untergrund.net temporarily down
category: general [glöplog]
Boy, how I HATE outdated exploitable wordpress installations.
I don't yet know how exactly the attack worked to escape the jail users are in, but someone managed to exploit something in PHP to actually break out of their home dir. Right now for a ton of users, own php files got infected with a commercial php trojan, which provides fake advertising backlinks to search engines.
While the untergrund.net system itself does not appear to be compromised, a lot of user directories are.
The system will be down for a couple of days until we have fully analyzed what has happened. After that we'll either clean the system or revert to a pre-infection backup.
TL;DR: untergrund.net and all hosted sites will be down for a few days.
:( -- good luck with fixing it! and thx for keeping up the great service!
Thanks for the information scamp, will check my own wordpress installation! Could you provide any details on how to detect that infection?
Good luck Scamp, and other dudes!
BTW. How ppl LOVE to destroy the work of other guys. I am speechless..
Shit. Good luck fixing it! And thanks for all your work!
Yeah... I think it deserves a donation...
Transformers Cracked Undegraund!!!
ZXAAA.net Thief!!!
http://www.youtube.com/watch?v=rtu62Gklgso
Thanks for the information Scamp.
Quote:
How ppl LOVE to destroy the work of other guys. I am speechless..
They don't love it. It's business.
Well.. When one hears business one may be sure it is not clean, so.
In short - let's make some troubling shit in the name of the money.
Meh sounds orrible' best of luck getting it fixed \o_
LE FUUUU
pretty funny that it happened in the middle of jumalauta's demo-a-day-a-thon or whatever tho :D
F*&%ing Haxxors!
Arf... so it seems to be a big attack :(
Quote:
pretty funny that it happened in the middle of jumalauta's demo-a-day-a-thon or whatever tho :D
Indeed. I'm sure this is either an attack against our freedom by some anti-jumalauta terrorist group or a false flag operation by one of our members.
Crossing fingers that you fix it soon :/
scamp can you tell which version of wordpress was exploited?
I have a few instances of wordpress running on planet-d and I think it's time I double check everything's up to date :(
Is it really that hard to keep WP installations up to date? Drupal automatically sends out emails to administrators if any module (no matter if core or user-installed) is outdated.
Good luck for the fix.
F*ck those damn "commercial hacks"!
There are several users who are running outdated WP installations, yes. But well, even if WP itself is exploitable, one should not be able to infect other users' directories, but that has happened. We are still doing forensics to find out how that has happened.
Tomorrow we'll start the cleanup work, and hopefully we'll be back online Sunday.
Scamp: Does that mean some if my or other users files could be corrupted?
"of" my .. .even :)
We are quite sure we'll be able to resolve this without any data loss. We'll most likely however kill all outdated wordpress installations.
knowing untergrund there are tons of outdated sites once set up by sceners but not updated in years.
it's still valuable content but i'm not surprised there's security issues.
however if a bot or hacker is able to elevate his rights once hacked into a user account it's a general security problem and should be addressed asap.