
Something scary happened


Sparda


What exactly did you get.

Normal, no forwarding to external sites.

I probably did something, but when I saw there was a variable 'string' that could have contained my password and username (separated by the dash? Sparda is six characters long, and my password also happens to be 14 characters long) encrypted, it was kind of like "Well, time to change the password before I do anything else".

VaKo, please make me happy and replace the login script page with a known good version of it, and keep a backup of the (allegedly) compromised one. ;)


What exactly did you get.

Normal, no forwarding to external sites.

I probably did something, but when I saw there was a variable 'string' that could have contained my password and username (separated by the dash? Sparda is six characters long, and my password also happens to be 14 characters long) encrypted, it was kind of like "Well, time to change the password before I do anything else".

VaKo, please make me happy and replace the login script page with a known good version of it, and keep a backup of the (allegedly) compromised one. ;)

How strange... what was the site you were visiting? Hak5?


VaKo, please make me happy and replace the login script page with a known good version of it, and keep a backup of the (allegedly) compromised one. ;)

Done, one carriage return and a missing version number is different from the original. Also gone through all the code and nothing weird has shown up.


Were you on any TOR or proxy sites just leading up to the login on the Hak5 forums? It looks like you may have been redirected or being scanned by some sort of CERT or military site.

mail.hakkrems.ac.at is the name for the ip address you provided and it resides in Austria. It also keeps pointing at cert@aco.net when I do a scan with Evolution.

ACOnet-CERT

Team information
Short team name: ACOnet-CERT
Official team name: ACOnet-CERT
Membership type: Full Member
Date of membership approval: 2003-04-07
Team host organization: Vienna University
Country of team: Austria
Public WWW server: http://cert.aco.net/

Constituency
Type of constituency: Research & education
Description of constituency: Customers of ACOnet, Austrian Academic Computer Network

Team contact information
Regular telephone number: +43-1-4277-14045
E-mail address: cert@aco.net
Facsimile number: +43-1-4277-9140
Postal address: ACOnet-CERT, Vienna University Computer Center, Universitaetsstrasse 7, A-1010 Vienna
Timezone: UTC+0100

Cryptography
PGP key id: 0x2F94BCFA
PGP fingerprint: E72B DEB1 0526 CDBE 46CA  2DF6 B6ED EEF0 2F94 BCFA

www.hakkrems.ac.at <-- Armenian language? (Tried German and it translated it)

mail.hakkrems.ac.at

Thu 01-February-2007 02:58 - mail.hakkrems.ac.at - "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)" - "http://www.google.at/"

Thu 01-February-2007 02:59 - mail.hakkrems.ac.at - "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)" - "http://cards.austrosearch.at/"

Thu 01-February-2007 02:59 - mail.hakkrems.ac.at - "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)" - "http://www.google.at/"

and

Wed 01-December-2004 02:08 - mail.hakkrems.ac.at - "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; Hotbar 4.1.8.0)" - "http://www.google.at/"

These are two different requests from the same server with different browser user agents.

http://www.google.com/search?num=50&hl...amp;btnG=Search


Was fresh install of Kubuntu 7.10, had just installed NoScript, cookiesafe, Master Password Timeout and Password hasher in firefox. No proxy used (as far as I know).

The internet is far too insecure, if someone got in to just one of BT's routers, they could cause mass havoc.


I am just curious about the userstat.php file. I see a lot of them when searching Google but what the script could be doing is anyone's guess. Most of them are just for things like referring stat pages to get the users stats, like browser agent, ip address, etc, but the fact that it had a rot13'ed string of your name in there was kind of weird.

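An added example, not part of the thread and not code from any poster: one way to check a saved page or script for disguised copies of your own username or password, as the rot13'ed string discussed above turned out to be. It goes beyond rot13 to cover reversed, hex and base64 copies; the function names and the 14-character sample password are made up for illustration.

```python
import base64
import codecs

def base64_fragments(ident):
    """Base64 substrings that appear when ident sits at any byte offset
    inside a longer base64-encoded value (three possible alignments)."""
    frags = set()
    for pad in range(3):
        raw = b"\x00" * pad + ident.encode()
        enc = base64.b64encode(raw).decode().rstrip("=")
        start = (0, 2, 3)[pad]                       # chars mixed with preceding bytes
        end = len(enc) - (1 if len(raw) % 3 else 0)  # char mixed with following bytes
        frags.add(enc[start:end])
    return frags

def candidate_encodings(ident):
    """Map each reversible encoding to the strings worth searching for."""
    return {
        "plain": {ident},
        "rot13": {codecs.encode(ident, "rot13")},
        "reversed": {ident[::-1]},
        "hex": {ident.encode().hex()},
        "base64": base64_fragments(ident),
    }

def find_leaks(text, identifiers):
    """Return sorted (identifier, encoding, offset) for each encoded copy in text."""
    hits = []
    for ident in identifiers:
        for name, needles in candidate_encodings(ident).items():
            src = text.lower() if name == "hex" else text  # hex may be upper case
            for needle in needles:
                pos = src.find(needle)
                while pos != -1:
                    hits.append((ident, name, pos))
                    pos = src.find(needle, pos + 1)
    return sorted(hits)

# Constructed sample: the username from the thread plus a made-up 14-character
# password, rot13'ed and joined with a dash as the first post describes.
SAMPLE = 'var string = "Fcneqn-PbeerpgUbefr14";\nvar ref = "http://forum.example/";\n'

if __name__ == "__main__":
    for hit in find_leaks(SAMPLE, ["Sparda", "CorrectHorse14"]):
        print(hit)
```

None of these transforms is encryption: any hit means the value is recoverable by whoever receives the string, so the password should be treated as exposed.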
