with a drunk mythix:
(00:50:05) Mythix: Deadly
(00:50:11) Mythix: I'm going to fuck that red dot out of your head.
(00:50:15) Mythix: with my nine