Server hacked by Un-Root

I have had sleepless nights for the last two days. A cracker calling himself un-root hacked into my server, defaced my website and ran some spamming program. Up to today, I'm still tracing back what other damage he has caused.

Now I'd like to share with everyone my experience and discovery of this hacker.

This is what he said about himself when I talked to him on MSN:

He is part of a team called Un-Root from Brazil/Portugal. He calls himself [ANB]-M1 a.k.a. Figo. He is 20 years old, studying telecommunications and computers.

Apparently, he gained access to my server through a vulnerability found in osTicket. Something about remote PHP injection. Once he grabbed my password from MySQL, he used it to log into WHM, cPanel, FTP, SSH, etc. This is due to my ignorance in using the same password for all services. Stupid me. Now I have learnt my lesson.

From there, he replaced my index file in public_html with his. On the page it said something like:

When I look around I often find poverty, misery, envy, so many things that could be banished from this society
that calls itself evolved. But no, because there are many people making money from it.
We are facing a "global village" that
becomes more depressing and distressing every day. It is time to think and say enough, because it is all of us who make this society
we live in, and we all have the obligation to take care of it by contributing to its growth.
Socrates and Lula, let's put an end to this, we are all waiting :], but nobody does anything!

Luso-Brazilian Alliance
Portugal & Brazil
See attachment for the banner he put on the page.

He could have destroyed all my clients' websites, but luckily he did not. Well, I thanked him for that.

At the same time, I received thousands of bounced emails in the admin mailbox. Well, it took me quite some time to discover that the culprit was in the /tmp folder. A malicious program was sending thousands of emails every minute. It jammed my mailbox, slowed down the server, and pushed the server's load into the red.

After more investigation, here is the list of programs/files he "wget"-ed into my /tmp folder.

http://www.fendora.net/asc/xpl/remap
http://www.fendora.net/asc/xpl/w00t
http://www.fendora.net/asc/xpl/pwned
http://www.fendora.net/asc/xpl/krad
http://www.fendora.net/asc/xpl/newsmp
http://www.fendora.net/asc/xpl/stackgrow2
http://www.fendora.net/asc/xpl/setsockopt
http://www.fendora.net/asc/xpl/uselib24
http://www.fendora.net/asc/xpl/sik
http://www.fendora.net/asc/xpl/final
http://www.ciget.com.ve/.0/elf
http://www.ciget.com.ve/.0/f3
http://www.peterlassen.dk/c/yim
http://www.peterlassen.dk/c/w00t
http://www.fendora.net/asc/xpl/ptrace
http://www.fendora.net/asc/xpl/mremap_pte
http://www.fendora.net/asc/xpl/mremap2
http://www.fendora.net/asc/xpl/kmod
http://www.fendora.net/asc/xpl/elflbl
http://troop18.roxxu.com/enviar.txt
http://www.angelfire.com/co4/demoniac_mind/mails.txt
http://www.angelfire.com/co4/demonia.../assistatv.scr
http://www.angelfire.com/co4/demonia...instalador.scr
http://dl2.rapidshare.de/files/16534...instalador.scr
http://dl2.rapidshare.de/files/16535.../assistatv.htm
http://mail.icehost.ch/.0/elf
http://users.********/alforum/smash.perl

To prevent that, the first thing I did was change all my passwords. After that, I installed mod_security and set proper permissions (chmod 750) on "wget" and other binaries.

Well, up to now, everything seems to have calmed down. But more should be done to secure the server to prevent further attacks.

The lesson I learnt? Hosting is a scary business. Don't ever walk onto the battlefield without wearing any armour or carrying a weapon. You won't even know where or who your enemies are, or when they are going to attack. All you can do is defend yourself and hope that your armour is strong enough to withstand the attack. Most important is not yourself, but your clients' websites. Remember, your enemy only has to win once.
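As an added example (not part of the original post, and not the poster's own tooling): a small POSIX shell audit of a /tmp-style directory like the one described above. It lists regular files carrying an execute bit, which is where the spamming program and the downloaded tools were found, and flags any whose basename matches one of the download names in the post's wget list. The function names (find_tmp_executables, flag_known_names, make_sample_dir, summarize) are my own, and the sample directory is constructed so the script runs offline; on a real host you would point it at /tmp instead.

```shell
#!/bin/sh
# Added example, not from the original post. Audits a directory for executable
# files and flags basenames that match the download list given in the post.

# Basenames taken from the wget list in the post (smash.perl included).
KNOWN_NAMES="remap w00t pwned krad newsmp stackgrow2 setsockopt uselib24 sik final elf f3 yim ptrace mremap_pte mremap2 kmod elflbl smash.perl"

# Print every regular file under $1 with any execute bit set (portable find).
find_tmp_executables() {
  find "$1" -type f \( -perm -100 -o -perm -010 -o -perm -001 \) 2>/dev/null | sort
}

# Print "FLAGGED <path>" for each executable whose basename is in KNOWN_NAMES.
flag_known_names() {
  find_tmp_executables "$1" | while IFS= read -r path; do
    base=$(basename "$path")
    for name in $KNOWN_NAMES; do
      if [ "$base" = "$name" ]; then
        echo "FLAGGED $path"
        break
      fi
    done
  done
}

# Build a constructed sample directory (hypothetical contents) so the audit
# can be run without touching a real /tmp.
make_sample_dir() {
  dir=$(mktemp -d)
  printf 'not a program\n' > "$dir/notes.txt"                            # harmless, not executable
  printf '#!/bin/sh\necho hi\n' > "$dir/w00t"; chmod 700 "$dir/w00t"     # name from the post's list
  printf '#!/bin/sh\necho hi\n' > "$dir/sess_1234"; chmod 755 "$dir/sess_1234"  # executable, unknown name
  echo "$dir"
}

# Return "<executable count> <flagged count>" for directory $1.
summarize() {
  exec_count=$(find_tmp_executables "$1" | wc -l | tr -d ' ')
  flag_count=$(flag_known_names "$1" | wc -l | tr -d ' ')
  echo "$exec_count $flag_count"
}

# Usage: audit the constructed sample (replace "$SAMPLE" with /tmp on a server).
SAMPLE=$(make_sample_dir)
find_tmp_executables "$SAMPLE"
flag_known_names "$SAMPLE"
summarize "$SAMPLE"
```

The name list is only a starting point: a file in /tmp with an execute bit is worth a look whatever it is called, so the executable listing is the output to act on, and the flagged list just tells you which of those already match what the post reported.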
