Go to bottom

untergrund.net temporarily down

category: general [glöplog]
Boy, how I HATE outdated exploitable wordpress installations.

I don't yet know how exactly the attack worked to escape the jail users are in, but someone managed to exploit something in PHP to actually break out of their home dir. Right now for a ton of users, own php files got infected with a commercial php trojan, which provides fake advertisting backlinks to search engines.

While the untergrund.net system itself does not appear to be compromised, a lot of user directories are.

The system will be down for a couple of days until we have fully analyzed on what has happened. After that we'll either clean the system or revert to a pre-infection backup.

TL;DR: untergrund.net and all hosted sites will be down for a few days.
added on the 2014-02-27 01:44:46 by scamp scamp
:( -- good luck with fixing it! and thx for keeping up the great service!
added on the 2014-02-27 02:35:25 by dipswitch dipswitch
Thanks for the information scamp, will check my own wordpress installation! Could you provide any details on how to detect that infection?
added on the 2014-02-27 08:09:48 by xTr1m xTr1m
Good luck Scamp, and other dudes!
BTW. How ppl LOVE to destroy the work of other guys. I am speechless..
added on the 2014-02-27 09:18:30 by sim sim
Shit. Good luck fixing it! And thanks for all your work!
added on the 2014-02-27 09:50:54 by raer raer
Yeah... I think it deserves a donation...
added on the 2014-02-27 11:02:42 by sim sim
Transformers Cracked Undegraund!!!
ZXAAA.net Thief!!!

added on the 2014-02-27 11:12:59 by 3ASOFT 3ASOFT
Thanks for the information Scamp.
added on the 2014-02-27 13:44:39 by Sylvao Sylvao
How ppl LOVE to destroy the work of other guys. I am speechless..

They don't love it. It's business.
added on the 2014-02-27 13:50:23 by Gargaj Gargaj
Well.. When one hear business one may be sure it is not clean, so.
In short - let's make some troubling shit in the name of the money.
added on the 2014-02-27 15:05:58 by sim sim
Meh sounds orrible' best of luck getting it fixed \o_
added on the 2014-02-27 15:13:23 by ne7 ne7
added on the 2014-02-27 15:31:16 by rez rez
pretty funny that it happened in the middle of jumalauta's demo-a-day-a-thon or whatever tho :D
added on the 2014-02-27 16:00:04 by ferris ferris
F*&%ing Haxxors!
added on the 2014-02-27 16:11:33 by Optimus Optimus
Arf... so it seems to be a big attack :(
pretty funny that it happened in the middle of jumalauta's demo-a-day-a-thon or whatever tho :D

Indeed. I'm sure this is either an attack against our freedom by some anti-jumalauta terrorist group or a false flag operation by one of our members.
added on the 2014-02-28 00:15:46 by sauli sauli
Crossing fingers that you fix it soon :/
added on the 2014-02-28 07:01:52 by ltk_tscc ltk_tscc
scamp can you tell which version of wordpress was exploited?

I have few instances of wordpress running on planet-d and I think it's time I double check everything's up to date :(
Is it really that hard to keep WP installations up to date? Drupal automatically sends out emails to administrators if any module (no matter if core or user-installed) is outdated.
Good luck for the fix.
F*ck those damn "commercial hacks"!
added on the 2014-02-28 16:32:45 by Strider Strider
There are several users who are running outdated WP installations, yes. But well, even if WP itself is exploitable, one should not be able to infect other user's directories, but that has happened. We are still doing forensics to find out how that has happened.

Tomorrow we'll start the cleanup work, and hopefully we'll be back online Sunday.
added on the 2014-02-28 20:58:27 by scamp scamp
Scamp: Does that mean some if my or other users files could be corrupted?
added on the 2014-02-28 21:12:42 by ltk_tscc ltk_tscc
"of" my .. .even :)
added on the 2014-02-28 21:13:02 by ltk_tscc ltk_tscc
We are quite sure we'll be able to resolve this without any data loss. We'll most likely however kill all outdated wordpress installations.
added on the 2014-02-28 21:20:07 by scamp scamp
knowing untergrund there are tons of outdated sites once set up by sceners but not updated in years.
its still valuable content but im not surprised theres security issues.
however if a bot or hacker is able to elevate his rights once hacked into a user account its a general security problem and should be adressed asap.
added on the 2014-02-28 22:20:47 by wysiwtf wysiwtf


Go to top