Old 06-01-2005, 03:27 PM  
SplitInfinity
Confirmed User
 
Join Date: Dec 2002
Location: San Diego, CA
Posts: 3,047
Here is what they do....
they break into a server... and make a simple edit to the httpd.conf file in Apache, adding an easy-to-overlook "Include" line like this:
Include /usr/src/redhat/.../.h
(note the hidden directory named "..."; they try to blend that in with normal Unix directory listings so it skips past your vision in directory listings)
Inside the directory /usr/src/redhat, they have a file called .h, which is an include file that includes many other files listing HUNDREDS AND HUNDREDS of domains like this:
ServerName violence
ServerAlias crosspointm.info *.crosspointm.info crowa.info *.crowa.info declinev.biz *.declinev.biz declinev.info *.declinev.info declinev.net *.declinev.net defrosti.info *.defrosti.info deletiony.info *.deletiony.info delphinem.biz *.delphinem.biz delphinem.info *.delphinem.info delphinem.net *.delphinem.net deputations.biz *.deputations.biz detoxifyp.info *.detoxifyp.info dieboldb.info *.dieboldb.info diffracty.info *.diffracty.info discreete.info *.discreete.info diversiond.info *.diversiond.info dodecahedrai.net *.dodecahedrai.net dosek.biz *.dosek.biz droopg.biz *.droopg.biz droopg.info *.droopg.info dualismv.net *.dualismv.net durrellw.info *.durrellw.info eavesdroppingx.info *.eavesdroppingx.info effiek.net *.effiek.net eiderc.biz *.eiderc.biz escritoireb.info *.escritoireb.info fireq.info *.fireq.info flowerpotb.info *.flowerpotb.info fossl.biz *.fossl.biz fowlp.net *.fowlp.net frozena.biz *.frozena.biz frozena.info *.frozena.info frozena.net *.frozena.net fussyt.biz *.fussyt.biz fussyt.info *.fussyt.info galenaw.net *.galenaw.net grandniecei.info *.grandniecei.info haploidx.net *.haploidx.net hebew.biz *.hebew.biz hebew.info *.hebew.info hibbardf.info *.hibbardf.info histrionica.info *.histrionica.info hoveo.biz *.hoveo.biz hugod.info *.hugod.info hurricanex.info *.hurricanex.info indignityw.info *.indignityw.info inkj.info *.inkj.info intransigentx.info *.intransigentx.info iraniana.info *.iraniana.info joaquinp.info *.joaquinp.info kavam.biz *.kavam.biz laxativeh.biz *.laxativeh.biz laxativeh.info *.laxativeh.info laxativeh.net *.laxativeh.net leachm.info *.leachm.info
ServerName ugly
ServerAlias mathieuh.info *.mathieuh.info monetaryq.info *.monetaryq.info nagasakiw.info *.nagasakiw.info newbornx.biz *.newbornx.biz occurreda.net *.occurreda.net orthonormalm.info *.orthonormalm.info orthonormalm.net *.orthonormalm.net partisanh.info *.partisanh.info perspectivee.info *.perspectivee.info photolyticu.biz *.photolyticu.biz photolyticu.info *.photolyticu.info photolyticu.net *.photolyticu.net pokerfaceu.biz *.pokerfaceu.biz primpm.info *.primpm.info pulsatea.net *.pulsatea.net quickenq.info *.quickenq.info radicesg.info *.radicesg.info rejuvenatet.net *.rejuvenatet.net responsives.biz *.responsives.biz revisionz.info *.revisionz.info rollickk.info *.rollickk.info salutationr.info *.salutationr.info sandrao.info *.sandrao.info sapiensa.info *.sapiensa.info sapiensa.net *.sapiensa.net sauteh.info *.sauteh.info scmg.info *.scmg.info shadflowerc.info *.shadflowerc.info shipleye.net *.shipleye.net sideshowi.info *.sideshowi.info sightseez.biz *.sightseez.biz sightseez.info *.sightseez.info sightseez.net *.sightseez.net smuggleu.info *.smuggleu.info statev.info *.statev.info stipendo.info *.stipendo.info sucroseh.biz *.sucroseh.biz sucroseh.info *.sucroseh.info sucroseh.net *.sucroseh.net sustenancem.net *.sustenancem.net synagoguey.biz *.synagoguey.biz theologyu.biz *.theologyu.biz thighl.net *.thighl.net truthfulo.info *.truthfulo.info twitchyk.biz *.twitchyk.biz upslopeu.info *.upslopeu.info varietyi.biz *.varietyi.biz virtuep.net *.virtuep.net witheb.biz *.witheb.biz zellerbachz.biz *.zellerbachz.biz
They literally have thousands of domains.

Here is the IP they broke into the server from:

May 31 10:14:42 sp82 sshd[22426]: Illegal user cisco from 128.198.60.40
May 31 10:14:47 sp82 sshd[22467]: Illegal user jason from 128.198.60.40
May 31 10:14:53 sp82 sshd[22491]: Illegal user patrick from 128.198.60.40
May 31 10:14:58 sp82 sshd[22553]: Illegal user richard from 128.198.60.40
May 31 10:15:04 sp82 sshd[22598]: Illegal user jerry from 128.198.60.40
May 31 10:15:09 sp82 sshd[22615]: Illegal user auth from 128.198.60.40
May 31 10:15:15 sp82 sshd[22643]: Failed password for games from 128.198.60.40 port 49145 ssh2
May 31 10:15:21 sp82 sshd[22675]: Illegal user pub from 128.198.60.40
May 31 10:15:26 sp82 sshd[22685]: Illegal user support from 128.198.60.40
May 31 10:15:32 sp82 sshd[22698]: Illegal user research from 128.198.60.40
May 31 10:15:37 sp82 sshd[22724]: Illegal user view from 128.198.60.40
May 31 10:15:43 sp82 sshd[22755]: Illegal user master from 128.198.60.40
May 31 10:15:48 sp82 sshd[22806]: Illegal user tmp from 128.198.60.40
May 31 10:15:54 sp82 sshd[22835]: Illegal user temp from 128.198.60.40
May 31 10:15:59 sp82 sshd[22873]: Illegal user work from 128.198.60.40
May 31 10:14:31 sp82 sshd[22323]: Failed password for mail from 128.198.60.40 port 48937 ssh2
May 31 10:14:36 sp82 sshd[22365]: Failed password for cpanel from 128.198.60.40 port 48965 ssh2

traceroute to 128.198.60.40 (128.198.60.40), 30 hops max, 38 byte packets
1 service168-143-119-2.splitinfinity.net (168.143.119.2) 0.744 ms 1.052 ms 0.572 ms
2 ge-1-1-0-3.r01.sndgca01.us.bb.verio.net (129.250.27.110) 0.897 ms 0.930 ms 0.860 ms
3 p4-2-0-0.r00.lsanca01.us.bb.verio.net (129.250.2.165) 4.248 ms 4.350 ms 4.256 ms
4 bur-brdr-01.inet.qwest.net (205.171.4.37) 4.813 ms 4.656 ms 4.764 ms
5 bur-core-01.inet.qwest.net (205.171.13.9) 4.888 ms 4.903 ms 5.000 ms
6 dia-core-03.inet.qwest.net (205.171.8.118) 47.876 ms 47.949 ms 47.748 ms
7 dvr-edge-03.inet.qwest.net (205.171.10.34) 47.993 ms 47.979 ms 47.872 ms
8 65.121.122.206 (65.121.122.206) 50.575 ms 50.721 ms 49.534 ms
9 frgp-link-at-uccs.uccs.edu (128.198.254.1) 54.139 ms 53.909 ms 53.982 ms
10 uccshub-v254.uccs.edu (128.198.254.11) 53.800 ms 54.181 ms 53.653 ms
University of Colorado.
A script kiddie, most likely.

With a lot of money or stolen credit cards, because they have hundreds of domains.
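The post describes two things a defender can check for automatically: an Include directive in httpd.conf that points into a hidden dot-named directory outside the normal config tree, and an SSH password-guessing run visible in the sshd log as a burst of "Illegal user" / "Failed password" lines from one source. The script below is an added example and is not code from the original post; it audits a constructed httpd.conf fragment modelled on the one described and tallies login failures per source IP from constructed log lines in the same format as the ones quoted above. The trusted config roots, the threshold of 5 attempts, and the 192.0.2.x addresses are assumptions for illustration.

```python
import re
from collections import Counter, defaultdict

# Constructed httpd.conf fragment (not a real file): the last line mirrors the
# kind of Include directive described in the post.
SAMPLE_HTTPD_CONF = """\
ServerRoot "/etc/httpd"
Include conf.d/*.conf
Include /etc/httpd/conf/vhosts.conf
Include /usr/src/redhat/.../.h
"""

# Constructed sshd log lines in the same format as the ones quoted in the post;
# 192.0.2.x are documentation addresses, not real hosts.
SAMPLE_SSHD_LOG = """\
May 31 10:14:42 sp82 sshd[22426]: Illegal user cisco from 192.0.2.10
May 31 10:14:47 sp82 sshd[22467]: Illegal user jason from 192.0.2.10
May 31 10:14:53 sp82 sshd[22491]: Illegal user patrick from 192.0.2.10
May 31 10:14:58 sp82 sshd[22553]: Illegal user richard from 192.0.2.10
May 31 10:15:09 sp82 sshd[22615]: Illegal user auth from 192.0.2.10
May 31 10:15:15 sp82 sshd[22643]: Failed password for games from 192.0.2.10 port 49145 ssh2
May 31 10:20:01 sp82 sshd[22901]: Failed password for bob from 192.0.2.77 port 50210 ssh2
"""

# Assumed: directories from which Apache config is legitimately included.
TRUSTED_CONF_ROOTS = ("/etc/httpd", "/etc/apache2", "/usr/local/apache2/conf")

INCLUDE_RE = re.compile(r'^\s*Include(?:Optional)?\s+"?([^"\s]+)"?', re.IGNORECASE)
SSHD_RE = re.compile(
    r"sshd\[\d+\]: (?:Illegal user (\S+)|Failed password for (?:invalid user )?(\S+))"
    r" from (\d+\.\d+\.\d+\.\d+)"
)


def _under_trusted_root(path):
    return any(path == r or path.startswith(r + "/") for r in TRUSTED_CONF_ROOTS)


def suspicious_includes(conf_text, server_root="/etc/httpd"):
    """Return (line number, resolved path, reasons) for Include lines that point
    at hidden (dot-prefixed) path components or outside the trusted config roots."""
    findings = []
    for lineno, line in enumerate(conf_text.splitlines(), 1):
        m = INCLUDE_RE.match(line)
        if not m:
            continue
        path = m.group(1)
        if not path.startswith("/"):          # relative includes resolve against ServerRoot
            path = server_root.rstrip("/") + "/" + path
        reasons = []
        hidden = [p for p in path.split("/") if p.startswith(".")]
        if hidden:                            # catches "..." as well as ".h"
            reasons.append("hidden path component(s): " + ", ".join(hidden))
        if not _under_trusted_root(path):
            reasons.append("outside trusted config roots")
        if reasons:
            findings.append((lineno, path, reasons))
    return findings


def ssh_bruteforce_sources(log_lines, threshold=5):
    """Count failed/illegal-user logins per source IP; return those at or above
    the threshold together with the distinct usernames that were tried."""
    attempts = Counter()
    usernames = defaultdict(set)
    for line in log_lines:
        m = SSHD_RE.search(line)
        if not m:
            continue
        user = m.group(1) or m.group(2)
        ip = m.group(3)
        attempts[ip] += 1
        usernames[ip].add(user)
    return {
        ip: {"attempts": n, "usernames": sorted(usernames[ip])}
        for ip, n in attempts.items()
        if n >= threshold
    }


if __name__ == "__main__":
    for lineno, path, reasons in suspicious_includes(SAMPLE_HTTPD_CONF):
        print(f"httpd.conf line {lineno}: {path} -> {'; '.join(reasons)}")
    for ip, info in ssh_bruteforce_sources(SAMPLE_SSHD_LOG.splitlines()).items():
        print(f"{ip}: {info['attempts']} failures, users tried: {', '.join(info['usernames'])}")
```

On the sample input only the `/usr/src/redhat/.../.h` include is flagged (for both the dot-named components and for living outside the config tree), and only 192.0.2.10 crosses the attempt threshold; the single failure from 192.0.2.77 is ignored. Against a real host, feed `suspicious_includes` the contents of the live httpd.conf and `ssh_bruteforce_sources` the lines of the auth log.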