WTF is this goons crap

Status
Not open for further replies.
If you click on this thread: it takes you to the the hacker site: http://www.satelliteguys.us/showthread.php?t=111321

Also, doesn't look like their ISP would give a sh*t about what they do:

Their DNS is hosted by:
OrgName: Managed Solutions Group, Inc.
OrgID: MSG-48
Address: 46750 Fremont Blvd.
Address: #107
City: Fremont
StateProv: CA
PostalCode: 94538
Country: US
OrgAbuseHandle: ABUSE429-ARIN
OrgAbuseName: MSG Inc Abuse
OrgAbusePhone: +1-888-585-8889
OrgAbuseEmail: abuse@managedsg-inc.com

Sounds like this company is just out for the money and doesn't care what they host:

From: http://www.americandaily.com/article/7040

The Aryan Nations Site is apparently hosted by the California Based Managed Solutions Group which also appears to do business as Managed Solutions ( www.managed.com ). The ISP's hosting of this site violates its acceptable use agreement ( www.managed.com/support.htm ) which reads in part that users may not, "Utilize the Services to threaten persons with bodily harm, to make harassing or abusive statements or messages, or to solicit the performance of acts or services that are illegal under applicable law."

Managed Solutions also appears to host a number of other hate sites that include www.Aryanradio.com , www.kkkchat.com and the American Nazi Party at www.nsm88.com/


Or from http://www.infovlad.net/?p=36

Currently a bunch of terrorist sites are hosted at Managed Solutions, San Jose California. Also, 357 Islamic WebHosting is known as the “webmaster of terrorists“. 357Hosting was recently booted out of AcmeCommerce in Malaysia and is relocating some of their sites to San Jose.



Nice bunch of folks out there.
 
On behalf of Satelliteguys -- Members, Pubmember, staff and administrators, we apologize for the inconvenience of these hack attacks that started yesterday evening. The administrators have been trying to get this resolved and will continue to get rid of this annoying hacks. Unfortunately, the site we'll probably have to be taken down in order to fix it once and for all.

Scott, maybe on its way home from CES in NYC. We shot lots of videos, pictures and have lots of information to post but we felt that it was better to take care of the current hack problem before posting all this good information. Most likely the site will be down tomorrow depending on what Scott and LER decide to do.

LER and Scott are doing all they can to stop the hacking but as everyone has experienced everytime is fixed something else comes up. We regret all of this and hope to once and for all fix the problem.
 
Sean Mota said:
Rad.... I have temporarily deleted the thread...

If that was the thread about "all major networks," I narrowed it down to that. when you tried to enter it you went straight to goons..... That thread is now gone, so I'm guessing that was it.
 
We have encountered that problem with another thread and we also nuked it. So this is just one type of the problem and there seems to be more...
 
so is g00ns-forums.net vulnerable to the same hack? someone should try it and redirect them back here.
 
I am on myway back from NYC. I am very sorry for the downtime.

I have talked with Ler, sean and hancox and as of now we will be taking the site offline tommorow and will be doing our planned software update tommorow.

Thanks for all your sugestions I will look into them all tommorow when I get in front of a PC.

I understand that we have contacted the FBI about this issue and are working with them to put a stop to this issue.

Hang in there... It will get better.

We shot a lot of interesting stuff today... BTW does anyone know who Ugly George is? :)
 
You guys might want to disable php error notices as they devulge the user account login, home dirs, and page/forum paths, helping those who would do you harm.

in php.ini:
display_errors = Off

(if you need logging see log_errors = On)

and if your forum code uses register_globals = On (VERY bad), I suggest you rewrite it so that it will function using register_globals = Off, also in php.ini.

Also the latest PHP is 4.4.1 you have 4.4.0 it fixes some bugs that will cause you problems if you do use globals..and may cause you problems still if you don't.

http://www.php.net/ChangeLog-4.php#4.4.1

I also assume you're using sql, if so you might want to look at mod_security at http://www.modsecurity.org/ you can use filters to stop sql injection attacks before the scripts run them (in case that is what they used) and offers some other security features that help.

Lots of other things you can do to secure it more, btw, securing systems is one of my hats..so PM if you need help or have questions.

If they are breaking in on a local shell, the admin needs to jail his users' daemons and set tighter perms, and impliment something like tripwire.


Just trying to help.
 
Thanks...

I will look into every one of those. BTW if you have not noticed yet we have moved satelliteguys dns back to the old server which I believe is a more secure box.

Since the dns change has taken effect I have not seen us go down again. This is a good thing :)

Since the
 
No problem, I sent an email to helpme@. which you may or may not seen, it has my email, feel free to ask for any help.

If you didn't get it, and want my email without having to lookup my acct, PM me for it.

Did the admin figure out how they got access?

Also, in the future, NEVER, EVER use the default web paths the app comes with, for example, if you get phpbb forums, and the default install dir is whatever.com/phpbb, the kiddies who use these php scanners know this (I've got weeks of logs with these scanners looking for that latest rpc exploit in different apps, WebCalender, blogs, phpgroupware, drupal, you name it), changing it to a unique one will at least keep the scanners kiddies at bay (but alas does nothing for you when someone specifically targets you). I'll bet you if the admin has the logs, he'll see crap like this just before the first crack:

206.111.125.xxx - - [15/Nov/2005:06:32:14 -0500] 1 "POST /phpgroupware/xmlrpc.php HTTP/1.1" 405 253 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
206.111.125.xxx - - [15/Nov/2005:06:32:16 -0500] 1 "POST /wordpress/xmlrpc.php HTTP/1.1" 405 250 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
206.111.125.xxx - - [15/Nov/2005:06:32:17 -0500] 1 "POST /xmlrpc.php HTTP/1.1" 405 240 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
206.111.125.xxx - - [15/Nov/2005:06:32:18 -0500] 1 "POST /xmlrpc/xmlrpc.php HTTP/1.1" 405 247 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"


Anyhow, good luck.
 
Seems like it's time to put the children to bed.
We must be older and wiser tech heads. Show the kiddies how to really play the hack game.
 
Hope you resolve this quickly and put the bad guys behind bars. It is annoying and frustrating, not to mention that it is not good form to let the bad guys get away with it. Sorry I don't have any useful info regarding how to do it.
 
Hope you resolve this quickly and put the bad guys behind bars. It is annoying and frustrating, not to mention that it is not good form to let the bad guys get away with it. Sorry I don't have any useful info regarding how to do it.

Christ! I can't even post this!
 
Well seems to happened again, got a nice vB error message though, may help you track down the issue:

Parse error: parse error, unexpected '<' in /XXX/includes/functions.php(2080) : eval()'d code on line 1

(guessing its from lotsa custom code, good luck finding it!)

(that sounded evil and devious, but I know how finding a needle in a haystack is, it blows :/)
 
Status
Not open for further replies.

Users Who Are Viewing This Thread (Total: 0, Members: 0, Guests: 0)

Who Read This Thread (Total Members: 1)

Top