I need some linux/SQL security help

Viewing 10 posts - 16 through 25 (of 25 total)
  • #756312
    Anonymous
    Inactive

    Somehow he is running a VB cron that initiates a TRUNCATE TABLE, then adds all the data back in.. still tracking the entire process

    IP 75.83.153.248
    - - [10/Dec/2007:18:55:07 -0600] "GET /phpBB2/cron.php?rand=911745 HTTP/1.1" 200 43 "http://www.allfreechips.com/casino_guide/no-deposit-casinos.html" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"

    #756313
    Anonymous
    Inactive

    If this guy truly came from VA he's going to get some surprises

    #756321
    prettie
    Member

    Well, I told you that there is some cron job :)

    #756333
    Anonymous
    Inactive

    not an actual cron job though :)

    I see now in my FTP log (yes, I didn't catch this to start with) I'm getting hex data transferred to my server's mail system – /home/account/mail/.Sent/cur/ and I am going to guess that is automatically processed as well into something.

    user is from
    inetnum: 117.0.0.0 – 117.7.255.255
    netname: VIETEL-VNNIC-VN
    descr: Vietel Corporation
    descr: No 1, Giang Van Minh Street, Ba Dinh District, Hanoi City
    country: VN
    admin-c: LHN1-AP
    tech-c: NMH2-AP
    status: ALLOCATED PORTABLE
    remarks: For spamming matters, mail to *****@viettel.com.vn
    mnt-by: MAINT-VN-VNNIC
    mnt-lower: MAINT-VN-VIETEL
    mnt-routes: MAINT-VN-VIETEL

    I'm changing all passwords as we speak and will continue to monitor what's up.

    #756348
    Anonymous
    Inactive

    I pm’ed you a link which may help to find out what kind of attack this is and how to fix it.

    #756353
    Anonymous
    Inactive

    As I'm going over the hacked links, some really piss me off

    like..

    InetBet affiliate id 1471

    #756356
    Anonymous
    Inactive

    Somebody you know? Is that person on CAP?

    #756368
    Anonymous
    Inactive

    Nobody I know, and of course the affiliate managers cannot reveal anyone.

    #756462
    supervince
    Member

    It looks like the user found a phpBB vulnerability and is doing some XSS. I would search Google for phpBB2 exploits and see what comes up. Maybe you will find a patch. If you can't get it fixed and want to give someone else a shot, then send me a PM and I can look into it.

    #756466
    Anonymous
    Inactive

    No phpBB here :)
    It all got moved to VB months ago when I had issues with it; they had access via FTP.. all new cryptographical passwords across the board now, and heavy log monitoring has shown no more access as of yet :P
