I am glad I have some shortcuts to some of the forums here: When I go to http://www.detailingbliss.com I get the following: " BY iSKORPiTX (TURKISH HACKER) ALEMiN KRALI best regards to all world"
Some of it, like the homepage hacking/hijacking, is all automated now; they just seek out hosts with insecure user directories.
Good. Seems someone is working on it now. When I access it I am getting now: "Sorry, we're performing maintenance."
Was this the fastest re-takeover by an admin in history? The site was only down for a few hours, that's an impressive recovery by anyone's standards. Great job admin + team!
Not sure. Dunno how long it takes when it's a defaced type attack. That hacker took out something like 20,000 pages in one day. I did a google search on the name.
Further info on the attack: "iskorpitx Mass IIS Defacement Hack Info
We read an article on SecurityFocus regarding a mass hack of over 38,500 web sites running on Windows web servers with IIS. More detailed information is available at the defacement archive zone-h.org
Quote from zone-h.org: "Yesterday the Turkish cracker going by the handle "Iskorpitx", successfully hacked 21,549 websites in one shot (plus 17,000 as our last update) and defaced (on a secondary page) all of them with a message showing the Turkish flag (with AtaTurk face on it)"
We have done a limited amount of research on this and the mass defacement appears to be related in some way to sites registered or hosted through godaddy or secureserver.net. zone-h.org has a text file that contains a list of the defaced sites at http://www.zone-h.org/defaced/list.txt. We have done a whois search on about 30 sites in the list. All show godaddy as the registrar. The hack seems to have been done through an asp script that is automatically installed on all hosting customers' accounts on these particular servers. The mass defacement was placed in a sub directory on each site: /ssfm/isko.htm
A search on google for: ' ssfm vulnerability ' (without quotes) returns a google cache result with a godaddy user complaining about being hacked through the ssfm directory, and a response from "hosting support" claiming that the problem "is a vulnerability in the Microsoft IIS".
Quote: This email is in regards to the issue that you escalated on xx xxxxx 2005. The ssfm hack is not something we can really defend against. It is a vulnerability in the Microsoft IIS webserving system. As Microsoft uses closed source software, we are dependent on them for a fix to this issue. They have not, as of yet, issued a patch for this vulnerability. Rest assured that your passwords have not been compromised. The attacker does not need these to insert his file into the account as it is done through a hole in the IIS system (and this is the only directory that they would have access to).
A search on google for: ' ssfm directory asp ' (without quotes) returns multiple results for godaddy users seeking help with the file 'gdform.asp'. The 'gdform.asp' appears to be a form mail type script. The source code of 'gdform.asp' also contains a reference to the SSFM folder: filename = Server.MapPath("ssfm"). (See the second post at Asp email form on godaddy - ASP Free for the source code to gdform.asp.)
A search on google for: ' ssfm directory godaddy ' (without quotes) or ' ssfm directory secureserver.net ' (without quotes) returns multiple results for users seeking help with the 'gdform.asp' or 'gdform.php' form mail type scripts.
We have not examined the source code to the asp file in detail or done more than superficial research on this mass defacement, but this does not appear to be a vulnerability in IIS. This appears to be a problem with poor script coding and / or failing to properly validate user form input. I would guess that the hacker is able to inject their own code into the asp or php script being used to send mail. If anyone has more time to look over the source code and determines where the code could have been injected, or knows of any other godaddy scripts that write to the ssfm directory that could be responsible for this mass defacement, we would like to hear your comments at ssfm@stokia.com
StoKia Support Team"
Phil and his Admin Team kick fucking ass is all I can say at this point. Outstanding work guys/gals. What took Autopia 3 weeks, Phil and Gang accomplished in 3 hours.
Different attack altogether. A simple index replace vs a database injection attack. Not even in the same league of complexity.
Well, I bet someone is getting rich over all the "fees" we pay on this site, sure does not look like it's going towards protecting this site... not cool
Fees just for using a business name in a detail write-up that was free before the new owner took over and had a fee for everything regarding the forum. Like I mentioned before, everything is commercial, everyone wants to make money off anything they can given any chance... don't worry about member security, that's an extra fee.
Actually if you had your business name in a picture or thread with the previous owner, you'd be banned. Many of the fees were simply carried over from when Carlos ran the site. Phil merely simplified it and created two different membership classes instead of multiple ones. Dave