Jump to content

http://193.170.210.139 account watch


SomeoneE1se
 Share

Recommended Posts

I may have just POSTed my forum user/pass to http://193.170.210.139

or http://193.170.210.139/user/userstat.php?s...rbarRyfr-qngn45

in ROT-13 uggc://193.170.210.139/hfre/hfrefgng.cuc?fgevat=SomeoneElse-data45

so if something happens y'all don't think I'm doing something bad or something

[me=SomeoneE1se]changes password[/me]

I'm not sure how this happend but I went to hak5 from my bookmarks so you might want to take a look at the server logs VaKo

Link to comment
Share on other sites

Isn't this what happened so someone before?

Edit: How odd, it's listed on here: http://thales.memphis.edu/mw/data.bak (the only reference I can find to that file is http://marc.info/?l=log&m=100334499223652&w=3)...

It's a mail server it seems, whois turns up mail.hakkrems.ac.at (Vienna University Computer Center).

http://mail.hakkrems.ac.at/ is up on port 80, according to the favicon it's linux based.

Edit2: Previous instance of this issue: http://forums.hak5.org/index.php/topic,7683.0.html

Edit3:  Apache/2.0.53 (Linux/SUSE), apparently.

Link to comment
Share on other sites

Being the second time this has happened to someone here, I would make a note to forward any traffic from 193.170.210.139 to www.hak5.org on your local machine. Just as a precation, but I am curious as to what exactly this is.

Does it seem as if someone is hijacking the login page or using a xss attack to redirect people to that site?? Or is it a problem on the hak5 hosts side of things...

Just curious, but you said it was from a bookmark in your browser. Maybe there is an exploit in your browser that when you visited a certain site(other than the one posted), it looks through your bookmarks and tries to find login pages and then replaces the shortcuts to something like the address you posted. Go through all your bookmarks and see if there are any others that redirect to that page.

Link to comment
Share on other sites

Later on today I'm going to reinstall the whole forum software. (The DB will remain intact). I can't see any reference to that IP in the code, or the DB, but 2 times is enough for me. I would also advise that you change your passwords. I will be putting out an APB about this later on, but, and I cannot stress this enough atm, so far there is no evidence that we've been hacked. 

Link to comment
Share on other sites

I have no software firewall on THIS machine but I don't suspect it was my error because this same thing happened to sparda so...

Firefox 2.0.0.11 with NoScript so I doubt it was a scripting attack

But doens't NoScript allow you to whitelist sites. So even if you have all sites blocked but allow things like hak5.org, and hak5.org had some sort of xss attack placed somewhere in the site, you would still be vulnerable?

Like lets say you turned it on for a site where you watch video clips, becuase obviously you will need scripting to view the clips. If something is embeded in the site you would then be open to attack with a hidden iframe or something. Just a theory.

Two of you had the same problem, and I think that both of you are more than computer savy enough to know how to lock down your computers, yet you both got redirected to this http://193.170.210.139/user/userstat.php? page. Someone or somehting seems to be outsmarting us somehow.

Link to comment
Share on other sites

no script filters XSS attacks even from sites that you have whitelisted and still blocks IPs not just domain names this was not some sort of XSS (though I cant prove that)

Vako keep a backup of the site see so we can go through it

also a good idea would be to take a clean install of SMF and md5 every single file and see if any of the files have been altered ( I did think that moding the install would alter the install but it's just an idea)

it's just an idea to start with

VaKo have you posted this to SMF yet... along with the list of mods you have added maybe one of them has been compromised?

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...