
Thread: my client's online calendar was hacked

  1. #1
    Junior Member
    Join Date
    Nov 2002
    Posts
    4

    my client's online calendar was hacked

    Hi all! I hope I don't sound too much like a noob; I've never had to deal with a hacked web site before.

    Apparently Matt Kruse's CalendarScript (www.calendarscript.com) has a vulnerability.

    I installed CalendarScript for my client in March of last year. In April this year, someone uploaded an IRC program called Unreal 3.2 to my client's FTP. I don't often update that client's site, so I didn't notice it was there until last week. The folder's permissions were set so I couldn't open or modify the folder beyond renaming it. I renamed the folder and contacted their host about changing the permissions so I could see what was in there. I finally got in to see what was going on and I found the IRC program. This thing must have been a huge bandwidth hog. Their log file, which only recorded the past 2 hours or so, was already over 1.5 MB. I downloaded the Unreal files to see if I could get any useful information out of them. I don't know anything about IRC, so it's basically useless to me.

    I did a search on CalendarScript's forum to see if anyone else had this problem. Turns out someone has written a script that lets you gain access to other people's CalendarScripts via a sneaky URL. Last night, my client tried to add an event to the calendar and it wiped everything completely blank. A whole year's worth of data is gone, and the script itself has been rendered useless. It won't even let me import the backup files or update anything. I'm guessing the script kiddie who put the IRC program on there didn't appreciate me deleting their chat channel and took out his/her frustrations on my client's calendar. Needless to say, I'm a little irritated!

    I'm in the market for a new SECURE calendar script, if anyone has suggestions.

    My question is this: is anyone familiar with this Unreal program? I would very much like to find out who installed it so I can report them to their ISP. I have all their files, but have no idea where to start looking. My client's host's log files are deleted every month, so I can't see what was going on in April. Any help would be greatly appreciated.

  2. #2
    Senior Member
    Join Date
    May 2003
    Posts
    1,199
    Sounds to me like the script was made with a backdoor; that way the creator could just go and mess with whoever downloaded the script. And if you don't mind me asking, how did you delete their chat channel if you know nothing about IRC? And shouldn't backups be on, say, a disk or something in case something like this happens? I mean, what's the point of a backup if it is sitting there next to the original so they can be trashed at the same time? And my assumption is that the only way to know who installed it is to look at the logs from when it was installed/last accessed and see what IP they were connecting from. But if your logs are deleted, which sort of defeats the purpose of having logs, then there is really very little you can do.
    Everyone is going to die, I am just as good of a reason as any.

    http://think-smarter.blogspot.com

  3. #3
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    i'm in the market for a new SECURE calendar script, if anyone has suggestions
    To be honest I'd be in the market for a host that has a clue about security. Deleting log files that cost fractions of pennies per meg to cut to CD and archive on a monthly basis is pretty bloody silly when they have to know that all their different clients, managing their own pages, with all the different vulnerabilities and bad configurations, is a disaster waiting to happen. They also have to know that sites will be hacked on a regular basis and that they are therefore a target. Thus they have to know that the probability is high that someone will get to the webroot and deface _all_ their clients one day, causing them loss of business......

    But I suppose their accounting program is secure so why do they care......

    Get a new host first.....
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  4. #4
    Junior Member
    Join Date
    Nov 2002
    Posts
    4
    I don't think the creator did it; the new version has been patched against that hack. (I was using the previous version, and I refuse to use the new version because the host now has PHP and I want to use a PHP-based calendar instead. I hate CGI!)

    I deleted the Unreal IRC program by clicking the "delete" button in my FTP program.

    My client's host makes weekly backups of the server, so no, they are not just sitting side by side waiting to be hacked. The backups aren't even located on the same server.

    Let me rephrase my question: does anyone know where I should look in Unreal 3.2's files, which I downloaded before deleting, to find out who may have installed it? The Unreal log file only shows me who connected to it that morning, but those people didn't necessarily install it. I figure the program might have an administrator or something; that's what I'm looking for.

    I'd LOVE for them to get a new host... but it's not my decision. I've been pushing for a different host since I took the project. This host is totally clueless. In the root directory, if you go up a level you can see every username for every account they have. Not to mention, they originally blamed this on an image uploading script that I integrated into the calendar. The uploader is bugged to email me what it's doing every time it's executed, so I knew damn well it wasn't the upload script. Not to mention, it's only programmed to upload into one folder, and only upload images. The IRC program wasn't in the specified folder, nor was it an image file.

  5. #5
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    my client's host makes weekly backups of the server
    Is that an overwrite of last weeks backup or are every weeks backups saved and archived? That's kind of important. Because, as you have found with log files, if you don't have good, relevant information to hand you have _no_ information.... period!

    does anyone know where i should look in Unreal 3.2's files, which i downloaded before deleting, to find out who may have installed it
    The attacker would have to be really bloody stupid to point his tools back at his own IP. Therefore, unless you are King Midas himself, those files are useless other than being of interest to look through and play with to determine what they do.

    i'd LOVE for them to get a new host...but its not my decision. i've been pushing for a different host since i took the project. this host is totally clueless. in the root directory, if you go up a level you can see every username for every account they have.
    What position do you hold in this situation? Have you shown the decision makers what you can see and explained to them that enumeration of potential resources is 90% of the attackers job????

    its only programmed to upload into one folder, and only upload images. the irc program wasn't in the specified folder, nor was it an image file
    Wouldn't those log files be nice now? You'd have a clue as to what occurred. As it is you are blind and stabbing away at nothing. You are frustrating yourself and passing some of that frustration over here because of the answers being presented. That's not a great idea but most of us here have broad shoulders and let it pass.

    You may have noticed that logs are my personal "bugbear". I whine about lack of logs to everyone. I tell them if it moves on the network log it..... But no-one does.... It's not important until something happens.....

    You need to face the fact that in 99.9999% of all cases you will not be able to track the attacker back to his "lair". You also need to learn that in most cases the ISP will do bugger all when you have..... It's the way of the world.... Live with it. Put aside your feelings of revenge/retribution and move on. Either fix the problem, (the ISP), or move on.... Your choice.... I wouldn't stay with this bunch of cowboys.... If that's not an option then an employment decision may be in order..... Both options = moving on....

    Good Luck

  6. #6
    Junior Member
    Join Date
    Nov 2002
    Posts
    4
    Is that an overwrite of last weeks backup or are every weeks backups saved and archived? That's kind of important. Because, as you have found with log files, if you don't have good, relevant information to hand you have _no_ information.... period!
    I don't think they archive the backups, but that's no big deal in this case. Their last backup was on Sunday, and the calendar was wiped on Monday, so no real damage was done as far as that goes.

    The attacker would have to be really bloody stupid to point his tools back at his own IP. Therefore, unless you are King Midas himself, those files are useless other than being of interest to look through and play with to determine what they do.
    Considering the person who put Unreal on there was using a script written by someone else to gain access to the server, I'm guessing he/she isn't the brightest hacker out there. It doesn't take a genius to do a Google search to find CalendarScript sites and download a hacked script. Even if they did cover their tracks, there has to be a bit of useful information in these Unreal files. Even if I can just find out the name of the chat channel it was running, it's better than nothing. If nothing else, I'd just like to see what they were up to. I'm curious, sorry. If this happened to you, you'd probably like to dig around in their files as well, no?

    What position do you hold in this situation? Have you shown the decision makers what you can see and explained to them that enumeration of potential resources is 90% of the attackers job????
    I'm just a web designer. I've explained everything. When my client asks the host about it, of course they're going to believe the host over me. They're in the hosting business, and I'm not. If you'd like to vent your frustrations with the host, feel free: http://www.shout.net

    Wouldn't those log files be nice now? You'd have a clue as to what occurred. As it is you are blind and stabbing away at nothing. You are frustrating yourself and passing some of that frustration over here because of the answers being presented. That's not a great idea but most of us here have broad shoulders and let it pass.

    You may have noticed that logs are my personal "bugbear". I whine about lack of logs to everyone. I tell them if it moves on the network log it..... But no-one does.... It's not important until something happens.....
    Of course the log files would be nice right about now; you are preaching to the choir! I'm sorry you're frustrated, but I just came here looking for advice and you are barking at me like I did something wrong. If I sounded snippy, well, it's because you guys made some pretty harsh assumptions and didn't really answer my question.

    You need to face the fact that in 99.9999% of all cases you will not be able to track the attacker back to his "lair". You also need to learn that in most cases the ISP will do bugger all when you have..... It's the way of the world.... Live with it. Put aside your feelings of revenge/retribution and move on. Either fix the problem, (the ISP), or move on.... Your choice.... I wouldn't stay with this bunch of cowboys.... If that's not an option then an employment decision may be in order..... Both options = moving on....
    I know this; I'm just curious. If I can find information to report to their ISP, great. If not, I'd just like to see what they were doing. I won't be losing any sleep over it, and I'm not going to dump one of my biggest clients just because they have poor taste in choosing a host. If anything, it works out in my favor because they have to pay me to fix it.

  7. #7
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    considering the person who put unreal on there was using a script written by someone else to gain access to the server, i'm guessing he/she isn't the brightest hacker out there.
    Never underestimate your attacker..... You will lose every time you do.

    All but the most incompetent skiddie knows how to use proxies and zombies to mask their real location. It really isn't rocket science.

    Is the calendar recovered? Because you originally stated:-

    a whole year's worth of data is gone, and the script itself has been rendered useless. it won't even let me import the backup files or update anything. i'm guessing the script kiddie who put the IRC program on there didn't appreciate me deleting their chat channel and took out his/her frustrations on my client's calendar. needless to say, i'm a little irritated!
    Clearly, that implies a years worth of data loss without the ability to recover it.

    Now you state:-

    but that's no big deal in this case. their last backup was on sunday, and the calendar was wiped on monday. so no real damage was done as far as that goes.
    So, naturally, I'm a little confused..... Was harm done or not?.... Besides the obvious system compromise and no way of knowing if privileges were elevated and further damage done.

    The likelihood of there being any information of value in the files you have is minimal. Try this tool to strip out the crap and see what's left. Post the results here and I'll see if there is anything sensible.

  8. #8
    Junior Member
    Join Date
    Nov 2002
    Posts
    4
    I was unaware that the client's host made weekly backups at the time of my first post; my partner informed me of it the next day. Not that it's done a lot of good yet: the stupid host hasn't sent us any useful files. AND they put the IRC program back on there! Dolts!

    I had a backup from April, and I got the script back in working order last night. At the moment, it's missing about 2 months' worth of data, but at least it's functional again. There was an upgrade for the calendar script that is supposed to take care of that security hole, so I installed it as well. Apparently there were 2 big security holes, the first being the one involving that hacked script. The other was, get this, you could execute command line in some of the calendar's fields. Even though the script is "safe" at the moment, I'm still going to use a different calendar. The programmer is obviously a little careless.

    I'm not sure how to use this strings program, but I'd gladly send you the IRC files.

  9. #9
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    OK. I got the files and took a look through them......

    Disclaimer: I have no clue about IRC, never used it.....

    This is a basic install of the Unreal IRC server with all the source/includes etc. No finesse; the entire 7.5 megs is there, as you well know. Most of it would be unnecessary and would have been cut out by anyone good before they uploaded it.

    The only file I can find that seems to have been "personalized" is unrealircd.conf which contains what I believe to be the name of the admin, (fake I'm sure). He calls himself BabeMagnet or variations of said. It contains the mail address BaBeMaGnEt@Biatch.Com. The whois information for biatch.com is here. As you can see, it will be pretty useless to you. Nslookup has no record of the domain so that's a dead end.

    There's a section in the file that runs as follows:-

        name "cowboy-monkey.com";
        info "cowboy-monkey";
        numeric 39;

    which I take to be the name of the channel/server/whatever. (Someone point me in the right direction here....)

    I noticed in one other file that there was a path that read xxxxxxx/monkey/calendarscript/xxxxxx, so I'm guessing this is kind of a joke on your own path to the script that was hacked.... Even more funny if that's what your host calls your client, and a good thing to show him to get him to change hosts.....

    It seems to be some sex chat channel that is "legit" insofar as they ban a site/user for being SubSeven-infected......

    Having said all that, I'm guessing at most of this so I'll post the file below so hopefully someone can lead us both in understanding it or will know what other files to look at.

    I have a feeling that my gut feeling was correct though...... You're chasing clouds.....

  10. #10
    Senior Member cheesegoduk's Avatar
    Join Date
    May 2002
    Posts
    224
    It appears that they were "linked" to another IRC server as well. Linking is where users on one server can see/join/chat in channels on another server whilst still being connected to their original one (sorta).

        link OuTy.ShouTy.TrouTy
        {
            username *;
            hostname hub.the-killer.bz;
            bind-ip *;
            port 8067;
            hub *;
            password-connect "sexylink";
            password-receive "sexylink";
            class servers;
            options {
                nodnscache;
                autoconnect;
                nohostcheck;
            };
        };

    (If you were feeling nasty you could create an UnrealIRCd server of your own, give yourself netadmin rights and then link in to them (they don't have any checks in place; all that's required is the "sexylink" password) and then shut down their entire network. But we're not nasty.)

    Upon checking hub.the-killer.bz (this is the main server) I noticed a number of bot flooding channels, e.g. PCs infected with a virus would join this IRC network, from which the owner of the network could then give the bots commands to DDoS internet addresses.
    It appears as if your client's machine had been used to give these bots a place to connect to.

    There are also a number of other servers linked into this network (probably infected hosts as well).

    Doing an nslookup on hub.the-killer.bz gives back 66.40.240.254, which belongs to an ISP called Interland.
    Their abuse email is "abuse@interland.com"; however, bear in mind that this machine is also probably an infected host. But without their main "hub" these attackers will be forced to rebuild their network.
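Editor's note, added to this thread rather than taken from any post or from the UnrealIRCd project: in Unreal 3.2's unrealircd.conf the `name` / `info` / `numeric` fields quoted in post #9 belong to the `me { }` block, which identifies the server itself (the name the dropped server announced, not a channel), and the `link` block quoted in post #10 names the hub it was told to dial. When you recover a rogue ircd config, those two blocks plus the `admin { }` strings are the pivot indicators worth pulling out before the box is reimaged. The script below is an added example that parses a constructed config of that shape (the sample is built from the fragments quoted in the thread, not the actual file) and flags the same weak link settings post #10 describes: `autoconnect` (the victim dials out on its own), `nohostcheck` (the peer's hostname is not verified, so the shared password is the only gate) and an identical password in both directions.

```python
"""Pull pivot indicators and weak link settings out of an Unreal 3.2 config.

Added example; not code from the thread or from UnrealIRCd. The sample config is
constructed from the fragments quoted in the thread (assumption: same layout).
"""
import re

SAMPLE_CONF = """
me { name "cowboy-monkey.com"; info "cowboy-monkey"; numeric 39; };
admin { "BabeMagnet"; "BaBeMaGnEt@Biatch.Com"; };
/* servers we link to */
link OuTy.ShouTy.TrouTy
{
    username *;
    hostname hub.the-killer.bz;
    bind-ip *;
    port 8067;
    hub *;
    password-connect "sexylink";
    password-receive "sexylink";
    class servers;
    options { nodnscache; autoconnect; nohostcheck; };
};
"""

# quoted string | structural char | bare word (hostnames, '*', 'bind-ip' ...)
_TOKEN = re.compile(r'"(?:[^"\\]|\\.)*"|[{};]|[^\s{};"]+')


def _strip_comments(text):
    # Unreal accepts /* */, # and // comments; handling the first two keeps a
    # // inside a quoted URL from being eaten by a naive regex.
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(?m)^\s*#.*$", "", text)


def _parse(tokens, i=0):
    """Recursive descent over `key args... ;` and `key args... { ... };`."""
    entries = []
    while i < len(tokens) and tokens[i] != "}":
        key, i = tokens[i].strip('"'), i + 1
        args = []
        while i < len(tokens) and tokens[i] not in ("{", "}", ";"):
            args.append(tokens[i].strip('"'))
            i += 1
        children = None
        if i < len(tokens) and tokens[i] == "{":
            children, i = _parse(tokens, i + 1)
            if i >= len(tokens) or tokens[i] != "}":
                raise ValueError("unbalanced braces in config")
            i += 1
        if i < len(tokens) and tokens[i] == ";":
            i += 1
        entries.append({"key": key, "args": args, "children": children})
    return entries, i


def parse_conf(text):
    tokens = _TOKEN.findall(_strip_comments(text))
    entries, i = _parse(tokens)
    if i != len(tokens):
        raise ValueError("stray '}' in config")
    return entries


def _field(block, key):
    """Value of `key` inside a block; True for a bare flag; None if absent."""
    for e in block["children"] or []:
        if e["key"] == key:
            return " ".join(e["args"]) if e["args"] else True
    return None


def summarize(text):
    """Server identity, admin strings and every link block with findings."""
    out = {"server": None, "admin": [], "links": []}
    for e in parse_conf(text):
        if e["key"] == "me":
            out["server"] = _field(e, "name")
        elif e["key"] == "admin":
            out["admin"] = [c["key"] for c in e["children"] or []]
        elif e["key"] == "link":
            opts = next((c for c in e["children"] or [] if c["key"] == "options"), None)
            options = [o["key"] for o in (opts["children"] if opts else [])]
            link = {
                "name": e["args"][0] if e["args"] else None,
                "hostname": _field(e, "hostname"),
                "port": int(_field(e, "port") or 0),
                "password_connect": _field(e, "password-connect"),
                "password_receive": _field(e, "password-receive"),
                "options": options,
                "findings": [],
            }
            if "autoconnect" in options:
                link["findings"].append("autoconnect: host dials the hub itself on startup")
            if "nohostcheck" in options:
                link["findings"].append("nohostcheck: peer hostname not verified; password is the only check")
            if link["password_connect"] == link["password_receive"]:
                link["findings"].append("same password both ways: one leaked secret links in either direction")
            out["links"].append(link)
    return out


if __name__ == "__main__":
    import json
    print(json.dumps(summarize(SAMPLE_CONF), indent=2))
```

Run it against the recovered unrealircd.conf (read the file into `summarize`) and the `hostname`/`port` of each link block gives you the hub to report, while the `findings` list tells you how loosely the network was stitched together; the parser itself is generic enough to walk the rest of the config (`listen`, `oper`, `allow` blocks) with the same `_field` helper.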
