
Thread about the DonationCoder.com server Shutdown on March 2nd, 2008


mouser:
It looks like they got in using an exploit in an older version of the Subversion Version Control System (SVN) that I had installed on the server a while ago.  It's a good lesson that the moment you install a service on your server, you need to forever after keep it updated, or disable it.  You cannot just install something on a web-accessible server and forget about it.

Rover:
I felt like I had let down the visitors to this site.  If I don't seem contrite enough at the moment, it's only because in the last 4 days since the server was down I have gradually calmed down from a state of hyperventilation.-Mouser
--- End quote ---

Mouser, while I appreciate your humility, I do not hold you or anyone on the DC team responsible for this attack.  To me, that'd be like blaming a rape victim* for their attack.  It's not your fault, we're happy DC is back. 

THANKS FOR ALL YOU DO    :Thmbsup:

*I am not attempting to equate the two, relax.

Gothi[c]:
It looks like they got in using an exploit in an older version of the Subversion Version Control System (SVN) that I had installed on the server a while ago.

--- End quote ---
It does look like that, but there is no way to be 100% sure.
The facts are:

* Someone logged into the svn user account (which for some reason had a bash shell bound to it instead of being pointed to /sbin/nologin or something) before logging in as root (timestamps show svn was first)
* The svn user account had " nano /etc/passwd " in its .bash_history.   It is safe to assume that they erased the .bash_history on every log-in, so it will only show the commands they ran on last login, nothing before that.
* About one hour and a half later, they logged in as root through the front door. According to the ssh logs, it seems they used a valid password. Then went straight to installing their trojan code on the webpage. As far as we can tell anyway, the .bash_history does show that it wasn't erased because it had commands in there we ran before the attack. However, they could easily manipulate it and only delete the lines they were responsible for.
* They also killed the log daemons upon login, thus adding more uncertainty since we only have partial information.
* The attackers came from at least 3 different IP addresses:

24.39.219.73
82.201.163.136
62.13.171.41

It's most probably safe to assume that these are also hacked computers.
* The way they infected the pages was by running a script called fr.sh which traversed the directories looking for index.html/htm pages (It also got 2 PHP pages that were not accessible to the public). It seems like it grabbed the code to inject from a file they created (filename was Script).
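
Two checks that follow from the facts listed above, written as an added shell example that is not part of the original thread or of the DonationCoder server: the first lists low-UID service accounts that still have an interactive shell (the svn account had bash instead of /sbin/nologin), the second lists index.html/index.htm pages (the files fr.sh went after) modified since a reference file such as a known-good deploy. The account names, UIDs, paths, timestamps and the 1000 UID cutoff are constructed sample data and assumptions, not the real server's.

```shell
#!/bin/sh
# Added example, not code from the thread. Sample data below is constructed.

# 1. Service accounts (UID below an assumed cutoff of 1000, root excluded)
#    whose login shell is not nologin/false. Argument: a passwd-format file.
audit_login_shells() {
    awk -F: '
        $3 < 1000 && $1 != "root" &&
        $7 !~ /(nologin|false)$/ { print $1 ":" $7 }
    ' "$1"
}

# 2. index.html / index.htm files under a web root with a modification time
#    newer than a reference file (e.g. the last clean deploy or backup).
#    Arguments: web root, reference file. Output is sorted for stable review.
find_modified_index_pages() {
    find "$1" -type f \( -iname 'index.html' -o -iname 'index.htm' \) \
        -newer "$2" | sort
}

# --- constructed sample data so the script runs offline ---
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

cat > "$WORK/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
svn:x:105:105:Subversion:/var/svn:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
mouser:x:1000:1000:mouser:/home/mouser:/bin/bash
EOF

mkdir -p "$WORK/www/site1" "$WORK/www/site2/sub"
touch -t 200802010000 "$WORK/www/deploy.stamp"          # reference: last deploy
touch -t 200801150000 "$WORK/www/site1/index.html"      # older than stamp: untouched
touch -t 200803020100 "$WORK/www/site2/index.htm"       # newer: suspect
touch -t 200803020100 "$WORK/www/site2/sub/index.html"  # newer: suspect
touch -t 200803020100 "$WORK/www/site2/sub/about.html"  # newer, but not an index page

echo "== service accounts with login shells =="
audit_login_shells "$WORK/passwd"
echo "== index pages changed since deploy =="
find_modified_index_pages "$WORK/www" "$WORK/www/deploy.stamp"
```

Run it against the real /etc/passwd and web root instead of the sample directory. Note that mtime-based triage is only a first pass: an attacker who resets timestamps (or who killed the log daemons, as happened here) defeats it, so the result should be confirmed by diffing the suspect pages against a backup.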

Deozaan:
The quick way is checking whether you have a file called ntos.exe in %SystemRoot\system32, like mouser mentioned above.
-f0dder (March 07, 2008, 08:52 AM)
--- End quote ---

Is it only ntos.exe? I checked and I have an ntoskrnl.exe in the system32 folder. Is that safe?

tomos:
The quick way is checking whether you have a file called ntos.exe in %SystemRoot\system32, like mouser mentioned above.
-f0dder (March 07, 2008, 08:52 AM)
--- End quote ---

Is it only ntos.exe? I checked and I have an ntoskrnl.exe in the system32 folder. Is that safe?
-Deozaan (March 07, 2008, 02:13 PM)
--- End quote ---

A Google search gives the impression it's more of a problem not to have that (ntoskrnl.exe) -
I had checked it out myself earlier
http://www.google.com/search?hl=en&client=firefox-a&rls=org.mozilla%3Aen-US%3Aofficial&hs=th3&q=ntoskrnl.exe&btnG=Search
