
By Krishnan Rajagopal


Atlas Was Right

Nailed that bastard! After two weeks of not being able to post anything, and getting our site hijacked and junk posted by some unknown hacker, we’ve managed to isolate him, detect his intrusion and kick him the hell out. Needless to say, this is the last you’ll see of him.

Turns out he’s some asshole called Atlas and he’s the one responsible for all the weird stuff you’ve been seeing on our site for all these days. We couldn’t get a fix on his location, since the weird trace that we ran pointed out that he was somewhere in the middle of the Atlantic. Yeah, right! In any case, we’re not sure what damage he’s caused to our systems, but we managed to retrieve one log that he forgot to delete after his hack. Looks like he managed to find some sort of file… but we can’t find it anywhere on our servers. We’ve put up the log of his hack in this post. Goddamn if I know what needs to be done… but at least it’s over.

Starting Nmap 4.52 ( http://insecure.org ) at 2007-12-19 17:12 India Standard Time
Initiating Ping Scan at 17:12
Scanning 68.178.254.107 [2 ports]
Completed Ping Scan at 17:12, 0.49s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 17:12
Completed Parallel DNS resolution of 1 host. at 17:12, 2.35s elapsed
Initiating SYN Stealth Scan at 17:12
Scanning theangrypixel.com (68.178.254.107) [1716 ports]
Discovered open port 21/tcp on 68.178.254.107
Discovered open port 22/tcp on 68.178.254.107
Discovered open port 80/tcp on 68.178.254.107
Discovered open port 6972/tcp on 68.178.254.107
SYN Stealth Scan Timing: About 19.31% done; ETC: 17:15 (0:02:05 remaining)
Completed SYN Stealth Scan at 17:14, 110.44s elapsed (1716 total ports)
Host theangrypixel.com (68.178.254.107) appears to be up … good.
Interesting ports on theangrypixel.com (68.178.254.107):
Not shown: 1713 filtered ports
PORT STATE SERVICE VERSION
21/tcp open ftp PureFTPd
22/tcp open ssh OpenSSH 4.3 (protocol 2.0)
80/tcp open http Apache httpd
6972/tcp open secureaudio Rapture Secure Audio Log
443/tcp closed https

Read data files from: /usr/atlas/nmap/
Nmap done: 1 IP address (1 host up) scanned in 113.951 seconds
Raw packets sent: 3446 (151.604KB) | Rcvd: 28 (1429B)

(prompt) su root
SD9*11p^l2$1 (returned prompt)
cd / (returned /)
pwd (returned /)
sanuke 68.178.254.107 -urldump -I -v
(returned)
SecAud Nuke v1.2 Verbose Mode, Ignore Corrupt Data
Establishing connection to 68.178.254.107… done.
Bypassing secure store… done
URLDump succeeded… 1 file(s) located at
/rapaudlog19571231.comp
exit




