HOW IT STARTED!


I got this email from a concerned friend...

--paste--

----- Original Message -----
From: ???????
To: Leda@ledamay.com
Sent: Saturday, December 17, 2005 4:57 AM
Subject: site password theft

Hey leda, I came across a site (3xhq.com, it's a forum) that posted a bunch of your passwords...

www3.ledamay.com/members


so I'd disable them if they aren't already!
Just giving you a heads up!
-Deege

--END--

I then checked my Sentry program to make sure it had suspended all the compromised logins, and it had done its job properly!
It monitors IPs against the usernames and uses a Mask3 type matching. If that exceeds a threshold I set, it will automatically suspend that user and email me the info, as well as send that user to a page telling them what's up and to contact me.

First, I was baffled at how they were able to decrypt the pass file once they obtained it. My .htaccess files are not viewable to show them WHERE the pass file is, so they had to get it another way! They used a CGI I put on the server to write their own PHP files.

What they did is dump a dictionary file against my encrypted passfile with the known logins, doing this at my login prompt! Once it has completed its attack it saves what worked and disregards the rest.

That person then has a few of your logins to do with as they please, depending on how good the dictionary and brute-force program they used is.
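As an added illustration (my own example, not the Sentry program or anything from the original post) of the two patterns described above, here is a small Python script run over a few constructed Apache access-log lines for the members area. It collapses each client IP to its first three octets (my reading of "Mask3", which is an assumption), suspends a user seen from more than a set number of networks, and separately flags an IP that piles up 401s at the login prompt the way a dictionary run against the members login does.

```python
import re
from collections import defaultdict

# Constructed sample of Apache combined-format lines for the /members area.
# Field 3 is the basic-auth user ("-" when no credentials were sent).
SAMPLE_LOG = """\
10.0.0.5 - sagi [17/Dec/2005:04:10:01 +0000] "GET /members/ HTTP/1.1" 200 5120
10.0.0.9 - sagi [17/Dec/2005:04:10:05 +0000] "GET /members/ HTTP/1.1" 200 5120
198.51.100.7 - sagi [17/Dec/2005:04:11:40 +0000] "GET /members/ HTTP/1.1" 200 5120
203.0.113.4 - sagi [17/Dec/2005:04:12:02 +0000] "GET /members/ HTTP/1.1" 200 5120
192.0.2.77 - sagi [17/Dec/2005:04:13:30 +0000] "GET /members/ HTTP/1.1" 200 5120
192.0.2.10 - bramble [17/Dec/2005:04:20:00 +0000] "GET /members/ HTTP/1.1" 200 5120
192.0.2.10 - bramble [17/Dec/2005:04:21:00 +0000] "GET /members/pics HTTP/1.1" 200 900
203.0.113.50 - limestop [17/Dec/2005:04:30:00 +0000] "GET /members/ HTTP/1.1" 401 401
203.0.113.50 - limestop [17/Dec/2005:04:30:01 +0000] "GET /members/ HTTP/1.1" 401 401
203.0.113.50 - limestop [17/Dec/2005:04:30:02 +0000] "GET /members/ HTTP/1.1" 401 401
203.0.113.50 - limestop [17/Dec/2005:04:30:03 +0000] "GET /members/ HTTP/1.1" 200 5120
"""

# client IP, auth user and HTTP status from a combined-format line
LINE_RE = re.compile(r'^(\S+) \S+ (\S+) \[[^\]]+\] "[^"]*" (\d{3}) ')

def net_prefix(ip, octets=3):
    """Collapse an IPv4 address to its first `octets` octets (assumed 'Mask3' idea)."""
    return ".".join(ip.split(".")[:octets])

def analyse(log_text, max_networks=3, max_failures=3):
    """Return (users to suspend, IPs hammering the login prompt)."""
    nets_per_user = defaultdict(set)    # user -> distinct /24 networks that logged in
    failures_per_ip = defaultdict(int)  # ip -> number of 401 responses
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, user, status = m.groups()
        if user == "-":
            continue                    # no credentials offered, nothing to score
        if status == "401":
            failures_per_ip[ip] += 1    # wrong password attempt at the prompt
        else:
            nets_per_user[user].add(net_prefix(ip))
    # a login shared/stolen shows up from more networks than one person would use
    suspend = sorted(u for u, nets in nets_per_user.items() if len(nets) > max_networks)
    # repeated 401s from one address is the dictionary-run signature
    guessing = sorted(ip for ip, n in failures_per_ip.items() if n >= max_failures)
    return suspend, guessing

if __name__ == "__main__":
    print(analyse(SAMPLE_LOG))  # (['sagi'], ['203.0.113.50'])
```

The thresholds are arbitrary; in the real thing they would be tuned per site and fed into whatever suspends the account and notifies the owner.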

I shelled into my box and made a list of all PHP, CGI and PL files located in my web folders...

find . -type f \( -name '*.php' -o -name '*.cgi' -o -name '*.pl' \) > phplist

I deleted all useless executables and then renamed all I must keep to something obscure only I know of.

I then went to the sites for the scripts I must keep to check if they have any updates for them that might help patch needed files and installed those!

I found a functions.php located in my TOP100list dir which did not belong and deleted that. I've renamed all my top100 executables as well.

How they obtained my passfile was by using a vulnerable CGI to write their files to my hard disk. They would only have the access allowed to the Apache program, which is a BAD THING!

I sure hope I have covered all bases but if you have any other ideas please let me know.

Here is the program the hacker used once he found a CGI he could compromise.
http://rst.void.ru

These are the malicious files created. Download and view HERE! VIEW THIS TOO...