untergrund.net temporarily down
category: general [glöplog]
the elevated rights indeed is the 'ouch'. i've seen some defacements and trojans and shit over the years, but this is mean shit :)
On abandoned/no longer updated wordpress sites with potential historical interest:
Maybe it would be an idea to just do a recursive wget of sites no longer updated, and leave the flattened plain HTML site for archive purposes?
Do some kind of monthly scan and send out a "I see you haven't interacted with your account for x months now, so unless you do something about that we'll just flatten your site and keep it around as a relic" mail, and then just "auto-archive" it if no reply is sent within y days?
Maybe it would be an idea to just do a recursive wget of sites no longer updated, and leave the flattened plain HTML site for archive purposes?
Do some kind of monthly scan and send out a "I see you haven't interacted with your account for x months now, so unless you do something about that we'll just flatten your site and keep it around as a relic" mail, and then just "auto-archive" it if no reply is sent within y days?
You know a tool to do that ?
Yep, the abandoned accounts that still have useful historical content sure are a problem. The most extreme example for example is Crest's website - a really nice site, but he surely won't return from his grave to update it.
Also, as we are talking about 500+ accounts here I won't have the time to manually check each and every of them - only things that I can automate will be an option.
But first of all we need to find the privilege escalation problem and fix it.
Also, as we are talking about 500+ accounts here I won't have the time to manually check each and every of them - only things that I can automate will be an option.
But first of all we need to find the privilege escalation problem and fix it.
To scamp:
In addition to what I have said in the personal conversation, here is some additional information that might be useful.
I have installed the Wordpress at summer last year. At Sept 21 I've gotten 3 strange comments from simulated facebook users:
Author : Santhosh (IP: 94.23.238.222 , ns308698.ovh.net)
E-mail : sk**ol@bigpowderhorn.net
URL : http://www.facebook.com/profile.php?id=100003444657***
Whois : http://whois.arin.net/rest/ip/94.23.238.222
Comment:
Hi, this is a comment.To detele a comment, just log in and view the post's comments. There you will have the option to edit or detele them.VA:F [1.9.12_1141]please wait...VA:F [1.9.12_1141](from 0 votes)
Author : Anamarija (IP: 146.228.112.136 , 146.228.112.136)
E-mail : p**l@oceanearth.com.au
URL : http://www.facebook.com/profile.php?id=100003444596***
Whois : http://whois.arin.net/rest/ip/146.228.112.136
Comment:
This is exactly what I was looking for. Thanks for wrntgii!
Author : Suzane (IP: 76.74.157.22 , utility1.gpshopper.com)
E-mail : q.le**lic@apache.to
URL : http://www.facebook.com/profile.php?id=100003445045***
Whois : http://whois.arin.net/rest/ip/76.74.157.22
Comment:
Why would I want to delete such a great coemmnt. This coemmnt really adds value to the blog which shows you how little value you can find here
I have hidden some personal details, because all of the facebook profiles are real and the author's names correspond to the names in fb's accounts.
Obviousely, this were not "commercial" bot posts.
Very looked to me like some "crackers" were trying something. I forgot about this accident already and today recognized it and thought of letting you know.
Hope to see the site back live soon and hear that you figured out all the intrusion process.
In addition to what I have said in the personal conversation, here is some additional information that might be useful.
I have installed the Wordpress at summer last year. At Sept 21 I've gotten 3 strange comments from simulated facebook users:
Author : Santhosh (IP: 94.23.238.222 , ns308698.ovh.net)
E-mail : sk**ol@bigpowderhorn.net
URL : http://www.facebook.com/profile.php?id=100003444657***
Whois : http://whois.arin.net/rest/ip/94.23.238.222
Comment:
Hi, this is a comment.To detele a comment, just log in and view the post's comments. There you will have the option to edit or detele them.VA:F [1.9.12_1141]please wait...VA:F [1.9.12_1141](from 0 votes)
Author : Anamarija (IP: 146.228.112.136 , 146.228.112.136)
E-mail : p**l@oceanearth.com.au
URL : http://www.facebook.com/profile.php?id=100003444596***
Whois : http://whois.arin.net/rest/ip/146.228.112.136
Comment:
This is exactly what I was looking for. Thanks for wrntgii!
Author : Suzane (IP: 76.74.157.22 , utility1.gpshopper.com)
E-mail : q.le**lic@apache.to
URL : http://www.facebook.com/profile.php?id=100003445045***
Whois : http://whois.arin.net/rest/ip/76.74.157.22
Comment:
Why would I want to delete such a great coemmnt. This coemmnt really adds value to the blog which shows you how little value you can find here
I have hidden some personal details, because all of the facebook profiles are real and the author's names correspond to the names in fb's accounts.
Obviousely, this were not "commercial" bot posts.
Very looked to me like some "crackers" were trying something. I forgot about this accident already and today recognized it and thought of letting you know.
Hope to see the site back live soon and hear that you figured out all the intrusion process.
there are tons of spam comment like that on WP. as if it was up to date. As Akismet and anti-spam plugins sometime let it forget some false positif :(
Anyway, as i've probably managed 15 Wordpress website on different servers, i could have reported a huge of spam and attack since october. and the most attacked are the most used and not the older one. Spam comment are more intersting on often use website, and hack like what we have here are spotting whole to exploit.
Anyway, updating a WP instance was not easy. in one year WP passed from 3.3 to 3.8 and each version was diffrents and non always compatible with theme or plugins used. So it was always possible to update a WP wihtout losing some stuff...
i'm waitin' news about all of that ; )
Anyway, as i've probably managed 15 Wordpress website on different servers, i could have reported a huge of spam and attack since october. and the most attacked are the most used and not the older one. Spam comment are more intersting on often use website, and hack like what we have here are spotting whole to exploit.
Anyway, updating a WP instance was not easy. in one year WP passed from 3.3 to 3.8 and each version was diffrents and non always compatible with theme or plugins used. So it was always possible to update a WP wihtout losing some stuff...
i'm waitin' news about all of that ; )
We have found the WP installation all this has started from.
All outdated WP installations will be converted into static HTML, afterwards the outdated WP will be deleted.
All outdated WP installations will be converted into static HTML, afterwards the outdated WP will be deleted.
ETA from now is about 18 hours. So untergrund.net should be back tomorrow evening.
One again, thanks for your free scene service, and I while it would be easy to provide the service and then forget about it, you guys pro-actively maintain it and offer fast fixes when there are any problems. You guys are admirable and you have my full respect and thanks. Thank you.
What keito said.
"You guys are admirable and you have my full respect and thanks. Thank you."
+1 !! I never be able to share my music so easily without that help ;)
+1 !! I never be able to share my music so easily without that help ;)
these are pretty bad news to hear but also it is really good to know that you guys have found out and fixed the issue :) also what keito said.
thank you :)
good news :)
effing spammer scum
Nice to hear that untergrund.net is getting fixed and will be available again. I really appreciate the effort.
Since free webspace without any ads is rare - is there some way to support with donations?
Since free webspace without any ads is rare - is there some way to support with donations?
Thank you, no need for donations. untergrund.net is MY donation to the demoscene ;)
And what Keito said! :)
The best way to support is to make a demo about it!
rofl. where to put demo?
Hi,
it took us 2 days, but now the system is fully cleaned up. The following
changes have been made:
- Some infected and abandonded accounts have been removed
- In some cases, we were able to convert infected wordpress
installations to plan HTML. In many cases, we had to completele
delete the installation.
If your WP installation is still there, update it NOW and keep
it updated in future. In future all outdated WP installations will
be deleted on sight.
- Some users had adminer installed, which is exploitable. Please do
not upload adminer or comperable tools. Use
https://phpmyadmin.untergrund.net instead.
- Some users had PHP shells, exploit tools etc installed. Any kind
of such tool on your account will get your account nuked.
We have also tightened security in a lot of areas. This may cause
certain PHP scripts to no longer run. We therefore recommend all users
to check if their websites are still working properly.
A big thank you to masta for his assistance in cleaning up the
system.
Cheers,
scamp
it took us 2 days, but now the system is fully cleaned up. The following
changes have been made:
- Some infected and abandonded accounts have been removed
- In some cases, we were able to convert infected wordpress
installations to plan HTML. In many cases, we had to completele
delete the installation.
If your WP installation is still there, update it NOW and keep
it updated in future. In future all outdated WP installations will
be deleted on sight.
- Some users had adminer installed, which is exploitable. Please do
not upload adminer or comperable tools. Use
https://phpmyadmin.untergrund.net instead.
- Some users had PHP shells, exploit tools etc installed. Any kind
of such tool on your account will get your account nuked.
We have also tightened security in a lot of areas. This may cause
certain PHP scripts to no longer run. We therefore recommend all users
to check if their websites are still working properly.
A big thank you to masta for his assistance in cleaning up the
system.
Cheers,
scamp
Hurrah! Thanks again for all the great work. You're awesome.
THANK YOU! ;o)
Thank you very much Scamp.
I am glad Luis moved our site onto untergrund.
I am glad Luis moved our site onto untergrund.
