Sparda Posted October 19, 2007

I was logging in to the forum and when I hit login I was forwarded to the URL below.

http://193.170.210.139/user/userstat.php?s...-gouDX6B0yqYQ8b

I immediately changed my password and logged out and back in to see what happened. What is this?
K1u Posted October 19, 2007

> I was logging in to the forum and when I hit login I was forwarded to the URL below.
> http://193.170.210.139/user/userstat.php?s...-gouDX6B0yqYQ8b
> I immediately changed my password and logged out and back in to see what happened. What is this?

Edit. What exactly did you get?
VaKo Posted October 19, 2007

Initial check shows nothing odd so far.
Sparda Posted October 19, 2007 (Author)

> What exactly did you get?

Normal, no forwarding to external sites. I probably did something, but when I saw there was a variable 'string' that could have contained my password and username (separated by the dash? Sparda is six characters long, and my password also happens to be 14 characters long) encrypted, it was kind of like "Well, time to change the password before I do anything else".

VaKo, please make me happy and replace the login script page with a known good version of it, and keep a backup of the (allegedly) compromised one. ;)
digip Posted October 20, 2007

Vienna University Computer Center
moonlit Posted October 20, 2007

"fcneqn" is "sparda" rot13'd
K1u Posted October 20, 2007

> Normal, no forwarding to external sites. I probably did something, but when I saw there was a variable 'string' that could have contained my password and username (separated by the dash? Sparda is six characters long, and my password also happens to be 14 characters long) encrypted, it was kind of like "Well, time to change the password before I do anything else".
> VaKo, please make me happy and replace the login script page with a known good version of it, and keep a backup of the (allegedly) compromised one. ;)

How strange... what was the site you were visiting? Hak5?
VaKo Posted October 20, 2007

> VaKo, please make me happy and replace the login script page with a known good version of it, and keep a backup of the (allegedly) compromised one. ;)

Done. One carriage return and a missing version number were the only differences from the original. Also gone through all the code and nothing weird has shown up.
digip Posted October 20, 2007

Were you on any TOR or proxy sites just leading up to the login on the Hak5 forums? It looks like you may have been redirected or being scanned by some sort of CERT or military site. mail.hakkrems.ac.at is the name for the IP address you provided and it resides in Austria. It also keeps pointing at cert@aco.net when I do a scan with Evolution.

ACOnet-CERT Team information
Short team name: ACOnet-CERT
Official team name: ACOnet-CERT
Membership type: Full Member
Date of membership approval: 2003-04-07
Team host organization: Vienna University
Country of team: Austria
Public WWW server: http://cert.aco.net/

Constituency
Type of constituency: Research & education
Description of constituency: Customers of ACOnet, Austrian Academic Computer Network

Team contact information
Regular telephone number: +43-1-4277-14045
E-mail address: cert@aco.net
Facsimile number: +43-1-4277-9140
Postal address: ACOnet-CERT, Vienna University Computer Center, Universitaetsstrasse 7, A-1010 Vienna
Timezone: UTC+0100

Cryptography
PGP key id: 0x2F94BCFA
PGP fingerprint: E72B DEB1 0526 CDBE 46CA 2DF6 B6ED EEF0 2F94 BCFA

www.hakkrems.ac.at <-- Armenian language? (Tried German and it translated it)

mail.hakkrems.ac.at
Thu 01-February-2007 02:58 - mail.hakkrems.ac.at - "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)" - "http://www.google.at/"
Thu 01-February-2007 02:59 - mail.hakkrems.ac.at - "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)" - "http://cards.austrosearch.at/"
Thu 01-February-2007 02:59 - mail.hakkrems.ac.at - "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)" - "http://www.google.at/"

and

Wed 01-December-2004 02:08 - mail.hakkrems.ac.at - "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; Hotbar 4.1.8.0)" - "http://www.google.at/"

These are two different requests from the same server with different browser user agents.

http://www.google.com/search?num=50&hl...amp;btnG=Search
Sparda Posted October 20, 2007 (Author)

Was a fresh install of Kubuntu 7.10, had just installed NoScript, CookieSafe, Master Password Timeout and Password Hasher in Firefox. No proxy used (as far as I know). The internet is far too insecure; if someone got into just one of BT's routers, they could cause mass havoc.
digip Posted October 20, 2007

I am just curious about the userstat.php file. I see a lot of them when searching Google but what the script could be doing is anyone's guess. Most of them are just for things like referrer stat pages to get the user's stats, like browser agent, IP address, etc., but the fact that it had a rot13'ed string of your name in there was kind of weird.
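As an added example (not code from the thread), here is a small Python check a forum admin could run over a suspicious post-login redirect URL: it splits each query value on dashes and flags tokens that match a known username either directly or after rot13, which is the relationship moonlit spotted between "fcneqn" and "sparda", and it reports token lengths so a match against a username or password length is visible. The sample URL is constructed from the fragments quoted in the thread and the forum host name is a placeholder.

```python
import codecs
from urllib.parse import parse_qs, urlparse

# Constructed sample modelled on the redirect in the thread: one query value
# carrying a rot13'd username and a second dash-separated token.
SAMPLE_URL = "http://193.170.210.139/user/userstat.php?string=fcneqn-gouDX6B0yqYQ8b"
# Assumed forum host (placeholder, not the real forum's host name).
FORUM_HOST = "forum.example"


def rot13(text: str) -> str:
    """rot13 is its own inverse, so one helper both encodes and decodes."""
    return codecs.encode(text, "rot_13")


def leaked_identity_tokens(url: str, username: str) -> list:
    """Return (param, token, encoding) for every dash-separated query token
    that equals `username` as-is or after rot13 (case-insensitive)."""
    target = username.lower()
    hits = []
    query = parse_qs(urlparse(url).query, keep_blank_values=True)
    for param, values in query.items():
        for value in values:
            for token in value.split("-"):
                low = token.lower()
                if low == target:
                    hits.append((param, token, "plain"))
                elif rot13(low) == target:
                    hits.append((param, token, "rot13"))
    return hits


def token_lengths(url: str) -> dict:
    """Lengths of the dash-separated tokens per query parameter, so a length
    match against a username or password (as Sparda reasoned) stands out."""
    query = parse_qs(urlparse(url).query, keep_blank_values=True)
    return {p: [len(t) for v in vals for t in v.split("-")]
            for p, vals in query.items()}


def is_offsite_redirect(url: str, expected_host: str) -> bool:
    """True when a post-login redirect leaves the expected forum host."""
    host = urlparse(url).hostname or ""
    return host.lower() != expected_host.lower()


if __name__ == "__main__":
    print(leaked_identity_tokens(SAMPLE_URL, "Sparda"))  # [('string', 'fcneqn', 'rot13')]
    print(token_lengths(SAMPLE_URL))                     # {'string': [6, 14]}
    print(is_offsite_redirect(SAMPLE_URL, FORUM_HOST))   # True
```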