UrbanData Hacked

Just trying to check out the progress of the site urbandata.com but it's been hacked D-: Looks like domain websites are highly targeted by these groups.
 
Here's the code
HTML:
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<!-- saved from url=(0033)http://www.cheapfreakhosting.com/ -->
<HTML><HEAD><BGSOUND 
src="BeGa Owned Your Site - Root ONLY_files/xxxxx.htm"><BGSOUND src="http://www.red-hackers.com/r3d.wav" loop=-1><TITLE> Sir.BeGa Owned Your Site - Root ONLY</TITLE><BGSOUND 
src="" loop=infinite>
<META http-equiv=Content-Language content=tr>
<META content="Microsoft FrontPage 5.0" name=GENERATOR>
<META content=FrontPage.Editor.Document name=ProgId>
<META http-equiv=Content-Type content="text/html; charset=windows-1254">
<STYLE>BODY {
	SCROLLBAR-ARROW-COLOR: #c0c0c0; SCROLLBAR-BASE-COLOR: #000000
}
</STYLE>
</HEAD>
<BODY text=#c0c0c0 vLink=#00FF00 link=#C0C0C0 bgColor=#000000>
<DIV align=center>
<CENTER>
<TABLE id=AutoNumber1 height=20 width=613 border=1>
  <TBODY>

  <TR>
    <TD width=613 height=20>
      <P align=center><FONT color=#ffff00 size=5><B><SPAN 
      lang=en-us> </SPAN></B></FONT><B><FONT face=Webdings color=#ff0000 
      size=5> </FONT><SPAN lang=ar-eg><FONT face=QuigleyWiggly color=#ff0000 
      size=5>محمد رسول الله</FONT></SPAN><FONT face=Webdings color=#ff0000 
      size=5>a</FONT></B><FONT face=Wingdings color=#c0c0c0 size=5><STRONG><SPAN 
      lang=en-us>C</SPAN></STRONG></FONT><B><SPAN lang=en-us><FONT 
      face="Palatino Linotype" size=5>< [</FONT><FONT 
      face="Palatino Linotype" color=#ffff00 size=5> </FONT></SPAN></B><FONT 
      color=#ffff00 size=5><B>No God But ALLAH<SPAN lang=en-us> 
      </SPAN></B></FONT><FONT face="Palatino Linotype" size=5><SPAN 
      lang=en-us><B>]</B></SPAN></FONT><B><FONT face="Palatino Linotype" 
      size=5><SPAN lang=en-us>></SPAN></FONT></B><FONT face=Wingdings 
      color=#c0c0c0 size=5><STRONG><SPAN 
      lang=en-us>C</SPAN></STRONG></FONT><B><FONT face=Webdings color=#ff0000 
      size=5>a</FONT><SPAN lang=ar-eg><FONT face=QuigleyWiggly color=#ff0000 
      size=5>لا اله الا 

الله</FONT></SPAN></B></P></TD></TR></TBODY></TABLE></CENTER></DIV>
<P align=center><FONT size=5><STRONG><SPAN lang=en-us><FONT face=Wingdings 
color=#ff0000 size=6>I</FONT></SPAN></STRONG></FONT><FONT 
face="Palatino Linotype" color=#c0c0c0><STRONG><FONT face=Wingdings 
color=#c0c0c0 size=7>N</FONT></STRONG></FONT><SPAN lang=en-us><B><FONT 
face="Palatino Linotype" size=6> </FONT>
</B></SPAN><B><SPAN lang=en-us><FONT size=5>Sir.BeGa</FONT><FONT size=4> </FONT></SPAN></B><FONT face="Palatino Linotype" 
color=#c0c0c0 size=7><STRONG><FONT face=Wingdings 
color=#c0c0c0>N</FONT></STRONG></FONT><FONT size=5><STRONG><SPAN 
lang=en-us><FONT face=Wingdings color=#ff0000 
size=6>I</FONT></SPAN></STRONG></FONT></P><B><FONT color=#ff0000>
<P align=center></FONT><SPAN lang=en-us><FONT color=#ff0000>I</FONT><FONT 
color=#ffff00>I</FONT><FONT color=#ff0000>I</FONT><FONT color=#feb08b> < 
</FONT><FONT color=#00ff00>T</FONT></SPAN><FONT color=#00ff00>his <SPAN 
lang=en-us>M</SPAN>y <SPAN lang=en-us>Li</SPAN>fe<SPAN lang=en-us> A</SPAN>nd 

<SPAN lang=en-us>I</SPAN>'m </FONT><SPAN lang=en-us><FONT color=#00ff00>The 
Loser ></FONT><FONT color=#feb08b> </FONT></SPAN><SPAN lang=en-us><FONT 
color=#ff0000>I</FONT><FONT color=#ffff00>I</FONT><FONT 
color=#ff0000>I</FONT></SPAN></P>
</B>
<P align=center><B><SPAN lang=en-us><FONT size=4><FONT color=#ff0000>--</FONT> 
</FONT><FONT color=#00ff00 size=5>warning</FONT><FONT color=#ff0000 size=4> 
--</FONT></SPAN></B></P>
<P align=center><SPAN lang=en-us><FONT size=4><B>I Hacked Your <FONT 
color=#800000>WebSite </FONT> , If You Want To take It Again 

</B></FONT></SPAN></P>
<P align=center><SPAN lang=en-us><FONT size=4><B>Must Talk To Me  to 
understand one another about Your Sites ,</B></FONT></SPAN></P>
<P align=center><SPAN lang=en-us><FONT size=4><B> I<FONT 
color=#ff0000>I</FONT>I <FONT color=#ff0000>i Removed All Data In Your Sites 
</FONT>,<FONT color=#ff0000> But I Have Full Back Up To Them</FONT> I<FONT 
color=#ff0000>I</FONT>I</B></FONT></SPAN></P>

<P align=center><SPAN lang=en-us><FONT color=#ffff00 size=4><B>If You Want To 
Talk To Me In First Send Message And I Will Tell You How To Contact Me On 
Line</B></FONT></SPAN></P>
<P align=center><SPAN lang=en-us><FONT size=4 color="#FF00FF"><B> See You 
.</B></FONT></SPAN></P>
<p align="center"><span lang="en-us"><font size="4"><b>******</b></font></span></p>
<p align="center"><SPAN lang=en-us><FONT size=4><B>Msn Messenger </B></FONT></SPAN>
</p>
<P align=center dir="ltr"><a href="mailto::[email protected]"><span lang="en-us">
<font size="4"><b>[email protected]</b></font></span></a><SPAN lang=en-us><FONT size=4><B> 
& </B></FONT><font size="4" color="#00FF00"><b><a href="mailto:[email protected]">[email protected]</a> </b></font></SPAN></P>
<P align=center> </P></BODY></HTML>

For analysis purposes only, to help out the owner.
 
Ouch, the 2nd link hurt my eyes!
 
They do have great taste for color combo :td:
 
UD, hope it all works out for you.. sorry to see it hacked.

But more so, I hope everyone's info is safe.
 
It was a simple little exploit.. He wasn't able to delete anything but rather only upload an index.html which defaulted over the index.php .. All is well again and those aren't the only sites they've gotten.. If you haven't noticed, a lot of this is pointing to www.red-hackers.com (A Muslim hacking site?)
 
Looks like a lot of sites got owned by this guy... what is the security problem? I want to protect myself :O
 
Still working on this.. but he claims to have gotten root which is rubbish.. in fact all the files remain untouched and he seems to have only a little ability to upload a .html file..
 

UD said:
It was a simple little exploit.. He wasn't able to delete anything but rather only upload an index.html which defaulted over the index.php .. All is well again and those aren't the only sites they've gotten.. If you haven't noticed, a lot of this is pointing to www.red-hackers.com (A Muslim hacking site?)

They are usually using a common tool called "Metasploit Framework", which is used by hackers to test exploits on networks (usually their own, learning experience and figuring how to make it safer from the next fellow). Most folks have a misunderstanding of the popular term "hacker" (generally the good guys) versus "crackers" (not your friends), so do your research on the terms, learn the difference and you'll understand how this happened. Basically, hackers (remember, good guys who break into test exploits on their own networks or others to learn its vulnerabilities therein (or to teach others the same)), created a system (research "Metasploit Framework" on the net, and you'll find more than you care to read) to aid in this. A few of them posted on hacker message boards how to overwrite the index pages on the servers, and a bunch of think-they-know-something script kiddies got ahold of it and started passing it around. It isn't easy to do, but takes no genius hacker (well, in this case cracker).

UD is right, these idiots are doing nothing more than overwriting one file. Those that could do more would kill off the server. This exploit was even pulled off on the SnapNames.com website late last year, and has been done to Ebay.com, Whitehouse.gov, and many other sites you would think had A+ security. No harm done, but a real embarrassment.

Unless you have a dedicated server, there is not much you can do, since protecting against the many ways this can be done takes knowledge way beyond most webmasters (and even beyond these script kiddies following the exploit's formula). Even those on dedicated servers have to be able to code at the OS (operating system) level to be able to stop it totally.

Best advice: If you code server-side (CGI/Perl, PHP, etc.), create a script hidden in a very unlikely place (for example, if you use the most-common cPanel, put it in your "etc" folder below root-directory), so no nut thinks to look for it if they got in, since this is normally just misc. cPanel system-created stuff. Have this script run on a cron-job to every so often read your index page, and compare it to a "copy" of the index page you have hidden in the same folder as this script. Then, if the contents of the two do not match, have the script email you (preferably to an email that you get alerts about on your favorite IM as soon as you log on). You could even have it over-write (re-create) the index page, with the copy, if it finds it different.

Other than that, you could always get your own server or lease a dedicated one, so that you have full OS control, read and study as many computer languages as you can, learn how the exploits themselves work, then get recreating your server's operating system.

The VERY VAST majority of these "hacked" sites, as UD mentioned, only had the index page overwritten. No reason to panic. The folks who wrote the framework to do it, don't do crap like this (true hackers have ethics and hold each other to them). The script kiddies are doing little more than copy+paste and making less-informed think they are the Real McCoy.

For those that may be interested, in the next 2-3 days (I don't have time today..but it is a priority for me, seeing this post), I will write a "check/verify index-page changes" script like I mentioned above, and post it for download here when I get a chance.
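
A sketch of the cron-driven index check described in the post above, as an added example that is not code from the thread or from any poster. It goes one step beyond a plain content compare: because the defacement reported here was an uploaded index.html that was served ahead of the untouched index.php, it also flags any extra index file in the web root. The index-name list, paths and function names are assumptions.

```python
"""Cron-driven index-page integrity check (added example; names are assumptions)."""
import hashlib
import shutil
from email.message import EmailMessage
from pathlib import Path

# Names a web server may serve for "/" (assumed list; match your server's setting).
INDEX_NAMES = ("index.html", "index.htm", "index.php", "default.htm")


def digest(path):
    """SHA-256 of a file, or None when it is missing."""
    try:
        return hashlib.sha256(Path(path).read_bytes()).hexdigest()
    except FileNotFoundError:
        return None


def check_index(docroot, legit_index, baseline):
    """Return a list of findings; an empty list means the index is intact."""
    docroot, findings = Path(docroot), []
    want = digest(baseline)
    if want is None or digest(docroot / legit_index) != want:
        findings.append(f"{legit_index} differs from baseline")
    for name in INDEX_NAMES:
        # A second index file can be served in place of the real one.
        if name != legit_index and (docroot / name).exists():
            findings.append(f"unexpected {name} may be served instead of {legit_index}")
    return findings


def restore(docroot, legit_index, baseline, quarantine):
    """Move rogue index files aside for analysis and re-create the real index."""
    docroot, quarantine = Path(docroot), Path(quarantine)
    quarantine.mkdir(parents=True, exist_ok=True)
    for name in INDEX_NAMES:
        target = docroot / name
        if name != legit_index and target.exists():
            shutil.move(str(target), str(quarantine / name))
    shutil.copyfile(baseline, docroot / legit_index)


def build_alert(findings, sender, recipient):
    """Build the alert e-mail; pass it to smtplib.SMTP(...).send_message() to send."""
    msg = EmailMessage()
    msg["Subject"] = f"Index page changed ({len(findings)} finding(s))"
    msg["From"], msg["To"] = sender, recipient
    msg.set_content("\n".join(findings))
    return msg
```

Run it from cron with the baseline copy and the quarantine directory kept outside the web root, and send the alert only when `check_index` returns a non-empty list.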
 