Good news
And a bit of bad
First of all, I've identified the hack, and I have the IP address as well. The attack was, in fact, the phpbb vulnerability; I'll post more details shortly.
In the meantime, I'm going to be pulling the server down temporarily for a few minor upgrades. It may be intermittent over the next hour or two as I have a few things to do, so please, bear with me, and thanx all for your patience and help. If you find you can't get access for a while, please just wait a few minutes and try again.
Last edited by gstark on Thu Oct 20, 2005 4:55 pm, edited 1 time in total.
g.
Gary Stark Nikon, Canon, Bronica .... stuff The people who want English to be the official language of the United States are uncomfortable with their leaders being fluent in it - US Pres. Bartlet
Gary,
If I was you I would lodge an official complaint with the Federal Police and supply the hacker's IP address for follow up. He/She has invaded your space, see how he/she likes a knock at the front door by the Federal Police.
BTW: well done on getting the site up and running so quickly.
Cheers,
Last edited by fozzie on Tue Dec 21, 2004 10:08 pm, edited 1 time in total.
fozzie
When people ask what equipment I use - I tell them my eyes.
Well done Gary, I'll come up with other after that moron!
Birddog114
VNAF, My Beloved Country and Airspace
Would it be bad if... that IP address was to say, be leaked out into the public, and we could gang up and organise a ddos attack on it?!
Anyway, I noticed the forum logo has reverted back to pre xmas themed too. No more reindeer and pressie...
G'day,
Just logged in and found out about the hack... I tips me hat to you guys for working so hard getting this great forum back on the air for all of us who enjoy it so much... A big thanks...
Re: the hacker, I'd certainly be lodging something official with the relevant authorities, wonder if the ISPs would be interested??? I would imagine the ISP that IP comes from would be very interested... What makes these feeble little minds get a buzz from this sort of rubbish amazes me... Wonder if they wreck phone boxes on their nights off?
Cheers and thanks for your work, tis appreciated by all of us...
Mudder Aka Andrew
I don't think the IP will help, after looking at it. I'll get that logo changed soon though.
Producer & Editor @ GadgetGuy.com.au
Contributor for fine magazines such as PC Authority and Popular Science.
Gary - my sincere thanx too. When I woke up this morning (as usual) I logged on to the site to see that it had been hacked and something was wrong... I got a big lump in my throat and my day wasn't the same without my d70users 'fix' in the morning... who needs coffee? Anyway, thanx from me too for getting it all sorted so promptly. You're a champ. Merry Christmas.
Geoff.
There were three separate attacks, each using a different, and I suspect spoofed, IP address. I've isolated the relevant parts of my log files where the attacks occurred, and I have also retained a copy of the Perl script that this script kiddie ran.
Fairly basic, but it was enough to cause quite some damage. I still have some damage here that needs rectification, but my primary sites are back up and, hopefully, any future risk has now been minimized.
g.
Gary Stark Nikon, Canon, Bronica .... stuff The people who want English to be the official language of the United States are uncomfortable with their leaders being fluent in it - US Pres. Bartlet
Yeah, this really freaked me out as well. I emailed Birddog (only address I have) and asked what was up. We decided that the problem be addressed outside of cyberworld with his 200-400 VR.
Great job Gary, good to see it back up.
I think I've found the last remnants of this miserable cretin's handiwork this morning; my email is now back to normal as well.
You have to wonder about these sorts of idiots - looking at the code that it used, it's really quite nice. Makes you wonder what sort of work this person could get if they only had a life? Thanx all for your support and help.
g.
Gary Stark Nikon, Canon, Bronica .... stuff The people who want English to be the official language of the United States are uncomfortable with their leaders being fluent in it - US Pres. Bartlet
Seen this?
http://www.pcworld.idg.com.au/index.php ... 3&eid=-108
Sounds like it may be linked:
"Once Santy infects servers running the phpBB software, it scans directories on the infected site and overwrites files with the extensions HTM, PHP, ASP, SHTM, JSP and PHTM with the text "This site is defaced!!! This site is defaced!!! NeverEverNoSanity WebWorm generation," according to an alert from Kaspersky Labs."
Dopeler Effect: The tendency of stupid ideas to seem smarter when they come at you rapidly.
Thanx for this. That's exactly what hit us, and the article is correct in that it uses Google to find the vulnerable websites. Interesting that this article says that it started in the US on Tuesday morning; are they saying Tuesday morning US time, or in the US, Tuesday morning our time? The latter is clearly the case in our situation, with the first hit coming in at around 3:45 am Tuesday.
g.
Gary Stark Nikon, Canon, Bronica .... stuff The people who want English to be the official language of the United States are uncomfortable with their leaders being fluent in it - US Pres. Bartlet
The interesting thing is this... a lady we shall call 'Jess' found the poor coding quite a few weeks ago and warned phpbb about the consequences and that it would only be a matter of time before an exploit was written... and no... she did not write the exploit.... she gave the phpbb coders guidelines on how to fix the vulnerability and a full summary of the bug so that they could 'pretty it up' when letting the public know, however they ignored her. sometimes it makes you wonder....
http://www.markcrossphotography.com - A camera, glass, and some light.
Should be better now - Google's blocking the search feature used by the worm:
Google smacks down Santy worm
Web search engine company Google is blocking efforts by a new Internet worm to use its search engine to find vulnerable computers on the Internet, the company announced late Tuesday.
http://www.pcworld.idg.com.au/index.php ... 7&eid=-108
Dopeler Effect: The tendency of stupid ideas to seem smarter when they come at you rapidly.