[Chugalug] d at mn scammers/hackers

K I Goldman kigtest at hotmail.com
Thu Oct 18 02:36:21 UTC 2012

I may have just been helping a friend look into this hack.  Do you see hits like:http://www.somsitethatisnotrealbutisjoomla.org/administrator/templates/bluestork/stcp.php?action=start&time_s=1349981288&time_e=1349988288&page===ZwN1YwV1AF4lAQZhZGSoV104ZSfwKGR0JlAqAmNjZN
After it created these filesstcp.phpstph.phpindx.phperror.php

The page = '==ZwN1YwV1AF4lAQZhZGSoV104ZSfwKGR0JlAqAmNjZN';
Translates to:[#]80[#]14[#]7000(Looks like is Regions Bank)And it is sending a string of 'AAAAAAAAAAAAAA' (14 As) to the ip address '' port 80

So it looks like they are setting up for a DDOS attack best I can see.  Dude asked me if there are any other files he should look for.  The best I could tell is it could write files with the rights of apache, but it looked like it was designed to only write files in the web-root directory of the hacked site.
Do you have any suggestions/thoughts on what other prudent things to check?
Anyone?  Anyone? Anyone?  Buelller?  Bueller?  Bueller?

And the weird part of the code I really did not see the point of was this function embedded in a conditional statement:        function pack_str($str, $len)        {                $out_str = "";                for($i=0; $i<$len; $i++)                {                        $out_str .= pack("a$len", ord(substr($str, $i, 1)));                }                return $out_str;        }

and it did not look like it was being used at all.  Even DDOS attackers are under a deadline and end up writing crappy code, perhaps?

> Date: Thu, 18 Oct 2012 02:00:52 +0000
> From: cluon at geeklabs.com
> To: chugalug at chugalug.org
> Subject: [Chugalug] d at mn scammers/hackers
> The little Linode slice that hosts chugalug.org
> and a handful of other sites had a Joomla install brute forced.
> Actually nailed on October 10th, but they did not
> install and abuse things until yesterday.
> The apache logs show many many thousands of login/password attempts
> on the two joomla sites on this system... from only two IP's. in rapid 
> succession. and they finally got one. Then they uploaded a new theme, with 
> some extra functionality in the files.
> Note: Both IP's were from static ip leasing services. That's a new twist 
> to me... usually they are from another hacked server.
> And then they went "Bank of America Customer Fishing"
> This server was only a relay, it's some interesting code.
> As many of you are also hosting/using Joomla and other content management 
> systems, you might want to look at your logs. Moving your login/admin
> urls is the first step, there are many more worth taking.
> I'm out of the internet / web hosting / security business and yet, since 
> the beginning of September, I've been involved in 6 comprimises, 2 of which, 
> like this one, I was partially responsible for some part of the system.
> The others I was just called in to help clean up afterwards.
> My relevant almost on topic point is: It seems to me the intensity, focus 
> and volume of hacks, comprimises and abuses have seeming increased 
> significantly.
> Be careful out there. I'm putting my uber-paranoid hat on after
> about 10 years of not wearing it (all the time), you should also.
> The not so nice people are out to get us all. All of us.
> _______________________________________________
> Chugalug mailing list
> Chugalug at chugalug.org
> http://chugalug.org/cgi-bin/mailman/listinfo/chugalug
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://chugalug.org/pipermail/chugalug/attachments/20121017/db4442f0/attachment-0001.html>

More information about the Chugalug mailing list