[Resolved]01micko.com compromised

News, happenings
01micko
Posts: 8741
Joined: Sat 11 Oct 2008, 13:39
Location: qld

[Resolved]01micko.com compromised

#1 Post by 01micko »

My site has been compromised.

See UPDATE 1

See UPDATE 2

As far as I can tell it's mainly the domain name. All the files are still there but I can't access it via FTP. It appears to me that DNS is compromised, but that doesn't explain the FTP.

The files are unimportant (I have local copies) but my database is, to some degree. I have backed up the whole site but the download breaks (6GB) through a browser. Wget doesn't work as the domain is kaput.

Of course I have emailed my host's support but no response. I expect I won't see one until Monday. They are lazy.

Sorry for any inconvenience.
Last edited by 01micko on Mon 16 Jun 2014, 02:09, edited 3 times in total.
Puppy Linux Blog - contact me for access

Sylvander
Posts: 4416
Joined: Mon 15 Dec 2008, 11:06
Location: West Lothian, Scotland, UK

#2 Post by Sylvander »

Might "someone" be messing with the files whilst the site is compromised?
e.g. Inserting "backdoors"?

Would it perhaps be wise to scrap all of the files and replace them with known good copies?

Ted Dog
Posts: 3965
Joined: Wed 14 Sep 2005, 02:35
Location: Heart of Texas

#3 Post by Ted Dog »

A bad DNS record happens by accident as well. Sometimes more than one person buys a domain and the powers have to sort it out. Since he has the older record it should still be his. Contact the holder of the DNS record to get this resolved faster.

8-bit
Posts: 3406
Joined: Wed 04 Apr 2007, 03:37
Location: Oregon

#4 Post by 8-bit »

It appears that some files are still accessible in some sub-directories.
I was able to access http://01micko.com/slacko5.5/ with no apparent problems. The main site though would bring up a 404 error in the browser.
I hope you get it remedied as I hate to see any sites that contain puppy related files un-accessible.
I just tried backing up the tree by using "Parent directory" from the above link and was able to get a tree list of the directories in 01micko.com!
That may help in recovering important personal and development files!

01micko
Posts: 8741
Joined: Sat 11 Oct 2008, 13:39
Location: qld

#5 Post by 01micko »

UPDATE

It is definitely a DNS attack on my host. My site HAS NOT been compromised. I can login using the IP address and nothing is amiss. As a precaution I have beefed up my already beefy password.

It's a waiting game now for the slack-assed host to get off its rump and fix the issue.
Puppy Linux Blog - contact me for access

russoodle
Posts: 707
Joined: Fri 12 Sep 2008, 17:36
Location: Down-Under in South Oz

#6 Post by russoodle »

Hey Micko....I empathise with you, matey....so many screwballs out there :evil:

Hope your host gets off that lard-arse soon and sorts it out for you!

I don't imagine there's anything I can do to help in the circumstances, but if there is, please let me know..

Cheers,
russoodle
The mud-elephant, wading thru the sea, leaves no tracks..

01micko
Posts: 8741
Joined: Sat 11 Oct 2008, 13:39
Location: qld

#7 Post by 01micko »

Thanks Suz,

I know exactly how you have felt on a couple of occasions now. Frustrated, pissed off and helpless.

What's worse is that my host is on Linux. Not a good advertisement. You would think that with Linux being free, in every sense of the word, that they wouldn't have a drama keeping up with security issues. I know bind (the Linux program for DNS) is continually updated. Obviously theirs wasn't. :roll:

Stay cool. 8)

NB: next time I purchase hosting I want a VM that I am in charge of... can administer over ssh and scp. Cost isn't the issue. It's service. Thought about hosting from home but my upload speed maxes at 80kbps.. pathetic.
Puppy Linux Blog - contact me for access

stemsee

#8 Post by stemsee »

http://01micko.com/

is this correct? It goes to ECSHOP Demo site. China. When I lived in China (7 years) they routinely hacked my phone's database and caused it to misbehave. I worked at a youth hostel in China and they hacked that and used it as a server with 40GB of hidden files!!
Attachment: capture6763.jpg

stemsee

#9 Post by stemsee »

Sylvander wrote:Might "someone" be messing with the files whilst the site is compromised?
e.g. Inserting "backdoors"?

Would it perhaps be wise to scrap all of the files and replace them with known good copies?
I, too, have strongly suspected this!!
I would be amazed if some entity DIDN'T hack puppy linux in every way it could!! So your advice is sound!

01micko
Posts: 8741
Joined: Sat 11 Oct 2008, 13:39
Location: qld

#10 Post by 01micko »

stemsee.. nah, they hacked DNS of the host. Enough to piss me off and frustrate me but not much more. Should be fine by Tuesday (for me).. if they get off their lazy arse and fix it.
Puppy Linux Blog - contact me for access

anikin
Posts: 994
Joined: Thu 10 May 2012, 06:16

#11 Post by anikin »

stemsee wrote:
Sylvander wrote:Might "someone" be messing with the files whilst the site is compromised?
e.g. Inserting "backdoors"?

Would it perhaps be wise to scrap all of the files and replace them with known good copies?
I, too, have strongly suspected this!!
I would be amazed if some entity DIDN'T hack puppy linux in every way it could!! So your advice is sound!
Yep, the hackers have had plenty of time to do anything they wanted. From now on, Slacko's communication with icanhazip will be under full control of the brutal Chinese regime. Outrageous. On the other hand, this is a good publicity opportunity for micko ... I didn't even suspect, he had a website.

01micko
Posts: 8741
Joined: Sat 11 Oct 2008, 13:39
Location: qld

#12 Post by 01micko »

anikin wrote:Yep, the hackers have had plenty of time to do anything they wanted. From now on, Slacko's communication with icanhazip will be under full control of the brutal Chinese regime. Outrageous
:lol:
Sad thing is that you are for real. Truly sad.
anikin wrote:On the other hand, this is a good publicity opportunity for micko ... I didn't even suspect, he had a website.
Oh yes. It's only been around for 3 years. More clicks is good. Especially for my Chinese partners.
Puppy Linux Blog - contact me for access

Iguleder
Posts: 2026
Joined: Tue 11 Aug 2009, 09:36
Location: Israel, somewhere in the beautiful desert

#13 Post by Iguleder »

double post
Last edited by Iguleder on Sat 14 Jun 2014, 17:35, edited 1 time in total.
My homepage: http://dimakrasner.com/
My GitHub profile: https://github.com/dimkr

Iguleder
Posts: 2026
Joined: Tue 11 Aug 2009, 09:36
Location: Israel, somewhere in the beautiful desert

#14 Post by Iguleder »

You can buy a cheap ARM computer and host everything at home. It's a one-time fee and you get full access to the server.

That's what I do - mine runs a modded distro with a web server I wrote myself. It's security hardened and surrounded with home-made honeypots. In total, I waste ten minutes on administration each month.
My homepage: http://dimakrasner.com/
My GitHub profile: https://github.com/dimkr

tlchost
Posts: 2057
Joined: Sun 05 Aug 2007, 23:26
Location: Baltimore, Maryland USA

#15 Post by tlchost »

Iguleder wrote:You can buy a cheap ARM computer and host everything at home. It's a one-time fee and you get full access to the server.
Only if your ISP's TOS (Terms of Service) allows it

01micko
Posts: 8741
Joined: Sat 11 Oct 2008, 13:39
Location: qld

#16 Post by 01micko »

Iguleder wrote:You can buy a cheap ARM computer and host everything at home. It's a one-time fee and you get full access to the server.

That's what I do - mine runs a modded distro with a web server I wrote myself. It's security hardened and surrounded with home-made honeypots. In total, I waste ten minutes on administration each month.
yeah thought of that and nearly did it but my upload speed at best is 80kbps :( ..that would annoy everybody downloading from me apart from dialup users!
Puppy Linux Blog - contact me for access

Karl Godt
Posts: 4199
Joined: Sun 20 Jun 2010, 13:52
Location: Kiel,Germany

#17 Post by Karl Godt »

The Firefox browser currently redirects www.01micko.com to a sub-page of www.68ecshop.com, which seems to be a Japanese shopping site, for me.

http://en.wikipedia.org/wiki/DNS_spoofing writes:
DNS spoofing (or DNS cache poisoning) is a computer hacking attack,
whereby data is introduced into a Domain Name System (DNS) name server's cache database,
causing the name server to return an incorrect IP address,
diverting traffic to another computer (often the attacker's).
I have no idea how this works except for the so-called thirteen "root name servers".

According to the German http://de.wikipedia.org/wiki/Root-Nameserver

Code:

M 		202.12.27.33 	2001:dc3::35 	WIDE Project 	distributed (Anycast)
is located in Japan.

But what does it have to do with ANYCAST??

In this case the CACHE file of some name server has been altered.

Since I am in Europe, I would have expected not to be affected, since two main root servers are in Europe: London and Stockholm.

But my provider's APN is internet.t-mobile, which operates world-wide.

In any case, it looks like you'd need to contact ICANN directly to clear the issue.

01micko
Posts: 8741
Joined: Sat 11 Oct 2008, 13:39
Location: qld

#18 Post by 01micko »

Yeah ICANN has been a thought. If the host doesn't clear it up by Monday that's the only option.

You are right, 13 root hint servers, but there are other DNS servers, lots of them; you can fairly simply set one up yourself. DNS is a hierarchical system. The root hint server will deliver com. net. co. au. ca. tk. or whatever, then it gets passed down the chain adding bits. These records are replicated around the world. If you haven't cleared cache in a long while it's possible that you get my site (like 8-bit did) but that won't last long.

What the attacker has done is hijacked the IP address somehow. If you do a whois you can find my IP (27.124.113.33, actually easily gotten with ping -c3 01micko.com) and if you do a reverse whois on that IP it leads to my host. So I don't think there is a lot ICANN can do. The domain is still mine and if worse comes to worst I can transfer it, which I'll do anyway.

Since that IP is hijacked I can't do anything with it. I have another domain which still works fine from said account, and its IP is different but I can access my files over FTP. If you want that IP PM me.
Puppy Linux Blog - contact me for access
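The triage 01micko describes above (find the address the name resolves to, check who is handing it out, and work out whether a record or a cache is wrong) written up as a runnable check. This is an added example, not code from the thread, from 01micko's site or from the hosting provider. The only value taken from the thread is the expected address 27.124.113.33; the name servers, resolver names and the rogue address in the demo are constructed placeholders, and the live `dig` helper is only used if you call it yourself. Root servers, which the next post queries, are not recursive and carry no A record for 01micko.com, so the check below is aimed at the domain's own authoritative servers (the NS set from `dig +short NS 01micko.com`, and for the delegation the NS set the .com servers hand out) and compares them with ordinary recursive resolvers. Which party disagrees tells you who to call: registrar, host, or the operator of a poisoned resolver.

```python
#!/usr/bin/env python3
"""Triage a suspected DNS hijack by comparing who answers what.

Added example for this thread; not code from the forum, the site owner or
the hosting provider.  Assumptions: the expected A record 27.124.113.33 is
the one quoted in the thread; every name-server name, resolver name and the
"rogue" IP in the demo are made up (203.0.113.0/24 is the RFC 5737
documentation range).
"""
import subprocess
from typing import Dict, List


def dig_short(name: str, rtype: str, server: str = "", recurse: bool = True) -> List[str]:
    """Return `dig +short` answers for name/rtype, optionally from one server.

    Needs the `dig` binary and network access, so the offline demo below does
    not call it.  Ask authoritative servers with recurse=False so a caching
    forwarder in front of them cannot answer on their behalf.
    """
    cmd = ["dig", "+short", "+time=3", "+tries=1",
           "+recurse" if recurse else "+norecurse"]
    if server:
        cmd.append("@" + server)
    cmd += [name, rtype]
    out = subprocess.run(cmd, capture_output=True, text=True, timeout=10).stdout
    return [line.strip().rstrip(".") for line in out.splitlines() if line.strip()]


def triage(expected_a: str,
           authoritative: Dict[str, List[str]],
           resolvers: Dict[str, List[str]],
           parent_ns: List[str],
           zone_ns: List[str]) -> Dict[str, object]:
    """Classify the hijack.

    authoritative: each of the domain's own NS hosts -> A answers it gave.
    resolvers:     each recursive resolver asked -> A answers it gave.
    parent_ns:     NS set the parent (TLD) servers delegate to.
    zone_ns:       NS set published inside the zone itself.
    """
    notes: List[str] = []
    answering = {ns: set(a) for ns, a in authoritative.items() if a}
    auth_bad = sorted(ns for ns, s in answering.items() if s != {expected_a})
    res_bad = sorted(r for r, a in resolvers.items() if set(a) != {expected_a})
    res_good = sorted(r for r, a in resolvers.items() if set(a) == {expected_a})
    seen = set()
    for answers in list(authoritative.values()) + list(resolvers.values()):
        seen.update(answers)
    rogue = sorted(seen - {expected_a})

    if {n.lower() for n in parent_ns} != {n.lower() for n in zone_ns}:
        # The parent delegates to servers the zone does not list: the
        # registrar account, not any cache, is what changed.
        verdict = "delegation-changed"
        notes.append(f"parent NS {sorted(parent_ns)} != zone NS {sorted(zone_ns)}")
    elif answering and len(auth_bad) == len(answering):
        # The domain's own servers hand out the rogue address: the zone data
        # changed at the host.  Resolver caches are only replaying it.
        verdict = "zone-altered"
        notes.append(f"all authoritative servers return a non-expected record {rogue}")
        if res_good:
            notes.append(f"stale cache still serving the old record at {res_good}")
    elif auth_bad:
        verdict = "authoritative-split"   # one secondary out of sync or compromised
        notes.append(f"only {auth_bad} return a wrong answer")
    elif res_bad:
        # Authority is fine but some recursive resolvers disagree: poisoned or
        # stale cache at those resolvers only.
        verdict = "resolver-only"
        notes.append(f"resolvers answering wrongly: {res_bad}")
    else:
        verdict = "consistent"

    return {"verdict": verdict, "rogue_ips": rogue, "auth_bad": auth_bad,
            "res_bad": res_bad, "notes": notes}


def demo() -> Dict[str, object]:
    """Constructed answers that mirror the thread's symptoms (not real captures)."""
    ns = ["ns1.example-host.net", "ns2.example-host.net"]
    authoritative = {ns[0]: ["203.0.113.45"], ns[1]: ["203.0.113.45"]}
    resolvers = {
        "8.8.8.8": ["203.0.113.45"],
        "isp-resolver.example": ["27.124.113.33"],   # old record still cached
    }
    return triage("27.124.113.33", authoritative, resolvers, ns, ns)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:<10} {value}")
```

For a live run, feed `triage()` with `dig_short("01micko.com", "A", server=ns, recurse=False)` for each name server in `dig_short("01micko.com", "NS")`, the same query against a couple of public resolvers, and the delegation from a .com server such as `dig_short("01micko.com", "NS", server="a.gtld-servers.net", recurse=False)`. The "zone-altered" verdict is the one that matches this thread: the address the host's own servers publish changed, a resolver that had the old record cached kept reaching the real site for a while, and the fix has to come from the host rather than from ICANN or from flushing caches.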

Karl Godt
Posts: 4199
Joined: Sun 20 Jun 2010, 13:52
Location: Kiel,Germany

#19 Post by Karl Godt »

I have found one:
CORRECT:

Code:

# busybox-1.21.0 nslookup 01micko.com 202.12.27.33
Server:    202.12.27.33
Address 1: 202.12.27.33 M.ROOT-SERVERS.NET

Name:      01micko.com
Address 1: 27.124.113.33 server-x-r6.ipv4.au.syrahost.com
Incomplete:

Code:

# busybox-1.21.0 nslookup 01micko.com 193.0.14.129
Server:    193.0.14.129
Address 1: 193.0.14.129 k.root-servers.net

Name:      01micko.com
Address 1: 27.124.113.33
I took the M (13) from
http://www.root-servers.org/
and that was right.

So I tried 12 and 11, and:
It is actually the K (11) that probably shows incomplete / wrong.
Operator: RIPE NCC

But that incomplete output may be network / server or client (busybox) related.

The German Wikipedia apparently numbers the servers differently than root-servers.org, with the Japanese one being Nr. 11.

http://k.root-servers.org/nodes/nskix/
http://k.root-servers.org/nodes/tokyo/

And 68ecshop.com is apparently Chinese, not Japanese.
The Chinese apparently have the same international currency symbol.
chin.: Yuan
jap.: Yen

both have

Code:

# echo -e '\0190'
ascii code sign ... # another project for me to display all special characters in the terminal, and not only bin squares and diamond question marks
.

SFR
Posts: 1800
Joined: Wed 26 Oct 2011, 21:52

#20 Post by SFR »

Karl Godt wrote:both have

Code:

# echo -e '\0190'
ascii code sign ... # another project for me to display all special characters in the terminal, and not only bin squares and diamond question marks
.
This one?

Code:

# echo -e '\xc2\xa5'
¥
# 
Greetings!
[O]bdurate [R]ules [D]estroy [E]nthusiastic [R]ebels => [C]reative [H]umans [A]lways [O]pen [S]ource
Omnia mea mecum porto. (All that is mine I carry with me.)
