Fucking script kiddies! [Archive] - ZGeek


MisterFlibble
18-03-2005, 07:31 PM
I know this is just as much my fault for leaving a world writable directory on my web server by accident, but still... goddamn fucktards! And I don't swear lightly.

While I'm pissed off at this, I'm also offering myself up as an example of what not to do if you run a server of any description. I mean let's face it, we've all made pissy little mistakes that have blown up in our faces.

Some toss-pot has managed to find a directory on my web server that was world writeable/readable. The scum bucket checked every single directory they could find on the server, and attempted to upload a file to it, eventually finding one obscure directory that was free to write to.

The file was a tar file containing a fake eBay site. Once the file was loaded up to my server (according to the log, it was hosted at http://nimeni2005.go.ro/ ip: 81.196.20.134). There is a web server hosted at that IP, but the DNS no longer works.

Anyways, the php page was then used to send out spam email to people asking them to confirm their eBay logins, which were recorded, and used to make fraudulent bids.

Top marks to iiNet who acted within a few hours of this happening. They cut off port 80 and the mail ports on my connection, and called me immediately. They also stayed on the line suggesting places on the server that might have been compromised.

I'll be zipping up the affected files, and sending them to iiNet tonight. Also, I'll be burning all the affected files to CD, so that when eBay comes looking for them, they can have them.

So, let this be a warning to you all... check your systems for holes. You may now commence your laughing at me.... now.
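An added example, not part of the original post: a small audit for the mistake described above, listing every directory or file under a web root whose "other" write bit is set. The tree built by `build_sample_tree` and all names in it are constructed for illustration and are not the poster's server.

```python
import os
import stat
import tempfile

def audit_world_writable(root):
    """Return sorted (relative path, kind, mode, sticky) for every directory
    or file under root whose 'other' write bit is set."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):  # symlinked dirs are not followed
        for path in [dirpath] + [os.path.join(dirpath, f) for f in filenames]:
            try:
                st = os.lstat(path)
            except OSError:
                continue  # entry vanished or is unreadable
            if stat.S_ISLNK(st.st_mode) or not st.st_mode & stat.S_IWOTH:
                continue
            kind = "dir" if stat.S_ISDIR(st.st_mode) else "file"
            sticky = bool(st.st_mode & stat.S_ISVTX)
            findings.append((os.path.relpath(path, root), kind,
                             stat.S_IMODE(st.st_mode), sticky))
    return sorted(findings)

def build_sample_tree(base):
    """Constructed sample docroot (hypothetical names)."""
    dirs = {"html": 0o755, "html/images": 0o755, "html/old": 0o755,
            "html/old/tmp_upload": 0o777,   # the forgotten writable directory
            "html/cache": 0o1777}           # writable, but sticky bit set
    files = {"html/index.html": 0o644, "html/config.inc": 0o666}
    for rel, mode in dirs.items():
        path = os.path.join(base, rel)
        os.makedirs(path, exist_ok=True)
        os.chmod(path, mode)                # explicit chmod, so umask does not matter
    for rel, mode in files.items():
        path = os.path.join(base, rel)
        with open(path, "w") as fh:
            fh.write("constructed sample\n")
        os.chmod(path, mode)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as base:
        build_sample_tree(base)
        for rel, kind, mode, sticky in audit_world_writable(base):
            flag = " (sticky)" if sticky else ""
            print(f"{oct(mode)} {kind:4} {rel}{flag}")
```

Pointing `audit_world_writable` at a real document root gives the same report; the sticky bit only restricts deletion and renaming, so a sticky world-writable directory still accepts new files from anyone.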

gunsella
18-03-2005, 07:33 PM
:ha: :ha: :ha: :ha: :ha:

MisterFlibble
18-03-2005, 07:40 PM
:ha: :ha: :ha: :ha: :ha:

Thanks Gunsella for starting the laugh-a-thon :)

One freaking directory! One... the prick that did this really should go outside and see the sun from time to time.

gunsella
18-03-2005, 07:43 PM
i got plennny more where that came from, but only coz you asked for it:

You may now commence your laughing at me....

honestly tho, i really feel for you dude. it sucks to be exploited like that.

MisterFlibble
18-03-2005, 07:45 PM
i got plennny more where that came from, but only coz you asked for it:



honestly tho, i really feel for you dude. it sucks to be exploited like that.

Yeah... thought I learned my lesson last time when my server got hit by Code Red, way back when I used to run Windows web servers.

Ah well... we got IPs, and we got times... and with such a big target like eBay, I'm sure they'll follow it through until they catch the fucker. Then he can be exploited too... by the biggest hairiest man in minimum security.

Oh yeah, traced the IP... it's based in Germany.

hazza
18-03-2005, 07:54 PM
.... lol, if he hacked your server and found that one dir, do you think it's the actual i.p.?

MisterFlibble
18-03-2005, 08:05 PM
.... lol, if he hacked your server and found that one dir, do you think it's the actual i.p.?

Well, he could be dumb enough. But if you go to that address http://81.196.20.134/ you'll see that there is a server there.

Now, it's quite possible that he was using that machine to connect to mine, or that it's spoofed. The point is, he didn't even attempt to hide his changes. The logs have not been doctored or deleted at all.

Either way, I'll forward the logs to iiNet and eBay, and they'll chase it down. I know eBay will, cause they take things like this seriously.

hazza
18-03-2005, 08:08 PM
it's easy enough to set up a hacked server to do all the hacking for you. e.g. autorooter

dilligaf
18-03-2005, 08:14 PM
it's easy enough to set up a hacked server to do all the hacking for you. e.g. autorooter
hehehe. You said root.

hehehe.

MisterFlibble
18-03-2005, 08:18 PM
it's easy enough to set up a hacked server to do all the hacking for you. e.g. autorooter

Yeah I know... but hopefully it'll give them a trail to follow.

Thyrd
19-03-2005, 12:11 AM
Exactly how many failed events were there in the event viewer (assuming you run windows)? You can gauge just how much of a loser he is by the amount of time he spent trying to find that 1 dir.

Thyraeus
19-03-2005, 01:06 AM
so where does the script kiddie come in? all looks to be manual stalking to me?

MisterFlibble
20-03-2005, 10:13 AM
so where does the script kiddie come in? all looks to be manual stalking to me?

Nowhere, I just wanted to say script kiddie. :)

MisterFlibble
20-03-2005, 10:14 AM
Exactly how many failed events were there in the event viewer (assuming you run windows)? You can gauge just how much of a loser he is by the amount of time he spent trying to find that 1 dir.

It's an FC3 box. The apache log had about a page of access denied errors as he was trying different directories.

metalgod
24-03-2005, 05:44 AM
Wow that blows!! good thing they caught on quick or it could have gotten messy