[Chugalug] d@mn scammers/hackers

Mike Harrison cluon at geeklabs.com
Thu Oct 18 02:00:52 UTC 2012

The little Linode slice that hosts chugalug.org
and a handful of other sites had a Joomla install brute forced.
Actually nailed on October 10th, but they did not
install and abuse things until yesterday.

The Apache logs show many, many thousands of login/password attempts
on the two Joomla sites on this system... from only two IPs, in rapid
succession, and they finally got one. Then they uploaded a new theme, with
some extra functionality in the files.

Note: Both IPs were from static IP leasing services. That's a new twist
to me... usually they are from another hacked server.

And then they went "Bank of America Customer Fishing"
This server was only a relay, it's some interesting code.

As many of you are also hosting/using Joomla and other content management
systems, you might want to look at your logs. Moving your login/admin
URLs is the first step; there are many more worth taking.

I'm out of the internet / web hosting / security business and yet, since
the beginning of September, I've been involved in 6 compromises, 2 of which,
like this one, I was partially responsible for some part of the system.
The others I was just called in to help clean up afterwards.

My relevant, almost on-topic point is: it seems to me the intensity, focus
and volume of hacks, compromises and abuses have seemingly increased.

Be careful out there. I'm putting my uber-paranoid hat on after
about 10 years of not wearing it (all the time); you should also.

The not so nice people are out to get us all. All of us.
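As an added example (not from Mike's post or the Chugalug server), here is the kind of log check he is suggesting: a short Python script that parses Apache combined-format lines and flags any IP hammering the Joomla administrator login. The log lines are constructed, and treating a redirect after a run of 200s as a likely successful login is an assumption about Joomla's login flow.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of Apache combined-format lines (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2012:01:12:03 +0000] "POST /administrator/index.php HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2012:01:12:04 +0000] "POST /administrator/index.php HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2012:01:12:05 +0000] "POST /administrator/index.php HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2012:01:12:06 +0000] "POST /administrator/index.php HTTP/1.1" 303 0 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Oct/2012:01:12:07 +0000] "GET /index.php HTTP/1.1" 200 9876 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Oct/2012:01:12:08 +0000] "POST /administrator/index.php HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
ADMIN_LOGIN = "/administrator/index.php"   # default Joomla admin login path

def parse(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["ts"] = datetime.strptime(d["ts"], "%d/%b/%Y:%H:%M:%S %z")
    d["status"] = int(d["status"])
    return d

def find_bruteforce(log_text, threshold=3):
    """Return {ip: summary} for IPs with at least `threshold` POSTs to the admin login."""
    per_ip = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse(line)
        if rec and rec["method"] == "POST" and rec["path"].split("?")[0] == ADMIN_LOGIN:
            per_ip[rec["ip"]].append(rec)
    hits = {}
    for ip, recs in per_ip.items():
        if len(recs) < threshold:
            continue
        hits[ip] = {
            "attempts": len(recs),
            "seconds": (recs[-1]["ts"] - recs[0]["ts"]).total_seconds(),
            # Assumption: a redirect after failed (200) attempts marks a successful login.
            "likely_success": any(r["status"] in (301, 302, 303) for r in recs),
        }
    return hits

if __name__ == "__main__":
    for ip, s in find_bruteforce(SAMPLE_LOG).items():
        print(f"{ip}: {s['attempts']} attempts in {s['seconds']:.0f}s, success={s['likely_success']}")
```

Run it against a real access log by swapping SAMPLE_LOG for the file contents and raising the threshold to something that fits your traffic.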

