Hello,
I'm sure that you know this by now. Well I at least hope you do. But the server that my site is on was hacked last night and it may have been going on for some time. I have a friend that visits my website and he noticed it being slow. With my permission he investigated the problem and came to the conclusion that the site was being hijacked.
Here is the information that he told me regarding the hacker's status, and the information that he picked up about the users.
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
-=-=-=-=-=-Info=-=-=-=-=-=-=-
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
They used an Apache exploit, and they should update their Apache version. They used this exploit to create a backdoor with "rootedoor" and "r0nin". Once they made the hole, all they had to do was telnet XXXXXXX.com 1666 (and numerous other ports), and then they get dumped to a shell with Apache privileges.
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
-=-=-=-=Port Details-=-=-=-=-
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
BEFORE
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
25/tcp open smtp
53/tcp open domain
80/tcp open http
110/tcp open pop3
111/tcp open rpcbind
135/tcp filtered msrpc
136/tcp filtered profile
137/tcp filtered netbios-ns
138/tcp filtered netbios-dgm
139/tcp filtered netbios-ssn
143/tcp open imap
163/tcp filtered cmip-man
199/tcp open smux
443/tcp open https
445/tcp filtered microsoft-ds
1666/tcp open netview-aix-6 BACKDOOR
1720/tcp filtered H.323/Q.931
1863/tcp open unknown
2222/tcp open unknown
3127/tcp filtered unknown
3306/tcp open mysql this should be disabled, and only viewable by localhost
4400/tcp filtered unknown
5150/tcp filtered unknown
5151/tcp filtered unknown
5190/tcp open aol Don't know why that is there
6667/tcp filtered irc IRC, that they were on
7000/tcp filtered afs3-fileserver
8090/tcp open unknown BACKDOOR
8587/tcp open unknown BACKDOOR
9865/tcp open unknown BACKDOOR
27374/tcp filtered subseven
44464/tcp open unknown BACKDOOR
AFTER
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
25/tcp open smtp
53/tcp open domain
80/tcp open http
110/tcp open pop3
111/tcp open rpcbind
135/tcp filtered msrpc
136/tcp filtered profile
137/tcp filtered netbios-ns
138/tcp filtered netbios-dgm
139/tcp filtered netbios-ssn
143/tcp open imap
163/tcp filtered cmip-man
199/tcp open smux
443/tcp open https
445/tcp filtered microsoft-ds
1720/tcp filtered H.323/Q.931
3306/tcp open mysql
5190/tcp open aol
6667/tcp filtered irc
7000/tcp filtered afs3-fileserver
27374/tcp filtered subseven
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
-=-=-=Hackers Information-=-=
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
200.138.70.151 --- HOSTNAME=200-138-070-151.mganm7004.dsl.brasiltelecom.net.br
WHOIS
nic-hdl-br: BTA17
person: Brasil Telecom S. A - Abuso
e-mail: abuse@NOC.BRASILTELECOM.NET.BR
address: CNRS - Telebrasilia - SCN Quadra, 03, Bloco A
address: 70710-500 - Brasilia - DF
phone: (0800) 6414040 []
created: 20030624
changed: 20030624
nic-hdl-br: BTC14
person: Brasil Telecom S. A. - CNRS
e-mail: suporte@NOC.BRASILTELECOM.NET.BR
address: SCN Quadra 3 Ed. Telebrasilia, S/N, S/C
address: 70000-000 - Brasilia - DF
phone: (61) 0800 [6414040]
created: 20031003
changed: 20031003
remarks: Security issues should also be addressed to
remarks: nbso@nic.br, http://www.nbso.nic.br/
remarks: Mail abuse issues should also be addressed to
remarks: mail-abuse@nic.br
195.23.58.100 --- HOSTNAME=195-23-58-100.net.novis.pt
WHOIS
inetnum: 195.23.0.0 - 195.23.255.255
org: ORG-NTS3-RIPE
netname: PT-IPGLOBAL-961101
descr: PROVIDER
descr: IPGlobal, Informatica e Telecomunicacoes, SA
country: PT
admin-c: NVSA1-RIPE
tech-c: NVST1-RIPE
status: ALLOCATED PA
mnt-by: RIPE-NCC-HM-MNT
mnt-lower: IP-MNT
mnt-routes: IP-MNT
changed: hostmaster@ripe.net 19961101
changed: hostmaster@ripe.net 20011016
source: RIPE
route: 195.23.0.0/18
descr: IPGlobal, Informatica e Telecomunicacoes, SA
origin: AS2860
mnt-by: IP-MNT
changed: pfig@ip.pt 19990129
source: RIPE
organisation: ORG-NTS3-RIPE
org-name: NOVIS Telecom, S.A.
org-type: LIR
address: Novis
address: Edificio Novis
address: Estrada da Outurela, 118-A
address: 2795-606 Carnaxide
address: PORTUGAL
phone: +351 210100000
fax-no: +351 210129259
e-mail: novis-admin@ip.novis.pt
admin-c: PC203
admin-c: HS131
admin-c: RC23-RIPE
admin-c: PL69-RIPE
admin-c: PM300-RIPE
admin-c: TFD
admin-c: PAC
admin-c: LIMA
admin-c: ZEF-RIPE
admin-c: RRC19-RIPE
mnt-ref: IP-MNT
mnt-ref: RIPE-NCC-HM-MNT
mnt-by: RIPE-NCC-HM-MNT
changed: hostmaster@ripe.net 20040415
source: RIPE
role: Novis Admin Contact
address: Novis
address: Edifício Novis, Estrada da Outurela, 118 - A
address: 2795-606 Carnaxide
address: Portugal
phone: +351 2 1010 4400
fax-no: +351 2 1010 4459
e-mail: novis-admin@ip.novis.pt
admin-c: NVSA1-RIPE
tech-c: NVST1-RIPE
nic-hdl: NVSA1-RIPE
mnt-by: IP-MNT
changed: novis-tech@ip.novis.pt 20010913
changed: novis-tech@ip.novis.pt 20011203
source: RIPE
role: Novis Tech Contact
address: Novis
address: Edifício Novis, Estrada da Outurela, 118 - A
address: 2795-606 Carnaxide
address: Portugal
phone: +351 2 1010 4400
fax-no: +351 2 1010 4459
e-mail: novis-tech@ip.novis.pt
admin-c: NVSA1-RIPE
tech-c: NVST1-RIPE
nic-hdl: NVST1-RIPE
mnt-by: IP-MNT
changed: novis-tech@ip.novis.pt 20010913
changed: novis-tech@ip.novis.pt 20011203
source: RIPE
Joe
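The core of the evidence in the post above is a before/after comparison of a port listing: listeners that appear without a matching change on the server (1666, 8090, 8587, 9865, 44464 in the first scan) are what the friend labelled BACKDOOR, and 3306/mysql is flagged because it should only be reachable from localhost. The following script is an added example of how a defender would automate that comparison against a known-good baseline; it is not the friend's tool and not anything from the host's side. The scan text, the baseline, and the LOCAL_ONLY_SERVICES policy are constructed for the example, and the port/state/service line format is the one shown in the post.

```python
"""Diff a current port listing against a known-good baseline to surface new listeners.

Added example, not part of the original post. The scan text below is
constructed (modelled on the post's listings, not copied) and the
"known-good" baseline is an assumption: a real one comes from your own
change records, not from a scan taken after the fact.
"""
import re

# Constructed baseline: the listeners the owner expects on this host.
KNOWN_GOOD = """\
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
443/tcp open https
3306/tcp open mysql
"""

# Constructed current scan: two unexplained listeners have appeared.
CURRENT = """\
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
443/tcp open https
1666/tcp open netview-aix-6
3306/tcp open mysql
8090/tcp open unknown
"""

# Policy assumption for the example: services that should be bound to
# localhost only and must never show up as open from the outside.
LOCAL_ONLY_SERVICES = {"mysql"}

# Matches lines such as "1666/tcp open netview-aix-6"; the header is skipped.
PORT_LINE = re.compile(r"^(\d{1,5})/(tcp|udp)\s+(\S+)\s+(\S+)")


def parse_scan(text):
    """Return {(port, proto): (state, service)} for every port line in the listing."""
    listeners = {}
    for line in text.splitlines():
        m = PORT_LINE.match(line.strip())
        if not m:
            continue  # header, blank line, or free-text annotation
        port, proto, state, service = m.groups()
        listeners[(int(port), proto)] = (state, service)
    return listeners


def diff_scans(baseline_text, current_text):
    """Compare open listeners in the current scan against the baseline.

    Only 'open' ports count: 'filtered' entries are the firewall talking,
    not a process on the host, so they are ignored on both sides.
    """
    baseline = parse_scan(baseline_text)
    current = parse_scan(current_text)
    open_base = {k for k, (state, _) in baseline.items() if state == "open"}
    open_now = {k for k, (state, _) in current.items() if state == "open"}
    new_open = sorted(open_now - open_base)
    closed = sorted(open_base - open_now)
    exposed = sorted(k for k in open_now if current[k][1] in LOCAL_ONLY_SERVICES)
    return {"new_open": new_open, "closed": closed, "exposed_internal": exposed}


def report(findings, current_text):
    """Render findings as one line per item, most urgent first."""
    current = parse_scan(current_text)
    lines = []
    for port, proto in findings["new_open"]:
        service = current[(port, proto)][1]
        lines.append(f"NEW LISTENER {port}/{proto} ({service}) - not in baseline, identify the owning process")
    for port, proto in findings["exposed_internal"]:
        service = current[(port, proto)][1]
        lines.append(f"EXPOSED {port}/{proto} ({service}) - should be bound to localhost only")
    for port, proto in findings["closed"]:
        lines.append(f"CLOSED {port}/{proto} - was open in baseline")
    return lines


if __name__ == "__main__":
    for line in report(diff_scans(KNOWN_GOOD, CURRENT), CURRENT):
        print(line)
```

The ordering in the report reflects how the post's dispute plays out: a listener that is not in the baseline is the first thing to resolve on the host itself (which process owns it, when it appeared), because a scan alone cannot settle whether it was a backdoor or a misread, which is exactly the disagreement between the two messages here.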
Most of your information above is incorrect. Access was not gained to the server, though your visitors attracted nearly 10,000 attempts to do so. The ports you're quoting were never opened on our server.
Nonetheless, I cannot, and will not, allow this type of activity - and due to the nature of your site content, it seems that it will do nothing but attract this type of behavior.
Please submit your payment receipt so that recurring billing can be cancelled.
You'll need to find new web hosting arrangements.