[Klug-general] A friend got script kiddied...

Karl Lattimer karl at qdh.org.uk
Wed Nov 28 17:57:48 GMT 2007


On Wed, 2007-11-28 at 17:25 +0000, Karl Buckland wrote:
> Karl Lattimer wrote:
> > One of my mates got skiddied last night by an insecure expose module in
> > Joomla.
> >
> > We tracked down his MSN address...
> >
> > ------------------
> > 16:47 <us> 
> > next time you hack a website, make sure you clean up after yourself... 
> > silly mistakes get people caught 
> >
> > 16:47 [b] | |  ßy HacKeR StingS | |[/b] disconnected
> > ------------------
> >
> > Hope that entertained you...
> >
> > K,
> >
> >   
> How did you manage to track him down? I assume he left some sort of 
> information.... that would be fairly stupid...

It happened like this: firstly, I started back-tracing the logs. Most of
what he did was automated; it looks like a Joomla worm of some sort. Here's
the BUT! He made a posting to a forum of a series of domains he'd
defaced, and as people from the forum clicked back through, it left us a
click trail to follow, right back to his boasting post, which we were
unable to read. However, the forum's policy was to display certain contact
info even in private forums, so we nabbed it there.

Pretty simple really.

This is the third time we've had a Joomla worm hit us, and it looks like
the same exploit had been used on the server on 5 separate occasions by
5 different worms. Time was when you closed the security hole properly
behind you so you could continue to use it and nobody noticed; that is
the essence of ownage.

K,
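
The click trail described in the message above can be pulled out of a web server's own access log by grouping requests on their Referer header. The following is an added example, not part of the original post; it assumes Apache "combined" log format, and the hostnames, IP addresses and log lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlsplit

# Assumed format: Apache "combined" (the post does not say which server was used).
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

def external_referrers(lines, own_hosts):
    """Group hits by external Referer URL: hit count, distinct client IPs, first seen."""
    stats = defaultdict(lambda: {"hits": 0, "ips": set(), "first": None})
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # malformed line or a different log format
        try:
            host = (urlsplit(m["ref"]).hostname or "").lower()
        except ValueError:
            continue  # Referer is client-supplied and may be garbage or forged
        if not host or host in own_hosts:
            continue  # "-" (no referer) or navigation inside our own site
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        s = stats[m["ref"]]
        s["hits"] += 1
        s["ips"].add(m["ip"])
        if s["first"] is None or ts < s["first"]:
            s["first"] = ts
    # A link posted somewhere public draws many different clients, so rank by
    # distinct IPs, then by earliest sighting.
    return sorted(stats.items(), key=lambda kv: (-len(kv[1]["ips"]), kv[1]["first"]))

# Constructed sample log lines (documentation IP ranges, example domains).
SAMPLE = [
    '198.51.100.7 - - [27/Nov/2007:22:10:03 +0000] "GET /index.php HTTP/1.1" 200 5120 "http://forum.example.net/viewtopic.php?t=4242" "Mozilla/5.0"',
    '203.0.113.9 - - [27/Nov/2007:22:14:41 +0000] "GET /index.php HTTP/1.1" 200 5120 "http://forum.example.net/viewtopic.php?t=4242" "Mozilla/5.0"',
    '192.0.2.33 - - [27/Nov/2007:22:15:00 +0000] "GET /about.html HTTP/1.1" 200 900 "http://www.example.org/index.php" "Mozilla/5.0"',
    '192.0.2.50 - - [27/Nov/2007:22:20:12 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '192.0.2.51 - - [27/Nov/2007:22:30:00 +0000] "GET / HTTP/1.1" 200 5120 "http://search.example.com/?q=site" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ref, s in external_referrers(SAMPLE, {"www.example.org"}):
        print(f'{len(s["ips"])} clients, {s["hits"]} hits, first {s["first"]}: {ref}')
```

Because the Referer value is sent by the client, treat the ranking as a lead to corroborate against other evidence rather than as proof of where visitors came from.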




