Uh...

[iago]

As MyndFyre said (while I was typing this, *grr*), he straightened everything up.  You can fix your names (Except Sigh Dough.. we alll agree that you should keep that name). 

As far as we can tell, somebody either found out or guessed an Administrator's password on the forum (probably Quik, he's a n00b (kidding)).  We've fixed it so he can't get back in through that route.  Hopefully that's all he did...

Hopefully, it's all back to normal.  I'm still going to dig through some logs and see if I can find out who actually did it.  All I know at this point is that he was going through a proxy, but I might be able to dig up some records on the proxy, who knows?

Stay tuned!

[Ergot]

I like it as Sigh Dough . This is better than any movie this year o_o.

[Joe]

OK, iago got me back my permissions and I reset the admins. People should be able to update their names again. Sidoh should do so

If anyone has any problems with anything, please let me know. The permissions were kind of weird, but I think I got them back to normal.

yeah I'm not moderator of off-topic yet..

[iago]

OK, iago got me back my permissions and I reset the admins. People should be able to update their names again. Sidoh should do so

If anyone has any problems with anything, please let me know. The permissions were kind of weird, but I think I got them back to normal.

yeah I'm not moderator of off-topic yet..

Hmm, how'd we miss that?  Well, I'll get right on that. 

[iago]

Hmm, I was checking up on some things, and I wonder if this might be a problem:

root@darkside:~# chkrootkit
ROOTDIR is `/'
Checking `amd'... not infected
Checking `basename'... not infected
Checking `biff'... not infected
Checking `chfn'... INFECTED
Checking `chsh'... INFECTED
Checking `cron'... not infected
Checking `date'... INFECTED
Checking `du'... not infected
Checking `dirname'... not infected
Checking `echo'... not infected
Checking `egrep'... not infected
Checking `env'... not infected
Checking `find'... not infected
Checking `fingerd'... not infected
Checking `gpm'... not found
Checking `grep'... not infected
Checking `hdparm'... not found
Checking `su'... not infected
Checking `ifconfig'... not infected
Checking `inetd'... not tested
Checking `inetdconf'... not infected
Checking `identd'... not found
Checking `killall'... not infected
Checking `ldsopreload'... not tested
Checking `login'... not infected
Checking `ls'... INFECTED
Checking `lsof'... not found
Checking `mail'... not infected
Checking `mingetty'... not found
Checking `netstat'... not infected
Checking `named'... not infected
Checking `passwd'... not infected
Checking `pidof'... not found
Checking `pop2'... not found
Checking `pop3'... not found
Checking `ps'... INFECTED
.............. [it goes on like that]

*** WARNING: illegal modifications were made to certain system files, indicative of an infection!!!
*** the infection started between 06 Nov 2005 18:10:00 and 06 Nov 2005 18:30:00
*** BACK UP ALL IMPORTANT DATA AND SHUT DOWN IMMEDIATELY

:-/

Anybody remember what happened on November 6?  It was a long time ago

[Newby]

What happened November 6th? :|

[Towelie]

no idea, that sucks :-P

[Screenor]

Ugh, this is a perfect application as to why you do not run porn.wmv.exe.

Nov 6 was about the time BnetAxe was hacked..that's about it.

[iago]

Hmm, on that day there was a lot of traffic from 207.180.144.222...

Also, I checked up on the proxy that the "pnc" account was using.. I found their logs, an it turns out that 207.180.144.222 was the ip that was posting as phc, so I'm sure it's the same guy.

So I looked up the ip 207.180.144.222 on the forums, and there is one account associated with it: Hitmen

Also, Nov, 6 was the day that Hitmen created his account on this forum. 

Also, Dec. 1 (the day of the "incident") was Hitmen's birthday. 

Now, the problem is, I always thought that the Hitmen I knew was inept.  So how, suddenly, did this happen? 

Your answer is as good as mine..... for the time being, I'm not sure how to proceed...

[Newby]

Hmm....

Wtf?

Well, I'm gonna ban Hitmen, and have a very long discussion on AIM.

[Newby]

Ugh, this is a perfect application as to why you do not run porn.wmv.exe.

Nov 6 was about the time BnetAxe was hacked..that's about it.

Eh, wouldn't affect you in Linux.

[Screenor]

But why would Hitmen do it? Possibly not the real Hitmen? I don't know him really at all, but he seems a bit more controlled then that.

Also, who does all that then leaves it to be that obvious. Almost as if someone wanted Hitmen gone.

[Joe]

And whos to say this wasn't meant to be a nice little tap on the shoulder saying "you're not as secure as you think"? We all thought darkside was imbreachable, but aparently he wasn't. If he was a real "blackhat", he would have just deleted the whole database. He distroyed next to nothing, except maybe 30 minutes of MyndFyre's time when he set permissions back.

[Warrior]

Who is this "We"? Nothing is inbreachable. Maybe you sleep at nighty knowing that but I sure don't.

[Blaze]

I don't know hitmen very well, but he doesn't seem to be a person to do something stupid like that...