Author Topic: Website down  (Read 12111 times)

Offline EHM-1001 Robert

  • Global Moderator
  • Intergalactic!!
  • **
  • Posts: 3,790
  • Karma: 0
Website down
« on: February 22, 2006, 04:37:05 pm »
Congratulations to a super idiot and his team:

HOOFMAGOOF AND ALL THE GUYS AT #h4cky0u!

Our website was hacked and 2 files were harmed, which causes strange behaviour of the forum, for example. Soon the original state will be restored.

Sorry for the inconvenience.

AMD X4-955 3.2GHz / Gigabyte 770T / 4 GB DDR / Gigabyte GTS450 1GB DDR
Samsung 226BW@1680x1050 / WinXP.3 / FS9.1 / FSX.1 / Saitek Cyborg 3DGold

Offline EHM-0654 Murray

  • Administrator
  • Intergalactic!!
  • ***
  • Posts: 4,531
  • Karma: 5
  • VA Management
    • The Ponderings of PMUK
Website down
« Reply #1 on: February 22, 2006, 07:19:46 pm »
I've replaced the front pages so the main website is working again for now, and replacing the forum's index page appears to have sorted the forum out too.
Murray Crane // EHM-0654 // Twitter
VA Management

KEEP CALM AND CARRY ON

EHM-1343 Jonathan

  • Guest
Website down
« Reply #2 on: February 22, 2006, 09:12:32 pm »
Thanks Murray ma' man... It's people who call this fun that make me angry, and sad for them...
They find fun causing us trouble... it's stupid... :@

Offline EHM-0361 Karsten

  • Martian transfer
  • *******
  • Posts: 557
  • Karma: 0
Website down
« Reply #3 on: February 23, 2006, 09:37:28 am »
Quote
Thanks Murray ma' man... It's people who call this fun that make me angry, and sad for them...
They find fun causing us trouble... it's stupid... :@

I think that everyone can only agree with you on that, Razza. But perhaps we should be thankful that it looks like only a few files were harmed, and we can again do what we think is fun.

Offline EHM-1703 Philip

  • Intergalactic!!
  • ********
  • Posts: 2,312
  • Karma: 0
Website down
« Reply #4 on: February 23, 2006, 11:51:42 am »
I feel I must pass my regards to the MT once again. Obviously this attack took place yesterday and I was online pretty much all day and never noticed a major problem with the exception of a 15 minute period where the Forums were playing up. Many thanks to you for your hard work again.
Phil Nutt EHM 1703
 

EHM-1281 Cyriel

  • Guest
Website down
« Reply #5 on: February 23, 2006, 12:06:34 pm »
Well it happened again. I would do a major check on your upload scripts like the screenshot library people!

Edit:

I took the liberty to check the forums these guys use to publish their hacks. Check http://www.h4cky0u.org/viewtopic.php?t=8253 for an explanation of how they did the ehm site.

Offline EHM-1651 Christian

  • Martian transfer
  • *******
  • Posts: 616
  • Karma: 0
Website down
« Reply #6 on: February 23, 2006, 01:17:06 pm »
Well seems like they have great fun in this.....
Can't see the fun in this childish behavior
EHM-1651 CHRISTIAN BAKKE "A pilots ego equals the wingspan" Stated by a Captain of Widerøe

Offline EHM-0654 Murray

  • Administrator
  • Intergalactic!!
  • ***
  • Posts: 4,531
  • Karma: 5
  • VA Management
    • The Ponderings of PMUK
Website down
« Reply #7 on: February 23, 2006, 01:53:10 pm »
Quote
Originally posted by cyriel
I took the liberty to check the forums these guys use to publish their hacks. Check http://www.h4cky0u.org/viewtopic.php?t=8253 for an explanation of how they did the ehm site.


Thanks for that, Cyriel. Might just lock this tool and his criminal crony friends out now... I think I got the "upload script" references from his latest "artwork" well enough to put a stop to them straight away, but going by what that page says it may be possible for them to get past my "fix".

Everyone, rest assured the MT team is taking this *very* seriously now (it was "fun" the first time only...). If any sort of prosecutions are possible in this sort of case, they will be considered. We believe we've gotten the initial vector that was used closed, and we are just waiting for new authentication accounts to be issued to the website control software by our hosting company. Then, hopefully, we'll be able to go through the entire site with a fine-toothed comb and clear up the rest of the mess that this idiot and his "friends" have left.
Murray Crane // EHM-0654 // Twitter
VA Management

KEEP CALM AND CARRY ON

EHM-1612 Paolo

  • Guest
Website down
« Reply #8 on: February 23, 2006, 03:12:10 pm »
Uff.... I couldn't imagine since 10 mins ago how many children can use the PC nowadays.... Do they get a lot of fun from this? :!

Offline EHM-1703 Philip

  • Intergalactic!!
  • ********
  • Posts: 2,312
  • Karma: 0
Website down
« Reply #9 on: February 24, 2006, 02:11:51 am »
Well, glad to see it's back up for now, let's hope they get bored and go and play elsewhere!
Phil Nutt EHM 1703
 

EHM-0641 Rico

  • Guest
Website down
« Reply #10 on: February 24, 2006, 07:18:29 am »
Target: www.h4cky0u.org
Date: 02/24/2006 (Friday), 03:15:05
Nodes: 3


Node Data
Node Net Reg IP Address      Location            Node Name
   3   1   1 213.150.45.197  Unknown             www.h4cky0u.org


    Information related to '213.150.45.192 - 213.150.45.207'

inetnum:        213.150.45.192 - 213.150.45.207
netname:        CUST005517
descr:          InterXion Denmark ApS
country:        DK
admin-c:        WTC2-RIPE
tech-c:         WTC2-RIPE
status:         ASSIGNED PA
mnt-by:         TJANTIK-MNT
source:         RIPE   Filtered

role:           WEBPARTNER Technical Contact
address:        WEBPARTNER A/S
address:        Aarhusgade 88, 5.sal
address:        DK-2100 Copenhagen Oe
phone:          +45 70 26 23 00
fax-no:         +45 70 26 23 01
admin-c:        NSG
admin-c:        RH128-RIPE
tech-c:         NSG
tech-c:         RH128-RIPE
mnt-by:         TJANTIK-MNT
nic-hdl:        WTC2-RIPE
abuse-mailbox:  abuse@webpartner.dk
remarks:        ************************************************************
remarks:        *** In case of abuse, please contact abuse@webpartner.dk ***
remarks:        ************************************************************
source:         RIPE   Filtered

  Information related to '213.150.32.0/19AS9167'

route:        213.150.32.0/19
descr:        WEBPARTNER A/S
origin:       AS9167
mnt-by:       TJANTIK-MNT

EHM-0641 Rico

  • Guest
Website down
« Reply #11 on: February 24, 2006, 07:20:30 am »
Contact their ISP, and tell them what they did.

Submit a complaint to InterPol, and also to FBI Hackerwatch, containing the above info.

EHM-0641 Rico

  • Guest
Website down
« Reply #12 on: February 24, 2006, 07:38:33 am »
Some more info:

Target: www.h4cky0u.org.com
Date: 02/24/2006 (Friday), 03:27:54
Nodes: 3


Node Data
Node Net Reg IP Address      Location            Node Name
   3   1   1 216.234.246.153 Unknown             www.h4cky0u.org.com


Network Data
Network id#: 1

OrgName:    ThePlanet.com Internet Services, Inc.
OrgID:      TPCM
Address:    1333 North Stemmons Freeway
Address:    Suite 110
City:       Dallas
StateProv:  TX
PostalCode: 75207
Country:    US

NetRange:   216.234.224.0 - 216.234.255.255
CIDR:       216.234.224.0/19
NetName:    THEPLANET-BLK-1
NetHandle:  NET-216-234-224-0-1
Parent:     NET-216-0-0-0-0
NetType:    Direct Allocation
NameServer: NS1.THEPLANET.COM
NameServer: NS2.THEPLANET.COM
Comment:    ADDRESSES WITHIN THIS BLOCK ARE NON-PORTABLE
RegDate:    1999-08-31
Updated:    2000-10-10

RTechHandle: PP46-ARIN
RTechName:   Pathos, Peter
RTechPhone:  +1-214-782-7800
RTechEmail:  admins@theplanet.com

OrgAbuseHandle: ABUSE271-ARIN
OrgAbuseName:   Abuse
OrgAbusePhone:  +1-214-782-7802
OrgAbuseEmail:  abuse@theplanet.com

OrgNOCHandle: TECHN33-ARIN
OrgNOCName:   Technical Support
OrgNOCPhone:  +1-214-782-7800
OrgNOCEmail:  admins@theplanet.com

OrgTechHandle: TECHN33-ARIN
OrgTechName:   Technical Support
OrgTechPhone:  +1-214-782-7800
OrgTechEmail:  admins@theplanet.com

Offline EHM-0948 Bruno

  • Intergalactic!!
  • ********
  • Posts: 3,561
  • Karma: 0
Website down
« Reply #13 on: February 24, 2006, 08:44:09 am »
Hi,

The site is up again. We discovered that they were also attacking us via a special file that we had on our servers. This file was removed, so let's hope that now everything is okay.

Also, the ISP provider had a security breach on their shell access (something that not even we have access to!) and they are analysing it.

I also discovered how all of this could be possible:

1. The hacker discovered a way to upload files to our server via a special file on the server.

2. The hacker uploaded a C file that ran in the cgi-bin directory, then the file moved to another place that I discovered.

3. This C file opened a breach backdoor on the server via ports 8008 and 8001 for him to have access to the shell.

4. The guy injected some files saying the childish things that we saw, but the intention (yes, he wrote me an email) was not to harm us but to show that our site was vulnerable.

Ok, on the email he gave a link where I could see information on how they got inside our site, but I also got a strange message from a guy that says that he wants revenge on our company :o .

The link is: http://nostur.squareownz.net/index.php?n=modules/forum&a=3&d=10&o=24&q=12

Regards, and let's hope all of this is solved out.
Bruno.
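A defender's sweep for the two traces described in the post above, added here as an example and not part of the original thread or the site's own tooling: compiled binaries sitting anywhere under the web root, and listeners on ports 8001 and 8008. It assumes the uploaded program ended up as a Linux ELF binary and that listener data comes from `ss -ltn`; the directory names and socket lines are constructed.

```python
import tempfile
from pathlib import Path

BACKDOOR_PORTS = {8001, 8008}   # ports named in the post above
ELF_MAGIC = b"\x7fELF"          # first four bytes of a compiled Linux binary
# Constructed sample of `ss -ltn` output (not taken from the incident).
SAMPLE_SS = """\
LISTEN 0      128          0.0.0.0:80        0.0.0.0:*
LISTEN 0      5            0.0.0.0:8008      0.0.0.0:*
LISTEN 0      128             [::]:443          [::]:*
LISTEN 0      5          127.0.0.1:8001      0.0.0.0:*
"""

def suspicious_listeners(ss_output, ports=BACKDOOR_PORTS):
    """Return sorted listening ports from `ss -ltn` text that are in `ports`."""
    found = set()
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) >= 4 and fields[0] == "LISTEN":
            # Local address is "addr:port"; rsplit also copes with "[::]:443".
            port = fields[3].rsplit(":", 1)[-1]
            if port.isdigit() and int(port) in ports:
                found.add(int(port))
    return sorted(found)

def find_elf_files(web_root):
    """Return relative paths of files under web_root that start with ELF magic."""
    hits = []
    for path in Path(web_root).rglob("*"):
        try:
            if path.is_file():
                with path.open("rb") as fh:
                    if fh.read(4) == ELF_MAGIC:
                        hits.append(path.relative_to(web_root).as_posix())
        except OSError:
            continue  # unreadable entry: skip it, keep sweeping
    return sorted(hits)

def demo():
    """Sweep a constructed web root holding one binary disguised as an image."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "cgi-bin").mkdir()
        (root / "uploads").mkdir()
        (root / "cgi-bin" / "form.pl").write_text("#!/usr/bin/perl\n")
        (root / "uploads" / "shot.jpg").write_bytes(ELF_MAGIC + b"\x02\x01\x01" + b"\x00" * 9)
        return find_elf_files(root), suspicious_listeners(SAMPLE_SS)

if __name__ == "__main__":
    print(demo())
```

The sweep covers the whole web root rather than only cgi-bin because the post says the file moved after it first ran; checking content rather than file extension is what catches a binary renamed to look like an upload.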

Offline EHM-1651 Christian

  • Martian transfer
  • *******
  • Posts: 616
  • Karma: 0
Website down
« Reply #14 on: February 24, 2006, 11:18:55 am »
Well then I know who was trying to get into my computer too; my firewall detected 37 attempts to gain entrance from an IP within that range.
EHM-1651 CHRISTIAN BAKKE "A pilots ego equals the wingspan" Stated by a Captain of Widerøe

Offline EHM-1703 Philip

  • Intergalactic!!
  • ********
  • Posts: 2,312
  • Karma: 0
Website down
« Reply #15 on: February 24, 2006, 12:13:07 pm »
Hey Bruno, you must have fired him in the past! hehehe! Seriously though, it just shows how childish these people are! Although I don't expect he reads the forums, he may just to see what sort of reaction he was getting, so all I will say is "GET A LIFE!" Do something worthwhile, you may find it more fun!
Phil Nutt EHM 1703
 

Offline EHM-0948 Bruno

  • Intergalactic!!
  • ********
  • Posts: 3,561
  • Karma: 0
Website down
« Reply #16 on: February 24, 2006, 12:25:36 pm »
;D It's true, Phil. I wrote him an email asking what he gains with this type of matter.
We know what we lose: A 200 pilot site that is blocked and no one can fly.

Well, now everybody can relax a bit and get back on our regular activity.

I would also thank you all for your true dedication and help to quickly solve this matter. I received dozens of emails from pilots trying to help us, and trying to inform me that we were having problems on the site. To all of you my greatest thank you.

About the hackers, let's give them what they deserve: Indifference.

Regards and thank you one more time.

Offline EHM-1703 Philip

  • Intergalactic!!
  • ********
  • Posts: 2,312
  • Karma: 0
Website down
« Reply #17 on: February 24, 2006, 12:40:34 pm »
Just as a side note Bruno, I guess the signature banners are down due to the site being hacked. (All the information is missing)
Phil Nutt EHM 1703
 

Offline EHM-1651 Christian

  • Martian transfer
  • *******
  • Posts: 616
  • Karma: 0
Website down
« Reply #18 on: February 24, 2006, 01:10:34 pm »
And the upload function for screenshots doesn't work either just so you know :)
EHM-1651 CHRISTIAN BAKKE "A pilots ego equals the wingspan" Stated by a Captain of Widerøe

Offline EHM-1417 Tamas

  • Contact departure
  • ***
  • Posts: 93
  • Karma: 0
    • www.fsklub.hu
Website down
« Reply #19 on: February 24, 2006, 01:33:51 pm »
Hmm!
Example I'm a hacker.
Founded security problem on website....
First step, to contact website or system administrator, and present problem.
Next step, after backup database and authorized hacking site demonstrated problem.
continued to... writing to sysadmin the security problem, solving tips and other.

Why not make ways? Why destructions alert security problem? Typical idiotism.

Contact Hacker or Police?

And: SQL database make weekly backup (Pirep, flight hours, etc )?
Tamas Biro
World tour current position: Legs 041 of 150:    SPPY (Chachapoyas, Peru)



Offline EHM-0654 Murray

  • Administrator
  • Intergalactic!!
  • ***
  • Posts: 4,531
  • Karma: 5
  • VA Management
    • The Ponderings of PMUK
Website down
« Reply #20 on: February 24, 2006, 02:04:05 pm »
Regarding things not working, while I don't know for sure, I suspect that the passwords to the database have changed. Hence everything that relies on DB access (the sigs, and probably the gallery too) is broken at the moment.

On behalf of Bruno (who will no doubt make all these changes himself) and the rest of the MT, I thank you in advance for your patience while we clear up the mess...
Murray Crane // EHM-0654 // Twitter
VA Management

KEEP CALM AND CARRY ON

Offline EHM-1651 Christian

  • Martian transfer
  • *******
  • Posts: 616
  • Karma: 0
Website down
« Reply #21 on: February 24, 2006, 03:53:17 pm »
Well it seems I'm at fault here and not the website concerning the screenshots LOL.....
And I'm very patient
EHM-1651 CHRISTIAN BAKKE "A pilots ego equals the wingspan" Stated by a Captain of Widerøe

EHM-1821 Javier

  • Guest
Website down
« Reply #22 on: February 25, 2006, 08:13:32 am »
:@ I don't understand why these people like to hack websites, especially a VA. On that day, I had just landed at Budapest and was about to send in pirep when this happened. Instead I had to wait for the next day, and like what Philip said, these people need to get a life.

 
