Malicious Website-Hack against me personally!

dmdrake

Trainz Creator since 2001
Here's a bit of nasty news! Recently my site was hacked and a redirect script was placed on my TTBWRR page.
It redirected all users to http:/ /kaustisenpalokerho.org/me/ (I used a space in the http:// to invalidate the address).
Several people have contacted me about it and I was able to save the page and I am back up but...
I take this as a malicious act against me personally.
To the perpetrator... next time you are feeling tense and need to play with something to 'relieve yourself', do it in a less public way so that others don't have to :mop: :mop: :mop: after you!

Dave

(Mods, understood if last sentence is too strong!)
 
This is kind of interesting. The first part of my scan reveals the Domain Owner information. The second part indicates the Registrant, which is the same IP as The Planet Internet Services, the service used by Auran.
--------------------------------------------------------------------------
Domain owner:
Looking for 'kaustisenpalokerho.org'
Domain zone 'ORG' is for noncommercial organizations
URL for registration of domains: http://www.pir.org/register/reg_country

Server 'whois.pir.org' reply:
Domain ID:D120924108-LROR
Domain Name:KAUSTISENPALOKERHO.ORG
Created On:22-Apr-2006 21:44:51 UTC
Last Updated On:20-Feb-2007 22:17:59 UTC
Expiration Date:22-Apr-2009 21:44:51 UTC
Sponsoring Registrar:OnlineNIC Inc. (R64-LROR)
Status:CLIENT TRANSFER PROHIBITED
Registrant ID:ONLC-2104639-4
Registrant Name:Jussi Lang
Registrant Organization:Kaustisen Palokerho
Registrant Street1:Harjutie 15
Registrant Street2:Harjutie 15
Registrant Street3:
Registrant City:Kaustinen
Registrant State/Province:FI
Registrant Postal Code:69600
Registrant Country:FI
Registrant Phone:+358.400568407
Registrant Phone Ext.:1111
Registrant FAX:+358.400568407
Registrant FAX Ext.:
Registrant Email:jussi.lang@kaustinen.fi
Admin ID:ONLC-2104639-1
Admin Name:Oulanka Network
Admin Organization:Oulanka Network Corporation
Admin Street1:2900 Trilby Avenue
Admin Street2:2900 Trilby Avenue
Admin Street3:
Admin City:Tampa
Admin State/Province:FL
Admin Postal Code:33611
Admin Country:US
Admin Phone:+1.8138396890
Admin Phone Ext.:1111
Admin FAX:+1.8138396890
Admin FAX Ext.:
Admin Email:domain-admin@oulanka.com
Tech ID:ONLC-2104639-2
Tech Name:Tekniikka
Tech Organization:Oulanka Network Corporation
Tech Street1:2900 Trilby Avenue
Tech Street2:2900 Trilby Avenue
Tech Street3:
Tech City:Tampa
Tech State/Province:FL
Tech Postal Code:33611
Tech Country:US
Tech Phone:+1.8138396890
Tech Phone Ext.:1111
Tech FAX:+1.8138396890
Tech FAX Ext.:
Tech Email:POISTAtech-support@oulanka.com
Name Server:NS1.OULANKA.IN
Name Server:NS2.OULANKA.IN


IP address:
Looking for '74.52.85.106'

Server 'whois.arin.net' reply:

OrgName: ThePlanet.com Internet Services, Inc.
OrgID: TPCM
Address: 315 Capitol
Address: Suite 205
City: Houston
StateProv: TX
PostalCode: 77002
Country: US

ReferralServer: rwhois://rwhois.theplanet.com:4321

NetRange: 74.52.0.0 - 74.55.255.255
CIDR: 74.52.0.0/14
NetName: NETBLK-THEPLANET-BLK-14
NetHandle: NET-74-52-0-0-1
Parent: NET-74-0-0-0-0
NetType: Direct Allocation
NameServer: NS1.THEPLANET.COM
NameServer: NS2.THEPLANET.COM
Comment:
RegDate: 2006-02-17
Updated: 2008-02-28

RTechHandle: PP46-ARIN
RTechName: Pathos, Peter
RTechPhone: +1-214-782-7800
RTechEmail: admins@theplanet.com

OrgAbuseHandle: ABUSE271-ARIN
OrgAbuseName: The Planet Abuse
OrgAbusePhone: +1-281-714-3560
OrgAbuseEmail: abuse@theplanet.com

OrgNOCHandle: THEPL-ARIN
OrgNOCName: The Planet NOC
OrgNOCPhone: +1-281-714-3555
OrgNOCEmail: noc@theplanet.com

OrgTechHandle: TECHN33-ARIN
OrgTechName: Technical Support
OrgTechPhone: +1-214-782-7800
OrgTechEmail: admins@theplanet.com
 
Yes, nothing sinister about that site at all.

Yes, nothing sinister about the site at all, the redirect code on my page could have been to any other site. It was not done by that web site for sure, they are perfectly legitimate. Nothing against that site at all.

Dave
 
Quote:
Originally Posted by dmdrake
Here's a bit of nasty news! Recently my site was hacked and a redirect script was placed on my TTBWRR page.
It redirected all users to http:/ /kaustisenpalokerho.org/me/ (I used a space in the http:// to invalidate the address).
Several people have contacted me about it and I was able to save the page and I am back up but...
I take this as a malicious act against me personally.
To the perpetrator... next time you are feeling tense and need to play with something to 'relieve yourself', do it in a less public way so that others don't have to :mop: :mop: :mop: after you!

Dave

(Mods, understood if last sentence is too strong!)

The latest trendy thing in malware is to hack web sites. It's done with automated tools and Linux-based web servers are more open to attack than Microsoft ones.

It probably isn't personal, just someone trying to make money by renting out zombie machines for denial of service attacks etc.

Cheerio John
 
Quote:
Originally Posted by dmdrake
Yes, nothing sinister about the site at all, the redirect code on my page could have been to any other site. It was not done by that web site for sure, they are perfectly legitimate. Nothing against that site at all.

Dave

They are?? I understood that they were a notorious webjacking outfit distributing malware. You'd better recheck your information.
 
Quote:
Originally Posted by johnwhelan
The latest trendy thing in malware is to hack web sites. It's done with automated tools and Linux-based web servers are more open to attack than Microsoft ones.

It probably isn't personal, just someone trying to make money by renting out zombie machines for denial of service attacks etc.

Cheerio John

Are you sure? Linux is more secure than Microsoft, any day!
 
Dave,

Probably totally obvious advice - but it might be wise to report this incident to your web hosting company if you haven't already, see if they offer any advice, comments, etc.

John
 
Dave,

I work for an ISP and we had our hosting accounts attacked in a similar manner over this past weekend. It appears to have been done by a botnet. The aim was to redirect people to a site infected with JavaScript code that downloaded a bot to the viewer's computer, thus adding it to the botnet. While we are still looking into the matter, it appears that the attacking bot sniffed the siteadmin user names and passwords from FTP connections to the sites. FTP sends this information in plain text. Using secure FTP or SFTP is better since it encrypts this information.

Be sure to check your site for any JavaScript code that you didn't add. We have found it mostly on the index.html pages of some of the sites we host. Oddly, it affected only sites that were set up more than 10 months ago and for which the siteadmin password had not been changed in that time period. Changing your password often is a good thing.

It affected both Linux and Windows hosting systems since nothing was hacked. Valid passwords were used and the bot used FTP and a script to change the code.

William
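William's advice to look for JavaScript you did not add can be turned into a routine check. The following is an added example, not code from William, the forum or any hosting company: it scans a set of pages for the constructs injected redirects usually rely on (location assignments, meta refresh, zero-size iframes, unescape/fromCharCode obfuscation, script tags pulling from a host you do not own) and, independently of any pattern, flags every file whose hash no longer matches a baseline taken while the site was known clean, so a redirect in a form the patterns miss still shows up as an unexplained change. The page contents, file names, TRUSTED_SCRIPT_HOSTS and the attacker.invalid host are all constructed for the example.

```python
"""Scan site pages for injected redirects and drive-by loaders, and flag any file
whose hash no longer matches a baseline taken while the site was known clean."""
from __future__ import annotations
import hashlib
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Assumption: the site only loads scripts from itself and this one host.
TRUSTED_SCRIPT_HOSTS = {"www.example.org"}

# Constructs that legitimate static pages rarely contain but injected code usually does.
SUSPICIOUS_PATTERNS = {
    "meta-refresh": re.compile(r'<meta[^>]+http-equiv\s*=\s*["\']?refresh', re.I),
    "js-redirect": re.compile(
        r'\b(?:window|document|top|self)\.location(?:\.href)?\s*=[^=]'
        r'|\blocation\.(?:replace|assign)\s*\(', re.I),
    "hidden-iframe": re.compile(
        r'<iframe[^>]*?(?:\b(?:width|height)\s*=\s*["\']?0\b'
        r'|display\s*:\s*none|visibility\s*:\s*hidden)', re.I),
    "obfuscated-js": re.compile(
        r'(?:eval|document\.write)\s*\(\s*unescape|String\.fromCharCode'
        r'|(?:%[0-9a-f]{2}){8,}', re.I),
}
SCRIPT_SRC = re.compile(r'<script[^>]*?\bsrc\s*=\s*["\']?([^"\'\s>]+)', re.I)


@dataclass(frozen=True)
class Finding:
    path: str
    reason: str
    evidence: str


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def scan_page(path: str, html: str) -> list[Finding]:
    """One Finding per suspicious construct in a single page."""
    findings = []
    for reason, pattern in SUSPICIOUS_PATTERNS.items():
        for m in pattern.finditer(html):
            findings.append(Finding(path, reason, m.group(0)[:80]))
    for m in SCRIPT_SRC.finditer(html):
        src = m.group(1)
        host = urlparse(src).hostname
        # A relative src (no host) is served by this site; any other host must be allow-listed.
        if host is not None and host.lower() not in TRUSTED_SCRIPT_HOSTS:
            findings.append(Finding(path, "untrusted-script-src", src))
    return findings


def scan_site(pages: dict[str, str], baseline: dict[str, str]) -> list[Finding]:
    """pages: path -> current HTML. baseline: path -> sha256 of the known-good HTML.
    A changed or unknown file is reported even when no pattern matches."""
    findings = []
    for path, html in sorted(pages.items()):
        digest = sha256_hex(html.encode())
        if path not in baseline:
            findings.append(Finding(path, "not-in-baseline", digest))
        elif baseline[path] != digest:
            findings.append(Finding(path, "hash-mismatch", digest))
        findings.extend(scan_page(path, html))
    return findings


# Constructed sample pages. attacker.invalid stands in for whatever host injected code points at.
CLEAN_INDEX = ('<html><head><title>TTBWRR</title><script src="/js/menu.js"></script></head>'
               '<body><h1>Welcome</h1></body></html>')
CLEAN_ABOUT = '<html><body><p>About the layout</p></body></html>'
INJECTED_INDEX = CLEAN_INDEX.replace(
    '</body>', '<script>window.location="http://attacker.invalid/me/";</script></body>')
HIDDEN_IFRAME_PAGE = ('<html><body><p>Gallery</p><iframe src="http://attacker.invalid/x.html" '
                      'width="0" height="0"></iframe></body></html>')
OBFUSCATED_PAGE = ("<html><body><script>document.write(unescape("
                   "'%3C%69%66%72%61%6D%65%20%73%72%63%3D'))</script></body></html>")

# Baseline recorded when the site was clean; gallery.html and obfuscated.html were never part of it.
BASELINE = {"index.html": sha256_hex(CLEAN_INDEX.encode()),
            "about.html": sha256_hex(CLEAN_ABOUT.encode())}
CURRENT_PAGES = {"index.html": INJECTED_INDEX, "about.html": CLEAN_ABOUT,
                 "gallery.html": HIDDEN_IFRAME_PAGE, "obfuscated.html": OBFUSCATED_PAGE}


def demo() -> dict[str, set[str]]:
    """Reasons raised per page for the constructed sample site."""
    out: dict[str, set[str]] = {}
    for f in scan_site(CURRENT_PAGES, BASELINE):
        out.setdefault(f.path, set()).add(f.reason)
    return out


if __name__ == "__main__":
    for f in scan_site(CURRENT_PAGES, BASELINE):
        print(f"{f.path}: {f.reason}: {f.evidence}")
```

The hash check is the part worth keeping even if you never tune the patterns: record the digests right after you restore the site from a clean copy, run the scan from cron, and a mismatch on a page you did not touch is the alert. Rotating the FTP password and switching to SFTP, as William describes, is what stops the file from being rewritten in the first place.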
 
Quote:
Are you sure? Linux is more secure than Microsoft, any day!

They pay me to keep databases secure on more than 1,000 servers and some of those are fairly large, containing information on the geographic location of every home in Canada for example. Shall we say one of the problem areas has been versions of UNIX with no antivirus software available and people saying Linux can be locked down tighter than Microsoft's operating systems. Most Linux systems are not kept up to date with security patches and have no automated patching mechanism. There are web sites that give default userids and passwords if you know where to look.

If you do this stuff professionally you use Microsoft if you want to be secure. We do other things on top but Vista and Server 8 are fundamentally much more secure than anything else.

Strangely enough, until the US government came out with the POSIX standard there was no definition of what was a UNIX operating system. The first operating system to become POSIX compliant was Windows. If you ever work with the core version of Windows Server 8 you'll find there is no GUI, just a command line prompt.

Cheerio John
 
Quote:
Originally Posted by johnwhelan
They pay me to keep databases secure on more than 1,000 servers and some of those are fairly large, containing information on the geographic location of every home in Canada for example. Shall we say one of the problem areas has been versions of UNIX with no antivirus software available and people saying Linux can be locked down tighter than Microsoft's operating systems. Most Linux systems are not kept up to date with security patches and have no automated patching mechanism. There are web sites that give default userids and passwords if you know where to look.

If you do this stuff professionally you use Microsoft if you want to be secure. We do other things on top but Vista and Server 8 are fundamentally much more secure than anything else.

Strangely enough, until the US government came out with the POSIX standard there was no definition of what was a UNIX operating system. The first operating system to become POSIX compliant was Windows. If you ever work with the core version of Windows Server 8 you'll find there is no GUI, just a command line prompt.

Cheerio John

I see your point!

Sorry!
 
I suspect there are people out there who treat hacking as a kind of scavenger hunt. "How many sites can you hack in a day?"

You must gain points for each system you actually break into. Question is, is there a penalty if you, as the hacker, get hacked yourself?

One day my coworker announced that someone was trying to hack one of our FTP servers using a script (basically bang away at all the obvious ids such as root, admin, etc). He did a reverse port scan of the offending IP address and found an open NETBIOS port. Discovered he could log in to the PC, so he located the process running the script and killed it. He later informed me that he could have reformatted the guy's C drive if he wanted to, but didn't want to risk the possibility the hacker didn't own the PC he was using (i.e. work, school, friend, complete stranger).

Tom
 
hi all

we keep getting hit by this address but IANA shows it to be unkept

201.222.197.164/

% This is the RIPE Whois query server #3.
% The objects are in RPSL format.
%
% Rights restricted by copyright.
% See http://www.ripe.net/db/copyright.html

% Note: This output has been filtered.
% To receive output for a database update, use the "-B" flag.

% Information related to '0.0.0.0 - 255.255.255.255'

inetnum: 0.0.0.0 - 255.255.255.255
netname: IANA-BLK
descr: The whole IPv4 address space
country: EU # Country is really world wide
org: ORG-IANA1-RIPE
admin-c: IANA1-RIPE
tech-c: IANA1-RIPE
status: ALLOCATED UNSPECIFIED
remarks: The country is really worldwide.
remarks: This address space is assigned at various other places in
remarks: the world and might therefore not be in the RIPE database.
mnt-by: RIPE-NCC-HM-MNT
mnt-lower: RIPE-NCC-HM-MNT
mnt-routes: RIPE-NCC-RPSL-MNT
source: RIPE # Filtered

organisation: ORG-IANA1-RIPE
org-name: Internet Assigned Numbers Authority
org-type: IANA
address: see http://www.iana.org
remarks: The IANA allocates IP addresses and AS number blocks to RIRs
remarks: see http://www.iana.org/ipaddress/ip-addresses.htm
remarks: and http://www.iana.org/assignments/as-numbers
e-mail: bitbucket@ripe.net
admin-c: IANA1-RIPE
tech-c: IANA1-RIPE
mnt-ref: RIPE-NCC-HM-MNT
mnt-by: RIPE-NCC-HM-MNT
source: RIPE # Filtered

role: Internet Assigned Numbers Authority
address: see http://www.iana.org.
e-mail: bitbucket@ripe.net
admin-c: IANA1-RIPE
tech-c: IANA1-RIPE
nic-hdl: IANA1-RIPE
remarks: For more information on IANA services
remarks: go to IANA web site at http://www.iana.org.
mnt-by: RIPE-NCC-MNT
source: RIPE # Filtered


they always get blocked, but they never stop

any ideas?

thanks
ron
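Tom's coworker saw a script banging away at the obvious user ids, and Ron's address keeps coming back after being blocked. Both are the same pattern, and the usual handling is to count failed logins per source address within a window, ban the source when it crosses a threshold, and make each repeat ban longer than the last so a returning address spends most of its time locked out. The following is an added example, not code from either poster: it reads vsftpd-style log lines (the format, addresses, threshold and ban lengths are constructed assumptions; adjust the regex to the daemon you run) and keeps the bans in memory. Applying the ban to a firewall rule is the step left out. It also records log hits from an address that should currently be banned, because if a "blocked" address still reaches the daemon, the block is not being enforced where it needs to be, which is the first thing to check when "they never stop".

```python
"""Detect login brute-forcing in FTP logs and ban the source for a period
that doubles on every repeat, so a returning address stays out longer each time."""
from __future__ import annotations
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed vsftpd-style line, e.g.
# Wed Mar 12 10:00:01 2008 [pid 4101] [root] FAIL LOGIN: Client "198.51.100.7"
LOG_RE = re.compile(
    r'^(?P<ts>\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4}) \[pid \d+\] '
    r'\[(?P<user>[^\]]*)\] (?P<result>OK|FAIL) LOGIN: Client "(?P<ip>[^"]+)"')


def parse_line(line: str):
    """Return (timestamp, user, result, ip), or None for lines that are not login events."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%a %b %d %H:%M:%S %Y")
    return ts, m.group("user"), m.group("result"), m.group("ip")


class BruteForceDetector:
    def __init__(self, threshold: int = 5, window: timedelta = timedelta(minutes=10),
                 base_ban: timedelta = timedelta(minutes=10)):
        self.threshold, self.window, self.base_ban = threshold, window, base_ban
        self.failures: dict[str, deque] = defaultdict(deque)   # ip -> recent failure times
        self.usernames: dict[str, set[str]] = defaultdict(set)  # ip -> user ids it tried
        self.bans: dict[str, tuple[datetime, int]] = {}         # ip -> (ban expires, strike count)
        self.leaks: list[tuple[datetime, str]] = []             # hits from an address that should be blocked

    def feed(self, line: str) -> str | None:
        parsed = parse_line(line)
        if parsed is None:
            return None
        ts, user, result, ip = parsed
        expires, strikes = self.bans.get(ip, (None, 0))
        if expires is not None and ts < expires:
            # Still reaching the daemon while banned: the ban is not enforced at the edge.
            self.leaks.append((ts, ip))
            return "banned"
        if result == "OK":
            self.failures[ip].clear()   # a successful login resets the failure count
            return "ok"
        self.usernames[ip].add(user)
        recent = self.failures[ip]
        recent.append(ts)
        while recent and ts - recent[0] > self.window:
            recent.popleft()            # drop failures that fell out of the window
        if len(recent) < self.threshold:
            return "fail"
        strikes += 1
        duration = self.base_ban * (2 ** (strikes - 1))   # 10, 20, 40 minutes, ...
        self.bans[ip] = (ts + duration, strikes)
        recent.clear()
        return f"ban {int(duration.total_seconds() // 60)}m"


# Constructed sample log: 198.51.100.7 runs a script, 192.0.2.10 is a real user who typos once.
SAMPLE_LOG = [
    'Wed Mar 12 10:00:01 2008 [pid 4101] [root] FAIL LOGIN: Client "198.51.100.7"',
    'Wed Mar 12 10:00:04 2008 [pid 4102] [admin] FAIL LOGIN: Client "198.51.100.7"',
    'Wed Mar 12 10:00:09 2008 [pid 4103] [dave] FAIL LOGIN: Client "192.0.2.10"',
    'Wed Mar 12 10:00:12 2008 [pid 4104] [administrator] FAIL LOGIN: Client "198.51.100.7"',
    'Wed Mar 12 10:00:20 2008 [pid 4105] [dave] OK LOGIN: Client "192.0.2.10"',
    'Wed Mar 12 10:00:31 2008 [pid 4106] [test] FAIL LOGIN: Client "198.51.100.7"',
    'Wed Mar 12 10:00:45 2008 [pid 4107] [ftp] FAIL LOGIN: Client "198.51.100.7"',
    'Wed Mar 12 10:03:00 2008 [pid 4108] [root] FAIL LOGIN: Client "198.51.100.7"',
    'Wed Mar 12 10:15:00 2008 [pid 4109] [root] FAIL LOGIN: Client "198.51.100.7"',
    'Wed Mar 12 10:15:10 2008 [pid 4110] [oracle] FAIL LOGIN: Client "198.51.100.7"',
    'Wed Mar 12 10:15:20 2008 [pid 4111] [guest] FAIL LOGIN: Client "198.51.100.7"',
    'Wed Mar 12 10:15:30 2008 [pid 4112] [www] FAIL LOGIN: Client "198.51.100.7"',
    'Wed Mar 12 10:15:40 2008 [pid 4113] [mysql] FAIL LOGIN: Client "198.51.100.7"',
]


def run(lines) -> tuple[BruteForceDetector, list[str]]:
    det = BruteForceDetector()
    actions = [a for a in (det.feed(l) for l in lines) if a is not None]
    return det, actions


if __name__ == "__main__":
    det, actions = run(SAMPLE_LOG)
    for ip, (expires, strikes) in det.bans.items():
        print(f"{ip}: strike {strikes}, banned until {expires:%H:%M:%S}, tried {sorted(det.usernames[ip])}")
    print("hits that should have been firewalled:", det.leaks)
```

On the sample the scripted address is banned for 10 minutes after its fifth failure, the hit at 10:03 is recorded as a leak, and the second burst after the ban lapses earns a 20-minute ban. The legitimate user's single typo followed by a successful login never counts. Permanent blocks, by contrast, accumulate forever and are exactly what attackers with a pool of addresses route around.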
 
Quote:
Originally Posted by johnwhelan
If you do this stuff professionally you use Microsoft if you want to be secure. We do other things on top but Vista and Server 8 are fundamentally much more secure than anything else.

Wow, where have you been? That is plain absurd.
 
Quote:
hi all

we keep getting hit by this address but IANA shows it to be unkept

201.222.197.164/

they always get blocked, but they never stop

any ideas?

thanks
ron

Yup! Here ya go:
=======================================================
164-197-222-201.adsl.terra.cl [201.222.197.164]
Domain owner:
Looking for 'terra.cl'
Domain zone 'CL' is for Chile
URL for registration of domains: http://www.nic.cl/

Server 'whois.nic.cl' reply:
terra.cl:

ACE: terra.cl (RFC-3490, RFC-3491, RFC-3492)

TERRA NETWORKS CHILE (TERRA NETWORKS CHILE S A)

Administrative Contact:
Name: Sistema Terra Network
Organization: TERRA NETWORKS CHILE

Technical Contact:
Name: Juan Enrique Sánchez Serrano
Organization: NameAction Chile S.A.

Domain servers:
ns.terra.cl (200.28.216.1)
ns2.terra.cl (200.28.216.2)

Database last updated on: 22 April 2006 (09:49:36 GMT)

More information:
http://www.nic.cl/cgi-bin/dom-CL?q=terra

This message is printed in ISO8859-1

IP address:
Looking for '201.222.197.164'

Server 'whois.lacnic.net' reply:

inetnum: 201.222.192/18
status: allocated
owner: Terra Networks Chile S.A.
ownerid: CL-TNCS-LACNIC
responsible: Technical Contact
address: Avda. Vitacura, 2736, Piso 2
address: 1 - Santiago - RM
country: CL
phone: +56 2 8102333 []
owner-c: TEC
tech-c: TEC
inetrev: 201.222.192/18
nserver: NS.TERRA.CL
nsstat: 20080312 AA
nslastaa: 20080312
nserver: NS2.TERRA.CL
nsstat: 20080312 AA
nslastaa: 20080312
created: 20060307
changed: 20060307

nic-hdl: TEC
person: Technical Contact
e-mail: technical@CORP.TERRA.CL
address: Vitacura, 2736, Piso 2
address: 1 - Santiago - M
country: CL
phone: +56 2 8102333 []
created: 20021220
changed: 20050824
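The WHOIS dumps in this thread all use the same "key: value" layout but name their fields differently: ARIN has OrgAbuseEmail and OrgNOCEmail and may point at an rwhois server that holds the more specific customer allocation, LACNIC and the Chilean NIC only give an e-mail line, and RIPE records carry abuse-mailbox when one is registered. When the point of the lookup is to send a report (John's advice to involve the hosting company), what you want out of the text is the range, the best contact, and whether there is a referral to follow. The following is an added example, not code from any poster: a table-driven parser that handles those variants, preferring a dedicated abuse mailbox over NOC, tech and registrant contacts. The two records it runs on are constructed samples with example.net addresses, not the real output quoted above; the key tables are an assumption to extend for whatever your registry returns.

```python
"""Pull the incident-report contact out of raw WHOIS output.
ARIN, RIPE, LACNIC and registrar WHOIS all emit 'key: value' lines but use different
key names, so the lookup is table driven and falls back to less specific contacts."""
from __future__ import annotations
import re

KV = re.compile(r'^([A-Za-z][A-Za-z0-9 ._/-]*?)\s*:\s*(.*?)\s*$')
COMMENT = ('%', '#', '>>>')

# Assumed key tables, in order of preference: a dedicated abuse mailbox beats a NOC
# or tech contact, which beats whoever registered the name.
ABUSE_KEYS = ("OrgAbuseEmail", "abuse-mailbox", "Registrar Abuse Contact Email")
FALLBACK_KEYS = ("OrgNOCEmail", "OrgTechEmail", "e-mail", "Tech Email", "Admin Email")
RANGE_KEYS = ("NetRange", "inetnum", "CIDR")
REFERRAL_KEYS = ("ReferralServer",)


def parse_whois(text: str) -> dict[str, list[str]]:
    """Flatten output into key -> [values]; comment lines and empty values are dropped."""
    fields: dict[str, list[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(COMMENT):
            continue
        m = KV.match(line)
        if m and m.group(2):
            fields.setdefault(m.group(1), []).append(m.group(2))
    return fields


def pick(fields: dict[str, list[str]], keys, require_email: bool = False) -> str | None:
    """First value found for the first key present, optionally only if it looks like an address."""
    for key in keys:
        for value in fields.get(key, []):
            if not require_email or "@" in value:
                return value
    return None


def report_target(text: str) -> dict:
    f = parse_whois(text)
    dedicated = pick(f, ABUSE_KEYS, require_email=True)
    return {
        "range": pick(f, RANGE_KEYS),
        "abuse": dedicated or pick(f, FALLBACK_KEYS, require_email=True),
        "dedicated_abuse_contact": dedicated is not None,
        # If present, the more specific (customer) record lives on this rwhois server.
        "referral": pick(f, REFERRAL_KEYS),
    }


# Constructed samples modelled on the ARIN and RIPE layouts; not real registry data.
ARIN_STYLE = """\
OrgName:        Example Hosting, Inc.
OrgID:          EXHST
ReferralServer: rwhois://rwhois.example.net:4321

NetRange:       198.51.100.0 - 198.51.100.255
CIDR:           198.51.100.0/24
NetType:        Direct Allocation

OrgTechEmail:   admins@example.net
OrgAbuseEmail:  abuse@example.net
OrgNOCEmail:    noc@example.net
"""

RIPE_STYLE = """\
% This is a constructed sample, not real registry output.
inetnum:        192.0.2.0 - 192.0.2.255
netname:        EXAMPLE-NET
country:        NL
admin-c:        EX123-RIPE
tech-c:         EX123-RIPE
mnt-by:         EXAMPLE-MNT
source:         RIPE # Filtered

person:         Example Admin
e-mail:         hostmaster@example.net
nic-hdl:        EX123-RIPE
"""

if __name__ == "__main__":
    for sample in (ARIN_STYLE, RIPE_STYLE):
        print(report_target(sample))
```

When the record is an ISP's whole allocation, as ThePlanet's /14 is above, the abuse address on it is the right place for the report even though the hosting customer is someone else; the referral, where one exists, is how you find who that customer is.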
 
Quote:
Originally Posted by johnwhelan
If you do this stuff professionally you use Microsoft if you want to be secure. We do other things on top but Vista and Server 8 are fundamentally much more secure than anything else.

Wow, where have you been? That is plain absurd.

Based on and not just an opinion please? The Microsoft range of products are considerably more secure than others. Specifically for databases our security area for example would quite like to dump Oracle there are so many back doors into it and the DBAs are very bad at applying patches or even upgrading to the latest version just in case something goes wrong. Version 8.03 crashed something like 30% of the people who upgraded and since then we have had problems coaxing people into keeping up to date.

Cheerio John
 