INTL is coming dangerously close to being shut down.



Username [Register?]: \| Password [Lost Password?]: Save Password?

Bottom of Page

INTL v5.0 > Discussion Forums > The "Song A Day" Thread Forum > INTL is coming dangerously close to being shut down. > Viewing Thread
Also Here: 1 guest.	Moderated by: D drahnier
Page: [ 1 2 ]	[ Thread Views: 5220 \| Total Posts: 42 ]
Rate This Thread:	Reply to Thread \| Create New Thread \| Create New Poll \| Convert To Poll \| Subscribe To Thread

Air Bud
Internet Superstar

Some plants even masturbate into their own vaginas in order to reproduce.

Ballkicks: (+918 / -56)
Posts: 6785 (0.947)
Reg. Date: Sep 2001
Location: TEH INTARNET!
Gender: Male

If you have any questions as to why, please read below:

We have received reports of unauthorized traffic originating from this server. This indicates possible server compromise, and is your responsibility to investigate and resolve. However, should you require help, we are more than happy to assist you in any way we can.

------------------------------------------

(nnewton-03/09/2006 16:50:59):
An initial investigation revealed the following malicious processes running:

25569 www 25 0 2080 2080 240 R 49.5 0.2 617:46 0 perl
25201 www 25 0 452 452 392 R 43.5 0.0 1:52 0 pscan2
16966 www 15 0 748 748 632 S 0.0 0.0 0:00 0 ps
25160 www 16 0 340 340 292 S 0.0 0.0 0:00 0 ovi
25162 www 15 0 356 356 300 S 0.0 0.0 0:00 0 ovi
25163 www 15 0 1104 1104 940 S 0.0 0.1 0:00 0 sh
25200 www 15 0 900 900 792 S 0.0 0.0 0:00 0 wtf

I have kill –stop’d these processes and also found malicious scripts in the following directories:

/var/tmp
drwxrwxrwt 4 root root 4096 Mar 9 15:12 .
drwxr-xr-x 23 root root 4096 Apr 30 2004 ..
drwxr-xr-x 3 www www 4096 Mar 9 15:09 .. (renamed bad by us)
drwx------ 2 www www 4096 Mar 9 15:12 wtf

/var/tmp/wtf
drwx------ 2 www www 4096 Mar 9 15:12 .
drwxrwxrwt 4 root root 4096 Mar 9 15:12 ..
-rw-r--r-- 1 www www 131072 Mar 9 15:20 67.19.pscan.22
-rwx------ 1 www www 206 Jul 21 2004 auto
-rw------- 1 www www 22354 Dec 1 2004 common
-rwx------ 1 www www 265 Nov 24 2004 gen-pass.sh
-rwx------ 1 www www 92 Apr 6 2005 go.sh
-rw------- 1 www www 26939 Nov 25 19:50 pass_file
-rw------- 1 www www 2270 May 26 2005 pass_filees
-rwx------ 1 www www 21407 Jul 21 2004 pscan2
-rwx------ 1 www www 453972 Jul 12 2004 ss
-rwx------ 1 www www 842424 Sep 6 2004 sshf
-rwx------ 1 www www 842736 Dec 23 12:57 ssh-scan
-rwx------ 1 www www 440 Dec 4 09:09 wtf

/var/tmp/bad]
d--------- 3 root root 4096 Mar 9 15:09 .
drwxrwxrwt 4 root root 4096 Mar 9 15:43 ..
-rw-r--r-- 1 root root 233 Mar 6 11:09 1
-rwxr-xr-x 1 root root 25122 Sep 4 2005 ovi
-rwxr-xr-x 1 root root 169692 Mar 9 15:09 pico
-rwx------ 1 root root 612470 Mar 6 11:09 ps
drwxr-xr-x 2 root root 4096 Feb 23 2005 randfiles
-rw-r--r-- 1 root root 1043 May 14 2005 raw.levels
-rw------- 1 root root 6 Mar 9 15:08 raw.pid
-rw-r--r-- 1 root root 2405 Mar 6 11:10 raw.set
-rwxr-xr-x 1 root root 160 Mar 8 2005 shit

We have chown root.root and chmod 000 these files.
Please check these directories and secure them. If you need any assistance with this please let us know.

Thank you.

------------------------------------------

(jpoletes-03/10/2006 11:43:40):
Can you provide us with an update with resolution right away. An intruder on your system is attacking other The Planet customers. Thank you for your help.

------------------------------------------

(jbeall-03/13/2006 05:03:00):
Malicious files are still being ran from your server:

PROCESSES
16966 www 15 0 116 116 0 T 0.0 0.0 0:00 0 ps
25160 www 15 0 48 48 0 T 0.0 0.0 0:00 0 ovi
25162 www 15 0 56 56 0 T 0.0 0.0 0:00 0 ovi
25163 www 15 0 164 164 0 T 0.0 0.0 0:00 0 sh
25200 www 15 0 108 108 0 T 0.0 0.0 0:00 0 wtf
25201 www 25 0 60 60 0 T 0.0 0.0 3:15 0 pscan2
6813 www 16 0 7660 7544 3220 S 0.0 0.7 0:46 0 httpd
6814 www 16 0 7348 7232 3208 S 0.0 0.7 0:02 0 httpd
6838 www 15 0 7164 7048 3204 S 0.0 0.6 0:01 0 httpd
6939 www 16 0 7404 7288 3204 S 0.0 0.7 0:02 0 httpd

LOCATION
/tmp
/var/tmp/
/var/tmp/bad
/var/tmp/bad/ps

-rw-r--r-- 1 www www 332 Mar 12 11:12 bot.txt
-rwxrwxrwx 1 www www 19626 Mar 11 07:37 httpd

--------------------------------------
(c17114inte-03/13/2006 17:49:15):I have absolutely no idea what is going on with the server. I don't check this control panel regularly and haven't received any emails regarding this ticket, despite this ticket being opened for the last four days.
------------------------------------------

(rvera-03/13/2006 17:54:09):
It is likely one or more sites on your server is getting exploited. To help prevent these exploit we suggest you install mod_security. We have a great kb page at.

http://support.theplanet.com/knowledgebase/users/kb.php?id=10906
--------------------------------------
(c17114inte-03/13/2006 18:05:28):As soon as the server is brought back online, I will install mod_security and see what I can do about resecuring the server to avoid further exploits. If this situation arises again, I will just back up my data onto my personal computer and request an OS reload, then just restore my sites' data after the reload.
------------------------------------------

(channa-03/13/2006 20:24:51):
Thanks for keeping us updated. Let us know if you should have any questions.
------------------------------------------

(lcarter-03/14/2006 16:15:53):
/tmp
-rw-r--r-- 1 www www 332 Mar 12 11:12 bot.txt

the following processes were running -
2037 www 16 0 7708 7592 3220 S 15.7 0.7 0:03 0 /home/apache2/bin/httpd -k restart
1820 www 16 0 8172 8056 3220 S 4.9 0.7 0:02 0 /home/apache2/bin/httpd -k restart
16966 www 15 0 116 116 0 T 0.0 0.0 0:00 0 ps x
25160 www 15 0 48 48 0 T 0.0 0.0 0:00 0 bash
25162 www 15 0 56 56 0 T 0.0 0.0 0:00 0 bash
25163 www 15 0 164 164 0 T 0.0 0.0 0:00 0 sh -i
25200 www 15 0 108 108 0 T 0.0 0.0 0:00 0 /bin/bash ./wtf 67.19
25201 www 25 0 60 60 0 T 0.0 0.0 3:15 0 ./pscan2 67.19 22
1817 www 15 0 9568 9452 3224 S 0.0 0.9 0:02 0 /home/apache2/bin/httpd -k restart
1824 www 15 0 7580 7464 3208 S 0.0 0.7 0:03 0 /home/apache2/bin/httpd -k restart
1867 www 15 0 8452 8336 3220 S 0.0 0.8 0:02 0 /home/apache2/bin/httpd -k restart
1976 www 15 0 7260 7144 3204 S 0.0 0.6 0:01 0 /home/apache2/bin/httpd -k restart
2030 www 15 0 4284 4168 2536 S 0.0 0.4 0:00 0 /home/apache2/bin/httpd -k restart
2070 www 15 0 4292 4176 2536 S 0.0 0.4 0:00 0 /home/apache2/bin/httpd -k restart
2072 www 15 0 4292 4176 2536 S 0.0 0.4 0:00 0 /home/apache2/bin/httpd -k restart
2073 www 15 0 4276 4160 2536 S 0.0 0.4 0:00 0 /home/apache2/bin/httpd -k restart

ovi 25160 www cwd DIR 3,3 4096 2 /
ovi 25160 www rtd DIR 3,3 4096 2 /
ovi 25160 www txt REG 3,3 25122 8421536 /var/tmp/bad/ovi
ovi 25160 www mem REG 3,3 1573120 2261131 /lib/tls/libc-2.3.2.so
ovi 25160 www mem REG 3,3 106912 524354 /lib/ld-2.3.2.so
ovi 25160 www 0u CHR 1,3 67053 /dev/null
ovi 25160 www 1u CHR 1,3 67053 /dev/null
ovi 25160 www 2u CHR 1,3 67053 /dev/null
ovi 25160 www 3u IPv4 30610734 TCP *:1144 (LISTEN)
ovi 25160 www 4u IPv4 31733756 TCP *:1987 (LISTEN)

pscan2 25201 www cwd DIR 3,3 4096 7438377 /var/tmp/wtf
pscan2 25201 www rtd DIR 3,3 4096 2 /
pscan2 25201 www txt REG 3,3 21407 7438523 /var/tmp/wtf/pscan2
pscan2 25201 www mem REG 3,3 1573120 2261131 /lib/tls/libc-2.3.2.so
pscan2 25201 www mem REG 3,3 106912 524354 /lib/ld-2.3.2.so
pscan2 25201 www 0u CHR 3,0 72570 /dev/ttyp0
pscan2 25201 www 1u CHR 3,0 72570 /dev/ttyp0
pscan2 25201 www 2u CHR 3,0 72570 /dev/ttyp0
pscan2 25201 www 3u IPv4 30610734 TCP *:1144 (LISTEN)
pscan2 25201 www 4u IPv4 31733756 TCP *:1987 (LISTEN)
pscan2 25201 www 5w REG 3,3 131072 7438520 /var/tmp/wtf/67.19.pscan.22

I have nullified the files with chown root.root and chmod 000, and kill -STOP the processes.

Please let us know if you have any further questions.
------------------------------------------

(lcarter-03/15/2006 11:23:04):
I did not find any new malicious files or processes running today.
Please let us know if you have any questions or need any assistace.

Thank you
------------------------------------------

(rvera-03/16/2006 11:32:49):
We have found more malicious files in /tmp. Please look into this as soon as possible.

[root@intl tmp]# ls -la | grep www
-rwxr-xr-x 1 www www 105 Mar 15 13:40 cacti
-rwxr--r-- 1 www www 27551 Mar 16 00:04 foc
-rwxrwxrwx 1 www www 19626 Mar 11 07:37 httpd
-rwxr--r-- 1 www www 400972 Mar 15 13:06 iron
-rw-r--r-- 1 www www 293 Mar 15 23:40 listen.log

------------------------------------------

(codygee-03/17/2006 13:14:59):
You will need to audit your system for any installations of phpBB, PHPNuke, osTicket, My_eGallery, mambo, ModernBill, awstats, phpad, and any other popular PHP applications you might be running and ensure they are at their most current versions. This is something we can not do.

You can also install mod_security for apache to mitigate these attacks at apache:
http://www.modsecurity.org/projects/modsecurity/apache/index.html
http://eth0.us/mod_security

This link gives direction on how to use mod_security:
http://support.theplanet.com/knowledgebase/users/kb.php?id=10906

Please keep us updated.
------------------------------------------

(mavenna-03/18/2006 15:51:08):
Hello; Do you have any updates regarding this issue? Please let us know what steps you have taken to ensure this issue has been resolved. Thank you.
------------------------------------------

(channa-03/19/2006 20:11:11):
Were you able to look into this? Please update us as soon as possible. Thanks.
------------------------------------------

(jbeall-03/21/2006 03:07:20):
The request for an OS reload does not appear to have been resoled. Were you able to successfull install RDC.

Air Bud
Internet Superstar

Some plants even masturbate into their own vaginas in order to reproduce.

Ballkicks: (+918 / -56)
Posts: 6785 (0.947)
Reg. Date: Sep 2001
Location: TEH INTARNET!
Gender: Male

Just a little bit of a forewarning.

Later this evening, once I get off of work (about 5pm Central Standard Time), I will be shutting down the website and backing up the forums, uploaded files, etc. INTL may be down for as long as a week, depending on how long it takes for me to reinstall the core software and get things back to running smoothly again, so be prepared for an extended outage.

As far as the forums coming dangerously close to being shut down, I mean that if once the operating system reload has been done, if the server gets compromised yet again, I will be indefinitely suspending the forums and no longer running INTL. So if this is all being caused by one of you out there, which I highly doubt is the case, but I'm not ruling out, you will be the sole cause of this forum being wiped off the face of the earth, so congratulations, asshole! Job well done!

D
Sticks \vs/ Drums
Ñ…Ð¾Ñ‡Ñƒ ÑÐ¿Ð°Ñ‚ÑŒ

i didn't have the strength to get it all the way off

Ballkicks: (+1952 / -91)
Posts: 18505 (2.655)
Reg. Date: Mar 2002
Location:
Gender: Male

This is scary stuff. Goodluck fixing the internet man, we love you.

"They could have grown up to become Hitler....collectively." - Ztolk's creepy Flash man

Air Bud
Internet Superstar

Some plants even masturbate into their own vaginas in order to reproduce.

Ballkicks: (+918 / -56)
Posts: 6785 (0.947)
Reg. Date: Sep 2001
Location: TEH INTARNET!
Gender: Male

Just did a bit of research and it costs $25 for the reload and an additional $150/hour in "operating system reloading administration". That's a problem, since come to think of it, I haven't received a single donation in the last couple months. Not trying to run a guilt trip on anyone, but seriously, would any of you spend upward of $200 out of your own pocket to run a website that has absolutely no return whatsoever? How about roughly $1000/year? How about investing a few hundred hours into performing technical maintenance on it?

Yeah, I thought not.

This may very well be the end, unless I can find another server to host INTL on for free, which I may be able to do, but if not, sorry guys, but this will likely be the end.

Lucifer Beowulf Helidon
The Reel RS Krew
MY PAYPAL ACCOUNT IS LUCIFER@ROKBOM.COM

LBH was here... All thats left are the shattered remains of a broken man.

Ballkicks: (+458 / -89)
Posts: 1058 (0.161)
Reg. Date: Apr 2003
Location: Brisbane
Gender: Male

sorry it was me and everything is fixed now

Zippo
pooooooop

Leveling entire cities with her magnificient girl-cock

Ballkicks: (+1097 / -49)
Posts: 5302 (0.788)
Reg. Date: Nov 2002
Location: America's Wang
Gender: Unspecified

Quoted from Sandamnit:
This may very well be the end, unless I can find another server to host INTL on for free, which I may be able to do, but if not, sorry guys, but this will likely be the end.

Don't be sorry. You've already done well beyond the call of duty to maintain this community by financially and technically supporting the INTL site. Thank you for that.

Does this "server compromise" damage the integrity of your code? Or did someone just upload some bad files that have no effect on it?

animatedcardigan: your nose is sexy[/w]

[w]Apprenticed under Kage-STFU the art of bujutsu
"It is in Men that we must place our hope." - Gandalf the Grey

greenidentity
Disco naps and liquorice Snaps.

It is time for some fine fine wine.....or box wine it's all good man

Ballkicks: (+603 / -81)
Posts: 3891 (0.565)
Reg. Date: Jun 2002
Location: Planet Seeth
Gender: Unspecified

Damn.......

You make me sick
Because I adore you so.

jimmy
Selber Schuld, kein Mitleid

I am really bad at giving custom titles and, well, the internet in general tbqh

Ballkicks: (+506 / -233)
Posts: 2398 (0.377)
Reg. Date: Nov 2003
Location: On the back burner.
Gender: Male

put this on the front page. nobody reads the stickies.

artzilla
Firefox remembers my PASSWORD

More like Grandpa AWESOME

Ballkicks: (+95 / -25)
Posts: 547 (0.097)
Reg. Date: Dec 2005
Location: Northern Kentucky
Gender: Male

How many people are there on this forum? If we all send 5.00 it may very well do the trick. That's not very much to keep this thing alive. I for one think it would be worth it. Anyone else in for this?

Mind over Matter! I don't mind and it don't matter!

Guy Tuttle and Ass
Global Moderator

gotta get that VICTORY ROYALE #gamer #memes #LoL

Ballkicks: (+1783 / -130)
Posts: 15966 (2.291)
Reg. Date: Mar 2002
Location: California
Gender: Male

Quoted from artzilla:
How many people are there on this forum? If we all send 5.00 it may very well do the trick. That's not very much to keep this thing alive. I for one think it would be worth it. Anyone else in for this?

Just do it, man. Every little bit helps. i'm a serial-killer :)

edit: $20 paypal'd

Scruffy - The Janitor
Alcoholics Anonymous
While anarchy can often turn a humdrum weekend into something unforgettable, eventually the mob must be kept from stealing the conch and killing Piggy.

Pimpin is just a haircut and a shave away!

Ballkicks: (+650 / -57)
Posts: 3017 (0.453)
Reg. Date: Jan 2003
Location: Someplace where there's beer...
Gender: Male

Quoted from donate:
SPC Derka, Derka
HHC 16th SIG BN
APO, AE 09334

Just verifying that this is still the address cash should be sent to for those of us without Paypal.

An intelligent man is sometimes forced to be drunk to spend time with his fools.

This reply was last edited on 12-23-07 02:30:58 PM by Air Bud.

C
Administrator

Level 90 Ginger

Ballkicks: (+723 / -204)
Posts: 6647 (0.967)
Reg. Date: Jun 2002
Location: Missouri
Gender: Male

Well damn. Sorry it had to end this way. I guess I'll see you guys around the internets.

PS- If you are looking for another server, layeredtech has some pretty nice stuff. I doubt it's quite the stats INTL is currently running on, but it should be enough for the forums.

Realize that falling in love with someone is just the results of a series of generic events that can occur between you and basically anyone who meets your standards of attractiveness. It's just an emotional manifestation of a handfull of chemicals bouncing back and forth. It's not the holy grail of living, it's not your reason to exist and it's definitely not something reserved for "that one person". Accept that you are just an animal with a big brain that allows him to fret over what only amounts to a game of hormone pool. What you're feeling is not your soul dying a gurgling, ugly death, but withdrawal. All the happy chemicals that saturated your body when you were with her are kicking out cold turkey, and your body is screaming bloody murder, where are my fucking endorphins? It's just chocolate. Find a new bar.

Wandering Idiot
INTL Premium Member

Surely something dumber has come up since my apparent forgetfulness for STDs and doctor visits.

Ballkicks: (+257 / -16)
Posts: 2130 (0.328)
Reg. Date: Jul 2003
Location: Arms' reach of my wifes' bitchslap
Gender: Male

Arnok, that address is outdated now that he is back stateside. If you can paypal him, that'd probably be best. There's an option somewhere on paypal to send money from a credit/debit card, but I don't use it so I'm not sure how that works.

Jeff, $50 will be on the way when my tax return comes in this week and my paypal gets unfucked.

If my ears could talk, they would say, "Thank you, Zorak. You have enriched us both."

Mr Excitable
INTL Premium Member
My girlfriend is the Michelin Man

Ballkicks: (+514 / -60)
Posts: 3218 (0.483)
Reg. Date: Jan 2003
Location:
Gender: Male

this had better be the biggest april fools joke of all time