Just cutting and pasting (and editing slightly) from http://matchent.wordpress.com/2009/12/24/matchent-com-hacked/ .
I'm still not quite sure how they got in.
It has probably more to do with my skills than any holes in Drupal.
A shell (GNY.Shell - findex.php) and a proxy (proxy.php) were uploaded, but where the weakness was (is?) is not known to me.
I would not be very much surprised if this turned out to be a part of the Christmas hacking at evilzone.org.
In that aspect it fits in with the previous posting here.
If you can read Norwegian, there is also something here:
http://skriblerier.adesign.no/index.php?q=node/63
User Agent:
Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; nb-NO; rv:1.9.1.6) Gecko/20091201 Firefox/3.5.6 (.NET CLR 3.5.30729)
Update some hours later
The shell that was uploaded:
http://www.virustotal.com/analisis/723df5a4fa11cf36f3998152707008a7c6e3978f2b82556f406b6874f39b925e-1261683007
Goes by various names: Backdoor.PHP.C99Shell.y, probably a variant of PHP/Rst.S, PHP.ShellBot.K, Trojan.Script.212277.
"Score" at virustotal is 16/41.
Update December 25 - 28, 2009
A few other interesting IPs:
62.16.238.118 <----- "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html"?
Umm, don't think so. More likely a pimplefaced teenager from Trondheim in Norway. With hits on at least three of my domains.
Also using the UA string "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-GB; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5".
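A User-Agent string claiming to be Googlebot proves nothing by itself. Google's published verification procedure is: reverse-resolve the client IP, require the PTR name to end in googlebot.com or google.com, then forward-resolve that name and require it to map back to the same IP. The script below is an added example, not code from the original post; it parses constructed Apache combined-format log lines (RFC 5737 documentation addresses, with constructed DNS answers standing in for the live resolver) and flags "Googlebot" hits that fail the check. The `fake_ptr`/`fake_fwd` helpers are assumptions for offline use; drop them to query real DNS.

```python
"""Flag requests that claim to be Googlebot but do not verify as Google.

Added example, not code from the original post. The check follows
Google's published procedure (PTR name under googlebot.com/google.com,
forward lookup matches the IP). Log lines and DNS answers are constructed.
"""
import re
import socket

# Constructed Apache combined-format lines. 192.0.2.0/24 is the RFC 5737
# documentation range; nothing here refers to a real host.
SAMPLE_LOG = """\
192.0.2.10 - - [24/Dec/2009:13:01:02 +0100] "GET /findex.php HTTP/1.1" 200 512 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
192.0.2.20 - - [24/Dec/2009:13:02:15 +0100] "GET /node/63 HTTP/1.1" 200 9912 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
192.0.2.10 - - [24/Dec/2009:13:03:44 +0100] "POST /proxy.php HTTP/1.1" 200 88 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-GB; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5"
"""

# Constructed DNS answers (assumption) standing in for the live resolver.
# 192.0.2.10 deliberately has no PTR record, so its Googlebot claim fails.
FAKE_PTR = {"192.0.2.20": "crawl-192-0-2-20.googlebot.com"}
FAKE_A = {"crawl-192-0-2-20.googlebot.com": ["192.0.2.20"]}

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"'
)


def parse_line(line):
    """Return the fields of one combined-format log line, or None."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def reverse_lookup(ip):
    """Live PTR lookup; raises socket.herror (an OSError) on failure."""
    return socket.gethostbyaddr(ip)[0]


def forward_lookup(host):
    """Live A lookup; returns every IPv4 address the name resolves to."""
    return [info[4][0] for info in socket.getaddrinfo(host, None, socket.AF_INET)]


def is_real_googlebot(ip, ptr=None, fwd=None):
    """Google's verification: PTR under google's crawler domains and
    forward-confirmed back to the same IP. Lookups are injectable."""
    ptr = ptr or reverse_lookup
    fwd = fwd or forward_lookup
    try:
        host = ptr(ip)
    except OSError:
        return False
    if not host.rstrip(".").endswith((".googlebot.com", ".google.com")):
        return False
    try:
        return ip in fwd(host)
    except OSError:
        return False


def flag_fake_googlebots(log_text, ptr=None, fwd=None):
    """Return (ip, request) for every Googlebot-UA hit that fails verification."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and "Googlebot" in rec["ua"] and not is_real_googlebot(rec["ip"], ptr, fwd):
            findings.append((rec["ip"], rec["req"]))
    return findings


def fake_ptr(ip):
    """Offline stand-in for reverse_lookup using the constructed table."""
    try:
        return FAKE_PTR[ip]
    except KeyError:
        raise OSError("no PTR record")  # same error class the live call raises


def fake_fwd(host):
    """Offline stand-in for forward_lookup using the constructed table."""
    return FAKE_A.get(host, [])


if __name__ == "__main__":
    for ip, req in flag_fake_googlebots(SAMPLE_LOG, fake_ptr, fake_fwd):
        print(f"spoofed Googlebot UA from {ip}: {req}")
```

Calling `flag_fake_googlebots(log_text)` without the stand-ins runs the real reverse and forward lookups; the forward-confirmation step matters because anyone can point a PTR record at a name under googlebot.com, but only Google controls what that name resolves to.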
88.91.112.99 <----- Telenor in Norway. I have seen one very close one earlier, 88.91.112.130 (and 84.208.191.113, perhaps 85.165.173.203 too).
Now, how many Telenor users are skiddies? Quite a lot probably. But I'll bet my money that this is the one who used 88.91.112.130 to log in to h4cky0u as []Volume earlier this year. Now admin at evilzone.org and nationalhacker.org. If anyone is interested, they can check out how the Christmas hacking over at evilzone.org is going.
I have not registered to have a look.
But I trust that Andre Rings Hans, ph 470 .2 0.3 from Nesodden in Norway, is doing a good job in herding his "crew".
Also admin at the former 1nj3ct.org. Which went down when he got a bit nervous after a little slap on the wrist from the police. nordicws.org is another one of his "masterpieces". Oh, he changed that one.
68.68.107.40 <---- Right now I have forgotten why this one is interesting.
195.47.247.176. Hits in logs at at least two of my domains. 195.47.247.176 is also hosting nordicws.org.
Lots of coincidences here.