[Chugalug] d@mn scammers/hackers

Mike Harrison cluon at geeklabs.com
Thu Oct 18 02:52:25 UTC 2012


On Wed, 17 Oct 2012, K I Goldman wrote:
> I may have just been helping a friend look into this hack.  Do you see hits like:
> http://www.somsitethatisnotrealbutisjoomla.org/administrator/templates/bluestork/stcp.php?action=start&time_s=1349981288&time_e=1349988288&page===ZwN1YwV1AF4lAQZhZGSoV104ZSfwKGR0JlAqAmNjZN
> After it created these files
> stcp.php
> stph.php
> indx.php
> error.php

You nailed it exactly.  And got deeper than I did.

Yeah, same hack, and best I can tell also,
limited to apache user and this exploit/target.

Unsure of the purpose of other code,
I have other issues to resolve tonight (but not related to this)

Yours was on a .org also? Interesting. Both that I had were also .orgs.
I wonder if that is the targeted low hanging fruit of this campaign.
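An added example, not part of either poster's message: one way to check an Apache access log for requests to the file names and URL shape quoted above. The log lines, IP addresses and verdict labels are constructed for illustration, and the log format is assumed to be Apache common/combined.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# File names and directory taken from the quoted message above.
DROPPED_FILES = {"stcp.php", "stph.php", "indx.php", "error.php"}
TEMPLATE_DIR = "/administrator/templates/"
# Query keys of the quoted stcp.php URL.
URL_KEYS = {"action", "time_s", "time_e"}

# Apache common/combined log prefix: host, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) '
)

def classify(line):
    """Return a finding dict for a suspicious request, else None."""
    m = LOG_RE.match(line)
    if m is None:
        return None  # not an access-log line we can parse
    parts = urlsplit(m.group("target"))
    path = unquote(parts.path).lower()
    name = path.rsplit("/", 1)[-1]
    if TEMPLATE_DIR not in path or name not in DROPPED_FILES:
        return None
    keys = set(parse_qs(parts.query, keep_blank_values=True))
    # Same parameter set as the quoted URL is a stronger signal than the
    # file name alone (a name such as error.php is not unusual by itself).
    verdict = "matches-quoted-url" if URL_KEYS <= keys else "file-name-only"
    return {"host": m.group("host"), "file": name,
            "status": int(m.group("status")), "verdict": verdict}

def scan(lines):
    """Classify every line and keep only the findings."""
    return [f for f in map(classify, lines) if f is not None]

# Constructed sample input (documentation IP ranges, made-up sizes).
SAMPLE_LOG = [
    '198.51.100.7 - - [11/Oct/2012:18:48:08 +0000] "GET /administrator/templates/bluestork/stcp.php?action=start&time_s=1349981288&time_e=1349988288&page=CONSTRUCTED HTTP/1.1" 200 312 "-" "-"',
    '198.51.100.7 - - [11/Oct/2012:18:49:10 +0000] "GET /administrator/templates/bluestork/indx.php HTTP/1.1" 404 210 "-" "-"',
    '192.0.2.10 - - [11/Oct/2012:18:50:00 +0000] "GET /administrator/index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    'not an access log line',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```
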











