This is part of the text received from our admin. I removed the long lists of error messages she included.
They use the programs you have to upload into the server and it allows full commands, and then they install it all in tmp, and then once it's there, the programs are little robots that run and do the work, all automation
they ran the application called Raven and it scans for ssh security holes
sh.tgz is a port scanner, a program that opens root on 4444 port on telnet
they ran this last night
muh is a smart IRC-bouncing tool that remains on IRC all the time. You can
take control over your nick by connecting to muh with an IRC client that is able to supply a password for the server connection.
>>>>>>>>>>>>>>>>>>>>>
it's part of the port package; when they unzip it, 200 applications run and start working
we removed it and they put it back at 4am
>>>>>>>>>>>>>>>>>>>>>>>>>>
that script also hacks sites that visit it
>>>>>>>>>>>>>>>>>>>>>>>>>>>>
it's something you have in your directory that's hacked; they spent hours in there
when an error is caused, it makes a hole
there are thousands of "File does not exist" entries like below: the hacker
calling for something to create the hole
[Thu Sep 13 05:51:49 2007] [error] [client 70.58.42.163] File does not exist:
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
now at the same time frame as the installs
now same time as hack downloaded
this was run
[2007-09-18 03:23:26]: info: (target/actual) uid: (canyon/canyon) gid:
(canyon/canyon) cmd: image.php
that's in the suexec file
>>>>>>>>>>>>>>>>>>>>>>>>>>>
I deleted a folder in content they added
they named
.k
had the raven script in it
>>>>>>>>>>>>>>>>>>
I changed the permissions on the forums
but I did not change the permissions on the gallery until right now-
right now -live as I am typing this
someone is trying to install
This is how the files were uploaded
A security hole in showphoto.php (not passing in an album results in no
password protection)
Fixes are here
http://photos.gavintech.com/develope...stec&ViewPass=
easier to read here
http://photos.gavintech.com/source.php
permissions changed on the gallery folder and the forums folder
please do not change back until you run the fixes
and please do one folder at a time
also please look in these folders for any files or folders I may have
missed
or they managed to install before I changed the permissions
also - please contact the forum and gallery application programmers -
you may have the wrong set up,
and you need to talk to the program people you
got it from
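
The message above pairs a burst of "File does not exist" errors with a suexec entry from the same time frame. The following is an added example, not part of the original post or the admin's text, that performs that correlation in Python over the two log formats quoted. The sample log lines, addresses and paths are constructed, and the `min_hits` and `window` thresholds are assumptions.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample lines in the two formats quoted in the post (not real data).
ERROR_LOG = """\
[Tue Sep 18 03:20:01 2007] [error] [client 192.0.2.10] File does not exist: /var/www/html/a.php
[Tue Sep 18 03:20:02 2007] [error] [client 192.0.2.10] File does not exist: /var/www/html/b.php
[Tue Sep 18 03:20:03 2007] [error] [client 192.0.2.10] File does not exist: /var/www/html/c.php
[Tue Sep 18 09:00:00 2007] [error] [client 198.51.100.7] File does not exist: /var/www/html/favicon.ico
"""
SUEXEC_LOG = """\
[2007-09-18 03:23:26]: info: (target/actual) uid: (canyon/canyon) gid: (canyon/canyon) cmd: image.php
[2007-09-18 12:00:00]: info: (target/actual) uid: (canyon/canyon) gid: (canyon/canyon) cmd: index.php
"""

ERR_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[error\] \[client (?P<ip>[^\]]+)\] File does not exist: (?P<path>.*)$")
SUEXEC_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\]: .*?uid: \((?P<uid>[^)]+)\) gid: \((?P<gid>[^)]+)\) cmd: (?P<cmd>.+)$")

def parse(text, regex, fmt):
    """Return (timestamp, match) pairs for every line the regex recognises."""
    rows = []
    for line in text.splitlines():
        m = regex.match(line)
        if m:
            rows.append((datetime.strptime(m["ts"], fmt), m))
    return rows

def correlate(error_text, suexec_text, min_hits=3, window=timedelta(minutes=10)):
    """For clients with >= min_hits missing-file errors, list the suexec
    commands that ran within `window` of that client's first/last error."""
    misses = parse(error_text, ERR_RE, "%a %b %d %H:%M:%S %Y")
    execs = parse(suexec_text, SUEXEC_RE, "%Y-%m-%d %H:%M:%S")
    counts = Counter(m["ip"] for _, m in misses)
    findings = []
    for ip, n in sorted(counts.items()):
        if n < min_hits:
            continue  # a single stray 404 (e.g. favicon) is not a probe burst
        times = [t for t, m in misses if m["ip"] == ip]
        lo, hi = min(times) - window, max(times) + window
        cmds = [m["cmd"] for t, m in execs if lo <= t <= hi]
        findings.append({"client": ip, "misses": n, "suexec_cmds": cmds})
    return findings

if __name__ == "__main__":
    for finding in correlate(ERROR_LOG, SUEXEC_LOG):
        print(finding)
```

A match only shows that the two events were close in time; the access log for the same window is still needed to tie a request to the script that ran.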