[QUOTE=LordCrypto;34479272]Question: why was the toolkit able to post, as mods indicated that the IP posting was the normal user's?[/QUOTE] It can be done with a simple AJAX request. I think the toolkit reloads itself every time from Jessecar's server, so it could have been altered as well.
[QUOTE=Generic Jesse;34479084]Alright. There is a virus on my server somehow. I don't think it's related to my script. Just uninstall it and don't go on my server at all. I'll see what's going on.[/QUOTE] Why not just stop altogether, seeing how you're unable to make or code anything that can't be compromised? You wrote that code yourself which is inside the script, so I don't see how blaming a "virus" is going to fix that for you.
[QUOTE=Benlecyborg;34479332]IP's were stored so I guess whoever did it just masked their IP using the ones gained from fpalts.php [/QUOTE] This does not add up. You can't 'mask' an IP like that. My thoughts were that if the C99 shell was used (duh) then it was used to make fast changes to the script. Can you please post the IP that the info was going to? [editline]31st January 2012[/editline] Did you take dates from when the C99 shell was dropped?
sandbox?
First, tell us where fpalts.php was sending the file to (use nano or something ON the server). Then wipe the whole server (because rootkits).
[QUOTE=Jessey;34476344]Aye will do, will also just remove cookies/cache and whatever just incase.[/QUOTE] And done.
Clicking through all the RC threads, it seems like most of the compromised don't have the hidden mode disabled. So it seems like the attacker just looked at all the usernames and did the ones who were online at the time. If they had been offline, then the post wouldn't have done anything.
Why does all the fun stuff happen while I'm asleep?
Don't sleep then?
[QUOTE=LordCrypto;34480055]Don't sleep then?[/QUOTE] I went to sleep about 20 minutes before this all happened, and I was up until somewhere between 6 and 7am, at least.
Maybe once the new extension is proven to be clean, but I honestly didn't/don't think it was his fault
[QUOTE=Benlecyborg;34480097]Just to sum it up: A file (c.php) was uploaded to the server on October 2010 (false because the server didn't exist back then), it hijacked fpalts.php to send the POST data to an external site (sent the SECURITYTOKEN to [B]someone else's server[/B]). The file (c.php) corrupts when opened so I can't have a look at it. c.php is a Backdoor:PHP/C99shell.U[/QUOTE] Where is this server?
The serverside hosting method of the toolkit kinda proved to be its downfall. Since it was designed to automatically download the new script, all someone had to do was edit it on Jesse's server, then it propagated through all the users.
Benlecyborg and Jesse are good people, I don't see them being behind this. However, Jesse is horrible with security as proven multiple times, so some blame could be put on him.
[QUOTE=Seiteki;34480046]Why does all the fun stuff happen while I'm asleep?[/QUOTE] Didn't really miss much, just craptasket and rusty being internet detectives, and this: [IMG]http://i.imgur.com/i3vRZ.png[/IMG] [editline]31st January 2012[/editline] Speaking of which, someone change Craptasket's title to Facepunch Detective.
c99 shell fancy stuff; well, we all know Jesse's track record on having a secure server (it sucks).
Is it only the people that had the script installed that had their account compromised?
[QUOTE='[EG] Pepper;34480966']Is it only the people that had the script installed that had their account compromised?[/QUOTE]yep yeppers
[QUOTE=Benlecyborg;34480097]Just to sum it up: A file (c.php) was uploaded to the server on October 2010 (false because the server didn't exist back then), it hijacked fpalts.php to send the POST data to an external site (sent the SECURITYTOKEN to someone else's server). The file (c.php) corrupts when opened so I can't have a look at it. c.php is a Backdoor:PHP/C99shell.U[/QUOTE] c99.php is merely a shell, used to display the files that are on a server. You need to have the password of a server to edit/add files on it (shell included). I think Jesse or Benlecyborg have left their password somewhere visible and it was stolen and used against them.
Cross-rant from H&S
[QUOTE=Meatspin;34481155]Well, jessecar96 was bound to get hacked anyway; there are signs of poor coding all over. First warning is this:
[code]
Notice: Undefined index: security in /var/www/html/net/fp/fpalts.php on line 9
Notice: Undefined index: array in /var/www/html/net/fp/fpalts.php on line 9
Notice: Undefined index: user in /var/www/html/net/fp/fpalts.php on line 9
Notice: Undefined index: hash in /var/www/html/net/fp/fpalts.php on line 9
Notice: Undefined index: user in /var/www/html/net/fp/fpalts.php on line 28
You're using an older version of the FP Alt Finder, Download the newest Version
[/code]
(opening alt finder without supplying the arguments)
Instant full path disclosure. Judging from the line numbers here, most values are inserted into an SQL query. There are signs of poor coding all over this thing. Also, fp_posts.php now throws
[code]Parse error: syntax error, unexpected '}' in /var/www/html/net/fp/fp_posts.php on line 39[/code]
Again, he was sending your session cookies to his own server; judging by the errors of running it without input, he was actually using it for something, which you should never, ever do. /rant[/QUOTE]
[QUOTE=TerabyteS_;34481268]c99.php is merely a shell, used to display the files that are on a server. You need to have the password of a server to edit/add files on it (shell included). I think Jesse or Benlecyborg have left their password somewhere visible and it was stolen and used against them.[/QUOTE]
There are alternate ways to upload shells. My favourite is MySQL servers which don't have permissions set properly: find one SQL injection exploit and you can write files (although this is only possible under Windows, where MySQL runs under NT Authority; on Linux it only has access to write in its own data directory). I doubt this happened to Jesse, however, but there's a lot of ways a hacker could have gotten into that pile of crappy coding.
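The notices quoted above point at two separate defects: PHP printing its warnings (and the full filesystem path) to the client, and request values reaching an SQL query without validation. The following is an added example of how a handler of the same shape could be written defensively; it is not fpalts.php or any code from Jessecar's server. The parameter names `user` and `hash` come from the notices; the config path, DSN, table and column names are assumptions.

```php
<?php
// Added example, not the original fpalts.php. Demonstrates three fixes for the
// problems visible in the quoted notices: no error output to the client,
// explicit parameter validation, and a parameterised query. Note that this
// version deliberately takes no 'security' (session token) parameter at all:
// a third-party script has no business receiving another site's session token.
declare(strict_types=1);

// 1. Never print notices or warnings to the client in production. Log them
//    instead, so a missing parameter does not become a full-path disclosure.
ini_set('display_errors', '0');
ini_set('log_errors', '1');
error_reporting(E_ALL);

// 2. Keep credentials in a file outside the document root (assumed path), so a
//    web server that ever serves .php files as plain text cannot hand them out.
//    The file is expected to `return ['dsn' => ..., 'user' => ..., 'pass' => ...];`
$config = require '/etc/fpalts/config.php';

// 3. Check every expected parameter explicitly instead of indexing $_POST blindly
//    and relying on "Undefined index" notices to surface missing input.
function requireParam(array $src, string $name, string $pattern): string
{
    if (!isset($src[$name]) || !is_string($src[$name]) || !preg_match($pattern, $src[$name])) {
        http_response_code(400);
        exit('missing or malformed parameter');
    }
    return $src[$name];
}

$user = requireParam($_POST, 'user', '/^[A-Za-z0-9_\-]{1,32}$/'); // assumed username format
$hash = requireParam($_POST, 'hash', '/^[a-f0-9]{64}$/');        // assumed hex digest format

try {
    $pdo = new PDO($config['dsn'], $config['user'], $config['pass'], [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false,   // real server-side prepared statements
    ]);

    // 4. The request values are bound as parameters, never interpolated into SQL.
    //    Table and column names are assumptions for the example.
    $stmt = $pdo->prepare('SELECT alt_name FROM alts WHERE username = :user AND hash = :hash');
    $stmt->execute([':user' => $user, ':hash' => $hash]);

    header('Content-Type: application/json');
    echo json_encode($stmt->fetchAll(PDO::FETCH_COLUMN));
} catch (PDOException $e) {
    // Log the detail (DSN, driver message) server-side; the client sees only a 500.
    error_log('fpalts db error: ' . $e->getMessage());
    http_response_code(500);
    exit('internal error');
}
```

With `display_errors` off, a request that omits `user` or `hash` gets a plain 400 rather than a notice naming `/var/www/html/...`, and a database failure is logged instead of echoing the DSN; the prepared statement means a value like `' OR 1=1 --` is compared as a literal string, not executed as SQL.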
I am a dumb poster.
Alright, I wiped my entire server. Everything is fine now. [highlight](User was permabanned for this post ("Alt of permabanned user" - postal))[/highlight]
Stop making sites/scripts, or at least get better security; this is the 5th time this happened!
[QUOTE=Wootman;34483211]Stop making sites/scripts, or at least get better security; this is the 5th time this happened![/QUOTE] This has only been the 2nd time. My server's password got leaked and someone used it to modify the script.
How does a password get leaked? Why did you even write it down in a place that could be leaked?
[QUOTE=Jo The Shmo;34483311]why did you even write it down[/QUOTE]
Could this password have been the same one Jesse used for his alt "tf2master" that he shared with permabanned user hazzahardie, which coincidentally got permabanned by postal shortly before all those people got compromised?
It wasn't written down. The person that runs my server installed nginx on it to make it faster, but ever since then I had to start PHP manually when the server was restarted. (When PHP is not running you can see all the site's code and password in plain text.) So someone could have seen it during one of those times. All the passwords have been changed now to more secure ones. [editline]31st January 2012[/editline] [QUOTE=FoxMeister;34483450]Could this password have been the same one Jesse used for his alt "tf2master" that he shared with permabanned user hazzahardie, which coincidentally got permabanned by postal shortly before all those people got compromised?[/QUOTE] No
What are you golds discussing there? [img]http://filesmelt.com/dl/golds.png[/img] [sp]User was banned for this post: Leaking GMF thread titles[/sp] :v:
[QUOTE=Generic Jesse;34483482]It wasn't written down. The person that runs my server installed nginx on it to make it faster, but ever since then I had to start php manually when the server was restarted. (When PHP is not running you can see all the site's code and password in plain text) So someone could have seen it during one of those times.[/QUOTE] Couldn't you just have added php-fpm to rc.conf?
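The failure mode Jesse describes (nginx handing out the PHP source, credentials included, whenever the PHP backend was not running) comes down to two things: the PHP process not being started at boot, and .php requests being able to fall through to static file serving. The following is an added example server block, not the configuration from Jesse's server, showing the defensive shape: every `.php` URI is routed to a FastCGI backend so a stopped php-fpm yields a 502 rather than the file contents, and config-like files are refused outright. The socket path, document root details and hostname are assumptions.

```nginx
# Added example (not the original server's config). Order matters: nginx uses
# the first matching regex location, so the deny rules come before the PHP rule.
server {
    listen 80;
    server_name example.invalid;      # placeholder hostname
    root /var/www/html;               # document root seen in the quoted notices

    # Defence in depth: never serve dotfiles, backups, includes or config
    # files as static content, even if the PHP handler below is ever broken.
    location ~ /\. {
        deny all;
    }
    location ~ \.(inc|bak|old|orig|sql|conf)$ {
        deny all;
    }

    # Every .php request goes to php-fpm. Nothing falls through to the static
    # handler, so if the backend is down the client gets 502, not the source.
    location ~ \.php$ {
        try_files $uri =404;          # no PATH_INFO tricks against missing files
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php-fpm.sock;   # assumed socket path
    }

    location / {
        try_files $uri $uri/ =404;
    }
}
```

The rc.conf suggestion above covers the other half: on FreeBSD, `php_fpm_enable="YES"` in `/etc/rc.conf` starts php-fpm at boot; on systemd distributions the equivalent is `systemctl enable php-fpm` (the unit name varies by distribution). Independently of both, keeping the database password in a file outside the document root means there is nothing to leak even if the handler is misconfigured.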