[Resolved]01micko.com compromised

[01micko]

You can buy a cheap ARM computer and host everything at home. It's a one-time fee and you get full access to the server.

That's what I do - mine runs a modded distro with a web server I wrote myself. It's security hardened and surrounded with home-made honeypots. In total, I waste ten minutes on administration each month.

yeah thought of that and nearly did it but my upload speed at best is 80kbps ..that would annoy everybody downloading from me apart from dialup users!

[Karl Godt]

the firefox browser re-directs www.01micko.com to a sub page of www.68ecshop.com , which seems to be a Japanese shopping site , currently for me .

http://en.wikipedia.org/wiki/DNS_spoofing writes :

DNS spoofing (or DNS cache poisoning) is a computer hacking attack,
whereby data is introduced into a Domain Name System (DNS) name server's cache database,
causing the name server to return an incorrect IP address,
diverting traffic to another computer (often the attacker's).

I have no idea how this a works except the thirteen so-called 13 " root name servers " .

According to the German http://de.wikipedia.org/wiki/Root-Nameserver

Code: Select all

M 		202.12.27.33 	2001:dc3::35 	WIDE Project 	verteilt (Anycast)

is located in Japan .

But what it has with ANYCAST ??

In this case the CACHE file of some name server has been altered .

Since I am in Europe , I would have expected not being affected , since two main root servers are in Europe : London and Stockholm .

But my provider's APN is internet.t-mobile , which operates world-wide .

In any case , it looks like you'd need to contact ICANN directly, to clear the issue .

[01micko]

Yeah ICANN has been a thought. If the host doesn't clear it up by Monday that's the only option.

You are right, 13 root hint servers but there are other DNS servers, lots of them, you can fairly simply set one up yourself. DNS is an hierarchical system. The root hint server will deliver com. net. co. au. ca. tk. or whatever then it gets passed down the chain adding bits. These records are replicated around the world. If you haven't cleared cache in a long while it's possible that you get my site (like 8-bit did) but that wont last long.

What the attacker has done is hijacked the IP address somehow. If you do a whois you can find my IP (27.124.113.33 .actually easy gotten with ping -c3 01micko.com) and you do a reverse whois on that IP it leads to my host. So I don't think there is a lot ICANN can do. The domain is still mine and if worse comes to worse I can transfer it, which I'll do anyway.

Since that IP is hijacked I can't do anything with it. I have another domain which still works fine from said account, and it's IP is different but I can access my files over ftp. If you want that IP PM me.

[Karl Godt]

I have found one :
CORRECT :

Code: Select all

# busybox-1.21.0 nslookup 01micko.com 202.12.27.33
Server:    202.12.27.33
Address 1: 202.12.27.33 M.ROOT-SERVERS.NET

Name:      01micko.com
Address 1: 27.124.113.33 server-x-r6.ipv4.au.syrahost.com

Incomplete :

Code: Select all

# busybox-1.21.0 nslookup 01micko.com 193.0.14.129
Server:    193.0.14.129
Address 1: 193.0.14.129 k.root-servers.net

Name:      01micko.com
Address 1: 27.124.113.33

I took the M (13) from
http://www.root-servers.org/
and that was right .

So I tried 12 and 11, and :
It is actually the K (11) that probably shows incomplete / wrong .
Operator : RIPE NCC

But that incomplete output may be network / server or client ( busybox ) related .

The German wikipedia apparently numbers the servers different than root-servers.org with the Japanese being Nr. 11 .

http://k.root-servers.org/nodes/nskix/
http://k.root-servers.org/nodes/tokyo/

And 68ecshop.com is apparently Chinese - not Japanese .
The Chinese apparently have the same international currency symbol .
chin.: Yuan
jap.: Yen

both have

Code: Select all

# echo -e '\0190'

ascii code sign ... #another project for me to display all special characters in the terminal , and not only bin squares and diamond question marks
.

[SFR]

both have

Code: Select all

# echo -e '\0190'

ascii code sign ... #another project for me to display all special characters in the terminal , and not only bin squares and diamond question marks
.

This one?

Code: Select all

# echo -e '\xc2\xa5'
¥
# 

Greetings!

[gcmartin]

Everyone 01Micko is sharing an understanding of what is hacked. The various "whats" has been discussed in open forums on the internet for years. And this specific "what" is the topic of discussion that has raged for all too many years. In years pasts, it was blamed first on kids, then on hackers, then on the mob, then on the Russians, then African nations, now its the Chinese.

I offer that we use this thread to take focus for our purposes a manner of managing how we can exercise this event to our advantage.

Let's step back for a moment to look at some of the problems like this:
What happens when secondary/third-level DNS is poisoned such that a sitename is redirected to another host's IP? How is it repaired? (I maintain, as 01Micko does) that ISPs have dealt with this type of problem for years and are uniquely positioned to deal with this. In the past, I have always steered my customers (especially first-timers who lack staff to support website "Management" to use NSI (the strongest of the worlds's ISP) or Yahoo or Google and most recently had good results from GoDaddy for site management and issues resolution.
Reason: Years of experience and 24hour assistance from those I mentioned. They have seen many-most every website problem in existence and have solid manners for addressing such, directly and quickly.

This kind of problem, in the past, too, has resulted in a customer/ISP have its domain-name expire where "there is a business" of persons/companies circling-the internet waiting for domain-name expiration and seizing the name because of the number of hits. They then sell service on a their own webpage or they offer the name for purchase to the highest bidder (Again, this is a KNOWN business element of buying and selling expired domain-names). In this case, usually, the company which bought the name sells it back at a premium to the company or person who wants their old domain-name back.

Also, along the same lines, an ISP can be working over a weekend on updates and do get things screwed up in internet domain-name resolution issues. This, they usually fixed by a refreshed DNS blast for its domains at the end of their updates.

If it is clear which path was used to hijack the domain-name, we can turn this thread into a "Howto..." for addressing domain-name issues. Advantage: Puppyland Domain-name holders

As I mentioned before, there appears to be a similar domain-name issue with Smokey01.com where the sites files are there but to get there thru top-level sitename is gone. To better explain this to those who dont understand, http:/smokey01.com is gone from resolution, but, http:/smokey01.com/01micko is still there.

Anyone see my points??? Other ideas of how this problem can be our advantage?

[8-bit]

One thing that bothers me is this the start of a systematic attack of Puppy Domains? How many developers have files stored on those domains that they do not have backups of?
Imagine if this progressed to the point of this thread and also this forum suddenly getting directed to some other site as well as the backup forum.
I am hoping that the content of 01micko.com is still ok and the attack on his site is just a redirection to another site as well as preserving contents of other puppy domains.

[Karl Godt]

What irritates me further is , that 01micko.com still shows in the location bar in firefox .

When re-direction occurs, my experience was with phishing ,
that not xyz_bank.com is showing anymore in the location bar ,
but the real address of the page , in my cases mainly somewhere in Mexico .
Perhaps all of Mick's .html pages are replaced ?
Or the server at crazy domains.com presents a set of wrong index.html
that are located on the server partition ?

Or could there be any .php or .js scripts in Mick's index.html be injected ?

When Mick is capable of logging in , is it possible for him to view the .html files -- like `# less index.html' ?

What confuses me also , is the firefox view source shows

Code: Select all

<div class="goodsbox1">
				<div class="imgbox1"><a href="goods.php?id=8"><img src="http://1.2.3.12/bmi/01micko.com/images/200905/thumb_img/8_thumb_G_1241425513488.jpg"

lines with " http://1.2.3.12/bmi/01micko.com " together with <a href="http://www.68ecshop.com">
--
while `# wget http://01micko.com'' shows no http://1.2.3.12/bmi/01micko.com -- only http://www.68ecshop.com
...

[Karl Godt]

both have

Code: Select all

# echo -e '\0190'

ascii code sign ... #another project for me to display all special characters in the terminal , and not only bin squares and diamond question marks
.

This one?

Code: Select all

# echo -e '\xc2\xa5'
¥
# 

Greetings!

Yup ..

Code: Select all

#!/bin/ash

A='0 1 2 3 4 5 6 7 8 9 a b c d e f'

for i in $A
do
for j in $A
do
for k in $A
do
for l in $A
do

case $i in
[0]) case $j in
[0-9]|[b-f]) case $k in
      8) case $l in
         [0-9]|[a-d]) continue;;
         esac
      ;;
      9|[a-f]) continue;;
      esac
   ;;
   esac
;;

[1-7]) case $j in
[0-9]|[a-f]) case $k in
      8) case $l in
         [0-9]|[a-d]) continue;;
         esac
      ;;
      9|[a-f]) continue;;
      esac
   ;;
   esac
;;
[8-9]|[a-b]|[e-f]) continue
;;
c|d) case $j in
 [0-1]|3) continue;;
  2) case $k in
   [0-9]|[c-f]) continue;;
     esac
     ;;
  [4-9]|[a-f]) case $k in
  [0-7]|[c-f]) continue;;
     esac
     ;;
   esac
;;
esac

echo -e "$i $j $k $l:"'"'"\\x$i$j\\x$k$l"'"''\n' >> ascii.hex.tab

done
done
done
done

Views in e3 , but

Code: Select all

strings ascii.hex.tab >ascii.hex.tab.2

erases all these funny signs like
c 8 b f:"ȿ"
or
c 6 9 c:"Ɯ"
or
c 5 a 6:"Ŧ"
or
c 2 a 5:"¥"

[gcmartin]

To begin to see the DNS issue I speak of, do this from a terminal Window:

Code: Select all

# ping -c 5 01micko.com
PING 01micko.com (27.124.113.33): 56 data bytes
64 bytes from 27.124.113.33: seq=1 ttl=44 time=275.179 ms
64 bytes from 27.124.113.33: seq=2 ttl=43 time=278.243 ms
64 bytes from 27.124.113.33: seq=3 ttl=43 time=273.757 ms
64 bytes from 27.124.113.33: seq=4 ttl=43 time=274.601 ms

--- 01micko.com ping statistics ---
5 packets transmitted, 4 packets received, 20% packet loss
round-trip min/avg/max = 273.757/275.445/278.243 ms

If this is done from every continent we begin to see what the DNS resolutions are telling your browsers. The above is from a North-Western Hemisphere PC.

What continent and what does your resolution show? This helps in that we can get a worldly picture of what the browsers are being told. And, to how far the problem has cascaded.

[tallboy]

This is probably the single most stupid question here, but both 01Micko.com and 68ecshop.com start with a numerical expression, does that have any significance?

Pinged from Oslo, Norway:(wifi)

Code: Select all

# ping -c5 01micko.com
PING 01micko.com (27.124.113.33): 56 data bytes
64 bytes from 27.124.113.33: seq=0 ttl=45 time=1399.818 ms
64 bytes from 27.124.113.33: seq=1 ttl=45 time=887.716 ms
64 bytes from 27.124.113.33: seq=2 ttl=45 time=799.641 ms
64 bytes from 27.124.113.33: seq=3 ttl=45 time=839.573 ms
64 bytes from 27.124.113.33: seq=4 ttl=45 time=1007.489 ms

--- 01micko.com ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 799.641/986.847/1399.818 ms

tallboy

[rokytnji]

Code: Select all

# ping -c 5 01micko.com 
PING 01micko.com (27.124.113.33) 56(84) bytes of data.
64 bytes from 01micko.com (27.124.113.33): icmp_req=1 ttl=43 time=254 ms
64 bytes from 01micko.com (27.124.113.33): icmp_req=2 ttl=43 time=254 ms
64 bytes from 01micko.com (27.124.113.33): icmp_req=3 ttl=43 time=261 ms
64 bytes from 01micko.com (27.124.113.33): icmp_req=4 ttl=43 time=255 ms
64 bytes from 01micko.com (27.124.113.33): icmp_req=5 ttl=43 time=259 ms

--- 01micko.com ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4005ms
rtt min/avg/max/mdev = 254.296/256.978/261.635/2.956 ms

Texas/Mexican Border.

[Karl Godt]

What I could think of that someone has copied a limited set of 6-12 .html from 68ecshop.com and placed them on Mick's server , since only the :80 port seems affected .

Reason would be to get people entering shopping ec-card information .

Code: Select all

# ping -c 5 01micko.com
PING 01micko.com (27.124.113.33): 56 data bytes
64 bytes from 27.124.113.33: seq=1 ttl=41 time=499.208 ms
64 bytes from 27.124.113.33: seq=2 ttl=41 time=549.060 ms
64 bytes from 27.124.113.33: seq=3 ttl=41 time=508.912 ms
64 bytes from 27.124.113.33: seq=4 ttl=41 time=508.801 ms

--- 01micko.com ping statistics ---
5 packets transmitted, 4 packets received, 20% packet loss
round-trip min/avg/max = 499.208/516.495/549.060 ms
# ping -c 5 01micko.com
PING 01micko.com (27.124.113.33): 56 data bytes
64 bytes from 27.124.113.33: seq=0 ttl=41 time=729.947 ms
64 bytes from 27.124.113.33: seq=1 ttl=41 time=509.697 ms
64 bytes from 27.124.113.33: seq=2 ttl=41 time=519.725 ms
64 bytes from 27.124.113.33: seq=3 ttl=41 time=490.085 ms
64 bytes from 27.124.113.33: seq=4 ttl=41 time=489.466 ms

--- 01micko.com ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 489.466/547.784/729.947 ms

[stemsee]

Code: Select all

sh-4.1# ping -c 5 01micko.com 
PING 01micko.com (27.124.113.33): 56 data bytes
64 bytes from 27.124.113.33: seq=0 ttl=45 time=396.678 ms
64 bytes from 27.124.113.33: seq=1 ttl=45 time=392.599 ms
64 bytes from 27.124.113.33: seq=2 ttl=45 time=408.535 ms
64 bytes from 27.124.113.33: seq=3 ttl=45 time=395.692 ms
64 bytes from 27.124.113.33: seq=4 ttl=45 time=402.718 ms

--- 01micko.com ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 392.599/399.244/408.535 ms

London, England

[01micko]

My host is allocated 27.124.111.0 to 27.124.118.255

My actual IP address is in the range 203.170.80.0 to 203.170.87.255. I can log on to that one with FTP. (Also allocated to my host)

Ping this domain; computerfairy.net, browse the site if you wish, it's a drupal install on my host, same root directory as 01micko.com. I own the domain. That's my real IP address.

Karl, see if you can log in through a browser once you have my real IP. The root folder is public_html, however you may only be able to get to public_html/KRG with your permissions.

In the browser bar

Code: Select all

ftp://$REAL_IP_ADDRESS/public_html/

Happy hunting.

By the way, I've renamed my word press folder and removed any js from my index.html. I have removed a couple of perl scripts too. I don't expect to see an improvement based on the above info.

[James C]

Code: Select all

james@mx1:~
$ ping -c5 01micko.com 
PING 01micko.com (27.124.113.33) 56(84) bytes of data.
64 bytes from server-x-r6.ipv4.au.syrahost.com (27.124.113.33): icmp_req=1 ttl=42 time=313 ms
64 bytes from server-x-r6.ipv4.au.syrahost.com (27.124.113.33): icmp_req=2 ttl=42 time=314 ms
64 bytes from server-x-r6.ipv4.au.syrahost.com (27.124.113.33): icmp_req=3 ttl=42 time=321 ms
64 bytes from server-x-r6.ipv4.au.syrahost.com (27.124.113.33): icmp_req=4 ttl=42 time=321 ms
64 bytes from server-x-r6.ipv4.au.syrahost.com (27.124.113.33): icmp_req=5 ttl=42 time=318 ms

--- 01micko.com ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4004ms
rtt min/avg/max/mdev = 313.394/318.055/321.856/3.529 ms
james@mx1:~

[8-bit]

This ping request is from southern Oregon, USA.

Code: Select all

# ping -c5 01micko.com 
PING 01micko.com (27.124.113.33): 56 data bytes
64 bytes from 27.124.113.33: seq=0 ttl=50 time=241.197 ms
64 bytes from 27.124.113.33: seq=1 ttl=50 time=240.690 ms
64 bytes from 27.124.113.33: seq=2 ttl=50 time=239.967 ms
64 bytes from 27.124.113.33: seq=3 ttl=50 time=241.003 ms
64 bytes from 27.124.113.33: seq=4 ttl=50 time=240.462 ms

--- 01micko.com ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 239.967/240.663/241.197 ms

It seems to read about the same as others have got.
But the only information it gives is that the domain exists and gives the IP address found if I am correct in this.

[Karl Godt]

My host is allocated 27.124.111.0 to 27.124.118.255

My actual IP address is in the range 203.170.80.0 to 203.170.87.255. I can log on to that one with FTP. (Also allocated to my host)

Ping this domain; computerfairy.net, browse the site if you wish, it's a drupal install on my host, same root directory as 01micko.com. I own the domain. That's my real IP address.

Karl, see if you can log in through a browser once you have my real IP. The root folder is public_html, however you may only be able to get to public_html/KRG with your permissions.

In the browser bar

Code: Select all

ftp://$REAL_IP_ADDRESS/public_html/

Happy hunting.

By the way, I've renamed my word press folder and removed any js from my index.html. I have removed a couple of perl scripts too. I don't expect to see an improvement based on the above info.

This is what I get using firefox and gftp :

Looking up ftp.01micko.com
Trying 01micko.com:21
Connected to 01micko.com:21
220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
220-You are user number 1 of 50 allowed.
220-Local time is now 07:35. Server port: 21.
220-IPv6 connections are also welcome on this server.
220 You will be disconnected after 15 minutes of inactivity.
USER KRG@01micko.com
331 User KRG@01micko.com OK. Password required
PASS xxxx
530 Login authentication failed
Disconnecting from site ftp.01micko.com

Micko, you gave me such a great password with a ']' in it .
Had already tried using
wget --ftp-user=USER --ftp-password=PASS

Code: Select all

wget --ftp-user=KRG@01micko.com --ftp-password='VERY]GOODpassword' ftp://01micko.com
--01:41:27--  ftp://01micko.com/
           => `.listing'
Resolving 01micko.com... 27.124.113.33
Connecting to 01micko.com|27.124.113.33|:21... connected.
Logging in as KRG@01micko.com ... 
Login incorrect.

So I had thought, that you had changed all passwords incl. mine or even removed it from the TOP SECRET hidden password file /var/.shalow ...
( Linux is very secure .. )

[01micko]

Karl,

You are responsible for your password and you can change it to whatever you want

Try logging in with the IP. The real IP is 203.170.81.33. You should be able to just fine in gftp or filezilla. It works in browser too, ftp only.

Meanwhile I redirected my home page to micko.computerfairy.net and reinstated the javascript. If that is the cause (which I think not) then that address will succumb to the predator as well.

[l0wt3ch]

Sorry to hear about this!

Hopefully it all gets sorted out without very much trouble.