server hack?

Collapse
X
 
  • Time
  • Show
Clear All
new posts
  • emmanuelle
    Confirmed User
    • Mar 2003
    • 3662

    #1

    server hack?

    My friend just had a bunch of his index pages replaced with
    "SPYKIDS .. irc.chatplus.com.br #spykids.. enjoy "


    Anybody know who's behind this stuff and how they tend to get in?
  • BIGTYMER
    Junior Achiever
    • Nov 2004
    • 17066

    #2
    They get in via an exploit of some sort. You need to harden and keep your box patched and updated.

    Comment

    • Alky
      Confirmed User
      • Apr 2002
      • 5651

      #3
      Originally posted by Kingpins
      They get in via an exploit of some sort. You need to harden and keep your box patched and updated.
      good advice

      Comment

      • NetRodent
        Confirmed User
        • Jan 2002
        • 3985

        #4
        Why not ask the people on the irc channel #spykids on the server irc.chatplus.com.br.
        "Every normal man must be tempted, at times, to spit on his hands, hoist the black flag, and begin slitting throats."
        --H.L. Mencken

        Comment

        • Ad3pt
          Confirmed User
          • Aug 2002
          • 476

          #5
          Originally posted by emmanuelle
          My friend just had a bunch of his index pages replaced with
          "SPYKIDS .. irc.chatplus.com.br #spykids.. enjoy "


          Anybody know who's behind this stuff and how they tend to get in?
          server spec's?
          Don't look here for the joke. It's in your pants.

          South O - World Class surfer destination since 2001.

          Comment

          • BIGTYMER
            Junior Achiever
            • Nov 2004
            • 17066

            #6
            Originally posted by Alky
            good advice
            And you've got better?

            Comment

            • Ad3pt
              Confirmed User
              • Aug 2002
              • 476

              #7
              Originally posted by Kingpins
              They get in via an exploit of some sort. You need to harden and keep your box patched and updated.
              how do you know this to be the case?
              Don't look here for the joke. It's in your pants.

              South O - World Class surfer destination since 2001.

              Comment

              • Dirty F
                Too lazy to set a custom title
                • Jul 2001
                • 59204

                #8
                Originally posted by emmanuelle


                Anybody know who's behind this stuff and how they tend to get in?
                Just a wild guess but maybe these guys:

                SPYKIDS .. irc.chatplus.com.br

                I did some research.

                Comment

                • BIGTYMER
                  Junior Achiever
                  • Nov 2004
                  • 17066

                  #9
                  Originally posted by Ad3pt
                  how do you know this to be the case?
                  How else would they get in? Did they login via ftp with his u/p? I hight doubt it. And its showing an IRC page and IRC is know for its carding, hacking kiddies.

                  Comment

                  • Ad3pt
                    Confirmed User
                    • Aug 2002
                    • 476

                    #10
                    Originally posted by Kingpins
                    How else would they get in? Did they login via ftp with his u/p? I hight doubt it. And its showing an IRC page and IRC is know for its carding, hacking kiddies.
                    If they have the ftp u/p it's not an exploit.

                    On the other hand, if their local workstation is owned by a trojan/keylogger that would be an exploit.

                    Only point Im trying to make is that having this guy jump to conclusions isn't going to give him the info he needs.
                    Don't look here for the joke. It's in your pants.

                    South O - World Class surfer destination since 2001.

                    Comment

                    • Dirty D
                      Confirmed User
                      • May 2002
                      • 4044

                      #11
                      It looks like someone got root access to the server.

                      There are many exploits to get root access.

                      Here are some tools to check for and fix rootkits

                      http://www.chkrootkit.org


                      My advice:
                      Eliminate any backdoors (rootkit)
                      Restore the domains
                      Change all user and root passwords
                      Verify linux and apache are up to date.

                      Dirty D - ICQ #1326843 - $1 Million Dollars of Bonus Money - 8,000+ FHG!
                      Glory Hole Girlz - Crack Whore Confessions - Tampa Bukkake - Slut Wife Training - Fuck a Fan
                      Electricity Play - Porn Video Drive - Theater Sluts - Skunk Riley - Ukraine Amateurs - Strapon Sessions

                      Comment

                      • BIGTYMER
                        Junior Achiever
                        • Nov 2004
                        • 17066

                        #12
                        Originally posted by Ad3pt
                        If they have the ftp u/p it's not an exploit.

                        On the other hand, if their local workstation is owned by a trojan/keylogger that would be an exploit.

                        Only point Im trying to make is that having this guy jump to conclusions isn't going to give him the info he needs.
                        Yes, but the chances are greater that they got in via an exploit.

                        Comment

                        • erehwon
                          Confirmed User
                          • Nov 2003
                          • 3759

                          #13
                          Originally posted by emmanuelle
                          My friend just had a bunch of his index pages replaced with
                          "SPYKIDS .. irc.chatplus.com.br #spykids.. enjoy "


                          Anybody know who's behind this stuff and how they tend to get in?
                          It sounds like a run of the mill defacement, your friend probably didn't patch something they should have.

                          The hackers likely went to a database like Packetstorm and found something to break into the server.

                          Have your friend drop these guys, http://www.ibouncer.com a line, to lock things down
                          Money NEVER $leep$...

                          Comment

                          • V_RocKs
                            Damn Right I Kiss Ass!
                            • Nov 2003
                            • 32449

                            #14
                            What domains were effected?

                            Comment

                            Working...