WTF is this goons crap

Status
Not open for further replies.
Yeah, let's all root for the wonderful, speedy, hard working F.B.I....

...they'll never be caught, so let's move on...

Since it was a certain exploit that was turned on, I don't think they targeted the chat as the time to attack. Unless they had inside info, they had no idea when the exploit would be closed and would attack as soon as they could. The chat happening is just coincidence IMO.

But if it's not inside, it would indicate a general member is a member of that group, and got them the info that it was exploitable, and that blows. Could someone be so upset that this site has usurped the other sites that they'd try to bring it down for a while? Is this "war" really that serious? I know you guys talk about it a lot but is it really that hardcore?
 
Glad you got it under control. If you want, you can issue (all as root) a chattr +i /pathto/file/blah.php to make a file so 'it cannot be modified: it cannot be deleted or renamed, no link can be created to this file and no data can be written to the file. Only the superuser or a process possessing the CAP_LINUX_IMMUTABLE capability can set or clear this attribute', regardless of normal perms. Most kiddies don't know how to undo this (I run a honeypot machine and they usually think it's a user perm problem, and give up after a bit), and as long as the file isn't meant to be written to by a normal process, it won't cause any issues. Just when you update/want to write to the now +i file(s), you will have to undo it with:

chattr -i /pathto/file/blah.php

else you'll get denied; make sure to redo it after the update.

You can also use -R for recursion to lock entire directories and all files in those dirs (be careful to use a complete path; doing chattr +i ./* while in / would be bad...). The recurse option is:

chattr +i -R /pathto/dir/

which will set chattr +i on all dirs and files under /pathto/dir/ and /pathto/dir/ itself.

Also it's good to do (as root) a chmod 700 /usr/bin/chattr (or wherever your distro keeps it; you can find it with 'which chattr', or in one command: chmod 700 `which chattr` (use chmod 750 if you think you have any daemons with bin user perms that may need chattr)). This way no one can alter any of the chattr +i pages unless they first get root (to get perms to run chattr), then issue the right chattr -i commands, in which case if they got root, you got problems anyways. This way if someone tries to overwrite a (normally) read-only file through a non-root method, they will never be able to overwrite.

And good work to the admins for mitigating the damage and downtime...:)

issue a: man chattr (or info chattr): for descriptions of options.

NOTE: I realize that the admin probably already knows about chattr and where it is, not trying to be condescending (in fact I'm impressed), just want to be complete in my explanations.

By the way admins, if you read this post, and feel it might give away that tactic, feel free to delete it :) Also, I am not saying this would have helped with the g00ns, if it was pure sql injection...but it doesn't hurt for protection against future attacks that might try to overwrite site files (a problem which I hope you never ever have again).
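The lock/verify/unlock procedure from the post above, written out as a small script. This is an added example and not the poster's or the site's own code; it assumes Linux with e2fsprogs (chattr/lsattr), an ext-family filesystem, and root privileges for the lock, unlock and verify steps. The path /var/www/html is a placeholder, not the site's real layout. The one thing the post does not do is check that the flag actually landed, so lock_path walks the tree with lsattr afterwards instead of trusting chattr's exit status.

```sh
#!/bin/sh
# Added example (not from the thread): lock a web tree with chattr +i, verify the
# flag actually landed, and unlock for updates. Assumes Linux, e2fsprogs
# (chattr/lsattr), an ext-family filesystem, and root for lock/unlock/verify.
# /var/www/html below is a placeholder path, not the site's real layout.
set -u

# Return 0 if one line of lsattr output (e.g. "----i---------e------- /var/www/html/index.php")
# carries the immutable flag. Only the lowercase 'i' means immutable; the
# uppercase 'I' is the indexed-directory flag, so the match is case-sensitive.
immutable_flag_set() {
    flags="${1%% *}"            # the attribute string is the first field
    case "$flags" in
        *i*) return 0 ;;
        *)   return 1 ;;
    esac
}

# Walk a file or tree and report every entry that is NOT immutable.
# Prints offenders to stderr; returns 1 if any were found.
verify_locked() {
    missing=$(find "$1" -exec lsattr -d {} + 2>/dev/null | while IFS= read -r line; do
        immutable_flag_set "$line" || printf '%s\n' "${line#* }"
    done)
    if [ -n "$missing" ]; then
        printf 'not immutable:\n%s\n' "$missing" >&2
        return 1
    fi
    return 0
}

# Set +i on a file, or recursively on a directory, then verify with lsattr
# rather than trusting chattr's exit status alone.
lock_path() {
    if [ -d "$1" ]; then chattr -R +i "$1"; else chattr +i "$1"; fi || return 1
    verify_locked "$1"
}

# Clear +i before an update (mirror of lock_path); re-run lock afterwards.
unlock_path() {
    if [ -d "$1" ]; then chattr -R -i "$1"; else chattr -i "$1"; fi
}

# Restrict the chattr binary as the post suggests (mode 700 by default;
# pass 750 if a non-root daemon in the bin group legitimately needs it).
restrict_chattr_binary() {
    bin=$(command -v chattr) || return 1
    chmod "${1:-700}" "$bin"
}

# Usage: ./immutable.sh lock|unlock|verify /var/www/html
if [ $# -ge 2 ]; then
    case "$1" in
        lock)   lock_path "$2" ;;
        unlock) unlock_path "$2" ;;
        verify) verify_locked "$2" ;;
        *)      echo "usage: $0 lock|unlock|verify PATH" >&2; exit 2 ;;
    esac
fi
```

Run it as root: `./immutable.sh lock /var/www/html` before going live, `unlock` before an upgrade, `lock` again after. One caveat on the chmod step: chattr is only a thin wrapper around the FS_IOC_SETFLAGS ioctl, so hiding the binary is a speed bump for script kiddies, not a control; the real gate is that clearing +i requires CAP_LINUX_IMMUTABLE, which a web-server-uid process does not have.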
 
This is my first post here, but I've read here quite a lot and gotten much useful info. I just wanted to add that there is still a thread with the hack, it is in the D* HD forum, and the thread title is "New, no local HD reception, now what?" It's on the first page, about halfway down.

Not much for a first post, but I just wanted to do my part - this forum is a great resource!
 
Purogamer said:
Yeah, let's all root for the wonderful, speedy, hard working F.B.I....

...they'll never be caught, so let's move on...

Since it was a certain exploit that was turned on, I don't think they targeted the chat as the time to attack. Unless they had inside info, they had no idea when the exploit would be closed and would attack as soon as they could. The chat happening is just coincidence IMO.

But if it's not inside, it would indicate a general member is a member of that group, and got them the info that it was exploitable, and that blows. Could someone be so upset that this site has usurped the other sites that they'd try to bring it down for a while? Is this "war" really that serious? I know you guys talk about it a lot but is it really that hardcore?

I just thought about this, but maybe it was someone who got banned for asking a hack question on the FTA forum? That kind of scum would try to ask a hack question and get pissed off when they got banned. Pissed enough to attack the site. That's the only thing I could think of that would get someone pissed off at our site.
 
Texanmutt said:
I just thought about this, but maybe it was someone who got banned for asking a hack question on the FTA forum? That kind of scum would try to ask a hack question and get pissed off when they got banned. Pissed enough to attack the site. That's the only thing I could think of that would get someone pissed off at our site.

That's what led me to believe also.
 
Texanmutt said:
I just thought about this, but maybe it was someone who got banned for asking a hack question on the FTA forum? That kind of scum would try to ask a hack question and get pissed off when they got banned. Pissed enough to attack the site. That's the only thing I could think of that would get someone pissed off at our site.

they even mentioned that on their site, I became a member just to see what they were saying.
 
huh, imagine that

someone got banned for asking a hack question when we have 3 warnings about no hack talk :)
 
If that is the case then it might be possible to match up a banned IP addy with the server's firewall logs and find that a**holes IP addy.
 
Texanmutt said:
If that is the case then it might be possible to match up a banned IP addy with the server's firewall logs and find that a**holes IP addy.

By all means I think they should try to do that if they are willing to go all the way, but even the lamest script kiddie knows to use a proxy. Chances are the IP would be in Russia, Romania, or China netspace (along with maybe a few other possibilities); that is the usual scenario with these kinds of attacks, and rarely are any of those countries helpful in tracking these kinds of abuse. All the IP would get them is an infected machine, whose owner has no idea their machine was used in an attack, or a misconfigured open proxy (whose admin, based on that alone, is clueless and wouldn't know an IP from a teepee).

Truth is, if it was that easy, they'd have been caught by now.
 
I think we should see this as a benefit to the site and the community. It has benefited us in that the dev team has learned to be more careful in what software commands they use and leave open. It has also prompted the dev team and site owner to become more cautious and make sure that the software used is up to date, and to recheck every aspect of the site and server to minimize potential threats in the future. Satelliteguys got lucky, very lucky, as did all of its members who have personal information here; this could have been a lot worse and ruinous, but it wasn't. Consider what has happened to have been nothing more annoying than the neighbor's cat wailing outside your bedroom window at 3 am.
 