Some thing scary happend

[Sparda]

I was logging in to forum and when I hit login I was forwarded to the URL below.

http://193.170.210.139/user/userstat.php?s...-gouDX6B0yqYQ8b

I immediately changed my password and logged out and back in to see what happened. What is this?

[K1u]

I was logging in to forum and when I hit login I was forwarded to the URL below.

http://193.170.210.139/user/userstat.php?s...-gouDX6B0yqYQ8b

I immediately changed my password and logged out and back in to see what happened. What is this?

Edit.

What exactly did you get.

[VaKo]

Inital check shows nothing odd so far.

[Sparda]

What exactly did you get.

Normal, no forwarding to external sites.

I probably did some thing, but when I saw there was a variable 'string' that could have contained my password and username (separated by the dash? Sparda is six characters long, and my password also happens to be 14 charaters long) encrypted, it was kind of like "Well, time to change the password before I do any thing else".

VaKo, please make me happy and replace the login script page with a known good version of it, and keep a back up of the (allegedly) compromised one. ;)

[digip]

Vienna University Computer Center

[moonlit]

"fcneqn" is "sparda" rot13'd

[K1u]

What exactly did you get.

Normal, no forwarding to external sites.

I probably did some thing, but when I saw there was a variable 'string' that could have contained my password and username (separated by the dash? Sparda is six characters long, and my password also happens to be 14 charaters long) encrypted, it was kind of like "Well, time to change the password before I do any thing else".

VaKo, please make me happy and replace the login script page with a known good version of it, and keep a back up of the (allegedly) compromised one. ;)

How strange... what was the site you were visiting? Hak5?

[VaKo]

VaKo, please make me happy and replace the login script page with a known good version of it, and keep a back up of the (allegedly) compromised one. ;)

Done, one carriage return and a missing version number in different from the orginoal. Also gone thew all the code and nothing weird has shown up.

[digip]

Were you on any TOR, Proxie sites just leeading up to the login on the Hak5 forums? It looks like you may have been redirected or being scanned by some sort of CERT or military site.

mail.hakkrems.ac.at is the name for the ip address you provided and it resides in Austria. It also keeps pointing at cert@aco.net when I do a scan with Evolution.

ACOnet-CERTTeam information

Short team name ACOnet-CERT

Official team name ACOnet-CERT

Membership type Full Member

Date of membership approval 2003-04-07

Team host organization Vienna University

Country of team Austria

Public WWW server http://cert.aco.net/

Constituency

Type of constituency Research & education

Description of constituency Customers of ACOnet, Austrian Academic Computer Network

Team contact information

Regular telephone number +43-1-4277-14045

E-mail address certaco.net

Facsimile number +43-1-4277-9140

Postal address ACOnet-CERT

Vienna University Computer Center

Universitaetsstrasse 7

A-1010 Vienna

Timezone UTC+0100

Cryptography

PGP key id 0x2F94BCFA

PGP fingerprint E72B DEB1 0526 CDBE 46CA  2DF6 B6ED EEF0 2F94 BCFA

www.hakkrems.ac.at  <-- Armenian laguage? (Tried German and  it translated it)

mail.hakkrems.ac.at

Thu 01-February-2007 02:58 - mail.hakkrems.ac.at - "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)" - "http://www.google.at/"

Thu 01-February-2007 02:59 - mail.hakkrems.ac.at - "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)" - "http://cards.austrosearch.at/"

Thu 01-February-2007 02:59 - mail.hakkrems.ac.at - "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)" - "http://www.google.at/"

and

Wed 01-December-2004 02:08 - mail.hakkrems.ac.at - "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; Hotbar 4.1.8.0)" - "http://www.google.at/"

These are two different requests from the same server with different browser user agents.

http://www.google.com/search?num=50&hl...amp;btnG=Search

[Sparda]

Was fresh install of Kubuntu 7.10, had just installed NoScript, cookiesafe, Master Password Timeout and Password hasher in firefox. No proxy used 9as far as I know).

The internet is far too insecure, if some one got in to just one of BT's routers, they could cause mass havoc.

[digip]

I am just curious about the userstat.php file. I see a lot of them when searching google but what the script could be doing is anyones guess. Most of them are just for things like referring stat pages to get the users stats, like browser agent, ip address, etc, but the fact that it had a rot13'ed string of your name in there was kind of weird.