SomeoneE1se Posted December 20, 2007
I may have just POSTed my forum user/pass to http://193.170.210.139 or http://193.170.210.139/user/userstat.php?s...rbarRyfr-qngn45 in ROT-13 uggc://193.170.210.139/hfre/hfrefgng.cuc?fgevat=SomeoneElse-data45 so if something happens y'all don't think I'm doing something bad or something.
* SomeoneE1se changes password
I'm not sure how this happened but I went to hak5 from my bookmarks, so you might want to take a look at the server logs, VaKo.
VaKo Posted December 20, 2007
Looking into it.
SomeoneE1se Posted December 20, 2007
If someone can code me up a script to bruteforce that page I'd love to spam the help out of it with fake random user passes. TomB?
moonlit Posted December 20, 2007
Isn't this what happened to someone before?
Edit: How odd, it's listed on here: http://thales.memphis.edu/mw/data.bak (the only reference I can find to that file is http://marc.info/?l=log&m=100334499223652&w=3)... It's a mail server it seems, whois turns up mail.hakkrems.ac.at (Vienna University Computer Center). http://mail.hakkrems.ac.at/ is up on port 80, according to the favicon it's Linux based.
Edit2: Previous instance of this issue: http://forums.hak5.org/index.php/topic,7683.0.html
Edit3: Apache/2.0.53 (Linux/SUSE), apparently.
SmoothCriminal Posted December 20, 2007
I was joking when I said I hacked into your account, now that it looks like someone actually did, wasn't me.
digip Posted December 20, 2007
Being the second time this has happened to someone here, I would make a note to forward any traffic from 193.170.210.139 to www.hak5.org on your local machine. Just as a precaution, but I am curious as to what exactly this is. Does it seem as if someone is hijacking the login page or using an XSS attack to redirect people to that site? Or is it a problem on the hak5 host's side of things...
Just curious, but you said it was from a bookmark in your browser. Maybe there is an exploit in your browser that when you visited a certain site (other than the one posted), it looks through your bookmarks and tries to find login pages and then replaces the shortcuts with something like the address you posted. Go through all your bookmarks and see if there are any others that redirect to that page.
VaKo Posted December 20, 2007
Later on today I'm going to reinstall the whole forum software. (The DB will remain intact). I can't see any reference to that IP in the code, or the DB, but 2 times is enough for me. I would also advise that you change your passwords. I will be putting out an APB about this later on, but, and I cannot stress this enough atm, so far there is no evidence that we've been hacked.
SomeoneE1se Posted December 20, 2007
I have no software firewall on THIS machine but I don't suspect it was my error because this same thing happened to sparda so...
Firefox 2.0.0.11 with NoScript so I doubt it was a scripting attack.
digip Posted December 20, 2007
> I have no software firewall on THIS machine but I don't suspect it was my error because this same thing happened to sparda so...
> Firefox 2.0.0.11 with NoScript so I doubt it was a scripting attack

But doesn't NoScript allow you to whitelist sites? So even if you have all sites blocked but allow things like hak5.org, and hak5.org had some sort of XSS attack placed somewhere in the site, you would still be vulnerable? Like let's say you turned it on for a site where you watch video clips, because obviously you will need scripting to view the clips. If something is embedded in the site you would then be open to attack with a hidden iframe or something. Just a theory. Two of you had the same problem, and I think that both of you are more than computer savvy enough to know how to lock down your computers, yet you both got redirected to this http://193.170.210.139/user/userstat.php? page. Someone or something seems to be outsmarting us somehow.
SomeoneE1se Posted December 20, 2007
NoScript filters XSS attacks even from sites that you have whitelisted and still blocks IPs, not just domain names. This was not some sort of XSS (though I can't prove that).
VaKo, keep a backup of the site so we can go through it. Also a good idea would be to take a clean install of SMF and md5 every single file and see if any of the files have been altered (I did think that modding the install would alter the install but it's just an idea). It's just an idea to start with.
VaKo, have you posted this to SMF yet... along with the list of mods you have added? Maybe one of them has been compromised?
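
The clean-install comparison suggested in the post above, as an added example that is not part of the original thread: it hashes every file in a reference tree and in the live tree and reports what was modified, added or removed. SHA-256 is used here in place of the md5 mentioned in the post (pass `algo="md5"` to match it), and the directory layout and file names in `demo()` are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path


def hash_tree(root, algo="sha256"):
    """Map each regular file's path (relative to root) to its hex digest."""
    root = Path(root)
    digests = {}
    for path in sorted(root.rglob("*")):
        if path.is_symlink() or not path.is_file():
            continue  # directories and symlinks are not hashed
        h = hashlib.new(algo)
        with path.open("rb") as fh:
            for chunk in iter(lambda: fh.read(65536), b""):
                h.update(chunk)
        digests[path.relative_to(root).as_posix()] = h.hexdigest()
    return digests


def compare_trees(clean_root, live_root, algo="sha256"):
    """Classify files in the live tree against the clean reference tree."""
    clean, live = hash_tree(clean_root, algo), hash_tree(live_root, algo)
    return {
        "modified": sorted(p for p in clean.keys() & live.keys() if clean[p] != live[p]),
        "added": sorted(live.keys() - clean.keys()),
        "missing": sorted(clean.keys() - live.keys()),
    }


def demo():
    """Build two small constructed trees (not real forum files) and compare them."""
    with tempfile.TemporaryDirectory() as tmp:
        clean, live = Path(tmp, "clean"), Path(tmp, "live")
        files = {"index.php": b"<?php // entry\n", "lib/login.php": b"<?php // login\n",
                 "theme/style.css": b"body{}\n"}
        for root in (clean, live):
            for rel, data in files.items():
                target = root / rel
                target.parent.mkdir(parents=True, exist_ok=True)
                target.write_bytes(data)
        # Constructed differences: one edited file, one extra file, one deleted file.
        (live / "lib/login.php").write_bytes(b"<?php // login, edited\n")
        (live / "theme/extra.php").write_bytes(b"<?php // not in the reference\n")
        (live / "theme/style.css").unlink()
        return compare_trees(clean, live)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

The reference tree has to be the same release as the live one, obtained from a trusted source. As the post notes, installed mods legitimately change files, so "modified" and "added" entries are leads to review rather than proof of tampering.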